feat: add support for multiple context values

onebytegone · onebytegone · commit c2728bdc338f · 2026-01-07T15:25:23.000-05:00
diff --git a/src/utils/make-subject-specific-policies.ts b/src/utils/make-subject-specific-policies.ts
@@ -1,3 +1,4 @@
+import { isStringMap, StringMap } from '@silvermine/toolbox';
 import {
    isPolicyConditionConjunctionAllOf,
    isPolicyConditionConjunctionAnyOf,
@@ -60,11 +61,20 @@ function makeSubjectConditions(tokenReplacer: (s: string) => string, cond: Reado
    throw new Error(`Unreachable: ${typeof cond} (${Object.getOwnPropertyNames(cond)})`);
 }
 
-function makePolicyID(subjectID: string, roleID: string, policyIndex: number, contextValue?: string): string {
+function makePolicyID(subjectID: string, roleID: string, policyIndex: number, contextValue?: string | StringMap): string {
    const parts = [ `${roleID}[${policyIndex}]`, subjectID ];
 
    if (contextValue) {
-      parts.push(contextValue);
+      if (isStringMap(contextValue)) {
+         const sortedPairs = Object.keys(contextValue)
+            .sort()
+            .map((k) => { return `${k}=${contextValue[k]}`; })
+            .join(';');
+
+         parts.push(sortedPairs);
+      } else {
+         parts.push(contextValue);
+      }
    }
 
    return parts.join('|');
diff --git a/src/utils/substitute-values.ts b/src/utils/substitute-values.ts
@@ -1,18 +1,35 @@
+import { hasDefined, isString, isStringMap, StringMap } from '@silvermine/toolbox';
+
 export interface KnownTokenValues {
    subjectID: string;
-   contextValue?: string;
+   contextValue?: string | StringMap;
 }
 
+const CONTEXT_VALUE_REGEX = /{CONTEXT_VALUE(?::([^}]+))?}/g;
+
 export default function substituteValues(vals: KnownTokenValues, roleID: string, input: string): string {
-   let v = input;
+   const result = input.replace(/{SUBJECT_ID}/g, vals.subjectID);
+
+   return result.replace(CONTEXT_VALUE_REGEX, (_match: string, key?: string) => {
+      if (vals.contextValue === undefined) {
+         throw new Error(`Role "${roleID}" depends on a context value, but none was supplied`);
+      }
+
+      if (key === undefined) {
+         if (!isString(vals.contextValue)) {
+            throw new Error(`Role "${roleID}" uses {CONTEXT_VALUE} but contextValue is not a string`);
+         }
+         return vals.contextValue;
+      }
 
-   v = v.replace(/{SUBJECT_ID}/g, vals.subjectID);
+      if (!isStringMap(vals.contextValue)) {
+         throw new Error(`Role "${roleID}" uses {CONTEXT_VALUE:key} but contextValue is not a StringMap`);
+      }
 
-   if (vals.contextValue) {
-      v = v.replace(/{CONTEXT_VALUE}/g, vals.contextValue);
-   } else if (/{CONTEXT_VALUE}/.test(v)) {
-      throw new Error(`Role "${roleID}" depends on a context value, but none was supplied`);
-   }
+      if (!hasDefined(vals.contextValue, key)) {
+         throw new Error(`Role "${roleID}" references context key "${key}" but it was not provided`);
+      }
 
