UNPKG

@grown/access/index.js

Version:

8.13 kBJavaScriptView Raw

1'use strict';
2
3const debug = require('debug')('grown:access');
4
5const RE_DOUBLE_STAR = /\/\*\*/g;
6const RE_SINGLE_STAR = /\/\*/g;
7
8module.exports = (Grown, util) => {
function _reduceHandler(handler, permissions) {
  const parts = handler.split('.');
11
  let _handler;
13
  // iterate until one handler matches
  while (parts.length) {
    _handler = permissions[parts.join('.')];
17
    /* istanbul ignore else */
    if (_handler) {
      break;
    }
22
    parts.pop();
  }
25
  /* istanbul ignore else */
  if (!_handler) {
    return null;
  }
30
  return _handler;
}
33
function _compileMatch(rule) {
  const fixedRoute = rule.path
    .replace(RE_DOUBLE_STAR, '/.*?')
    .replace(RE_SINGLE_STAR, '/[^\\/]+?');
38
  let regex;
40
  try {
    regex = new RegExp(`^${fixedRoute}$`);
  } catch (e) {
    throw new Error(`Cannot compile '${rule.path}' as route handler`);
  }
46
  return conn => {
    /* istanbul ignore else */
    if (rule.method
      && rule.method !== conn.method) {
      return;
    }
53
    return regex.test(conn.request_path) && rule.handler;
  };
}
57
function _makeMatcher(ruleset) {
  const matches = ruleset.map(rule => this._compileMatch(rule));
60
  debug('%s handler%s %s compiled',
    ruleset.length,
    ruleset.length === 1 ? '' : 's',
    ruleset.length === 1 ? 'was' : 'were');
65
  return conn =>
    matches
      .map(match => match(conn))
      .filter(x => x);
}
71
function _makeTree(role, groups, property) {
  const out = [];
74
  /* istanbul ignore else */
  if (groups[role]) {
    groups[role][property].forEach(c => {
      out.push(c);
      Array.prototype.push.apply(out, this._makeTree(c, groups, property));
    });
  }
82
  return out;
}
85
function _runACL(conn, role, handlers) {
  const children = this._makeTree(role, this._groups, 'children');
  const parents = this._makeTree(role, this._groups, 'parents');
89
  debug('#%s Checking access for %s <%s>', conn.pid, role, handlers.join(', ') || '...');
91
  return Promise.resolve()
    .then(() => {
      const c = handlers.length;
      const ok = [];
96
      for (let i = 0; i < c; i += 1) {
        const handler = handlers[i];
99
        // FIXME: normalize possible values
        let test = this._reduceHandler(handler, this.permissions);
102
        /* istanbul ignore else */
        if (test !== null && typeof test === 'object' && typeof test[role] !== 'undefined') {
          test = test[role];
        }
107
        /* istanbul ignore else */
        if (typeof test === 'boolean') {
          ok.push([handler, test]);
          test = {};
        }
113
        /* istanbul ignore else */
        if (typeof test === 'string') {
          ok.push([handler, test]);
          test = {};
        }
119
        /* istanbul ignore else */
        if (typeof test === 'function') {
          ok.push([handler, test]);
          test = {};
        }
125
        /* istanbul ignore else */
        if (test !== null) {
          const y = parents.length;
129
          for (let k = 0; k < y; k += 1) {
            /* istanbul ignore else */
            if (typeof test[parents[k]] !== 'undefined') {
              ok.push([parents[k], test[parents[k]]]);
              break;
            }
          }
137
          const z = children.length;
139
          for (let l = 0; l < z; l += 1) {
            /* istanbul ignore else */
            if (test && typeof test[children[l]] !== 'undefined') {
              ok.push([children[l], test[children[l]]]);
              break;
            }
          }
        }
      }
149
      // FIXME: allow promises and serial callbacks?
