Build Roles Authorization

Zenfection · Sep 23, 2023 · 4ea237a · 4ea237a
1 parent 524dac1
commit 4ea237a
Show file tree

Hide file tree

Showing 17 changed files with 116 additions and 16 deletions.
diff --git a/.../migrations/20230922152747_/migration.sql → ...grations/20230923052222_dev/migration.sql b/.../migrations/20230922152747_/migration.sql → ...grations/20230923052222_dev/migration.sql
@@ -18,7 +18,6 @@ CREATE TABLE "Role" (
     "role_id" SERIAL NOT NULL,
     "name" TEXT NOT NULL,
     "description" TEXT,
-    "userId" INTEGER,
 
     CONSTRAINT "Role_pkey" PRIMARY KEY ("role_id")
 );
@@ -113,6 +112,12 @@ CREATE TABLE "Activity" (
     CONSTRAINT "Activity_pkey" PRIMARY KEY ("activity_id")
 );
 
+-- CreateTable
+CREATE TABLE "_RoleToUser" (
+    "A" INTEGER NOT NULL,
+    "B" INTEGER NOT NULL
+);
+
 -- CreateTable
 CREATE TABLE "_PermissionToRole" (
     "A" INTEGER NOT NULL,
@@ -152,6 +157,12 @@ CREATE INDEX "user_email_idx" ON "User"("email");
 -- CreateIndex
 CREATE UNIQUE INDEX "Label_name_key" ON "Label"("name");
 
+-- CreateIndex
+CREATE UNIQUE INDEX "_RoleToUser_AB_unique" ON "_RoleToUser"("A", "B");
+
+-- CreateIndex
+CREATE INDEX "_RoleToUser_B_index" ON "_RoleToUser"("B");
+
 -- CreateIndex
 CREATE UNIQUE INDEX "_PermissionToRole_AB_unique" ON "_PermissionToRole"("A", "B");
 
@@ -170,9 +181,6 @@ CREATE UNIQUE INDEX "_LabelToTask_AB_unique" ON "_LabelToTask"("A", "B");
 -- CreateIndex
 CREATE INDEX "_LabelToTask_B_index" ON "_LabelToTask"("B");
 
--- AddForeignKey
-ALTER TABLE "Role" ADD CONSTRAINT "Role_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User"("user_id") ON DELETE CASCADE ON UPDATE CASCADE;
-
 -- AddForeignKey
 ALTER TABLE "Condition" ADD CONSTRAINT "Condition_policyId_fkey" FOREIGN KEY ("policyId") REFERENCES "Policy"("policy_id") ON DELETE CASCADE ON UPDATE CASCADE;
 
@@ -188,6 +196,12 @@ ALTER TABLE "Activity" ADD CONSTRAINT "Activity_taskId_fkey" FOREIGN KEY ("taskI
 -- AddForeignKey
 ALTER TABLE "Activity" ADD CONSTRAINT "Activity_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User"("user_id") ON DELETE RESTRICT ON UPDATE CASCADE;
 
+-- AddForeignKey
+ALTER TABLE "_RoleToUser" ADD CONSTRAINT "_RoleToUser_A_fkey" FOREIGN KEY ("A") REFERENCES "Role"("role_id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "_RoleToUser" ADD CONSTRAINT "_RoleToUser_B_fkey" FOREIGN KEY ("B") REFERENCES "User"("user_id") ON DELETE CASCADE ON UPDATE CASCADE;
+
 -- AddForeignKey
 ALTER TABLE "_PermissionToRole" ADD CONSTRAINT "_PermissionToRole_A_fkey" FOREIGN KEY ("A") REFERENCES "Permission"("permission_id") ON DELETE CASCADE ON UPDATE CASCADE;
 

diff --git a/server/prisma/schema.prisma b/server/prisma/schema.prisma
@@ -16,8 +16,7 @@ model Role {
   description String?
   permissions Permission[]
   policies    Policy[]
-  User        User?        @relation(fields: [userId], references: [id], onDelete: Cascade)
-  userId      Int?
+  User        User[]
 }
 
 model Permission {

diff --git a/...thentication/controllers/session-authentication/session-authentication.controller.spec.ts b/...thentication/controllers/session-authentication/session-authentication.controller.spec.ts
@@ -9,7 +9,9 @@ describe('SessionAuthenticationController', () => {
       controllers: [SessionAuthenticationController],
     }).compile();
 
