kuzzle 2.16.11 → 2.17.2

package/lib/model/security/profile.js

@@ -1,3 +1,4 @@
+"use strict";
 /*
  * Kuzzle, a backend software, self-hostable and ready to use
  * to power modern apps
@@ -18,259 +19,218 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-
-'use strict';
-
-const _ = require('lodash');
-const Bluebird = require('bluebird');
-
-const Rights = require('./rights');
-const kerror = require('../../kerror');
-const { isPlainObject } = require('../../util/safeObject');
-
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Profile = void 0;
+const lodash_1 = __importDefault(require("lodash"));
+const bluebird_1 = __importDefault(require("bluebird"));
+const rights_1 = __importDefault(require("./rights"));
+const kerror = __importStar(require("../../kerror"));
+const safeObject_1 = require("../../util/safeObject");
 const assertionError = kerror.wrap('api', 'assert');
-
 /**
  * @class Profile
  */
 class Profile {
-  constructor() {
-    this._id = null;
-    this.policies = [];
-    this.rateLimit = 0;
-  }
-
-  /**
-   * @param {Kuzzle} kuzzle
-   *
-   * @returns {Promise}
-   */
-  async getPolicies() {
-    if (!global.kuzzle) {
-      throw kerror.get('security', 'profile', 'uninitialized', this._id);
+    constructor() {
+        this._id = null;
+        this.policies = [];
+        this.optimizedPolicies = [];
+        this.rateLimit = 0;
     }
-
-    return Bluebird.map(this.policies, async ({restrictedTo, roleId}) => {
-      const role = await global.kuzzle.ask('core:security:role:get', roleId);
-      return {restrictedTo, role};
-    });
-  }
-
-  /**
-   * @param {Request} request
-   * @param {Kuzzle} kuzzle
-   * @returns {Promise<boolean>}
-   */
-  async isActionAllowed(request) {
-    if (this.policies === undefined || this.policies.length === 0) {
-      return false;
-    }
-
-    const policies = await this.getPolicies();
-
-    const results = await Bluebird.map(
-      policies,
-      policy => policy.role.isActionAllowed(request, policy.restrictedTo));
-
-    return results.includes(true);
-  }
-
-  /**
-   * Validates the Profile format
-   *
-   * @param {Object} [options]
-   * @param {boolean} [options.strict] - If true, only allows resctrictions on
-   *                                     existing indexes/collections
-   * @returns {Promise}
-   */
-  async validateDefinition({ strict = false } = {}) {
-    this.validateRateLimit();
-
-    if (!this.policies) {
-      throw assertionError.get('missing_argument', `${this._id}.policies`);
+    /**
+     * @param {Kuzzle} kuzzle
+     *
+     * @returns {Promise}
+     */
+    async getPolicies() {
+        if (!global.kuzzle) {
+            throw kerror.get('security', 'profile', 'uninitialized', this._id);
+        }
+        return bluebird_1.default.map(this.optimizedPolicies, async ({ restrictedTo, roleId }) => {
+            const role = await global.kuzzle.ask('core:security:role:get', roleId);
+            return { restrictedTo, role };
+        });
     }
-
-    if (!Array.isArray(this.policies)) {
-      throw assertionError.get('invalid_type', `${this._id}.policies`, 'object[]');
+    /**
+     * @param {Request} request
+     * @returns {Promise}
+     */
+    async getAllowedPolicies(request) {
+        if (this.optimizedPolicies === undefined || this.optimizedPolicies.length === 0) {
+            return [];
+        }
+        const policies = await this.getPolicies();
+        return policies.filter(policy => policy.role.isActionAllowed(request));
     }
-
-    if (this.policies.length === 0) {
-      throw assertionError.get('empty_argument', `${this._id}.policies`);
+    /**
+     * @param {Request} request
+     * @returns {Promise<boolean>}
+     */
+    async isActionAllowed(request) {
+        if (this.optimizedPolicies === undefined || this.optimizedPolicies.length === 0) {
+            return false;
+        }
+        const allowedPolicies = await this.getAllowedPolicies(request);
+        return allowedPolicies
+            .some(policy => policy.role.checkRestrictions(request.input.args.index, request.input.args.collection, policy.restrictedTo));
     }
-
-    let i = 0;
-    for (const policy of this.policies) {
-      if (!policy.roleId) {
-        throw assertionError.get('missing_argument', `${this._id}.policies[${i}].roleId`);
-      }
-
-      for (const member of Object.keys(policy)) {
-        if (member !== 'roleId' && member !== 'restrictedTo') {
-          throw assertionError.get(
-            'unexpected_argument',
-            `${this._id}.policies[${i}].${member}`,
-            '"roleId", "restrictedTo"');
+    /**
+     * Validates the Profile format
+     *
+     * @param {Object} [options]
+     * @param {boolean} [options.strict] - If true, only allows resctrictions on
+     *                                     existing indexes/collections
+     * @returns {Promise}
+     */
+    async validateDefinition({ strict = false } = {}) {
+        this.validateRateLimit();
+        if (!this.policies) {
+            throw assertionError.get('missing_argument', `${this._id}.policies`);
         }
-      }
-
-      if (policy.restrictedTo) {
-        if (!Array.isArray(policy.restrictedTo)) {
-          throw assertionError.get(
-            'invalid_type',
-            `${this._id}.policies[${i}].restrictedTo`,
