RFIT-188 basic casbin flow with option for using casbin policy or giving provider with business logic

Author: vineet-suri

package-lock.json

@@ -51,6 +51,7 @@
     "@loopback/rest": "^1.16.3"
   },
   "dependencies": {
+    "@sourceloop/core": "^1.0.0-alpha.9",
     "casbin": "^5.1.3",
     "casbin-pg-adapter": "^1.4.0",
     "lodash": "^4.17.15"
@@ -59,7 +60,7 @@
     "@loopback/boot": "^1.4.4",
     "@loopback/build": "^2.0.3",
     "@loopback/context": "^3.8.2",
-    "@loopback/core": "^2.7.0",
+    "@loopback/core": "^2.9.5",
     "@loopback/rest": "^1.16.3",
     "@loopback/testlab": "^1.6.3",
     "@loopback/tslint-config": "^2.1.0",

package.json

@@ -1,43 +1,44 @@
-import { Component, ProviderMap, Binding, inject } from '@loopback/core';
-
+import { bind, Binding, Component, ContextTags, CoreBindings, inject, ProviderMap } from '@loopback/core';
+import { RestApplication } from '@loopback/rest';
 import { AuthorizationBindings } from './keys';
 import { AuthorizeActionProvider } from './providers/authorization-action.provider';
 import { AuthorizationMetadataProvider } from './providers/authorization-metadata.provider';
+import { CasbinAuthorizationProvider } from './providers/casbin-authorization-action.provider';
 import { UserPermissionsProvider } from './providers/user-permissions.provider';
 import { AuthorizationConfig } from './types';
-import { CasbinAuthorizationProvider } from './providers/casbin-authorization-action.provider';
-import { CasbinAuthorizationMetadataProvider } from './providers/casbin-authorisation-metadata.provider';
-import { CasbinEnforcerProvider } from './providers';
 
+
+@bind({ tags: { [ContextTags.KEY]: AuthorizationBindings.COMPONENT.key } })
 export class AuthorizationComponent implements Component {
   providers?: ProviderMap;
-  bindings?: Binding[];
+  bindings1?: Binding[];
 
   constructor(
+    @inject(CoreBindings.APPLICATION_INSTANCE)
+    private readonly application: RestApplication,
     @inject(AuthorizationBindings.CONFIG)
     private readonly config?: AuthorizationConfig,
   ) {
     this.providers = {
       [AuthorizationBindings.AUTHORIZE_ACTION.key]: AuthorizeActionProvider,
       [AuthorizationBindings.CASBIN_AUTHORIZE_ACTION.key]: CasbinAuthorizationProvider,
       [AuthorizationBindings.METADATA.key]: AuthorizationMetadataProvider,
-      [AuthorizationBindings.CASBIN_METADATA.key]: CasbinAuthorizationMetadataProvider,
       [AuthorizationBindings.USER_PERMISSIONS.key]: UserPermissionsProvider,
-      [AuthorizationBindings.CASBIN_ENFORCER.key]: CasbinEnforcerProvider,
     };
 
+
     if (
       config &&
       config.allowAlwaysPaths &&
       config.allowAlwaysPaths.length > 0
     ) {
-      this.bindings = [
+      this.bindings1 = [
         Binding.bind(AuthorizationBindings.PATHS_TO_ALLOW_ALWAYS).to(
           config.allowAlwaysPaths,
         ),
       ];
     } else {
-      this.bindings = [
+      this.bindings1 = [
         Binding.bind(AuthorizationBindings.PATHS_TO_ALLOW_ALWAYS).to([
           '/explorer',
         ]),

src/component.ts

@@ -1,12 +1,14 @@
-import {MethodDecoratorFactory} from '@loopback/core';
-import {AuthorizationMetadata} from '../types';
-import {AUTHORIZATION_METADATA_ACCESSOR} from '../keys';
+import { MethodDecoratorFactory } from '@loopback/core';
+import { AuthorizationMetadata } from '../types';
+import { AUTHORIZATION_METADATA_ACCESSOR } from '../keys';
 
-export function authorize(permissions: string[]) {
+export function authorize(metadata: AuthorizationMetadata) {
   return MethodDecoratorFactory.createDecorator<AuthorizationMetadata>(
     AUTHORIZATION_METADATA_ACCESSOR,
     {
-      permissions: permissions || [],
+      permissions: metadata.permissions || [],
+      resource: metadata.resource || '',
+      isCasbinPolicy: metadata.isCasbinPolicy || false
     },
   );
 }

src/decorators/authorize.decorator.ts

@@ -1,2 +1 @@
 export * from './authorize.decorator';
-export * from './casbin-authorise.decorator';

src/decorators/casbin-authorise.decorator.ts

@@ -5,15 +5,22 @@ import {
   AuthorizationMetadata,
   UserPermissionsFn,
   AuthorizationConfig,
-  CasbinAuthorizationMetadata,
   CasbinEnforcerFn,
   CasbinAuthorizeFn,
+  CasbinEnforcerConfigGetterFn,
 } from './types';
+import { CoreBindings } from '@loopback/core';
+import { AuthorizationComponent } from './component';
 
 /**
  * Binding keys used by this component.
  */
 export namespace AuthorizationBindings {
+
+  export const COMPONENT = BindingKey.create<AuthorizationComponent>(
+    `${CoreBindings.COMPONENTS}.AuthorizationComponent`,
+  );
+
   export const AUTHORIZE_ACTION = BindingKey.create<AuthorizeFn>(
     'sf.userAuthorization.actions.authorize',
   );
@@ -26,10 +33,6 @@ export namespace AuthorizationBindings {
     'sf.userAuthorization.operationMetadata',
   );
 
