feat(auth): add user and role management

This commit is contained in:
Ali BARIN
2023-07-18 21:00:10 +00:00
parent a7104c41a2
commit 0deaa03218
108 changed files with 2909 additions and 388 deletions

View File

@@ -2,19 +2,23 @@ import Base from './base';
class Permission extends Base {
id: string;
roleId: string;
action: string;
subject: string;
conditions: string[];
static tableName = 'permissions';
static jsonSchema = {
type: 'object',
required: ['action', 'subject'],
required: ['roleId', 'action', 'subject'],
properties: {
id: { type: 'string', format: 'uuid' },
roleId: { type: 'string', format: 'uuid' },
action: { type: 'string', minLength: 1 },
subject: { type: 'string', minLength: 1 },
conditions: { type: 'array', items: { type: 'string' } },
createdAt: { type: 'string' },
updatedAt: { type: 'string' },
},

View File

@@ -1,6 +1,7 @@
import {
Model,
Page,
ModelClass,
PartialModelObject,
ForClassMethod,
AnyQueryBuilder,
@@ -8,6 +9,10 @@ import {
const DELETED_COLUMN_NAME = 'deleted_at';
const supportsSoftDeletion = (modelClass: ModelClass<any>) => {
return modelClass.jsonSchema.properties.deletedAt;
}
const buildQueryBuidlerForClass = (): ForClassMethod => {
return (modelClass) => {
const qb: AnyQueryBuilder = Model.QueryBuilder.forClass.call(
@@ -15,7 +20,7 @@ const buildQueryBuidlerForClass = (): ForClassMethod => {
modelClass
);
qb.onBuild((builder) => {
if (!builder.context().withSoftDeleted && qb.modelClass().jsonSchema.properties.deletedAt) {
if (!builder.context().withSoftDeleted && supportsSoftDeletion(qb.modelClass())) {
builder.whereNull(
`${qb.modelClass().tableName}.${DELETED_COLUMN_NAME}`
);
@@ -38,9 +43,13 @@ class ExtendedQueryBuilder<M extends Model, R = M[]> extends Model.QueryBuilder<
static forClass: ForClassMethod = buildQueryBuidlerForClass();
delete() {
return this.patch({
[DELETED_COLUMN_NAME]: new Date().toISOString(),
} as unknown as PartialModelObject<M>);
if (supportsSoftDeletion(this.modelClass())) {
return this.patch({
[DELETED_COLUMN_NAME]: new Date().toISOString(),
} as unknown as PartialModelObject<M>);
}
return super.delete();
}
hardDelete() {

View File

@@ -1,4 +1,5 @@
import Base from './base';
import Permission from './permission';
import User from './user';
class Role extends Base {
@@ -7,6 +8,7 @@ class Role extends Base {
key: string;
description: string;
users?: User[];
permissions?: Permission[];
static tableName = 'roles';
@@ -18,12 +20,16 @@ class Role extends Base {
id: { type: 'string', format: 'uuid' },
name: { type: 'string', minLength: 1 },
key: { type: 'string', minLength: 1 },
description: { type: ['string', 'null'], minLength: 1, maxLength: 255 },
description: { type: ['string', 'null'], maxLength: 255 },
createdAt: { type: 'string' },
updatedAt: { type: 'string' },
},
};
static get virtualAttributes() {
return ['isAdmin'];
}
static relationMappings = () => ({
users: {
relation: Base.HasManyRelation,
@@ -33,7 +39,19 @@ class Role extends Base {
to: 'users.role_id',
},
},
permissions: {
relation: Base.HasManyRelation,
modelClass: Permission,
join: {
from: 'roles.id',
to: 'permissions.role_id',
},
},
});
get isAdmin() {
return this.key === 'admin';
}
}
export default Role;

View File

@@ -16,6 +16,7 @@ class SamlAuthProvider extends Base {
emailAttributeName: string;
roleAttributeName: string;
defaultRoleId: string;
active: boolean;
static tableName = 'saml_auth_providers';
@@ -45,7 +46,8 @@ class SamlAuthProvider extends Base {
surnameAttributeName: { type: 'string', minLength: 1 },
emailAttributeName: { type: 'string', minLength: 1 },
roleAttributeName: { type: 'string', minLength: 1 },
defaultRoleId: { type: 'string', format: 'uuid' }
defaultRoleId: { type: 'string', format: 'uuid' },
active: { type: 'boolean' },
},
};

View File

@@ -1,22 +1,25 @@
import crypto from 'node:crypto';
import { QueryContext, ModelOptions } from 'objection';
import bcrypt from 'bcrypt';
import { DateTime } from 'luxon';
import { Ability } from '@casl/ability';
import type { Subject } from '@casl/ability';
import crypto from 'node:crypto';
import {
ModelOptions,
QueryContext
} from 'objection';
import appConfig from '../config/app';
import checkLicense from '../helpers/check-license.ee';
import userAbility from '../helpers/user-ability';
import Base from './base';
import ExtendedQueryBuilder from './query-builder';
import Connection from './connection';
import Flow from './flow';
import Step from './step';
import Role from './role';
import Permission from './permission';
import Execution from './execution';
import Flow from './flow';
import Identity from './identity.ee';
import UsageData from './usage-data.ee';
import Permission from './permission';
import ExtendedQueryBuilder from './query-builder';
import Role from './role';
import Step from './step';
import Subscription from './subscription.ee';
import UsageData from './usage-data.ee';
class User extends Base {
id!: string;
@@ -148,15 +151,11 @@ class User extends Base {
},
},
permissions: {
relation: Base.ManyToManyRelation,
relation: Base.HasManyRelation,
modelClass: Permission,
join: {
from: 'users.role_id',
through: {
from: 'roles_permissions.role_id',
to: 'roles_permissions.permission_id',
},
to: 'permissions.id',
to: 'permissions.role_id',
},
},
identities: {
@@ -292,23 +291,43 @@ class User extends Base {
}
}
get ability() {
if (!this.permissions) {
throw new Error('User.permissions must be fetched!');
async $afterFind(): Promise<any> {
const hasValidLicense = await checkLicense();
if (hasValidLicense) return this;
if (Array.isArray(this.permissions)) {
this.permissions = this.permissions.filter((permission) => {
const isRolePermission = permission.subject === 'Role';
return !isRolePermission;
});
}
return new Ability(this.permissions);
return this;
}
can(action: string, subject: Subject) {
get ability(): ReturnType<typeof userAbility> {
return userAbility(this);
}
can(action: string, subject: string) {
const can = this.ability.can(action, subject);
if (!can) throw new Error('Not authorized!');
return can;
const relevantRule = this.ability.relevantRuleFor(action, subject);
const conditions = relevantRule?.conditions as string[] || [];
const conditionMap: Record<string, true> = Object
.fromEntries(
conditions.map((condition) => [condition, true])
)
return conditionMap;
}
cannot(action: string, subject: Subject) {
cannot(action: string, subject: string) {
const cannot = this.ability.cannot(action, subject);
if (cannot) throw new Error('Not authorized!');