huanld/speckle-server
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
d10fd393df82dfd49411d63edc0fb028dbeb7ae4
speckle-server/packages/server/modules/shared/index.js
T
Chuck Driesler 6eaf3c8c92 feat(workspaces): cru(d) resolvers (#2521) 
* feat(workspaces): drop createdByUserId from the dataschema

* feat(workspaces): repositories WIP

* merge

* protect against removing last admin in workspace

* quick impl and stub tests

* add tests

* services

* unit tests for role services

* feat(workspaces): authorize project creation if workspace specified

* feat(workspaces): emit project created event

* feat(workspaces): assign roles on project create in workspace

* feat(workspaces): update project roles when user added to workspace

* feat(workspaces): stencil gql resolvers

* fix(workspaces): lol lmao

* fix(workspaces): perform automatic project role update in service function

* fix(workspaces): also delete roles

* fix(workspaces): broke tests again oops

* fix(workspaces): update `onProjectCreated` listener to use new repo method

* fix(workspaces): use service function in event listener

* fix(workspaces): get workspace projects via existing stream repo functions

* fix(workspaces): roles mapping in domain, use enum

* feat(workspaces): stencil gql api and resolvers

* fix(workspaces): repair type reference in tests

* fix(workspaces): consolidate files, use different existing stream-getter

* fix(workspaces): more specific error

* fix(workspaces): roles and scopes

* fix(workspaces): yield per page

* fix(workspaces): some test dry

* fix(workspaces): superdry

* fix(workspaces): add scopes

* fix(workspaces): classic

* feat(workspaces): create workspace mutation

* feat(workspaces): I'm sure everything will be fine

* fix(workspaces): yep

* fix(workspaces): successful gql e2e test

* feat(workspaces): update workspace resolver

* chore(workspaces): update resolver test

* feat(workspaces): some retrieval resolvers

* chore(workspaces): tests for query resolvers

* fix(chore): revert temp test command change

* fix(workspaces): test structure and gql types

* fix(workspaces): validate user authz to perform some operations

* fix(workspaces): use existing test infrastructure

* fix(workspaces): stop `isPublic` check if authorizing a workspace resource

* fix(workspaces): better test hygiene

---------

Co-authored-by: Gergő Jedlicska <gergo@jedlicska.com>
2024-07-25 12:58:28 +01:00

140 lines
4.0 KiB
JavaScript
Raw Blame History

'use strict'
const knex = require(`@/db/knex`)
const { ForbiddenError } = require('apollo-server-express')
const {
pubsub,
StreamSubscriptions,
CommitSubscriptions,
BranchSubscriptions
} = require('@/modules/shared/utils/subscriptions')
const { Roles } = require('@speckle/shared')
const { adminOverrideEnabled } = require('@/modules/shared/helpers/envHelper')
const { ServerAcl: ServerAclSchema } = require('@/modules/core/dbSchema')
const { getRolesFactory } = require('@/modules/shared/repositories/roles')
const {
roleResourceTypeToTokenResourceType,
isResourceAllowed
} = require('@/modules/core/helpers/token')
const db = require('@/db/knex')
const ServerAcl = () => ServerAclSchema.knex()
/**
* Validates the scope against a list of scopes of the current session.
* @param {string[]|undefined} scopes
* @param {string} scope
* @return {void}
*/
async function validateScopes(scopes, scope) {
const errMsg = `Your auth token does not have the required scope${
scope?.length ? ': ' + scope + '.' : '.'
}`
if (!scopes) throw new ForbiddenError(errMsg, { scope })
if (scopes.indexOf(scope) === -1 && scopes.indexOf('*') === -1)
throw new ForbiddenError(errMsg, { scope })
}
const getUserAclEntry = async ({ aclTableName, userId, resourceId }) => {
if (!userId) {
return null
}
const query = { userId }
// Different acl tables have different names for the resource id column
switch (aclTableName) {
case 'server_acl': {
// No mutation necessary
break
}
case 'stream_acl': {
query.resourceId = resourceId
break
}
case 'workspace_acl': {
query.workspaceId = resourceId
break
}
}
return await knex(aclTableName).select('*').where(query).first()
}
/**
* Checks the userId against the resource's acl.
* @param {string | null | undefined} userId
* @param {string} resourceId
* @param {string} requiredRole
* @param {import('@/modules/core/domain/tokens/types').TokenResourceIdentifier[] | undefined | null} [userResourceAccessLimits]
*/
async function authorizeResolver(
userId,
resourceId,
requiredRole,
userResourceAccessLimits
) {
userId = userId || null
const roles = await getRolesFactory({ db })()
// TODO: Cache these results with a TTL of 1 mins or so, it's pointless to query the db every time we get a ping.
const role = roles.find((r) => r.name === requiredRole)
if (!role) throw new ForbiddenError('Unknown role: ' + requiredRole)
const resourceRuleType = roleResourceTypeToTokenResourceType(role.resourceTarget)
const isResourceLimited =
resourceRuleType &&
!isResourceAllowed({
resourceId,
resourceType: resourceRuleType,
resourceAccessRules: userResourceAccessLimits
})
if (isResourceLimited) {
throw new ForbiddenError('You are not authorized to access this resource.')
}
if (adminOverrideEnabled()) {
const serverRoles = await ServerAcl().select('role').where({ userId })
if (serverRoles.map((r) => r.role).includes(Roles.Server.Admin)) return requiredRole
}
try {
if (role.resourceTarget !== 'workspace') {
const { isPublic } = await knex(role.resourceTarget)
.select('isPublic')
.where({ id: resourceId })
.first()
if (isPublic && role.weight < 200) return true
}
} catch {
throw new ForbiddenError(
`Resource of type ${role.resourceTarget} with ${resourceId} not found`
)
}
const userAclEntry = await getUserAclEntry({
aclTableName: role.aclTableName,
userId,
resourceId
})
if (!userAclEntry) {
throw new ForbiddenError('You are not authorized to access this resource.')
}
userAclEntry.role = roles.find((r) => r.name === userAclEntry.role)
if (userAclEntry.role.weight >= role.weight) return userAclEntry.role.name
throw new ForbiddenError('You are not authorized.')
}
module.exports = {
validateScopes,
authorizeResolver,
pubsub,
StreamPubsubEvents: StreamSubscriptions,
CommitPubsubEvents: CommitSubscriptions,
BranchPubsubEvents: BranchSubscriptions
}
Reference in New Issue View Git Blame Copy Permalink