From 13c33c70d495ea7b96886b934cd654c1252da4a6 Mon Sep 17 00:00:00 2001 From: bergatco <129839305+bergatco@users.noreply.github.com> Date: Thu, 17 Oct 2024 11:17:21 +0200 Subject: [PATCH] BC-7879 - Use OpenAPI client for authz call in tldraw-server (#5292) --- .../.openapi-generator-ignore | 1 - .../.openapi-generator/FILES | 1 - .../authorization-api-client/models/action.ts | 31 --- .../models/authorization-context-params.ts | 210 ++++++++++++++++-- .../authorization-api-client/models/index.ts | 1 - .../authorization-client.adapter.spec.ts | 25 ++- ...orization-error.loggable-exception.spec.ts | 6 +- ...ation-forbidden.loggable-exception.spec.ts | 4 +- .../src/infra/authorization-client/index.ts | 7 +- .../mapper/authorization-context.builder.ts | 20 +- .../api/dto/authorization-body.params.ts | 10 +- .../domain/rules/instance.rule.ts | 5 +- .../files-storage/files-storage.const.ts | 14 +- .../files-storage/uc/files-storage.uc.ts | 4 +- 14 files changed, 246 insertions(+), 93 deletions(-) delete mode 100644 apps/server/src/infra/authorization-client/authorization-api-client/models/action.ts diff --git a/apps/server/src/infra/authorization-client/authorization-api-client/.openapi-generator-ignore b/apps/server/src/infra/authorization-client/authorization-api-client/.openapi-generator-ignore index bbc533d699f..b10976372d8 100644 --- a/apps/server/src/infra/authorization-client/authorization-api-client/.openapi-generator-ignore +++ b/apps/server/src/infra/authorization-client/authorization-api-client/.openapi-generator-ignore @@ -31,7 +31,6 @@ git_push.sh models/* # list of allowed files in the "models" folder -!models/action.ts !models/authorization-body-params.ts !models/authorization-context-params.ts !models/authorized-reponse.ts diff --git a/apps/server/src/infra/authorization-client/authorization-api-client/.openapi-generator/FILES b/apps/server/src/infra/authorization-client/authorization-api-client/.openapi-generator/FILES index b0b81500e3f..3bee5e3e44d 100644 --- a/apps/server/src/infra/authorization-client/authorization-api-client/.openapi-generator/FILES +++ b/apps/server/src/infra/authorization-client/authorization-api-client/.openapi-generator/FILES @@ -4,7 +4,6 @@ base.ts common.ts configuration.ts index.ts -models/action.ts models/authorization-body-params.ts models/authorization-context-params.ts models/authorized-reponse.ts diff --git a/apps/server/src/infra/authorization-client/authorization-api-client/models/action.ts b/apps/server/src/infra/authorization-client/authorization-api-client/models/action.ts deleted file mode 100644 index c74334d322b..00000000000 --- a/apps/server/src/infra/authorization-client/authorization-api-client/models/action.ts +++ /dev/null @@ -1,31 +0,0 @@ -/* tslint:disable */ -/* eslint-disable */ -/** - * Schulcloud-Verbund-Software Server API - * This is v3 of Schulcloud-Verbund-Software Server. Checkout /docs for v1. - * - * The version of the OpenAPI document: 3.0 - * - * - * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). - * https://openapi-generator.tech - * Do not edit the class manually. - */ - - - -/** - * - * @export - * @enum {string} - */ - -export const Action = { - READ: 'read', - WRITE: 'write' -} as const; - -export type Action = typeof Action[keyof typeof Action]; - - - diff --git