@things-factory/auth-base 6.2.50 → 6.2.52

package/dist-server/utils/check-permission.d.ts

@@ -0,0 +1,7 @@
+import { Domain } from '@things-factory/shell';
+import { PrivilegeObject } from '../service/privilege/privilege';
+import { User } from '../service/user/user';
+export declare function checkPermission(privilegeObject: PrivilegeObject, user: User, domain: Domain, unsafeIP?: boolean, prohibitedPrivileges?: {
+    category: string;
+    privilege: string;
+}[]): Promise<boolean>;

package/dist-server/utils/check-permission.js

@@ -0,0 +1,38 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkPermission = void 0;
+const user_1 = require("../service/user/user");
+async function checkPermission(privilegeObject, user, domain, unsafeIP, prohibitedPrivileges) {
+    if (!privilegeObject) {
+        return true;
+    }
+    const { owner: domainOwnerGranted, super: superUserGranted, category, privilege } = privilegeObject;
+    if (unsafeIP) {
+        if (privilege && category) {
+            // unsafeIP 상황에서는 ownership granted는 적용되지 않는다.
+            if ((prohibitedPrivileges || []).find(pp => pp.category == category && pp.privilege == privilege)) {
+                return false;
+            }
+            return await user_1.User.hasPrivilege(privilege, category, domain, user);
+        }
+        // privilege, category가 설정되지 않은 경우에는 ownership granted가 설정되었다면 허가하지 않는다.
+        return !domainOwnerGranted && !superUserGranted;
+    }
+    else {
+        if (!privilege || !category) {
+            // privilege, category가 설정되지 않은 경우에는 ownership granted만을 적용한다.
+            return ((domainOwnerGranted && (await process.domainOwnerGranted(domain, user))) ||
+                (superUserGranted && (await process.superUserGranted(domain, user))));
+        }
+        if ((domainOwnerGranted && (await process.domainOwnerGranted(domain, user))) ||
+            (superUserGranted && (await process.superUserGranted(domain, user)))) {
+            return true;
+        }
+        if ((prohibitedPrivileges || []).find(pp => pp.category == category && pp.privilege == privilege)) {
+            return false;
+        }
+        return await user_1.User.hasPrivilege(privilege, category, domain, user);
+    }
+}
+exports.checkPermission = checkPermission;
+//# sourceMappingURL=check-permission.js.map

