Convert Session.roles & Policy.roles to sets

Author: CarsonF

src/components/authorization/handler/can-impersonate.handler.ts

@@ -9,7 +9,9 @@ export class CanImpersonateHandler {
 
   handle(event: CanImpersonateEvent) {
     const p = this.privileges.for(AssignableRoles);
-    const valid = event.session.roles.every((role) => p.can('edit', role));
+    const valid = event.session.roles
+      .values()
+      .every((role) => p.can('edit', role));
     event.allow.vote(valid);
   }
 }

src/components/authorization/policies/conditions/role.condition.ts

@@ -12,7 +12,7 @@ export class RoleCondition implements Condition {
   constructor(readonly allowed: ReadonlySet<Role>) {}
 
   isAllowed({ session }: IsAllowedParams<any>) {
-    const given = session.roles;
+    const given = session.roles.values();
     return given.some((role) => this.allowed.has(role));
   }
 

src/components/authorization/policy/executor/policy-executor.ts

@@ -1,6 +1,6 @@
 import { forwardRef, Inject, Injectable } from '@nestjs/common';
 import { CachedByArg } from '@seedcompany/common';
-import { identity, intersection } from 'lodash';
+import { identity } from 'lodash';
 import { type EnhancedResource } from '~/common';
 import { Identity, type Session } from '~/core/authentication';
 import { type QueryFragment } from '~/core/database/query';
@@ -147,8 +147,8 @@ export class PolicyExecutor {
       }
 
       const roleCondition =
-        policy.roles && policy.roles.length > 0
-          ? new RoleCondition(new Set(policy.roles))
+        policy.roles && policy.roles.size > 0
+          ? new RoleCondition(policy.roles)
           : undefined;
 
       if (!roleCondition && condition === true) {
@@ -279,11 +279,10 @@ export class PolicyExecutor {
       if (!policy.roles) {
         return true; // policy doesn't limit roles
       }
-      const rolesSpecifiedByPolicyThatUserHas = intersection(
-        policy.roles,
+      const rolesSpecifiedByPolicyThatUserHas = policy.roles.intersection(
         session.roles,
       );
-      return rolesSpecifiedByPolicyThatUserHas.length > 0;
+      return rolesSpecifiedByPolicyThatUserHas.size > 0;
     });
     return policies;
   }

src/components/authorization/policy/policy.factory.ts

@@ -3,7 +3,7 @@ import {
   DiscoveryService,
 } from '@golevelup/nestjs-discovery';
 import { Injectable, type OnModuleInit } from '@nestjs/common';
-import { entries, mapEntries, mapValues } from '@seedcompany/common';
+import { entries, mapEntries, mapValues, setOf } from '@seedcompany/common';
 import { pick, startCase } from 'lodash';
 import { type DeepWritable, type Writable } from 'ts-essentials';
 import { type EnhancedResource, many, type Role } from '~/common';
@@ -35,7 +35,7 @@ export interface Policy {
   /* Policy Name */
   name: string;
   /* Only applies to these roles */
-  roles?: readonly Role[];
+  roles?: ReadonlySet<Role>;
   /* What the policy grants */
   grants: Grants;
   /* An optimization to determine Powers this policy contains */
@@ -103,7 +103,7 @@ export class PolicyFactory implements OnModuleInit {
   ): PlainPolicy {
     const name = startCase(discoveredClass.name.replace(/Policy$/, ''));
 
-    const roles = meta.role === 'all' ? undefined : many(meta.role);
+    const roles = meta.role === 'all' ? undefined : setOf(many(meta.role));
 
     const grants: WritableGrants = new Map();
     const resultList = many(meta.def(resGranter)).flat();

src/components/engagement/engagement.rules.ts

@@ -1,5 +1,6 @@
 /* eslint-disable no-case-declarations */
 import { Injectable } from '@nestjs/common';
+import { setOf } from '@seedcompany/common';
 import { node, relation } from 'cypher-query-builder';
 import { first, intersection } from 'lodash';
 import {
@@ -28,7 +29,7 @@ interface StatusRule {
   transitions: Transition[];
 }
 
-const rolesThatCanBypassWorkflow: Role[] = [Role.Administrator];
+const rolesThatCanBypassWorkflow = setOf<Role>([Role.Administrator]);
 
