feat(provider): add ability to override metadata permissions (#96)

Surbhi-sharma1 · web-flow · commit 7fd0f937960f · 2023-07-10T12:06:49.000+05:30
* feat(provider): add ability to override metadata permissions add ability to override metadata permissions with the permission object passed by the user. GH-95 * feat(provider): add ability to override user permissions add ability to provide user permissions GH-95 * docs(provider): add description to overrride the permissions in readme file add description to overrride the permissions in readme file GH-95
diff --git a/README.md b/README.md
@@ -267,7 +267,28 @@ export const enum PermissionKey {
   DeleteAudit = 'DeleteAudit',
 }
 ```
-- Serving the static files:
+- To Override the permissions provided in enum `permissionKey` file:
+
+  If the userPermission object is provided,it overrides the default permissions in the authorizationMetadata object.
+
+  For providing a userPermission object with custom permissions for specific controller methods, you can bind the following in `application.ts` file in your application.
+
+```ts
+
+this.bind(AuthorizationBindings.PERMISSION).to({
+   MessageController:{
+      create:['CreateMessage','ViewMessage'],
+      updateAll:['UpdateMessage','ViewMessage','ViewMessageNum]
+   }
+   AttachmentFileController:{
+      create:['CreateAttachmentFile','ViewAttachmentFile'],
+      updateAll:['UpdateAttachmentFile','ViewAttachmentFileNum']
+   }
+})
+
+```
+
+# Serving the static files:
 
 Authorization  configuration binding sets up paths that can be accessed without any authorization checks, allowing static files to be served directly  from the root URL of the application.The allowAlwaysPaths property is used to define these paths for the files in public directory  i.e for a test.html file in public directory ,one can provide its path as follows:
 
diff --git a/src/__tests__/unit/authorization-metadata.provider.unit.ts b/src/__tests__/unit/authorization-metadata.provider.unit.ts
@@ -0,0 +1,53 @@
+import {expect} from '@loopback/testlab';
+import {getAuthorizeMetadata} from '../../providers';
+import {AuthorizationMetadata, PermissionObject} from '../../types';
+import {authorize} from '../../decorators';
+import {get} from '@loopback/rest';
+
+describe('getAuthorizeMetadata()', function () {
+  it('should return the authorization metadata when userPermission is provided', () => {
+    class TestController {
+      @authorize({permissions: ['default1', 'default2']})
+      @get('/')
+      async testMethod() {
+        // This is intentional.
+      }
+    }
+    const methodName = 'testMethod';
+    const mockUserPermission: PermissionObject = {
+      TestController: {
+        testMethod: ['permission1', 'permission2'],
+      },
+    };
+
+    const authorizationMetadata = getAuthorizeMetadata(
+      TestController,
+      methodName,
+      mockUserPermission,
+    );
+    expect(authorizationMetadata?.permissions).which.eql(
+      mockUserPermission.TestController[methodName],
+    );
+  });
+
+  it('should return permissions from metadata if userpermission is not provided', () => {
+    class TestController {
+      @authorize({permissions: ['default1', 'default2']})
+      @get('/')
+      async testMethod() {
+        // This is intentional.
