loopback/lib/models/acl.js

/**
 Schema ACL options

 Object level permissions, for example, an album owned by a user

 Factors to be authorized against:

 * model name: Album
 * model instance properties: userId of the album, friends, shared
 * methods
 * app and/or user ids/roles
 ** loggedIn
 ** roles
 ** userId
 ** appId
 ** none
 ** everyone
 ** relations: owner/friend/granted

 Class level permissions, for example, Album
 * model name: Album
 * methods

 URL/Route level permissions
 * url pattern
 * application id
 * ip addresses
 * http headers

 Map to oAuth 2.0 scopes

 */

var loopback = require('../loopback');

/**
 * Schema for Scope which represents the permissions that are granted to client applications by the resource owner
 */
var ScopeSchema = {
  name: {type: String, required: true},
  description: String
};

var ScopeACLSchema = {
  model: String, // The name of the model
  property: String, // The name of the property, method, scope, or relation

  /**
   * Name of the access type - READ/WRITE/EXEC
   */
  accessType: String,

  /**
   * ALARM - Generate an alarm, in a system dependent way, the access specified in the permissions component of the ACL entry.
   * ALLOW - Explicitly grants access to the resource.
   * AUDIT - Log, in a system dependent way, the access specified in the permissions component of the ACL entry.
   * DENY - Explicitly denies access to the resource.
   */
  permission: String,
  scopeId: Number
};

var ScopeACL = loopback.createModel('ScopeACL', ScopeACLSchema, {
  relations: {
    scope: {
      type: 'belongsTo',
      model: 'Scope',
      foreignKey: 'scopeId'
    }
  }
});

/**
 * Resource owner grants/delegates permissions to client applications
 *
 * For a protected resource, does the client application have the authorization from the resource owner (user or system)?
 *
 * Scope has many resource access entries
 * @type {createModel|*}
 */
var Scope = loopback.createModel('Scope', ScopeSchema, {
  relations: {
    resources: {
      type: 'hasMany',
      model: 'ScopeACL',
      foreignKey: 'scopeId'
    }
  }
});

/**
 * System grants permissions to principals (users/applications, can be grouped into roles).
 *
 * Protected resource: the model data and operations (model/property/method/relation/…)
 *
 * For a given principal, such as client application and/or user, is it allowed to access (read/write/execute)
 * the protected resource?
 *
 */
var ACLSchema = {
  model: String, // The name of the model
  property: String, // The name of the property, method, scope, or relation

  /**
   * Name of the access type - READ/WRITE/EXEC
   */
  accessType: String,

  /**
   * ALARM - Generate an alarm, in a system dependent way, the access specified in the permissions component of the ACL entry.
   * ALLOW - Explicitly grants access to the resource.
   * AUDIT - Log, in a system dependent way, the access specified in the permissions component of the ACL entry.
   * DENY - Explicitly denies access to the resource.
   */
  permission: String,
  /**
   * Type of the principal - Application/User/Role
   */
  principalType: String,
  /**
   * Id of the principal - such as appId, userId or roleId
   */
  principalId: String
};

var ACL = loopback.createModel('ACL', ACLSchema);

module.exports = {
  ACL: ACL,
  Scope: Scope,
  ScopeACL: ScopeACL
};

/**
 * Check if the given principal is allowed to access the model/property
 * @param principalType
 * @param principalId
 * @param model
 * @param property
 * @param accessType
 * @param callback
 */
ACL.checkPermission = function (principalType, principalId, model, property, accessType, callback) {
  ACL.find({where: {principalType: principalType, principalId: principalId,
      model: model, property: {inq: [property, '*']}, accessType: {inq: [accessType, '*']}}},
    function (err, acls) {
      if (err) {
        callback && callback(err);
        return;
      }
      var resolvedPermission = acls.reduce(function (previousValue, currentValue, index, array) {
        // If the property is the same or the previous one is '*' (ALL)
        if (previousValue.property === currentValue.property || (previousValue.property === '*' && currentValue.property)) {
          previousValue.property = currentValue.property;
          if (previousValue.accessType === currentValue.accessType || (previousValue.accessType === '*' && currentValue.accessType)) {
            previousValue.accessType = currentValue.accessType;
          }
        }
        return previousValue;
      }, {principalType: principalType, principalId: principalId, model: model, property: '*', accessType: '*', permission: 'Allow'});
      callback && callback(resolvedPermission);
    });
};

