additional authz condition operator

wermarter · Jan 25, 2024 · fddfcc6 · fddfcc6
1 parent 5773b72
commit fddfcc6
Show file tree

Hide file tree

Showing 6 changed files with 37 additions and 75 deletions.
diff --git a/apps/hcdc-access-service/package.json b/apps/hcdc-access-service/package.json
@@ -27,6 +27,7 @@
     "@nestjs/passport": "^10.0.1",
     "@nestjs/platform-express": "^10.2.8",
     "@nestjs/swagger": "^7.1.16",
+    "@ucast/mongo2js": "^1.3.4",
     "argon2": "^0.31.2",
     "class-transformer": "^0.5.1",
     "class-validator": "^0.14.0",

diff --git a/apps/hcdc-access-service/src/domain/auth/utils.ts b/apps/hcdc-access-service/src/domain/auth/utils.ts
@@ -1,9 +1,22 @@
-import { MongoAbility, subject as assignSubject } from '@casl/ability'
+import {
+  MongoAbility,
+  subject as assignSubject,
+  buildMongoQueryMatcher,
+  createMongoAbility,
+} from '@casl/ability'
+import { $or, or } from '@ucast/mongo2js'
 
 import { AuthAction } from './action'
 import { AuthSubject, SubjectEntityMapping } from './subject'
 import { EAuthzPermissionDenied } from 'src/domain/exception'
 import { AUTH_ACTION_ALL, AUTH_SUBJECT_ALL } from './constants'
+import { PermissionRule } from '../entity'
+
+const conditionsMatcher = buildMongoQueryMatcher({ $or }, { or })
+
+export function createAbility(permissionRules: PermissionRule[]) {
+  return createMongoAbility(permissionRules, { conditionsMatcher })
+}
 
 export function checkPermission<TSubject extends keyof typeof AuthSubject>(
   ability: MongoAbility,

diff --git a/apps/hcdc-access-service/src/domain/use-case/auth/populate-context.ts b/apps/hcdc-access-service/src/domain/use-case/auth/populate-context.ts
@@ -1,7 +1,7 @@
-import { createMongoAbility } from '@casl/ability'
 import { Inject } from '@nestjs/common'
 const buildJSONTemplate = require('json-templates')
 
+import { createAbility } from 'src/domain/auth'
 import { PermissionRule, Role } from 'src/domain/entity'
 import { EAuthnPayloadUserNotFound } from 'src/domain/exception'
 import {
@@ -37,7 +37,7 @@ export class AuthPopulateContextUseCase {
       ...user.inlinePermissions,
     ])
     const permissions = permissionTemplate({ user }) as PermissionRule[]
-    const ability = createMongoAbility(permissions)
+    const ability = createAbility(permissions)
 
     return { user, ability }
   }

diff --git a/apps/hcdc-access-service/src/domain/use-case/user/find-one.ts b/apps/hcdc-access-service/src/domain/use-case/user/find-one.ts
@@ -20,6 +20,7 @@ export class UserFindOneUseCase {
   ) {}
 
   async execute(input: EntityFindOneOptions<User>) {
+    // TODO: check auth and apply populate matcher (+ search API)
     const entity = await this.userRepository.findOne(input)
     const { ability } = this.authContext.getData()
     assertPermission(ability, AuthSubject.User, UserAction.Read, entity)

diff --git a/apps/hcdc-access-service/src/presentation/http/common/exception-filter/domain.ts b/apps/hcdc-access-service/src/presentation/http/common/exception-filter/domain.ts
@@ -16,7 +16,7 @@ export class DomainExceptionFilter implements ExceptionFilter {
   constructor() {}
 
   catch(exception: EDomain, host: ArgumentsHost) {
-    this.logger.warn(exception)
+    this.logger.error(exception)
 
     const ctx = host.switchToHttp()
     const response = ctx.getResponse()

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml