RFIT-188 basic authorisation use case implemented using casbin

vineet-suri · vineet-suri · commit c166348bd30a · 2020-09-04T11:53:36.000+05:30
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -51,13 +51,15 @@
     "@loopback/rest": "^1.16.3"
   },
   "dependencies": {
+    "casbin": "^5.1.3",
+    "casbin-pg-adapter": "^1.4.0",
     "lodash": "^4.17.15"
   },
   "devDependencies": {
     "@loopback/boot": "^1.4.4",
     "@loopback/build": "^2.0.3",
-    "@loopback/context": "^1.20.2",
-    "@loopback/core": "^1.8.5",
+    "@loopback/context": "^3.8.2",
+    "@loopback/core": "^2.7.0",
     "@loopback/rest": "^1.16.3",
     "@loopback/testlab": "^1.6.3",
     "@loopback/tslint-config": "^2.1.0",
diff --git a/src/component.ts b/src/component.ts
@@ -1,10 +1,13 @@
-import {Component, ProviderMap, Binding, inject} from '@loopback/core';
+import { Component, ProviderMap, Binding, inject } from '@loopback/core';
 
-import {AuthorizationBindings} from './keys';
-import {AuthorizeActionProvider} from './providers/authorization-action.provider';
-import {AuthorizationMetadataProvider} from './providers/authorization-metadata.provider';
-import {UserPermissionsProvider} from './providers/user-permissions.provider';
-import {AuthorizationConfig} from './types';
+import { AuthorizationBindings } from './keys';
+import { AuthorizeActionProvider } from './providers/authorization-action.provider';
+import { AuthorizationMetadataProvider } from './providers/authorization-metadata.provider';
+import { UserPermissionsProvider } from './providers/user-permissions.provider';
+import { AuthorizationConfig } from './types';
+import { CasbinAuthorizationProvider } from './providers/casbin-authorization-action.provider';
+import { CasbinAuthorizationMetadataProvider } from './providers/casbin-authorisation-metadata.provider';
+import { CasbinEnforcerProvider } from './providers';
 
 export class AuthorizationComponent implements Component {
   providers?: ProviderMap;
@@ -16,8 +19,11 @@ export class AuthorizationComponent implements Component {
   ) {
     this.providers = {
       [AuthorizationBindings.AUTHORIZE_ACTION.key]: AuthorizeActionProvider,
+      [AuthorizationBindings.CASBIN_AUTHORIZE_ACTION.key]: CasbinAuthorizationProvider,
       [AuthorizationBindings.METADATA.key]: AuthorizationMetadataProvider,
+      [AuthorizationBindings.CASBIN_METADATA.key]: CasbinAuthorizationMetadataProvider,
       [AuthorizationBindings.USER_PERMISSIONS.key]: UserPermissionsProvider,
+      [AuthorizationBindings.CASBIN_ENFORCER.key]: CasbinEnforcerProvider,
     };
 
     if (
diff --git a/src/decorators/casbin-authorise.decorator.ts b/src/decorators/casbin-authorise.decorator.ts
@@ -0,0 +1,16 @@
+import { MethodDecoratorFactory } from '@loopback/core';
+import { CasbinAuthorizationMetadata } from '../types';
+import { CASBIN_AUTHORIZATION_METADATA_ACCESSOR } from '../keys';
+
+export function casbinAuthorize(metadata: CasbinAuthorizationMetadata) {
+  return MethodDecoratorFactory.createDecorator<CasbinAuthorizationMetadata>(
+    CASBIN_AUTHORIZATION_METADATA_ACCESSOR,
+    {
+      allowedRoles: metadata.allowedRoles || [],
+      deniedRoles: metadata.deniedRoles || [],
+      resource: metadata.resource || '',
+      scopes: metadata.scopes || [],
+      skip: metadata.skip || false
+    },
+  );
+}
diff --git a/src/decorators/index.ts b/src/decorators/index.ts
@@ -0,0 +1,2 @@
+export * from './authorize.decorator';
+export * from './casbin-authorise.decorator';
diff --git a/src/index.ts b/src/index.ts
@@ -2,5 +2,5 @@ export * from './component';
 export * from './types';
 export * from './keys';
 export * from './error-keys';
-export * from './decorators/authorize.decorator';
+export * from './decorators';
 export * from './providers';
diff --git a/src/keys.ts b/src/keys.ts
@@ -1,10 +1,13 @@
-import {BindingKey} from '@loopback/context';
-import {MetadataAccessor} from '@loopback/metadata';
+import { BindingKey } from '@loopback/context';
+import { MetadataAccessor } from '@loopback/metadata';
 import {
   AuthorizeFn,
   AuthorizationMetadata,
   UserPermissionsFn,
   AuthorizationConfig,
+  CasbinAuthorizationMetadata,
+  CasbinEnforcerFn,
+  CasbinAuthorizeFn,
 } from './types';
 
