npm - aws-service-stack - Versions diffs - 0.18.372 → 0.18.374 - Mend

aws-service-stack 0.18.372 → 0.18.374

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (64) hide show

package/README.md +150 -0
package/dist/_examples/controller/property/property-crud.d.ts +4 -0
package/dist/_examples/controller/property/property-crud.js +58 -0
package/dist/_examples/controller/property/property-crud.js.map +1 -0
package/dist/_examples/controller/property/property.config.d.ts +10 -0
package/dist/_examples/controller/property/property.config.js +53 -0
package/dist/_examples/controller/property/property.config.js.map +1 -0
package/dist/_examples/controller/property/property.controller.d.ts +14 -0
package/dist/_examples/controller/property/property.controller.js +72 -0
package/dist/_examples/controller/property/property.controller.js.map +1 -0
package/dist/_examples/controller/property/property.permissions.d.ts +2 -0
package/dist/_examples/controller/property/property.permissions.js +19 -0
package/dist/_examples/controller/property/property.permissions.js.map +1 -0
package/dist/controller/controller-api.d.ts +5 -0
package/dist/controller/controller-api.js +29 -1
package/dist/controller/controller-api.js.map +1 -1
package/dist/controller/controller-role.d.ts +53 -0
package/dist/controller/controller-role.js +216 -0
package/dist/controller/controller-role.js.map +1 -0
package/dist/controller/index.d.ts +1 -0
package/dist/controller/index.js +1 -0
package/dist/controller/index.js.map +1 -1
package/dist/function/cognito/cognito.function.d.ts +15 -0
package/dist/function/cognito/cognito.function.js +45 -0
package/dist/function/cognito/cognito.function.js.map +1 -1
package/dist/function/cognito/index.d.ts +5 -1
package/dist/function/cognito/index.js +4 -0
package/dist/function/cognito/index.js.map +1 -1
package/dist/function/index.d.ts +4 -0
package/dist/model/base.config.d.ts +5 -1
package/dist/model/base.config.js +7 -0
package/dist/model/base.config.js.map +1 -1
package/dist/model/base.model.d.ts +15 -0
package/dist/model/base.model.js +4 -1
package/dist/model/base.model.js.map +1 -1
package/dist/model/index.d.ts +1 -0
package/dist/model/index.js.map +1 -1
package/dist/model/role.model.d.ts +20 -0
package/dist/model/role.model.js +12 -0
package/dist/model/role.model.js.map +1 -0
package/dist/model/validation.model.d.ts +1 -1
package/dist/model/validation.model.js.map +1 -1
package/dist/service/index.d.ts +3 -0
package/dist/service/index.js +3 -0
package/dist/service/index.js.map +1 -1
package/dist/service/permission.cache.d.ts +24 -0
package/dist/service/permission.cache.js +61 -0
package/dist/service/permission.cache.js.map +1 -0
package/dist/service/permission.repo.d.ts +16 -0
package/dist/service/permission.repo.js +63 -0
package/dist/service/permission.repo.js.map +1 -0
package/dist/service/permission.service.d.ts +39 -0
package/dist/service/permission.service.js +151 -0
package/dist/service/permission.service.js.map +1 -0
package/dist/utils/date.util.d.ts +0 -13
package/dist/utils/date.util.js +0 -35
package/dist/utils/date.util.js.map +1 -1
package/dist/utils/index.d.ts +0 -1
package/dist/utils/index.js +0 -1
package/dist/utils/index.js.map +1 -1
package/package.json +31 -31
package/dist/utils/data.util.d.ts +0 -20
package/dist/utils/data.util.js +0 -73
package/dist/utils/data.util.js.map +0 -1

package/README.md CHANGED Viewed

@@ -420,6 +420,156 @@ new Function(this, "MyFunction", {
 });
 ```
+## 🔐 Role-Based Access Control (RBAC)
+The framework provides a centralized RBAC system through `ControllerRole`, which manages Cognito user pool groups, DynamoDB-backed permissions, and scope-based data filtering — all integrated directly into `ControllerApi`.
