groot/automatisch
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(auth): add user and role management

Browse Source
This commit is contained in:
Ali BARIN
2023-07-18 21:00:10 +00:00
parent a7104c41a2
commit 0deaa03218
108 changed files with 2909 additions and 388 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
packages/backend/bin/database/utils.ts
View File

@@ -3,36 +3,16 @@ import logger from '../../src/helpers/logger';
import client from './client';
import User from '../../src/models/user';
import Role from '../../src/models/role';
import Permission from '../../src/models/permission';
import '../../src/config/orm';
async function seedPermissionsIfNeeded() {
const existingPermissions = await Permission.query().limit(1).first();
if (!existingPermissions) return;
const getPermission = (subject: string, actions: string[]) => actions.map(action => ({ subject, action }));
await Permission.query().insert([
...getPermission('Connection', ['create', 'read', 'delete', 'update']),
...getPermission('Execution', ['read']),
...getPermission('Flow', ['create', 'delete', 'publish', 'read', 'update']),
...getPermission('Role', ['create', 'delete', 'read', 'update']),
...getPermission('User', ['create', 'delete', 'read', 'update']),
])
}
async function createOrFetchRole() {
const role = await Role.query().limit(1).first();
if (!role) {
const createdRole = await Role.query().insertAndFetch({
name: 'Admin',
key: 'admin',
});
return createdRole;
}
async function fetchAdminRole() {
const role = await Role
.query()
.where({
key: 'admin'
})
.limit(1)
.first();
return role;
}
@@ -43,9 +23,7 @@ export async function createUser(
) {
const UNIQUE_VIOLATION_CODE = '23505';
await seedPermissionsIfNeeded();
const role = await createOrFetchRole();
const role = await fetchAdminRole();
const userParams = {
email,
password,

2
packages/backend/package.json
View File

@@ -4,7 +4,7 @@
"license": "See LICENSE file",
"description": "The open source Zapier alternative. Build workflow automation without spending time and money.",
"scripts": {
"dev": "ts-node-dev --exit-child src/server.ts",
"dev": "ts-node-dev --watch 'src/graphql/schema.graphql' --exit-child src/server.ts",
"worker": "nodemon --watch 'src/**/*.ts' --exec 'ts-node' src/worker.ts",
"build": "tsc && yarn copy-statics",
"build:watch": "nodemon --watch 'src/**/*.ts' --watch 'bin/**/*.ts' --exec yarn build --ext ts",

16
packages/backend/src/db/migrations/20230615200200_create_roles.ts
View File

@@ -16,13 +16,27 @@ export async function up(knex: Knex): Promise<void> {
.select('role')
.groupBy('role');
let shouldCreateAdminRole = true;
for (const { role } of uniqueUserRoles) {
// skip empty roles
if (!role) continue;
const lowerCaseRole = lowerCase(role);
if (lowerCaseRole === 'admin') {
shouldCreateAdminRole = false;
}
await knex('roles').insert({
name: capitalize(role),
key: lowerCase(role),
key: lowerCaseRole,
});
}
if (shouldCreateAdminRole) {
await knex('roles').insert({
name: 'Admin',
key: 'admin',
});
}
}

39
packages/backend/src/db/migrations/20230615205857_create_permissions.ts
View File

@@ -1,23 +1,46 @@
import { Knex } from 'knex';
const getPermission = (subject: string, actions: string[]) => actions.map(action => ({ subject, action }));
const getPermissionForRole = (roleId: string, subject: string, actions: string[], conditions: string[] = []) => actions
.map(action => ({
role_id: roleId,
subject,
action,
conditions,
}));
export async function up(knex: Knex): Promise<void> {
await knex.schema.createTable('permissions', (table) => {
table.uuid('id').primary().defaultTo(knex.raw('gen_random_uuid()'));
table.uuid('role_id').references('id').inTable('roles');
table.string('action').notNullable();
table.string('subject').notNullable();
table.jsonb('conditions').notNullable().defaultTo([]);
table.timestamps(true, true);
});
await knex('permissions').insert([
...getPermission('Connection', ['create', 'read', 'delete', 'update']),
...getPermission('Execution', ['read']),
...getPermission('Flow', ['create', 'delete', 'publish', 'read', 'update']),
...getPermission('Role', ['create', 'delete', 'read', 'update']),
...getPermission('User', ['create', 'delete', 'read', 'update']),
]);
const roles = await knex('roles').select(['id', 'key']) as { id: string, key: string }[];
for (const role of roles) {
// `admin` role should have no conditions unlike others by default
const isAdmin = role.key === 'admin';
const roleConditions = isAdmin ? [] : ['isCreator'];
// default permissions
await knex('permissions').insert([
...getPermissionForRole(role.id, 'Connection', ['create', 'read', 'delete', 'update'], roleConditions),
...getPermissionForRole(role.id, 'Execution', ['read'], roleConditions),
...getPermissionForRole(role.id, 'Flow', ['create', 'delete', 'publish', 'read', 'update'], roleConditions),
]);
// admin specific permission
if (isAdmin) {
await knex('permissions').insert([
...getPermissionForRole(role.id, 'User', ['create', 'read', 'delete', 'update']),
...getPermissionForRole(role.id, 'Role', ['create', 'read', 'delete', 'update']),
]);
}
}
}
export async function down(knex: Knex): Promise<void> {

25
packages/backend/src/db/migrations/20230615210510_create_roles_permissions.ts
View File

@@ -1,25 +0,0 @@
import { Knex } from 'knex';
export async function up(knex: Knex): Promise<void> {
await knex.schema.createTable('roles_permissions', (table) => {
table.uuid('id').primary().defaultTo(knex.raw('gen_random_uuid()'));
table.uuid('role_id').references('id').inTable('roles');
table.uuid('permission_id').references('id').inTable('permissions');
});
const roles = await knex('roles').select('id');
const permissions = await knex('permissions').select('id');
for (const role of roles) {
for (const permission of permissions) {
await knex('roles_permissions').insert({
role_id: role.id,
permission_id: permission.id,
});
}
}
}
export async function down(knex: Knex): Promise<void> {
return knex.schema.dropTable('roles_permissions');
}

