wabe 0.6.9 → 0.6.10

package/src/hooks/permissions.test.ts

@@ -0,0 +1,424 @@
+import { describe, expect, it, beforeEach, mock, spyOn } from 'bun:test'
+import { _getPermissionPropertiesOfAClass, _checkCLP } from './permissions'
+import { HookObject } from './HookObject'
+import { OperationType } from '.'
+import type { WabeContext } from '../server/interface'
+import * as permissions from './permissions'
+import { RoleEnum } from '../../generated/wabe'
+
+describe('Permissions', () => {
+	describe('Class Level Permissions', () => {
+		const mockGetObject = mock(() => {})
+
+		const controllers = {
+			database: {
+				getObject: mockGetObject,
+			},
+		} as any
+
+		beforeEach(() => {
+			mockGetObject.mockClear()
+		})
+
+		const config = {
+			schema: {
+				classes: [
+					{
+						name: 'TestClass',
+						fields: {
+							field1: { type: 'String' },
+						},
+						permissions: {
+							read: {
+								requireAuthentication: true,
+								authorizedRoles: [RoleEnum.Admin],
+							},
+						},
+					},
+					{
+						name: 'TestClass2',
+						fields: {
+							field2: { type: 'String' },
+						},
+					},
+					{
+						name: 'TestClass3',
+						fields: {
+							field2: { type: 'String' },
+						},
+						permissions: {
+							read: {
+								requireAuthentication: true,
+								authorizedRoles: ['everyone'],
+							},
+						},
+					},
+					{
+						name: 'TestClass4',
+						fields: {
+							field2: { type: 'String' },
+						},
+						permissions: {
+							read: {
+								requireAuthentication: true,
+								authorizedRoles: [],
+							},
+						},
+					},
+					{
+						name: 'TestClass5',
+						fields: {
+							field2: { type: 'String' },
+						},
+						permissions: {},
+					},
+				],
+			},
+		} as any
+
+		const context = { wabe: { config } } as any
+
+		it('should throw an error if authorized roles is empty and the user is not root', () => {
+			mockGetObject.mockResolvedValue({
+				id: 'sessionId',
+				user: { id: 'userId' },
+			} as never)
+
+			const context: WabeContext<any> = {
+				sessionId: 'sessionId',
+				user: {
+					id: 'userId',
+					role: {
+						id: 'roleId',
+						name: 'Admin',
+					},
+				},
+				isRoot: false,
+				wabe: { controllers, config } as any,
+			}
+
+			const obj = new HookObject({
+				className: 'TestClass4',
+				context,
+				object: {
+					id: 'id',
+				},
+				operationType: OperationType.BeforeRead,
+				select: {},
+			})
+
+			expect(_checkCLP(obj, OperationType.BeforeRead)).rejects.toThrow(
+				'Permission denied to read class TestClass4',
+			)
+		})
+
+		it('should throw an error if operation is undefined and user is not root', () => {
+			mockGetObject.mockResolvedValue({
+				id: 'sessionId',
+				user: { id: 'userId' },
+			} as never)
+
+			const context: WabeContext<any> = {
+				sessionId: 'sessionId',
+				user: {
+					id: 'userId',
+					role: {
+						id: 'roleId',
+						name: 'Admin',
+					},
+				},
+				isRoot: false,
+				wabe: { controllers, config } as any,
+			}
+
+			const obj = new HookObject({
+				className: 'TestClass5',
+				context,
+				object: {
+					id: 'id',
+				},
+				operationType: OperationType.BeforeRead,
+				select: {},
+			})
+
+			expect(_checkCLP(obj, OperationType.BeforeRead)).rejects.toThrow(
+				'Permission denied to read class TestClass5',
+			)
+		})
+
+		it('should get the permission for a given className', async () => {
+			const permission = await _getPermissionPropertiesOfAClass({
+				className: 'TestClass',
+				operation: 'read',
+				context,
+			})
+
+			expect(permission).toEqual({
+				requireAuthentication: true,
+				authorizedRoles: [RoleEnum.Admin],
+			})
+
+			const permission2 = await _getPermissionPropertiesOfAClass({
+				className: 'TestClass2',
+				operation: 'read',
+				context,
+			})
+
+			expect(permission2).toBeUndefined()
+		})
+
+		it('should throw permission denied if no session id is provided but class require authentication', () => {
+			const context: WabeContext<any> = {
+				sessionId: '',
+				user: {},
+				isRoot: false,
+				wabe: { controllers, config } as any,
+			}
+
+			const obj = new HookObject({
+				className: 'TestClass',
+				context,
+				object: {
+					id: 'id',
+				},
+				operationType: OperationType.BeforeRead,
+				select: {},
+			})
+
+			expect(_checkCLP(obj, OperationType.BeforeRead)).rejects.toThrow(
+				'Permission denied to read class TestClass',
+			)
+		})
+