+### Architecture
+```
+┌──────────────────┐
+│  ControllerApi   │ ← Delegates RBAC check automatically
+├──────────────────┤
+│  ControllerRole  │ ← Permission CRUD, Cognito groups, scope enforcement
+├──────────────────┤
+│PermissionService │ ← Read-through cache (15-min TTL) + orchestration
+├──────────────────┤
+│  PermissionRepo  │ ← DynamoDB via BaseRepoDBImpl
+└──────────────────┘
+```
+### Permission Model
+Each permission is stored in DynamoDB with the composite key `role#resource#scope`:
+```typescript
+interface Permission {
+  id: string;
+  role: string; // Cognito group name: "Manager", "Agent"
+  resource: string; // API resource: "property", "order"
+  scope: string; // Data scope: "Organization", "Branch", "Agent"
+  method: {
+    get?: boolean;
+    post?: boolean;
+    patch?: boolean;
+    put?: boolean;
+    delete?: boolean;
+  };
+  permissionKey: string; // "Manager#property#Branch"
+}
+```
+### Configuration
+Enable RBAC by adding `ROLE_TABLE`, `ROLE_PATH`, and `SCOPE_MAP` to your entity config:
+```typescript
+import { EntityConfigImpl, ScopeMap } from "@chinggis/core";
+const scopeMap: ScopeMap = new Map([
+  ["Organization", { filterField: "orgId", claimKey: "custom:orgId" }],
+  ["Branch", { filterField: "branchId", claimKey: "custom:branch" }],
+  ["Agent", { filterField: "agentId", claimKey: "custom:agent" }],
+]);
+export class PropertyConfig extends EntityConfigImpl {
+  constructor() {
+    super("/properties", ["adminUsers"]);
+    this.setDynamoDB("property-dev", "owner", indexMap)
+      .setOpenSearch(domain, "property")
+      .setPolicies(policyList)
+      .setScopes(scopeMap)
+      .setRoleTable("role-permissions-dev")
+      .setRolePath("/properties/role");
+  }
+}
+```
+When both `ROLE_TABLE` and `SCOPE_MAP` are configured, `ControllerApi` automatically creates a `ControllerRole` instance and enforces RBAC on every request.
+### How It Works
+1. **Request arrives** at `ControllerApi.resolveCrudRequest()`
+2. If RBAC is configured, `ControllerRole.checkRbacAccess()` is called
+3. User's **role** is extracted from JWT `groups[0]`
+4. **Scope** is read from `?scope=Branch` query parameter and validated against `ScopeMap`
+5. Permission is checked via `PermissionService` (with in-memory cache)
+6. On success, **scope filter** is applied (e.g., `filter.branchId = identity["custom:branch"]`)
+7. On failure, `403 PermissionDenied` is thrown
+### Permission CRUD Endpoints
+When `ROLE_PATH` is configured, permission management endpoints are automatically available:
+```
+GET     /properties/role               # List all permissions
+POST    /properties/role               # Create a permission
+PATCH   /properties/role               # Update a permission
+DELETE  /properties/role               # Delete a permission
+POST    /properties/role/add-role      # Create a Cognito user pool group
+POST    /properties/role/add-user-role # Add a User to cognito group
+```
+#### Create a Permission
+```json
+POST /properties/role
+{
+  "role": "Manager",
+  "resource": "property",
+  "scope": "Branch",
+  "method": { "get": true, "post": true, "patch": true, "delete": false }
+}
+```
+#### Create a Cognito Group (Role)
+```json
+POST /properties/role/add-role
+{
+  "groupName": "Manager",
+  "description": "Branch-level managers"
+}
+```
+### Programmatic Usage
+`ControllerRole` can also be used directly in custom controllers or services:
+```typescript
+import { ControllerRole } from "@chinggis/core";
+const roleController = new ControllerRole("role-permissions-dev");
+// Permission CRUD
+await roleController.addPermission({
+  role: "Manager",
+  resource: "property",
+  scope: "Branch",
+  method: { get: true, post: true, patch: true },
+});
+await roleController.listPermissions();
+await roleController.updatePermission("perm-id", { method: { delete: true } });
+await roleController.deletePermission("perm-id");
+// Permission check
+const allowed = await roleController.hasPermission("Manager", "property", "Branch", "GET");
+// Cognito group management