1
packages/backend/src/db/migrations/20230702210636_create_saml_auth_providers.ts
View File

@@ -13,6 +13,7 @@ export async function up(knex: Knex): Promise<void> {
table.text('email_attribute_name').notNullable();
table.text('role_attribute_name').notNullable();
table.uuid('default_role_id').references('id').inTable('roles');
table.boolean('active').defaultTo(false);
table.timestamps(true, true);
});

7
packages/backend/src/db/migrations/20230715214424_make_user_password_nullable.ts
View File

@@ -6,9 +6,6 @@ export async function up(knex: Knex): Promise<void> {
});
}
export async function down(knex: Knex): Promise<void> {
return await knex.schema.alterTable('users', table => {
// what do we do? passwords cannot be left empty
// table.string('password').notNullable().alter();
});
export async function down(): Promise<void> {
// void
}

76
packages/backend/src/graphql/mutation-resolvers.ts
View File

@@ -1,47 +1,59 @@
import createConnection from './mutations/create-connection';
import generateAuthUrl from './mutations/generate-auth-url';
import updateConnection from './mutations/update-connection';
import resetConnection from './mutations/reset-connection';
import verifyConnection from './mutations/verify-connection';
import deleteConnection from './mutations/delete-connection';
import createFlow from './mutations/create-flow';
import createRole from './mutations/create-role.ee';
import createStep from './mutations/create-step';
import createUser from './mutations/create-user.ee';
import deleteConnection from './mutations/delete-connection';
import deleteCurrentUser from './mutations/delete-current-user.ee';
import deleteFlow from './mutations/delete-flow';
import deleteRole from './mutations/delete-role.ee';
import deleteStep from './mutations/delete-step';
import deleteUser from './mutations/delete-user.ee';
import duplicateFlow from './mutations/duplicate-flow';
import executeFlow from './mutations/execute-flow';
import forgotPassword from './mutations/forgot-password.ee';
import generateAuthUrl from './mutations/generate-auth-url';
import login from './mutations/login';
import registerUser from './mutations/register-user.ee';
import resetConnection from './mutations/reset-connection';
import resetPassword from './mutations/reset-password.ee';
import updateConnection from './mutations/update-connection';
import updateCurrentUser from './mutations/update-current-user';
import updateFlow from './mutations/update-flow';
import updateFlowStatus from './mutations/update-flow-status';
import executeFlow from './mutations/execute-flow';
import deleteFlow from './mutations/delete-flow';
import duplicateFlow from './mutations/duplicate-flow';
import createStep from './mutations/create-step';
import updateRole from './mutations/update-role.ee';
import updateStep from './mutations/update-step';
import deleteStep from './mutations/delete-step';
import createUser from './mutations/create-user.ee';
import deleteUser from './mutations/delete-user.ee';
import updateUser from './mutations/update-user';
import forgotPassword from './mutations/forgot-password.ee';
import resetPassword from './mutations/reset-password.ee';
import login from './mutations/login';
import updateUser from './mutations/update-user.ee';
import verifyConnection from './mutations/verify-connection';
const mutationResolvers = {
createConnection,
generateAuthUrl,
updateConnection,
resetConnection,
verifyConnection,
deleteConnection,
createFlow,
createRole,
createStep,
createUser,
deleteConnection,
deleteCurrentUser,
deleteFlow,
deleteRole,
deleteStep,
deleteUser,
duplicateFlow,
executeFlow,
forgotPassword,
generateAuthUrl,
login,
registerUser,
resetConnection,
resetPassword,
updateConnection,
updateCurrentUser,
updateUser,
updateFlow,
updateFlowStatus,
executeFlow,
deleteFlow,
duplicateFlow,
createStep,
updateRole,
updateStep,
deleteStep,
createUser,
deleteUser,
updateUser,
forgotPassword,
resetPassword,
login,
verifyConnection,
};
export default mutationResolvers;

34
packages/backend/src/graphql/mutations/create-role.ee.ts Normal file
View File

@@ -0,0 +1,34 @@
import kebabCase from 'lodash/kebabCase';
import Permission from '../../models/permission';
import Role from '../../models/role';
import Context from '../../types/express/context';
type Params = {
input: {
name: string;
description: string;
permissions: Permission[];
};
};
const createRole = async (_parent: unknown, params: Params, context: Context) => {
context.currentUser.can('create', 'Role');
const { name, description, permissions } = params.input;
const key = kebabCase(name);
const existingRole = await Role.query().findOne({ key });
if (existingRole) {
throw new Error('Role already exists!');
}
return await Role.query().insertGraph({
key,
name,
description,
permissions,
}, { relate: ['permissions'] }).returning('*');
};
export default createRole;

27
packages/backend/src/graphql/mutations/create-user.ee.ts
View File

@@ -1,15 +1,21 @@
import User from '../../models/user';
import Role from '../../models/role';
import Context from '../../types/express/context';
type Params = {
input: {
fullName: string;
email: string;
password: string;
role: {
id: string;
};
};
};
const createUser = async (_parent: unknown, params: Params) => {
const createUser = async (_parent: unknown, params: Params, context: Context) => {
context.currentUser.can('create', 'User');
const { fullName, email, password } = params.input;
const existingUser = await User.query().findOne({ email });
@@ -18,14 +24,23 @@ const createUser = async (_parent: unknown, params: Params) => {
throw new Error('User already exists!');
}
const role = await Role.query().findOne({ key: 'user' });
const user = await User.query().insert({
const userPayload: Partial<User> = {
fullName,
email,
password,
roleId: role.id,
});
};
try {
context.currentUser.can('update', 'Role');
userPayload.roleId = params.input.role.id;
} catch {
// void
const role = await Role.query().findOne({ key: 'user' });
userPayload.roleId = role.id;
}
const user = await User.query().insert(userPayload);
return user;
};

22
packages/backend/src/graphql/mutations/delete-current-user.ee.ts Normal file
View File

