@strapi/admin 4.3.7 → 4.4.0-beta.1

package/server/services/permission/engine.js

@@ -1,107 +1,36 @@
 'use strict';
 
-const {
-  curry,
-  map,
-  filter,
-  propEq,
-  isFunction,
-  isBoolean,
-  isArray,
-  isNil,
-  isEmpty,
-  isObject,
-  prop,
-  merge,
-  pick,
-  difference,
-  cloneDeep,
-} = require('lodash/fp');
-const { AbilityBuilder, Ability } = require('@casl/ability');
-const sift = require('sift');
+const { curry, isArray, isEmpty, difference } = require('lodash/fp');
+const permissions = require('@strapi/permissions');
+
 const permissionDomain = require('../../domain/permission/index');
 const { getService } = require('../../utils');
-const {
-  createEngineHooks,
-  createWillEvaluateContext,
-  createWillRegisterContext,
-} = require('./engine-hooks');
-
-const allowedOperations = [
-  '$or',
-  '$and',
-  '$eq',
-  '$ne',
-  '$in',
-  '$nin',
-  '$lt',
-  '$lte',
-  '$gt',
-  '$gte',
-  '$exists',
-  '$elemMatch',
-];
-const operations = pick(allowedOperations, sift);
-
-const conditionsMatcher = (conditions) => {
-  return sift.createQueryTester(conditions, { operations });
-};
-
-module.exports = (conditionProvider) => {
-  const state = {
-    hooks: createEngineHooks(),
-  };
-
-  return {
-    hooks: state.hooks,
-
-    /**
-     * Generate an ability based on the given user (using associated roles & permissions)
-     * @param user
-     * @param options
-     * @returns {Promise<Ability>}
-     */
-    async generateUserAbility(user, options) {
-      const permissions = await getService('permission').findUserPermissions(user);
-      const abilityCreator = this.generateAbilityCreatorFor(user);
 
-      return abilityCreator(permissions, options);
-    },
+module.exports = (params) => {
+  const { providers } = params;
 
+  const engine = permissions.engine
+    .new({ providers })
     /**
-     * Create an ability factory for a specific user
-     * @param user
-     * @returns {function(*, *): Promise<Ability>}
+     * Validate the permission's action exists in the action registry
      */
-    generateAbilityCreatorFor(user) {
-      return async (permissions, options) => {
-        const { can, build } = new AbilityBuilder(Ability);
-
-        for (const permission of permissions) {
-          const registerFn = this.createRegisterFunction(can, permission, user);
-
-          await this.evaluate({ permission, user, options, registerFn });
-        }
-
-        return build({ conditionsMatcher });
-      };
-    },
-
-    /**
-     * Validate, invalidate and transform the permission attributes
-     * @param {Permission} permission
-     * @returns {null|Permission}
-     */
-    formatPermission(permission) {
-      const { actionProvider } = getService('permission');
-
-      const action = actionProvider.get(permission.action);
+    .on('before-format::validate.permission', ({ permission }) => {
+      const action = providers.action.get(permission.action);
 
       // If the action isn't registered into the action provider, then ignore the permission
       if (!action) {
-        return null;
+        strapi.log.debug(
+          `Unknown action "${permission.action}" supplied when registering a new permission in engine`
+        );
+        return false;
       }
+    })
 
+    /**
+     * Remove invalid properties from the permission based on the action (applyToProperties)
+     */
+    .on('format.permission', (permission) => {
+      const action = providers.action.get(permission.action);
       const properties = permission.properties || {};
 
       // Only keep the properties allowed by the action (action.applyToProperties)
@@ -116,153 +45,34 @@ module.exports = (conditionProvider) => {
         permission
       );
 
-      // If the `fields` property is an empty array, then ignore the permission
-      const { fields } = properties;
-
-      if (isArray(fields) && isEmpty(fields)) {
-        return null;
-      }
-
       return permissionWithSanitizedProperties;
-    },
-
-    /**
-     * Update the permission components through various processing
-     * @param {Permission} permission
-     * @returns {Promise<void>}
-     */
-    async applyPermissionProcessors(permission) {
-      const context = createWillEvaluateContext(permission);
-
-      // 1. Trigger willEvaluatePermission hook and await transformation operated on the permission
-      await state.hooks.willEvaluatePermission.call(context);
-    },
+    })
 