-    controller = module.get<SessionAuthenticationController>(SessionAuthenticationController);
+    controller = module.get<SessionAuthenticationController>(
+      SessionAuthenticationController,
+    );
   });
 
   it('should be defined', () => {

diff --git a/server/src/iam/authentication/guards/access-token/access-token.guard.ts b/server/src/iam/authentication/guards/access-token/access-token.guard.ts
@@ -20,7 +20,7 @@ export class AccessTokenGuard extends AuthGuard('jwt') implements CanActivate {
 
   handleRequest(err: any, user: any, info: any) {
     // You can throw an exception based on either "info" or "err" arguments
-    if (err || !user) {
+    if (err || !user || info) {
       throw err || new UnauthorizedException('No access token found');
     }
     return user;

diff --git a/server/src/iam/authentication/interfaces/active-user-data.interface.ts b/server/src/iam/authentication/interfaces/active-user-data.interface.ts
@@ -1,4 +1,5 @@
 export interface ActiveUserData {
   sub: number;
   email: string;
+  roles?: string[];
 }
diff --git a/server/src/iam/authentication/services/authentication.service.ts b/server/src/iam/authentication/services/authentication.service.ts
@@ -84,6 +84,7 @@ export class AuthenticationService {
 
     const payload = {
       email: user.email,
+      roles: user.roles.map((role) => role.name),
     };
 
     const [accessToken, refreshToken] = await Promise.all([
@@ -133,7 +134,7 @@ export class AuthenticationService {
         throw new UnauthorizedException('Invalid refresh token');
       }
 
-      return await this.generateToken(user);
+      return await this.generateToken(user as UserEntity);
     } catch (error) {
       if (error instanceof RefreshTokenIdsStorageError) {
         throw new UnauthorizedException('Invalid refresh token');

diff --git a/...iam/authentication/services/session-authentication/session-authentication.service.spec.ts b/...iam/authentication/services/session-authentication/session-authentication.service.spec.ts
@@ -9,7 +9,9 @@ describe('SessionAuthenticationService', () => {
       providers: [SessionAuthenticationService],
     }).compile();
 
-    service = module.get<SessionAuthenticationService>(SessionAuthenticationService);
+    service = module.get<SessionAuthenticationService>(
+      SessionAuthenticationService,
+    );
   });
 
   it('should be defined', () => {

diff --git a/server/src/iam/authentication/utils/user-serializer/user-serializer.ts b/server/src/iam/authentication/utils/user-serializer/user-serializer.ts
@@ -1,13 +1,13 @@
 import { PassportSerializer } from '@nestjs/passport';
-import { User } from '@prisma/client';
+import { UserEntity } from 'src/users/entity/user.entity';
 import passport from 'passport';
 import { ActiveUserData } from '../../interfaces/active-user-data.interface';
 
 export class UserSerializer implements PassportSerializer {
   constructor() {
     const passportInstance = this.getPassportInstance();
     passportInstance.serializeUser((user, done) =>
-      this.serializeUser(user as User, done),
+      this.serializeUser(user as UserEntity, done),
     );
     passportInstance.deserializeUser((payload, done) =>
       this.deserializeUser(payload as ActiveUserData, done),
@@ -18,12 +18,15 @@ export class UserSerializer implements PassportSerializer {
     return passport;
   }
 
-  serializeUser(user: User, done: (err: Error, user: ActiveUserData) => void) {
+  serializeUser(
+    user: UserEntity,
+    done: (err: Error, user: ActiveUserData) => void,
+  ) {
     // store user info authenticated in session
     done(null, {
       sub: user.id,
       email: user.email,
-      //   role: user.role,
+      role: user.roles,
       //   permissions: user.permissions as any,
     });
   }

