|
|
|
@ -12,7 +12,7 @@ class PolicyModel extends Model {
|
|
|
|
|
entity_type: String, // user | group
|
|
|
|
|
entity_id: String,
|
|
|
|
|
access_type: String, // allow | deny
|
|
|
|
|
target_type: { type: String, default: 'application' }, // application
|
|
|
|
|
target_type: { type: String, default: 'application' }, // application | api_scope
|
|
|
|
|
target_id: String,
|
|
|
|
|
active: { type: Boolean, default: true },
|
|
|
|
|
}
|
|
|
|
@ -44,6 +44,27 @@ class PolicyModel extends Model {
|
|
|
|
|
return (await this.check_allow(entity_id, target_id)) && !(await this.check_deny(entity_id, target_id))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static async check_user_denied(user, target_id) {
|
|
|
|
|
const groups = await user.groups()
|
|
|
|
|
const group_ids = groups.map(x => x.id)
|
|
|
|
|
|
|
|
|
|
const user_denials = await this.find({
|
|
|
|
|
entity_id: user.id,
|
|
|
|
|
target_id,
|
|
|
|
|
access_type: 'deny',
|
|
|
|
|
active: true,
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
const group_denials = await this.find({
|
|
|
|
|
entity_id: { $in: group_ids },
|
|
|
|
|
target_id,
|
|
|
|
|
access_type: 'deny',
|
|
|
|
|
active: true,
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
return user_denials.length > 0 || group_denials.length > 0
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static async check_user_access(user, target_id) {
|
|
|
|
|
const groups = await user.groups()
|
|
|
|
|
const group_ids = groups.map(x => x.id)
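Review bot: The two `find` filters in `check_user_denied` match on `entity_id`, `target_id`, `access_type` and `active` only, so nothing ties a record to its `entity_type` or `target_type`. With `api_scope` now a second target type whose `target_id` looks like a scope name rather than an application id (judging from the display code later in this diff), a policy written for one kind of target could decide a check meant for the other if the identifiers ever coincide, and likewise for a user id and a group id. I would take the type as a parameter, `static async check_user_denied(user, target_id, target_type = 'application')`, and add `entity_type: 'user', target_type,` to the user filter and `entity_type: 'group', target_type,` to the group filter. The four queries in `check_user_access` in the next hunk have the same shape and need the same constraint; that method's body ends outside the visible hunks. A short doc comment saying that the method returns true when any active deny record exists for the user or one of their groups, and that false does not by itself mean access is allowed, would help callers.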
|
|
|
|
@ -51,28 +72,28 @@ class PolicyModel extends Model {
|
|
|
|
|
const user_approvals = await this.find({
|
|
|
|
|
entity_id: user.id,
|
|
|
|
|
target_id,
|
|
|
|
|
approval_type: 'allow',
|
|
|
|
|
access_type: 'allow',
|
|
|
|
|
active: true,
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
const user_denials = await this.find({
|
|
|
|
|
entity_id: user.id,
|
|
|
|
|
target_id,
|
|
|
|
|
approval_type: 'deny',
|
|
|
|
|
access_type: 'deny',
|
|
|
|
|
active: true,
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
const group_approvals = await this.find({
|
|
|
|
|
entity_id: { $in: group_ids },
|
|
|
|
|
target_id,
|
|
|
|
|
approval_type: 'allow',
|
|
|
|
|
access_type: 'allow',
|
|
|
|
|
active: true,
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
const group_denials = await this.find({
|
|
|
|
|
entity_id: { $in: group_ids },
|
|
|
|
|
target_id,
|
|
|
|
|
approval_type: 'deny',
|
|
|
|
|
access_type: 'deny',
|
|
|
|
|
active: true,
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
@ -109,6 +130,8 @@ class PolicyModel extends Model {
|
|
|
|
|
const Application = this.models.get('Application')
|
|
|
|
|
const app = await Application.findById(this.target_id)
|
|
|
|
|
target_display = `Application: ${app.name}`
|
|
|
|
|
} else if ( this.target_type === 'api_scope' ) {
|
|
|
|
|
target_display = `API Scope: ${this.target_id}`
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return {
|
|
|
|
|