-            'object[]');
+        if (!Array.isArray(this.policies)) {
+            throw assertionError.get('invalid_type', `${this._id}.policies`, 'object[]');
         }
-
-        let j = 0;
-        for (const restriction of policy.restrictedTo) {
-          if (!isPlainObject(restriction)) {
-            throw assertionError.get(
-              'invalid_type',
-              `${this._id}.policies[${i}].restrictedTo[${restriction}]`,
-              'object');
-          }
-
-          if (restriction.index === null || restriction.index === undefined) {
-            throw assertionError.get(
-              'missing_argument',
-              `${this._id}.policies[${i}].restrictedTo[${j}].index`);
-          }
-
-          if (strict) {
-            const indexExists = await global.kuzzle.ask(
-              'core:storage:public:index:exist',
-              restriction.index);
-
-            if (!indexExists) {
-              throw kerror.get(
-                'services',
-                'storage',
-                'unknown_index',
-                restriction.index);
-            }
-          }
-
-          if ( restriction.collections !== undefined
-            && restriction.collections !== null
-          ) {
-            if (!Array.isArray(restriction.collections)) {
-              throw assertionError.get(
-                'invalid_type',
-                `${this._id}.policies[${i}].restrictedTo[${j}].collections`,
-                'string[]');
+        if (this.policies.length === 0) {
+            throw assertionError.get('empty_argument', `${this._id}.policies`);
+        }
+        let i = 0;
+        for (const policy of this.policies) {
+            if (!policy.roleId) {
+                throw assertionError.get('missing_argument', `${this._id}.policies[${i}].roleId`);
             }
-
-            if (strict) {
-              const invalidCollections = [];
-              for (const collection of restriction.collections) {
-                const isValid = await global.kuzzle.ask(
-                  'core:storage:public:collection:exist',
-                  restriction.index,
-                  collection);
-
-                if (!isValid) {
-                  invalidCollections.push(collection);
+            for (const member of Object.keys(policy)) {
+                if (member !== 'roleId' && member !== 'restrictedTo') {
+                    throw assertionError.get('unexpected_argument', `${this._id}.policies[${i}].${member}`, '"roleId", "restrictedTo"');
                 }
-              }
-
-              if (invalidCollections.length > 0) {
-                throw kerror.get(
-                  'services',
-                  'storage',
-                  'unknown_collection',
-                  restriction.index,
-                  invalidCollections);
-              }
             }
-          }
-
-          for (const member of Object.keys(restriction)) {
-            if (member !== 'index' && member !== 'collections') {
-              throw assertionError.get(
-                'unexpected_argument',
-                `${this._id}.policies[${i}].restrictedTo[${j}].${member}`,
-                '"index", "collections"');
+            if (policy.restrictedTo) {
+                if (!Array.isArray(policy.restrictedTo)) {
+                    throw assertionError.get('invalid_type', `${this._id}.policies[${i}].restrictedTo`, 'object[]');
+                }
+                let j = 0;
+                for (const restriction of policy.restrictedTo) {
+                    if (!(0, safeObject_1.isPlainObject)(restriction)) {
+                        throw assertionError.get('invalid_type', `${this._id}.policies[${i}].restrictedTo[${restriction}]`, 'object');
+                    }
+                    if (restriction.index === null || restriction.index === undefined) {
+                        throw assertionError.get('missing_argument', `${this._id}.policies[${i}].restrictedTo[${j}].index`);
+                    }
+                    if (strict) {
+                        const indexExists = await global.kuzzle.ask('core:storage:public:index:exist', restriction.index);
+                        if (!indexExists) {
+                            throw kerror.get('services', 'storage', 'unknown_index', restriction.index);
+                        }
+                    }
+                    if (restriction.collections !== undefined
+                        && restriction.collections !== null) {
+                        if (!Array.isArray(restriction.collections)) {
+                            throw assertionError.get('invalid_type', `${this._id}.policies[${i}].restrictedTo[${j}].collections`, 'string[]');
+                        }
+                        if (strict) {
+                            const invalidCollections = [];
+                            for (const collection of restriction.collections) {
+                                const isValid = await global.kuzzle.ask('core:storage:public:collection:exist', restriction.index, collection);
+                                if (!isValid) {
+                                    invalidCollections.push(collection);
+                                }
+                            }
+                            if (invalidCollections.length > 0) {