     /**
-     * Register new rules using `registerFn` based on valid permission's conditions
-     * @param options {object}
-     * @param options.permission {object}
-     * @param options.user {object}
-     * @param options.options {object | undefined}
-     * @param options.registerFn {Function}
-     * @returns {Promise<void>}
+     * Ignore the permission if the fields property is an empty array (access to no field)
      */
-    async evaluate(options) {
-      const { user, registerFn, options: conditionOptions } = options;
-
-      // Assert options.permission validity and format it
-      const permission = this.formatPermission(options.permission);
-
-      // If options.permission is invalid, then ignore the permission
-      if (permission === null) {
-        return;
-      }
-
-      await this.applyPermissionProcessors(permission);
-
-      // Extract the up-to-date components from the permission
-      const { action, subject, properties = {}, conditions } = permission;
-
-      // Register the permission if there is no condition
-      if (isEmpty(conditions)) {
-        return registerFn({ action, subject, fields: properties.fields });
-      }
-
-      /** Set of functions used to resolve + evaluate conditions & register the permission if allowed */
-
-      // 1. Replace each condition name by its associated value
-      const resolveConditions = map(conditionProvider.get);
-
-      // 2. Filter conditions, only keep those whose handler is a function
-      const filterValidConditions = filter((condition) => isFunction(condition.handler));
-
-      // 3. Evaluate the conditions handler and returns an object
-      // containing both the original condition and its result
-      const evaluateConditions = (conditions) => {
-        return Promise.all(
-          conditions.map(async (condition) => ({
-            condition,
-            result: await condition.handler(
-              user,
-              merge(conditionOptions, { permission: cloneDeep(permission) })
-            ),
-          }))
-        );
-      };
-
-      // 4. Only keeps booleans or objects as condition's result
-      const filterValidResults = filter(({ result }) => isBoolean(result) || isObject(result));
-
-      /**/
-
-      const evaluatedConditions = await Promise.resolve(conditions)
-        .then(resolveConditions)
-        .then(filterValidConditions)
-        .then(evaluateConditions)
-        .then(filterValidResults);
+    .on('after-format::validate.permission', ({ permission }) => {
+      const { fields } = permission.properties;
 
-      // Utils
-      const resultPropEq = propEq('result');
-      const pickResults = map(prop('result'));
-
-      if (evaluatedConditions.every(resultPropEq(false))) {
-        return;
-      }
-
-      // If there is no condition or if one of them return true, register the permission as is
-      if (isEmpty(evaluatedConditions) || evaluatedConditions.some(resultPropEq(true))) {
-        return registerFn({ action, subject, fields: properties.fields });
-      }
-
-      const results = pickResults(evaluatedConditions).filter(isObject);
-
-      if (isEmpty(results)) {
-        return registerFn({ action, subject, fields: properties.fields });
+      if (isArray(fields) && isEmpty(fields)) {
+        return false;
       }
+    });
 
-      // Register the permission
-      return registerFn({
-        action,
-        subject,
-        fields: properties.fields,
-        condition: { $and: [{ $or: results }] },
-      });
+  return {
+    get hooks() {
+      return engine.hooks;
     },
 
     /**
-     * Encapsulate a register function with custom params to fit `evaluatePermission`'s syntax
-     * @param can
-     * @param {Permission} permission
-     * @param {object} user
-     * @returns {function}
+     * Generate an ability based on the given user (using associated roles & permissions)
+     * @param user
+     * @returns {Promise<Ability>}
      */
-    createRegisterFunction(can, permission, user) {
-      const registerToCasl = (caslPermission) => {
-        const { action, subject, fields, condition } = caslPermission;
-
-        can(
-          action,
-          isNil(subject) ? 'all' : subject,
-          fields,
-          isObject(condition) ? condition : undefined
-        );
-      };
-
-      const runWillRegisterHook = async (caslPermission) => {
-        const hookContext = createWillRegisterContext(caslPermission, {
-          permission,
-          user,
-        });
-
-        await state.hooks.willRegisterPermission.call(hookContext);
-
-        return caslPermission;
-      };
+    async generateUserAbility(user) {
+      const permissions = await getService('permission').findUserPermissions(user);
 
