Merge pull request #37 from warrant-dev/feat/AddPolicySupport

stanleyphu · web-flow · commit 4a21d9a3c5cb · 2023-07-13T14:22:01.000-07:00
Add policy support for creating / deleting warrants
diff --git a/src/modules/Authorization.ts b/src/modules/Authorization.ts
@@ -1,20 +1,18 @@
 import Feature from "./Feature";
 import Permission from "./Permission";
-import Check, { AccessCheckRequest, CheckMany, FeatureCheck, PermissionCheck } from "../types/Check";
+import Check, { AccessCheckRequest, CheckMany, CheckWarrant, FeatureCheck, PermissionCheck } from "../types/Check";
 import Warrant, { isSubject, isWarrantObject } from "../types/Warrant";
 import WarrantClient from "../WarrantClient";
 
 export default class Authorization {
     public static async check(check: Check): Promise<boolean> {
         const accessCheckRequest: AccessCheckRequest = {
             warrants: [{
-                objectType: isWarrantObject(check.object) ? check.object.getObjectType() : check.object.objectType,
-                objectId: isWarrantObject(check.object) ? check.object.getObjectId() : check.object.objectId,
+                object: check.object,
                 relation: check.relation,
-                subject: isSubject(check.subject) ? check.subject : { objectType: check.subject.getObjectType(), objectId: check.subject.getObjectId() },
+                subject: check.subject,
                 context: check.context
             }],
-            consistentRead: check.consistentRead,
             debug: check.debug
         }
         if (WarrantClient.config.authorizeEndpoint) {
@@ -25,19 +23,17 @@ export default class Authorization {
     }
 
     public static async checkMany(check: CheckMany): Promise<boolean> {
-        let warrants: Warrant[] = check.warrants.map((warrant) => {
+        let warrants: CheckWarrant[] = check.warrants.map((warrant) => {
             return {
-                objectType: isWarrantObject(warrant.object) ? warrant.object.getObjectType() : warrant.object.objectType,
-                objectId: isWarrantObject(warrant.object) ? warrant.object.getObjectId() : warrant.object.objectId,
+                object: warrant.object,
                 relation: warrant.relation,
-                subject: isSubject(warrant.subject) ? warrant.subject : { objectType: warrant.subject.getObjectType(), objectId: warrant.subject.getObjectId() },
+                subject: warrant.subject,
                 context: warrant.context
             }
         })
         const accessCheckRequest: AccessCheckRequest = {
             op: check.op,
             warrants: warrants,
-            consistentRead: check.consistentRead,
             debug: check.debug
         }
 
@@ -54,7 +50,6 @@ export default class Authorization {
             relation: "member",
             subject: featureCheck.subject,
             context: featureCheck.context,
-            consistentRead: featureCheck.consistentRead,
             debug: featureCheck.debug
         })
     }
@@ -65,17 +60,20 @@ export default class Authorization {
             relation: "member",
             subject: permissionCheck.subject,
             context: permissionCheck.context,
-            consistentRead: permissionCheck.consistentRead,
             debug: permissionCheck.debug
         })
     }
 
     // Private methods
     private static async authorize(accessCheckRequest: AccessCheckRequest): Promise<boolean> {
         try {
+
             const response = await WarrantClient.httpClient.post({
                 url: "/v2/authorize",
-                data: accessCheckRequest,
+                data: {
+                    ...accessCheckRequest,
+                    warrants: this.mapWarrantsForRequest(accessCheckRequest.warrants),
+                },
             });
 
             return response.code === 200;
@@ -84,21 +82,36 @@ export default class Authorization {
         }
     }
 