a/apps/server/src/infra/authorization-client/authorization-api-client/models/authorization-context-params.ts b/apps/server/src/infra/authorization-client/authorization-api-client/models/authorization-context-params.ts index 7ff5255cec6..32ce6a97e38 100644 --- a/apps/server/src/infra/authorization-client/authorization-api-client/models/authorization-context-params.ts +++ b/apps/server/src/infra/authorization-client/authorization-api-client/models/authorization-context-params.ts @@ -5,36 +5,206 @@ * This is v3 of Schulcloud-Verbund-Software Server. Checkout /docs for v1. * * The version of the OpenAPI document: 3.0 - * + * * * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). * https://openapi-generator.tech * Do not edit the class manually. */ -// May contain unused imports in some cases -// @ts-ignore -import type { Action } from './action'; -// May contain unused imports in some cases -// @ts-ignore -import type { Permission } from './permission'; + /** - * + * * @export * @interface AuthorizationContextParams */ export interface AuthorizationContextParams { - /** - * - * @type {Action} - * @memberof AuthorizationContextParams - */ - action: Action; - /** - * User permissions that are needed to execute the operation. - * @type {Array} - * @memberof AuthorizationContextParams - */ - requiredPermissions: Array; + /** + * Define for which action the operation should be performend. + * @type {string} + * @memberof AuthorizationContextParams + */ + 'action': AuthorizationContextParamsAction; + /** + * User permissions that are needed to execute the operation. + * @type {Array} + * @memberof AuthorizationContextParams + */ + 'requiredPermissions': Array; } + +export const AuthorizationContextParamsAction = { + READ: 'read', + WRITE: 'write' +} as const; + +export type AuthorizationContextParamsAction = typeof AuthorizationContextParamsAction[keyof typeof AuthorizationContextParamsAction]; +export const AuthorizationContextParamsRequiredPermissions = { + ACCOUNT_CREATE: 'ACCOUNT_CREATE', + ACCOUNT_DELETE: 'ACCOUNT_DELETE', + ACCOUNT_EDIT: 'ACCOUNT_EDIT', + ACCOUNT_VIEW: 'ACCOUNT_VIEW', + ADD_SCHOOL_MEMBERS: 'ADD_SCHOOL_MEMBERS', + ADMIN_EDIT: 'ADMIN_EDIT', + ADMIN_VIEW: 'ADMIN_VIEW', + BASE_VIEW: 'BASE_VIEW', + CALENDAR_CREATE: 'CALENDAR_CREATE', + CALENDAR_EDIT: 'CALENDAR_EDIT', + CALENDAR_VIEW: 'CALENDAR_VIEW', + CHANGE_TEAM_ROLES: 'CHANGE_TEAM_ROLES', + CLASS_CREATE: 'CLASS_CREATE', + CLASS_EDIT: 'CLASS_EDIT', + CLASS_FULL_ADMIN: 'CLASS_FULL_ADMIN', + CLASS_LIST: 'CLASS_LIST', + CLASS_REMOVE: 'CLASS_REMOVE', + CLASS_VIEW: 'CLASS_VIEW', + COMMENTS_CREATE: 'COMMENTS_CREATE', + COMMENTS_EDIT: 'COMMENTS_EDIT', + COMMENTS_VIEW: 'COMMENTS_VIEW', + CONTENT_NON_OER_VIEW: 'CONTENT_NON_OER_VIEW', + CONTENT_VIEW: 'CONTENT_VIEW', + CONTEXT_TOOL_ADMIN: 'CONTEXT_TOOL_ADMIN', + CONTEXT_TOOL_USER: 'CONTEXT_TOOL_USER', + COURSEGROUP_CREATE: 'COURSEGROUP_CREATE', + COURSEGROUP_EDIT: 'COURSEGROUP_EDIT', + COURSE_ADMINISTRATION: 'COURSE_ADMINISTRATION', + COURSE_CREATE: 'COURSE_CREATE', + COURSE_DELETE: 'COURSE_DELETE', + COURSE_EDIT: 'COURSE_EDIT', + COURSE_REMOVE: 'COURSE_REMOVE', + COURSE_VIEW: 'COURSE_VIEW', + CREATE_SUPPORT_JWT: 'CREATE_SUPPORT_JWT', + CREATE_TOPICS_AND_TASKS: 'CREATE_TOPICS_AND_TASKS', + DASHBOARD_VIEW: 'DASHBOARD_VIEW', + DATASOURCES_CREATE: 