+await roleController.addRole("us-east-1_PoolId", "Manager", "Branch-level managers");
+await roleController.assignRole("us-east-1_PoolId", "john@example.com", "Manager");
+```
+### Caching
+`PermissionService` uses a read-through cache with **15-minute TTL** optimized for Lambda warm invocations:
+- Cache hits return instantly without DB calls
+- Concurrent requests for the same key are deduplicated (single in-flight fetch)
+- Cache is automatically invalidated on create, update, and delete operations
 ## 🤝 Contributing
 1. Fork the repository

package/dist/_examples/controller/property/property-crud.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import "reflect-metadata";
+import { APIGatewayProxyEvent } from "aws-lambda";
+import "./property.controller";
+export declare const handler: (event: APIGatewayProxyEvent) => Promise<import("src/utils").APIResponse>;

package/dist/_examples/controller/property/property-crud.js ADDED Viewed

@@ -0,0 +1,58 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.handler = void 0;
+require("reflect-metadata");
+const typedi_1 = __importStar(require("typedi"));
+require("./property.controller");
+const handler = (event) => typedi_1.default.get(HelperCDI).process(event);
+exports.handler = handler;
+let HelperCDI = class HelperCDI {
+    controller = typedi_1.default.get("PropertyController");
+    async process(event) {
+        console.log("example Processing...");
+        return this.controller.resolveCrudRequest(event);
+    }
+};
+HelperCDI = __decorate([
+    (0, typedi_1.Service)()
+], HelperCDI);
+//# sourceMappingURL=property-crud.js.map

package/dist/_examples/controller/property/property-crud.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"property-crud.js","sourceRoot":"","sources":["../../../../src/_examples/controller/property/property-crud.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,4BAA0B;AAC1B,iDAA4C;AAG5C,iCAA+B;AAExB,MAAM,OAAO,GAAG,CAAC,KAA2B,EAAE,EAAE,CAAC,gBAAS,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;AAAnF,QAAA,OAAO,WAA4E;AAGhG,IAAM,SAAS,GAAf,MAAM,SAAS;IACL,UAAU,GAAuB,gBAAS,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;IAE7E,KAAK,CAAC,OAAO,CAAC,KAA2B;QACvC,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;QACrC,OAAO,IAAI,CAAC,UAAU,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC;IACnD,CAAC;CACF,CAAA;AAPK,SAAS;IADd,IAAA,gBAAO,GAAE;GACJ,SAAS,CAOd","sourcesContent":["import \"reflect-metadata\";\nimport Container, { Service } from \"typedi\";\nimport { APIGatewayProxyEvent } from \"aws-lambda\";\nimport { PropertyController } from \"./property.controller\";\nimport \"./property.controller\";\n\nexport const handler = (event: APIGatewayProxyEvent) => Container.get(HelperCDI).process(event);\n\n@Service()\nclass HelperCDI {\n private controller: PropertyController = Container.get(\"PropertyController\");\n\n async process(event: APIGatewayProxyEvent) {\n console.log(\"example Processing...\");\n return this.controller.resolveCrudRequest(event);\n }\n}\n"]}

package/dist/_examples/controller/property/property.config.d.ts ADDED Viewed

@@ -0,0 +1,10 @@
+import { EntityConfigImpl } from "../../../model/base.config";
+export declare const openSearch_order: {
+    domain: string;
+    index: string;
+};
+export declare const path = "/property";
+export declare class PropertyConfig extends EntityConfigImpl {
+    constructor();
+}
+export declare const CONFIG_PROPERTY: PropertyConfig;

package/dist/_examples/controller/property/property.config.js ADDED Viewed

@@ -0,0 +1,53 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CONFIG_PROPERTY = exports.PropertyConfig = exports.path = exports.openSearch_order = void 0;
+const base_config_1 = require("../../../model/base.config");
+const core_1 = require("../../../index.js");
+const order_repo_db_interface_1 = require("../../repositories/order/order-repo-db.interface");
+// OpenSearch configuration
+exports.openSearch_order = {
+    domain: "https://search-amplify-opense-1ddfdekgbbpwe-kgxh6aum57h2wc4moozm2jcvom.ap-southeast-1.es.amazonaws.com",
+    index: "order",
+};