+		it('should not throw permission denied if authorized roles is everyone', () => {
+			mockGetObject.mockResolvedValue({
+				id: 'sessionId',
+				user: { id: 'userId' },
+			} as never)
+
+			const context: WabeContext<any> = {
+				sessionId: 'sessionId',
+				user: {
+					id: 'userId',
+					role: {
+						id: 'roleId',
+						name: 'Role',
+					} as any,
+				} as any,
+				isRoot: false,
+				wabe: {
+					controllers,
+					config,
+				} as any,
+			}
+
+			const obj = new HookObject({
+				className: 'TestClass3',
+				context,
+				object: {
+					id: 'id',
+				},
+				operationType: OperationType.BeforeRead,
+				select: {},
+			})
+
+			expect(_checkCLP(obj, OperationType.BeforeRead)).resolves
+		})
+
+		it('should throw permission denied if authorized roles is everyone but requireAuthentication is true and client is anonymous', () => {
+			mockGetObject.mockResolvedValue({
+				id: 'sessionId',
+				user: { id: 'userId' },
+			} as never)
+
+			const context: WabeContext<any> = {
+				sessionId: undefined,
+				user: undefined,
+				isRoot: false,
+				wabe: {
+					controllers,
+					config,
+				} as any,
+			}
+
+			const obj = new HookObject({
+				className: 'TestClass3',
+				context,
+				object: {
+					id: 'id',
+				},
+				operationType: OperationType.BeforeRead,
+				select: {},
+			})
+
+			expect(_checkCLP(obj, OperationType.BeforeRead)).rejects.toThrow(
+				'Permission denied to read class TestClass3',
+			)
+		})
+
+		it('should throw permission denied if role is not an authorized role', () => {
+			mockGetObject.mockResolvedValue({
+				id: 'sessionId',
+				user: { id: 'userId' },
+			} as never)
+
+			const context: WabeContext<any> = {
+				sessionId: 'sessionId',
+				user: {
+					id: 'userId',
+					role: {
+						id: 'roleId',
+						name: 'Role',
+					} as any,
+				} as any,
+				isRoot: false,
+				wabe: {
+					controllers,
+					config,
+				} as any,
+			}
+
+			const obj = new HookObject({
+				className: 'TestClass',
+				context,
+				object: {
+					id: 'id',
+				},
+				operationType: OperationType.BeforeRead,
+				select: {},
+			})
+
+			expect(_checkCLP(obj, OperationType.BeforeRead)).rejects.toThrow(
+				'Permission denied to read class TestClass',
+			)
+		})
+
+		it('should not throw permission denied if valid session id is provided', () => {
+			mockGetObject.mockResolvedValue({
+				id: 'sessionId',
+				user: { id: 'userId' },
+			} as never)
+
+			const context: WabeContext<any> = {
+				sessionId: 'sessionId',
+				user: {
+					id: 'userId',
+					role: {
+						id: 'roleId',
+						name: 'Admin',
+					} as any,
+				} as any,
+				isRoot: false,
+				wabe: {
+					controllers,
+					config,
+				} as any,
+			}
+
+			const obj = new HookObject({
+				className: 'TestClass',
+				context,
+				object: { id: 'id' },
+				operationType: OperationType.BeforeRead,
+				select: {},
+			})
+
+			expect(_checkCLP(obj, OperationType.BeforeRead)).resolves
+		})
+
+		it('should not throw permission denied if client is root', () => {
+			const context: WabeContext<any> = {
+				sessionId: '',
+				user: {
+					id: '',
+				} as any,
+				isRoot: true,
+				wabe: { controllers, config } as any,
+			}
+
+			const obj = new HookObject({
+				className: 'TestClass',
+				context,
+				object: { id: 'id' },
+				operationType: OperationType.BeforeRead,
+				select: {},
+			})
+
+			expect(_checkCLP(obj, OperationType.BeforeRead)).resolves
+		})
+
+		it('should call _checkPermission on beforeRead', () => {
+			const spyBeforeRead = spyOn(
+				permissions,
+				'defaultCheckPermissionOnRead',
+			).mockResolvedValue()
+
+			permissions.defaultCheckPermissionOnRead({} as never)
+
+			expect(spyBeforeRead).toHaveBeenCalledTimes(1)
+			expect(spyBeforeRead).toHaveBeenCalledWith({})
+
+			spyBeforeRead.mockRestore()
+		})
+
+		it('should call _checkPermission on beforeCreate', () => {
+			const spyBeforeCreate = spyOn(
+				permissions,
+				'defaultCheckPermissionOnCreate',
+			).mockResolvedValue()
+
+			permissions.defaultCheckPermissionOnCreate({
+				sessionId: 'sessionId',
+				user: { id: 'userId' },
+			} as never)
+
+			expect(spyBeforeCreate).toHaveBeenCalledTimes(1)
+			expect(spyBeforeCreate).toHaveBeenCalledWith({
+				sessionId: 'sessionId',
+				user: { id: 'userId' },
+			})
+
+			spyBeforeCreate.mockRestore()
+		})
+
+		it('should call _checkPermission on beforeUpdate', () => {
+			const spyBeforeUpdate = spyOn(
+				permissions,
