Refactor Privileges to remove the need to pass session

Author: CarsonF

src/components/authorization/policy/executor/all-permissions-view.ts

@@ -16,8 +16,8 @@ import {
   type ChildSingleAction,
   type PropAction,
 } from '../actions';
-import { type UserEdgePrivileges } from './user-edge-privileges';
-import { type UserResourcePrivileges } from './user-resource-privileges';
+import { type EdgePrivileges } from './edge-privileges';
+import { type ResourcePrivileges } from './resource-privileges';
 
 export type AllPermissionsView<TResourceStatic extends ResourceShape<any>> =
   Record<
@@ -34,7 +34,7 @@ export const createAllPermissionsView = <
   TResourceStatic extends ResourceShape<any>,
 >(
   resource: EnhancedResource<TResourceStatic>,
-  privileges: UserResourcePrivileges<TResourceStatic>,
+  privileges: ResourcePrivileges<TResourceStatic>,
 ) =>
   createLazyRecord<AllPermissionsView<TResourceStatic>>({
     getKeys: () => [...resource.securedPropsPlusExtra, ...resource.childKeys],
@@ -67,7 +67,7 @@ export const createAllPermissionsOfEdgeView = <
   TAction extends string,
 >(
   resource: EnhancedResource<TResourceStatic>,
-  privileges: UserEdgePrivileges<TResourceStatic, TKey, TAction>,
+  privileges: EdgePrivileges<TResourceStatic, TKey, TAction>,
 ) =>
   createLazyRecord<Record<TAction, boolean>>({
     getKeys: () => [],

src/components/authorization/policy/executor/edge-privileges.ts

@@ -1,7 +1,19 @@
-import { EnhancedResource, type ResourceShape, type Session } from '~/common';
+import { LazyGetter as Once } from 'lazy-get-decorator';
+import {
+  EnhancedResource,
+  type ResourceShape,
+  UnauthorizedException,
+} from '~/common';
 import { type ResourceObjectContext } from '../object.type';
-import { type PolicyExecutor } from './policy-executor';
-import { UserEdgePrivileges } from './user-edge-privileges';
+import {
+  type AllPermissionsOfEdgeView,
+  createAllPermissionsOfEdgeView,
+} from './all-permissions-view';
+import {
+  type FilterOptions,
+  type PolicyExecutor,
+  type ResolveParams,
+} from './policy-executor';
 
 export class EdgePrivileges<
   TResourceStatic extends ResourceShape<any>,
@@ -12,18 +24,105 @@ export class EdgePrivileges<
   constructor(
     resource: TResourceStatic | EnhancedResource<TResourceStatic>,
     readonly key: TKey,
+    private readonly object: ResourceObjectContext<TResourceStatic> | undefined,
     private readonly policyExecutor: PolicyExecutor,
   ) {
     this.resource = EnhancedResource.of(resource);
   }
 
-  forUser(session: Session, object?: ResourceObjectContext<TResourceStatic>) {
-    return new UserEdgePrivileges<TResourceStatic, TKey, TAction>(
+  /** @deprecated */
+  get session() {
+    return this.policyExecutor.sessionHost.current;
+  }
+
+  /** @deprecated Use {@link forContext} instead */
+  forUser(_session: unknown, object?: ResourceObjectContext<TResourceStatic>) {
+    return object ? this.forContext(object) : this;
+  }
+
+  get context() {
+    return this.object;
+  }
+
+  forContext(object: ResourceObjectContext<TResourceStatic>) {
+    if (object === this.object) {
+      return this;
+    }
+    return new EdgePrivileges(
       this.resource,
       this.key,
       object,
-      session,
       this.policyExecutor,
     );
   }
+
+  can(action: TAction) {
+    const perm = this.policyExecutor.resolve({
+      action,
+      resource: this.resource,
+      prop: this.key,
+    });
+    return perm === true || perm === false
+      ? perm
+      : perm.isAllowed({
+          object: this.object,
+          resource: this.resource,
+          session: this.policyExecutor.sessionHost.current,
+        });
+  }
+
+  verifyCan(action: TAction) {
+    if (this.can(action)) {
+      return;
+    }
+    throw UnauthorizedException.fromPrivileges(
+      action,
+      this.object,
+      this.resource,
+      this.key,
+    );
+  }
+
+  /**
+   * An alternative view that gives an object with all the permissions for
+   * actions.
+   * @example
+   * const privileges = Privileges.forEdge(User, 'email');
+   * if (privileges.all.read) {
+   *   // can read
+   * }
+   */
+  @Once()
+  get all(): AllPermissionsOfEdgeView<TAction> {
+    return createAllPermissionsOfEdgeView(this.resource, this);
+  }
+
+  /**
+   * Applies a filter to the `node` so that only readable nodes continue based on our polices.
+   * This requires `node` & `project` to be defined where this cypher snippet
+   * is inserted.
+   */
+  filterToReadable(options?: FilterOptions) {
+    return this.dbFilter({
+      action: 'read',
+      ...options,
+    });
+  }
+
+  dbFilter(options: FilterOptions & Pick<ResolveParams, 'action'>) {
+    return this.policyExecutor.cypherFilter({
+      ...options,
+      resource: this.resource,
+      prop: this.key,
+    });
+  }
 }
+
+/**
+ * @deprecated Use {@link EdgePrivileges} instead.
+ */
+export type UserEdgePrivileges<
+  TResourceStatic extends ResourceShape<any>,
+  TKey extends string,
+  TAction extends string,
+> = EdgePrivileges<TResourceStatic, TKey, TAction>;