diff --git a/server/src/iam/authorization/authorization.module.ts b/server/src/iam/authorization/authorization.module.ts
@@ -0,0 +1,13 @@
+import { Module } from '@nestjs/common';
+import { APP_GUARD } from '@nestjs/core';
+import { RolesGuard } from './guards/roles/roles.guard';
+
+@Module({
+  providers: [
+    {
+      provide: APP_GUARD,
+      useClass: RolesGuard,
+    },
+  ],
+})
+export class AuthorizationModule {}
diff --git a/server/src/iam/authorization/decorators/roles/roles.decorator.ts b/server/src/iam/authorization/decorators/roles/roles.decorator.ts
@@ -0,0 +1,5 @@
+import { SetMetadata } from '@nestjs/common';
+import { RoleEntity } from 'src/users/entity/role.entity';
+
+export const ROLES_KEY = 'roles';
+export const Roles = (...roles: RoleEntity[]) => SetMetadata(ROLES_KEY, roles);
diff --git a/server/src/iam/authorization/guards/roles/roles.guard.spec.ts b/server/src/iam/authorization/guards/roles/roles.guard.spec.ts
@@ -0,0 +1,7 @@
+import { RolesGuard } from './roles.guard';
+
+describe('RolesGuard', () => {
+  it('should be defined', () => {
+    expect(new RolesGuard()).toBeDefined();
+  });
+});
diff --git a/server/src/iam/authorization/guards/roles/roles.guard.ts b/server/src/iam/authorization/guards/roles/roles.guard.ts
@@ -0,0 +1,30 @@
+import { CanActivate, ExecutionContext, Injectable } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { Observable } from 'rxjs';
+import { RoleEntity } from 'src/users/entity/role.entity';
+import { ActiveUserData } from 'src/iam/authentication/interfaces/active-user-data.interface';
+import { REQUEST_USER_KEY } from '../../../constants/iam.contant';
+import { ROLES_KEY } from '../../decorators/roles/roles.decorator';
+
+@Injectable()
+export class RolesGuard implements CanActivate {
+  constructor(private readonly reflector: Reflector) {}
+  canActivate(
+    context: ExecutionContext,
+  ): boolean | Promise<boolean> | Observable<boolean> {
+    const contextRole = this.reflector.getAllAndOverride<RoleEntity[]>(
+      ROLES_KEY,
+      [context.getHandler(), context.getClass()],
+    );
+
+    if (contextRole) {
+      const user: ActiveUserData = context.switchToHttp().getRequest()[
+        REQUEST_USER_KEY
+      ];
+
+      return contextRole.some((role) => user.roles?.includes(role.name));
+    }
+
+    return true;
+  }
+}
diff --git a/server/src/iam/iam.module.ts b/server/src/iam/iam.module.ts
@@ -1,9 +1,10 @@
 import { Module } from '@nestjs/common';
 import { AuthenticationModule } from './authentication/authentication.module';
+import { AuthorizationModule } from './authorization/authorization.module';
 
 @Module({
   providers: [],
   controllers: [],
-  imports: [AuthenticationModule],
+  imports: [AuthenticationModule, AuthorizationModule],
 })
 export class IamModule {}
diff --git a/server/src/users/entity/role.entity.ts b/server/src/users/entity/role.entity.ts
@@ -0,0 +1,11 @@
+import { Role } from '@prisma/client';
+
+export class RoleEntity implements Role {
+  name: string;
+
+  constructor(name: string) {
+    this.name = name;
+  }
+  id: number;
+  description: string;
+}
diff --git a/server/src/users/entity/user.entity.ts b/server/src/users/entity/user.entity.ts
@@ -1,6 +1,7 @@
 import { User } from '@prisma/client';
 import { ApiProperty } from '@nestjs/swagger';
 import { IsDate, IsOptional } from 'class-validator';
+import { RoleEntity } from './role.entity';
 
 export class UserEntity implements User {
   @ApiProperty()
@@ -25,6 +26,9 @@ export class UserEntity implements User {
   @IsOptional()
   tfaSecret: string | null;
 
+  @ApiProperty()
+  roles: RoleEntity[];
+
   @IsDate()
   createdAt: Date;
 

diff --git a/server/src/users/users.controller.ts b/server/src/users/users.controller.ts
@@ -11,6 +11,8 @@ import { UsersService } from './users.service';
 import { Prisma } from '@prisma/client';
 import { CreateUserDto } from './dto/create-user.dto';
 import { updateUserDto } from './dto/update-user.dto';
+import { Roles } from '../iam/authorization/decorators/roles/roles.decorator';
+import { RoleEntity } from './entity/role.entity';
 
 @Controller('users')
 export class UsersController {
@@ -21,6 +23,8 @@ export class UsersController {
     return this.usersService.create(createUserDto);
   }
 
+  @Get()
+  @Roles(new RoleEntity('ADMIN'))
   @Get()
   async findAll() {
     return this.usersService.findAll();

diff --git a/server/src/users/users.service.ts b/server/src/users/users.service.ts
@@ -35,9 +35,12 @@ export class UsersService {
     });
   }
 
-  async findOne(where: Prisma.UserWhereUniqueInput): Promise<User | null> {
+  async findOne(where: Prisma.UserWhereUniqueInput) {
     return this.prismaService.user.findUnique({
       where,
+      include: {
+        roles: true,
+      },
     });
   }