@@ -0,0 +1,22 @@
import { Duration } from 'luxon';
import Context from '../../types/express/context';
import deleteUserQueue from '../../queues/delete-user.ee';
const deleteCurrentUser = async (_parent: unknown, params: never, context: Context) => {
const id = context.currentUser.id;
await context.currentUser.$query().delete();
const jobName = `Delete user - ${id}`;
const jobPayload = { id };
const millisecondsFor30Days = Duration.fromObject({ days: 30 }).toMillis();
const jobOptions = {
delay: millisecondsFor30Days
};
await deleteUserQueue.add(jobName, jobPayload, jobOptions);
return true;
};
export default deleteCurrentUser;

41
packages/backend/src/graphql/mutations/delete-role.ee.ts Normal file
View File

@@ -0,0 +1,41 @@
import Role from '../../models/role';
import Context from '../../types/express/context';
type Params = {
input: {
id: string;
};
};
const deleteRole = async (
_parent: unknown,
params: Params,
context: Context
) => {
context.currentUser.can('delete', 'Role');
const role = await Role
.query()
.findById(params.input.id)
.throwIfNotFound();
const count = await role
.$relatedQuery('users')
.resultSize();
if (count > 0) {
throw new Error('All users must be migrated away from the role!');
}
if (role.isAdmin) {
throw new Error('Admin role cannot be deleted!');
}
// delete permissions first
await role.$relatedQuery('permissions').delete();
await role.$query().delete();
return true;
};
export default deleteRole;

23
packages/backend/src/graphql/mutations/delete-user.ee.ts
View File

@@ -1,11 +1,24 @@
import Context from '../../types/express/context';
import deleteUserQueue from '../../queues/delete-user.ee';
import { Duration } from 'luxon';
import Context from '../../types/express/context';
import User from '../../models/user';
import deleteUserQueue from '../../queues/delete-user.ee';
const deleteUser = async (_parent: unknown, params: never, context: Context) => {
const id = context.currentUser.id;
type Params = {
input: {
id: string;
};
};
await context.currentUser.$query().delete();
const deleteUser = async (
_parent: unknown,
params: Params,
context: Context
) => {
context.currentUser.can('delete', 'User');
const id = params.input.id;
await User.query().deleteById(id);
const jobName = `Delete user - ${id}`;
const jobPayload = { id };

33
packages/backend/src/graphql/mutations/register-user.ee.ts Normal file
View File

@@ -0,0 +1,33 @@
import User from '../../models/user';
import Role from '../../models/role';
type Params = {
input: {
fullName: string;
email: string;
password: string;
};
};
const registerUser = async (_parent: unknown, params: Params) => {
const { fullName, email, password } = params.input;
const existingUser = await User.query().findOne({ email });
if (existingUser) {
throw new Error('User already exists!');
}
const role = await Role.query().findOne({ key: 'user' });
const user = await User.query().insert({
fullName,
email,
password,
roleId: role.id,
});
return user;
};
export default registerUser;

4
packages/backend/src/graphql/mutations/update-user.ts → packages/backend/src/graphql/mutations/update-current-user.ts
View File

@@ -8,7 +8,7 @@ type Params = {
};
};
const updateUser = async (
const updateCurrentUser = async (
_parent: unknown,
params: Params,
context: Context
@@ -22,4 +22,4 @@ const updateUser = async (
return user;
};
export default updateUser;
export default updateCurrentUser;

91
packages/backend/src/graphql/mutations/update-role.ee.ts Normal file
View File

@@ -0,0 +1,91 @@
import Context from '../../types/express/context';
import Role from '../../models/role';
import Permission from '../../models/permission';
import permissionCatalog from '../../helpers/permission-catalog.ee';
type Params = {
input: {
id: string;
name: string;
description: string;
permissions: Permission[];
};
};
const updateRole = async (
_parent: unknown,
params: Params,
context: Context
) => {
context.currentUser.can('update', 'Role');
const {
id,
name,
description,
permissions,
} = params.input;
const role = await Role
.query()
.findById(id)
.throwIfNotFound();
try {
const updatedRole = await Role.transaction(async (trx) => {
await role.$relatedQuery('permissions', trx).delete();
if (permissions?.length) {
const sanitizedPermissions = permissions
.filter((permission) => {
const {
action,
subject,
conditions,
} = permission;
const relevantAction = permissionCatalog.actions.find(actionCatalogItem => actionCatalogItem.key === action);
const validSubject = relevantAction.subjects.includes(subject);
const validConditions = conditions.every(condition => {
return !!permissionCatalog
.conditions
.find((conditionCatalogItem) => conditionCatalogItem.key === condition);
})
return validSubject && validConditions;
})
.map((permission) => ({
...permission,
roleId: role.id,
}));
await Permission.query().insert(sanitizedPermissions);
}
await role
.$query(trx)
.patch(
{
name,
description,
}
);
return await Role
.query(trx)
.leftJoinRelated({
permissions: true
})
.withGraphFetched({
permissions: true
})
.findById(id);
});
return updatedRole;
} catch (err) {
throw new Error('The role could not be updated!');
}
};
export default updateRole;

44
packages/backend/src/graphql/mutations/update-user.ee.ts Normal file
View File

@@ -0,0 +1,44 @@
import Context from '../../types/express/context';
import User from '../../models/user';
type Params = {
input: {
id: string;
email: string;
fullName: string;
role: {
id: string;
};
};
};
const updateUser = async (
_parent: unknown,
params: Params,
context: Context
) => {
context.currentUser.can('update', 'User');
const userPayload: Partial<User> = {
email: params.input.email,
fullName: params.input.fullName,
};
try {
context.currentUser.can('update', 'Role');
userPayload.roleId = params.input.role.id;
} catch {
// void
}
const user = await User.query()
.patchAndFetchById(
params.input.id,
userPayload,
);
return user;
};
export default updateUser;

10
packages/backend/src/graphql/queries/get-app.ts
View File

@@ -1,4 +1,5 @@
import App from '../../models/app';
import Connection from '../../models/connection';
import Context from '../../types/express/context';
type Params = {
@@ -6,13 +7,16 @@ type Params = {
};
const getApp = async (_parent: unknown, params: Params, context: Context) => {
context.currentUser.can('read', 'Connection');
const conditions = context.currentUser.can('read', 'Connection');
const userConnections = context.currentUser.$relatedQuery('connections');
const allConnections = Connection.query();
const connectionBaseQuery = conditions.isCreator ? userConnections : allConnections;
const app = await App.findOneByKey(params.key);
if (context.currentUser) {
const connections = await context.currentUser
.$relatedQuery('connections')
const connections = await connectionBaseQuery
.select('connections.*')
.fullOuterJoinRelated('steps')
.where({

