wabe 0.6.12 → 0.6.14

package/src/hooks/permissions.test.ts

@@ -1,412 +0,0 @@
-import { describe, expect, it, beforeEach, mock, spyOn } from 'bun:test'
-import { _getPermissionPropertiesOfAClass, _checkCLP } from './permissions'
-import { HookObject } from './HookObject'
-import { OperationType } from '.'
-import type { WabeContext } from '../server/interface'
-import * as permissions from './permissions'
-import { RoleEnum } from '../../generated/wabe'
-
-describe('Permissions', () => {
-	describe('Class Level Permissions', () => {
-		const mockGetObject = mock(() => {})
-
-		const controllers = {
-			database: {
-				getObject: mockGetObject,
-			},
-		} as any
-
-		beforeEach(() => {
-			mockGetObject.mockClear()
-		})
-
-		const config = {
-			schema: {
-				classes: [
-					{
-						name: 'TestClass',
-						fields: {
-							field1: { type: 'String' },
-						},
-						permissions: {
-							read: {
-								requireAuthentication: true,
-								authorizedRoles: [RoleEnum.Admin],
-							},
-						},
-					},
-					{
-						name: 'TestClass2',
-						fields: {
-							field2: { type: 'String' },
-						},
-					},
-					{
-						name: 'TestClass3',
-						fields: {
-							field2: { type: 'String' },
-						},
-						permissions: {
-							read: {
-								requireAuthentication: true,
-								authorizedRoles: ['everyone'],
-							},
-						},
-					},
-					{
-						name: 'TestClass4',
-						fields: {
-							field2: { type: 'String' },
-						},
-						permissions: {
-							read: {
-								requireAuthentication: true,
-								authorizedRoles: [],
-							},
-						},
-					},
-					{
-						name: 'TestClass5',
-						fields: {
-							field2: { type: 'String' },
-						},
-						permissions: {},
-					},
-				],
-			},
-		} as any
-
-		const context = { wabe: { config } } as any
-
-		it('should throw an error if authorized roles is empty and the user is not root', () => {
-			mockGetObject.mockResolvedValue({
-				id: 'sessionId',
-				user: { id: 'userId' },
-			} as never)
-
-			const context: WabeContext<any> = {
-				sessionId: 'sessionId',
-				user: {
-					id: 'userId',
-					role: {
-						id: 'roleId',
-						name: 'Admin',
-					},
-				},
-				isRoot: false,
-				wabe: { controllers, config } as any,
-			}
-
-			const obj = new HookObject({
-				className: 'TestClass4',
-				context,
-				object: {
-					id: 'id',
-				},
-				operationType: OperationType.BeforeRead,
-				select: {},
-			})
-
-			expect(() => _checkCLP(obj, OperationType.BeforeRead)).toThrow(
-				'Permission denied to read class TestClass4',
-			)
-		})
-
-		it('should throw an error if operation is undefined and user is not root', () => {
-			mockGetObject.mockResolvedValue({
-				id: 'sessionId',
-				user: { id: 'userId' },
-			} as never)
-
-			const context: WabeContext<any> = {
-				sessionId: 'sessionId',
-				user: {
-					id: 'userId',
-					role: {
-						id: 'roleId',
-						name: 'Admin',
-					},
-				},
-				isRoot: false,
-				wabe: { controllers, config } as any,
-			}
-
-			const obj = new HookObject({
-				className: 'TestClass5',
-				context,
-				object: {
-					id: 'id',
-				},
-				operationType: OperationType.BeforeRead,
-				select: {},
-			})
-
-			expect(() => _checkCLP(obj, OperationType.BeforeRead)).toThrow(
-				'Permission denied to read class TestClass5',
-			)
-		})
-
-		it('should get the permission for a given className', () => {
-			const permission = _getPermissionPropertiesOfAClass({
-				className: 'TestClass',
-				operation: 'read',
-				context,
-			})
-
-			expect(permission).toEqual({
-				requireAuthentication: true,
-				authorizedRoles: [RoleEnum.Admin],
-			})
-
-			const permission2 = _getPermissionPropertiesOfAClass({
-				className: 'TestClass2',
-				operation: 'read',
-				context,
-			})
-
-			expect(permission2).toBeUndefined()
-		})
-
-		it('should throw permission denied if no session id is provided but class require authentication', () => {
-			const context: WabeContext<any> = {
-				sessionId: '',
-				user: {},
-				isRoot: false,
-				wabe: { controllers, config } as any,
-			}
-
-			const obj = new HookObject({
-				className: 'TestClass',
-				context,
-				object: {
-					id: 'id',
-				},
-				operationType: OperationType.BeforeRead,
-				select: {},
-			})
-
-			expect(() => _checkCLP(obj, OperationType.BeforeRead)).toThrow(