package/dist-server/utils/check-permission.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"check-permission.js","sourceRoot":"","sources":["../../server/utils/check-permission.ts"],"names":[],"mappings":";;;AAEA,+CAA2C;AAEpC,KAAK,UAAU,eAAe,CACnC,eAAgC,EAChC,IAAU,EACV,MAAc,EACd,QAAkB,EAClB,oBAAgE;IAEhE,IAAI,CAAC,eAAe,EAAE;QACpB,OAAO,IAAI,CAAA;KACZ;IAED,MAAM,EAAE,KAAK,EAAE,kBAAkB,EAAE,KAAK,EAAE,gBAAgB,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,eAAe,CAAA;IAEnG,IAAI,QAAQ,EAAE;QACZ,IAAI,SAAS,IAAI,QAAQ,EAAE;YACzB,8CAA8C;YAC9C,IAAI,CAAC,oBAAoB,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,QAAQ,IAAI,QAAQ,IAAI,EAAE,CAAC,SAAS,IAAI,SAAS,CAAC,EAAE;gBACjG,OAAO,KAAK,CAAA;aACb;YAED,OAAO,MAAM,WAAI,CAAC,YAAY,CAAC,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,CAAA;SAClE;QAED,wEAAwE;QACxE,OAAO,CAAC,kBAAkB,IAAI,CAAC,gBAAgB,CAAA;KAChD;SAAM;QACL,IAAI,CAAC,SAAS,IAAI,CAAC,QAAQ,EAAE;YAC3B,8DAA8D;YAC9D,OAAO,CACL,CAAC,kBAAkB,IAAI,CAAC,MAAM,OAAO,CAAC,kBAAkB,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC;gBACxE,CAAC,gBAAgB,IAAI,CAAC,MAAM,OAAO,CAAC,gBAAgB,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,CACrE,CAAA;SACF;QAED,IACE,CAAC,kBAAkB,IAAI,CAAC,MAAM,OAAO,CAAC,kBAAkB,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC;YACxE,CAAC,gBAAgB,IAAI,CAAC,MAAM,OAAO,CAAC,gBAAgB,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,EACpE;YACA,OAAO,IAAI,CAAA;SACZ;QAED,IAAI,CAAC,oBAAoB,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,QAAQ,IAAI,QAAQ,IAAI,EAAE,CAAC,SAAS,IAAI,SAAS,CAAC,EAAE;YACjG,OAAO,KAAK,CAAA;SACb;QAED,OAAO,MAAM,WAAI,CAAC,YAAY,CAAC,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,CAAA;KAClE;AACH,CAAC;AA/CD,0CA+CC","sourcesContent":["import { Domain } from '@things-factory/shell'\nimport { PrivilegeObject } from '../service/privilege/privilege'\nimport { User } from '../service/user/user'\n\nexport async function checkPermission(\n  privilegeObject: PrivilegeObject,\n  user: User,\n  domain: Domain,\n  unsafeIP?: boolean,\n  prohibitedPrivileges?: { category: string; privilege: string }[]\n): Promise<boolean> {\n  if (!privilegeObject) {\n    return true\n  }\n\n  const { owner: domainOwnerGranted, super: superUserGranted, category, privilege } = privilegeObject\n\n  if (unsafeIP) {\n    if (privilege && category) {\n      // unsafeIP 상황에서는 ownership granted는 적용되지 않는다.\n      if ((prohibitedPrivileges || []).find(pp => pp.category == category && pp.privilege == privilege)) {\n        return false\n      }\n\n      return await User.hasPrivilege(privilege, category, domain, user)\n    }\n\n    // privilege, category가 설정되지 않은 경우에는 ownership granted가 설정되었다면 허가하지 않는다.\n    return !domainOwnerGranted && !superUserGranted\n  } else {\n    if (!privilege || !category) {\n      // privilege, category가 설정되지 않은 경우에는 ownership granted만을 적용한다.\n      return (\n        (domainOwnerGranted && (await process.domainOwnerGranted(domain, user))) ||\n        (superUserGranted && (await process.superUserGranted(domain, user)))\n      )\n    }\n\n    if (\n      (domainOwnerGranted && (await process.domainOwnerGranted(domain, user))) ||\n      (superUserGranted && (await process.superUserGranted(domain, user)))\n    ) {\n      return true\n    }\n\n    if ((prohibitedPrivileges || []).find(pp => pp.category == category && pp.privilege == privilege)) {\n      return false\n    }\n\n    return await User.hasPrivilege(privilege, category, domain, user)\n  }\n}\n"]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@things-factory/auth-base",
-  "version": "6.2.50",
+  "version": "6.2.52",
   "main": "dist-server/index.js",
   "browser": "dist-client/index.js",
   "things-factory": true,
@@ -30,10 +30,10 @@
     "migration:create": "node ../../node_modules/typeorm/cli.js migration:create -d ./server/migrations"
   },
   "dependencies": {
-    "@things-factory/email-base": "^6.2.50",
+    "@things-factory/email-base": "^6.2.52",
     "@things-factory/env": "^6.2.33",
-    "@things-factory/i18n-base": "^6.2.50",
-    "@things-factory/shell": "^6.2.50",
+    "@things-factory/i18n-base": "^6.2.52",
+    "@things-factory/shell": "^6.2.52",
     "@things-factory/utils": "^6.2.48",
     "jsonwebtoken": "^9.0.0",
     "koa-passport": "^6.0.0",
@@ -43,5 +43,5 @@
     "passport-local": "^1.0.0",
     "popsicle-cookie-jar": "^1.0.0"
   },
-  "gitHead": "4dc51db04b745ac434d2bb874038ac4c3b47989b"
+  "gitHead": "234f95b63937521f1791a9e2141024ee7816d26d"
 }

package/server/index.ts

@@ -16,6 +16,8 @@ export * from './utils/get-secret'
 export * from './utils/check-user-belongs-domain'
 export * from './utils/access-token-cookie'
 export * from './utils/encrypt-state'
+export * from './utils/check-permission'
+
 export * from './errors'
 
 export * from './types'

package/server/service/domain-generator/domain-generator-mutation.ts

@@ -11,7 +11,7 @@ import { DomainGeneratorInput, DomainUserRoleInput } from './domain-generator-ty
 