+      }
+    }
+    const methodName = 'testMethod';
+    const authorizationMetadata = getAuthorizeMetadata(
+      TestController,
+      methodName,
+    );
+    const expectedResult: AuthorizationMetadata = {
+      permissions: ['default1', 'default2'],
+    };
+    expect(authorizationMetadata?.permissions).which.eql(
+      expectedResult.permissions,
+    );
+  });
+});
diff --git a/src/component.ts b/src/component.ts
@@ -9,11 +9,13 @@ import {AuthorizationConfig} from './types';
 
 export class AuthorizationComponent implements Component {
   providers?: ProviderMap;
-  bindings?: Binding[];
+  bindings?: Binding[] = [];
 
   constructor(
     @inject(AuthorizationBindings.CONFIG)
     private readonly config?: AuthorizationConfig,
+    @inject(AuthorizationBindings.PERMISSION, {optional: true})
+    private readonly permission?: unknown,
   ) {
     this.providers = {
       [AuthorizationBindings.AUTHORIZE_ACTION.key]: AuthorizeActionProvider,
@@ -22,22 +24,26 @@ export class AuthorizationComponent implements Component {
       [AuthorizationBindings.METADATA.key]: AuthorizationMetadataProvider,
       [AuthorizationBindings.USER_PERMISSIONS.key]: UserPermissionsProvider,
     };
-
+    if (!this.permission) {
+      this.bindings?.push(
+        Binding.bind(AuthorizationBindings.PERMISSION).to(null),
+      );
+    }
     if (
       this.config?.allowAlwaysPaths &&
       this.config?.allowAlwaysPaths?.length > 0
     ) {
-      this.bindings = [
+      this.bindings?.push(
         Binding.bind(AuthorizationBindings.PATHS_TO_ALLOW_ALWAYS).to(
           this.config.allowAlwaysPaths,
         ),
-      ];
+      );
     } else {
-      this.bindings = [
+      this.bindings?.push(
         Binding.bind(AuthorizationBindings.PATHS_TO_ALLOW_ALWAYS).to([
           '/explorer',
         ]),
-      ];
+      );
     }
   }
 }
diff --git a/src/keys.ts b/src/keys.ts
@@ -8,6 +8,7 @@ import {
   CasbinAuthorizeFn,
   CasbinEnforcerConfigGetterFn,
   CasbinResourceModifierFn,
+  PermissionObject,
 } from './types';
 
 /**
@@ -17,6 +18,9 @@ export namespace AuthorizationBindings {
   export const AUTHORIZE_ACTION = BindingKey.create<AuthorizeFn>(
     'sf.userAuthorization.actions.authorize',
   );
+  export const PERMISSION = BindingKey.create<PermissionObject | null>(
+    `sf.userAuthorization.authorize.permissions`,
+  );
 
   export const CASBIN_AUTHORIZE_ACTION = BindingKey.create<CasbinAuthorizeFn>(
     'sf.userAuthorization.actions.casbin.authorize',
diff --git a/src/providers/authorization-metadata.provider.ts b/src/providers/authorization-metadata.provider.ts
@@ -6,8 +6,8 @@ import {
 } from '@loopback/context';
 import {CoreBindings} from '@loopback/core';
 
-import {AUTHORIZATION_METADATA_ACCESSOR} from '../keys';
-import {AuthorizationMetadata} from '../types';
+import {AUTHORIZATION_METADATA_ACCESSOR, AuthorizationBindings} from '../keys';
+import {AuthorizationMetadata, PermissionObject} from '../types';
 
 export class AuthorizationMetadataProvider
   implements Provider<AuthorizationMetadata | undefined>
@@ -17,21 +17,37 @@ export class AuthorizationMetadataProvider
     private readonly controllerClass: Constructor<{}>,
     @inject(CoreBindings.CONTROLLER_METHOD_NAME, {optional: true})
     private readonly methodName: string,
+    @inject(AuthorizationBindings.PERMISSION)
+    private permissionObject: PermissionObject,
   ) {}
 
   value(): AuthorizationMetadata | undefined {
     if (!this.controllerClass || !this.methodName) return;
-    return getAuthorizeMetadata(this.controllerClass, this.methodName);
+    return getAuthorizeMetadata(
+      this.controllerClass,
+      this.methodName,
+      this.permissionObject,
+    );
   }
 }
 
 export function getAuthorizeMetadata(
   controllerClass: Constructor<{}>,
   methodName: string,
+  userPermission?: PermissionObject,
 ): AuthorizationMetadata | undefined {
-  return MetadataInspector.getMethodMetadata<AuthorizationMetadata>(
-    AUTHORIZATION_METADATA_ACCESSOR,
-    controllerClass.prototype,
-    methodName,
-  );
+  const authorizationMetadata =
+    MetadataInspector.getMethodMetadata<AuthorizationMetadata>(
+      AUTHORIZATION_METADATA_ACCESSOR,
+      controllerClass.prototype,
+      methodName,
+    ) ?? {permissions: []};
+  if (userPermission) {
+    const methodPermissions =
+      userPermission?.[controllerClass.name]?.[methodName];
+    if (methodPermissions) {
+      authorizationMetadata.permissions = methodPermissions;
+    }
+  }
+  return authorizationMetadata;
 }
diff --git a/src/types.ts b/src/types.ts
@@ -24,6 +24,11 @@ export interface CasbinAuthorizeFn {
     request: Request,
   ): Promise<boolean>;
 }
+export type PermissionObject = {
+  [controller: string]: {
+    [method: string]: string[];
+  };
+};
 /**
  * Authorization metadata interface for the method decorator
  */