-    private static async edgeAuthorize(warrantCheck: AccessCheckRequest): Promise<boolean> {
+    private static async edgeAuthorize(accessCheckRequest: AccessCheckRequest): Promise<boolean> {
         try {
             const response = await WarrantClient.httpClient.post({
                 baseUrl: WarrantClient.config.authorizeEndpoint,
                 url: "/v2/authorize",
-                data: warrantCheck,
+                data: {
+                    ...accessCheckRequest,
+                    warrants: this.mapWarrantsForRequest(accessCheckRequest.warrants),
+                },
             });
 
             return response.code === 200;
         } catch (e) {
             if (e.code === "cache_not_ready") {
-                return this.authorize(warrantCheck);
+                return this.authorize(accessCheckRequest);
             }
 
             throw e;
         }
     }
+
+    private static mapWarrantsForRequest(warrants: CheckWarrant[]): any[] {
+        return warrants.map((warrant) => {
+            return {
+                objectType: isWarrantObject(warrant.object) ? warrant.object.getObjectType() : warrant.object.objectType,
+                objectId: isWarrantObject(warrant.object) ? warrant.object.getObjectId() : warrant.object.objectId,
+                relation: warrant.relation,
+                subject: isSubject(warrant.subject) ? warrant.subject : { objectType: warrant.subject.getObjectType(), objectId: warrant.subject.getObjectId() },
+                context: warrant.context
+            }
+        })
+    }
 }
diff --git a/src/modules/PricingTier.ts b/src/modules/PricingTier.ts
@@ -5,7 +5,7 @@ import WarrantClient from "../WarrantClient";
 import { ListFeatureOptions } from "../types/Feature";
 import { ObjectType } from "../types/ObjectType";
 import { CreatePricingTierParams, ListPricingTierOptions } from "../types/PricingTier";
-import Warrant, { Context, WarrantObject } from "../types/Warrant";
+import Warrant, { PolicyContext, WarrantObject } from "../types/Warrant";
 
 export default class PricingTier implements WarrantObject {
     pricingTierId: string;
@@ -160,7 +160,7 @@ export default class PricingTier implements WarrantObject {
         return Feature.removeFeatureFromPricingTier(this.pricingTierId, featureId);
     }
 
-    public async hasFeature(featureId: string, context: Context = {}): Promise<boolean> {
+    public async hasFeature(featureId: string, context: PolicyContext = {}): Promise<boolean> {
         return Authorization.hasFeature({ featureId: featureId, subject: { objectType: ObjectType.PricingTier, objectId: this.pricingTierId }, context: context });
     }
 
diff --git a/src/modules/Role.ts b/src/modules/Role.ts
@@ -5,7 +5,7 @@ import WarrantClient from "../WarrantClient";
 import { ObjectType } from "../types/ObjectType";
 import { ListPermissionOptions } from "../types/Permission";
 import { CreateRoleParams, ListRoleOptions, UpdateRoleParams } from "../types/Role";
-import Warrant, { Context, WarrantObject } from "../types/Warrant";
+import Warrant, { PolicyContext, WarrantObject } from "../types/Warrant";
 
 export default class Role implements WarrantObject {
     roleId: string;
@@ -136,7 +136,7 @@ export default class Role implements WarrantObject {
         return Permission.removePermissionFromRole(this.roleId, permissionId);
     }
 
-    public async hasPermission(permissionId: string, context: Context = {}): Promise<boolean> {
+    public async hasPermission(permissionId: string, context: PolicyContext = {}): Promise<boolean> {
         return Authorization.hasPermission({ permissionId: permissionId, subject: { objectType: ObjectType.Role, objectId: this.roleId }, context: context });
     }
 
diff --git a/src/modules/Tenant.ts b/src/modules/Tenant.ts
@@ -9,7 +9,7 @@ import { ObjectType } from "../types/ObjectType";
 import { ListPricingTierOptions } from "../types/PricingTier";
 import { CreateTenantParams, ListTenantOptions, UpdateTenantParams } from "../types/Tenant";
 import { ListUserOptions } from "../types/User";
-import { Context, WarrantObject } from "../types/Warrant";
+import { PolicyContext, WarrantObject } from "../types/Warrant";
 
 export default class Tenant implements WarrantObject {
     // Tenant properties
@@ -150,7 +150,7 @@ export default class Tenant implements WarrantObject {
         return Feature.removeFeatureFromTenant(this.tenantId, featureId);
     }
 