 @Resolver()
 export class DomainGeneratorMutation {
-  @Directive('@privilege(category: "domain", privilege: "mutation", superUserGranted: true)')
+  @Directive('@privilege(superUserGranted: true)')
   @Directive('@transaction')
   @Mutation(returns => Domain)
   async domainRegister(

package/server/service/privilege/privilege-directive.ts

@@ -3,6 +3,7 @@ import gql from 'graphql-tag'
 
 import { getDirective, MapperKind, mapSchema } from '@graphql-tools/utils'
 import { User } from '../user/user'
+import { checkPermission } from '../../utils/check-permission'
 
 process['PRIVILEGES'] = {}
 
@@ -33,22 +34,29 @@ export const privilegeDirectiveResolver = (schema: GraphQLSchema) =>
         }
 
         fieldConfig.resolve = async function (source, args, context, info) {
-          const { domain, user } = context.state
+          const { domain, user, unsafeIP, prohibitedPrivileges } = context.state
 
-          if (domainOwnerGranted && (await process.domainOwnerGranted(domain, user))) {
-            return await resolve.call(this, source, args, context, info)
-          }
-
-          if (superUserGranted && (await process.superUserGranted(domain, user))) {
-            return await resolve.call(this, source, args, context, info)
-          }
-
-          if (!category || !privilege) throw new Error(`Unauthorized! Access restricted to authorized personnel only`)
-
-          if (await User.hasPrivilege(privilege, category, domain, user)) {
+          if (
+            await checkPermission(
+              {
+                category,
+                privilege,
+                owner: domainOwnerGranted,
+                super: superUserGranted
+              },
+              user,
+              domain,
+              unsafeIP,
+              prohibitedPrivileges
+            )
+          ) {
             return await resolve.call(this, source, args, context, info)
           } else {
-            throw new Error(`Unauthorized! ${category}-${privilege} privilege required`)
+            throw new Error(
+              `Unauthorized! ${
+                category && privilege ? category + ':' + privilege + ' privilege' : 'ownership granted'
+              } required`
+            )
           }
         }
 

package/server/service/privilege/privilege-query.ts

@@ -8,14 +8,6 @@ import { PrivilegeList } from './privilege-types'
 
 @Resolver(Privilege)
 export class PrivilegeQuery {
-  @Directive('@privilege(category: "privilege", privilege: "query", domainOwnerGranted: true, superUserGranted: true)')
-  @Query(returns => Privilege, { description: 'To fetch privilege' })
-  async privilege(@Arg('name') name: string, @Arg('category') category: string): Promise<Privilege> {
-    return await getRepository(Privilege).findOne({
-      where: { name, category }
-    })
-  }
-
   @Directive('@privilege(category: "privilege", privilege: "query", domainOwnerGranted: true, superUserGranted: true)')
   @Query(returns => PrivilegeList, { description: 'To fetch multiple privileges' })
   async privileges(@Args() params: ListParam, @Ctx() context: ResolverContext): Promise<PrivilegeList> {
@@ -23,7 +15,12 @@ export class PrivilegeQuery {
       params,
       repository: getRepository(Privilege),
       alias: 'p',
-      searchables: ['name', 'category']
+      searchables: ['privilege', 'category'],
+      filtersMap: {
+        privilege: {
+          columnName: 'name'
+        }
+      }
     })
       .orderBy('p.category', 'ASC')
       .getManyAndCount()
@@ -42,22 +39,22 @@ export class PrivilegeQuery {
 
   @Query(returns => Boolean, { description: 'To query whether I have the given permission' })
   async hasPrivilege(
-    @Arg('name') name: string,
+    @Arg('privilege') privilege: string,
     @Arg('category') category: string,
     @Ctx() context: ResolverContext
   ): Promise<Boolean> {
     const { domain, user } = context.state
-    return await User.hasPrivilege(name, category, domain, user)
+    return await User.hasPrivilege(privilege, category, domain, user)
   }
 
   @Query(returns => [Domain], { description: 'To fetch domains with given privilege for user' })
   async domainsWithPrivilege(
-    @Arg('name') name: string,
+    @Arg('privilege') privilege: string,
     @Arg('category') category: string,
     @Ctx() context: ResolverContext
   ): Promise<Partial<Domain>[]> {
     const { user } = context.state
-    return await User.getDomainsWithPrivilege(name, category, user)
+    return await User.getDomainsWithPrivilege(privilege, category, user)
   }
 
