746 lines
23 KiB
TypeScript
746 lines
23 KiB
TypeScript
/*
|
|
ACL System inspired on Zend_ACL.
|
|
All functions accept strings, objects or arrays unless specified otherwise.
|
|
|
|
'*' is used to express 'all'
|
|
|
|
Database structure in Redis (using default prefix 'acl')
|
|
|
|
Users:
|
|
|
|
acl_roles_{userid} = set(roles)
|
|
|
|
Roles:
|
|
|
|
acl_roles = {roleNames} // Used to remove all the permissions associated to ONE resource.
|
|
|
|
acl_parents_{roleName} = set(parents)
|
|
acl_resources_{roleName} = set(resourceNames)
|
|
|
|
Permissions:
|
|
acl_allows_{resourceName}_{roleName} = set(permissions)
|
|
Note: user ids, role names and resource names are all case sensitive.
|
|
|
|
Roadmap:
|
|
- Add support for locking resources. If a user has roles that gives him permissions to lock
|
|
a resource, then he can get exclusive write operation on the locked resource.
|
|
This lock should expire if the resource has not been accessed in some time.
|
|
*/
|
|
import * as _ from 'lodash';
|
|
import * as bluebird from 'bluebird';
|
|
import { contract } from './contract';
|
|
import { ILogger, IAcl, IBucketsOption, IBackend, Action } from './interfaces';
|
|
import { Value, Values, strings, Callback, AnyCallback, AllowedCallback } from './interfaces';
|
|
contract.debug = true;
|
|
|
|
function makeArray(arr: any | Object): Array<any> {
|
|
return Array.isArray(arr) ? arr : [arr];
|
|
}
|
|
|
|
function allowsBucket(role: string): string {
|
|
return 'allows_' + role;
|
|
}
|
|
|
|
function keyFromAllowsBucket(str: string): string {
|
|
return str.replace(/^allows_/, '');
|
|
}
|
|
|
|
export class ACL implements IAcl {
|
|
logger: any;
|
|
backend: any;
|
|
options: any;
|
|
constructor(backend: IBackend<Action[]>, logger: ILogger | any, options?: any) {
|
|
const buckets: IBucketsOption = {
|
|
meta: 'meta',
|
|
parents: 'parents',
|
|
permissions: 'permissions',
|
|
resources: 'resources',
|
|
roles: 'roles',
|
|
users: 'users'
|
|
};
|
|
|
|
options = _.extend({
|
|
buckets: buckets
|
|
}, options);
|
|
|
|
this.logger = logger;
|
|
this.backend = backend;
|
|
this.options = options;
|
|
}
|
|
|
|
public allow(roles: Values, resources: strings, permissions: strings, cb?: Callback): Promise<void> {
|
|
contract(arguments)
|
|
.params('string|array', 'string|array', 'string|array', 'function')
|
|
.params('string|array', 'string|array', 'string|array')
|
|
.params('array', 'function')
|
|
.params('array')
|
|
.end();
|
|
|
|
if ((arguments.length === 1) || ((arguments.length === 2) && _.isObject(roles) && _.isFunction(resources))) {
|
|
return this._allowEx(roles).nodeify(resources);
|
|
} else {
|
|
let _this = this;
|
|
roles = makeArray(roles);
|
|
resources = makeArray(resources);
|
|
let backend = _this.backend;
|
|
let transaction = _this.backend.begin();
|
|
backend.add(transaction, _this.options.buckets.meta, 'roles', roles);
|
|
resources.forEach(function (resource) {
|
|
_.each(roles, (role) => {
|
|
backend.add(transaction, allowsBucket(resource), role, permissions);
|
|
});
|
|
});
|
|
roles.forEach(function (role) {
|
|
_this.backend.add(transaction, _this.options.buckets.resources, role, resources);
|
|
});
|
|
return backend.endAsync(transaction).nodeify(cb);
|
|
}
|
|
}
|
|
/* addUserRoles( userId, roles, function(err) )
|
|
* Adds roles to a given user id.
|
|
@param {String|Number} User id.
|
|
@param {String|Array} Role(s) to add to the user id.