-      return async (caslPermission) => {
-        await runWillRegisterHook(caslPermission);
-        registerToCasl(caslPermission);
-      };
+      return engine.generateAbility(permissions, user);
     },
 
     /**

package/server/services/permission/permissions-manager/query-builers.js

@@ -49,9 +49,10 @@ const unwrapDeep = (obj) => {
 
       if (_.isPlainObject(v)) {
         if ('$elemMatch' in v) {
-          v = v.$elemMatch; // removing this key
+          _.setWith(acc, key, unwrapDeep(v.$elemMatch));
+        } else {
+          _.setWith(acc, key, unwrapDeep(v));
         }
-        _.setWith(acc, key, unwrapDeep(v));
       } else if (_.isArray(v)) {
         // prettier-ignore
         _.setWith(acc, key, v.map(v => unwrapDeep(v)));

package/server/services/permission/queries.js

@@ -144,7 +144,7 @@ const cleanPermissionsInDatabase = async () => {
   const total = await strapi.query('admin::permission').count();
   const pageCount = Math.ceil(total / pageSize);
 
-  for (let page = 0; page < pageCount; page++) {
+  for (let page = 0; page < pageCount; page += 1) {
     // 1. Find invalid permissions and collect their ID to delete them later
     const results = await strapi
       .query('admin::permission')

package/server/services/permission.js

@@ -10,11 +10,14 @@ const permissionQueries = require('./permission/queries');
 
 const actionProvider = createActionProvider();
 const conditionProvider = createConditionProvider();
-const engine = createPermissionEngine(conditionProvider);
 const sectionsBuilder = createSectionsBuilder();
 
 const sanitizePermission = domain.sanitizePermissionFields;
 
+const engine = createPermissionEngine({
+  providers: { action: actionProvider, condition: conditionProvider },
+});
+
 module.exports = {
   // Queries / Actions
   ...permissionQueries,

package/server/strategies/admin.js

@@ -33,10 +33,16 @@ const authenticate = async (ctx) => {
 
   const userAbility = await getService('permission').engine.generateUserAbility(user);
 
+  // TODO: use the ability from ctx.state.auth instead of
+  // ctx.state.userAbility, and remove the assign below
   ctx.state.userAbility = userAbility;
   ctx.state.user = user;
 
-  return { authenticated: true, credentials: user };
+  return {
+    authenticated: true,
+    credentials: user,
+    ability: userAbility,
+  };
 };
 
 /** @type {import('.').AuthStrategy} */

package/server/strategies/api-token.js

@@ -1,5 +1,6 @@
 'use strict';
 
+const { castArray, isNil } = require('lodash/fp');
 const { UnauthorizedError, ForbiddenError } = require('@strapi/utils').errors;
 const constants = require('../services/constants');
 const { getService } = require('../utils');
@@ -20,7 +21,10 @@ const extractToken = (ctx) => {
   return null;
 };
 
-/** @type {import('.').AuthenticateFunction} */
+/**
+ * Authenticate the validity of the token
+ *
+ *  @type {import('.').AuthenticateFunction} */
 const authenticate = async (ctx) => {
   const apiTokenService = getService('api-token');
   const token = extractToken(ctx);
@@ -33,33 +37,89 @@ const authenticate = async (ctx) => {
     accessKey: apiTokenService.hash(token),
   });
 
+  // token not found
   if (!apiToken) {
     return { authenticated: false };
   }
 