      return ok
        .map(check => {
          /* istanbul ignore else */
          if (typeof check[1] === 'function') {
            check[1] = check[1](conn);
          }
157
          /* istanbul ignore else */
          if (check[1] === 'inherit') {
            check[1] = null;
          }
162
          /* istanbul ignore else */
          if (check[1] === 'allow') {
            check[1] = true;
          }
167
          /* istanbul ignore else */
          if (check[1] === 'deny') {
            check[1] = false;
          }
172
          debug('#%s Test access <%s> %s', conn.pid, check[0], check[1]);
174
          return check;
        })
        .reduce((prev, cur) => {
          /* istanbul ignore else */
          if (parents.indexOf(cur[0]) > -1) {
            debug('#%s Parent access found <%s>', conn.pid, cur[0]);
            cur[1] = false;
          }
183
          /* istanbul ignore else */
          if (children.indexOf(cur[0]) > -1) {
            debug('#%s Children access found <%s>', conn.pid, cur[0]);
            cur[1] = true;
          }
189
          /* istanbul ignore else */
          if (prev && cur[1] === null) {
            cur[0] = prev[0];
            cur[1] = prev[1];
194
            debug('#%s Inherited access <%s> %s', conn.pid, cur[0], prev[1]);
          }
197
          return cur;
        }, null);
    })
    .then(result => {
      if (!result) {
        debug('#%s Skip. No rules were defined', conn.pid);
      } else {
        debug('#%s Got access <%s> %s', conn.pid, result[0], result[1]);
      }
207
      /* istanbul ignore else */
      if (result && result[1] === false) {
        return conn.raise(403);
      }
    });
}
214
return Grown('Access', {
  _reduceHandler,
  _compileMatch,
  _makeMatcher,
  _makeTree,
  _runACL,
221
  _groups: {},
  _ruleset: [],
224
  resources: {},
  permissions: {},
227
  $install(ctx) {
    /* istanbul ignore else */
    if (typeof this.access_rules === 'object') {
      this.rules(this.access_rules);
    }
233
    const matchHandlers = this._makeMatcher(this._ruleset);
235
    ctx.mount('Access#pipe', conn => {
      const _handlers = matchHandlers(conn).filter(x => x);
238
      return Promise.resolve()
        .then(() => (this.access_filter && this.access_filter(conn)) || 'Unknown')
        .then(x => this._runACL(conn, x, _handlers));
    });
  },
244
  $mixins() {
    const self = this;
247
    return {
      methods: {
        can(role, resource, action) {
          const _handlers = !Array.isArray(resource)
            ? [action ? `${resource}.${action}` : resource]
            : resource;
254
          return Promise.resolve()
            .then(() => role || (self.access_filter && self.access_filter(this)) || 'Unknown')
            .then(x => self._validateRules(this, x, _handlers));
        },
      },
    };
  },
262
  rules(config) {
    util.extendValues(this.permissions, config.permissions);
265
    Object.keys(config.resources || {}).forEach(key => {
      this.resources[key] = config.resources[key];
268
      let _path = config.resources[key];
      let _method = 'GET';
271
      /* istanbul ignore else */
      if (_path.indexOf(' ') > -1) {
        _path = _path.split(' ');
        _method = _path[0].toUpperCase();
        _path = _path[1];
      }
278
      this._ruleset.push({
        path: _path,
        method: _method,
        handler: key,
      });
    });
285
    (!Array.isArray(config.roles) && config.roles ? [config.roles] : config.roles || [])
      .forEach(roles => roles.split('.').reduce((prev, cur) => {
        /* istanbul ignore else */
        if (!prev) {
          return cur;
        }
292
        /* istanbul ignore else */
        if (!this._groups[prev]) {
          this._groups[prev] = {
            parents: [],
            children: [],
          };
        }
300
        /* istanbul ignore else */
        if (!this._groups[cur]) {
          this._groups[cur] = {