'DATASOURCES_CREATE', + DATASOURCES_DELETE: 'DATASOURCES_DELETE', + DATASOURCES_EDIT: 'DATASOURCES_EDIT', + DATASOURCES_RUN: 'DATASOURCES_RUN', + DATASOURCES_RUN_VIEW: 'DATASOURCES_RUN_VIEW', + DATASOURCES_VIEW: 'DATASOURCES_VIEW', + DEFAULT_FILE_PERMISSIONS: 'DEFAULT_FILE_PERMISSIONS', + DELETE_TEAM: 'DELETE_TEAM', + EDIT_ALL_FILES: 'EDIT_ALL_FILES', + ENTERTHECLOUD_START: 'ENTERTHECLOUD_START', + FEDERALSTATE_CREATE: 'FEDERALSTATE_CREATE', + FEDERALSTATE_EDIT: 'FEDERALSTATE_EDIT', + FEDERALSTATE_VIEW: 'FEDERALSTATE_VIEW', + FILESTORAGE_CREATE: 'FILESTORAGE_CREATE', + FILESTORAGE_EDIT: 'FILESTORAGE_EDIT', + FILESTORAGE_REMOVE: 'FILESTORAGE_REMOVE', + FILESTORAGE_VIEW: 'FILESTORAGE_VIEW', + FILE_CREATE: 'FILE_CREATE', + FILE_DELETE: 'FILE_DELETE', + FILE_MOVE: 'FILE_MOVE', + FOLDER_CREATE: 'FOLDER_CREATE', + FOLDER_DELETE: 'FOLDER_DELETE', + GROUP_LIST: 'GROUP_LIST', + GROUP_FULL_ADMIN: 'GROUP_FULL_ADMIN', + GROUP_VIEW: 'GROUP_VIEW', + HELPDESK_CREATE: 'HELPDESK_CREATE', + HELPDESK_EDIT: 'HELPDESK_EDIT', + HELPDESK_VIEW: 'HELPDESK_VIEW', + HOMEWORK_CREATE: 'HOMEWORK_CREATE', + HOMEWORK_EDIT: 'HOMEWORK_EDIT', + HOMEWORK_VIEW: 'HOMEWORK_VIEW', + IMPORT_USER_MIGRATE: 'IMPORT_USER_MIGRATE', + IMPORT_USER_UPDATE: 'IMPORT_USER_UPDATE', + IMPORT_USER_VIEW: 'IMPORT_USER_VIEW', + INSTANCE_VIEW: 'INSTANCE_VIEW', + INVITE_ADMINISTRATORS: 'INVITE_ADMINISTRATORS', + INVITE_EXPERTS: 'INVITE_EXPERTS', + JOIN_MEETING: 'JOIN_MEETING', + LEAVE_TEAM: 'LEAVE_TEAM', + LERNSTORE_VIEW: 'LERNSTORE_VIEW', + LESSONS_CREATE: 'LESSONS_CREATE', + LESSONS_VIEW: 'LESSONS_VIEW', + LINK_CREATE: 'LINK_CREATE', + NEWS_CREATE: 'NEWS_CREATE', + NEWS_EDIT: 'NEWS_EDIT', + NEWS_VIEW: 'NEWS_VIEW', + NEXTCLOUD_USER: 'NEXTCLOUD_USER', + NOTIFICATION_CREATE: 'NOTIFICATION_CREATE', + NOTIFICATION_EDIT: 'NOTIFICATION_EDIT', + NOTIFICATION_VIEW: 'NOTIFICATION_VIEW', + OAUTH_CLIENT_EDIT: 'OAUTH_CLIENT_EDIT', + OAUTH_CLIENT_VIEW: 'OAUTH_CLIENT_VIEW', + PASSWORD_EDIT: 'PASSWORD_EDIT', + PWRECOVERY_CREATE: 'PWRECOVERY_CREATE', + PWRECOVERY_EDIT: 'PWRECOVERY_EDIT', + PWRECOVERY_VIEW: 'PWRECOVERY_VIEW', + RELEASES_CREATE: 'RELEASES_CREATE', + RELEASES_EDIT: 'RELEASES_EDIT', + RELEASES_VIEW: 'RELEASES_VIEW', + REMOVE_MEMBERS: 'REMOVE_MEMBERS', + RENAME_TEAM: 'RENAME_TEAM', + REQUEST_CONSENTS: 'REQUEST_CONSENTS', + ROLE_CREATE: 'ROLE_CREATE', + ROLE_EDIT: 'ROLE_EDIT', + ROLE_VIEW: 'ROLE_VIEW', + SCHOOL_CHAT_MANAGE: 'SCHOOL_CHAT_MANAGE', + SCHOOL_CREATE: 'SCHOOL_CREATE', + SCHOOL_EDIT: 'SCHOOL_EDIT', + SCHOOL_EDIT_ALL: 'SCHOOL_EDIT_ALL', + SCHOOL_LOGO_MANAGE: 'SCHOOL_LOGO_MANAGE', + SCHOOL_NEWS_EDIT: 'SCHOOL_NEWS_EDIT', + SCHOOL_PERMISSION_CHANGE: 'SCHOOL_PERMISSION_CHANGE', + SCHOOL_PERMISSION_VIEW: 'SCHOOL_PERMISSION_VIEW', + SCHOOL_STUDENT_TEAM_MANAGE: 'SCHOOL_STUDENT_TEAM_MANAGE', + SCHOOL_SYSTEM_EDIT: 'SCHOOL_SYSTEM_EDIT', + SCHOOL_SYSTEM_VIEW: 'SCHOOL_SYSTEM_VIEW', + SCHOOL_TOOL_ADMIN: 'SCHOOL_TOOL_ADMIN', + SCOPE_PERMISSIONS_VIEW: 'SCOPE_PERMISSIONS_VIEW', + START_MEETING: 'START_MEETING', + STUDENT_CREATE: 'STUDENT_CREATE', + STUDENT_DELETE: 'STUDENT_DELETE', + STUDENT_EDIT: 'STUDENT_EDIT', + STUDENT_LIST: 'STUDENT_LIST', + STUDENT_SKIP_REGISTRATION: 'STUDENT_SKIP_REGISTRATION', + SUBMISSIONS_CREATE: 'SUBMISSIONS_CREATE', + SUBMISSIONS_EDIT: 'SUBMISSIONS_EDIT', + SUBMISSIONS_SCHOOL_VIEW: 