18
packages/backend/src/graphql/queries/get-connected-apps.ts
View File

@@ -1,6 +1,8 @@
import { IConnection } from '@automatisch/types';
import App from '../../models/app';
import Context from '../../types/express/context';
import Flow from '../../models/flow';
import Connection from '../../models/connection';
type Params = {
name: string;
@@ -11,19 +13,25 @@ const getConnectedApps = async (
params: Params,
context: Context
) => {
context.currentUser.can('read', 'Connection');
const conditions = context.currentUser.can('read', 'Connection');
const userConnections = context.currentUser.$relatedQuery('connections');
const allConnections = Connection.query();
const connectionBaseQuery = conditions.isCreator ? userConnections : allConnections;
const userFlows = context.currentUser.$relatedQuery('flows');
const allFlows = Flow.query();
const flowBaseQuery = conditions.isCreator ? userFlows : allFlows;
let apps = await App.findAll(params.name);
const connections = await context.currentUser
.$relatedQuery('connections')
const connections = await connectionBaseQuery
.select('connections.key')
.where({ draft: false })
.count('connections.id as count')
.groupBy('connections.key');
const flows = await context.currentUser
.$relatedQuery('flows')
const flows = await flowBaseQuery
.withGraphJoined('steps')
.orderBy('created_at', 'desc');

9
packages/backend/src/graphql/queries/get-dynamic-data.ts
View File

@@ -1,6 +1,7 @@
import { IDynamicData, IJSONObject } from '@automatisch/types';
import Context from '../../types/express/context';
import App from '../../models/app';
import Step from '../../models/step';
import ExecutionStep from '../../models/execution-step';
import globalVariable from '../../helpers/global-variable';
import computeParameters from '../../helpers/compute-parameters';
@@ -16,10 +17,12 @@ const getDynamicData = async (
params: Params,
context: Context
) => {
context.currentUser.can('update', 'Flow');
const conditions = context.currentUser.can('update', 'Flow');
const userSteps = context.currentUser.$relatedQuery('steps');
const allSteps = Step.query();
const stepBaseQuery = conditions.isCreator ? userSteps : allSteps;
const step = await context.currentUser
.$relatedQuery('steps')
const step = await stepBaseQuery
.withGraphFetched({
connection: true,
flow: true,

9
packages/backend/src/graphql/queries/get-dynamic-fields.ts
View File

@@ -1,6 +1,7 @@
import { IDynamicFields, IJSONObject } from '@automatisch/types';
import Context from '../../types/express/context';
import App from '../../models/app';
import Step from '../../models/step';
import globalVariable from '../../helpers/global-variable';
type Params = {
@@ -14,10 +15,12 @@ const getDynamicFields = async (
params: Params,
context: Context
) => {
context.currentUser.can('update', 'Flow');
const conditions = context.currentUser.can('update', 'Flow');
const userSteps = context.currentUser.$relatedQuery('steps');
const allSteps = Step.query();
const stepBaseQuery = conditions.isCreator ? userSteps : allSteps;
const step = await context.currentUser
.$relatedQuery('steps')
const step = await stepBaseQuery
.withGraphFetched({
connection: true,
flow: true,

9
packages/backend/src/graphql/queries/get-execution-steps.ts
View File

@@ -1,5 +1,6 @@
import Context from '../../types/express/context';
import paginate from '../../helpers/pagination';
import Execution from '../../models/execution';
type Params = {
executionId: string;
@@ -12,10 +13,12 @@ const getExecutionSteps = async (
params: Params,
context: Context
) => {
context.currentUser.can('read', 'Execution');
const conditions = context.currentUser.can('read', 'Execution');
const userExecutions = context.currentUser.$relatedQuery('executions');
const allExecutions = Execution.query();
const executionBaseQuery = conditions.isCreator ? userExecutions : allExecutions;
const execution = await context.currentUser
.$relatedQuery('executions')
const execution = await executionBaseQuery
.withSoftDeleted()
.findById(params.executionId)
.throwIfNotFound();

9
packages/backend/src/graphql/queries/get-execution.ts
View File

@@ -1,4 +1,5 @@
import Context from '../../types/express/context';
import Execution from '../../models/execution';
type Params = {
executionId: string;
@@ -9,10 +10,12 @@ const getExecution = async (
params: Params,
context: Context
) => {
context.currentUser.can('read', 'Execution');
const conditions = context.currentUser.can('read', 'Execution');
const userExecutions = context.currentUser.$relatedQuery('executions');
const allExecutions = Execution.query();
const executionBaseQuery = conditions.isCreator ? userExecutions : allExecutions;
const execution = await context.currentUser
.$relatedQuery('executions')
const execution = await executionBaseQuery
.withGraphFetched({
flow: {
steps: true,

10
packages/backend/src/graphql/queries/get-executions.ts
View File

@@ -1,5 +1,6 @@
import { raw } from 'objection';
import Context from '../../types/express/context';
import Execution from '../../models/execution';
import paginate from '../../helpers/pagination';
type Params = {
@@ -12,7 +13,11 @@ const getExecutions = async (
params: Params,
context: Context
) => {
context.currentUser.can('read', 'Execution');
const conditions = context.currentUser.can('read', 'Execution');
const userExecutions = context.currentUser.$relatedQuery('executions');
const allExecutions = Execution.query();
const executionBaseQuery = conditions.isCreator ? userExecutions : allExecutions;
const selectStatusStatement = `
case
@@ -23,8 +28,7 @@ const getExecutions = async (
as status
`;
const executions = context.currentUser
.$relatedQuery('executions')
const executions = executionBaseQuery
.joinRelated('executionSteps as execution_steps')
.select('executions.*', raw(selectStatusStatement))
.withSoftDeleted()