|
|
@param {Function} Callback called when finished.
|
|
@return {Promise} Promise resolved when finished
|
|
*/
|
|
public addUserRoles(userId: Value, roles: strings, cb?: Callback): Promise<void> {
|
|
contract(arguments)
|
|
.params('string|number', 'string|array', 'function')
|
|
.params('string|number', 'string|array')
|
|
.end();
|
|
|
|
let transaction = this.backend.begin();
|
|
this.backend.add(transaction, this.options.buckets.meta, 'users', userId);
|
|
this.backend.add(transaction, this.options.buckets.users, userId, roles);
|
|
|
|
if (Array.isArray(roles)) {
|
|
let _this = this;
|
|
|
|
roles.forEach(function (role) {
|
|
_this.backend.add(transaction, _this.options.buckets.roles, role, userId);
|
|
});
|
|
}
|
|
else {
|
|
this.backend.add(transaction, this.options.buckets.roles, roles, userId);
|
|
}
|
|
|
|
return this.backend.endAsync(transaction).nodeify(cb);
|
|
}
|
|
/*
|
|
removeUserRoles( userId, roles, function(err) )
|
|
Remove roles from a given user.
|
|
@param {String|Number} User id.
|
|
@param {String|Array} Role(s) to remove to the user id.
|
|
@param {Function} Callback called when finished.
|
|
@return {Promise} Promise resolved when finished
|
|
*/
|
|
public removeUserRoles(userId: Value, roles: strings, cb?: Callback): Promise<void> {
|
|
contract(arguments)
|
|
.params('string|number', 'string|array', 'function')
|
|
.params('string|number', 'string|array')
|
|
.end();
|
|
|
|
let transaction = this.backend.begin();
|
|
this.backend.remove(transaction, this.options.buckets.users, userId, roles);
|
|
|
|
if (Array.isArray(roles)) {
|
|
let _this = this;
|
|
|
|
roles.forEach(function (role) {
|
|
_this.backend.remove(transaction, _this.options.buckets.roles, role, userId);
|
|
});
|
|
}
|
|
else {
|
|
this.backend.remove(transaction, this.options.buckets.roles, roles, userId);
|
|
}
|
|
|
|
return this.backend.endAsync(transaction).nodeify(cb);
|
|
}
|
|
/*
|
|
userRoles( userId, function(err, roles) )
|
|
Return all the roles from a given user.
|
|
|
|
@param {String|Number} User id.
|
|
@param {Function} Callback called when finished.
|
|
@return {Promise} Promise resolved with an array of user roles
|
|
*/
|
|
public userRoles(userId: Value, cb?: (err: Error, roles: string[]) => any): bluebird<string[]> {
|
|
return this.backend.getAsync(this.options.buckets.users, userId).nodeify(cb);
|
|
}
|
|
/*
|
|
roleUsers( roleName, function(err, users) )
|
|
Return all users who has a given role.
|
|
@param {String|Number} rolename.
|
|
@param {Function} Callback called when finished.
|
|
@return {Promise} Promise resolved with an array of users
|
|
*/
|
|
public roleUsers(role: Value, cb?: (err: Error, users: Values) => any): Promise<any> {
|
|
return this.backend.getAsync(this.options.buckets.roles, role).nodeify(cb);
|
|
}
|
|
/*
|
|
hasRole( userId, rolename, function(err, is_in_role) )
|
|
Return boolean whether user is in the role
|
|
@param {String|Number} User id.
|
|
@param {String|Number} rolename.
|
|
@param {Function} Callback called when finished.
|
|
@return {Promise} Promise resolved with boolean of whether user is in role
|
|
*/
|
|
public hasRole(userId: Value, role: string, cb?: (err: Error, isInRole: boolean) => any): bluebird<boolean> {
|
|
return this.userRoles(userId).then(function (roles) {
|
|
return roles.indexOf(role) !== -1;
|
|
}).nodeify(cb);
|
|
}
|
|
|
|
/*
|
|
addRoleParents( role, parents, function(err) )
|
|
Adds a parent or parent list to role.