+exports.path = "/property"; // url path base
+// Order configuration
+class PropertyConfig extends base_config_1.EntityConfigImpl {
+    constructor() {
+        // DYNAMODB
+        const tableName = "Property-dev";
+        const ownerFieldName = "ownerId";
+        const indexMap = new core_1.DynamoIndexMap()
+            .setFields("ownerId")
+            .set("byAgent", { field: "agentId", rFields: ["agentId"] })
+            .set("propertyByBranch", { field: "branchId", rFields: ["branchId"] })
+            .set("byOrg", { field: "organizationId", rFields: ["organizationId"] });
+        // PERMISSIONS
+        const adminGroupNames = ["adminUsers"];
+        const policyList = [
+            { method: core_1.HttpMethod.GET, path: `${exports.path}`, access: [core_1.Access.USER, core_1.Access.PUBLIC, core_1.Access.ADMIN] },
+            { method: core_1.HttpMethod.GET, path: `${exports.path}/search`, access: [core_1.Access.USER], response: order_repo_db_interface_1.RESPONSE_FIELDS_LIST },
+            { method: core_1.HttpMethod.GET, path: `${exports.path}/search/query`, access: [core_1.Access.USER], response: order_repo_db_interface_1.RESPONSE_FIELDS_LIST },
+            { method: core_1.HttpMethod.GET, path: `${exports.path}/search/query/total-count`, access: [core_1.Access.USER] },
+            { method: core_1.HttpMethod.GET, path: `${exports.path}/{id}`, access: [core_1.Access.USER], response: order_repo_db_interface_1.RESPONSE_FIELDS_DETAILS },
+            { method: core_1.HttpMethod.POST, path: `${exports.path}`, access: [core_1.Access.USER], validator: order_repo_db_interface_1.CREATE, response: order_repo_db_interface_1.RESPONSE_FIELDS_DETAILS },
+            { method: core_1.HttpMethod.PUT, path: `${exports.path}/{id}`, access: [core_1.Access.USER], validator: order_repo_db_interface_1.REPLACE, response: order_repo_db_interface_1.RESPONSE_FIELDS_DETAILS },
+            { method: core_1.HttpMethod.PATCH, path: `${exports.path}/{id}`, access: [core_1.Access.USER], validator: order_repo_db_interface_1.UPDATE, response: order_repo_db_interface_1.RESPONSE_FIELDS_DETAILS },
+            { method: core_1.HttpMethod.DELETE, path: `${exports.path}/{id}`, access: [core_1.Access.USER] },
+        ];
+        // SCOPES
+        const scopeMap = new core_1.ScopeMap()
+            .set("branch", { filterField: "branchId", claimKey: "sub" })
+            .set("agent", { filterField: "agentId", claimKey: "custom:agent" })
+            .set("org", { filterField: "organizationId", claimKey: "custom:org" });
+        // INIT
+        super(exports.path, adminGroupNames);
+        this.setDynamoDB(tableName, ownerFieldName, indexMap)
+            .setOpenSearch(exports.openSearch_order.domain, exports.openSearch_order.index)
+            .setPolicies(policyList)
+            .setPermissionMap({ scopeMap, roleTable: "Permission-dev", rolePath: "/permission/plp" });
+    }
+}
+exports.PropertyConfig = PropertyConfig;
+// Export default Order configuration
+exports.CONFIG_PROPERTY = new PropertyConfig();
+//# sourceMappingURL=property.config.js.map

package/dist/_examples/controller/property/property.config.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"property.config.js","sourceRoot":"","sources":["../../../../src/_examples/controller/property/property.config.ts"],"names":[],"mappings":";;;AAAA,4DAA8D;AAC9D,yCAAwG;AACxG,8FAM0D;AAE1D,2BAA2B;AACd,QAAA,gBAAgB,GAAG;IAC9B,MAAM,EAAE,wGAAwG;IAChH,KAAK,EAAE,OAAO;CACf,CAAC;AACW,QAAA,IAAI,GAAG,WAAW,CAAC,CAAC,gBAAgB;AAEjD,sBAAsB;AACtB,MAAa,cAAe,SAAQ,8BAAgB;IAClD;QACE,WAAW;QACX,MAAM,SAAS,GAAG,cAAc,CAAC;QACjC,MAAM,cAAc,GAAG,SAAS,CAAC;QACjC,MAAM,QAAQ,GAAG,IAAI,qBAAc,EAAE;aAClC,SAAS,CAAC,SAAS,CAAC;aACpB,GAAG,CAAC,SAAS,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC;aAC1D,GAAG,CAAC,kBAAkB,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC,UAAU,CAAC,EAAE,CAAC;aACrE,GAAG,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,gBAAgB,EAAE,OAAO,EAAE,CAAC,gBAAgB,CAAC,EAAE,CAAC,CAAC;QAE1E,cAAc;QACd,MAAM,eAAe,GAAG,CAAC,YAAY,CAAC,CAAC;QAEvC,MAAM,UAAU,GAAqB;YACnC,EAAE,MAAM,EAAE,iBAAC,CAAC,GAAG,EAAE,IAAI,EAAE,GAAG,YAAI,EAAE,EAAE,MAAM,EAAE,CAAC,aAAC,CAAC,IAAI,EAAE,aAAC,CAAC,MAAM,EAAE,aAAC,CAAC,KAAK,CAAC,EAAE;YACvE,EAAE,MAAM,EAAE,iBAAC,CAAC,GAAG,EAAE,IAAI,EAAE,GAAG,YAAI,SAAS,EAAE,MAAM,EAAE,CAAC,aAAC,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,8CAAQ,EAAE;YAC/E,EAAE,MAAM,EAAE,iBAAC,CAAC,GAAG,EAAE,IAAI,EAAE,GAAG,YAAI,eAAe,EAAE,MAAM,EAAE,CAAC,aAAC,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,8CAAQ,EAAE;YACrF,EAAE,MAAM,EAAE,iBAAC,CAAC,GAAG,EAAE,IAAI,EAAE,GAAG,YAAI,2BAA2B,EAAE,MAAM,EAAE,CAAC,aAAC,CAAC,IAAI,CAAC,EAAE;YAC7E,EAAE,MAAM,EAAE,iBAAC,CAAC,GAAG,EAAE,IAAI,EAAE,GAAG,YAAI,OAAO,EAAE,MAAM,EAAE,CAAC,aAAC,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,iDAAQ,EAAE;YAC7E,EAAE,MAAM,EAAE,iBAAC,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,YAAI,EAAE,EAAE,MAAM,EAAE,CAAC,aAAC,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,gCAAM,EAAE,QAAQ,EAAE,iDAAQ,EAAE;YAC5F,EAAE,MAAM,EAAE,iBAAC,CAAC,GAAG,EAAE,IAAI,EAAE,GAAG,YAAI,OAAO,EAAE,MAAM,EAAE,CAAC,aAAC,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,iCAAO,EAAE,QAAQ,EAAE,iDAAQ,EAAE;YACjG,EAAE,MAAM,EAAE,iBAAC,CAAC,KAAK,EAAE,IAAI,EAAE,GAAG,YAAI,OAAO,EAAE,MAAM,EAAE,CAAC,aAAC,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,gCAAM,EAAE,QAAQ,EAAE,iDAAQ,EAAE;YAClG,EAAE,MAAM,EAAE,iBAAC,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,YAAI,OAAO,EAAE,MAAM,EAAE,CAAC,aAAC,CAAC,IAAI,CAAC,EAAE;SAC7D,CAAC;QAEF,SAAS;QACT,MAAM,QAAQ,GAAG,IAAI,eAAQ,EAAE;aAC5B,GAAG,CAAC,QAAQ,EAAE,EAAE,WAAW,EAAE,UAAU,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;aAC3D,GAAG,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,SAAS,EAAE,QAAQ,EAAE,cAAc,EAAE,CAAC;aAClE,GAAG,CAAC,KAAK,EAAE,EAAE,WAAW,EAAE,gBAAgB,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC,CAAC;QAEzE,OAAO;QACP,KAAK,CAAC,YAAI,EAAE,eAAe,CAAC,CAAC;QAC7B,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,cAAc,EAAE,QAAQ,CAAC;aAClD,aAAa,CAAC,wBAAgB,CAAC,MAAM,EAAE,wBAAgB,CAAC,KAAK,CAAC;aAC9D,WAAW,CAAC,UAAU,CAAC;aACvB,gBAAgB,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,gBAAgB,EAAE,QAAQ,EAAE,iBAAiB,EAAE,CAAC,CAAC;IAC9F,CAAC;CACF;AAvCD,wCAuCC;AAED,qCAAqC;AACxB,QAAA,eAAe,GAAG,IAAI,cAAc,EAAE,CAAC","sourcesContent":["import { EntityConfigImpl } from \"../../../model/base.config\";\nimport { Access as a, DynamoIndexMap, EndpointPolicy, HttpMethod as m, ScopeMap } from \"@chinggis/core\";\nimport {\n CREATE,\n REPLACE,\n RESPONSE_FIELDS_DETAILS as FIELDS_D,\n RESPONSE_FIELDS_LIST as FIELDS_L,\n UPDATE,\n} from \"../../repositories/order/order-repo-db.interface\";\n\n// OpenSearch configuration\nexport const openSearch_order = {\n domain: \"https://search-amplify-opense-1ddfdekgbbpwe-kgxh6aum57h2wc4moozm2jcvom.ap-southeast-1.es.amazonaws.com\",\n index: \"order\",\n};\nexport const path = \"/property\"; // url path base\n\n// Order configuration\nexport class PropertyConfig extends EntityConfigImpl {\n constructor() {\n // DYNAMODB\n const tableName = \"Property-dev\";\n const ownerFieldName = \"ownerId\";\n const indexMap = new DynamoIndexMap()\n .setFields(\"ownerId\")\n .set(\"byAgent\", { field: \"agentId\", rFields: [\"agentId\"] })\n .set(\"propertyByBranch\", { field: \"branchId\", rFields: [\"branchId\"] })\n .set(\"byOrg\", { field: \"organizationId\", rFields: [\"organizationId\"] });\n\n // PERMISSIONS\n const adminGroupNames = [\"adminUsers\"];\n\n const policyList: EndpointPolicy[] = [\n { method: m.GET, path: `${path}`, access: [a.USER, a.PUBLIC, a.ADMIN] },\n { method: m.GET, path: `${path}/search`, access: [a.USER], response: FIELDS_L },\n { method: m.GET, path: `${path}/search/query`, access: [a.USER], response: FIELDS_L },\n { method: m.GET, path: `${path}/search/query/total-count`, access: [a.USER] },\n { method: m.GET, path: `${path}/{id}`, access: [a.USER], response: FIELDS_D },\n { method: m.POST, path: `${path}`, access: [a.USER], validator: CREATE, response: FIELDS_D },\n { method: m.PUT, path: `${path}/{id}`, access: [a.USER], validator: REPLACE, response: FIELDS_D },\n { method: m.PATCH, path: `${path}/{id}`, access: [a.USER], validator: UPDATE, response: FIELDS_D },\n { method: m.DELETE, path: `${path}/{id}`, access: [a.USER] },\n ];\n\n // SCOPES\n const scopeMap = new ScopeMap()\n .set(\"branch\", { filterField: \"branchId\", claimKey: \"sub\" })\n .set(\"agent\", { filterField: \"agentId\", claimKey: \"custom:agent\" })\n .set(\"org\", { filterField: \"organizationId\", claimKey: \"custom:org\" });\n\n // INIT\n super(path, adminGroupNames);\n this.setDynamoDB(tableName, ownerFieldName, indexMap)\n .setOpenSearch(openSearch_order.domain, openSearch_order.index)\n .setPolicies(policyList)\n .setPermissionMap({ scopeMap, roleTable: \"Permission-dev\", rolePath: \"/permission/plp\" });\n }\n}\n\n// Export default Order configuration\nexport const CONFIG_PROPERTY = new PropertyConfig();\n"]}

package/dist/_examples/controller/property/property.controller.d.ts ADDED Viewed

@@ -0,0 +1,14 @@
+import { OrderService } from "../../service/order-service.interface";
+import "../../service/order-service";
+import { Order } from "src/_examples/model-shared/example.model";
+import { HttpRequest } from "src/utils";
+import { ControllerApi } from "src/controller";
+/**
+ * Example Controller for Profile: Validator (Zod) is set centrally.
+ * Scopes are configured in PropertyConfig via ScopeMap.
+ */
+export declare class PropertyController extends ControllerApi<Order, OrderService> {
+    protected processCrudRequest(event: HttpRequest): Promise<any>;
+    constructor();
+    getPermission(permission: string): Promise<boolean>;
+}

package/dist/_examples/controller/property/property.controller.js ADDED Viewed

@@ -0,0 +1,72 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PropertyController = void 0;
+const typedi_1 = __importStar(require("typedi"));
+const property_config_1 = require("./property.config");
+require("../../service/order-service");
+const controller_1 = require("src/controller");
+const property_permissions_1 = require("./property.permissions");
+/**
+ * Example Controller for Profile: Validator (Zod) is set centrally.
+ * Scopes are configured in PropertyConfig via ScopeMap.
+ */
+let PropertyController = class PropertyController extends controller_1.ControllerApi {
+    processCrudRequest(event) {
+        return undefined;
+    }
+    constructor() {
+        const service = typedi_1.default.get("OrderService");
+        super(service, property_config_1.CONFIG_PROPERTY.toObject());
+    }
+    async getPermission(permission) {
+        return (0, property_permissions_1.hasPropertyPermission)(permission);
+    }
+};
+exports.PropertyController = PropertyController;
+exports.PropertyController = PropertyController = __decorate([
+    (0, typedi_1.Service)("PropertyController"),
+    __metadata("design:paramtypes", [])
+], PropertyController);
+//# sourceMappingURL=property.controller.js.map

package/dist/_examples/controller/property/property.controller.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"property.controller.js","sourceRoot":"","sources":["../../../../src/_examples/controller/property/property.controller.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,iDAA4C;AAG5C,uDAAoD;AAEpD,uCAAqC;AAGrC,+CAA+C;AAC/C,iEAA+D;AAE/D;;;GAGG;AAEI,IAAM,kBAAkB,GAAxB,MAAM,kBAAmB,SAAQ,0BAAkC;IAC9D,kBAAkB,CAAC,KAAkB;QAC7C,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;QACE,MAAM,OAAO,GAAiB,gBAAS,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QAC5D,KAAK,CAAC,OAAO,EAAE,iCAAe,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC7C,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,UAAkB;QACpC,OAAO,IAAA,4CAAqB,EAAC,UAAU,CAAC,CAAC;IAC3C,CAAC;CACF,CAAA;AAbY,gDAAkB;6BAAlB,kBAAkB;IAD9B,IAAA,gBAAO,EAAC,oBAAoB,CAAC;;GACjB,kBAAkB,CAa9B","sourcesContent":["import Container, { Service } from \"typedi\";\nimport {} from \"../../../controller/base-controller\";\n\nimport { CONFIG_PROPERTY } from \"./property.config\";\nimport { OrderService } from \"../../service/order-service.interface\";\nimport \"../../service/order-service\";\nimport { Order } from \"src/_examples/model-shared/example.model\";\nimport { HttpRequest } from \"src/utils\";\nimport { ControllerApi } from \"src/controller\";\nimport { hasPropertyPermission } from \"./property.permissions\";\n\n/**\n * Example Controller for Profile: Validator (Zod) is set centrally.\n * Scopes are configured in PropertyConfig via ScopeMap.\n */\n@Service(\"PropertyController\")\nexport class PropertyController extends ControllerApi<Order, OrderService> {\n protected processCrudRequest(event: HttpRequest): Promise<any> {\n return undefined;\n }\n\n constructor() {\n const service: OrderService = Container.get(\"OrderService\");\n super(service, CONFIG_PROPERTY.toObject());\n }\n\n async getPermission(permission: string): Promise<boolean> {\n return hasPropertyPermission(permission);\n }\n}\n"]}

package/dist/_examples/controller/property/property.permissions.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export declare const PROPERTY_PERMISSION_KEYS: Set<string>;
2	+ export declare function hasPropertyPermission(permission: string): boolean;

package/dist/_examples/controller/property/property.permissions.js ADDED Viewed

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PROPERTY_PERMISSION_KEYS = void 0;
+exports.hasPropertyPermission = hasPropertyPermission;
+exports.PROPERTY_PERMISSION_KEYS = new Set([
+    "adminusers.property.branch.GET",
+    "adminusers.property.branch.POST",
+    "user.property.branch.GET",
+    "user.property.agent.GET",
+    "user.property.agent.POST",
+    "owner.property.branch.GET",
+    "owner.property.branch.POST",
+    "owner.property.agent.GET",
+    "owner.property.agent.POST",
+]);
+function hasPropertyPermission(permission) {
+    return exports.PROPERTY_PERMISSION_KEYS.has(permission);
+}
+//# sourceMappingURL=property.permissions.js.map

package/dist/_examples/controller/property/property.permissions.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"property.permissions.js","sourceRoot":"","sources":["../../../../src/_examples/controller/property/property.permissions.ts"],"names":[],"mappings":";;;AAYA,sDAEC;AAdY,QAAA,wBAAwB,GAAG,IAAI,GAAG,CAAS;IACtD,gCAAgC;IAChC,iCAAiC;IACjC,0BAA0B;IAC1B,yBAAyB;IACzB,0BAA0B;IAC1B,2BAA2B;IAC3B,4BAA4B;IAC5B,0BAA0B;IAC1B,2BAA2B;CAC5B,CAAC,CAAC;AAEH,SAAgB,qBAAqB,CAAC,UAAkB;IACtD,OAAO,gCAAwB,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;AAClD,CAAC","sourcesContent":["export const PROPERTY_PERMISSION_KEYS = new Set<string>([\n \"adminusers.property.branch.GET\",\n \"adminusers.property.branch.POST\",\n \"user.property.branch.GET\",\n \"user.property.agent.GET\",\n \"user.property.agent.POST\",\n \"owner.property.branch.GET\",\n \"owner.property.branch.POST\",\n \"owner.property.agent.GET\",\n \"owner.property.agent.POST\",\n]);\n\nexport function hasPropertyPermission(permission: string): boolean {\n return PROPERTY_PERMISSION_KEYS.has(permission);\n}\n"]}

package/dist/controller/controller-api.d.ts CHANGED Viewed

@@ -6,18 +6,23 @@ export declare abstract class ControllerApi<R extends BaseEntity, T extends Crud
     protected readonly service: T;
     protected config: EntityConfig;
     protected adminGroupNames: string[];
+    private roleController;
     protected constructor(baseService: T, config: EntityConfig);
+    /** Return constructor-defined resource name */
+    protected getResource(): string;
     resolveCrudRequest(event: APIGatewayProxyEvent): Promise<APIResponse>;
     setConfig(config: EntityConfig): void;
     processCrudRequestPre(req: HttpRequest): Promise<HttpRequest>;
     processCrudRequestPost(request: HttpRequest, response: R | List<R>): Promise<R | List<R>>;
     protected handleList(methode: HttpMethod, path: string, request: HttpRequest): Promise<any>;
+    protected handlePermission(req: HttpRequest, path: string): Promise<any>;
     protected handleUpdate(entityId: string, requestBody: any, requestedUser?: CognitoUser): Promise<R>;
     protected handleDelete(entityId: string, requestedUser?: CognitoUser): Promise<boolean>;
     protected handleFetch(entityId: string, requestedUser?: CognitoUser): Promise<R>;
