Add api_scope target for IAM policy

2020-05-20 21:17:07 -05:00
parent faab948a6b
commit b526b8f24d
6 changed files with 72 additions and 11 deletions
--- a/app/controllers/api/v1/IAM.controller.js
+++ b/app/controllers/api/v1/IAM.controller.js
@@ -2,7 +2,7 @@ const { Controller } = require('libflitter')

 class IAMController extends Controller {
    static get services() {
-        return [...super.services, 'models']
+        return [...super.services, 'models', 'canon']
    }

    async check_entity_access(req, res, next) {
@@ -111,7 +111,7 @@ class IAMController extends Controller {
                .message('Invalid access_type. Must be one of: allow, deny.')
                .api()

-        if ( !['application'].includes(req.body.target_type) )
+        if ( !['application', 'api_scope'].includes(req.body.target_type) )
            return res.status(400)
                .message('Invalid target_type. Must be one of: application.')
                .api()
@@ -124,6 +124,12 @@ class IAMController extends Controller {
                return res.status(400)
                    .message('Invalid target_id.')
                    .api()
+        } else if ( req.body.target_type === 'api_scope' ) {
+            const api_scopes = this.canon.get('controller::api:v1:Reflect.api_scopes')()
+            if ( !api_scopes.includes(req.body.target_id) )
+                return res.status(400)
+                    .message('Invalid target_id.')
+                    .api()
        }

        const policy = new Policy({
@@ -189,7 +195,7 @@ class IAMController extends Controller {
                .message('Invalid access_type. Must be one of: allow, deny.')
                .api()

-        if ( !['application'].includes(req.body.target_type) )
+        if ( !['application', 'api_scope'].includes(req.body.target_type) )
            return res.status(400)
                .message('Invalid target_type. Must be one of: application.')
                .api()
@@ -202,6 +208,12 @@ class IAMController extends Controller {
                return res.status(400)
                    .message('Invalid target_id.')
                    .api()
+        } else if ( req.body.target_type === 'api_scope' ) {
+            const api_scopes = this.canon.get('controller::api:v1:Reflect.api_scopes')()
+            if ( !api_scopes.includes(req.body.target_id) )
+                return res.status(400)
+                    .message('Invalid target_id.')
+                    .api()
        }

        policy.entity_type = req.body.entity_type
--- a/app/controllers/api/v1/Reflect.controller.js
+++ b/app/controllers/api/v1/Reflect.controller.js
@@ -130,7 +130,7 @@ class ReflectController extends Controller {
        return res.api()
    }

-    async get_scopes(req, res, next) {
+    api_scopes() {
        const routers = this.routers.canonical_items
        const scopes = []

@@ -158,6 +158,11 @@ class ReflectController extends Controller {
        }

        scopes.sort()
+        return scopes
+    }
+
+    async get_scopes(req, res, next) {
+        const scopes = this.api_scopes()
        return res.api(scopes.map(x => {
            return { scope: x }
        }))