Add api_scope target for IAM policy

2020-05-20 21:17:07 -05:00
parent faab948a6b
commit b526b8f24d
6 changed files with 72 additions and 11 deletions
--- a/app/models/iam/Policy.model.js
+++ b/app/models/iam/Policy.model.js
@@ -12,7 +12,7 @@ class PolicyModel extends Model {
            entity_type: String, // user | group
            entity_id: String,
            access_type: String, // allow | deny
-            target_type: { type: String, default: 'application' }, // application
+            target_type: { type: String, default: 'application' }, // application | api_scope
            target_id: String,
            active: { type: Boolean, default: true },
        }
@@ -44,6 +44,27 @@ class PolicyModel extends Model {
        return (await this.check_allow(entity_id, target_id)) && !(await this.check_deny(entity_id, target_id))
    }

+    static async check_user_denied(user, target_id) {
+        const groups = await user.groups()
+        const group_ids = groups.map(x => x.id)
+
+        const user_denials = await this.find({
+            entity_id: user.id,
+            target_id,
+            access_type: 'deny',
+            active: true,
+        })
+
+        const group_denials = await this.find({
+            entity_id: { $in: group_ids },
+            target_id,
+            access_type: 'deny',
+            active: true,
+        })
+
+        return user_denials.length > 0 || group_denials.length > 0
+    }
+
    static async check_user_access(user, target_id) {
        const groups = await user.groups()
        const group_ids = groups.map(x => x.id)
@@ -51,28 +72,28 @@ class PolicyModel extends Model {
        const user_approvals = await this.find({
            entity_id: user.id,
            target_id,
-            approval_type: 'allow',
+            access_type: 'allow',
            active: true,
        })

        const user_denials = await this.find({
            entity_id: user.id,
            target_id,
-            approval_type: 'deny',
+            access_type: 'deny',
            active: true,
        })

        const group_approvals = await this.find({
            entity_id: { $in: group_ids },
            target_id,
-            approval_type: 'allow',
+            access_type: 'allow',
            active: true,
        })

        const group_denials = await this.find({
            entity_id: { $in: group_ids },
            target_id,
-            approval_type: 'deny',
+            access_type: 'deny',
            active: true,
        })

@@ -109,6 +130,8 @@ class PolicyModel extends Model {
            const Application = this.models.get('Application')
            const app = await Application.findById(this.target_id)
            target_display = `Application: ${app.name}`
+        } else if ( this.target_type === 'api_scope' ) {
+            target_display = `API Scope: ${this.target_id}`
        }

        return {