-  export const CASBIN_METADATA = BindingKey.create<CasbinAuthorizationMetadata | undefined>(
-    'sf.userCasbinAuthorization.operationMetadata',
-  );
-
   export const USER_PERMISSIONS = BindingKey.create<UserPermissionsFn<string>>(
     'sf.userAuthorization.actions.userPermissions',
   );
@@ -38,6 +41,10 @@ export namespace AuthorizationBindings {
     'sf.userCasbinAuthorization.casbinenforcer',
   );
 
+  export const CASBIN_ENFORCER_CONFIG_GETTER = BindingKey.create<CasbinEnforcerConfigGetterFn>(
+    'sf.userCasbinAuthorization.casbinEnforcerConfigGetter',
+  );
+
   export const CONFIG = BindingKey.create<AuthorizationConfig>(
     'sf.userAuthorization.config',
   );
@@ -53,7 +60,4 @@ export const AUTHORIZATION_METADATA_ACCESSOR = MetadataAccessor.create<
   MethodDecorator
 >('sf.userAuthorization.accessor.operationMetadata');
 
-export const CASBIN_AUTHORIZATION_METADATA_ACCESSOR = MetadataAccessor.create<
-  CasbinAuthorizationMetadata,
-  MethodDecorator
->('sf.userCasbinAuthorization.accessor.operationMetadata');
+

src/decorators/index.ts

@@ -1,58 +1,86 @@
-import { inject, Provider, Getter, InvocationContext } from '@loopback/core';
+import { Getter, inject, Provider } from '@loopback/core';
+import { IAuthUserWithPermissions } from '@sourceloop/core';
 import * as casbin from 'casbin';
-import { CasbinAuthorizeFn, CasbinAuthorizationMetadata } from '../types';
+import * as fs from 'fs';
+import * as path from 'path';
 import { AuthorizationBindings } from '../keys';
+import { AuthorizationMetadata, CasbinAuthorizeFn, CasbinEnforcerConfigGetterFn } from '../types';
+const fsPromises = fs.promises;
+
 const DEFAULT_SCOPE = 'execute';
 
 export class CasbinAuthorizationProvider implements Provider<CasbinAuthorizeFn> {
   constructor(
-    @inject.getter(AuthorizationBindings.CASBIN_METADATA)
-    private readonly getCasbinMetadata: Getter<CasbinAuthorizationMetadata>,
-    private readonly invocationCtx: InvocationContext
+    @inject.getter(AuthorizationBindings.METADATA)
+    private readonly getCasbinMetadata: Getter<AuthorizationMetadata>,
+    @inject.getter(AuthorizationBindings.CASBIN_ENFORCER_CONFIG_GETTER)
+    private readonly getCasbinEnforcerConfig: Getter<CasbinEnforcerConfigGetterFn>,
   ) { }
 
   value(): CasbinAuthorizeFn {
-    return (response, req) => this.action(response, req);
+    return (response) => this.action(response);
   }
 
-  async action(enforcer: casbin.Enforcer, userId: string): Promise<boolean> {
+  async action(user: IAuthUserWithPermissions): Promise<boolean> {
+    let authDecision = false;
+    try {
+      const metadata: AuthorizationMetadata = await this.getCasbinMetadata();
 
-    // await enforcer.loadPolicy();
+      const subject = this.getUserName(`${user.id}`);
 
-    const metadata: CasbinAuthorizationMetadata = await this.getCasbinMetadata();
+      const object = metadata.resource;
 
-    console.log(this.invocationCtx);
+      const action = metadata.permissions && metadata.permissions.length > 0 ? metadata.permissions[0] : DEFAULT_SCOPE;
 
-    const subject = this.getUserName(userId);
+      const fn = await this.getCasbinEnforcerConfig();
 
-    const object = metadata.resource;
+      const result = await fn(user, metadata.resource);
 
-    const action = metadata.scopes && metadata.scopes.length > 0 ? metadata.scopes[0] : DEFAULT_SCOPE;
+      let enforcer: casbin.Enforcer;
 
-    const request = {
-      subject,
-      object,
-      action,
-    };
+      if (metadata.isCasbinPolicy) {
+        enforcer = await casbin.newEnforcer(result.model, result.policy);
+      } else if (!metadata.isCasbinPolicy && result.allowedRes) {
+        const policy = this.createCasbinPolicy(result.allowedRes, subject, action);
+        const baseDir = path.join(__dirname, '../../src/policy.csv');
+        await fsPromises.writeFile(baseDir, policy);
 
-    const allowedRoles = metadata.allowedRoles;
+        enforcer = await casbin.newEnforcer(result.model, baseDir);
+      } else {
+        return false;
+      }
 
-    if (!allowedRoles) return true;
-    if (allowedRoles.length < 1) return false;
+      authDecision = await enforcer.enforce(
+        subject,
+        object,
+        action,
+      );
+    }
 
-    const allowedByRole = await enforcer.enforce(
-      request.subject,
-      request.object,
-      request.action,
-    );
+    catch (err) {
+      console.log(err);
+    }
 
-    return allowedByRole;
+    return authDecision;
   }
 
   // Generate the user name according to the naming convention
   // in casbin policy
-  // A user's name would be `u${id}`
+  // A user's name would be `u${ id }`
   getUserName(id: string): string {
     return `u${id}`;
   }
+
+  createCasbinPolicy(allowedRes: string[], subject: string, action: string): string {
+    //Expected format for allowedRes: ['ping', 'ping2', 'ping3'];
+
+    let result = '';
+    allowedRes.forEach(res => {
+      const policy = `p, ${subject}, ${res}, ${action}
+      `;
+      result += policy;
+    })
+
+    return result;
+  }
 }