2013-07-01 18:51:28 +00:00
|
|
|
/**
|
2013-11-10 06:22:16 +00:00
|
|
|
Schema ACL options
|
2013-06-26 23:25:51 +00:00
|
|
|
|
2013-11-10 06:22:16 +00:00
|
|
|
Object level permissions, for example, an album owned by a user
|
2013-06-26 23:25:51 +00:00
|
|
|
|
2013-11-10 06:22:16 +00:00
|
|
|
Factors to be authorized against:
|
2013-06-26 23:25:51 +00:00
|
|
|
|
2013-11-10 06:22:16 +00:00
|
|
|
* model name: Album
|
|
|
|
|
* model instance properties: userId of the album, friends, shared
|
|
|
|
|
* methods
|
|
|
|
|
* app and/or user ids/roles
|
2013-07-01 18:51:28 +00:00
|
|
|
** loggedIn
|
|
|
|
|
** roles
|
|
|
|
|
** userId
|
|
|
|
|
** appId
|
|
|
|
|
** none
|
|
|
|
|
** everyone
|
|
|
|
|
** relations: owner/friend/granted
|
2013-06-26 23:25:51 +00:00
|
|
|
|
2013-11-10 06:22:16 +00:00
|
|
|
Class level permissions, for example, Album
|
2013-07-01 18:51:28 +00:00
|
|
|
* model name: Album
|
|
|
|
|
* methods
|
2013-07-15 21:07:17 +00:00
|
|
|
|
2013-11-10 06:22:16 +00:00
|
|
|
URL/Route level permissions
|
2013-07-18 18:44:25 +00:00
|
|
|
* url pattern
|
|
|
|
|
* application id
|
|
|
|
|
* ip addresses
|
|
|
|
|
* http headers
|
2013-07-15 21:07:17 +00:00
|
|
|
|
2013-11-10 06:22:16 +00:00
|
|
|
Map to oAuth 2.0 scopes
|
|
|
|
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
var loopback = require('../loopback');
|
|
|
|
|
|
2013-11-12 06:16:51 +00:00
|
|
|
/**
|
|
|
|
|
* Schema for Scope which represents the permissions that are granted to client applications by the resource owner
|
|
|
|
|
*/
|
2013-11-10 06:22:16 +00:00
|
|
|
var ScopeSchema = {
|
|
|
|
|
name: {type: String, required: true},
|
|
|
|
|
description: String
|
2013-11-04 21:19:02 +00:00
|
|
|
};
|
|
|
|
|
|
2013-11-10 06:22:16 +00:00
|
|
|
|
|
|
|
|
/**
|
2013-11-12 06:16:51 +00:00
|
|
|
* Resource owner grants/delegates permissions to client applications
|
|
|
|
|
*
|
|
|
|
|
* For a protected resource, does the client application have the authorization from the resource owner (user or system)?
|
|
|
|
|
*
|
2013-11-10 06:22:16 +00:00
|
|
|
* Scope has many resource access entries
|
|
|
|
|
* @type {createModel|*}
|
|
|
|
|
*/
|
2013-11-13 18:02:59 +00:00
|
|
|
var Scope = loopback.createModel('Scope', ScopeSchema);
|
2013-11-10 06:22:16 +00:00
|
|
|
|
2013-11-12 06:16:51 +00:00
|
|
|
/**
|
|
|
|
|
* System grants permissions to principals (users/applications, can be grouped into roles).
|
|
|
|
|
*
|
|
|
|
|
* Protected resource: the model data and operations (model/property/method/relation/…)
|
|
|
|
|
*
|
|
|
|
|
* For a given principal, such as client application and/or user, is it allowed to access (read/write/execute)
|
|
|
|
|
* the protected resource?
|
|
|
|
|
*
|
|
|
|
|
*/
|
2013-07-18 18:44:25 +00:00
|
|
|
var ACLSchema = {
|
2013-11-10 06:22:16 +00:00
|
|
|
model: String, // The name of the model
|
|
|
|
|
property: String, // The name of the property, method, scope, or relation
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Name of the access type - READ/WRITE/EXEC
|
|
|
|
|
*/
|
|
|
|
|
accessType: String,
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* ALARM - Generate an alarm, in a system dependent way, the access specified in the permissions component of the ACL entry.
|
|
|
|
|
* ALLOW - Explicitly grants access to the resource.
|
|
|
|
|
* AUDIT - Log, in a system dependent way, the access specified in the permissions component of the ACL entry.