9
packages/backend/src/graphql/queries/get-flow.ts
View File

@@ -1,14 +1,17 @@
import Context from '../../types/express/context';
import Flow from '../../models/flow';
type Params = {
id: string;
};
const getFlow = async (_parent: unknown, params: Params, context: Context) => {
context.currentUser.can('read', 'Flow');
const conditions = context.currentUser.can('read', 'Flow');
const userFlows = context.currentUser.$relatedQuery('flows');
const allFlows = Flow.query();
const baseQuery = conditions.isCreator ? userFlows : allFlows;
const flow = await context.currentUser
.$relatedQuery('flows')
const flow = await baseQuery
.withGraphJoined('[steps.[connection]]')
.orderBy('steps.position', 'asc')
.findOne({ 'flows.id': params.id })

9
packages/backend/src/graphql/queries/get-flows.ts
View File

@@ -1,3 +1,4 @@
import Flow from '../../models/flow';
import Context from '../../types/express/context';
import paginate from '../../helpers/pagination';
@@ -10,10 +11,12 @@ type Params = {
};
const getFlows = async (_parent: unknown, params: Params, context: Context) => {
context.currentUser.can('read', 'Flow');
const conditions = context.currentUser.can('read', 'Flow');
const userFlows = context.currentUser.$relatedQuery('flows');
const allFlows = Flow.query();
const baseQuery = conditions.isCreator ? userFlows : allFlows;
const flowsQuery = context.currentUser
.$relatedQuery('flows')
const flowsQuery = baseQuery
.joinRelated({
steps: true,
})

7
packages/backend/src/graphql/queries/get-permission-catalog.ee.ts Normal file
View File

@@ -0,0 +1,7 @@
import permissionCatalog from '../../helpers/permission-catalog.ee';
const getPermissionCatalog = async () => {
return permissionCatalog;
};
export default getPermissionCatalog;

23
packages/backend/src/graphql/queries/get-role.ee.ts Normal file
View File

@@ -0,0 +1,23 @@
import Context from '../../types/express/context';
import Role from '../../models/role';
type Params = {
id: string
};
const getRole = async (_parent: unknown, params: Params, context: Context) => {
context.currentUser.can('read', 'Role');
return await Role
.query()
.leftJoinRelated({
permissions: true
})
.withGraphFetched({
permissions: true
})
.findById(params.id)
.throwIfNotFound();
};
export default getRole;

10
packages/backend/src/graphql/queries/get-roles.ee.ts Normal file
View File

@@ -0,0 +1,10 @@
import Context from '../../types/express/context';
import Role from '../../models/role';
const getRoles = async (_parent: unknown, params: unknown, context: Context) => {
context.currentUser.can('read', 'Role');
return await Role.query().orderBy('name');
};
export default getRoles;

2
packages/backend/src/graphql/queries/get-saml-auth-providers.ee.ts
View File

@@ -1,7 +1,7 @@
import SamlAuthProvider from '../../models/saml-auth-provider.ee';
const getSamlAuthProviders = async () => {
const providers = await SamlAuthProvider.query();
const providers = await SamlAuthProvider.query().where({ active: true });
return providers;
};

16
packages/backend/src/graphql/queries/get-step-with-test-executions.ts
View File

@@ -1,6 +1,7 @@
import Context from '../../types/express/context';
import ExecutionStep from '../../models/execution-step';
import { ref } from 'objection';
import ExecutionStep from '../../models/execution-step';
import Step from '../../models/step';
import Context from '../../types/express/context';
type Params = {
stepId: string;
@@ -11,15 +12,16 @@ const getStepWithTestExecutions = async (
params: Params,
context: Context
) => {
context.currentUser.can('update', 'Flow');
const conditions = context.currentUser.can('update', 'Flow');
const userSteps = context.currentUser.$relatedQuery('steps');
const allSteps = Step.query();
const stepBaseQuery = conditions.isCreator ? userSteps : allSteps;
const step = await context.currentUser
.$relatedQuery('steps')
const step = await stepBaseQuery
.findOne({ 'steps.id': params.stepId })
.throwIfNotFound();
const previousStepsWithCurrentStep = await context.currentUser
.$relatedQuery('steps')
const previousStepsWithCurrentStep = await stepBaseQuery
.withGraphJoined('executionSteps')
.where('flow_id', '=', step.flowId)
.andWhere('position', '<', step.position)

23
packages/backend/src/graphql/queries/get-user.ts Normal file
View File

@@ -0,0 +1,23 @@
import Context from '../../types/express/context';
import User from '../../models/user';
type Params = {
id: string
};
const getUser = async (_parent: unknown, params: Params, context: Context) => {
context.currentUser.can('read', 'User');
return await User
.query()
.leftJoinRelated({
role: true
})
.withGraphFetched({
role: true
})
.findById(params.id)
.throwIfNotFound();
};
export default getUser;

26
packages/backend/src/graphql/queries/get-users.ts Normal file
View File

@@ -0,0 +1,26 @@
import Context from '../../types/express/context';
import paginate from '../../helpers/pagination';
import User from '../../models/user';
type Params = {
limit: number;
offset: number;
};
const getUsers = async (_parent: unknown, params: Params, context: Context) => {
context.currentUser.can('read', 'User');
const usersQuery = User
.query()
.leftJoinRelated({
role: true
})
.withGraphFetched({
role: true
})
.orderBy('full_name', 'desc');
return paginate(usersQuery, params.limit, params.offset);
};
export default getUsers;

9
packages/backend/src/graphql/queries/test-connection.ts
View File

@@ -1,5 +1,6 @@
import Context from '../../types/express/context';
import App from '../../models/app';
import Connection from '../../models/connection';
import globalVariable from '../../helpers/global-variable';
type Params = {
@@ -12,10 +13,12 @@ const testConnection = async (
params: Params,
context: Context
) => {
context.currentUser.can('update', 'Connection');
const conditions = context.currentUser.can('update', 'Connection');
const userConnections = context.currentUser.$relatedQuery('connections');
const allConnections = Connection.query();
const connectionBaseQuery = conditions.isCreator ? userConnections : allConnections;
let connection = await context.currentUser
.$relatedQuery('connections')
let connection = await connectionBaseQuery
.findOne({
id: params.id,
})