|
|
@param {String} Child role.
|
|
@param {String|Array} Parent role(s) to be added.
|
|
@param {Function} Callback called when finished.
|
|
@return {Promise} Promise resolved when finished
|
|
*/
|
|
public addRoleParents(role: string, parents: Values, cb?: Callback): Promise<void> {
|
|
contract(arguments)
|
|
.params('string|number', 'string|array', 'function')
|
|
.params('string|number', 'string|array')
|
|
.end();
|
|
|
|
let transaction = this.backend.begin();
|
|
this.backend.add(transaction, this.options.buckets.meta, 'roles', role);
|
|
this.backend.add(transaction, this.options.buckets.parents, role, parents);
|
|
return this.backend.endAsync(transaction).nodeify(cb);
|
|
};
|
|
|
|
/*
|
|
removeRoleParents( role, parents, function(err) )
|
|
|
|
Removes a parent or parent list from role.
|
|
|
|
If `parents` is not specified, removes all parents.
|
|
|
|
@param {String} Child role.
|
|
@param {String|Array} Parent role(s) to be removed [optional].
|
|
@param {Function} Callback called when finished [optional].
|
|
@return {Promise} Promise resolved when finished.
|
|
*/
|
|
public removeRoleParents(role: any, parents: Function, cb: Function) {
|
|
contract(arguments)
|
|
.params('string', 'string|array', 'function')
|
|
.params('string', 'string|array')
|
|
.params('string', 'function')
|
|
.params('string')
|
|
.end();
|
|
|
|
if (!cb && _.isFunction(parents)) {
|
|
cb = parents;
|
|
parents = null;
|
|
}
|
|
|
|
let transaction = this.backend.begin();
|
|
if (parents) {
|
|
this.backend.remove(transaction, this.options.buckets.parents, role, parents);
|
|
} else {
|
|
this.backend.del(transaction, this.options.buckets.parents, role);
|
|
}
|
|
return this.backend.endAsync(transaction).nodeify(cb);
|
|
}
|
|
/*
|
|
removeRole( role, function(err) )
|
|
|
|
Removes a role from the system.
|
|
|
|
@param {String} Role to be removed
|
|
@param {Function} Callback called when finished.
|
|
*/
|
|
public removeRole(role: string, cb?: Callback): Promise<void> {
|
|
contract(arguments)
|
|
.params('string', 'function')
|
|
.params('string').end();
|
|
|
|
let _this = this;
|
|
// Note that this is not fully transactional.
|
|
return this.backend.getAsync(this.options.buckets.resources, role).then((resources) => {
|
|
let transaction = _this.backend.begin();
|
|
resources.forEach((resource) => {
|
|
let bucket = allowsBucket(resource);
|
|
_this.backend.del(transaction, bucket, role);
|
|
});
|
|
_this.backend.del(transaction, _this.options.buckets.resources, role);
|
|
_this.backend.del(transaction, _this.options.buckets.parents, role);
|
|
_this.backend.del(transaction, _this.options.buckets.roles, role);
|
|
_this.backend.remove(transaction, _this.options.buckets.meta, 'roles', role);
|
|
|
|
// `users` collection keeps the removed role
|
|
// because we don't know what users have `role` assigned.
|
|
return _this.backend.endAsync(transaction);
|
|
}).nodeify(cb);
|
|
};
|
|
/*
|
|
removeResource( resource, function(err) )
|
|
Removes a resource from the system
|
|
@param {String} Resource to be removed
|
|
@param {Function} Callback called when finished.
|
|
@return {Promise} Promise resolved when finished
|
|
*/
|
|
public removeResource(resource: string, cb?: Callback): Promise<void> {
|
|
contract(arguments)
|
|
.params('string', 'function')
|
|
.params('string')
|
|
.end();
|
|
|
|
let _this = this;
|
|
return this.backend.getAsync(this.options.buckets.meta, 'roles').then(function (roles: Array<String>) {
|
|
let transaction = _this.backend.begin();
|
|
_this.backend.del(transaction, allowsBucket(resource), roles);
|
|
roles.forEach((role) => {
|
|
_this.backend.remove(transaction, _this.options.buckets.resources, role, resource);
|
|
});
|
|
return _this.backend.endAsync(transaction);
|
|
}).nodeify(cb);
|
|
}
|
|
/*
|
|
allow( roles, resources, permissions, function(err) )
|
|
Adds the given permissions to the given roles over the given resources.