            parents: [],
            children: [],
          };
        }
308
        this._groups[prev].parents.push(cur);
        this._groups[cur].children.push(prev);
311
        return cur;
      }, null));
314
    return this;
  },
});
318};

1	`'use strict';`
2
3	`const debug = require('debug')('grown:access');`
4
5	`const RE_DOUBLE_STAR = /\/\\/g;`
6	`const RE_SINGLE_STAR = /\/\*/g;`
7
8	`module.exports = (Grown, util) => {`
9	`function _reduceHandler(handler, permissions) {`
10	`const parts = handler.split('.');`
11
12	`let _handler;`
13
14	`// iterate until one handler matches`
15	`while (parts.length) {`
16	`_handler = permissions[parts.join('.')];`
17
18	`/* istanbul ignore else */`
19	`if (_handler) {`
20	`break;`
21	`}`
22
23	`parts.pop();`
24	`}`
25
26	`/* istanbul ignore else */`
27	`if (!_handler) {`
28	`return null;`
29	`}`
30
31	`return _handler;`
32	`}`
33
34	`function _compileMatch(rule) {`
35	`const fixedRoute = rule.path`
36	`.replace(RE_DOUBLE_STAR, '/.*?')`
37	`.replace(RE_SINGLE_STAR, '/[^\\/]+?');`
38
39	`let regex;`
40
41	`try {`
42	regex = new RegExp(`^${fixedRoute}$`);
43	`} catch (e) {`
44	throw new Error(`Cannot compile '${rule.path}' as route handler`);
45	`}`
46
47	`return conn => {`
48	`/* istanbul ignore else */`
49	`if (rule.method`
50	`&& rule.method !== conn.method) {`
51	`return;`
52	`}`
53
54	`return regex.test(conn.request_path) && rule.handler;`
55	`};`
56	`}`
57
58	`function _makeMatcher(ruleset) {`
59	`const matches = ruleset.map(rule => this._compileMatch(rule));`
60
61	`debug('%s handler%s %s compiled',`
62	`ruleset.length,`
63	`ruleset.length === 1 ? '' : 's',`
64	`ruleset.length === 1 ? 'was' : 'were');`
65
66	`return conn =>`
67	`matches`
68	`.map(match => match(conn))`
69	`.filter(x => x);`
70	`}`
71
72	`function _makeTree(role, groups, property) {`
73	`const out = [];`
74
75	`/* istanbul ignore else */`
76	`if (groups[role]) {`
77	`groups[role][property].forEach(c => {`
78	`out.push(c);`
79	`Array.prototype.push.apply(out, this._makeTree(c, groups, property));`
80	`});`
81	`}`
82
83	`return out;`
84	`}`
85
86	`function _runACL(conn, role, handlers) {`
87	`const children = this._makeTree(role, this._groups, 'children');`
88	`const parents = this._makeTree(role, this._groups, 'parents');`
89
90	`debug('#%s Checking access for %s <%s>', conn.pid, role, handlers.join(', ') \|\| '...');`
91
92	`return Promise.resolve()`
93	`.then(() => {`
94	`const c = handlers.length;`
95	`const ok = [];`
96
97	`for (let i = 0; i < c; i += 1) {`
98	`const handler = handlers[i];`
99
100	`// FIXME: normalize possible values`
101	`let test = this._reduceHandler(handler, this.permissions);`
102
103	`/* istanbul ignore else */`
104	`if (test !== null && typeof test === 'object' && typeof test[role] !== 'undefined') {`
105	`test = test[role];`
106	`}`
107
108	`/* istanbul ignore else */`
109	`if (typeof test === 'boolean') {`
110	`ok.push([handler, test]);`
111	`test = {};`
112	`}`
113
114	`/* istanbul ignore else */`
115	`if (typeof test === 'string') {`
116	`ok.push([handler, test]);`
117	`test = {};`
118	`}`
119
120	`/* istanbul ignore else */`
121	`if (typeof test === 'function') {`
122	`ok.push([handler, test]);`
123	`test = {};`
124	`}`
125
126	`/* istanbul ignore else */`
127	`if (test !== null) {`
128	`const y = parents.length;`
129
130	`for (let k = 0; k < y; k += 1) {`
131	`/* istanbul ignore else */`
132	`if (typeof test[parents[k]] !== 'undefined') {`
133	`ok.push([parents[k], test[parents[k]]]);`
134	`break;`
135	`}`
136	`}`
137
138	`const z = children.length;`
139
140	`for (let l = 0; l < z; l += 1) {`
141	`/* istanbul ignore else */`
142	`if (test && typeof test[children[l]] !== 'undefined') {`
143	`ok.push([children[l], test[children[l]]]);`
144	`break;`
145	`}`
146	`}`
147	`}`
148	`}`
149
150	`// FIXME: allow promises and serial callbacks?`
151	`return ok`
152	`.map(check => {`
153	`/* istanbul ignore else */`
