[RFC] Casl ownership specification #613

wants to merge 10 commits into
base: main
6 changes: 6 additions & 0 deletions .eslintrc.json
Expand Up @@ -27,6 +27,12 @@
{
"ignore": ["^@(trxn)/"]
}
],
"prefer-const": [
"error",
{
"destructuring": "all"
}
]
}
},
26 changes: 14 additions & 12 deletions examples/api-prisma/prisma/schema.prisma
Expand Up @@ -28,8 +28,8 @@ generator graphqlResolvers {
output = "../src/nestjs-resolvers"

// Path relative to the output directory
tsConfigFilePath = "../../tsconfig.app.json"
nestjsServicesImportPath = "./nestjs-services"
tsConfigFilePath = "../../tsconfig.app.json"
nestjsServicesImportPath = "./nestjs-services"
nestjsGraphqlDtosImportPath = "./nestjs-graphql-dtos"
}

Expand All @@ -43,24 +43,26 @@ generator nestjsServices {
//--------------------------------------------
// This part describe the project models
//--------------------------------------------

model User {
id Int @id @default(autoincrement())
email String @unique
name String?
role Role @relation(fields: [roleId], references: [id])
roleId Int
id Int @id @default(autoincrement())
email String @unique
password String
name String?
role Role @relation(fields: [roleId], references: [id])
roleId Int
}

model Role {
id Int @id @default(autoincrement())
name String
users User[]
id Int @id @default(autoincrement())
name String
users User[]
rights Right[]
}

model Right {
id Int @id @default(autoincrement())
name String @unique
id Int @id @default(autoincrement())
name String @unique
roles Role[]
}

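Review bot: The new `password String` column in the `model User` hunk will, as far as the generator config shown in the first hunk indicates, be handled by the `nestjs-graphql-dtos` / resolver generators like any other scalar, so the bcrypt hash is likely to become readable through the generated GraphQL `User` type unless the generator is explicitly told to omit it. Prisma has no field-level visibility, so either exclude the field in the DTO generator's configuration (if it offers one) or make sure every generated select strips it; I cannot tell from this hunk which path the library supports. At minimum add a warning on the field, `password String // bcrypt hash — must never be exposed via generated GraphQL DTOs`, so the next person regenerating the resolvers checks. The first hunk of this file appears to be whitespace realignment only.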
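--- a/examples/api-prisma/prisma/seed.ts
+++ b/examples/api-prisma/prisma/seed.ts
@@ -0,0 +1,31 @@
+import { PrismaClient } from '@prisma/client';
+import * as bcrypt from 'bcrypt';
+
+const prisma = new PrismaClient();
+
+async function seed() {
+await prisma.user.upsert({
+where: { email: '[email protected]' },
+update: {},
+create: {
+email: '[email protected]',
+name: 'Admin',
+password: bcrypt.hashSync('password', 10),
+role: {
+connectOrCreate: {
+where: {
+id: 1,
+},
+create: {
+id: 1,
+name: 'role 1',
+},
+},
+},
+},
+});
+}
+
+seed().catch((e) => {
+console.error(e);
+});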
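Review bot: The seed creates an account with a fixed, publicly visible credential (`password: bcrypt.hashSync('password', 10)`) tied to role id 1, and `upsert` with `update: {}` means a later run never rotates it; if this script is ever pointed at a shared or production database it leaves a known-password account behind. Take the secret from the environment and refuse to run without it: `const adminPassword = process.env.SEED_ADMIN_PASSWORD;` / `if (!adminPassword) throw new Error('SEED_ADMIN_PASSWORD is required');` / `password: bcrypt.hashSync(adminPassword, 10),`. The `.catch` at the end only logs, so a failed seed still exits 0 and the Prisma client is never disconnected; set `process.exitCode = 1` in the handler and add a `.finally(() => prisma.$disconnect())`.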
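--- a/examples/api-prisma/project.json
+++ b/examples/api-prisma/project.json
@@ -50,12 +50,12 @@
 "serve": {
 "configurations": {
 "production": {
-"buildTarget": "examples-api-prisma:build-custom:production"
+"buildTarget": "examples-api-prisma:build:production"
 }
 },
 "executor": "@nrwl/js:node",
 "options": {
-"buildTarget": "examples-api-prisma:build-custom"
+"buildTarget": "examples-api-prisma:build"
 }
 },
 "test": {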
34 changes: 33 additions & 1 deletion examples/api-prisma/src/app/modules/authentication.module.ts
@@ -1,17 +1,49 @@
import { AbilityBuilder } from '@casl/ability';
import { Module } from '@nestjs/common';
import { AuthenticationModule as TrxnAuthenticationModule } from '@trxn/nestjs-authentication';
import { APP_GUARD } from '@nestjs/core';

import {
AppAbility,
getSelectPrismaUserQuery,
UserWithOwnershipIds,
} from '../../casl';
import { UserModule } from './user.module';

import {
JwtGlobalAuthGuard,
AuthenticationModule as TrxnAuthenticationModule,
} from '@trxn/nestjs-authentication';
import { Action, CaslModule, PoliciesGuard } from '@trxn/nestjs-casl';

@Module({
imports: [
CaslModule.register({
getRoles: () => ['user'],
rolePermissions: {
user: (
ability: AbilityBuilder<AppAbility>,
user: UserWithOwnershipIds,
) => {
ability.can(Action.Read, 'User', { id: user.id });
ability.can(Action.Read, 'Role', { id: user.role.id });
ability.can(Action.Read, 'Right', {
id: { in: user.role.rights.map(({ id }) => id) },
});
},
},
}),
TrxnAuthenticationModule.register({
imports: [UserModule],
customSelect: getSelectPrismaUserQuery(),
jwtModuleOptions: {
secret: 'secret',
},
}),
],
exports: [TrxnAuthenticationModule],
providers: [
{ provide: APP_GUARD, useClass: JwtGlobalAuthGuard },
{ provide: APP_GUARD, useClass: PoliciesGuard },
],
})
export class AuthenticationModule {}
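Review bot: `getRoles: () => ['user']` in the new `CaslModule.register` call assigns the same static role to every principal, so the `Role` and `Right` tables this PR adds to the schema never influence what a caller is allowed to do; only the ownership conditions under `rolePermissions.user` differ per user. If `getRoles` receives the authenticated user (I cannot see its signature here), derive the roles from the persisted relation, e.g. `getRoles: (user: UserWithOwnershipIds) => [user.role.name],`, and key `rolePermissions` by the seeded role names, otherwise document that the example intentionally flattens everything to one role. Two points on the surrounding lines: the JWT `secret: 'secret'` is pre-existing context but should come from configuration before this example is copied, and the two `APP_GUARD` providers are order-sensitive — `JwtGlobalAuthGuard` must stay registered before `PoliciesGuard` so the user is populated when policies are evaluated; a comment saying so on the providers array would prevent a silent reorder.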
1 change: 1 addition & 0 deletions examples/api-prisma/src/app/modules/database.module.ts
@@ -1,4 +1,5 @@
import { Module } from '@nestjs/common';

import { DatabaseModule as TrxnDatabaseModule } from '@trxn/nestjs-database';

@Module({
22 changes: 17 additions & 5 deletions examples/api-prisma/src/app/modules/graphql.module.ts
Expand Up @@ -2,23 +2,35 @@ import { ApolloDriver, ApolloDriverConfig } from '@nestjs/apollo';
import { Module } from '@nestjs/common';
import { GraphQLModule as NestjsGraphQLModule } from '@nestjs/graphql';

import { GraphqlModule } from '../../nestjs-resolvers';
import { ModelsAuthorizationServicesModules } from '../../nestjs-authorization-services';
import { GraphqlAuthorizationModule } from '../../nestjs-graphql-resolvers-casl';
import { DatabaseModule } from './database.module';
import { NestjsServicesModule } from './services.module';

@Module({
imports: [
NestjsGraphQLModule.forRoot<ApolloDriverConfig>({
driver: ApolloDriver,
include: [GraphqlModule],
include: [GraphqlAuthorizationModule],
autoSchemaFile: 'schema.gql',
sortSchema: true,
debug: true,
playground: true,
}),
GraphqlModule.register({
imports: [NestjsServicesModule],
GraphqlAuthorizationModule.register({
imports: [
ModelsAuthorizationServicesModules.register({
imports: [DatabaseModule, NestjsServicesModule],
defaultOwnershipIndexes: {
User: { id: true, roleId: true },
Role: { id: true },
Right: { id: true },
},
}),
NestjsServicesModule,
],
}),
],
exports: [GraphqlModule],
exports: [GraphqlAuthorizationModule],
})
export class NestjsGraphqlModule {}
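Review bot: The new `defaultOwnershipIndexes` entry `User: { id: true, roleId: true }` lists `roleId` as an ownership key for `User`; if ownership is satisfied when any listed index matches the caller's ownership ids (which is how the name reads, though I cannot see the library's matching rule from this hunk), every user who shares a role becomes an "owner" of every other user in that role, and with the `password` hash column added to `User` in this PR that is a credential-disclosure path. Unless cross-user visibility by role is intended, restrict it to `User: { id: true },` and document the semantics in a comment on the option, e.g. `// an entity is "owned" when ANY listed field matches one of the caller's ownership ids — confirm before widening`. `debug: true` and `playground: true` are pre-existing context, but they should be gated on a non-production environment before this example is reused.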
3 changes: 2 additions & 1 deletion examples/api-prisma/src/app/modules/user.module.ts
@@ -1,8 +1,9 @@
import { Module } from '@nestjs/common';
import { UserModule as TrxnUserModule } from '@trxn/nestjs-user';

import { NestjsServicesModule } from './services.module';

import { UserModule as TrxnUserModule } from '@trxn/nestjs-user';

@Module({
imports: [
TrxnUserModule.register({
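--- a/examples/api-prisma/src/casl/can/can-action-right.ts
+++ b/examples/api-prisma/src/casl/can/can-action-right.ts
@@ -0,0 +1,67 @@
+import { AbilityBuilder } from '@casl/ability';
+
+import { AppAbility } from '../types/app-ability';
+import { UserWithOwnershipIds } from '../types/user-with-ownership-ids';
+
+import { Action } from '@trxn/nestjs-casl';
+
+export function getAllRightIds(user: UserWithOwnershipIds) {
+return user.role.rights.map((right) => right.id);
+}
+
+export function canReadRight(
+abilities: AbilityBuilder<AppAbility>,
+user: UserWithOwnershipIds,
+) {
+abilities.can(Action.Read, 'Right', { id: { in: getAllRightIds(user) } });
+}
+export function canSearchRight(
+abilities: AbilityBuilder<AppAbility>,
+user: UserWithOwnershipIds,
+) {
+abilities.can(Action.Search, 'Right', { id: { in: getAllRightIds(user) } });
+}
+export function canCountRight(
+abilities: AbilityBuilder<AppAbility>,
+user: UserWithOwnershipIds,
+) {
+abilities.can(Action.Count, 'Right', { id: { in: getAllRightIds(user) } });
+}
+
+export function canCreateRight(
+abilities: AbilityBuilder<AppAbility>,
+user: UserWithOwnershipIds,
+) {
+abilities.can(Action.Create, 'Right', { id: { in: getAllRightIds(user) } });
+}
+export function canUpdateRight(
+abilities: AbilityBuilder<AppAbility>,
+user: UserWithOwnershipIds,
+) {
+abilities.can(Action.Update, 'Right', { id: { in: getAllRightIds(user) } });
+}
+export function canDeleteRight(
+abilities: AbilityBuilder<AppAbility>,
+user: UserWithOwnershipIds,
+) {
+abilities.can(Action.Delete, 'Right', { id: { in: getAllRightIds(user) } });
+}
+
+export function canReadActionRight(
+abilities: AbilityBuilder<AppAbility>,
+user: UserWithOwnershipIds,
+) {
+canReadRight(abilities, user);
+canSearchRight(abilities, user);
+canCountRight(abilities, user);
+}
+export function canWriteActionRight(
+abilities: AbilityBuilder<AppAbility>,
+user: UserWithOwnershipIds,
+allowDelete = true,
+) {
+canCreateRight(abilities, user);
+canUpdateRight(abilities, user);
+
+if (allowDelete) canDeleteRight(abilities, user);
+}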
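Review bot: `canCreateRight` grants `Action.Create` with the condition `{ id: { in: getAllRightIds(user) } }`, i.e. the caller may only "create" a Right whose id is already among its role's rights; with an autoincrement id that can never be true for a genuinely new row, so the rule is either dead or, if the guard evaluates Create without a subject instance (CASL treats a subject-type check as "can if any rule exists" — confirm how `PoliciesGuard` calls it), effectively unconditional. Decide which is intended and state it: either drop the condition and document that creation is a role-level privilege, or comment `// Create is intentionally tied to existing right ids — effectively deny; see RFC` so nobody later "fixes" it into an unconditional grant. Separately, `canWriteActionRight(..., allowDelete = true)` makes the most destructive permission the default; a deny-by-default signature, `allowDelete = false,`, is the safer example to ship in a reference implementation.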
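--- a/examples/api-prisma/src/casl/can/can-action-role.ts
+++ b/examples/api-prisma/src/casl/can/can-action-role.ts
@@ -0,0 +1,67 @@
+import { AbilityBuilder } from '@casl/ability';
+
+import { AppAbility } from '../types/app-ability';
+import { UserWithOwnershipIds } from '../types/user-with-ownership-ids';
+
+import { Action } from '@trxn/nestjs-casl';
+
+export function getAllRoleIds(user: UserWithOwnershipIds) {
+return user.role.id;
+}
+
+export function canReadRole(
+abilities: AbilityBuilder<AppAbility>,
+user: UserWithOwnershipIds,
+) {
+abilities.can(Action.Read, 'Role', { id: { in: getAllRoleIds(user) } });
+}
+export function canSearchRole(
+abilities: AbilityBuilder<AppAbility>,
+user: UserWithOwnershipIds,
+) {
+abilities.can(Action.Search, 'Role', { id: { in: getAllRoleIds(user) } });
+}
+export function canCountRole(
+abilities: AbilityBuilder<AppAbility>,
+user: UserWithOwnershipIds,
+) {
+abilities.can(Action.Count, 'Role', { id: { in: getAllRoleIds(user) } });
+}
+
+export function canCreateRole(
+abilities: AbilityBuilder<AppAbility>,
+user: UserWithOwnershipIds,
+) {
+abilities.can(Action.Create, 'Role', { id: { in: getAllRoleIds(user) } });
+}
+export function canUpdateRole(
+abilities: AbilityBuilder<AppAbility>,
+user: UserWithOwnershipIds,
+) {
+abilities.can(Action.Update, 'Role', { id: { in: getAllRoleIds(user) } });
+}
+export function canDeleteRole(
+abilities: AbilityBuilder<AppAbility>,
+user: UserWithOwnershipIds,
+) {
+abilities.can(Action.Delete, 'Role', { id: { in: getAllRoleIds(user) } });
+}
+
+export function canReadActionRole(
+abilities: AbilityBuilder<AppAbility>,
+user: UserWithOwnershipIds,
+) {
+canReadRole(abilities, user);
+canSearchRole(abilities, user);
+canCountRole(abilities, user);
+}
+export function canWriteActionRole(
+abilities: AbilityBuilder<AppAbility>,
+user: UserWithOwnershipIds,
+allowDelete = true,
+) {
+canCreateRole(abilities, user);
+canUpdateRole(abilities, user);
+
+if (allowDelete) canDeleteRole(abilities, user);
+}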
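Review bot: `getAllRoleIds` returns the scalar `user.role.id`, but every caller in this file feeds it into an `$in`-style condition (`{ id: { in: getAllRoleIds(user) } }`), which expects an array; depending on how the condition compiler handles a non-array operand this either throws when the ability is built or silently matches nothing, so Role permissions for these users would be denied (or error) rather than scoped. Return the array the name promises, `return [user.role.id];`, and note on the function that `role` is a single required relation so the list always has exactly one element. The same `Action.Create`-conditioned-on-existing-ids pattern and the `allowDelete = true` default as in the sibling `can-action-right.ts` apply here too; keep the two files consistent once you decide how Create and Delete should behave.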