+				'defaultCheckPermissionOnUpdate',
+			).mockResolvedValue()
+
+			permissions.defaultCheckPermissionOnUpdate({
+				sessionId: 'sessionId',
+				user: { id: 'userId' },
+			} as never)
+
+			expect(spyBeforeUpdate).toHaveBeenCalledTimes(1)
+			expect(spyBeforeUpdate).toHaveBeenCalledWith({
+				sessionId: 'sessionId',
+				user: { id: 'userId' },
+			})
+
+			spyBeforeUpdate.mockRestore()
+		})
+
+		it('should call _checkPermission on beforeDelete', () => {
+			const spyBeforeDelete = spyOn(
+				permissions,
+				'defaultCheckPermissionOnDelete',
+			).mockResolvedValue()
+
+			permissions.defaultCheckPermissionOnDelete({
+				sessionId: 'sessionId',
+				user: { id: 'userId' },
+			} as never)
+
+			expect(spyBeforeDelete).toHaveBeenCalledTimes(1)
+			expect(spyBeforeDelete).toHaveBeenCalledWith({
+				sessionId: 'sessionId',
+				user: { id: 'userId' },
+			})
+
+			spyBeforeDelete.mockRestore()
+		})
+	})
+})

package/src/hooks/permissions.ts

@@ -0,0 +1,113 @@
+import type { PermissionsOperations } from '../schema'
+import type { WabeContext } from '../server/interface'
+import type { HookObject } from './HookObject'
+import { OperationType } from './index'
+
+const convertOperationTypeToPermission = (operationType: OperationType) => {
+	const template: Record<OperationType, PermissionsOperations> = {
+		[OperationType.BeforeCreate]: 'create',
+		[OperationType.AfterCreate]: 'create',
+		[OperationType.BeforeRead]: 'read',
+		[OperationType.AfterRead]: 'read',
+		[OperationType.BeforeDelete]: 'delete',
+		[OperationType.AfterDelete]: 'delete',
+		[OperationType.BeforeUpdate]: 'update',
+		[OperationType.AfterUpdate]: 'update',
+	}
+
+	return template[operationType]
+}
+
+export const _getPermissionPropertiesOfAClass = ({
+	className,
+	operation,
+	context,
+}: {
+	className: string
+	operation: PermissionsOperations
+	context: WabeContext<any>
+}) => {
+	const wabeClass = context.wabe.config.schema?.classes?.find(
+		(c) => c.name === className,
+	)
+
+	if (!wabeClass) throw new Error(`Class ${className} not found in schema`)
+
+	const permission = wabeClass.permissions?.[operation]
+
+	return permission
+}
+
+export const _checkCLP = async (
+	object: HookObject<any, any>,
+	operationType: OperationType,
+) => {
+	if (object.context.isRoot) return
+
+	const permissionOperation = convertOperationTypeToPermission(operationType)
+
+	if (!permissionOperation) throw new Error('Bad operation type provided')
+
+	const permissionProperties = await _getPermissionPropertiesOfAClass({
+		className: object.className,
+		operation: permissionOperation,
+		context: object.context,
+	})
+
+	// If no permission is defined by default we throw an error, Zero trust principle
+	if (!permissionProperties)
+		throw new Error(
+			`Permission denied to ${permissionOperation} class ${object.className}`,
+		)
+
+	const sessionId = object.context.sessionId
+
+	if (
+		!permissionProperties.requireAuthentication &&
+		!permissionProperties.authorizedRoles
+	)
+		return
+
+	// User is not corrected but requireAuthentication is on true
+	if (!sessionId || !object.getUser())
+		throw new Error(
+			`Permission denied to ${permissionOperation} class ${object.className}`,
+		)
+
+	if (permissionProperties.authorizedRoles?.includes('everyone')) return
+
+	// authorizedRoles is empty
+	if (
+		permissionProperties.authorizedRoles?.length === 0 ||
+		!permissionProperties
+	)
+		throw new Error(
+			`Permission denied to ${permissionOperation} class ${object.className}`,
+		)
+
+	const roleName = object.context.user?.role?.name
+
+	// No role name found
+	if (!roleName)
+		throw new Error(
+			`Permission denied to ${permissionOperation} class ${object.className}`,
+		)
+
+	// The role of the user is not included in the authorizedRoles
+	if (!permissionProperties.authorizedRoles?.includes(roleName))
+		throw new Error(
+			`Permission denied to ${permissionOperation} class ${object.className}`,
+		)
+}
+
+export const defaultCheckPermissionOnRead = (object: HookObject<any, any>) =>
+	_checkCLP(object, OperationType.BeforeRead)
+
+export const defaultCheckPermissionOnCreate = (object: HookObject<any, any>) =>
+	_checkCLP(object, OperationType.BeforeCreate)
+
+export const defaultCheckPermissionOnUpdate = (object: HookObject<any, any>) =>
+	_checkCLP(object, OperationType.BeforeUpdate)
+
+export const defaultCheckPermissionOnDelete = (object: HookObject<any, any>) =>
+	_checkCLP(object, OperationType.BeforeDelete)