Add permissions to serialized workflow resolved from policies

CarsonF · CarsonF · commit 191b9f0c2c15 · 2024-06-12T10:47:18.000-05:00
diff --git a/src/components/authorization/policy/executor/user-resource-privileges.ts b/src/components/authorization/policy/executor/user-resource-privileges.ts
@@ -110,12 +110,7 @@ export class UserResourcePrivileges<
     relation: ChildListsKey<TResourceStatic>,
   ): boolean;
   can(action: AnyAction, prop?: SecuredResourceKey<TResourceStatic>) {
-    const perm = this.policyExecutor.resolve({
-      action,
-      session: this.session,
-      resource: this.resource,
-      prop,
-    });
+    const perm = this.resolve({ action, prop });
     return perm === true || perm === false
       ? perm
       : perm.isAllowed({
@@ -125,6 +120,14 @@ export class UserResourcePrivileges<
         });
   }
 
+  resolve(params: Omit<ResolveParams, 'session' | 'resource'>) {
+    return this.policyExecutor.resolve({
+      ...params,
+      session: this.session,
+      resource: this.resource,
+    });
+  }
+
   verifyCan(action: ResourceAction): void;
   verifyCan(
     action: PropAction,
diff --git a/src/components/workflow/dto/serialized-workflow.dto.ts b/src/components/workflow/dto/serialized-workflow.dto.ts
@@ -1,7 +1,8 @@
 import { createUnionType, Field, ObjectType } from '@nestjs/graphql';
 import { cacheable } from '@seedcompany/common';
+import { stripIndent } from 'common-tags';
 import * as uuid from 'uuid';
-import { DataObject, ID, IdField } from '~/common';
+import { DataObject, ID, IdField, Role } from '~/common';
 import { Workflow } from '../define-workflow';
 import { DynamicState } from '../transitions/dynamic-state';
 import { TransitionType } from './workflow-transition.dto';
@@ -61,6 +62,40 @@ export class SerializedWorkflowNotifier extends DataObject {
   readonly label: string;
 }
 
+@ObjectType('WorkflowTransitionPermission', {
+  description: stripIndent`
+    A permission for a transition.
+
+    This will either have \`readEvent\` or \`execute\` as a boolean,
+    specifying the action this permission defines.
+    If this is true, there could still be a condition that must be met,
+    described by the \`condition\` field.
+  `,
+})
+export class SerializedWorkflowTransitionPermission extends DataObject {
+  @Field(() => Role)
+  role: Role;
+
+  @Field({
+    description:
+      'The action for this permission is conditional, described by this field.',
+    nullable: true,
+  })
+  condition?: string;
+
+  @Field({
+    description: 'Can this role read historical events for this transition?',
+    nullable: true,
+  })
+  readEvent?: boolean;
+
+  @Field({
+    description: 'Can this role execute this transition?',
+    nullable: true,
+  })
+  execute?: boolean;
+}
+
 @ObjectType('WorkflowTransition')
 export class SerializedWorkflowTransition extends DataObject {
   @IdField()
@@ -86,6 +121,9 @@ export class SerializedWorkflowTransition extends DataObject {
 
   @Field(() => [SerializedWorkflowNotifier])
   readonly notifiers: readonly SerializedWorkflowNotifier[];
+
+  @Field(() => [SerializedWorkflowTransitionPermission])
+  readonly permissions: readonly SerializedWorkflowTransitionPermission[];
 }
 
 @ObjectType('Workflow')
@@ -99,7 +137,12 @@ export class SerializedWorkflow extends DataObject {
   @Field(() => [SerializedWorkflowTransition])
   readonly transitions: readonly SerializedWorkflowTransition[];
 