-   return v;
+      return vals.contextValue[key];
+   });
 }
diff --git a/tests/multi-dimensional-context.test.ts b/tests/multi-dimensional-context.test.ts
@@ -0,0 +1,140 @@
+import { expect } from 'chai';
+import { AuthorizerFactory } from '../src';
+import {
+   VIEW_BUDGET,
+   BUDGET_VIEWER_SINGLE,
+   BUDGET_VIEWER_MFG_HEAD,
+   BUDGET_VIEWER_KAZOO_PM,
+   BUDGET_VIEWER_ACCOUNTING_HEAD,
+} from './sample-data';
+
+describe('Multi-dimensional context authorization', () => {
+   const factory = new AuthorizerFactory([ VIEW_BUDGET ]),
+         mockBudget = 'budget:f47ac10b-58cc-4372-a567-0e02b2c3d479';
+
+   describe('BUDGET_VIEWER_SINGLE (kazoo manufacturing only)', () => {
+      const authorizer = factory.makeAuthorizerForSubject(BUDGET_VIEWER_SINGLE);
+
+      it('allows viewing kazoo manufacturing budget', () => {
+         const allowed = authorizer.isAllowed('budget:View', mockBudget, {
+            context: { 'budget:OwningDepartment': 'manufacturing', 'budget:ProductLine': 'kazoo' },
+         });
+
+         expect(allowed).to.strictlyEqual(true);
+      });
+
+      it('denies viewing rubber-duck manufacturing budget', () => {
+         const allowed = authorizer.isAllowed('budget:View', mockBudget, {
+            context: { 'budget:OwningDepartment': 'manufacturing', 'budget:ProductLine': 'rubber-duck' },
+         });
+
+         expect(allowed).to.strictlyEqual(false);
+      });
+
+      it('denies viewing kazoo marketing budget', () => {
+         const allowed = authorizer.isAllowed('budget:View', mockBudget, {
+            context: { 'budget:OwningDepartment': 'marketing', 'budget:ProductLine': 'kazoo' },
+         });
+
+         expect(allowed).to.strictlyEqual(false);
+      });
+   });
+
+   describe('BUDGET_VIEWER_MFG_HEAD (all products in manufacturing)', () => {
+      const authorizer = factory.makeAuthorizerForSubject(BUDGET_VIEWER_MFG_HEAD);
+
+      it('allows viewing kazoo manufacturing budget', () => {
+         const allowed = authorizer.isAllowed('budget:View', mockBudget, {
+            context: { 'budget:OwningDepartment': 'manufacturing', 'budget:ProductLine': 'kazoo' },
+         });
+
+         expect(allowed).to.strictlyEqual(true);
+      });
+
+      it('allows viewing rubber-duck manufacturing budget', () => {
+         const allowed = authorizer.isAllowed('budget:View', mockBudget, {
+            context: { 'budget:OwningDepartment': 'manufacturing', 'budget:ProductLine': 'rubber-duck' },
+         });
+
+         expect(allowed).to.strictlyEqual(true);
+      });
+
+      it('denies viewing kazoo marketing budget', () => {
+         const allowed = authorizer.isAllowed('budget:View', mockBudget, {
+            context: { 'budget:OwningDepartment': 'marketing', 'budget:ProductLine': 'kazoo' },
+         });
+
+         expect(allowed).to.strictlyEqual(false);
+      });
+   });
+
+   describe('BUDGET_VIEWER_KAZOO_PM (kazoo across departments)', () => {
+      const authorizer = factory.makeAuthorizerForSubject(BUDGET_VIEWER_KAZOO_PM);
+
+      it('allows viewing kazoo manufacturing budget', () => {
+         const allowed = authorizer.isAllowed('budget:View', mockBudget, {
+            context: { 'budget:OwningDepartment': 'manufacturing', 'budget:ProductLine': 'kazoo' },
+         });
+
+         expect(allowed).to.strictlyEqual(true);
+      });
+
+      it('allows viewing kazoo marketing budget', () => {
+         const allowed = authorizer.isAllowed('budget:View', mockBudget, {
+            context: { 'budget:OwningDepartment': 'marketing', 'budget:ProductLine': 'kazoo' },
+         });
+
+         expect(allowed).to.strictlyEqual(true);
+      });
+
+      it('denies viewing rubber-duck manufacturing budget', () => {
+         const allowed = authorizer.isAllowed('budget:View', mockBudget, {
+            context: { 'budget:OwningDepartment': 'manufacturing', 'budget:ProductLine': 'rubber-duck' },
+         });
+
+         expect(allowed).to.strictlyEqual(false);
+      });
+   });
+
+   describe('BUDGET_VIEWER_ACCOUNTING_HEAD (manufacturing + marketing + office)', () => {
+      const authorizer = factory.makeAuthorizerForSubject(BUDGET_VIEWER_ACCOUNTING_HEAD);
+
+      it('allows viewing kazoo manufacturing budget', () => {
+         const allowed = authorizer.isAllowed('budget:View', mockBudget, {
+            context: { 'budget:OwningDepartment': 'manufacturing', 'budget:ProductLine': 'kazoo' },
+         });
+
+         expect(allowed).to.strictlyEqual(true);
+      });
+
+      it('allows viewing rubber-duck marketing budget', () => {
+         const allowed = authorizer.isAllowed('budget:View', mockBudget, {
+            context: { 'budget:OwningDepartment': 'marketing', 'budget:ProductLine': 'rubber-duck' },
+         });
+
+         expect(allowed).to.strictlyEqual(true);
+      });
+
+      it('allows viewing any office budget (wildcard product)', () => {
+         const supplies = authorizer.isAllowed('budget:View', mockBudget, {
+            context: { 'budget:OwningDepartment': 'office', 'budget:ProductLine': 'supplies' },
+         });
+
+         const equipment = authorizer.isAllowed('budget:View', mockBudget, {
+            context: { 'budget:OwningDepartment': 'office', 'budget:ProductLine': 'equipment' },
+         });
+
+         expect(supplies).to.strictlyEqual(true);
+
+         expect(equipment).to.strictlyEqual(true);
+      });
+
+      it('denies viewing HR department budget', () => {
+         const allowed = authorizer.isAllowed('budget:View', mockBudget, {
+            context: { 'budget:OwningDepartment': 'hr', 'budget:ProductLine': 'kazoo' },
+         });
+
+         expect(allowed).to.strictlyEqual(false);
+      });
+   });
+});
diff --git a/tests/sample-data.ts b/tests/sample-data.ts
@@ -236,6 +236,71 @@ export const ORG_BUSINESS_ACCOUNT_ADMIN_ROOT_ARRAY: Claims = {
    ],
 };
 
