unleash.unleash/src/lib/db/access-store.ts

import { EventEmitter } from 'events';
import { Knex } from 'knex';
import metricsHelper from '../metrics-helper';
import { DB_TIME } from '../metric-events';

const T = {
    ROLE_USER: 'role_user',
    ROLES: 'roles',
    ROLE_PERMISSION: 'role_permission',
};

export interface IUserPermission {
    project?: string;
    permission: string;
}

export interface IRole {
    id: number;
    name: string;
    description?: string;
    type: string;
    project?: string;
}

export interface IUserRole {
    roleId: number;
    userId: number;
}

export class AccessStore {
    private logger: Function;

    private timer: Function;

    private db: Knex;

    constructor(db: Knex, eventBus: EventEmitter, getLogger: Function) {
        this.db = db;
        this.logger = getLogger('access-store.js');
        this.timer = (action: string) =>
            metricsHelper.wrapTimer(eventBus, DB_TIME, {
                store: 'access-store',
                action,
            });
    }

    async getPermissionsForUser(userId: number): Promise<IUserPermission[]> {
        const stopTimer = this.timer('getPermissionsForUser');
        const rows = await this.db
            .select('project', 'permission')
            .from<IUserPermission>(`${T.ROLE_PERMISSION} AS rp`)
            .leftJoin(`${T.ROLE_USER} AS ur`, 'ur.role_id', 'rp.role_id')
            .where('ur.user_id', '=', userId);
        stopTimer();
        return rows;
    }

    async getPermissionsForRole(roleId: number): Promise<IUserPermission[]> {
        const stopTimer = this.timer('getPermissionsForRole');
        const rows = await this.db
            .select('project', 'permission')
            .from<IUserPermission>(`${T.ROLE_PERMISSION}`)
            .where('role_id', '=', roleId);
        stopTimer();
        return rows;
    }

    async getRoles(): Promise<IRole[]> {
        return this.db
            .select(['id', 'name', 'type', 'description'])
            .from<IRole>(T.ROLES);
    }

    async getRoleWithId(id: number): Promise<IRole> {
        return this.db
            .select(['id', 'name', 'type', 'description'])
            .where('id', id)
            .first()
            .from<IRole>(T.ROLES);
    }

    async getRolesForProject(projectId: string): Promise<IRole[]> {
        return this.db
            .select(['id', 'name', 'type', 'project', 'description'])
            .from<IRole>(T.ROLES)
            .where('project', projectId)
            .andWhere('type', 'project');
    }

    async getRootRoles(): Promise<IRole[]> {
        return this.db
            .select(['id', 'name', 'type', 'project', 'description'])
            .from<IRole>(T.ROLES)
            .andWhere('type', 'root');
    }

    async removeRolesForProject(projectId: string): Promise<void> {
        return this.db(T.ROLES)
            .where({
                project: projectId,
            })
            .delete();
    }

    async getRolesForUserId(userId: number): Promise<IRole[]> {
        return this.db
            .select(['id', 'name', 'type', 'project', 'description'])
            .from<IRole[]>(T.ROLES)
            .innerJoin(`${T.ROLE_USER} as ru`, 'ru.role_id', 'id')
            .where('ru.user_id', '=', userId);
    }

    async getUserIdsForRole(roleId: number): Promise<IRole[]> {
        const rows = await this.db
            .select(['user_id'])
            .from<IRole>(T.ROLE_USER)
            .where('role_id', roleId);
        return rows.map(r => r.user_id);
    }

    async addUserToRole(userId: number, roleId: number): Promise<void> {
        return this.db(T.ROLE_USER).insert({
            user_id: userId,
            role_id: roleId,
        });
    }

    async removeUserFromRole(userId: number, roleId: number): Promise<void> {
        return this.db(T.ROLE_USER)
            .where({
                user_id: userId,
                role_id: roleId,
            })
            .delete();
    }

    async removeRolesOfTypeForUser(
        userId: number,
        roleType: string,
    ): Promise<void> {
        const rolesToRemove = this.db(T.ROLES)
            .select('id')
            .where({ type: roleType });

        return this.db(T.ROLE_USER)
            .where({ user_id: userId })
            .whereIn('role_id', rolesToRemove)
            .delete();
    }

    async createRole(
        name: string,
        type: string,
        project?: string,
        description?: string,
    ): Promise<IRole> {
        const [id] = await this.db(T.ROLES)
            .insert({ name, description, type, project })
            .returning('id');
        return { id, name, description, type, project };
    }