-    public async hasFeature(featureId: string, context: Context = {}): Promise<boolean> {
+    public async hasFeature(featureId: string, context: PolicyContext = {}): Promise<boolean> {
         return Authorization.hasFeature({ featureId: featureId, subject: { objectType: ObjectType.Tenant, objectId: this.tenantId }, context: context });
     }
 
diff --git a/src/modules/User.ts b/src/modules/User.ts
@@ -13,7 +13,7 @@ import { ListPricingTierOptions } from "../types/PricingTier";
 import { ListRoleOptions } from "../types/Role";
 import { CreateUserParams, ListUserOptions, UpdateUserParams } from "../types/User";
 import { ListTenantOptions } from "../types/Tenant";
-import { Context, WarrantObject } from "../types/Warrant";
+import { PolicyContext, WarrantObject } from "../types/Warrant";
 import WarrantModule from "./WarrantModule";
 
 export default class User implements WarrantObject {
@@ -174,7 +174,7 @@ export default class User implements WarrantObject {
         return Permission.removePermissionFromUser(this.userId, permissionId);
     }
 
-    public async hasPermission(permissionId: string, context: Context = {}): Promise<boolean> {
+    public async hasPermission(permissionId: string, context: PolicyContext = {}): Promise<boolean> {
         return Authorization.hasPermission({ permissionId: permissionId, subject: { objectType: ObjectType.User, objectId: this.userId }, context: context });
     }
 
@@ -202,7 +202,7 @@ export default class User implements WarrantObject {
         return Feature.removeFeatureFromUser(this.userId, featureId);
     }
 
-    public async hasFeature(featureId: string, context: Context = {}): Promise<boolean> {
+    public async hasFeature(featureId: string, context: PolicyContext = {}): Promise<boolean> {
         return Authorization.hasFeature({ featureId: featureId, subject: { objectType: ObjectType.User, objectId: this.userId }, context: context });
     }
 
diff --git a/src/modules/WarrantModule.ts b/src/modules/WarrantModule.ts
@@ -12,7 +12,7 @@ export default class WarrantModule {
                     objectId: isWarrantObject(warrant.object) ? warrant.object.getObjectId() : warrant.object.objectId,
                     relation: warrant.relation,
                     subject: isSubject(warrant.subject) ? warrant.subject : { objectType: warrant.subject.getObjectType(), objectId: warrant.subject.getObjectId() },
-                    context: warrant.context
+                    policy: warrant.policy
                 },
             });
         } catch (e) {
@@ -29,7 +29,7 @@ export default class WarrantModule {
                     objectId: isWarrantObject(warrant.object) ? warrant.object.getObjectId() : warrant.object.objectId,
                     relation: warrant.relation,
                     subject: isSubject(warrant.subject) ? warrant.subject : { objectType: warrant.subject.getObjectType(), objectId: warrant.subject.getObjectId() },
-                    context: warrant.context
+                    policy: warrant.policy
                 },
             });
         } catch (e) {
diff --git a/src/types/Check.ts b/src/types/Check.ts
@@ -1,4 +1,4 @@
-import Warrant, { Context, Subject, WarrantObject, WarrantObjectLiteral } from "./Warrant";
+import Warrant, { PolicyContext, Subject, WarrantObject, WarrantObjectLiteral } from "./Warrant";
 
 export enum CheckOp {
     AllOf = "allOf",
@@ -9,40 +9,35 @@ export interface CheckWarrant {
     object: WarrantObject | WarrantObjectLiteral;
     relation: string;
     subject: WarrantObject | Subject;
-    context?: Context;
+    context?: PolicyContext;
 }
 
 export default interface Check extends CheckWarrant {
-    consistentRead?: boolean;
     debug?: boolean;
 }
 
 export interface CheckMany {
     op?: CheckOp;
     warrants: CheckWarrant[];
-    consistentRead?: boolean;
     debug?: boolean;
 }
 
 export interface FeatureCheck {
     featureId: string;
     subject: WarrantObject | Subject;
-    context?: Context;
-    consistentRead?: boolean;
+    context?: PolicyContext;
     debug?: boolean;
 }
 
