@teamkeel/functions-runtime 0.289.2 → 0.290.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@teamkeel/functions-runtime",
-  "version": "0.289.2",
+  "version": "0.290.1",
   "description": "Internal package used by @teamkeel/sdk",
   "main": "src/index.js",
   "scripts": {

package/src/consts.js

@@ -0,0 +1,20 @@
+const PROTO_ACTION_TYPES = {
+  UNKNOWN: "OPERATION_TYPE_UNKNOWN",
+  CREATE: "OPERATION_TYPE_CREATE",
+  GET: "OPERATION_TYPE_GET",
+  LIST: "OPERATION_TYPE_LIST",
+  UPDATE: "OPERATION_TYPE_UPDATE",
+  DELETE: "OPERATION_TYPE_DELETE",
+  READ: "OPERATION_TYPE_READ",
+  WRITE: "OPERATION_TYPE_WRITE",
+};
+
+const PROTO_ACTION_TYPES_REQUEST_HANDLER = [
+  "OPERATION_TYPE_CREATE",
+  "OPERATION_TYPE_GET",
+  "OPERATION_TYPE_LIST",
+];
+
+module.exports.PROTO_ACTION_TYPES_REQUEST_HANDLER =
+  PROTO_ACTION_TYPES_REQUEST_HANDLER;
+module.exports.PROTO_ACTION_TYPES = PROTO_ACTION_TYPES;

package/src/handleRequest.js

@@ -5,7 +5,12 @@ const {
 } = require("json-rpc-2.0");
 
 const { getDatabase } = require("./database");
-const { PERMISSION_STATE, PermissionError } = require("./permissions");
+const {
+  PERMISSION_STATE,
+  PermissionError,
+  checkBuiltInPermissions,
+} = require("./permissions");
+const { PROTO_ACTION_TYPES_REQUEST_HANDLER } = require("./consts");
 
 const { errorToJSONRPCResponse, RuntimeErrors } = require("./errors");
 
@@ -13,7 +18,13 @@ const { errorToJSONRPCResponse, RuntimeErrors } = require("./errors");
 // to execute a custom function based on the contents of a jsonrpc-2.0 payload object.
 // To read more about jsonrpc request and response shapes, please read https://www.jsonrpc.org/specification
 async function handleRequest(request, config) {
-  const { createFunctionAPI, createContextAPI, functions } = config;
+  const {
+    createFunctionAPI,
+    createContextAPI,
+    functions,
+    permissions,
+    actionTypes,
+  } = config;
 
   if (!(request.method in functions)) {
     return createJSONRPCErrorResponse(
@@ -33,28 +44,48 @@ async function handleRequest(request, config) {
     // to any of the model apis we provide to the custom function is processed in a transaction.
     // This is useful for permissions where we want to only proceed with database writes if all permission rules
     // have been validated.
-    const result = await db.transaction().execute(async (trx) => {
-      const api = createFunctionAPI({ headers, db: trx });
+    const result = await db.transaction().execute(async (transaction) => {
       const ctx = createContextAPI(request.meta);
+      const api = createFunctionAPI({
+        headers,
+        db: transaction,
+      });
+
+      const customFunction = functions[request.method];
 
       // Call the user's custom function!
-      const fnResult = await functions[request.method](
-        request.params,
-        api,
-        ctx
-      );
+      const fnResult = await customFunction(request.params, api, ctx);
+
+      // api.permissions maintains an internal state of whether the current operation has been *explicitly* permitted/denied by the user in the course of their custom function.
+      // we need to check that the final state is permitted or unpermitted. if it's not, then it means that the user has taken no explicit action to permit/deny
+      // and therefore we default to checking the permissions defined in the schema automatically.
+      switch (api.permissions.getState()) {
+        case PERMISSION_STATE.PERMITTED:
+          return fnResult;
+        case PERMISSION_STATE.UNPERMITTED:
+          throw new PermissionError(
+            `Not permitted to access ${request.method}`
+          );
+        default:
+          // unknown state, proceed with checking against the built in permissions in the schema
+          const relevantPermissions = permissions[request.method];
+
+          const actionType = actionTypes[request.method];
+          // We only want to run permission checks at the handleRequest level for action types list, get and create
+          // Delete and update permission checks need to be baked into the model api because they require reading records to be deleted / updated from the database first in order to ascertain whether the records to be deleted or updated fulfil the permission
+          if (PROTO_ACTION_TYPES_REQUEST_HANDLER.includes(actionType)) {
+            // check will throw a PermissionError if a permission rule is invalid
+            await checkBuiltInPermissions({
+              rows: fnResult,
+              permissions: relevantPermissions,
+              db: transaction,
+              ctx,
+              functionName: request.method,
+            });
+          }
 