 /**
@@ -15,22 +18,42 @@ export namespace AuthorizationBindings {
     'sf.userAuthorization.actions.authorize',
   );
 
+  export const CASBIN_AUTHORIZE_ACTION = BindingKey.create<CasbinAuthorizeFn>(
+    'sf.userCasbinAuthorization.actions.authorize',
+  );
+
   export const METADATA = BindingKey.create<AuthorizationMetadata | undefined>(
     'sf.userAuthorization.operationMetadata',
   );
 
+  export const CASBIN_METADATA = BindingKey.create<CasbinAuthorizationMetadata | undefined>(
+    'sf.userCasbinAuthorization.operationMetadata',
+  );
+
   export const USER_PERMISSIONS = BindingKey.create<UserPermissionsFn<string>>(
     'sf.userAuthorization.actions.userPermissions',
   );
 
+  export const CASBIN_ENFORCER = BindingKey.create<CasbinEnforcerFn<string>>(
+    'sf.userCasbinAuthorization.casbinenforcer',
+  );
+
   export const CONFIG = BindingKey.create<AuthorizationConfig>(
     'sf.userAuthorization.config',
   );
 
   export const PATHS_TO_ALLOW_ALWAYS = 'sf.userAuthorization.allowAlways';
+
+
+  export const RESOURCE_ID = BindingKey.create<string>('sf.resourceId');
 }
 
 export const AUTHORIZATION_METADATA_ACCESSOR = MetadataAccessor.create<
   AuthorizationMetadata,
   MethodDecorator
 >('sf.userAuthorization.accessor.operationMetadata');
+
+export const CASBIN_AUTHORIZATION_METADATA_ACCESSOR = MetadataAccessor.create<
+  CasbinAuthorizationMetadata,
+  MethodDecorator
+>('sf.userCasbinAuthorization.accessor.operationMetadata');
diff --git a/src/providers/casbin-authorisation-metadata.provider.ts b/src/providers/casbin-authorisation-metadata.provider.ts
@@ -0,0 +1,36 @@
+import {
+  Constructor,
+  inject,
+  MetadataInspector,
+  Provider,
+} from '@loopback/context';
+import { CoreBindings } from '@loopback/core';
+
+import { CASBIN_AUTHORIZATION_METADATA_ACCESSOR } from '../keys';
+import { CasbinAuthorizationMetadata } from '../types';
+
+export class CasbinAuthorizationMetadataProvider
+  implements Provider<CasbinAuthorizationMetadata | undefined> {
+  constructor(
+    @inject(CoreBindings.CONTROLLER_CLASS, { optional: true })
+    private readonly controllerClass: Constructor<{}>,
+    @inject(CoreBindings.CONTROLLER_METHOD_NAME, { optional: true })
+    private readonly methodName: string,
+  ) { }
+
+  value(): CasbinAuthorizationMetadata | undefined {
+    if (!this.controllerClass || !this.methodName) return;
+    return getCasbinAuthorizeMetadata(this.controllerClass, this.methodName);
+  }
+}
+
+export function getCasbinAuthorizeMetadata(
+  controllerClass: Constructor<{}>,
+  methodName: string,
+): CasbinAuthorizationMetadata | undefined {
+  return MetadataInspector.getMethodMetadata<CasbinAuthorizationMetadata>(
+    CASBIN_AUTHORIZATION_METADATA_ACCESSOR,
+    controllerClass.prototype,
+    methodName,
+  );
+}
diff --git a/src/providers/casbin-authorization-action.provider.ts b/src/providers/casbin-authorization-action.provider.ts
@@ -0,0 +1,58 @@
+import { inject, Provider, Getter, InvocationContext } from '@loopback/core';
+import * as casbin from 'casbin';
+import { CasbinAuthorizeFn, CasbinAuthorizationMetadata } from '../types';
+import { AuthorizationBindings } from '../keys';
+const DEFAULT_SCOPE = 'execute';
+
+export class CasbinAuthorizationProvider implements Provider<CasbinAuthorizeFn> {
+  constructor(
+    @inject.getter(AuthorizationBindings.CASBIN_METADATA)
+    private readonly getCasbinMetadata: Getter<CasbinAuthorizationMetadata>,
+    private readonly invocationCtx: InvocationContext
+  ) { }
+
+  value(): CasbinAuthorizeFn {
+    return (response, req) => this.action(response, req);
+  }
+
+  async action(enforcer: casbin.Enforcer, userId: string): Promise<boolean> {
+
+    // await enforcer.loadPolicy();
+
+    const metadata: CasbinAuthorizationMetadata = await this.getCasbinMetadata();
+
+    console.log(this.invocationCtx);
+
+    const subject = this.getUserName(userId);
+
+    const object = metadata.resource;
+
+    const action = metadata.scopes && metadata.scopes.length > 0 ? metadata.scopes[0] : DEFAULT_SCOPE;
+
+    const request = {
+      subject,
+      object,
+      action,
+    };
+
+    const allowedRoles = metadata.allowedRoles;
+
+    if (!allowedRoles) return true;
+    if (allowedRoles.length < 1) return false;
+
+    const allowedByRole = await enforcer.enforce(
+      request.subject,
+      request.object,
+      request.action,
+    );
+
+    return allowedByRole;
+  }
+
+  // Generate the user name according to the naming convention
+  // in casbin policy
+  // A user's name would be `u${id}`
+  getUserName(id: string): string {
+    return `u${id}`;
+  }
+}
diff --git a/src/providers/casbin-enforcer.provider.ts b/src/providers/casbin-enforcer.provider.ts
@@ -0,0 +1,18 @@
+import { Provider } from '@loopback/context';
+
+import { CasbinEnforcerFn } from '../types';
+import { HttpErrors } from '@loopback/rest';
+import PostgresAdapter from 'casbin-pg-adapter';
+
+export class CasbinEnforcerProvider
+  implements Provider<CasbinEnforcerFn<string>> {
+  constructor() { }
+
+  value(): CasbinEnforcerFn<string> {
+    return async (model: string, policy: string | PostgresAdapter) => {
+      throw new HttpErrors.NotImplemented(
+        `CasinEnforcerFn Provider is not implemented`,
+      );
+    };
+  }
+}
diff --git a/src/providers/index.ts b/src/providers/index.ts
@@ -1,3 +1,6 @@
 export * from './authorization-metadata.provider';
 export * from './authorization-action.provider';
 export * from './user-permissions.provider';
+export * from './casbin-authorisation-metadata.provider';
+export * from './casbin-authorization-action.provider';
+export * from './casbin-enforcer.provider';
diff --git a/src/types.ts b/src/types.ts
@@ -1,4 +1,7 @@
-import {Request} from '@loopback/rest';
+import { Request } from '@loopback/rest';
+import * as casbin from 'casbin';
+import PostgresAdapter from "casbin-pg-adapter";
+
 