 @Injectable()
 export class EngagementRules {
@@ -328,8 +329,7 @@ export class EngagementRules {
     );
 
     // If current user is not an approver (based on roles) then don't allow any transitions
-    const currentUserRoles = session.roles;
-    if (intersection(approvers, currentUserRoles).length === 0) {
+    if (session.roles.intersection(setOf(approvers)).size === 0) {
       return [];
     }
 
@@ -356,7 +356,7 @@ export class EngagementRules {
 
   canBypassWorkflow() {
     const { roles } = this.identity.current;
-    return intersection(rolesThatCanBypassWorkflow, roles).length > 0;
+    return roles.intersection(rolesThatCanBypassWorkflow).size > 0;
   }
 
   async verifyStatusChange(

src/components/project/project.service.ts

@@ -159,9 +159,10 @@ export class ProjectService {
       await this.projectMembers.create(
         {
           userId: session.userId,
-          roles: session.roles.filter((role) =>
-            Role.applicableToProjectMembership.has(role),
-          ),
+          roles: session.roles
+            .values()
+            .filter((role) => Role.applicableToProjectMembership.has(role))
+            .toArray(),
           projectId: project,
         },
         false,

src/core/authentication/session/session.dto.ts

@@ -6,7 +6,7 @@ class RawSession extends DataObject {
   readonly token: string;
   readonly issuedAt: DateTime;
   readonly userId: ID;
-  readonly roles: readonly Role[];
+  readonly roles: Iterable<Role>;
   readonly anonymous: boolean;
 
   /**
@@ -18,13 +18,17 @@ class RawSession extends DataObject {
    */
   readonly impersonatee?: {
     id?: ID;
-    roles: readonly Role[];
+    roles: ReadonlySet<Role>;
   };
 }
 
 export class Session extends RawSession {
+  declare readonly roles: ReadonlySet<Role>;
+
   static from(session: RawSession): Session {
-    return Session.defaultValue(Session, session);
+    return Object.assign(Session.defaultValue(Session), session, {
+      roles: new Set(session.roles),
+    });
   }
 
   with(next: Partial<RawSession>): Session {
@@ -41,7 +45,7 @@ export class Session extends RawSession {
   }
 
   get isAdmin() {
-    return this.roles.includes('Administrator');
+    return this.roles.has('Administrator');
   }
 
   isSelf(id: ID<'User'>) {

src/core/authentication/session/session.initiator.ts

@@ -1,5 +1,5 @@
 import { forwardRef, Inject, Injectable } from '@nestjs/common';
-import { csv } from '@seedcompany/common';
+import { csv, setOf } from '@seedcompany/common';
 import {
   type ID,
   InputException,
@@ -90,15 +90,15 @@ export class SessionInitiator {
       );
     }
 
-    const roles = csvHeader(request?.headers?.['x-cord-impersonate-role']);
+    const rawRoles = csvHeader(request?.headers?.['x-cord-impersonate-role']);
 
-    if (!roles && !user) {
+    if (!rawRoles && !user) {
       return undefined;
     }
 
-    const scoped = (roles ?? []).map(assertValidRole);
+    const roles = setOf((rawRoles ?? []).map(assertValidRole));
 
-    return { id: user, roles: scoped };
+    return { id: user, roles };
   }
 }
 

src/core/authentication/session/session.manager.ts

@@ -1,5 +1,5 @@
 import { Injectable } from '@nestjs/common';
-import { CachedByArg } from '@seedcompany/common';
+import { CachedByArg, setOf } from '@seedcompany/common';
 import { DateTime } from 'luxon';
 import type { Writable } from 'ts-essentials';
 import {
@@ -78,10 +78,10 @@ export class SessionManager {
       impersonatee && result.userId
         ? {
             id: impersonatee?.id ?? ghost?.id,
-            roles: [
+            roles: setOf([
               ...(impersonatee.roles ?? []),
               ...(result.impersonateeRoles ?? []),
-            ],
+            ]),
           }
         : undefined;
 
@@ -125,7 +125,7 @@ export class SessionManager {
   }
 
   @CachedByArg()
-  lazySessionForRootUser(input?: Partial<Session>) {
+  lazySessionForRootUser(input?: Parameters<Session['with']>[0]) {
     const promiseOfRootId = this.waitForRootUserIdOnce().then((id) => {
       (session as Writable<Session>).userId = id;
       return id;