+                                throw kerror.get('services', 'storage', 'unknown_collection', restriction.index, invalidCollections);
+                            }
+                        }
+                    }
+                    for (const member of Object.keys(restriction)) {
+                        if (member !== 'index' && member !== 'collections') {
+                            throw assertionError.get('unexpected_argument', `${this._id}.policies[${i}].restrictedTo[${j}].${member}`, '"index", "collections"');
+                        }
+                    }
+                    j++;
+                }
             }
-          }
-
-          j++;
+            i++;
         }
-      }
-
-      i++;
+        return true;
     }
-
-    return true;
-  }
-
-  /**
-   * Resolves an array of rights related to the profile's roles.
-   *
-   * @returns {Promise}
-   */
-  async getRights () {
-    const profileRights = {};
-
-    const policies = await this.getPolicies();
-
-    for (const policy of policies) {
-      const role = policy.role;
-      let restrictedTo = _.cloneDeep(policy.restrictedTo);
-
-      if (restrictedTo === undefined || restrictedTo.length === 0) {
-        restrictedTo = [{collections: ['*'], index: '*'}];
-      }
-
-      for (const [controller, rights] of Object.entries(role.controllers)) {
-        for (const [action, actionRights] of Object.entries(rights.actions)) {
-          for (const restriction of restrictedTo) {
-            if (restriction.collections === undefined
-              || restriction.collections.length === 0
-            ) {
-              restriction.collections = ['*'];
+    /**
+     * Resolves an array of rights related to the profile's roles.
+     *
+     * @returns {Promise}
+     */
+    async getRights() {
+        const profileRights = {};
+        const policies = await this.getPolicies();
+        for (const policy of policies) {
+            const role = policy.role;
+            let restrictedTo = lodash_1.default.cloneDeep(policy.restrictedTo);
+            if (restrictedTo === undefined || restrictedTo.size === 0) {
+                restrictedTo = new Map([['*', ['*']]]);
             }
-
-            for (const collection of restriction.collections) {
-              const rightsItem = {
-                action,
-                collection,
-                controller,
-                index: restriction.index,
-                value: actionRights
-              };
-              const rightsObject = {
-                [this.constructor._hash(rightsItem)]: rightsItem
-              };
-
-              _.assignWith(profileRights, rightsObject, Rights.merge);
+            for (const [controller, rights] of Object.entries(role.controllers)) {
+                for (const [action, actionRights] of Object.entries(rights.actions)) {
+                    for (const [restrictedIndex, restrictedCollections] of restrictedTo.entries()) {
+                        let collections = restrictedCollections;
+                        if (restrictedCollections === undefined
+                            || restrictedCollections.length === 0) {
+                            collections = ['*'];
+                        }
+                        for (const collection of collections) {
+                            const rightsItem = {
+                                action,
+                                collection,
+                                controller,
+                                index: restrictedIndex,
+                                value: actionRights
+                            };
+                            const rightsObject = {
+                                // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+                                // @ts-ignore
+                                [this.constructor._hash(rightsItem)]: rightsItem
+                            };
+                            lodash_1.default.assignWith(profileRights, rightsObject, rights_1.default.merge);
+                        }
+                    }
+                }
             }
-          }
         }
-      }
-    }
-
-    return profileRights;
-  }
-
-  static _hash () {
-    return false;
-  }
-
-  validateRateLimit () {
-    if (this.rateLimit === null || this.rateLimit === undefined) {
-      this.rateLimit = 0;
+        return profileRights;
     }
-
-    if ( typeof this.rateLimit !== 'number'
-      || !Number.isInteger(this.rateLimit)
-    ) {
-      throw assertionError.get('invalid_type', 'rateLimit', 'integer');
+    static _hash() {
+        return false;
     }
-
-    if (this.rateLimit < 0) {
-      throw assertionError.get('invalid_argument', 'rateLimit', 'positive integer, or zero');
+    validateRateLimit() {
+        if (this.rateLimit === null || this.rateLimit === undefined) {
+            this.rateLimit = 0;
+        }
+        if (typeof this.rateLimit !== 'number'
+            || !Number.isInteger(this.rateLimit)) {
+            throw assertionError.get('invalid_type', 'rateLimit', 'integer');
+        }
+        if (this.rateLimit < 0) {
+            throw assertionError.get('invalid_argument', 'rateLimit', 'positive integer, or zero');
+        }
     }
-  }
 }
-
-module.exports = Profile;
+exports.Profile = Profile;
+//# sourceMappingURL=profile.js.map