|
|
|
|
@param {String|Array} role(s) to add permissions to.
|
|
@param {String|Array} resource(s) to add permisisons to.
|
|
@param {String|Array} permission(s) to add to the roles over the resources.
|
|
@param {Function} Callback called when finished.
|
|
|
|
allow( permissionsArray, function(err) )
|
|
|
|
@param {Array} Array with objects expressing what permissions to give.
|
|
|
|
[{roles:{String|Array}, allows:[{resources:{String|Array}, permissions:{String|Array}]]
|
|
|
|
@param {Function} Callback called when finished.
|
|
@return {Promise} Promise resolved when finished
|
|
*/
|
|
public removeAllow(role: string, resources: strings, permissions: strings, cb?: Callback): Promise<void> {
|
|
contract(arguments)
|
|
.params('string', 'string|array', 'string|array', 'function')
|
|
.params('string', 'string|array', 'string|array')
|
|
.params('string', 'string|array', 'function')
|
|
.params('string', 'string|array')
|
|
.end();
|
|
|
|
resources = makeArray(resources);
|
|
if (cb || (permissions && !_.isFunction(permissions))) {
|
|
permissions = makeArray(permissions);
|
|
} else {
|
|
cb = (permissions as any);
|
|
permissions = null;
|
|
}
|
|
|
|
return this.removePermissions(role, resources, permissions, cb);
|
|
};
|
|
/*
|
|
removePermissions( role, resources, permissions)
|
|
Remove permissions from the given roles owned by the given role.
|
|
Note: we loose atomicity when removing empty role_resources.
|
|
@param {String}
|
|
@param {String|Array}
|
|
@param {String|Array}
|
|
*/
|
|
public removePermissions(role: string, resources: strings, permissions: strings, cb?: Function): Promise<void> {
|
|
let _this = this;
|
|
let transaction = _this.backend.begin();
|
|
_.each(resources, resource => {
|
|
let bucket = allowsBucket(resource);
|
|
if (permissions) {
|
|
_this.backend.remove(transaction, bucket, role, permissions);
|
|
} else {
|
|
_this.backend.del(transaction, bucket, role);
|
|
_this.backend.remove(transaction, _this.options.buckets.resources, role, resource);
|
|
}
|
|
});
|
|
|
|
// Remove resource from role if no rights for that role exists.
|
|
// Not fully atomic...
|
|
return _this.backend.endAsync(transaction).then(function () {
|
|
let transaction = _this.backend.begin();
|
|
return bluebird.all(_.map(resources, resource => {
|
|
let bucket = allowsBucket(resource);
|
|
return _this.backend.getAsync(bucket, role).then(function (permissions) {
|
|
if (permissions.length === 0) {
|
|
_this.backend.remove(transaction, _this.options.buckets.resources, role, resource);
|
|
}
|
|
});
|
|
})).then(function () {
|
|
return _this.backend.endAsync(transaction);
|
|
});
|
|
}).nodeify(cb);
|
|
};
|
|
/*
|
|
allowedPermissions( userId, resources, function(err, obj) )
|
|
Returns all the allowable permissions a given user have to
|
|
access the given resources.
|
|
It returns an array of objects where every object maps a
|
|
resource name to a list of permissions for that resource.
|
|
|
|
@param {String|Number} User id.
|
|
@param {String|Array} resource(s) to ask permissions for.
|
|
@param {Function} Callback called when finished.