   @FieldResolver(type => String)
@@ -76,6 +73,11 @@ export class PrivilegeQuery {
     })
   }
 
+  @FieldResolver(type => String)
+  async privilege(@Root() privilege: Privilege, @Ctx() context: ResolverContext) {
+    return privilege.name
+  }
+
   @FieldResolver(type => [Role])
   async roles(@Root() privilege: Privilege) {
     return (

package/server/service/privilege/privilege.ts

@@ -27,9 +27,6 @@ export class PrivilegeObject {
 
   @Field({ nullable: true })
   super?: boolean
-
-  @Field({ nullable: true })
-  protected?: boolean
 }
 
 @InputType()
@@ -45,9 +42,6 @@ export class PrivilegeInput {
 
   @Field({ nullable: true })
   super?: boolean
-
-  @Field({ nullable: true })
-  protected?: boolean
 }
 
 @Entity()

package/server/service/user/user.ts

@@ -312,12 +312,12 @@ export class User {
     }
   }
 
-  static async hasPrivilege(name: string, category: string, domain: Domain, user: User) {
+  static async hasPrivilege(privilege: string, category: string, domain: Domain, user: User) {
     const result = await getRepository(User).query(
       `
       SELECT COUNT(1) AS "has_privilege" FROM "privileges" "PRIVILEGES"
       WHERE "PRIVILEGES"."category" = '${category}'
-      AND "PRIVILEGES"."name" = '${name}'
+      AND "PRIVILEGES"."name" = '${privilege}'
       AND "PRIVILEGES"."id" IN (
         SELECT "RP"."privileges_id"
         FROM "users_roles" "UR"
@@ -334,7 +334,7 @@ export class User {
 
   static async getPrivilegesByDomain(user: User, domain: Domain) {
     const result = await getRepository(User).query(`
-      SELECT name, category FROM "privileges" "PRIVILEGES"
+      SELECT name privilege, category FROM "privileges" "PRIVILEGES"
       WHERE "PRIVILEGES"."id" IN (
         SELECT "RP"."privileges_id"
         FROM "users_roles" "UR"
@@ -347,7 +347,7 @@ export class User {
     return result
   }
 
-  static async getDomainsWithPrivilege(name: string, category: string, user: User) {
-    return getDomainsWithPrivilege(user, name, category)
+  static async getDomainsWithPrivilege(privilege: string, category: string, user: User) {
+    return getDomainsWithPrivilege(user, privilege, category)
   }
 }

package/server/utils/check-permission.ts

@@ -0,0 +1,52 @@
+import { Domain } from '@things-factory/shell'
+import { PrivilegeObject } from '../service/privilege/privilege'
+import { User } from '../service/user/user'
+
+export async function checkPermission(
+  privilegeObject: PrivilegeObject,
+  user: User,
+  domain: Domain,
+  unsafeIP?: boolean,
+  prohibitedPrivileges?: { category: string; privilege: string }[]
+): Promise<boolean> {
+  if (!privilegeObject) {
+    return true
+  }
+
+  const { owner: domainOwnerGranted, super: superUserGranted, category, privilege } = privilegeObject
+
+  if (unsafeIP) {
+    if (privilege && category) {
+      // unsafeIP 상황에서는 ownership granted는 적용되지 않는다.
+      if ((prohibitedPrivileges || []).find(pp => pp.category == category && pp.privilege == privilege)) {
+        return false
+      }
+
+      return await User.hasPrivilege(privilege, category, domain, user)
+    }
+
+    // privilege, category가 설정되지 않은 경우에는 ownership granted가 설정되었다면 허가하지 않는다.
+    return !domainOwnerGranted && !superUserGranted
+  } else {
+    if (!privilege || !category) {
+      // privilege, category가 설정되지 않은 경우에는 ownership granted만을 적용한다.
+      return (
+        (domainOwnerGranted && (await process.domainOwnerGranted(domain, user))) ||
+        (superUserGranted && (await process.superUserGranted(domain, user)))
+      )
+    }
+
+    if (
+      (domainOwnerGranted && (await process.domainOwnerGranted(domain, user))) ||
+      (superUserGranted && (await process.superUserGranted(domain, user)))
+    ) {
+      return true
+    }
+
+    if ((prohibitedPrivileges || []).find(pp => pp.category == category && pp.privilege == privilege)) {
+      return false
+    }
+
+    return await User.hasPrivilege(privilege, category, domain, user)
+  }
+}