-      // api.permissions maintains an internal state of whether the current operation has been permitted either by the user or by built-in permission rules
-      // we need to check that the final state is permitted. if it's not, then we want to rollback
-      // the transaction
-      if (api.permissions.getState() !== PERMISSION_STATE.PERMITTED) {
-        // Any error thrown inside of Kysely's transaction execute() will cause the transaction to be rolled back.
-        // PermissionError is handled by our JSONRPC error serialisation code
-        throw new PermissionError(`Not permitted to access ${request.method}`);
-      } else {
-        // otherwise, if everything is permitted, then we just return the function result from
-        // the transaction closure.
-        return fnResult;
+          // If the built in permission check above doesn't throw, then it means that the request is permitted and we can continue returning the return value from the custom function out of the transaction
+          return fnResult;
       }
     });
 

package/src/handleRequest.test.js

@@ -5,6 +5,7 @@ import { test, expect, beforeEach, describe } from "vitest";
 import { ModelAPI } from "./ModelAPI";
 import { getDatabase } from "./database";
 import { Permissions } from "./permissions";
+import { PROTO_ACTION_TYPES } from "./consts";
 
 import KSUID from "ksuid";
 
@@ -22,6 +23,9 @@ test("when the custom function returns expected value", async () => {
         };
       },
     },
+    actionTypes: {
+      createPost: PROTO_ACTION_TYPES.CREATE,
+    },
     createFunctionAPI: ({ headers, db }) => {
       return {
         permissions: new Permissions(),
@@ -52,6 +56,10 @@ test("when the custom function doesnt return a value", async () => {
         api.permissions.allow();
       },
     },
+    permissions: {},
+    actionTypes: {
+      createPost: PROTO_ACTION_TYPES.CREATE,
+    },
     createFunctionAPI: ({ headers, db }) => {
       return {
         permissions: new Permissions(),
@@ -77,6 +85,9 @@ test("when there is no matching function for the path", async () => {
     functions: {
       createPost: async (inputs, api, ctx) => {},
     },
+    actionTypes: {
+      createPost: PROTO_ACTION_TYPES.CREATE,
+    },
     createFunctionAPI: ({ headers, db }) => {
       return {
         permissions: new Permissions(),
@@ -100,12 +111,15 @@ test("when there is no matching function for the path", async () => {
 test("when there is an unexpected error in the custom function", async () => {
   const config = {
     functions: {
-      createPost: (inputs, api, ctx) => {
+      createPost: async (inputs, api, ctx) => {
         api.permissions.allow();
 
         throw new Error("oopsie daisy");
       },
     },
+    actionTypes: {
+      createPost: PROTO_ACTION_TYPES.CREATE,
+    },
     createFunctionAPI: ({ headers, db }) => {
       return {
         permissions: new Permissions(),
@@ -129,12 +143,15 @@ test("when there is an unexpected error in the custom function", async () => {
 test("when there is an unexpected object thrown in the custom function", async () => {
   const config = {
     functions: {
-      createPost: (inputs, api, ctx) => {
+      createPost: async (inputs, api, ctx) => {
         api.permissions.allow();
 