 export interface PermissionCheck {
     permissionId: string;
     subject: WarrantObject | Subject;
-    context?: Context;
-    consistentRead?: boolean;
+    context?: PolicyContext;
     debug?: boolean;
 }
 
 export interface AccessCheckRequest {
     op?: CheckOp;
-    warrants: Warrant[];
-    consistentRead?: boolean;
+    warrants: CheckWarrant[];
     debug?: boolean;
 }
diff --git a/src/types/Query.ts b/src/types/Query.ts
@@ -1,17 +1,17 @@
-import { Context, isSubject, isWarrantObject, Subject, WarrantObject, WarrantObjectLiteral } from "./Warrant";
+import { isSubject, isWarrantObject, PolicyContext, Subject, WarrantObject, WarrantObjectLiteral } from "./Warrant";
 
 export interface ForClause {
     object?: WarrantObject | WarrantObjectLiteral;
     relation?: string;
     subject?: Subject | WarrantObject;
-    context?: Context;
+    context?: PolicyContext;
 }
 
 export interface WhereClause {
     object?: WarrantObject | WarrantObjectLiteral;
     relation?: string;
     subject?: Subject | WarrantObject;
-    context?: Context;
+    context?: PolicyContext;
 }
 
 export default class Query {
diff --git a/src/types/Session.ts b/src/types/Session.ts
@@ -1,9 +1,9 @@
-import { Context } from "./Warrant";
+import { PolicyContext } from "./Warrant";
 
 export interface SessionParams {
     userId: string;
     ttl?: number;
-    context?: Context;
+    context?: PolicyContext;
 }
 
 export interface SelfServiceSessionParams extends SessionParams {
diff --git a/src/types/Warrant.ts b/src/types/Warrant.ts
@@ -7,8 +7,8 @@ export interface ListWarrantOptions extends ListOptions {
     userId?: string;
 }
 
-export interface Context {
-    [key: string]: string;
+export interface PolicyContext {
+    [key: string]: any;
 }
 
 export interface Subject {
@@ -27,7 +27,7 @@ export default interface Warrant {
     objectId: string;
     relation: string;
     subject: Subject;
-    context?: Context;
+    policy?: string;
 }
 
 export interface WarrantObject {
@@ -48,5 +48,5 @@ export interface WarrantParams {
     object: WarrantObject | WarrantObjectLiteral;
     relation: string;
     subject: WarrantObject | Subject;
-    context?: Context;
+    policy?: string;
 }
diff --git a/src/types/index.ts b/src/types/index.ts
@@ -8,5 +8,5 @@ export { CreateRoleParams, ListRoleOptions, UpdateRoleParams } from "./Role";
 export { SessionParams, SelfServiceSessionParams, SelfServiceStrategy } from "./Session";
 export { CreateTenantParams, ListTenantOptions, UpdateTenantParams } from "./Tenant";
 export { CreateUserParams, ListUserOptions, UpdateUserParams } from "./User";
-export { default as Warrant, ListWarrantOptions, Context, Subject, WarrantObject } from "./Warrant";
+export { default as Warrant, ListWarrantOptions, PolicyContext, Subject, WarrantObject } from "./Warrant";
 export { default as Check, CheckMany, CheckOp, CheckWarrant, FeatureCheck, PermissionCheck } from "./Check";
diff --git a/test/LiveTest.spec.js b/test/LiveTest.spec.js
@@ -536,4 +536,64 @@ describe.skip('Live Test', function () {
         await this.warrant.User.delete(newUser.userId);
         await this.warrant.Permission.delete(newPermission.permissionId);
     });
+
+    it('warrant with policy', async function() {
+        await this.warrant.Warrant.create({
+            object: {
+                objectType: "permission",
+                objectId: "test-permission"
+            },
+            relation: "member",
+            subject: {
+                objectType: "user",
+                objectId: "user-1"
+            },
+            policy: `geo == "us"`
+        });
+
+        checkResult = await this.warrant.Authorization.check({
+            object: {
+                objectType: "permission",
+                objectId: "test-permission"
+            },
+            relation: "member",
+            subject: {
+                objectType: "user",
+                objectId: "user-1"
+            },
+            context: {
+                "geo": "us",
+            }
+        });
+        assert.strictEqual(checkResult, true);
+
+        checkResult = await this.warrant.Authorization.check({
+            object: {
+                objectType: "permission",
+                objectId: "test-permission"
+            },
+            relation: "member",
+            subject: {
+                objectType: "user",
+                objectId: "user-1"
+            },
+            context: {
+                "geo": "eu",
+            }
+        });
+        assert.strictEqual(checkResult, false);
+
+        await this.warrant.Warrant.delete({
+            object: {
+                objectType: "permission",
+                objectId: "test-permission"
+            },
+            relation: "member",
+            subject: {
+                objectType: "user",
+                objectId: "user-1"
+            },
+            policy: `geo == "us"`
+        });
+    });
 })

Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@ import WarrantClient from "../WarrantClient";`
`5`	`5`	`import { ListFeatureOptions } from "../types/Feature";`
`6`	`6`	`import { ObjectType } from "../types/ObjectType";`
`7`	`7`	`import { CreatePricingTierParams, ListPricingTierOptions } from "../types/PricingTier";`
`8`		`-import Warrant, { Context, WarrantObject } from "../types/Warrant";`
	`8`	`+import Warrant, { PolicyContext, WarrantObject } from "../types/Warrant";`
`9`	`9`
`10`	`10`	`export default class PricingTier implements WarrantObject {`
`11`	`11`	`pricingTierId: string;`
`@@ -160,7 +160,7 @@ export default class PricingTier implements WarrantObject {`
`160`	`160`	`return Feature.removeFeatureFromPricingTier(this.pricingTierId, featureId);`
`161`	`161`	`}`
`162`	`162`
`163`		`- public async hasFeature(featureId: string, context: Context = {}): Promise<boolean> {`
	`163`	`+ public async hasFeature(featureId: string, context: PolicyContext = {}): Promise<boolean> {`
`164`	`164`	`return Authorization.hasFeature({ featureId: featureId, subject: { objectType: ObjectType.PricingTier, objectId: this.pricingTierId }, context: context });`
`165`	`165`	`}`
`166`	`166`
Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@ import WarrantClient from "../WarrantClient";`
`5`	`5`	`import { ObjectType } from "../types/ObjectType";`
`6`	`6`	`import { ListPermissionOptions } from "../types/Permission";`
`7`	`7`	`import { CreateRoleParams, ListRoleOptions, UpdateRoleParams } from "../types/Role";`
`8`		`-import Warrant, { Context, WarrantObject } from "../types/Warrant";`
	`8`	`+import Warrant, { PolicyContext, WarrantObject } from "../types/Warrant";`
`9`	`9`
`10`	`10`	`export default class Role implements WarrantObject {`
`11`	`11`	`roleId: string;`
`@@ -136,7 +136,7 @@ export default class Role implements WarrantObject {`
`136`	`136`	`return Permission.removePermissionFromRole(this.roleId, permissionId);`
`137`	`137`	`}`
`138`	`138`
`139`		`- public async hasPermission(permissionId: string, context: Context = {}): Promise<boolean> {`
	`139`	`+ public async hasPermission(permissionId: string, context: PolicyContext = {}): Promise<boolean> {`
`140`	`140`	`return Authorization.hasPermission({ permissionId: permissionId, subject: { objectType: ObjectType.Role, objectId: this.roleId }, context: context });`
`141`	`141`	`}`
`142`	`142`
Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@ import { ObjectType } from "../types/ObjectType";`
`9`	`9`	`import { ListPricingTierOptions } from "../types/PricingTier";`
`10`	`10`	`import { CreateTenantParams, ListTenantOptions, UpdateTenantParams } from "../types/Tenant";`
`11`	`11`	`import { ListUserOptions } from "../types/User";`
`12`		`-import { Context, WarrantObject } from "../types/Warrant";`
	`12`	`+import { PolicyContext, WarrantObject } from "../types/Warrant";`
`13`	`13`
`14`	`14`	`export default class Tenant implements WarrantObject {`
`15`	`15`	`// Tenant properties`
`@@ -150,7 +150,7 @@ export default class Tenant implements WarrantObject {`
`150`	`150`	`return Feature.removeFeatureFromTenant(this.tenantId, featureId);`