 /**
  * Authorize action method interface
@@ -10,6 +13,15 @@ export interface AuthorizeFn {
   (userPermissions: string[], request?: Request): Promise<boolean>;
 }
 
+/**
+ * Authorize action method interface
+ */
+export interface CasbinAuthorizeFn {
+  // userPermissions - Array of permission keys granted to the user
+  // This is actually a union of permissions picked up based on role
+  // attached to the user and allowed permissions at specific user level
+  (enforcer: casbin.Enforcer, userId: string): Promise<boolean>;
+}
 /**
  * Authorization metadata interface for the method decorator
  */
@@ -19,6 +31,74 @@ export interface AuthorizationMetadata {
   permissions: string[];
 }
 
+export interface CasbinAuthorizationMetadata {
+  /**
+   * Roles that are allowed access
+   */
+  allowedRoles?: string[];
+  /**
+   * Roles that are denied access
+   */
+  deniedRoles?: string[];
+  /**
+   * Voters that help make the authorization decision
+   */
+  // voters?: (Authorizer | BindingAddress<Authorizer>)[];
+  /**
+   * Name of the resource, default to the method name
+   */
+  resource?: string;
+  /**
+   * Define the access scopes
+   */
+  scopes?: string[];
+  /**
+   * A flag to skip authorization
+   */
+  skip?: boolean;
+}
+
+/**
+ * Request context for authorization
+ */
+// export interface AuthorizationContext {
+//   /**
+//    * An array of principals identified for the request - it should come from
+//    * authentication
+//    */
+//   principals: Principal[];
+//   /**
+//    * An array of roles for principals
+//    */
+//   roles: Role[];
+//   /**
+//    * An array of scopes representing granted permissions - usually come from
+//    * access tokens
+//    */
+//   scopes: string[];
+//   /**
+//    * An name for the target resource to be accessed, such as
+//    * `OrderController.prototype.cancelOrder`
+//    */
+//   resource: string;
+//   /**
+//    * Context for the invocation
+//    */
+//   invocationContext: InvocationContext;
+// }
+
+// export interface Principal {
+//   /**
+//    * Name/id
+//    */
+//   id: string;
+//   [attribute: string]: any;
+// }
+
+// export interface Role extends Principal {
+//   name: string;
+// }
+
 /**
  * Authorization config type for providing config to the component
  */
@@ -63,3 +143,7 @@ export interface UserPermission<T> {
 export interface UserPermissionsFn<T> {
   (userPermissions: UserPermission<T>[], rolePermissions: T[]): T[];
 }
+
+export interface CasbinEnforcerFn<T> {
+  (model: T, policy: T | PostgresAdapter): Promise<casbin.Enforcer>;
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+export * from './authorize.decorator';`
	`2`	`+export * from './casbin-authorise.decorator';`