|
|
|
|
|
* DENY - Explicitly denies access to the resource.
|
|
|
|
|
*/
|
|
|
|
|
permission: String,
|
|
|
|
|
/**
|
|
|
|
|
* Type of the principal - Application/User/Role
|
|
|
|
|
*/
|
|
|
|
|
principalType: String,
|
|
|
|
|
/**
|
|
|
|
|
* Id of the principal - such as appId, userId or roleId
|
|
|
|
|
*/
|
|
|
|
|
principalId: String
|
2013-10-28 17:44:05 +00:00
|
|
|
};
|
2013-07-18 18:44:25 +00:00
|
|
|
|
2013-11-04 21:19:02 +00:00
|
|
|
var ACL = loopback.createModel('ACL', ACLSchema);
|
|
|
|
|
|
2013-11-12 18:10:32 +00:00
|
|
|
ACL.ALL = '*';
|
|
|
|
|
|
|
|
|
|
ACL.ALLOW = 'ALLOW';
|
|
|
|
|
ACL.ALARM = 'ALARM';
|
|
|
|
|
ACL.AUDIT = 'AUDIT';
|
|
|
|
|
ACL.DENY = 'DENY';
|
|
|
|
|
|
|
|
|
|
ACL.READ = 'READ';
|
|
|
|
|
ACL.WRITE = 'WRITE';
|
|
|
|
|
ACL.EXECUTE = 'EXECUTE';
|
|
|
|
|
|
|
|
|
|
ACL.USER = 'USER';
|
|
|
|
|
ACL.APP = ACL.APPLICATION = 'APP';
|
|
|
|
|
ACL.ROLE = 'ROLE';
|
2013-11-13 18:02:59 +00:00
|
|
|
ACL.SCOPE = 'SCOPE';
|
2013-11-12 18:10:32 +00:00
|
|
|
|
|
|
|
|
var permissionOrder = {
|
|
|
|
|
ALLOW: 1,
|
|
|
|
|
ALARM: 2,
|
|
|
|
|
AUDIT: 3,
|
|
|
|
|
DENY: 4
|
2013-11-10 06:22:16 +00:00
|
|
|
};
|
|
|
|
|
|
2013-11-12 18:10:32 +00:00
|
|
|
function overridePermission(p1, p2) {
|
|
|
|
|
p1 = permissionOrder[p1] ? p1 : ACL.ALLOW;
|
|
|
|
|
p2 = permissionOrder[p2] ? p2 : ACL.ALLOW;
|
|
|
|
|
var i1 = permissionOrder[p1];
|
|
|
|
|
var i2 = permissionOrder[p2];
|
|
|
|
|
return i1 > i2 ? p1 : p2;
|
|
|
|
|
}
|
|
|
|
|
|
2013-11-15 17:41:26 +00:00
|
|
|
/*!
|
|
|
|
|
* Resolve permission from the ACLs
|
|
|
|
|
* @param acls
|
|
|
|
|
* @param defaultPermission
|
|
|
|
|
* @returns {*|Object|Mixed}
|
|
|
|
|
*/
|
|
|
|
|
function resolvePermission(acls, defaultPermission) {
|
|
|
|
|
var resolvedPermission = acls.reduce(function (previousValue, currentValue, index, array) {
|
|
|
|
|
// If the property is the same or the previous one is ACL.ALL (ALL)
|
|
|
|
|
if (previousValue.property === currentValue.property || (previousValue.property === ACL.ALL && currentValue.property)) {
|
|
|
|
|
previousValue.property = currentValue.property;
|
|
|
|
|
// Check if the accessType applies
|
|
|
|
|
if (previousValue.accessType === currentValue.accessType
|
|
|
|
|
|| previousValue.accessType === ACL.ALL
|
|
|
|
|
|| currentValue.accessType === ACL.ALL
|
|
|
|
|
|| !currentValue.accessType) {
|
|
|
|
|
previousValue.permission = overridePermission(previousValue.permission, currentValue.permission);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return previousValue;
|
|
|
|
|
}, defaultPermission);
|
|
|
|
|
return resolvedPermission;
|
|
|
|
|
}
|
|
|
|
|
|
2013-11-12 06:16:51 +00:00
|
|
|
/**
|
|
|
|
|
* Check if the given principal is allowed to access the model/property
|
|
|
|
|
* @param principalType
|
|
|
|
|
* @param principalId
|
|
|
|
|
* @param model
|
|
|
|
|
* @param property
|
|
|
|
|
* @param accessType
|
|
|
|
|
* @param callback
|
|
|
|
|
*/
|
|
|
|
|
ACL.checkPermission = function (principalType, principalId, model, property, accessType, callback) {
|
2013-11-14 01:14:13 +00:00
|
|
|
property = property || ACL.ALL;
|
2013-11-14 01:24:42 +00:00
|
|
|
var propertyQuery = (property === ACL.ALL) ? undefined : {inq: [property, ACL.ALL]};