-				'Permission denied to read class TestClass',
-			)
-		})
-
-		it('should not throw permission denied if authorized roles is everyone', () => {
-			mockGetObject.mockResolvedValue({
-				id: 'sessionId',
-				user: { id: 'userId' },
-			} as never)
-
-			const context: WabeContext<any> = {
-				sessionId: 'sessionId',
-				user: {
-					id: 'userId',
-					role: {
-						id: 'roleId',
-						name: 'Role',
-					} as any,
-				} as any,
-				isRoot: false,
-				wabe: {
-					controllers,
-					config,
-				} as any,
-			}
-
-			const obj = new HookObject({
-				className: 'TestClass3',
-				context,
-				object: {
-					id: 'id',
-				},
-				operationType: OperationType.BeforeRead,
-				select: {},
-			})
-
-			_checkCLP(obj, OperationType.BeforeRead)
-		})
-
-		it('should throw permission denied if authorized roles is everyone but requireAuthentication is true and client is anonymous', () => {
-			mockGetObject.mockResolvedValue({
-				id: 'sessionId',
-				user: { id: 'userId' },
-			} as never)
-
-			const context: WabeContext<any> = {
-				sessionId: undefined,
-				user: undefined,
-				isRoot: false,
-				wabe: {
-					controllers,
-					config,
-				} as any,
-			}
-
-			const obj = new HookObject({
-				className: 'TestClass3',
-				context,
-				object: {
-					id: 'id',
-				},
-				operationType: OperationType.BeforeRead,
-				select: {},
-			})
-
-			expect(() => _checkCLP(obj, OperationType.BeforeRead)).toThrow(
-				'Permission denied to read class TestClass3',
-			)
-		})
-
-		it('should throw permission denied if role is not an authorized role', () => {
-			mockGetObject.mockResolvedValue({
-				id: 'sessionId',
-				user: { id: 'userId' },
-			} as never)
-
-			const context: WabeContext<any> = {
-				sessionId: 'sessionId',
-				user: {
-					id: 'userId',
-					role: {
-						id: 'roleId',
-						name: 'Role',
-					} as any,
-				} as any,
-				isRoot: false,
-				wabe: {
-					controllers,
-					config,
-				} as any,
-			}
-
-			const obj = new HookObject({
-				className: 'TestClass',
-				context,
-				object: {
-					id: 'id',
-				},
-				operationType: OperationType.BeforeRead,
-				select: {},
-			})
-
-			expect(() => _checkCLP(obj, OperationType.BeforeRead)).toThrow(
-				'Permission denied to read class TestClass',
-			)
-		})
-
-		it('should not throw permission denied if valid session id is provided', () => {
-			mockGetObject.mockResolvedValue({
-				id: 'sessionId',
-				user: { id: 'userId' },
-			} as never)
-
-			const context: WabeContext<any> = {
-				sessionId: 'sessionId',
-				user: {
-					id: 'userId',
-					role: {
-						id: 'roleId',
-						name: 'Admin',
-					} as any,
-				} as any,
-				isRoot: false,
-				wabe: {
-					controllers,
-					config,
-				} as any,
-			}
-
-			const obj = new HookObject({
-				className: 'TestClass',
-				context,
-				object: { id: 'id' },
-				operationType: OperationType.BeforeRead,
-				select: {},
-			})
-
-			_checkCLP(obj, OperationType.BeforeRead)
-		})
-
-		it('should not throw permission denied if client is root', () => {
-			const context: WabeContext<any> = {
-				sessionId: '',
-				user: {
-					id: '',
-				} as any,
-				isRoot: true,
-				wabe: { controllers, config } as any,
-			}
-
-			const obj = new HookObject({
-				className: 'TestClass',
-				context,
-				object: { id: 'id' },
-				operationType: OperationType.BeforeRead,
-				select: {},
-			})
-
-			_checkCLP(obj, OperationType.BeforeRead)
-		})
-
-		it('should call _checkPermission on beforeRead', () => {
-			const spyBeforeRead = spyOn(permissions, 'defaultCheckPermissionOnRead').mockReturnValue()
-
-			permissions.defaultCheckPermissionOnRead({} as never)
-
-			expect(spyBeforeRead).toHaveBeenCalledTimes(1)
-			expect(spyBeforeRead).toHaveBeenCalledWith({})
-
-			spyBeforeRead.mockRestore()
-		})
-
-		it('should call _checkPermission on beforeCreate', () => {
-			const spyBeforeCreate = spyOn(permissions, 'defaultCheckPermissionOnCreate').mockReturnValue()
-
-			permissions.defaultCheckPermissionOnCreate({
-				sessionId: 'sessionId',
-				user: { id: 'userId' },
-			} as never)
-
-			expect(spyBeforeCreate).toHaveBeenCalledTimes(1)
-			expect(spyBeforeCreate).toHaveBeenCalledWith({
-				sessionId: 'sessionId',
-				user: { id: 'userId' },
-			})
-
-			spyBeforeCreate.mockRestore()
-		})
-
-		it('should call _checkPermission on beforeUpdate', () => {