     protected handleReplace(entityId: string, entity: any, requestedUser?: CognitoUser): Promise<R>;
     protected handlePostCreate(entity: R, cognitoUser: CognitoUser): Promise<R>;
     protected abstract processCrudRequest(event: HttpRequest): Promise<any>;
+    protected isPermissionRequest(path: string): boolean;
     protected isListRequest(methode: HttpMethod, path: string): boolean;
     protected isUpdateRequest(methode: HttpMethod, path: string): boolean;
     protected isDeleteRequest(methode: HttpMethod, path: string): boolean;

package/dist/controller/controller-api.js CHANGED Viewed

@@ -4,10 +4,12 @@ exports.ControllerApi = void 0;
 const index_1 = require("../index");
 const exception_1 = require("../exception");
 const string_util_1 = require("../utils/string.util");
+const controller_role_1 = require("./controller-role");
 class ControllerApi {
     service;
     config;
     adminGroupNames;
+    roleController;
     constructor(baseService, config) {
         this.service = baseService;
         if (!config)
@@ -16,13 +18,26 @@ class ControllerApi {
         if (config.ADMIN_GROUP_NAME) {
             this.adminGroupNames = config.ADMIN_GROUP_NAME;
         }
+        if (config.PERMISSION_MAP) {
+            this.roleController = new controller_role_1.ControllerRole(config.PERMISSION_MAP.roleTable);
+        }
         this.service.setConfig(config);
     }
+    /** Return constructor-defined resource name */
+    getResource() {
+        return this.config.BASE_PATH.replace("/", "");
+    }
     async resolveCrudRequest(event) {
         try {
             let req = (0, index_1.parseHttpRequest)(event, this.adminGroupNames);
             const policy = (0, index_1.findMatchedPolicy)(req.methode, event?.requestContext?.resourcePath, this.config.ENDPOINT_POLICY);
-            this.checkPermission(policy?.access, req.requestType);
+            if (this.config.PERMISSION_MAP && this.roleController) {
+                const resource = this.getResource();
+                await this.roleController.checkRbacAccess(req, resource, this.config.PERMISSION_MAP.scopeMap, this.adminGroupNames);
+            }
+            else {
+                this.checkPermission(policy?.access, req.requestType);
+            }
             this.validateRequest(policy?.validator, req.body);
             if (req.identity) {
                 log.debug("groups: " + JSON.stringify(req.identity.groups, null, 2));
@@ -78,6 +93,9 @@ class ControllerApi {
             return await this.service.scan(request?.filter || {});
         }
     }
+    async handlePermission(req, path) {
+        return this.roleController.handlePermissionRequest(req, path, this.config.PERMISSION_MAP, this.adminGroupNames);
+    }
     async handleUpdate(entityId, requestBody, requestedUser) {
         if (!entityId)
             throw new exception_1.ErrorHttp({ code: 400, error: "BadRequest" }, "[CORE] Cannot PATCH resource without id field");
@@ -149,6 +167,14 @@ class ControllerApi {
         // Save entity
         return this.service.save(entity, profileId, parentId, cognitoUser);
     }
+    isPermissionRequest(path) {
+        if (this.config.PERMISSION_MAP && this.roleController) {
+            const rolePath = (0, string_util_1.trimSpecialChar)(this.config.PERMISSION_MAP.rolePath);
+            const normalizedPath = (0, string_util_1.trimSpecialChar)(path);
+            return normalizedPath.includes(rolePath);
+        }
+        return false;
+    }
     isListRequest(methode, path) {
         const basePath = (0, string_util_1.trimSpecialChar)(this.config.BASE_PATH);
         const allowedPaths = [
@@ -195,6 +221,8 @@ class ControllerApi {
     async handleCrudByMethod(req) {
         const path = req.event?.requestContext?.resourcePath;
         const entity = this.parseEntity(req.body);
+        if (this.isPermissionRequest(path))
+            return this.handlePermission(req, path);
         if (this.isUpdateRequest(req.methode, path))
             return this.handleUpdate(req.entityId, entity, req.identity);
         if (this.isDeleteRequest(req.methode, path))