'SUBMISSIONS_SCHOOL_VIEW', + SUBMISSIONS_VIEW: 'SUBMISSIONS_VIEW', + SYNC_START: 'SYNC_START', + SYSTEM_CREATE: 'SYSTEM_CREATE', + SYSTEM_EDIT: 'SYSTEM_EDIT', + SYSTEM_VIEW: 'SYSTEM_VIEW', + TASK_DASHBOARD_TEACHER_VIEW_V3: 'TASK_DASHBOARD_TEACHER_VIEW_V3', + TASK_DASHBOARD_VIEW_V3: 'TASK_DASHBOARD_VIEW_V3', + TEACHER_CREATE: 'TEACHER_CREATE', + TEACHER_DELETE: 'TEACHER_DELETE', + TEACHER_EDIT: 'TEACHER_EDIT', + TEACHER_LIST: 'TEACHER_LIST', + TEACHER_SKIP_REGISTRATION: 'TEACHER_SKIP_REGISTRATION', + TEAM_CREATE: 'TEAM_CREATE', + TOOL_CREATE_ETHERPAD: 'TOOL_CREATE_ETHERPAD', + TEAM_EDIT: 'TEAM_EDIT', + TEAM_INVITE_EXTERNAL: 'TEAM_INVITE_EXTERNAL', + TEAM_VIEW: 'TEAM_VIEW', + TOOL_ADMIN: 'TOOL_ADMIN', + TOOL_CREATE: 'TOOL_CREATE', + TOOL_EDIT: 'TOOL_EDIT', + TOOL_NEW_VIEW: 'TOOL_NEW_VIEW', + TOOL_VIEW: 'TOOL_VIEW', + TOPIC_CREATE: 'TOPIC_CREATE', + TOPIC_EDIT: 'TOPIC_EDIT', + TOPIC_VIEW: 'TOPIC_VIEW', + UPLOAD_FILES: 'UPLOAD_FILES', + USE_LIBREOFFICE: 'USE_LIBREOFFICE', + USE_ROCKETCHAT: 'USE_ROCKETCHAT', + USERGROUP_CREATE: 'USERGROUP_CREATE', + USERGROUP_EDIT: 'USERGROUP_EDIT', + USERGROUP_VIEW: 'USERGROUP_VIEW', + USER_CHANGE_OWN_NAME: 'USER_CHANGE_OWN_NAME', + USER_CREATE: 'USER_CREATE', + USER_LOGIN_MIGRATION_ADMIN: 'USER_LOGIN_MIGRATION_ADMIN', + USER_LOGIN_MIGRATION_ROLLBACK: 'USER_LOGIN_MIGRATION_ROLLBACK', + USER_LOGIN_MIGRATION_FORCE: 'USER_LOGIN_MIGRATION_FORCE', + USER_MIGRATE: 'USER_MIGRATE', + USER_UPDATE: 'USER_UPDATE', + YEARS_EDIT: 'YEARS_EDIT' +} as const; + +export type AuthorizationContextParamsRequiredPermissions = typeof AuthorizationContextParamsRequiredPermissions[keyof typeof AuthorizationContextParamsRequiredPermissions]; + + diff --git a/apps/server/src/infra/authorization-client/authorization-api-client/models/index.ts b/apps/server/src/infra/authorization-client/authorization-api-client/models/index.ts index 59dfc03282f..befef5df252 100644 --- a/apps/server/src/infra/authorization-client/authorization-api-client/models/index.ts +++ b/apps/server/src/infra/authorization-client/authorization-api-client/models/index.ts @@ -1,4 +1,3 @@ -export * from './action'; export * from './authorization-body-params'; export * from './authorization-context-params'; export * from './authorized-reponse'; diff --git a/apps/server/src/infra/authorization-client/authorization-client.adapter.spec.ts b/apps/server/src/infra/authorization-client/authorization-client.adapter.spec.ts index e2b68d63e56..c346b2960c7 100644 --- a/apps/server/src/infra/authorization-client/authorization-client.adapter.spec.ts +++ b/apps/server/src/infra/authorization-client/authorization-client.adapter.spec.ts @@ -4,16 +4,21 @@ import { Test, TestingModule } from '@nestjs/testing'; import { AxiosResponse } from 'axios'; import { Request } from 'express'; import { - Action, AuthorizationApi, + AuthorizationBodyParams, AuthorizationBodyParamsReferenceType, + AuthorizationContextParamsAction, + AuthorizationContextParamsRequiredPermissions, AuthorizedReponse, } from './authorization-api-client'; import { AuthorizationClientAdapter } from './authorization-client.adapter'; import { AuthorizationErrorLoggableException, AuthorizationForbiddenLoggableException } from './error'; const jwtToken = 'someJwtToken'; -const requiredPermissions = ['somePermissionA', 'somePermissionB']; +const requiredPermissions: Array = [ + AuthorizationContextParamsRequiredPermissions.ACCOUNT_CREATE, + AuthorizationContextParamsRequiredPermissions.ACCOUNT_DELETE, +]; describe(AuthorizationClientAdapter.name, () => { let module: TestingModule; @@ -58,9 +63,9 @@ describe(AuthorizationClientAdapter.name, () => { describe('checkPermissionsByReference', () => { describe('when authorizationReferenceControllerAuthorizeByReference resolves successful', () => { const setup = (props: { isAuthorized: boolean }) => { - const params = { + const params: AuthorizationBodyParams = { context: { - action: Action.READ, + action: AuthorizationContextParamsAction.READ, requiredPermissions, }, referenceType: AuthorizationBodyParamsReferenceType.COURSES, @@ -118,7 +123,7 @@ describe(AuthorizationClientAdapter.name, () => { const setup = () => { const params = { context: { - action: Action.READ, + action: AuthorizationContextParamsAction.READ, requiredPermissions, }, referenceType: AuthorizationBodyParamsReferenceType.COURSES, @@ -148,7 +153,7 @@ describe(AuthorizationClientAdapter.name, () => { const setup = () => { const params = { context: { - action: Action.READ, + action: AuthorizationContextParamsAction.READ, requiredPermissions, }, referenceType: AuthorizationBodyParamsReferenceType.COURSES, @@ -196,7 +201,7 @@ describe(AuthorizationClientAdapter.name, () => { const setup = () => { const params = { context: { - action: Action.READ, + action: AuthorizationContextParamsAction.READ, requiredPermissions, }, referenceType: AuthorizationBodyParamsReferenceType.COURSES, @@ -239,7 +244,7 @@ describe(AuthorizationClientAdapter.name, () => { const setup = () => { const params = { context: { - action: Action.READ, + action: AuthorizationContextParamsAction.READ, requiredPermissions, }, referenceType: AuthorizationBodyParamsReferenceType.COURSES, @@ -282,7 +287,7 @@ describe(AuthorizationClientAdapter.name, () => { const setup = () => { const params = { context: { - action: Action.READ, + action: AuthorizationContextParamsAction.READ, requiredPermissions, }, referenceType: AuthorizationBodyParamsReferenceType.COURSES, @@ -314,7 +319,7 @@ describe(AuthorizationClientAdapter.name, () => { const setup = () => { const params = { context: { - action: Action.READ, + action: AuthorizationContextParamsAction.READ, requiredPermissions, }, referenceType: AuthorizationBodyParamsReferenceType.COURSES, diff --git a/apps/server/src/infra/authorization-client/error/authorization-error.loggable-exception.spec.ts b/apps/server/src/infra/authorization-client/error/authorization-error.loggable-exception.spec.ts index 601cad990fc..41530094e87 100644 --- a/apps/server/src/infra/authorization-client/error/authorization-error.loggable-exception.spec.ts +++ b/apps/server/src/infra/authorization-client/error/authorization-error.loggable-exception.spec.ts @@ -1,4 +1,4 @@ -import { Action, AuthorizationBodyParamsReferenceType } from '../authorization-api-client'; +import { AuthorizationBodyParamsReferenceType, AuthorizationContextParamsAction } from '../authorization-api-client'; import { AuthorizationErrorLoggableException } from './authorization-error.loggable-exception'; describe('AuthorizationErrorLoggableException', () => { @@ -7,7 +7,7 @@ describe('AuthorizationErrorLoggableException', () => { const setup = () => { const