154	`if (typeof check[1] === 'function') {`
155	`check[1] = check[1](conn);`
156	`}`
157
158	`/* istanbul ignore else */`
159	`if (check[1] === 'inherit') {`
160	`check[1] = null;`
161	`}`
162
163	`/* istanbul ignore else */`
164	`if (check[1] === 'allow') {`
165	`check[1] = true;`
166	`}`
167
168	`/* istanbul ignore else */`
169	`if (check[1] === 'deny') {`
170	`check[1] = false;`
171	`}`
172
173	`debug('#%s Test access <%s> %s', conn.pid, check[0], check[1]);`
174
175	`return check;`
176	`})`
177	`.reduce((prev, cur) => {`
178	`/* istanbul ignore else */`
179	`if (parents.indexOf(cur[0]) > -1) {`
180	`debug('#%s Parent access found <%s>', conn.pid, cur[0]);`
181	`cur[1] = false;`
182	`}`
183
184	`/* istanbul ignore else */`
185	`if (children.indexOf(cur[0]) > -1) {`
186	`debug('#%s Children access found <%s>', conn.pid, cur[0]);`
187	`cur[1] = true;`
188	`}`
189
190	`/* istanbul ignore else */`
191	`if (prev && cur[1] === null) {`
192	`cur[0] = prev[0];`
193	`cur[1] = prev[1];`
194
195	`debug('#%s Inherited access <%s> %s', conn.pid, cur[0], prev[1]);`
196	`}`
197
198	`return cur;`
199	`}, null);`
200	`})`
201	`.then(result => {`
202	`if (!result) {`
203	`debug('#%s Skip. No rules were defined', conn.pid);`
204	`} else {`
205	`debug('#%s Got access <%s> %s', conn.pid, result[0], result[1]);`
206	`}`
207
208	`/* istanbul ignore else */`
209	`if (result && result[1] === false) {`
210	`return conn.raise(403);`
211	`}`
212	`});`
213	`}`
214
215	`return Grown('Access', {`
216	`_reduceHandler,`
217	`_compileMatch,`
218	`_makeMatcher,`
219	`_makeTree,`
220	`_runACL,`
221
222	`_groups: {},`
223	`_ruleset: [],`
224
225	`resources: {},`
226	`permissions: {},`
227
228	`$install(ctx) {`
229	`/* istanbul ignore else */`
230	`if (typeof this.access_rules === 'object') {`
231	`this.rules(this.access_rules);`
232	`}`
233
234	`const matchHandlers = this._makeMatcher(this._ruleset);`
235
236	`ctx.mount('Access#pipe', conn => {`
237	`const _handlers = matchHandlers(conn).filter(x => x);`
238
239	`return Promise.resolve()`
240	`.then(() => (this.access_filter && this.access_filter(conn)) \|\| 'Unknown')`
241	`.then(x => this._runACL(conn, x, _handlers));`
242	`});`
243	`},`
244
245	`$mixins() {`
246	`const self = this;`
247
248	`return {`
249	`methods: {`
250	`can(role, resource, action) {`
251	`const _handlers = !Array.isArray(resource)`
252	? [action ? `${resource}.${action}` : resource]
253	`: resource;`
254
255	`return Promise.resolve()`
256	`.then(() => role \|\| (self.access_filter && self.access_filter(this)) \|\| 'Unknown')`
257	`.then(x => self._validateRules(this, x, _handlers));`
258	`},`
259	`},`
260	`};`
261	`},`
262
263	`rules(config) {`
264	`util.extendValues(this.permissions, config.permissions);`
265
266	`Object.keys(config.resources \|\| {}).forEach(key => {`
267	`this.resources[key] = config.resources[key];`
268
269	`let _path = config.resources[key];`
270	`let _method = 'GET';`
271
272	`/* istanbul ignore else */`
273	`if (_path.indexOf(' ') > -1) {`
274	`_path = _path.split(' ');`
275	`_method = _path[0].toUpperCase();`
276	`_path = _path[1];`
277	`}`
278
279	`this._ruleset.push({`
280	`path: _path,`
281	`method: _method,`
282	`handler: key,`
283	`});`
284	`});`
285
286	`(!Array.isArray(config.roles) && config.roles ? [config.roles] : config.roles \|\| [])`
287	`.forEach(roles => roles.split('.').reduce((prev, cur) => {`
288	`/* istanbul ignore else */`
289	`if (!prev) {`
290	`return cur;`
291	`}`
292
293	`/* istanbul ignore else */`
294	`if (!this._groups[prev]) {`
295	`this._groups[prev] = {`
296	`parents: [],`
297	`children: [],`
298	`};`
299	`}`
300
301	`/* istanbul ignore else */`
302	`if (!this._groups[cur]) {`
303	`this._groups[cur] = {`
304	`parents: [],`
305	`children: [],`
306	`};`
307	`}`
308
309	`this._groups[prev].parents.push(cur);`
310	`this._groups[cur].children.push(prev);`
311
312	`return cur;`
313	`}, null));`
314
315	`return this;`
316	`},`
317	`});`
318	`};`