Mirrors/unleash.unleash
1
0
Fork 0
mirror of https://github.com/Unleash/unleash.git synced 2024-10-18 20:09:08 +02:00
Code Issues Projects Releases Wiki Activity
24b057ab6d
unleash.unleash/src/lib/middleware/rbac-middleware.ts

89 lines
3.1 KiB
TypeScript
Raw Normal View History

feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles.
2021-03-11 22:51:58 +01:00
/* eslint-disable @typescript-eslint/explicit-module-boundary-types */
import {
CREATE_FEATURE,
UPDATE_FEATURE,
DELETE_FEATURE,
ADMIN,
fix: move permission to types
2021-05-02 20:58:02 +02:00
} from '../types/permissions';
Feat/options need types (#794) feat: options are now typed - This makes it easier to know what to send to unleash.start / unleash.create - Using a Partial to instantiate the config, then melding it with defaults to get a config object with all fields set either to their defaults or to whatever is passed in. Co-authored-by: Fredrik Strand Oseberg <fredrik.no@gmail.com> Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com>
2021-04-22 10:07:10 +02:00
import { IUnleashConfig } from '../types/option';
import { IUnleashStores } from '../types/stores';
fix: User should require a ID field set (#799)
2021-04-22 23:40:52 +02:00
import User from '../types/user';
feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles.
2021-03-11 22:51:58 +01:00
Feat/options need types (#794) feat: options are now typed - This makes it easier to know what to send to unleash.start / unleash.create - Using a Partial to instantiate the config, then melding it with defaults to get a config object with all fields set either to their defaults or to whatever is passed in. Co-authored-by: Fredrik Strand Oseberg <fredrik.no@gmail.com> Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com>
2021-04-22 10:07:10 +02:00
interface PermissionChecker {
hasPermission(
user: User,
permission: string,
projectId?: string,
): Promise<boolean>;
}
const rbacMiddleware = (
config: Pick<IUnleashConfig, 'getLogger'>,
{ featureToggleStore }: Pick<IUnleashStores, 'featureToggleStore'>,
accessService: PermissionChecker,
): any => {
feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles.
2021-03-11 22:51:58 +01:00
const logger = config.getLogger('/middleware/rbac-middleware.js');
logger.info('Enabling RBAC');
return (req, res, next) => {
req.checkRbac = async (permission: string) => {
const { user, params } = req;
if (!user) {
logger.error('RBAC requires a user to exist on the request.');
return false;
}
if (user.isAPI) {
return user.permissions.includes(ADMIN);
}
if (!user.id) {
logger.error('RBAC requires the user to have a unique id.');
return false;
}
// For /api/admin/projects/:projectId we will find it as part of params
let { projectId } = params;
fix: rbac now checks permission for both projects (#838) - When updating a toggle - If the project is updated, the user performing the operation will need UPDATE_FEATURE permission for both old and new project fixes: #837
2021-05-05 22:32:25 +02:00
// Temporary workaround to figure out projectId for feature toggle updates.
if (permission === DELETE_FEATURE) {
feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles.
2021-03-11 22:51:58 +01:00
const { featureName } = params;
projectId = await featureToggleStore.getProjectId(featureName);
fix: rbac now checks permission for both projects (#838) - When updating a toggle - If the project is updated, the user performing the operation will need UPDATE_FEATURE permission for both old and new project fixes: #837
2021-05-05 22:32:25 +02:00
} else if (permission === UPDATE_FEATURE) {
// if projectId of feature is different from project in body
// need to check that we have UPDATE_FEATURE access on both old and new project
// TODO: Look at this to make it smoother once we get around to looking at project
// Changing project of a toggle should most likely be a separate endpoint
const { featureName } = params;
projectId = await featureToggleStore.getProjectId(featureName);
const newProjectId = req.body
? req.body.project || projectId
: projectId;
if (newProjectId !== projectId) {
return (
accessService.hasPermission(
user,
permission,
projectId,
) &&
accessService.hasPermission(
user,
permission,
newProjectId,
)
);
}
feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles.
2021-03-11 22:51:58 +01:00
} else if (permission === CREATE_FEATURE) {
fix: migrate all permissions to rbac (#782) * fix: migrate all permissions to rbac * fix: update migration guide fixes #782
2021-04-12 20:25:03 +02:00
projectId = req.body.project || 'default';
feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles.
2021-03-11 22:51:58 +01:00
}
return accessService.hasPermission(user, permission, projectId);
};
return next();
};
};
module.exports = rbacMiddleware;
export default rbacMiddleware;
Reference in New Issue Copy Permalink