package/lib/model/security/rights.js

@@ -38,4 +38,4 @@ function merge (prev, cur) {
   return cur;
 }
 
-module.exports = {merge};
+module.exports = { merge };

package/lib/model/security/role.d.ts

@@ -0,0 +1,40 @@
+import { ControllerRight, ControllerRights } from '../../types/ControllerRights';
+import { KuzzleRequest } from '../../../index';
+import { OptimizedPolicyRestrictions } from '../../types/PolicyRestrictions';
+/**
+ * @class Role
+ */
+export declare class Role {
+    controllers: ControllerRights;
+    _id: string;
+    constructor();
+    /**
+     * @param {Request} request
+     * @returns {boolean}
+     */
+    isActionAllowed(request: KuzzleRequest): boolean;
+    /**
+     * @returns {Promise}
+     */
+    validateDefinition(): Promise<void>;
+    /**
+     * @param {String} index
+     * @param {String} collection
+     * @param {Map<string, string[]>} restrictedTo Restricted indexes
+     * @returns {Boolean} resolves to a Boolean value
+     */
+    checkRestrictions(index: string, collection: string, restrictedTo: OptimizedPolicyRestrictions): boolean;
+    /**
+     * Verifies that a controller rights definition is correct
+     *
+     * @param  {Array.<string, Object>}
+     * @throws If the controller definition is invalid
+     */
+    validateControllerRights(name: string, controller: ControllerRight): void;
+    /**
+     * Checks if current role allows to log in
+     *
+     * @returns {boolean}
+     */
+    canLogIn(): boolean;
+}