/**
 * Check if the given scope is allowed to access the model/property
 * @param scope
 * @param model
 * @param property
 * @param accessType
 * @param callback
 */
Scope.checkPermission = function (scope, model, property, accessType, callback) {
  Scope.findOne({where: {name: scope}}, function (err, scope) {
    if (err) {
      callback && callback(err);
    } else {
      scope.resources({where: {model: model, property: {inq: [property, '*']}, accessType: {inq: [accessType, '*']}}}, function (err, resources) {
          if (err) {
            callback && callback(err);
            return;
          }
          // Try to resolve the permission
          var resolvedPermission = resources.reduce(function (previousValue, currentValue, index, array) {
            // If the property is the same or the previous one is '*' (ALL)
            if (previousValue.property === currentValue.property || (previousValue.property === '*' && currentValue.property)) {
              previousValue.property = currentValue.property;
              if (previousValue.accessType === currentValue.accessType || (previousValue.accessType === '*' && currentValue.accessType)) {
                previousValue.accessType = currentValue.accessType;
              }
            }
            return previousValue;
          }, {model: model, property: '*', accessType: '*', permission: 'Allow'});
          callback && callback(resolvedPermission);
        }
      );
    }
  });
};
Add more information to the logical models 2013-07-01 18:51:28 +00:00			`/**`
Start to build the ACL models 2013-11-10 06:22:16 +00:00			`Schema ACL options`
Add schema skeletons for built-in models 2013-06-26 23:25:51 +00:00
Start to build the ACL models 2013-11-10 06:22:16 +00:00			`Object level permissions, for example, an album owned by a user`
Add schema skeletons for built-in models 2013-06-26 23:25:51 +00:00
Start to build the ACL models 2013-11-10 06:22:16 +00:00			`Factors to be authorized against:`
Add schema skeletons for built-in models 2013-06-26 23:25:51 +00:00
Start to build the ACL models 2013-11-10 06:22:16 +00:00			`* model name: Album`
			`* model instance properties: userId of the album, friends, shared`
			`* methods`
			`* app and/or user ids/roles`
Add more information to the logical models 2013-07-01 18:51:28 +00:00			`** loggedIn`
			`** roles`
			`** userId`
			`** appId`
			`** none`
			`** everyone`
			`** relations: owner/friend/granted`
Add schema skeletons for built-in models 2013-06-26 23:25:51 +00:00
Start to build the ACL models 2013-11-10 06:22:16 +00:00			`Class level permissions, for example, Album`
Add more information to the logical models 2013-07-01 18:51:28 +00:00			`* model name: Album`
			`* methods`
Added bcrypt for password hashing 2013-07-15 21:07:17 +00:00
Start to build the ACL models 2013-11-10 06:22:16 +00:00			`URL/Route level permissions`
Add more functions and tests for Application model 2013-07-18 18:44:25 +00:00			`* url pattern`
			`* application id`
			`* ip addresses`
			`* http headers`
Added bcrypt for password hashing 2013-07-15 21:07:17 +00:00
Start to build the ACL models 2013-11-10 06:22:16 +00:00			`Map to oAuth 2.0 scopes`

