Create Identity.asRole

This moves all session creations into the service.

Author: CarsonF

src/components/authentication/authentication.service.ts

@@ -256,6 +256,17 @@ export class AuthenticationService {
     return session;
   }
 
+  asRole<R>(role: Role, fn: () => R): R {
+    const session: Session = {
+      token: 'system',
+      issuedAt: DateTime.now(),
+      userId: 'anonymous' as ID,
+      anonymous: false,
+      roles: [`global:${role}`],
+    };
+    return this.sessionHost.withSession(session, fn);
+  }
+
   async changePassword(
     oldPassword: string,
     newPassword: string,

src/components/authorization/policy/executor/policy-dumper.ts

@@ -15,19 +15,13 @@ import { Chalk, type ChalkInstance } from 'chalk';
 import Table from 'cli-table3';
 import { Command, Option } from 'clipanion';
 import { startCase } from 'lodash';
-import { DateTime } from 'luxon';
 import fs from 'node:fs/promises';
 import { type LiteralUnion } from 'type-fest';
 import { inspect } from 'util';
 import xlsx from 'xlsx';
-import {
-  type EnhancedResource,
-  firstOr,
-  type ID,
-  Role,
-  type Session,
-} from '~/common';
+import { type EnhancedResource, firstOr, Role } from '~/common';
 import { searchCamelCase } from '~/common/search-camel-case';
+import { Identity } from '~/core/authentication';
 import { InjectableCommand } from '~/core/cli';
 import { type ResourceLike, ResourcesHost } from '~/core/resources';
 import {
@@ -45,6 +39,7 @@ type AnyResource = EnhancedResource<any>;
 @Injectable()
 export class PolicyDumper {
   constructor(
+    private readonly identity: Identity,
     private readonly resources: ResourcesHost,
     private readonly executor: PolicyExecutor,
   ) {}
@@ -173,51 +168,45 @@ export class PolicyDumper {
     resource: AnyResource,
     options: { props: boolean | ReadonlySet<string> },
   ): DumpedRow[] {
-    const session: Session = {
-      token: 'system',
-      issuedAt: DateTime.now(),
-      userId: 'anonymous' as ID,
-      anonymous: false,
-      roles: [`global:${role}`],
-    };
-    const resolve = (action: string, prop?: string) =>
-      this.executor.resolve({
-        session,
-        resource,
-        calculatedAsCondition: true,
-        optimizeConditions: true,
-        action,
-        prop,
-      });
-    return [
-      {
-        role,
-        resource,
-        edge: undefined,
-        ...mapValues.fromList(ResourceAction, (action) => resolve(action))
-          .asRecord,
-      },
-      ...(options.props !== false
-        ? ([
-            [resource.securedPropsPlusExtra, PropAction],
-            [resource.childSingleKeys, ChildSingleAction],
-            [resource.childListKeys, ChildListAction],
-          ] as const)
-        : []
-      ).flatMap(([set, actions]) =>
-        [...set]
-          .filter(
-            (p) => typeof options.props === 'boolean' || options.props.has(p),
-          )
-          .map((prop) => ({
-            role,
-            resource,
-            edge: prop,
-            ...mapValues.fromList(actions, (action) => resolve(action, prop))
-              .asRecord,
-          })),
-      ),
-    ];
+    return this.identity.asRole(role, () => {
+      const resolve = (action: string, prop?: string) =>
+        this.executor.resolve({
+          resource,
+          calculatedAsCondition: true,
+          optimizeConditions: true,
+          action,
+          prop,
+        });
+      return [
+        {
+          role,
+          resource,
+          edge: undefined,
+          ...mapValues.fromList(ResourceAction, (action) => resolve(action))
+            .asRecord,
+        },
+        ...(options.props !== false
+          ? ([
+              [resource.securedPropsPlusExtra, PropAction],
+              [resource.childSingleKeys, ChildSingleAction],
+              [resource.childListKeys, ChildListAction],
+            ] as const)
+          : []
+        ).flatMap(([set, actions]) =>
+          [...set]
+            .filter(
+              (p) => typeof options.props === 'boolean' || options.props.has(p),
+            )
+            .map((prop) => ({
+              role,
+              resource,
+              edge: prop,
+              ...mapValues.fromList(actions, (action) => resolve(action, prop))
+                .asRecord,
+            })),
+        ),
+      ];
+    });
   }
 }
 

src/components/workflow/permission.serializer.ts

@@ -1,7 +1,6 @@
 import { setOf } from '@seedcompany/common';
-import { DateTime } from 'luxon';
-import { type ID, Role, type Session } from '~/common';
-import { type SessionHost } from '../authentication';
+import { type ID, Role } from '~/common';
+import { type Identity } from '~/core/authentication';
 import { type Privileges, type UserResourcePrivileges } from '../authorization';
 import { Condition } from '../authorization/policy/conditions';
 import { type Workflow } from './define-workflow';
@@ -12,18 +11,11 @@ export const transitionPermissionSerializer =
   <W extends Workflow>(
     workflow: W,
     privileges: Privileges,
-    sessionHost: SessionHost,
+    identity: Identity,
   ) =>
   (transition: W['transition']): readonly SerializedTransitionPermission[] => {
     const all = [...Role].flatMap((role) => {
-      const session: Session = {
-        token: 'system',
-        issuedAt: DateTime.now(),
-        userId: 'anonymous' as ID,
-        anonymous: false,
-        roles: [`global:${role}`],
-      };
-      return sessionHost.withSession(session, () => {
+      return identity.asRole(role, () => {
         const p = privileges.for(workflow.eventResource);
         const readEvent = resolve(p, 'read', transition.key);
         const execute = resolve(p, 'create', transition.key);

src/components/workflow/workflow.service.ts

@@ -1,7 +1,7 @@
 import { Inject, Injectable } from '@nestjs/common';
 import { type Nil } from '@seedcompany/common';
 import { type ID, UnauthorizedException } from '~/common';
-import { SessionHost } from '../authentication';
+import { Identity } from '~/core/authentication';
 import { Privileges } from '../authorization';
 import { MissingContextException } from '../authorization/policy/conditions';
 import { type Workflow } from './define-workflow';
@@ -20,7 +20,7 @@ export const WorkflowService = <W extends Workflow>(workflow: () => W) => {
   @Injectable()
   abstract class WorkflowServiceClass {
     @Inject() protected readonly privileges: Privileges;
-    @Inject() protected readonly sessionHost: SessionHost;
+    @Inject() protected readonly identity: Identity;
     protected readonly workflow: W;
 
     constructor() {
@@ -143,7 +143,7 @@ export const WorkflowService = <W extends Workflow>(workflow: () => W) => {
         transitionPermissionSerializer(
           this.workflow,
           this.privileges,
-          this.sessionHost,
+          this.identity,
         ),
       );
     }

src/core/authentication/identity.service.ts

@@ -1,5 +1,5 @@
 import { Inject, Injectable } from '@nestjs/common';
-import type { ID } from '~/common';
+import type { ID, Role } from '~/common';
 import { type AuthenticationService } from '../../components/authentication';
 import { SessionHost } from '../../components/authentication/session.host';
 
@@ -29,4 +29,11 @@ export class Identity {
   async asUser<R>(user: ID<'User'>, fn: () => Promise<R>): Promise<R> {
     return await this.auth.asUser(user, fn);
   }
+
+  /**
+   * Run this function with the current user as an ephemeral one this role
+   */
+  asRole<R>(role: Role, fn: () => R): R {
+    return this.auth.asRole(role, fn);
+  }
 }