|
|
*/
|
|
public allowedPermissions(userId: Value, resources: strings, cb?: AnyCallback): bluebird<any> {
|
|
if (!userId) {
|
|
return cb(null, {});
|
|
}
|
|
|
|
contract(arguments)
|
|
.params('string|number', 'string|array', 'function')
|
|
.params('string|number', 'string|array')
|
|
.end();
|
|
|
|
if (this.backend.unionsAsync) {
|
|
return this.optimizedAllowedPermissions(userId, resources, cb);
|
|
}
|
|
|
|
let _this = this;
|
|
resources = makeArray(resources);
|
|
return this.userRoles(userId).then(roles => {
|
|
let result = {};
|
|
|
|
return bluebird.all(_.map(resources, resource => {
|
|
return _this._resourcePermissions(roles, resource).then(function (permissions) {
|
|
result[resource] = permissions;
|
|
});
|
|
})).then(function () {
|
|
return result;
|
|
});
|
|
|
|
}).nodeify(cb);
|
|
}
|
|
/*
|
|
optimizedAllowedPermissions( userId, resources, function(err, obj) )
|
|
|
|
Returns all the allowable permissions a given user have to
|
|
access the given resources.
|
|
|
|
It returns a map of resource name to a list of permissions for that resource.
|
|
|
|
This is the same as allowedPermissions, it just takes advantage of the unions
|
|
function if available to reduce the number of backend queries.
|
|
|
|
@param {String|Number} User id.
|
|
@param {String|Array} resource(s) to ask permissions for.
|
|
@param {Function} Callback called when finished.
|
|
*/
|
|
public optimizedAllowedPermissions(userId, resources, cb) {
|
|
if (!userId) {
|
|
return cb(null, {});
|
|
}
|
|
|
|
contract(arguments)
|
|
.params('string|number', 'string|array', 'function|undefined')
|
|
.params('string|number', 'string|array')
|
|
.end();
|
|
|
|
resources = makeArray(resources);
|
|
let self = this;
|
|
|
|
return this._allUserRoles(userId).then(function (roles) {
|
|
let buckets = resources.map(allowsBucket);
|
|
if (roles.length === 0) {
|
|
let emptyResult = {};
|
|
buckets.forEach(function (bucket) {
|
|
emptyResult[bucket] = [];
|
|
});
|
|
return bluebird.resolve(emptyResult);
|
|
}
|
|
|
|
return self.backend.unionsAsync(buckets, roles);
|
|
}).then(function (response) {
|
|
let result = {};
|
|
Object.keys(response).forEach(function (bucket) {
|
|
result[keyFromAllowsBucket(bucket)] = response[bucket];
|
|
});
|
|
|
|
return result;
|
|
}).nodeify(cb);
|
|
}
|
|
/*
|
|
isAllowed( userId, resource, permissions, function(err, allowed) )
|
|
|
|
Checks if the given user is allowed to access the resource for the given
|
|
permissions (note: it must fulfill all the permissions).
|
|
|
|
@param {String|Number} User id.
|
|
@param {String|Array} resource(s) to ask permissions for.
|
|
@param {String|Array} asked permissions.
|
|
@param {Function} Callback called wish the result.
|
|
*/
|
|
public isAllowed(userId: Value, resource: strings, permissions: strings, cb?: AllowedCallback): Promise<boolean> {
|
|
contract(arguments)
|
|
.params('string|number', 'string', 'string|array', 'function')
|
|
.params('string|number', 'string', 'string|array')
|
|
.end();
|
|
|
|
let _this = this;
|
|
return this.backend.getAsync(this.options.buckets.users, userId).then(function (roles) {
|
|
if (roles.length) {
|
|
return _this.areAnyRolesAllowed(roles, resource, permissions);
|
|
} else {
|
|
return false;
|
|
}
|
|
}).nodeify(cb);
|
|
}
|
|
|
|
/*
|
|
areAnyRolesAllowed( roles, resource, permissions, function(err, allowed) )
|
|
|
|
Returns true if any of the given roles have the right permissions.
|
|
|
|
@param {String|Array} Role(s) to check the permissions for.
|
|
@param {String} resource(s) to ask permissions for.
|
|
@param {String|Array} asked permissions.
|
|
@param {Function} Callback called with the result.