+export const VIEW_BUDGET: RoleDefinition = {
+   roleID: 'view-budget',
+   policies: [
+      {
+         effect: PolicyEffect.Allow,
+         actions: [ 'budget:View' ],
+         resources: [ 'budget:*' ],
+         conditions: [
+            {
+               type: PolicyConditionMatchType.StringMatches,
+               field: 'budget:OwningDepartment',
+               value: '{CONTEXT_VALUE:department}',
+            },
+            {
+               type: PolicyConditionMatchType.StringMatches,
+               field: 'budget:ProductLine',
+               value: '{CONTEXT_VALUE:product}',
+            },
+         ],
+      },
+   ],
+};
+
+export const BUDGET_VIEWER_SINGLE_ID = 'a1b2c3d4-e5f6-7890-abcd-ef1234567890';
+
+export const BUDGET_VIEWER_SINGLE: Claims = {
+   subjectID: BUDGET_VIEWER_SINGLE_ID,
+   roles: [
+      { roleID: VIEW_BUDGET.roleID, contextValue: { product: 'kazoo', department: 'manufacturing' } },
+   ],
+};
+
+export const BUDGET_VIEWER_MFG_HEAD_ID = 'b2c3d4e5-f6a7-8901-bcde-f23456789012';
+
+export const BUDGET_VIEWER_MFG_HEAD: Claims = {
+   subjectID: BUDGET_VIEWER_MFG_HEAD_ID,
+   roles: [
+      { roleID: VIEW_BUDGET.roleID, contextValue: { product: 'kazoo', department: 'manufacturing' } },
+      { roleID: VIEW_BUDGET.roleID, contextValue: { product: 'rubber-duck', department: 'manufacturing' } },
+   ],
+};
+
+export const BUDGET_VIEWER_KAZOO_PM_ID = 'c3d4e5f6-a7b8-9012-cdef-345678901234';
+
+export const BUDGET_VIEWER_KAZOO_PM: Claims = {
+   subjectID: BUDGET_VIEWER_KAZOO_PM_ID,
+   roles: [
+      { roleID: VIEW_BUDGET.roleID, contextValue: { product: 'kazoo', department: 'manufacturing' } },
+      { roleID: VIEW_BUDGET.roleID, contextValue: { product: 'kazoo', department: 'marketing' } },
+   ],
+};
+
+export const BUDGET_VIEWER_ACCOUNTING_HEAD_ID = 'd4e5f6a7-b8c9-0123-def0-456789012345';
+
+export const BUDGET_VIEWER_ACCOUNTING_HEAD: Claims = {
+   subjectID: BUDGET_VIEWER_ACCOUNTING_HEAD_ID,
+   roles: [
+      { roleID: VIEW_BUDGET.roleID, contextValue: { product: 'kazoo', department: 'manufacturing' } },
+      { roleID: VIEW_BUDGET.roleID, contextValue: { product: 'rubber-duck', department: 'manufacturing' } },
+      { roleID: VIEW_BUDGET.roleID, contextValue: { product: 'kazoo', department: 'marketing' } },
+      { roleID: VIEW_BUDGET.roleID, contextValue: { product: 'rubber-duck', department: 'marketing' } },
+      { roleID: VIEW_BUDGET.roleID, contextValue: { product: '*', department: 'office' } },
+   ],
+};
+
 export const ALL_ROLES = [
    ADMINISTER_OWN_AUTH,
    ADMINISTER_OTHER_AUTH,
@@ -244,4 +309,5 @@ export const ALL_ROLES = [
    ADMINISTER_OWN_MONEY,
    ADMINISTER_ORG_BUSINESS_ACCOUNTS_CONJUNCTIVE,
    ADMINISTER_ORG_BUSINESS_ACCOUNTS_ROOT_ARRAY,
+   VIEW_BUDGET,
 ];
diff --git a/tests/utils/substitute-values.test.ts b/tests/utils/substitute-values.test.ts
@@ -2,9 +2,63 @@ import { expect } from 'chai';
 import substituteValues from '../../src/utils/substitute-values';
 