			`*/`

			`var loopback = require('../loopback');`

Define the models/relations for ACL 2013-11-12 06:16:51 +00:00			`/**`
			`* Schema for Scope which represents the permissions that are granted to client applications by the resource owner`
			`*/`
Start to build the ACL models 2013-11-10 06:22:16 +00:00			`var ScopeSchema = {`
			`name: {type: String, required: true},`
			`description: String`
Update acl/role models 2013-11-04 21:19:02 +00:00			`};`

Define the models/relations for ACL 2013-11-12 06:16:51 +00:00			`var ScopeACLSchema = {`
Start to build the ACL models 2013-11-10 06:22:16 +00:00			`model: String, // The name of the model`
			`property: String, // The name of the property, method, scope, or relation`

			`/**`
			`* Name of the access type - READ/WRITE/EXEC`
			`*/`
			`accessType: String,`

			`/**`
			`* ALARM - Generate an alarm, in a system dependent way, the access specified in the permissions component of the ACL entry.`
			`* ALLOW - Explicitly grants access to the resource.`
			`* AUDIT - Log, in a system dependent way, the access specified in the permissions component of the ACL entry.`
			`* DENY - Explicitly denies access to the resource.`
			`*/`
			`permission: String,`
			`scopeId: Number`
Update acl/role models 2013-11-04 21:19:02 +00:00			`};`
Update ACL model 2013-10-28 17:44:05 +00:00
Define the models/relations for ACL 2013-11-12 06:16:51 +00:00			`var ScopeACL = loopback.createModel('ScopeACL', ScopeACLSchema, {`
Start to build the ACL models 2013-11-10 06:22:16 +00:00			`relations: {`
			`scope: {`
			`type: 'belongsTo',`
			`model: 'Scope',`
			`foreignKey: 'scopeId'`
			`}`
			`}`
			`});`

			`/**`
Define the models/relations for ACL 2013-11-12 06:16:51 +00:00			`* Resource owner grants/delegates permissions to client applications`
			`*`
			`* For a protected resource, does the client application have the authorization from the resource owner (user or system)?`
			`*`
Start to build the ACL models 2013-11-10 06:22:16 +00:00			`* Scope has many resource access entries`
			`* @type {createModel\|*}`
			`*/`
			`var Scope = loopback.createModel('Scope', ScopeSchema, {`
			`relations: {`
			`resources: {`
			`type: 'hasMany',`
Define the models/relations for ACL 2013-11-12 06:16:51 +00:00			`model: 'ScopeACL',`
Start to build the ACL models 2013-11-10 06:22:16 +00:00			`foreignKey: 'scopeId'`
			`}`
			`}`
			`});`

Define the models/relations for ACL 2013-11-12 06:16:51 +00:00			`/**`
			`* System grants permissions to principals (users/applications, can be grouped into roles).`
			`*`
			`* Protected resource: the model data and operations (model/property/method/relation/…)`
			`*`
			`* For a given principal, such as client application and/or user, is it allowed to access (read/write/execute)`
			`* the protected resource?`
			`*`
			`*/`
Add more functions and tests for Application model 2013-07-18 18:44:25 +00:00			`var ACLSchema = {`
Start to build the ACL models 2013-11-10 06:22:16 +00:00			`model: String, // The name of the model`
			`property: String, // The name of the property, method, scope, or relation`

			`/**`
			`* Name of the access type - READ/WRITE/EXEC`
			`*/`
			`accessType: String,`

			`/**`
			`* ALARM - Generate an alarm, in a system dependent way, the access specified in the permissions component of the ACL entry.`
			`* ALLOW - Explicitly grants access to the resource.`
			`* AUDIT - Log, in a system dependent way, the access specified in the permissions component of the ACL entry.`
			`* DENY - Explicitly denies access to the resource.`
			`*/`
			`permission: String,`
			`/**`
			`* Type of the principal - Application/User/Role`
			`*/`
			`principalType: String,`
			`/**`
			`* Id of the principal - such as appId, userId or roleId`
			`*/`
			`principalId: String`
Update ACL model 2013-10-28 17:44:05 +00:00			`};`
Add more functions and tests for Application model 2013-07-18 18:44:25 +00:00
Update acl/role models 2013-11-04 21:19:02 +00:00			`var ACL = loopback.createModel('ACL', ACLSchema);`