|
2013-11-15 17:41:26 +00:00
|
|
|
accessType = accessType || ACL.ALL;
|
2013-11-14 01:24:42 +00:00
|
|
|
var accessTypeQuery = (accessType === ACL.ALL) ? undefined : {inq: [accessType, ACL.ALL]};
|
2013-11-14 01:14:13 +00:00
|
|
|
|
2013-11-15 17:41:26 +00:00
|
|
|
var staticACLs = [];
|
|
|
|
|
var modelClass = loopback.getModel(model); {
|
|
|
|
|
if(modelClass && modelClass.settings.acls) {
|
|
|
|
|
modelClass.settings.acls.forEach(function(acl) {
|
|
|
|
|
staticACLs.push({
|
|
|
|
|
model: model,
|
|
|
|
|
property: ACL.ALL,
|
|
|
|
|
principalType: acl.principalType,
|
|
|
|
|
principalId: acl.principalId, // TODO: Should it be a name?
|
|
|
|
|
accessType: acl.accessType,
|
|
|
|
|
permission: acl.permission
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
var prop = modelClass && modelClass.definition.properties[property];
|
|
|
|
|
if(prop && prop.acls) {
|
|
|
|
|
prop.acls.forEach(function(acl) {
|
|
|
|
|
staticACLs.push({
|
|
|
|
|
model: model,
|
|
|
|
|
property: property,
|
|
|
|
|
principalType: acl.principalType,
|
|
|
|
|
principalId: acl.principalId,
|
|
|
|
|
accessType: acl.accessType,
|
|
|
|
|
permission: acl.permission
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var defaultPermission = {principalType: principalType, principalId: principalId,
|
|
|
|
|
model: model, property: ACL.ALL, accessType: accessType, permission: ACL.ALLOW};
|
|
|
|
|
|
|
|
|
|
defaultPermission = resolvePermission(staticACLs, defaultPermission);
|
|
|
|
|
|
|
|
|
|
if(defaultPermission.permission === ACL.DENY) {
|
|
|
|
|
// Fail fast
|
|
|
|
|
callback && callback(null, defaultPermission);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2013-11-12 06:16:51 +00:00
|
|
|
ACL.find({where: {principalType: principalType, principalId: principalId,
|
2013-11-14 01:14:13 +00:00
|
|
|
model: model, property: propertyQuery, accessType: accessTypeQuery}},
|
2013-11-12 06:16:51 +00:00
|
|
|
function (err, acls) {
|
|
|
|
|
if (err) {
|
|
|
|
|
callback && callback(err);
|
|
|
|
|
return;
|
|
|
|
|
}
|
2013-11-15 17:41:26 +00:00
|
|
|
var resolvedPermission = resolvePermission(acls, defaultPermission);
|
2013-11-12 18:10:32 +00:00
|
|
|
callback && callback(null, resolvedPermission);
|
2013-11-12 06:16:51 +00:00
|
|
|
});
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Check if the given scope is allowed to access the model/property
|
|
|
|
|
* @param scope
|
|
|
|
|
* @param model
|
|
|
|
|
* @param property
|
|
|
|
|
* @param accessType
|
|
|
|
|
* @param callback
|
|
|
|
|
*/
|
|
|
|
|
Scope.checkPermission = function (scope, model, property, accessType, callback) {
|
2013-11-10 06:22:16 +00:00
|
|
|
Scope.findOne({where: {name: scope}}, function (err, scope) {
|
|
|
|
|
if (err) {
|
|
|
|
|
callback && callback(err);
|
|
|
|
|
} else {
|
2013-11-14 01:14:13 +00:00
|
|
|
ACL.checkPermission(ACL.SCOPE, scope.id, model, property, accessType, callback);
|
2013-11-10 06:22:16 +00:00
|
|
|
}
|
|
|
|
|
});
|
2013-11-12 18:10:32 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
module.exports = {
|
|
|
|
|
ACL: ACL,
|
2013-11-13 18:02:59 +00:00
|
|
|
Scope: Scope
|
2013-11-12 18:10:32 +00:00
|
|
|
};
|