         throw { err: "oopsie daisy" };
       },
     },
+    actionTypes: {
+      createPost: PROTO_ACTION_TYPES.CREATE,
+    },
     createFunctionAPI: ({ headers, db }) => {
       return {
         permissions: new Permissions(),
@@ -189,6 +206,7 @@ describe("ModelAPI error handling", () => {
     `.execute(db);
 
     functionConfig = {
+      permissions: {},
       functions: {
         createPost: async (inputs, api, ctx) => {
           api.permissions.allow();

package/src/index.d.ts

@@ -1,6 +1,3 @@
-// This file doesn't contain types describing this package, rather it contains generic types
-// that are used by the generated @teamkeel/sdk package.
-
 export type IDWhereCondition = {
   equals?: string | null;
   oneOf?: string[] | null;
@@ -68,9 +65,6 @@ export type RequestHeaders = {
 export declare class Permissions {
   constructor();
 
-  // check() can be used to check the given row(s) against the permission rules defined in the schema
-  async check(rows: any | any[]): Promise<void>;
-
   // allow() can be used to explicitly permit access to an action
   allow(): void;
 

package/src/index.js

@@ -3,7 +3,11 @@ const { RequestHeaders } = require("./RequestHeaders");
 const { handleRequest } = require("./handleRequest");
 const KSUID = require("ksuid");
 const { getDatabase } = require("./database");
-const { Permissions, PERMISSION_STATE } = require("./permissions");
+const {
+  Permissions,
+  PERMISSION_STATE,
+  checkBuiltInPermissions,
+} = require("./permissions");
 
 module.exports = {
   ModelAPI,
@@ -12,6 +16,7 @@ module.exports = {
   getDatabase,
   Permissions,
   PERMISSION_STATE,
+  checkBuiltInPermissions,
   ksuid() {
     return KSUID.randomSync().string;
   },

package/src/permissions.js

@@ -1,6 +1,7 @@
 class PermissionError extends Error {}
 
 const PERMISSION_STATE = {
+  UNKNOWN: "unknown",
   PERMITTED: "permitted",
   UNPERMITTED: "unpermitted",
 };
@@ -14,10 +15,6 @@ class Permissions {
     };
   }
 
-  async check(rows) {
-    throw new Error("Not implemented");
-  }
-
   allow() {
     this.state.permitted = true;
   }
@@ -25,22 +22,49 @@ class Permissions {
   deny() {
     // if a user is explicitly calling deny() then we want to throw an error
     // so that any further execution of the custom function stops abruptly
-    // we don't need to explicitly set pending to false as the error will have been thrown
-    // so we know an action has been taken
+    this.state.permitted = false;
+
     throw new PermissionError();
   }
 
   getState() {
     switch (true) {
-      // this will cover both permitted being false, and null (initial state)
-      case !this.state.permitted:
+      case this.state.permitted === false:
         return PERMISSION_STATE.UNPERMITTED;
-      default:
+      case this.state.permitted === null:
+        return PERMISSION_STATE.UNKNOWN;
+      case this.state.permitted === true:
         return PERMISSION_STATE.PERMITTED;
     }
   }
 }
 
+const checkBuiltInPermissions = async ({
+  rows,
+  permissions,
+  ctx,
+  db,
+  functionName,
+}) => {
+  // rows can actually just be a single record too so we need to wrap it
+  if (!Array.isArray(rows)) {
+    rows = [rows];
+  }
+
+  for (const permissionFn of permissions) {
+    const result = await permissionFn(rows, ctx, db);
+
+    // if any of the permission functions return true,
+    // then we return early
+    if (result) {
+      return;
+    }
+  }
+
+  throw new PermissionError(`Not permitted to access ${functionName}`);
+};
+
+module.exports.checkBuiltInPermissions = checkBuiltInPermissions;
 module.exports.PermissionError = PermissionError;
 module.exports.PERMISSION_STATE = PERMISSION_STATE;
 module.exports.Permissions = Permissions;

package/src/permissions.test.js

@@ -1,31 +1,120 @@
-import { Permissions, PERMISSION_STATE, PermissionError } from "./permissions";
+import {
+  Permissions,
+  PERMISSION_STATE,
+  PermissionError,
+  checkBuiltInPermissions,
+} from "./permissions";
+import { getDatabase } from "./database";
 