|
|
*/
|
|
public areAnyRolesAllowed(roles: strings, resource: strings, permissions: strings, cb?: AllowedCallback): Promise<boolean> {
|
|
contract(arguments)
|
|
.params('string|array', 'string', 'string|array', 'function')
|
|
.params('string|array', 'string', 'string|array')
|
|
.end();
|
|
|
|
roles = makeArray(roles);
|
|
permissions = makeArray(permissions);
|
|
|
|
if (roles.length === 0) {
|
|
return (bluebird as any).resolve(false).nodeify(cb);
|
|
} else {
|
|
return this._checkPermissions(roles, resource, permissions).nodeify(cb);
|
|
}
|
|
}
|
|
/*
|
|
whatResources(role, function(err, {resourceName: [permissions]})
|
|
|
|
Returns what resources a given role or roles have permissions over.
|
|
|
|
whatResources(role, permissions, function(err, resources) )
|
|
|
|
Returns what resources a role has the given permissions over.
|
|
|
|
@param {String|Array} Roles
|
|
@param {String[Array} Permissions
|
|
@param {Function} Callback called wish the result.
|
|
*/
|
|
public whatResources(roles: strings, permissions: strings, cb?: AnyCallback): Promise<any> {
|
|
contract(arguments)
|
|
.params('string|array')
|
|
.params('string|array', 'string|array')
|
|
.params('string|array', 'function')
|
|
.params('string|array', 'string|array', 'function')
|
|
.end();
|
|
|
|
roles = makeArray(roles);
|
|
if (_.isFunction(permissions)) {
|
|
cb = (<any>permissions);
|
|
permissions = undefined;
|
|
} else if (permissions) {
|
|
permissions = makeArray(permissions);
|
|
}
|
|
|
|
return this.permittedResources(roles, permissions, cb);
|
|
}
|
|
|
|
public permittedResources(roles: strings, permissions: strings, cb?: Function): Promise<void> {
|
|
let _this = this;
|
|
let result: any = _.isUndefined(permissions) ? {} : [];
|
|
return this._rolesResources(roles).then(function (resources) {
|
|
return bluebird.all(resources.map(function (resource) {
|
|
return _this._resourcePermissions(roles, resource).then(function (p) {
|
|
if (permissions) {
|
|
let commonPermissions = _.intersection(permissions, p);
|
|
if (commonPermissions.length > 0) {
|
|
result.push(resource);
|
|
}
|
|
} else {
|
|
result[resource] = p;
|
|
}
|
|
});
|
|
})).then(function () {
|
|
return result;
|
|
});
|
|
}).nodeify(cb);
|
|
}
|
|
|
|
// -----------------------------------------------------------------------------
|
|
//
|
|
// Private methods
|
|
//
|
|
// -----------------------------------------------------------------------------
|
|
|
|
//
|
|
// Same as allow but accepts a more compact input.
|
|
//
|
|
private _allowEx(objs): any {
|
|
let _this = this;
|
|
objs = makeArray(objs);
|
|
|
|
let demuxed = [];
|
|
objs.forEach(function (obj) {
|
|
let roles = obj.roles;
|
|
obj.allows.forEach(function (allow) {
|
|
demuxed.push({
|
|
roles: roles,
|
|
resources: allow.resources,
|
|
permissions: allow.permissions
|
|
});
|
|
});
|
|
});
|
|
|
|
return bluebird.reduce(demuxed, function (values, obj) {
|
|
const roles: Values = obj.roles;
|
|
const resources: strings = obj.resources;
|
|
const permissions: strings = obj.permissions;
|
|
return _this.allow(roles, resources, permissions, null);
|
|
}, null);
|
|
}
|
|
|
|
//
|
|
// Returns the parents of the given roles
|
|
//
|
|
private _rolesParents(roles) {
|
|
return this.backend.unionAsync(this.options.buckets.parents, roles);
|
|
}
|
|
//
|
|
// Return all roles in the hierarchy including the given roles.