-  static from<W extends Workflow>(workflow: W): SerializedWorkflow {
+  static from<W extends Workflow>(
+    workflow: W,
+    getPermissions: (
+      transition: W['transition'],
+    ) => readonly SerializedWorkflowTransitionPermission[],
+  ): SerializedWorkflow {
     const serializeState = (state: Workflow['state']) => {
       const { value, label } = workflow.states.entry(state);
       return { value, label };
@@ -134,6 +177,7 @@ export class SerializedWorkflow extends DataObject {
         notifiers: (transition.notifiers ?? []).map((notifier) => ({
           label: notifier.description,
         })),
+        permissions: getPermissions(transition),
       })),
     };
   }
diff --git a/src/components/workflow/permission.serializer.ts b/src/components/workflow/permission.serializer.ts
@@ -0,0 +1,68 @@
+import { setOf } from '@seedcompany/common';
+import { DateTime } from 'luxon';
+import { ID, Role, Session } from '~/common';
+import { Privileges, UserResourcePrivileges } from '../authorization';
+import { Permission } from '../authorization/policy/builder/perm-granter';
+import { Condition } from '../authorization/policy/conditions';
+import { Workflow } from './define-workflow';
+import { SerializedWorkflowTransitionPermission as SerializedTransitionPermission } from './dto/serialized-workflow.dto';
+import { TransitionCondition } from './workflow.granter';
+
+export const transitionPermissionSerializer =
+  <W extends Workflow>(workflow: W, privileges: Privileges) =>
+  (transition: W['transition']): readonly SerializedTransitionPermission[] => {
+    const all = [...Role].flatMap((role) => {
+      const session: Session = {
+        token: 'system',
+        issuedAt: DateTime.now(),
+        userId: 'anonymous' as ID,
+        anonymous: false,
+        roles: [`global:${role}`],
+      };
+      const p = privileges.for(session, workflow.eventResource);
+      const readEvent = resolve(p, 'read', transition.key);
+      const execute = resolve(p, 'create', transition.key);
+      return [
+        {
+          role,
+          readEvent: readEvent !== false,
+          condition: renderCondition(readEvent),
+        },
+        {
+          role,
+          execute: execute !== false,
+          condition: renderCondition(execute),
+        },
+      ];
+    });
+
+    // Remove roles that are never applicable.
+    const applicableRoles = setOf(
+      all.flatMap((p) => (p.readEvent || p.execute ? p.role : [])),
+    );
+    return all.filter((p) => applicableRoles.has(p.role));
+  };
+
+const resolve = (
+  p: UserResourcePrivileges<any>,
+  action: string,
+  transitionKey: ID,
+): Permission => {
+  const c = p.resolve({
+    action,
+    calculatedAsCondition: true,
+    optimizeConditions: true,
+  });
+
+  if (typeof c === 'boolean') {
+    return c;
+  }
+  // Cheaply resolve transition condition.
+  if (c instanceof TransitionCondition) {
+    return c.allowedTransitionKeys.has(transitionKey);
+  }
+
+  return c;
+};
+const renderCondition = (c: boolean | Condition) =>
+  typeof c === 'boolean' ? undefined : Condition.id(c);
diff --git a/src/components/workflow/workflow.service.ts b/src/components/workflow/workflow.service.ts
@@ -7,6 +7,7 @@ import {
   ExecuteTransitionInput as ExecuteTransitionInputFn,
   SerializedWorkflow,
 } from './dto';
+import { transitionPermissionSerializer } from './permission.serializer';
 import { withTransitionKey } from './workflow.granter';
 
 type ExecuteTransitionInput = ReturnType<
@@ -124,7 +125,10 @@ export const WorkflowService = <W extends Workflow>(workflow: W) => {
     }
 
     serialize() {
-      return SerializedWorkflow.from(this.workflow);
+      return SerializedWorkflow.from(
+        this.workflow,
+        transitionPermissionSerializer(this.workflow, this.privileges),
+      );
     }
   }
 

Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@ import {`
`7`	`7`	`ExecuteTransitionInput as ExecuteTransitionInputFn,`
`8`	`8`	`SerializedWorkflow,`
`9`	`9`	`} from './dto';`
	`10`	`+import { transitionPermissionSerializer } from './permission.serializer';`
`10`	`11`	`import { withTransitionKey } from './workflow.granter';`
`11`	`12`
`12`	`13`	`type ExecuteTransitionInput = ReturnType<`
`@@ -124,7 +125,10 @@ export const WorkflowService = <W extends Workflow>(workflow: W) => {`
`124`	`125`	`}`
`125`	`126`
`126`	`127`	`serialize() {`
`127`		`- return SerializedWorkflow.from(this.workflow);`
	`128`	`+ return SerializedWorkflow.from(`
	`129`	`+ this.workflow,`
	`130`	`+ transitionPermissionSerializer(this.workflow, this.privileges),`
	`131`	`+ );`
`128`	`132`	`}`
`129`	`133`	`}`
`130`	`134`