params = { context: { - action: Action.READ, + action: AuthorizationContextParamsAction.READ, requiredPermissions: [], }, referenceType: AuthorizationBodyParamsReferenceType.COURSES, @@ -49,7 +49,7 @@ describe('AuthorizationErrorLoggableException', () => { const setup = () => { const params = { context: { - action: Action.READ, + action: AuthorizationContextParamsAction.READ, requiredPermissions: [], }, referenceType: AuthorizationBodyParamsReferenceType.COURSES, diff --git a/apps/server/src/infra/authorization-client/error/authorization-forbidden.loggable-exception.spec.ts b/apps/server/src/infra/authorization-client/error/authorization-forbidden.loggable-exception.spec.ts index 75b19806969..cf68e47dddd 100644 --- a/apps/server/src/infra/authorization-client/error/authorization-forbidden.loggable-exception.spec.ts +++ b/apps/server/src/infra/authorization-client/error/authorization-forbidden.loggable-exception.spec.ts @@ -1,12 +1,12 @@ +import { AuthorizationBodyParamsReferenceType, AuthorizationContextParamsAction } from '../authorization-api-client'; import { AuthorizationForbiddenLoggableException } from './authorization-forbidden.loggable-exception'; -import { Action, AuthorizationBodyParamsReferenceType } from '../authorization-api-client'; describe('AuthorizationForbiddenLoggableException', () => { describe('getLogMessage', () => { const setup = () => { const params = { context: { - action: Action.READ, + action: AuthorizationContextParamsAction.READ, requiredPermissions: [], }, referenceType: AuthorizationBodyParamsReferenceType.COURSES, diff --git a/apps/server/src/infra/authorization-client/index.ts b/apps/server/src/infra/authorization-client/index.ts index 3965174bf62..3ae4709e19f 100644 --- a/apps/server/src/infra/authorization-client/index.ts +++ b/apps/server/src/infra/authorization-client/index.ts @@ -1,4 +1,9 @@ -export { Action, AuthorizationBodyParamsReferenceType, AuthorizationContextParams } from './authorization-api-client'; +export { + AuthorizationBodyParamsReferenceType, + AuthorizationContextParams, + AuthorizationContextParamsAction, + AuthorizationContextParamsRequiredPermissions, +} from './authorization-api-client'; export { AuthorizationClientAdapter } from './authorization-client.adapter'; export { AuthorizationClientConfig, AuthorizationClientModule } from './authorization-client.module'; export { AuthorizationContextBuilder } from './mapper'; diff --git a/apps/server/src/infra/authorization-client/mapper/authorization-context.builder.ts b/apps/server/src/infra/authorization-client/mapper/authorization-context.builder.ts index 16b55a5564c..99432f001cc 100644 --- a/apps/server/src/infra/authorization-client/mapper/authorization-context.builder.ts +++ b/apps/server/src/infra/authorization-client/mapper/authorization-context.builder.ts @@ -1,22 +1,28 @@ -import { Permission } from '@shared/domain/interface'; -import { Action, AuthorizationContextParams } from '../authorization-api-client'; +import { + AuthorizationContextParams, + AuthorizationContextParamsAction, + AuthorizationContextParamsRequiredPermissions, +} from '../authorization-api-client'; export class AuthorizationContextBuilder { - static build(requiredPermissions: Array, action: Action): AuthorizationContextParams { + static build( + requiredPermissions: Array, + action: AuthorizationContextParamsAction + ): AuthorizationContextParams { return { action, requiredPermissions, }; } - static write(requiredPermissions: Permission[]): AuthorizationContextParams { - const context = this.build(requiredPermissions, Action.WRITE); + static write(requiredPermissions: AuthorizationContextParamsRequiredPermissions[]): AuthorizationContextParams { + const context = this.build(requiredPermissions, AuthorizationContextParamsAction.WRITE); return context; } - static read(requiredPermissions: Permission[]): AuthorizationContextParams { - const context = this.build(requiredPermissions, Action.READ); + static read(requiredPermissions: AuthorizationContextParamsRequiredPermissions[]): AuthorizationContextParams { + const context = this.build(requiredPermissions, AuthorizationContextParamsAction.READ); return context; } diff --git a/apps/server/src/modules/authorization/api/dto/authorization-body.params.ts b/apps/server/src/modules/authorization/api/dto/authorization-body.params.ts index c2e7b4656ff..474a3eeb865 100644 --- a/apps/server/src/modules/authorization/api/dto/authorization-body.params.ts +++ b/apps/server/src/modules/authorization/api/dto/authorization-body.params.ts @@ -1,5 +1,5 @@ -import { Permission } from '@shared/domain/interface'; import { ApiProperty } from '@nestjs/swagger'; +import { Permission } from '@shared/domain/interface'; import { Type } from 'class-transformer'; import { IsArray, IsEnum, IsMongoId, ValidateNested } from 'class-validator'; import { Action, AuthorizableReferenceType, AuthorizationContext } from '../../domain'; @@ -7,9 +7,9 @@ import { Action, AuthorizableReferenceType, AuthorizationContext } from '../../d class AuthorizationContextParams implements AuthorizationContext { @IsEnum(Action) @ApiProperty({ - description: 'Define for which action the operation should be performend.', + name: 'action', enum: Action, - enumName: 'Action', + description: 'Define for which action the operation should be performend.', example: Action.read, }) action!: Action; @@ -17,11 +17,11 @@ class AuthorizationContextParams implements AuthorizationContext { @IsArray() @IsEnum(Permission, { each: true }) @ApiProperty({ + name: 'requiredPermissions', enum: Permission, - enumName: 'Permission', isArray: true, description: 'User permissions that are needed to execute the operation.', - example: Permission.USER_UPDATE, + example: [Permission.USER_UPDATE], }) requiredPermissions!: Permission[]; } diff --git a/apps/server/src/modules/authorization/domain/rules/instance.rule.ts b/apps/server/src/modules/authorization/domain/rules/instance.rule.ts index 7389aca1023..c40fed63eac 100644 --- a/apps/server/src/modules/authorization/domain/rules/instance.rule.ts +++ b/apps/server/src/modules/authorization/domain/rules/instance.rule.ts @@ -2,9 +2,8 @@ import { Instance } from '@modules/instance'; import { Injectable } from '@nestjs/common'; import { User } from '@shared/domain/entity'; import { RoleName } from '@shared/domain/interface'; -import { Action } from '@infra/authorization-client'; import { AuthorizationHelper } from '../service/authorization.helper'; -import { AuthorizationContext, Rule } from '../type'; +import { Action, AuthorizationContext, Rule } from '../type'; @Injectable() export class InstanceRule