`151`	`151`	`}`
`152`	`152`
`153`		`- public async hasFeature(featureId: string, context: Context = {}): Promise<boolean> {`
	`153`	`+ public async hasFeature(featureId: string, context: PolicyContext = {}): Promise<boolean> {`
`154`	`154`	`return Authorization.hasFeature({ featureId: featureId, subject: { objectType: ObjectType.Tenant, objectId: this.tenantId }, context: context });`
`155`	`155`	`}`
`156`	`156`
Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ import { ListPricingTierOptions } from "../types/PricingTier";`
`13`	`13`	`import { ListRoleOptions } from "../types/Role";`
`14`	`14`	`import { CreateUserParams, ListUserOptions, UpdateUserParams } from "../types/User";`
`15`	`15`	`import { ListTenantOptions } from "../types/Tenant";`
`16`		`-import { Context, WarrantObject } from "../types/Warrant";`
	`16`	`+import { PolicyContext, WarrantObject } from "../types/Warrant";`
`17`	`17`	`import WarrantModule from "./WarrantModule";`
`18`	`18`
`19`	`19`	`export default class User implements WarrantObject {`
`@@ -174,7 +174,7 @@ export default class User implements WarrantObject {`
`174`	`174`	`return Permission.removePermissionFromUser(this.userId, permissionId);`
`175`	`175`	`}`
`176`	`176`
`177`		`- public async hasPermission(permissionId: string, context: Context = {}): Promise<boolean> {`
	`177`	`+ public async hasPermission(permissionId: string, context: PolicyContext = {}): Promise<boolean> {`
`178`	`178`	`return Authorization.hasPermission({ permissionId: permissionId, subject: { objectType: ObjectType.User, objectId: this.userId }, context: context });`
`179`	`179`	`}`
`180`	`180`
`@@ -202,7 +202,7 @@ export default class User implements WarrantObject {`
`202`	`202`	`return Feature.removeFeatureFromUser(this.userId, featureId);`
`203`	`203`	`}`
`204`	`204`
`205`		`- public async hasFeature(featureId: string, context: Context = {}): Promise<boolean> {`
	`205`	`+ public async hasFeature(featureId: string, context: PolicyContext = {}): Promise<boolean> {`
`206`	`206`	`return Authorization.hasFeature({ featureId: featureId, subject: { objectType: ObjectType.User, objectId: this.userId }, context: context });`
`207`	`207`	`}`
`208`	`208`
Original file line number	Diff line number	Diff line change
`@@ -7,8 +7,8 @@ export interface ListWarrantOptions extends ListOptions {`
`7`	`7`	`userId?: string;`
`8`	`8`	`}`
`9`	`9`
`10`		`-export interface Context {`
`11`		`- [key: string]: string;`
	`10`	`+export interface PolicyContext {`
	`11`	`+ [key: string]: any;`
`12`	`12`	`}`
`13`	`13`
`14`	`14`	`export interface Subject {`
`@@ -27,7 +27,7 @@ export default interface Warrant {`
`27`	`27`	`objectId: string;`
`28`	`28`	`relation: string;`
`29`	`29`	`subject: Subject;`
`30`		`- context?: Context;`
	`30`	`+ policy?: string;`
`31`	`31`	`}`
`32`	`32`
`33`	`33`	`export interface WarrantObject {`
`@@ -48,5 +48,5 @@ export interface WarrantParams {`
`48`	`48`	`object: WarrantObject \| WarrantObjectLiteral;`
`49`	`49`	`relation: string;`
`50`	`50`	`subject: WarrantObject \| Subject;`
`51`		`- context?: Context;`
	`51`	`+ policy?: string;`
`52`	`52`	`}`