68
packages/backend/src/graphql/query-resolvers.ts
View File

@@ -1,49 +1,59 @@
import getApps from './queries/get-apps';
import getApp from './queries/get-app';
import getApps from './queries/get-apps';
import getAutomatischInfo from './queries/get-automatisch-info';
import getBillingAndUsage from './queries/get-billing-and-usage.ee';
import getConnectedApps from './queries/get-connected-apps';
import testConnection from './queries/test-connection';
import getFlow from './queries/get-flow';
import getFlows from './queries/get-flows';
import getStepWithTestExecutions from './queries/get-step-with-test-executions';
import getExecution from './queries/get-execution';
import getExecutions from './queries/get-executions';
import getExecutionSteps from './queries/get-execution-steps';
import getCurrentUser from './queries/get-current-user';
import getDynamicData from './queries/get-dynamic-data';
import getDynamicFields from './queries/get-dynamic-fields';
import getCurrentUser from './queries/get-current-user';
import getPaymentPlans from './queries/get-payment-plans.ee';
import getPaddleInfo from './queries/get-paddle-info.ee';
import getBillingAndUsage from './queries/get-billing-and-usage.ee';
import getExecution from './queries/get-execution';
import getExecutionSteps from './queries/get-execution-steps';
import getExecutions from './queries/get-executions';
import getFlow from './queries/get-flow';
import getFlows from './queries/get-flows';
import getUser from './queries/get-user';
import getUsers from './queries/get-users';
import getInvoices from './queries/get-invoices.ee';
import getAutomatischInfo from './queries/get-automatisch-info';
import getTrialStatus from './queries/get-trial-status.ee';
import getSubscriptionStatus from './queries/get-subscription-status.ee';
import getPaddleInfo from './queries/get-paddle-info.ee';
import getPaymentPlans from './queries/get-payment-plans.ee';
import getPermissionCatalog from './queries/get-permission-catalog.ee';
import getRole from './queries/get-role.ee';
import getRoles from './queries/get-roles.ee';
import getSamlAuthProviders from './queries/get-saml-auth-providers.ee';
import getStepWithTestExecutions from './queries/get-step-with-test-executions';
import getSubscriptionStatus from './queries/get-subscription-status.ee';
import getTrialStatus from './queries/get-trial-status.ee';
import healthcheck from './queries/healthcheck';
import testConnection from './queries/test-connection';
const queryResolvers = {
getApps,
getApp,
getApps,
getAutomatischInfo,
getBillingAndUsage,
getConnectedApps,
testConnection,
getFlow,
getFlows,
getStepWithTestExecutions,
getCurrentUser,
getDynamicData,
getDynamicFields,
getExecution,
getExecutions,
getExecutionSteps,
getDynamicData,
getDynamicFields,
getCurrentUser,
getPaymentPlans,
getPaddleInfo,
getBillingAndUsage,
getFlow,
getFlows,
getInvoices,
getAutomatischInfo,
getTrialStatus,
getSubscriptionStatus,
getPaddleInfo,
getPaymentPlans,
getPermissionCatalog,
getRole,
getRoles,
getSamlAuthProviders,
getStepWithTestExecutions,
getSubscriptionStatus,
getTrialStatus,
getUser,
getUsers,
healthcheck,
testConnection,
};
export default queryResolvers;

139
packages/backend/src/graphql/schema.graphql
View File

@@ -42,31 +42,45 @@ type Query {
getTrialStatus: GetTrialStatus
getSubscriptionStatus: GetSubscriptionStatus
getSamlAuthProviders: [GetSamlAuthProviders]
getUsers(
limit: Int!
offset: Int!
): UserConnection
getUser(id: String!): User
getRoles: [Role]
getRole(id: String!): Role
getPermissionCatalog: PermissionCatalog
healthcheck: AppHealth
}
type Mutation {
createConnection(input: CreateConnectionInput): Connection
generateAuthUrl(input: GenerateAuthUrlInput): AuthLink
updateConnection(input: UpdateConnectionInput): Connection
resetConnection(input: ResetConnectionInput): Connection
verifyConnection(input: VerifyConnectionInput): Connection
deleteConnection(input: DeleteConnectionInput): Boolean
createFlow(input: CreateFlowInput): Flow
createRole(input: CreateRoleInput): Role
createStep(input: CreateStepInput): Step
createUser(input: CreateUserInput): User
deleteConnection(input: DeleteConnectionInput): Boolean
deleteCurrentUser: Boolean
deleteFlow(input: DeleteFlowInput): Boolean
deleteRole(input: DeleteRoleInput): Boolean
deleteStep(input: DeleteStepInput): Step
deleteUser(input: DeleteUserInput): Boolean
duplicateFlow(input: DuplicateFlowInput): Flow
executeFlow(input: ExecuteFlowInput): executeFlowType
forgotPassword(input: ForgotPasswordInput): Boolean
generateAuthUrl(input: GenerateAuthUrlInput): AuthLink
login(input: LoginInput): Auth
registerUser(input: RegisterUserInput): User
resetConnection(input: ResetConnectionInput): Connection
resetPassword(input: ResetPasswordInput): Boolean
updateConnection(input: UpdateConnectionInput): Connection
updateCurrentUser(input: UpdateCurrentUserInput): User
updateFlow(input: UpdateFlowInput): Flow
updateFlowStatus(input: UpdateFlowStatusInput): Flow
executeFlow(input: ExecuteFlowInput): executeFlowType
deleteFlow(input: DeleteFlowInput): Boolean
duplicateFlow(input: DuplicateFlowInput): Flow
createStep(input: CreateStepInput): Step
updateRole(input: UpdateRoleInput): Role
updateStep(input: UpdateStepInput): Step
deleteStep(input: DeleteStepInput): Step
createUser(input: CreateUserInput): User
deleteUser: Boolean
updateUser(input: UpdateUserInput): User
forgotPassword(input: ForgotPasswordInput): Boolean
resetPassword(input: ResetPasswordInput): Boolean
login(input: LoginInput): Auth
verifyConnection(input: VerifyConnectionInput): Connection
}
"""
@@ -278,6 +292,15 @@ type Execution {
flow: Flow
}
type UserConnection {
edges: [UserEdge]
pageInfo: PageInfo
}
type UserEdge {
node: User
}
input CreateConnectionInput {
key: String!
formattedData: JSONObject!
@@ -361,9 +384,31 @@ input CreateUserInput {
fullName: String!
email: String!
password: String!
role: UserRoleInput!
}
input UserRoleInput {
id: String
}
input UpdateUserInput {
id: String!
fullName: String
email: String
role: UserRoleInput
}
input DeleteUserInput {
id: String!
}
input RegisterUserInput {
fullName: String!
email: String!
password: String!
}
input UpdateCurrentUserInput {
email: String
password: String
fullName: String
@@ -383,6 +428,29 @@ input LoginInput {
password: String!
}
input PermissionInput {
action: String!
subject: String!
conditions: [String]
}
input CreateRoleInput {
name: String!
description: String
permissions: [PermissionInput]
}
input UpdateRoleInput {
id: String!
name: String!
description: String
permissions: [PermissionInput]
}
input DeleteRoleInput {
id: String!
}
"""
The `JSONObject` scalar type represents JSON objects as specified by [ECMA-404](http://www.ecma-international.org/publications/files/ECMA-ST/ECMA-404.pdf).
"""
@@ -454,11 +522,21 @@ type User {
id: String
fullName: String
email: String
role: String
role: Role
permissions: [Permission]
createdAt: String
updatedAt: String
}
type Role {
id: String
name: String
key: String
description: String
isAdmin: Boolean
permissions: [Permission]
}
type PageInfo {
currentPage: Int!
totalPages: Int!
@@ -561,6 +639,35 @@ type GetSamlAuthProviders {
issuer: String
}
type Permission {
id: String
action: String
subject: String
conditions: [String]
}
type PermissionCatalog {
actions: [Action]
subjects: [Subject]
conditions: [Condition]
}
type Action {
label: String
key: String
subjects: [String]
}
type Condition {
key: String
label: String
}
type Subject {
label: String
key: String
}
schema {
query: Query
mutation: Mutation