Start to build the ACL models 2013-11-10 06:22:16 +00:00			`module.exports = {`
			`ACL: ACL,`
			`Scope: Scope,`
Define the models/relations for ACL 2013-11-12 06:16:51 +00:00			`ScopeACL: ScopeACL`
Start to build the ACL models 2013-11-10 06:22:16 +00:00			`};`

Define the models/relations for ACL 2013-11-12 06:16:51 +00:00			`/**`
			`* Check if the given principal is allowed to access the model/property`
			`* @param principalType`
			`* @param principalId`
			`* @param model`
			`* @param property`
			`* @param accessType`
			`* @param callback`
			`*/`
			`ACL.checkPermission = function (principalType, principalId, model, property, accessType, callback) {`
			`ACL.find({where: {principalType: principalType, principalId: principalId,`
			`model: model, property: {inq: [property, '']}, accessType: {inq: [accessType, '']}}},`
			`function (err, acls) {`
			`if (err) {`
			`callback && callback(err);`
			`return;`
			`}`
			`var resolvedPermission = acls.reduce(function (previousValue, currentValue, index, array) {`
			`// If the property is the same or the previous one is '*' (ALL)`
			`if (previousValue.property === currentValue.property \|\| (previousValue.property === '*' && currentValue.property)) {`
			`previousValue.property = currentValue.property;`
			`if (previousValue.accessType === currentValue.accessType \|\| (previousValue.accessType === '*' && currentValue.accessType)) {`
			`previousValue.accessType = currentValue.accessType;`
			`}`
			`}`
			`return previousValue;`
			`}, {principalType: principalType, principalId: principalId, model: model, property: '', accessType: '', permission: 'Allow'});`
			`callback && callback(resolvedPermission);`
			`});`
			`};`

			`/**`
			`* Check if the given scope is allowed to access the model/property`
			`* @param scope`
			`* @param model`
			`* @param property`
			`* @param accessType`
			`* @param callback`
			`*/`
			`Scope.checkPermission = function (scope, model, property, accessType, callback) {`
Start to build the ACL models 2013-11-10 06:22:16 +00:00			`Scope.findOne({where: {name: scope}}, function (err, scope) {`
			`if (err) {`
			`callback && callback(err);`
			`} else {`
Define the models/relations for ACL 2013-11-12 06:16:51 +00:00			`scope.resources({where: {model: model, property: {inq: [property, '']}, accessType: {inq: [accessType, '']}}}, function (err, resources) {`
			`if (err) {`
			`callback && callback(err);`
			`return;`
Start to build the ACL models 2013-11-10 06:22:16 +00:00			`}`
Define the models/relations for ACL 2013-11-12 06:16:51 +00:00			`// Try to resolve the permission`
			`var resolvedPermission = resources.reduce(function (previousValue, currentValue, index, array) {`
			`// If the property is the same or the previous one is '*' (ALL)`
			`if (previousValue.property === currentValue.property \|\| (previousValue.property === '*' && currentValue.property)) {`
			`previousValue.property = currentValue.property;`
			`if (previousValue.accessType === currentValue.accessType \|\| (previousValue.accessType === '*' && currentValue.accessType)) {`
			`previousValue.accessType = currentValue.accessType;`
			`}`
			`}`
			`return previousValue;`
			`}, {model: model, property: '', accessType: '', permission: 'Allow'});`
			`callback && callback(resolvedPermission);`
Start to build the ACL models 2013-11-10 06:22:16 +00:00			`}`
Define the models/relations for ACL 2013-11-12 06:16:51 +00:00			`);`
Start to build the ACL models 2013-11-10 06:22:16 +00:00			`}`
			`});`
			`};`