 describe('substituteValues', () => {
-   it('throws an error when CONTEXT_VALUE not supplied', () => {
-      expect(() => { substituteValues({ subjectID: 'foo' }, 'some-role', 'some:{CONTEXT_VALUE}'); })
-         .to
-         .throw('Role "some-role" depends on a context value, but none was supplied');
+
+   describe('simple {CONTEXT_VALUE}', () => {
+      it('replaces CONTEXT_VALUE with string contextValue', () => {
+         const result = substituteValues({ subjectID: 'user1', contextValue: 'foo' }, 'role', 'resource:{CONTEXT_VALUE}');
+
+         expect(result).to.strictlyEqual('resource:foo');
+      });
+
+      it('throws when contextValue is object but simple placeholder used', () => {
+         expect(() => { substituteValues({ subjectID: 'user1', contextValue: { a: 'x' } }, 'role', 'resource:{CONTEXT_VALUE}'); })
+            .to
+            .throw('Role "role" uses {CONTEXT_VALUE} but contextValue is not a string');
+      });
+
+      it('throws an error when CONTEXT_VALUE not supplied', () => {
+         expect(() => { substituteValues({ subjectID: 'foo' }, 'some-role', 'some:{CONTEXT_VALUE}'); })
+            .to
+            .throw('Role "some-role" depends on a context value, but none was supplied');
+      });
+   });
+
+   describe('keyed {CONTEXT_VALUE:key}', () => {
+      it('extracts key from object contextValue', () => {
+         const result = substituteValues(
+            { subjectID: 'user1', contextValue: { product: 'kazoo', department: 'mfg' } },
+            'role',
+            'budget:{CONTEXT_VALUE:department}:{CONTEXT_VALUE:product}'
+         );
+
+         expect(result).to.strictlyEqual('budget:mfg:kazoo');
+      });
+
+      it('throws when contextValue is string but keyed placeholder used', () => {
+         expect(() => { substituteValues({ subjectID: 'user1', contextValue: 'foo' }, 'role', 'resource:{CONTEXT_VALUE:key}'); })
+            .to
+            .throw('Role "role" uses {CONTEXT_VALUE:key} but contextValue is not a StringMap');
+      });
+
+      it('throws when referenced key does not exist', () => {
+         expect(() => { substituteValues({ subjectID: 'user1', contextValue: { a: 'x' } }, 'role', 'resource:{CONTEXT_VALUE:missing}'); })
+            .to
+            .throw('Role "role" references context key "missing" but it was not provided');
+      });
+
+      it('throws when contextValue not supplied', () => {
+         expect(() => { substituteValues({ subjectID: 'user1' }, 'role', 'resource:{CONTEXT_VALUE:key}'); })
+            .to
+            .throw('Role "role" depends on a context value, but none was supplied');
+      });
    });
+
+   describe('SUBJECT_ID', () => {
+      it('replaces SUBJECT_ID', () => {
+         const result = substituteValues({ subjectID: 'user123' }, 'role', 'auth:principals/{SUBJECT_ID}');
+
+         expect(result).to.strictlyEqual('auth:principals/user123');
+      });
+   });
+
 });