|
|
//
|
|
/*
|
|
Acl.prototype._allRoles = function(roleNames, cb){
|
|
var _this = this, roles;
|
|
|
|
_this._rolesParents(roleNames, function(err, parents){
|
|
roles = _.union(roleNames, parents);
|
|
async.whilst(
|
|
function (){
|
|
return parents.length >0;
|
|
},
|
|
function (cb) {
|
|
_this._rolesParents(parents, function(err, result){
|
|
if(!err){
|
|
roles = _.union(roles, parents);
|
|
parents = result;
|
|
}
|
|
cb(err);
|
|
});
|
|
},
|
|
function(err){
|
|
cb(err, roles);
|
|
}
|
|
);
|
|
});
|
|
};
|
|
*/
|
|
//
|
|
// Return all roles in the hierarchy including the given roles.
|
|
//
|
|
private _allRoles(roleNames) {
|
|
let _this = this;
|
|
|
|
return this._rolesParents(roleNames).then(function (parents) {
|
|
if (parents.length > 0) {
|
|
return _this._allRoles(parents).then(function (parentRoles) {
|
|
return _.union(roleNames, parentRoles);
|
|
});
|
|
} else {
|
|
return roleNames;
|
|
}
|
|
});
|
|
}
|
|
|
|
//
|
|
// Return all roles in the hierarchy of the given user.
|
|
//
|
|
private _allUserRoles(userId) {
|
|
let _this = this;
|
|
|
|
return this.userRoles(userId).then(function (roles) {
|
|
if (roles && roles.length > 0) {
|
|
return _this._allRoles(roles);
|
|
} else {
|
|
return [];
|
|
}
|
|
});
|
|
}
|
|
|
|
//
|
|
// Returns an array with resources for the given roles.
|
|
//
|
|
private _rolesResources(roles) {
|
|
let _this = this;
|
|
roles = makeArray(roles);
|
|
|
|
return this._allRoles(roles).then(function (allRoles) {
|
|
let result = [];
|
|
|
|
// check if bluebird.map simplifies this code
|
|
return bluebird.all(allRoles.map(function (role) {
|
|
return _this.backend.getAsync(_this.options.buckets.resources, role).then(function (resources) {
|
|
result = result.concat(resources);
|
|
});
|
|
})).then(function () {
|
|
return result;
|
|
});
|
|
});
|
|
}
|
|
|
|
//
|
|
// Returns the permissions for the given resource and set of roles
|
|
//
|
|
private _resourcePermissions(roles, resource): any {
|
|
let _this = this;
|
|
|
|
if (roles.length === 0) {
|
|
return bluebird.resolve([]);
|
|
} else {
|
|
return this.backend.unionAsync(allowsBucket(resource), roles).then(function (resourcePermissions) {
|
|
return _this._rolesParents(roles).then(function (parents) {
|
|
if (parents && parents.length) {
|
|
return _this._resourcePermissions(parents, resource).then(function (morePermissions) {
|
|
return _.union(resourcePermissions, morePermissions);
|
|
});
|
|
} else {
|
|
return resourcePermissions;
|
|
}
|
|
});
|
|
});
|
|
}
|
|
}
|
|
|
|
//
|
|
// NOTE: This function will not handle circular dependencies and result in a crash.
|
|
//
|
|
private _checkPermissions(roles, resource, permissions): any {
|
|
let _this = this;
|
|
return this.backend.unionAsync(allowsBucket(resource), roles).then(function (resourcePermissions) {
|
|
if (resourcePermissions.indexOf('*') !== -1) {
|
|
return true;
|
|
} else {
|
|
permissions = permissions.filter(function (p) {
|
|
return resourcePermissions.indexOf(p) === -1;
|
|
});
|
|
|
|
if (permissions.length === 0) {
|
|
return true;
|
|
} else {
|
|
return _this.backend.unionAsync(_this.options.buckets.parents, roles).then(function (parents) {
|
|
if (parents && parents.length) {
|
|
return _this._checkPermissions(parents, resource, permissions);
|
|
} else {
|
|
return false;
|
|
}
|
|
});
|
|
}
|
|
}
|
|
});
|
|
}
|
|
|
|
};
|
|
|
|
// -----------------------------------------------------------------------------
|
|
//
|
|
// Helpers
|
|
//
|
|
// -----------------------------------------------------------------------------
|