src/components/authorization/policy/executor/policy-executor.ts

@@ -40,7 +40,7 @@ export interface FilterOptions {
 @Injectable()
 export class PolicyExecutor {
   constructor(
-    private readonly sessionHost: SessionHost,
+    readonly sessionHost: SessionHost,
     private readonly policyFactory: PolicyFactory,
     @Inject(forwardRef(() => ConditionOptimizer))
     private readonly conditionOptimizer: ConditionOptimizer & {},

src/components/authorization/policy/executor/privileges.ts

@@ -5,8 +5,10 @@ import {
   EnhancedResource,
   type ResourceShape,
   type SecuredPropsPlusExtraKey,
-  type Session,
 } from '~/common';
+import { SessionHost } from '../../../authentication/session.host';
+import type { Power } from '../../dto';
+import { MissingPowerException } from '../../missing-power.exception';
 import {
   type ChildListAction,
   type ChildSingleAction,
@@ -16,22 +18,25 @@ import { type ResourceObjectContext } from '../object.type';
 import { EdgePrivileges } from './edge-privileges';
 import { PolicyExecutor } from './policy-executor';
 import { ResourcePrivileges } from './resource-privileges';
-import { UserPrivileges } from './user-privileges';
-import { UserResourcePrivileges } from './user-resource-privileges';
 
 @Injectable()
 export class Privileges {
-  constructor(private readonly policyExecutor: PolicyExecutor) {}
+  constructor(
+    private readonly policyExecutor: PolicyExecutor,
+    private readonly sessionHost: SessionHost,
+  ) {}
 
-  forUser(session: Session) {
-    return new UserPrivileges(session, this.policyExecutor);
+  /** @deprecated */
+  forUser(_session: unknown) {
+    return this;
   }
 
   forResource<TResourceStatic extends ResourceShape<any>>(
     resource: TResourceStatic | EnhancedResource<TResourceStatic>,
   ) {
     return new ResourcePrivileges<TResourceStatic>(
       EnhancedResource.of(resource),
+      undefined,
       this.policyExecutor,
     );
   }
@@ -67,6 +72,7 @@ export class Privileges {
     return new EdgePrivileges(
       EnhancedResource.of(resource),
       key,
+      undefined,
       this.policyExecutor,
     );
   }
@@ -75,15 +81,46 @@ export class Privileges {
    * Returns the privileges given the appropriate user & resource context.
    */
   for<TResourceStatic extends ResourceShape<any>>(
-    session: Session,
     resource: TResourceStatic | EnhancedResource<TResourceStatic>,
     object?: ResourceObjectContext<TResourceStatic>,
+  ): ResourcePrivileges<TResourceStatic>;
+  /** @deprecated */
+  for<TResourceStatic extends ResourceShape<any>>(
+    _session: unknown,
+    resource: TResourceStatic | EnhancedResource<TResourceStatic>,
+    object?: ResourceObjectContext<TResourceStatic>,
+  ): ResourcePrivileges<TResourceStatic>;
+  for<TResourceStatic extends ResourceShape<any>>(
+    sessionOrRes: any,
+    resOrCtx: any,
+    ctx?: any,
   ) {
-    return new UserResourcePrivileges<TResourceStatic>(
-      resource,
-      object,
-      session,
+    const hasSession = sessionOrRes.token && sessionOrRes.anonymous != null;
+    return new ResourcePrivileges<TResourceStatic>(
+      hasSession ? resOrCtx : sessionOrRes,
+      hasSession ? ctx : resOrCtx,
       this.policyExecutor,
     );
   }
+
+  /**
+   * I think this should be replaced in-app code with `.for(X).verifyCan('create')`
+   */
+  verifyPower(power: Power) {
+    const session = this.sessionHost.current;
+    if (!this.powers.has(power)) {
+      throw new MissingPowerException(
+        power,
+        `User ${
+          session.anonymous ? 'anon' : session.userId
+        } does not have the requested power: ${power}`,
+      );
+    }
+  }
+
+  get powers(): Set<Power> {
+    const session = this.sessionHost.current;
+    const policies = this.policyExecutor.getPolicies(session);
+    return new Set(policies.flatMap((policy) => [...policy.powers]));
+  }
 }