8
packages/backend/src/helpers/authentication.ts
View File

@@ -15,10 +15,12 @@ const isAuthenticated = rule()(async (_parent, _args, req) => {
req.currentUser = await User
.query()
.findById(userId)
.joinRelated({
.leftJoinRelated({
role: true,
permissions: true,
})
.withGraphFetched({
role: true,
permissions: true,
});
@@ -38,9 +40,9 @@ const authentication = shield(
},
Mutation: {
'*': isAuthenticated,
login: allow,
createUser: allow,
registerUser: allow,
forgotPassword: allow,
login: allow,
resetPassword: allow,
},
},

4
packages/backend/src/helpers/find-or-create-user-by-saml-identity.ee.ts
View File

@@ -22,7 +22,7 @@ const findOrCreateUserBySamlIdentity = async (userIdentity: Record<string, unkno
return user;
}
const createdUser = await User.query().insertGraphAndFetch({
const createdUser = await User.query().insertGraph({
fullName: [
mappedUser.name,
mappedUser.surname
@@ -40,7 +40,7 @@ const findOrCreateUserBySamlIdentity = async (userIdentity: Record<string, unkno
]
}, {
relate: ['identities']
});
}).returning('*');
return createdUser;
};

72
packages/backend/src/helpers/permission-catalog.ee.ts Normal file
View File

@@ -0,0 +1,72 @@
const Connection = {
label: 'Connection',
key: 'Connection',
};
const Flow = {
label: 'Flow',
key: 'Flow',
};
const Execution = {
label: 'Execution',
key: 'Execution',
};
const permissionCatalog = {
conditions: [
{
key: 'isCreator',
label: 'Is creator'
}
],
actions: [
{
label: 'Create',
key: 'create',
subjects: [
Connection.key,
Flow.key,
]
},
{
label: 'Read',
key: 'read',
subjects: [
Connection.key,
Execution.key,
Flow.key,
]
},
{
label: 'Update',
key: 'update',
subjects: [
Connection.key,
Flow.key,
]
},
{
label: 'Delete',
key: 'delete',
subjects: [
Connection.key,
Flow.key,
]
},
{
label: 'Publish',
key: 'publish',
subjects: [
Flow.key,
]
}
],
subjects: [
Connection,
Flow,
Execution
]
};
export default permissionCatalog;

20
packages/backend/src/helpers/user-ability.ts Normal file
View File

@@ -0,0 +1,20 @@
import { PureAbility, fieldPatternMatcher, mongoQueryMatcher } from '@casl/ability';
import type User from '../models/user'
// Must be kept in sync with `packages/web/src/helpers/userAbility.ts`!
export default function userAbility(user: Partial<User>) {
const permissions = user?.permissions;
const role = user?.role;
// We're not using mongo, but our fields, conditions match
const options = {
conditionsMatcher: mongoQueryMatcher,
fieldMatcher: fieldPatternMatcher
};
if (!role || !permissions) {
return new PureAbility([], options);
}
return new PureAbility<[string, string], string[]>(permissions, options);
}

6
packages/backend/src/models/permission.ts
View File

@@ -2,19 +2,23 @@ import Base from './base';
class Permission extends Base {
id: string;
roleId: string;
action: string;
subject: string;
conditions: string[];
static tableName = 'permissions';
static jsonSchema = {
type: 'object',
required: ['action', 'subject'],
required: ['roleId', 'action', 'subject'],
properties: {
id: { type: 'string', format: 'uuid' },
roleId: { type: 'string', format: 'uuid' },
action: { type: 'string', minLength: 1 },
subject: { type: 'string', minLength: 1 },
conditions: { type: 'array', items: { type: 'string' } },
createdAt: { type: 'string' },
updatedAt: { type: 'string' },
},

