Add ability to manage and grant IAM permissions as policy

2021-04-15 10:38:43 -05:00
parent 5645e8fae1
commit f2995899ec
10 changed files with 437 additions and 9 deletions
--- a/app/models/iam/Permission.model.js
+++ b/app/models/iam/Permission.model.js
@@ -0,0 +1,23 @@
+const { Model } = require('flitter-orm')
+
+class PermissionModel extends Model {
+    static get schema() {
+        return {
+            active: { type: Boolean, default: true },
+            target_type: String,
+            permission: String
+        }
+    }
+
+    async to_api() {
+        return {
+            _id: this.id,
+            id: this.id,
+            active: this.active,
+            target_type: this.target_type,
+            permission: this.permission,
+        }
+    }
+}
+
+module.exports = exports = PermissionModel
--- a/app/models/iam/Policy.model.js
+++ b/app/models/iam/Policy.model.js
@@ -15,36 +15,46 @@ class PolicyModel extends Model {
            target_type: { type: String, default: 'application' }, // application | api_scope | machine | machine_group
            target_id: String,
            active: { type: Boolean, default: true },
+            for_permission: { type: Boolean, default: false },
+            permission: String,
        }
    }

-    static async check_allow(entity_id, target_id) {
+    static async check_allow(entity_id, target_id, permission = undefined) {
        const policies = await this.find({
            entity_id,
            target_id,
            access_type: 'allow',
            active: true,
+            ...(permission ? {
+                for_permission: true,
+                permission,
+            } : {})
        })

        return policies.length > 0
    }

-    static async check_deny(entity_id, target_id) {
+    static async check_deny(entity_id, target_id, permission = undefined) {
        const policies = await this.find({
            entity_id,
            target_id,
            access_type: 'deny',
            active: true,
+            ...(permission ? {
+                for_permission: true,
+                permission,
+            } : {})
        })

        return policies.length === 0
    }

-    static async check_entity_access(entity_id, target_id) {
-        return (await this.check_allow(entity_id, target_id)) && !(await this.check_deny(entity_id, target_id))
+    static async check_entity_access(entity_id, target_id, permission = undefined) {
+        return (await this.check_allow(entity_id, target_id, permission)) && !(await this.check_deny(entity_id, target_id, permission))
    }

-    static async check_user_denied(user, target_id) {
+    static async check_user_denied(user, target_id, permission = undefined) {
        const groups = await user.groups()
        const group_ids = groups.map(x => x.id)

@@ -53,6 +63,10 @@ class PolicyModel extends Model {
            target_id,
            access_type: 'deny',
            active: true,
+            ...(permission ? {
+                for_permission: true,
+                permission,
+            } : {})
        })

        const group_denials = await this.find({
@@ -60,6 +74,10 @@ class PolicyModel extends Model {
            target_id,
            access_type: 'deny',
            active: true,
+            ...(permission ? {
+                for_permission: true,
+                permission,
+            } : {})
        })

        return user_denials.length > 0 || group_denials.length > 0
@@ -95,7 +113,7 @@ class PolicyModel extends Model {
        return all
    }

-    static async check_user_access(user, target_id) {
+    static async check_user_access(user, target_id, permission = undefined) {
        const groups = await user.groups()
        const group_ids = groups.map(x => x.id)
        const target_ids = await this.get_all_related(target_id)
@@ -105,6 +123,10 @@ class PolicyModel extends Model {
            target_id: { $in: target_ids },
            access_type: 'allow',
            active: true,
+            ...(permission ? {
+                for_permission: true,
+                permission,
+            } : {})
        })

        const user_denials = await this.find({
@@ -112,6 +134,10 @@ class PolicyModel extends Model {
            target_id: { $in: target_ids },
            access_type: 'deny',
            active: true,
+            ...(permission ? {
+                for_permission: true,
+                permission,
+            } : {})
        })

        const group_approvals = await this.find({
@@ -119,6 +145,10 @@ class PolicyModel extends Model {
            target_id: { $in: target_ids },
            access_type: 'allow',
            active: true,
+            ...(permission ? {
+                for_permission: true,
+                permission,
+            } : {})
        })

        const group_denials = await this.find({
@@ -126,6 +156,10 @@ class PolicyModel extends Model {
            target_id: { $in: target_ids },
            access_type: 'deny',
            active: true,
+            ...(permission ? {
+                for_permission: true,
+                permission,
+            } : {})
        })

        // IF user has explicit denial, deny
@@ -186,6 +220,8 @@ class PolicyModel extends Model {
            target_display,
            target_type: this.target_type,
            target_id: this.target_id,
+            for_permission: this.for_permission,
+            permission: this.permission,
        }
    }
 }