Kristaps Fabians Geikins
165 lines
5.3 KiB
TypeScript
165 lines
5.3 KiB
TypeScript
import type { GetStream } from '@/modules/core/domain/streams/operations'
|
|
import {
|
|
isResourceAllowed,
|
|
RoleResourceTargets,
|
|
roleResourceTypeToTokenResourceType
|
|
} from '@/modules/core/helpers/token'
|
|
import { ProjectRecordVisibility } from '@/modules/core/helpers/types'
|
|
import type {
|
|
AuthorizeResolver,
|
|
GetUserAclRole,
|
|
GetUserServerRole,
|
|
ValidateScopes
|
|
} from '@/modules/shared/domain/operations'
|
|
import type { GetRoles } from '@/modules/shared/domain/rolesAndScopes/operations'
|
|
import { ForbiddenError } from '@/modules/shared/errors'
|
|
import type { adminOverrideEnabled } from '@/modules/shared/helpers/envHelper'
|
|
import type { EventBusEmit } from '@/modules/shared/services/eventBus'
|
|
import { WorkspaceEvents } from '@/modules/workspacesCore/domain/events'
|
|
import type { GetWorkspaceRoleAndSeat } from '@/modules/workspacesCore/domain/operations'
|
|
import { isNullOrUndefined, Roles } from '@speckle/shared'
|
|
import { OperationTypeNode } from 'graphql'
|
|
|
|
/**
|
|
* Validates the scope against a list of scopes of the current session.
|
|
*/
|
|
export const validateScopesFactory = (): ValidateScopes => async (scopes, scope) => {
|
|
const errMsg = `Your auth token does not have the required scope${
|
|
scope?.length ? ': ' + scope + '.' : '.'
|
|
}`
|
|
|
|
if (!scopes) throw new ForbiddenError(errMsg, { info: { scope } })
|
|
if (scopes.indexOf(scope) === -1 && scopes.indexOf('*') === -1)
|
|
throw new ForbiddenError(errMsg, { info: { scope } })
|
|
}
|
|
|
|
const workspaceRoleImplicitProjectRoleMap = (
|
|
projectVisibility: ProjectRecordVisibility | null
|
|
) => {
|
|
const isFullyPrivate = projectVisibility === ProjectRecordVisibility.Private
|
|
|
|
return <const>{
|
|
[Roles.Workspace.Admin]: Roles.Stream.Owner,
|
|
[Roles.Workspace.Member]: isFullyPrivate ? null : Roles.Stream.Reviewer,
|
|
[Roles.Workspace.Guest]: null
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Checks the userId against the resource's acl.
|
|
*/
|
|
export const authorizeResolverFactory =
|
|
(deps: {
|
|
getRoles: GetRoles
|
|
adminOverrideEnabled: typeof adminOverrideEnabled
|
|
getUserServerRole: GetUserServerRole
|
|
getStream: GetStream
|
|
getUserAclRole: GetUserAclRole
|
|
getWorkspaceRoleAndSeat: GetWorkspaceRoleAndSeat
|
|
emitWorkspaceEvent: EventBusEmit
|
|
}): AuthorizeResolver =>
|
|
async (userId, resourceId, requiredRole, userResourceAccessLimits, operationType) => {
|
|
userId = userId || null
|
|
const roles = await deps.getRoles()
|
|
|
|
// TODO: Cache these results with a TTL of 1 mins or so, it's pointless to query the db every time we get a ping.
|
|
|
|
const role = roles.find((r) => r.name === requiredRole)
|
|
if (!role) throw new ForbiddenError('Unknown role: ' + requiredRole)
|
|
|
|
const resourceRuleType = roleResourceTypeToTokenResourceType(role.resourceTarget)
|
|
const isResourceLimited =
|
|
resourceRuleType &&
|
|
!isResourceAllowed({
|
|
resourceId,
|
|
resourceType: resourceRuleType,
|
|
resourceAccessRules: userResourceAccessLimits
|
|
})
|
|
if (isResourceLimited) {
|
|
throw new ForbiddenError('You are not authorized to access this resource.')
|
|
}
|
|
|
|
if (
|
|
deps.adminOverrideEnabled() &&
|
|
userId &&
|
|
(!operationType || operationType === OperationTypeNode.QUERY)
|
|
) {
|
|
const serverRole = await deps.getUserServerRole({ userId })
|
|
if (serverRole === Roles.Server.Admin) return
|
|
}
|
|
|
|
let targetWorkspaceId: string | null = null
|
|
let streamVisibility: ProjectRecordVisibility | null = null
|
|
|
|
if (role.resourceTarget === RoleResourceTargets.Streams) {
|
|
const stream = await deps.getStream({
|
|
userId: userId || undefined,
|
|
streamId: resourceId
|
|
})
|
|
|
|
if (!stream) {
|
|
throw new ForbiddenError(
|
|
`Resource of type ${role.resourceTarget} with ${resourceId} not found`
|
|
)
|
|
}
|
|
|
|
targetWorkspaceId = stream.workspaceId
|
|
streamVisibility = stream.visibility
|
|
|
|
const isPublic = streamVisibility === ProjectRecordVisibility.Public
|
|
if (isPublic && role.weight < 200) return
|
|
}
|
|
|
|
if (role.resourceTarget === RoleResourceTargets.Workspaces) {
|
|
targetWorkspaceId = resourceId
|
|
}
|
|
|
|
let userAclRole = userId
|
|
? await deps.getUserAclRole({
|
|
aclTableName: role.aclTableName,
|
|
userId,
|
|
resourceId
|
|
})
|
|
: null
|
|
|
|
if (!userAclRole) {
|
|
// Implicit workspace project access
|
|
if (
|
|
role.resourceTarget === RoleResourceTargets.Streams &&
|
|
targetWorkspaceId &&
|
|
userId
|
|
) {
|
|
const workspaceRoleAndSeat = await deps.getWorkspaceRoleAndSeat({
|
|
workspaceId: targetWorkspaceId,
|
|
userId
|
|
})
|
|
const implicitStreamRole =
|
|
workspaceRoleAndSeat?.role.role &&
|
|
workspaceRoleImplicitProjectRoleMap(streamVisibility)[
|
|
workspaceRoleAndSeat.role.role
|
|
]
|
|
userAclRole = implicitStreamRole
|
|
}
|
|
|
|
if (!userAclRole) {
|
|
throw new ForbiddenError('You are not authorized to access this resource.')
|
|
}
|
|
}
|
|
|
|
const fullRole = roles.find((r) => r.name === userAclRole)
|
|
|
|
if (fullRole && fullRole.weight < role.weight) {
|
|
throw new ForbiddenError('You are not authorized.')
|
|
}
|
|
|
|
if (!isNullOrUndefined(targetWorkspaceId)) {
|
|
await deps.emitWorkspaceEvent({
|
|
eventName: WorkspaceEvents.Authorizing,
|
|
payload: {
|
|
workspaceId: targetWorkspaceId,
|
|
userId
|
|
}
|
|
})
|
|
}
|
|
}
|