implements Rule { @@ -20,7 +19,7 @@ export class InstanceRule implements Rule { const hasPermission = this.authorizationHelper.hasAllPermissions(user, context.requiredPermissions); // As temporary solution until the user with write access to instance added as group, we must check the role. - if (context.action === Action.WRITE) { + if (context.action === Action.write) { const hasRole = this.authorizationHelper.hasRole(user, RoleName.SUPERHERO); return hasPermission && hasRole; diff --git a/apps/server/src/modules/files-storage/files-storage.const.ts b/apps/server/src/modules/files-storage/files-storage.const.ts index 970f575b327..2d731aa02d8 100644 --- a/apps/server/src/modules/files-storage/files-storage.const.ts +++ b/apps/server/src/modules/files-storage/files-storage.const.ts @@ -1,5 +1,7 @@ -import { AuthorizationContextBuilder } from '@infra/authorization-client'; -import { Permission } from '@shared/domain/interface'; +import { + AuthorizationContextBuilder, + AuthorizationContextParamsRequiredPermissions, +} from '@infra/authorization-client'; export enum FilesStorageInternalActions { downloadBySecurityToken = '/file-security/download/:token', @@ -8,8 +10,8 @@ export enum FilesStorageInternalActions { export const API_VERSION_PATH = '/api/v3'; export const FileStorageAuthorizationContext = { - create: AuthorizationContextBuilder.write([Permission.FILESTORAGE_CREATE]), - read: AuthorizationContextBuilder.read([Permission.FILESTORAGE_VIEW]), - update: AuthorizationContextBuilder.write([Permission.FILESTORAGE_EDIT]), - delete: AuthorizationContextBuilder.write([Permission.FILESTORAGE_REMOVE]), + create: AuthorizationContextBuilder.write([AuthorizationContextParamsRequiredPermissions.FILESTORAGE_CREATE]), + read: AuthorizationContextBuilder.read([AuthorizationContextParamsRequiredPermissions.FILESTORAGE_VIEW]), + update: AuthorizationContextBuilder.write([AuthorizationContextParamsRequiredPermissions.FILESTORAGE_EDIT]), + delete: AuthorizationContextBuilder.write([AuthorizationContextParamsRequiredPermissions.FILESTORAGE_REMOVE]), }; diff --git a/apps/server/src/modules/files-storage/uc/files-storage.uc.ts b/apps/server/src/modules/files-storage/uc/files-storage.uc.ts index ac80e3d45a8..0ee2c516e63 100644 --- a/apps/server/src/modules/files-storage/uc/files-storage.uc.ts +++ b/apps/server/src/modules/files-storage/uc/files-storage.uc.ts @@ -3,11 +3,11 @@ import { AuthorizationClientAdapter, AuthorizationContextBuilder, AuthorizationContextParams, + AuthorizationContextParamsRequiredPermissions, } from '@infra/authorization-client'; import { EntityManager, RequestContext } from '@mikro-orm/core'; import { HttpService } from '@nestjs/axios'; import { Injectable, NotFoundException } from '@nestjs/common'; -import { Permission } from '@shared/domain/interface'; import { Counted, EntityId } from '@shared/domain/types'; import { DomainErrorHandler } from '@src/core'; import { LegacyLogger } from '@src/core/logger'; @@ -85,7 +85,7 @@ export class FilesStorageUC { await this.authorizationClientAdapter.checkPermissionsByReference( AuthorizationBodyParamsReferenceType.INSTANCES, storageLocationId, - AuthorizationContextBuilder.write([Permission.INSTANCE_VIEW]) + AuthorizationContextBuilder.write([AuthorizationContextParamsRequiredPermissions.INSTANCE_VIEW]) ); }