    async addPermissionsToRole(
        role_id: number,
        permissions: string[],
        projectId?: string,
    ): Promise<void> {
        const rows = permissions.map(permission => ({
            role_id,
            project: projectId,
            permission,
        }));
        return this.db.batchInsert(T.ROLE_PERMISSION, rows);
    }

    async removePermissionFromRole(
        roleId: number,
        permission: string,
        projectId?: string,
    ): Promise<void> {
        return this.db(T.ROLE_PERMISSION)
            .where({
                role_id: roleId,
                permission,
                project: projectId,
            })
            .delete();
    }

    async getRootRoleForAllUsers(): Promise<IUserRole[]> {
        const rows = await this.db
            .select('id', 'user_id')
            .distinctOn('user_id')
            .from(`${T.ROLES} AS r`)
            .leftJoin(`${T.ROLE_USER} AS ru`, 'r.id', 'ru.role_id')
            .where('r.type', '=', 'root');

        return rows.map(row => ({
            roleId: +row.id,
            userId: +row.user_id,
        }));
    }
}
feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles. 2021-03-11 22:51:58 +01:00			`import { EventEmitter } from 'events';`
Make sure we keep the announced status of each app (#770) * Make sure we keep the announced status of each app - Since we were running onConflict().merge() we were keeping our entire new object from our remapRow method, and that was overwriting the current announcement status of the row back to false, unless we'd by random chance actually set the announced property on our row to be inserted. * Add migration for cleaning up application-created events - fixes: #769 2021-03-23 12:43:33 +01:00			`import { Knex } from 'knex';`
feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles. 2021-03-11 22:51:58 +01:00			`import metricsHelper from '../metrics-helper';`
fix: refactor event types 2021-04-29 10:21:29 +02:00			`import { DB_TIME } from '../metric-events';`
feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles. 2021-03-11 22:51:58 +01:00
			`const T = {`
			`ROLE_USER: 'role_user',`
			`ROLES: 'roles',`
			`ROLE_PERMISSION: 'role_permission',`
			`};`

			`export interface IUserPermission {`
			`project?: string;`
			`permission: string;`
			`}`

			`export interface IRole {`
			`id: number;`
			`name: string;`
			`description?: string;`
			`type: string;`
			`project?: string;`
			`}`

feat: Add username/password authentication (#777) 2021-04-09 13:46:53 +02:00			`export interface IUserRole {`
			`roleId: number;`
			`userId: number;`
			`}`

feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles. 2021-03-11 22:51:58 +01:00			`export class AccessStore {`
			`private logger: Function;`

			`private timer: Function;`

			`private db: Knex;`

			`constructor(db: Knex, eventBus: EventEmitter, getLogger: Function) {`
			`this.db = db;`
			`this.logger = getLogger('access-store.js');`
			`this.timer = (action: string) =>`
			`metricsHelper.wrapTimer(eventBus, DB_TIME, {`
			`store: 'access-store',`
			`action,`
			`});`
			`}`

fix: migrate all permissions to rbac (#782) * fix: migrate all permissions to rbac * fix: update migration guide fixes #782 2021-04-12 20:25:03 +02:00			`async getPermissionsForUser(userId: number): Promise<IUserPermission[]> {`
feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles. 2021-03-11 22:51:58 +01:00			`const stopTimer = this.timer('getPermissionsForUser');`
			`const rows = await this.db`
			`.select('project', 'permission')`
			.from<IUserPermission>(`${T.ROLE_PERMISSION} AS rp`)
			.leftJoin(`${T.ROLE_USER} AS ur`, 'ur.role_id', 'rp.role_id')
fix: migrate all permissions to rbac (#782) * fix: migrate all permissions to rbac * fix: update migration guide fixes #782 2021-04-12 20:25:03 +02:00			`.where('ur.user_id', '=', userId);`
feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles. 2021-03-11 22:51:58 +01:00			`stopTimer();`
			`return rows;`
			`}`

			`async getPermissionsForRole(roleId: number): Promise<IUserPermission[]> {`
			`const stopTimer = this.timer('getPermissionsForRole');`
			`const rows = await this.db`
			`.select('project', 'permission')`
			.from<IUserPermission>(`${T.ROLE_PERMISSION}`)
			`.where('role_id', '=', roleId);`
			`stopTimer();`
			`return rows;`
			`}`

			`async getRoles(): Promise<IRole[]> {`
			`return this.db`
			`.select(['id', 'name', 'type', 'description'])`
			`.from<IRole>(T.ROLES);`
			`}`

			`async getRoleWithId(id: number): Promise<IRole> {`
			`return this.db`
			`.select(['id', 'name', 'type', 'description'])`
			`.where('id', id)`
			`.first()`
			`.from<IRole>(T.ROLES);`
			`}`