-			const spyBeforeUpdate = spyOn(permissions, 'defaultCheckPermissionOnUpdate').mockReturnValue()
-
-			permissions.defaultCheckPermissionOnUpdate({
-				sessionId: 'sessionId',
-				user: { id: 'userId' },
-			} as never)
-
-			expect(spyBeforeUpdate).toHaveBeenCalledTimes(1)
-			expect(spyBeforeUpdate).toHaveBeenCalledWith({
-				sessionId: 'sessionId',
-				user: { id: 'userId' },
-			})
-
-			spyBeforeUpdate.mockRestore()
-		})
-
-		it('should call _checkPermission on beforeDelete', () => {
-			const spyBeforeDelete = spyOn(permissions, 'defaultCheckPermissionOnDelete').mockReturnValue()
-
-			permissions.defaultCheckPermissionOnDelete({
-				sessionId: 'sessionId',
-				user: { id: 'userId' },
-			} as never)
-
-			expect(spyBeforeDelete).toHaveBeenCalledTimes(1)
-			expect(spyBeforeDelete).toHaveBeenCalledWith({
-				sessionId: 'sessionId',
-				user: { id: 'userId' },
-			})
-
-			spyBeforeDelete.mockRestore()
-		})
-	})
-})

package/src/hooks/permissions.ts

@@ -1,93 +0,0 @@
-import type { PermissionsOperations } from '../schema'
-import type { WabeContext } from '../server/interface'
-import type { HookObject } from './HookObject'
-import { OperationType } from './index'
-
-const convertOperationTypeToPermission = (operationType: OperationType) => {
-	const template: Record<OperationType, PermissionsOperations> = {
-		[OperationType.BeforeCreate]: 'create',
-		[OperationType.AfterCreate]: 'create',
-		[OperationType.BeforeRead]: 'read',
-		[OperationType.AfterRead]: 'read',
-		[OperationType.BeforeDelete]: 'delete',
-		[OperationType.AfterDelete]: 'delete',
-		[OperationType.BeforeUpdate]: 'update',
-		[OperationType.AfterUpdate]: 'update',
-	}
-
-	return template[operationType]
-}
-
-export const _getPermissionPropertiesOfAClass = ({
-	className,
-	operation,
-	context,
-}: {
-	className: string
-	operation: PermissionsOperations
-	context: WabeContext<any>
-}) => {
-	const wabeClass = context.wabe.config.schema?.classes?.find((c) => c.name === className)
-
-	if (!wabeClass) throw new Error(`Class ${className} not found in schema`)
-
-	const permission = wabeClass.permissions?.[operation]
-
-	return permission
-}
-
-export const _checkCLP = (object: HookObject<any, any>, operationType: OperationType) => {
-	if (object.context.isRoot) return
-
-	const permissionOperation = convertOperationTypeToPermission(operationType)
-
-	if (!permissionOperation) throw new Error('Bad operation type provided')
-
-	const permissionProperties = _getPermissionPropertiesOfAClass({
-		className: object.className,
-		operation: permissionOperation,
-		context: object.context,
-	})
-
-	// If no permission is defined by default we throw an error, Zero trust principle
-	if (!permissionProperties)
-		throw new Error(`Permission denied to ${permissionOperation} class ${object.className}`)
-
-	const sessionId = object.context.sessionId
-
-	if (!permissionProperties.requireAuthentication && !permissionProperties.authorizedRoles) return
-
-	// User is not corrected but requireAuthentication is on true
-	if (!sessionId || !object.getUser()) {
-		throw new Error(`Permission denied to ${permissionOperation} class ${object.className}`)
-	}
-
-	if (permissionProperties.authorizedRoles?.includes('everyone')) return
-
-	// authorizedRoles is empty
-	if (permissionProperties.authorizedRoles?.length === 0 || !permissionProperties)
-		throw new Error(`Permission denied to ${permissionOperation} class ${object.className}`)
-
-	const roleName = object.context.user?.role?.name
-
-	// No role name found
-	if (!roleName) {
-		throw new Error(`Permission denied to ${permissionOperation} class ${object.className}`)
-	}
-
-	// The role of the user is not included in the authorizedRoles
-	if (!permissionProperties.authorizedRoles?.includes(roleName))
-		throw new Error(`Permission denied to ${permissionOperation} class ${object.className}`)
-}
-
-export const defaultCheckPermissionOnRead = (object: HookObject<any, any>) =>
-	_checkCLP(object, OperationType.BeforeRead)
-
-export const defaultCheckPermissionOnCreate = (object: HookObject<any, any>) =>
-	_checkCLP(object, OperationType.BeforeCreate)
-
-export const defaultCheckPermissionOnUpdate = (object: HookObject<any, any>) =>
-	_checkCLP(object, OperationType.BeforeUpdate)
-
-export const defaultCheckPermissionOnDelete = (object: HookObject<any, any>) =>
-	_checkCLP(object, OperationType.BeforeDelete)