17
packages/backend/src/models/query-builder.ts
View File

@@ -1,6 +1,7 @@
import {
Model,
Page,
ModelClass,
PartialModelObject,
ForClassMethod,
AnyQueryBuilder,
@@ -8,6 +9,10 @@ import {
const DELETED_COLUMN_NAME = 'deleted_at';
const supportsSoftDeletion = (modelClass: ModelClass<any>) => {
return modelClass.jsonSchema.properties.deletedAt;
}
const buildQueryBuidlerForClass = (): ForClassMethod => {
return (modelClass) => {
const qb: AnyQueryBuilder = Model.QueryBuilder.forClass.call(
@@ -15,7 +20,7 @@ const buildQueryBuidlerForClass = (): ForClassMethod => {
modelClass
);
qb.onBuild((builder) => {
if (!builder.context().withSoftDeleted && qb.modelClass().jsonSchema.properties.deletedAt) {
if (!builder.context().withSoftDeleted && supportsSoftDeletion(qb.modelClass())) {
builder.whereNull(
`${qb.modelClass().tableName}.${DELETED_COLUMN_NAME}`
);
@@ -38,9 +43,13 @@ class ExtendedQueryBuilder<M extends Model, R = M[]> extends Model.QueryBuilder<
static forClass: ForClassMethod = buildQueryBuidlerForClass();
delete() {
return this.patch({
[DELETED_COLUMN_NAME]: new Date().toISOString(),
} as unknown as PartialModelObject<M>);
if (supportsSoftDeletion(this.modelClass())) {
return this.patch({
[DELETED_COLUMN_NAME]: new Date().toISOString(),
} as unknown as PartialModelObject<M>);
}
return super.delete();
}
hardDelete() {

20
packages/backend/src/models/role.ts
View File

@@ -1,4 +1,5 @@
import Base from './base';
import Permission from './permission';
import User from './user';
class Role extends Base {
@@ -7,6 +8,7 @@ class Role extends Base {
key: string;
description: string;
users?: User[];
permissions?: Permission[];
static tableName = 'roles';
@@ -18,12 +20,16 @@ class Role extends Base {
id: { type: 'string', format: 'uuid' },
name: { type: 'string', minLength: 1 },
key: { type: 'string', minLength: 1 },
description: { type: ['string', 'null'], minLength: 1, maxLength: 255 },
description: { type: ['string', 'null'], maxLength: 255 },
createdAt: { type: 'string' },
updatedAt: { type: 'string' },
},
};
static get virtualAttributes() {
return ['isAdmin'];
}
static relationMappings = () => ({
users: {
relation: Base.HasManyRelation,
@@ -33,7 +39,19 @@ class Role extends Base {
to: 'users.role_id',
},
},
permissions: {
relation: Base.HasManyRelation,
modelClass: Permission,
join: {
from: 'roles.id',
to: 'permissions.role_id',
},
},
});
get isAdmin() {
return this.key === 'admin';
}
}
export default Role;

4
packages/backend/src/models/saml-auth-provider.ee.ts
View File

@@ -16,6 +16,7 @@ class SamlAuthProvider extends Base {
emailAttributeName: string;
roleAttributeName: string;
defaultRoleId: string;
active: boolean;
static tableName = 'saml_auth_providers';
@@ -45,7 +46,8 @@ class SamlAuthProvider extends Base {
surnameAttributeName: { type: 'string', minLength: 1 },
emailAttributeName: { type: 'string', minLength: 1 },
roleAttributeName: { type: 'string', minLength: 1 },
defaultRoleId: { type: 'string', format: 'uuid' }
defaultRoleId: { type: 'string', format: 'uuid' },
active: { type: 'boolean' },
},
};

65
packages/backend/src/models/user.ts
View File

@@ -1,22 +1,25 @@
import crypto from 'node:crypto';
import { QueryContext, ModelOptions } from 'objection';
import bcrypt from 'bcrypt';
import { DateTime } from 'luxon';
import { Ability } from '@casl/ability';
import type { Subject } from '@casl/ability';
import crypto from 'node:crypto';
import {
ModelOptions,
QueryContext
} from 'objection';
import appConfig from '../config/app';
import checkLicense from '../helpers/check-license.ee';
import userAbility from '../helpers/user-ability';
import Base from './base';
import ExtendedQueryBuilder from './query-builder';
import Connection from './connection';
import Flow from './flow';
import Step from './step';
import Role from './role';
import Permission from './permission';
import Execution from './execution';
import Flow from './flow';
import Identity from './identity.ee';
import UsageData from './usage-data.ee';
import Permission from './permission';
import ExtendedQueryBuilder from './query-builder';
import Role from './role';
import Step from './step';
import Subscription from './subscription.ee';
import UsageData from './usage-data.ee';
class User extends Base {
id!: string;
@@ -148,15 +151,11 @@ class User extends Base {
},
},
permissions: {
relation: Base.ManyToManyRelation,
relation: Base.HasManyRelation,
modelClass: Permission,
join: {
from: 'users.role_id',
through: {
from: 'roles_permissions.role_id',
to: 'roles_permissions.permission_id',
},
to: 'permissions.id',
to: 'permissions.role_id',
},
},
identities: {
@@ -292,23 +291,43 @@ class User extends Base {
}
}
get ability() {
if (!this.permissions) {
throw new Error('User.permissions must be fetched!');
async $afterFind(): Promise<any> {
const hasValidLicense = await checkLicense();
if (hasValidLicense) return this;
if (Array.isArray(this.permissions)) {
this.permissions = this.permissions.filter((permission) => {
const isRolePermission = permission.subject === 'Role';
return !isRolePermission;
});
}
return new Ability(this.permissions);
return this;
}
can(action: string, subject: Subject) {
get ability(): ReturnType<typeof userAbility> {
return userAbility(this);
}
can(action: string, subject: string) {
const can = this.ability.can(action, subject);
if (!can) throw new Error('Not authorized!');
return can;
const relevantRule = this.ability.relevantRuleFor(action, subject);
const conditions = relevantRule?.conditions as string[] || [];
const conditionMap: Record<string, true> = Object
.fromEntries(
conditions.map((condition) => [condition, true])
)
return conditionMap;
}
cannot(action: string, subject: Subject) {
cannot(action: string, subject: string) {
const cannot = this.ability.cannot(action, subject);
if (cannot) throw new Error('Not authorized!');