			`async getRolesForProject(projectId: string): Promise<IRole[]> {`
			`return this.db`
			`.select(['id', 'name', 'type', 'project', 'description'])`
			`.from<IRole>(T.ROLES)`
			`.where('project', projectId)`
			`.andWhere('type', 'project');`
			`}`

feat: Add username/password authentication (#777) 2021-04-09 13:46:53 +02:00			`async getRootRoles(): Promise<IRole[]> {`
			`return this.db`
			`.select(['id', 'name', 'type', 'project', 'description'])`
			`.from<IRole>(T.ROLES)`
			`.andWhere('type', 'root');`
			`}`

feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles. 2021-03-11 22:51:58 +01:00			`async removeRolesForProject(projectId: string): Promise<void> {`
			`return this.db(T.ROLES)`
			`.where({`
			`project: projectId,`
			`})`
			`.delete();`
			`}`

			`async getRolesForUserId(userId: number): Promise<IRole[]> {`
			`return this.db`
			`.select(['id', 'name', 'type', 'project', 'description'])`
			`.from<IRole[]>(T.ROLES)`
			.innerJoin(`${T.ROLE_USER} as ru`, 'ru.role_id', 'id')
			`.where('ru.user_id', '=', userId);`
			`}`

			`async getUserIdsForRole(roleId: number): Promise<IRole[]> {`
			`const rows = await this.db`
			`.select(['user_id'])`
			`.from<IRole>(T.ROLE_USER)`
			`.where('role_id', roleId);`
			`return rows.map(r => r.user_id);`
			`}`

			`async addUserToRole(userId: number, roleId: number): Promise<void> {`
			`return this.db(T.ROLE_USER).insert({`
			`user_id: userId,`
			`role_id: roleId,`
			`});`
			`}`

			`async removeUserFromRole(userId: number, roleId: number): Promise<void> {`
			`return this.db(T.ROLE_USER)`
			`.where({`
			`user_id: userId,`
			`role_id: roleId,`
			`})`
			`.delete();`
			`}`

feat: Add username/password authentication (#777) 2021-04-09 13:46:53 +02:00			`async removeRolesOfTypeForUser(`
			`userId: number,`
			`roleType: string,`
			`): Promise<void> {`
			`const rolesToRemove = this.db(T.ROLES)`
			`.select('id')`
			`.where({ type: roleType });`

			`return this.db(T.ROLE_USER)`
			`.where({ user_id: userId })`
			`.whereIn('role_id', rolesToRemove)`
			`.delete();`
			`}`

feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles. 2021-03-11 22:51:58 +01:00			`async createRole(`
			`name: string,`
			`type: string,`
			`project?: string,`
			`description?: string,`
			`): Promise<IRole> {`
			`const [id] = await this.db(T.ROLES)`
			`.insert({ name, description, type, project })`
			`.returning('id');`
			`return { id, name, description, type, project };`
			`}`

			`async addPermissionsToRole(`
			`role_id: number,`
			`permissions: string[],`
			`projectId?: string,`
			`): Promise<void> {`
			`const rows = permissions.map(permission => ({`
			`role_id,`
			`project: projectId,`
			`permission,`
			`}));`
			`return this.db.batchInsert(T.ROLE_PERMISSION, rows);`
			`}`

			`async removePermissionFromRole(`
			`roleId: number,`
			`permission: string,`
			`projectId?: string,`
			`): Promise<void> {`
			`return this.db(T.ROLE_PERMISSION)`
			`.where({`
			`role_id: roleId,`
			`permission,`
			`project: projectId,`
			`})`
			`.delete();`
			`}`
feat: Add username/password authentication (#777) 2021-04-09 13:46:53 +02:00
			`async getRootRoleForAllUsers(): Promise<IUserRole[]> {`
			`const rows = await this.db`
			`.select('id', 'user_id')`
			`.distinctOn('user_id')`
			.from(`${T.ROLES} AS r`)
			.leftJoin(`${T.ROLE_USER} AS ru`, 'r.id', 'ru.role_id')
			`.where('r.type', '=', 'root');`

			`return rows.map(row => ({`
			`roleId: +row.id,`
			`userId: +row.user_id,`
			`}));`
			`}`
feat: Default roles and RBAC permission checker. (#735) This PR Introduces first steps towards RBAC according to our specifications. Rbac will assume users to exist in the Unleash user table with a unique id. This is required to make correct mappings between users and roles. 2021-03-11 22:51:58 +01:00			`}`