+  const currentDate = new Date();
+
+  if (!isNil(apiToken.expiresAt)) {
+    const expirationDate = new Date(apiToken.expiresAt);
+    // token has expired
+    if (expirationDate < currentDate) {
+      return { authenticated: false, error: new UnauthorizedError('Token expired') };
+    }
+  }
+
+  // update lastUsedAt
+  await apiTokenService.update(apiToken.id, {
+    lastUsedAt: currentDate,
+  });
+
+  if (apiToken.type === constants.API_TOKEN_TYPE.CUSTOM) {
+    const ability = await strapi.contentAPI.permissions.engine.generateAbility(
+      apiToken.permissions.map((action) => ({ action }))
+    );
+
+    return { authenticated: true, ability, credentials: apiToken };
+  }
+
   return { authenticated: true, credentials: apiToken };
 };
 
-/** @type {import('.').VerifyFunction} */
+/**
+ * Verify the token has the required abilities for the requested scope
+ *
+ *  @type {import('.').VerifyFunction} */
 const verify = (auth, config) => {
-  const { credentials: apiToken } = auth;
+  const { credentials: apiToken, ability } = auth;
 
   if (!apiToken) {
-    throw new UnauthorizedError();
+    throw new UnauthorizedError('Token not found');
+  }
+
+  const currentDate = new Date();
+
+  if (!isNil(apiToken.expiresAt)) {
+    const expirationDate = new Date(apiToken.expiresAt);
+    // token has expired
+    if (expirationDate < currentDate) {
+      throw new UnauthorizedError('Token expired');
+    }
   }
 
+  // Full access
   if (apiToken.type === constants.API_TOKEN_TYPE.FULL_ACCESS) {
     return;
   }
 
-  /**
-   * If you don't have `full-access` you can only access `find` and `findOne`
-   * scopes. If the route has no scope, then you can't get access to it.
-   */
+  // Read only
+  if (apiToken.type === constants.API_TOKEN_TYPE.READ_ONLY) {
+    /**
+     * If you don't have `full-access` you can only access `find` and `findOne`
+     * scopes. If the route has no scope, then you can't get access to it.
+     */
+    const scopes = castArray(config.scope);
 
-  const scopes = Array.isArray(config.scope) ? config.scope : [config.scope];
-  if (config.scope && scopes.every(isReadScope)) {
-    return;
+    if (config.scope && scopes.every(isReadScope)) {
+      return;
+    }
+  }
+
+  // Custom
+  else if (apiToken.type === constants.API_TOKEN_TYPE.CUSTOM) {
+    if (!ability) {
+      throw new ForbiddenError();
+    }
+
+    const scopes = castArray(config.scope);
+
+    const isAllowed = scopes.every((scope) => ability.can(scope));
+
+    if (isAllowed) {
+      return;
+    }
   }
 
   throw new ForbiddenError();

package/server/validation/api-tokens.js

@@ -9,8 +9,16 @@ const apiTokenCreationSchema = yup
     name: yup.string().min(1).required(),
     description: yup.string().optional(),
     type: yup.string().oneOf(Object.values(constants.API_TOKEN_TYPE)).required(),
+    permissions: yup.array().of(yup.string()).nullable(),
+    lifespan: yup
+      .number()
+      .integer()
+      .min(1)
+      .oneOf(Object.values(constants.API_TOKEN_LIFESPANS))
+      .nullable(),
   })
-  .noUnknown();
+  .noUnknown()
+  .strict();
 
 const apiTokenUpdateSchema = yup
   .object()
@@ -18,8 +26,10 @@ const apiTokenUpdateSchema = yup
     name: yup.string().min(1).notNull(),
     description: yup.string().nullable(),
     type: yup.string().oneOf(Object.values(constants.API_TOKEN_TYPE)).notNull(),
+    permissions: yup.array().of(yup.string()).nullable(),
   })
-  .noUnknown();
+  .noUnknown()
+  .strict();
 
 module.exports = {
   validateApiTokenCreationInput: validateYupSchema(apiTokenCreationSchema),

package/server/validation/common-functions/check-fields-are-correctly-nested.js

@@ -12,7 +12,7 @@ const checkFieldsAreCorrectlyNested = (fields) => {
   }
 
   let failed = false;
-  for (let indexA = 0; indexA < fields.length; indexA++) {
+  for (let indexA = 0; indexA < fields.length; indexA += 1) {
     failed = fields
       .slice(indexA + 1)
       .some(