-import { beforeEach, expect, test } from "vitest";
+import { beforeEach, describe, expect, test } from "vitest";
+
+process.env.KEEL_DB_CONN_TYPE = "pg";
+process.env.KEEL_DB_CONN = `postgresql://postgres:postgres@localhost:5432/functions-runtime`;
 
 let permissions;
+let ctx = {};
+let db = getDatabase();
 
-beforeEach(() => {
-  permissions = new Permissions();
-});
+describe("explicit", () => {
+  beforeEach(() => {
+    permissions = new Permissions();
+  });
 
-test("explicitly allowing execution", () => {
-  expect(permissions.getState()).toEqual(PERMISSION_STATE.UNPERMITTED);
+  test("explicitly allowing execution", () => {
+    expect(permissions.getState()).toEqual(PERMISSION_STATE.UNKNOWN);
 
-  permissions.allow();
+    permissions.allow();
 
-  expect(permissions.getState()).toEqual(PERMISSION_STATE.PERMITTED);
-});
+    expect(permissions.getState()).toEqual(PERMISSION_STATE.PERMITTED);
+  });
 
-test("explicitly denying execution", () => {
-  expect(permissions.getState()).toEqual(PERMISSION_STATE.UNPERMITTED);
+  test("explicitly denying execution", () => {
+    expect(permissions.getState()).toEqual(PERMISSION_STATE.UNKNOWN);
 
-  expect(() => permissions.deny()).toThrowError(PermissionError);
+    expect(() => permissions.deny()).toThrowError(PermissionError);
 
-  expect(permissions.getState()).toEqual(PERMISSION_STATE.UNPERMITTED);
+    expect(permissions.getState()).toEqual(PERMISSION_STATE.UNPERMITTED);
+  });
 });
 
-test("check", async () => {
-  await expect(() => permissions.check()).rejects.toThrowError(
-    "Not implemented"
-  );
+describe("check", () => {
+  const functionName = "createPerson";
+
+  test("check - success", async () => {
+    const permissionRule1 = (records, ctx, db) => {
+      // Only allow names starting with Adam
+      return records.every((r) => r.name.startsWith("Adam"));
+    };
+
+    const rows = [
+      {
+        id: "123",
+        name: "Adam Bull",
+      },
+      {
+        id: "234",
+        name: "Adam Lambert",
+      },
+    ];
+
+    await expect(
+      checkBuiltInPermissions({
+        rows,
+        ctx,
+        db,
+        functionName,
+        permissions: [permissionRule1],
+      })
+    ).resolves.ok;
+  });
+
+  test("check - failure", async () => {
+    // only allow Petes
+    const permissionRule1 = (records, ctx, db) => {
+      return records.every((r) => r.name === "Pete");
+    };
+
+    const rows = [
+      {
+        id: "123",
+        name: "Adam", // this one will cause an error to be thrown because Adam is not Pete
+      },
+      {
+        id: "234",
+        name: "Pete",
+      },
+    ];
+
+    await expect(
+      checkBuiltInPermissions({
+        rows,
+        ctx,
+        db,
+        functionName,
+        permissions: [permissionRule1],
+      })
+    ).rejects.toThrow();
+  });
+
+  test("with a single row", async () => {
+    const permissionRule1 = (records, ctx, db) => {
+      // Only allow names starting with Adam
+      return records.every((r) => r.name.startsWith("Adam"));
+    };
+
+    const rows = {
+      id: "123",
+      name: "Adam Bull",
+    };
+
+    await expect(
+      checkBuiltInPermissions({
+        rows,
+        ctx,
+        db,
+        functionName,
+        permissions: [permissionRule1],
+      })
+    ).resolves.ok;
+  });
 });