diff --git a/packages/system-server/src/actions.ts b/packages/system-server/src/actions.ts
new file mode 100644
index 0000000000..779dc3d048
--- /dev/null
+++ b/packages/system-server/src/actions.ts
@@ -0,0 +1,85 @@
+
+export interface IActionDef {
+ [key: string]: string
+}
+
+export const FunctionActionDef = {
+ ListFunctions: 'fn:ListFunctions',
+ GetFunction: 'fn:GetFunction',
+ CreateFunction: 'fn:CreateFunction',
+ UpdateFunction: 'fn:UpdateFunction',
+ DeleteFunction: 'fn:DeleteFunction',
+ InvokeFunction: 'fn:InvokeFunction',
+ PublishFunction: 'fn:PublishFunction',
+ ListLogs: 'fn:ListLogs',
+}
+
+export const ApplicationActionDef = {
+ ListApplications: 'app:ListApplications',
+ GetApplication: 'app:GetApplication',
+ CreateApplication: 'app:CreateApplication',
+ UpdateApplication: 'app:UpdateApplication',
+ DeleteApplication: 'app:DeleteApplication',
+ StartInstance: 'app:StartInstance',
+ StopInstance: 'app:StopInstance',
+}
+
+export const DatabaseActionDef = {
+ ListCollections: 'db:ListCollections',
+ GetCollection: 'db:GetCollection',
+ CreateCollection: 'db:CreateCollection',
+ UpdateCollection: 'db:UpdateCollection',
+ DeleteCollection: 'db:DeleteCollection',
+ ListDocuments: 'db:ListDocuments',
+ GetDocument: 'db:GetDocument',
+ CreateDocument: 'db:CreateDocument',
+ UpdateDocument: 'db:UpdateDocument',
+ DeleteDocument: 'db:DeleteDocument',
+ ListPolicies: 'db:ListPolicies',
+ GetPolicy: 'db:GetPolicy',
+ CreatePolicy: 'db:CreatePolicy',
+ UpdatePolicy: 'db:UpdatePolicy',
+ DeletePolicy: 'db:DeletePolicy',
+ PublishPolicy: 'db:PublishPolicy',
+}
+
+export const StorageActionDef = {
+ ListBuckets: 'oss:ListBuckets',
+ GetBucket: 'oss:GetBucket',
+ CreateBucket: 'oss:CreateBucket',
+ UpdateBucket: 'oss:UpdateBucket',
+ DeleteBucket: 'oss:DeleteBucket',
+ CreateServiceAccount: 'oss:CreateServiceAccount',
+}
+
+export const ReplicationActionDef = {
+ ListReplicateAuth: 'rep:ListReplicateAuth',
+ GetReplicateAuth: 'rep:GetReplicateAuth',
+ CreateReplicateAuth: 'rep:CreateReplicateAuth',
+ UpdateReplicateAuth: 'rep:UpdateReplicateAuth',
+ DeleteReplicateAuth: 'rep:DeleteReplicateAuth',
+ ListReplicateRequest: 'rep:ListReplicateRequest',
+ GetReplicateRequest: 'rep:GetReplicateRequest',
+ CreateReplicateRequest: 'rep:CreateReplicateRequest',
+ UpdateReplicateRequest: 'rep:UpdateReplicateRequest',
+ DeleteReplicateRequest: 'rep:DeleteReplicateRequest',
+}
+
+export const WebsiteActionDef = {
+ ListWebsites: 'web:ListWebsites',
+ GetWebsite: 'web:GetWebsite',
+ CreateWebsite: 'web:CreateWebsite',
+ UpdateWebsite: 'web:UpdateWebsite',
+ DeleteWebsite: 'web:DeleteWebsite',
+}
+
+
+export function get_actions(action_def: IActionDef) {
+ const actions: string[] = []
+ for (const key in action_def) {
+ if (action_def.hasOwnProperty(key)) {
+ actions.push(action_def[key])
+ }
+ }
+ return actions
+}
\ No newline at end of file
diff --git a/packages/system-server/src/constants.ts b/packages/system-server/src/constants.ts
index 539b89a527..1711725cb1 100644
--- a/packages/system-server/src/constants.ts
+++ b/packages/system-server/src/constants.ts
@@ -6,8 +6,6 @@
 */
 import { deepFreeze } from './support/util-lang'
-import { permissions } from './permissions'
-import { roles } from './permissions'
 /** prefix of sys db collection name */
 const coll_prefix = 'sys_'
@@ -50,17 +48,6 @@ export const CN_REPLICATE_AUTH = _('replicate_auth')
 export const CN_REPLICATE_REQUESTS = _('replicate_requests')
 export const CN_OSS_SERVICE_ACCOUNT = _('oss_service_account')
 export const CN_WEBSITE_HOSTING = _('website_hosting')
-/**
- * Constants collection
- */
-export const CONST_DICTS = deepFreeze({
- /** built-in permissions */
- permissions: permissions,
-
- /** built-in roles for applications */
- roles: roles,
-})
-
 /** RESPONSE ERROR CODE */
 export const RESP_INVALID_BUCKET_NAME = deepFreeze({ code: 'INVALID_BUCKET_NAME', error: 'INVALID_BUCKET_NAME' })
\ No newline at end of file
diff --git a/packages/system-server/src/groups.ts b/packages/system-server/src/groups.ts
new file mode 100644
index 0000000000..1a846cf2ea
--- /dev/null
+++ b/packages/system-server/src/groups.ts
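Review bot: The `*ActionDef` catalogues in this new file are plain mutable objects, so any importer can reassign or add an action string at runtime, and the `IActionDef` index signature erases the literal types that calls like `checkPermission(uid, ApplicationActionDef.GetApplication, app)` would otherwise be checked against. Declaring each catalogue `as const` keeps the permission vocabulary immutable for the compiler and lets it reject a mistyped member, and the constants.ts hunk on this page shows the project already has `deepFreeze` in `./support/util-lang` if a runtime freeze is wanted as well. `get_actions` can then shrink to `return Object.values(action_def)` with an explicit `: string[]` return type instead of the `for…in` plus `hasOwnProperty` loop. A one-line header comment would help readers of the authorization code, e.g. `// Action identifiers are '<resource>:<Verb>' strings; groups.ts composes them into roles and checkPermission compares against them.`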
@@ -0,0 +1,139 @@
+
+import { get_actions, FunctionActionDef, DatabaseActionDef, StorageActionDef, ReplicationActionDef, ApplicationActionDef, WebsiteActionDef } from './actions'
+
+
+export const FunctionReadyOnly = {
+ name: 'FunctionReadyOnly',
+ label: 'Function Ready Only',
+ actions: [
+ FunctionActionDef.ListFunctions,
+ FunctionActionDef.GetFunction,
+ FunctionActionDef.ListLogs
+ ]
+}
+
+export const FunctionFullAccess = {
+ name: 'FunctionFullAccess',
+ label: 'Function Full Access',
+ actions: get_actions(FunctionActionDef)
+}
+
+export const DatabaseReadyOnly = {
+ name: 'DatabaseReadyOnly',
+ label: 'Database Ready Only',
+ actions: [
+ DatabaseActionDef.ListCollections,
+ DatabaseActionDef.GetCollection,
+ DatabaseActionDef.ListDocuments,
+ DatabaseActionDef.GetDocument,
+ DatabaseActionDef.ListPolicies,
+ DatabaseActionDef.GetPolicy,
+ ]
+}
+
+export const DatabaseFullAccess = {
+ name: 'DatabaseFullAccess',
+ label: 'Database Full Access',
+ actions: get_actions(DatabaseActionDef)
+}
+
+export const StorageReadOnly = {
+ name: 'StorageReadOnly',
+ label: 'Storage Read Only',
+ actions: [
+ StorageActionDef.ListBuckets,
+ StorageActionDef.GetBucket,
+ ]
+}
+
+export const StorageFullAccess = {
+ name: 'StorageFullAccess',
+ label: 'Storage Full Access',
+ actions: get_actions(StorageActionDef)
+}
+
+export const ReplicationReadOnly = {
+ name: 'ReplicationReadOnly',
+ label: 'Replication Read Only',
+ actions: [
+ ReplicationActionDef.ListReplicateAuth,
+ ReplicationActionDef.GetReplicateAuth,
+ ReplicationActionDef.ListReplicateRequest,
+ ReplicationActionDef.GetReplicateRequest,
+ ]
+}
+
+export const ReplicationFullAccess = {
+ name: 'ReplicationFullAccess',
+ label: 'Replication Full Access',
+ actions: get_actions(ReplicationActionDef)
+}
+
+export const ApplicationReadOnly = {
+ name: 'ApplicationReadOnly',
+ label: 'Application Read Only',
+ actions: [
+ ApplicationActionDef.ListApplications,
+ ApplicationActionDef.GetApplication,
+ ]
+}
+
+export const InstanceOperator = {
+ name: 'InstanceOperator',
+ label: 'Instance Operator',
+ actions: [
+ ApplicationActionDef.StartInstance,
+ ApplicationActionDef.StopInstance,
+ ]
+}
+
+export const ApplicationFullAccess = {
+ name: 'ApplicationFullAccess',
+ label: 'Application Full Access',
+ actions: get_actions(ApplicationActionDef)
+}
+
+export const WebsiteReadOnly = {
+ name: 'WebsiteReadOnly',
+ label: 'Website Read Only',
+ actions: [
+ WebsiteActionDef.ListWebsites,
+ WebsiteActionDef.GetWebsite,
+ ]
+}
+
+export const WebsiteFullAccess = {
+ name: 'WebsiteFullAccess',
+ label: 'Website Full Access',
+ actions: get_actions(WebsiteActionDef)
+}
+
+export const Admin = {
+ name: 'Admin',
+ label: 'Admin',
+ actions: [
+ ...get_actions(FunctionActionDef),
+ ...get_actions(DatabaseActionDef),
+ ...get_actions(StorageActionDef),
+ ...get_actions(ReplicationActionDef),
+ ...get_actions(ApplicationActionDef),
+ ...get_actions(WebsiteActionDef),
+ ]
+}
+
+export const Groups = [
+ FunctionReadyOnly,
+ FunctionFullAccess,
+ DatabaseReadyOnly,
+ DatabaseFullAccess,
+ StorageReadOnly,
+ StorageFullAccess,
+ ReplicationReadOnly,
+ ReplicationFullAccess,
+ ApplicationReadOnly,
+ InstanceOperator,
+ ApplicationFullAccess,
+ WebsiteReadOnly,
+ WebsiteFullAccess,
+ Admin
+]
diff --git a/packages/system-server/src/handler/application/collaborator.ts b/packages/system-server/src/handler/application/collaborator.ts
index 42bc65c29b..7d83a01c8e 100644
--- a/packages/system-server/src/handler/application/collaborator.ts
+++ b/packages/system-server/src/handler/application/collaborator.ts
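Review bot: `FunctionReadyOnly` and `DatabaseReadyOnly` (with labels 'Function Ready Only' / 'Database Ready Only') are typos for "Read Only" and are inconsistent with `StorageReadOnly`, `ReplicationReadOnly` and the other groups in this file. Since `name` is what `handleGetRoles` hands to clients and what the invite handler validates via `isValidRoleNames`, it will end up persisted on collaborator records, so rename to `FunctionReadOnly` / `DatabaseReadOnly` now rather than migrating stored role names later. The group objects and the `Groups` array are also mutable exports, whereas the `CONST_DICTS` table this commit removes was wrapped in `deepFreeze`; freezing these the same way keeps the authorization tables tamper-proof at runtime. A header comment would orient readers, e.g. `// Built-in collaborator groups: each maps a role name to the actions it grants; Admin is the union of every *ActionDef.`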
@@ -10,12 +10,12 @@ import { getApplicationByAppid } from '../../support/application' import { checkPermission } from '../../support/permission' import { CN_ACCOUNTS, CN_APPLICATIONS } from '../../constants' import { DatabaseAgent } from '../../db' -import { permissions } from '../../permissions' -import { getAccountByUsername, getRoles, isValidAccountId, isValidRoleNames } from '../../support/account' +import { ApplicationActionDef } from '../../actions' +import { getAccountByUsername, isValidAccountId, isValidRoleNames } from '../../support/account' import { array2map, mergeMap2ArrayByKey } from '../../support/util-lang' import { ObjectId } from 'mongodb' +import { Groups } from '../../groups' -const { APPLICATION_UPDATE } = permissions /** * The handler of getting collaborators of an application @@ -31,6 +31,12 @@ export async function handleGetCollaborators(req: Request, res: Response) { if (!app) return res.status(422).send('invalid appid') + // check permission + const code = await checkPermission(uid, ApplicationActionDef.GetApplication, app) + if (code) { + return res.status(code).send() + } + if (!app.collaborators?.length) { return res.send({ data: [] }) } @@ -75,7 +81,7 @@ export async function handleInviteCollaborator(req: Request, res: Response) { } // check permission - const code = await checkPermission(uid, APPLICATION_UPDATE.name, app) + const code = await checkPermission(uid, ApplicationActionDef.UpdateApplication, app) if (code) { return res.status(code).send() } @@ -144,13 +150,9 @@ export async function handleGetRoles(req: Request, res: Response) { if (!uid) return res.status(401).send() - const roles = getRoles() - const rets = Object.keys(roles) - // .filter(key => key !== roles.owner.name) - .map(key => roles[key]) - + const roles = Groups return res.send({ - data: rets + data: roles }) } 
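Review bot: `handleGetRoles` now returns `Groups` unfiltered, so `Admin` — which grants every action including `app:DeleteApplication` — is offered as an assignable collaborator role, while the code being replaced still carried a commented-out filter for the owner role; confirm that exposing Admin here is intended, or exclude it with `const roles = Groups.filter(g => g.name !== Admin.name)` (importing `Admin` from `../../groups`). The `const roles = Groups` alias adds nothing on its own; `return res.send({ data: Groups })` reads better. The import hunk drops `getRoles` but keeps `isValidRoleNames` (support/account, outside this diff) for the invite handler; unless that helper was also switched to validate against `Groups` names, invitations will still be checked against the old role vocabulary and the new names will be rejected.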
@@ -168,7 +170,7 @@ export async function handleRemoveCollaborator(req: Request, res: Response) { return res.status(422).send('invalid appid') // check permission - const code = await checkPermission(uid, APPLICATION_UPDATE.name, app) + const code = await checkPermission(uid, ApplicationActionDef.UpdateApplication, app) if (code) { return res.status(code).send() } diff --git a/packages/system-server/src/handler/application/exporter.ts b/packages/system-server/src/handler/application/exporter.ts index a6176278ba..5d460de207 100644 --- a/packages/system-server/src/handler/application/exporter.ts +++ b/packages/system-server/src/handler/application/exporter.ts @@ -8,10 +8,9 @@ import { Request, Response } from 'express' import { getApplicationByAppid } from '../../support/application' import { checkPermission } from '../../support/permission' -import { CONST_DICTS } from '../../constants' import { ApplicationExporter } from '../../support/exporter' +import { ApplicationActionDef } from '../../actions' -const { APPLICATION_READ } = CONST_DICTS.permissions /** * The handler of getting application by id @@ -26,7 +25,7 @@ export async function handleExportApplication(req: Request, res: Response) { if (!app) return res.status(422).send('invalid appid') // check permission - const code = await checkPermission(uid, APPLICATION_READ.name, app) + const code = await checkPermission(uid, ApplicationActionDef.GetApplication, app) if (code) return res.status(code).send() const exporter = new ApplicationExporter(app) diff --git a/packages/system-server/src/handler/application/get.ts b/packages/system-server/src/handler/application/get.ts index bf1ea82043..ac004610f3 100644 --- a/packages/system-server/src/handler/application/get.ts +++ b/packages/system-server/src/handler/application/get.ts 
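Review bot: `handleExportApplication` is now gated on `ApplicationActionDef.GetApplication`, which the `ApplicationReadOnly` group grants, while the handler produces a full export of the application; the get.ts hunk on this page shows `app.config.server_secret_salt` exists, so if `ApplicationExporter` (support/exporter, outside this diff) serialises `app.config`, a read-only collaborator can now download the token-signing secret. Consider gating on `ApplicationActionDef.UpdateApplication` or a dedicated export action, or make sure the exporter strips `config`. Whichever is chosen, record it at the check, e.g. `// export bundles the app config; require full access, not read-only`.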
@@ -7,13 +7,12 @@ import { Request, Response } from 'express' import { getApplicationByAppid, getMyApplications, getMyJoinedApplications, getUserRolesOfApplication } from '../../support/application' -import { getPermissionsOfRoles } from '../../support/permission' -import { CONST_DICTS } from '../../constants' +import { getActionsOfRoles } from '../../support/permission' import { getToken } from '../../support/token' import Config from '../../config' import { ApplicationSpecSupport } from '../../support/application-spec' +import { FunctionActionDef } from '../../actions' -const { FUNCTION_DEBUG } = CONST_DICTS.permissions /** * The handler of getting my applications(created & joined) @@ -57,12 +56,12 @@ export async function handleGetApplicationByAppid(req: Request, res: Response) { } // get user permissions of the application - const permissions = getPermissionsOfRoles(roles) + const permissions = getActionsOfRoles(roles) // generate token of debugging cloud function const exp = Math.floor(Date.now() / 1000) + 60 * 60 * Config.TOKEN_EXPIRED_TIME let debug_token = undefined - if (permissions.includes(FUNCTION_DEBUG.name)) { + if (permissions.includes(FunctionActionDef.InvokeFunction)) { debug_token = getToken({ appid, type: 'debug', exp }, app.config.server_secret_salt) } diff --git a/packages/system-server/src/handler/application/importer.ts b/packages/system-server/src/handler/application/importer.ts index 22382e34a8..04b00cfe2b 100644 --- a/packages/system-server/src/handler/application/importer.ts +++ b/packages/system-server/src/handler/application/importer.ts 
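Review bot: The debug token is now minted when the caller holds `fn:InvokeFunction`; per the groups.ts hunk that action is granted only by `FunctionFullAccess` and `Admin` and is absent from `FunctionReadyOnly`, which is a sensible tightening but is stated nowhere near the check. Add `// InvokeFunction gates debug-token issuance; only FunctionFullAccess/Admin hold it` above the `if`, so a later change to the groups does not silently widen who can obtain a debug token. `getActionsOfRoles` (support/permission, outside this diff) should likewise document that it returns action strings rather than role names, since the local is still called `permissions`. handleGetApplicationByAppid continues outside the hunk.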
@@ -14,13 +14,13 @@ import { import { publishFunctions } from '../../support/function' import { checkPermission } from '../../support/permission' import { publishAccessPolicies } from '../../support/policy' -import { CN_APP_TEMPLATES, CONST_DICTS } from '../../constants' +import { CN_APP_TEMPLATES } from '../../constants' import { ApplicationImporter } from '../../support/importer' import { logger } from '../../support/logger' import { DatabaseAgent } from '../../db' import { Binary, ObjectId } from 'mongodb' +import { ApplicationActionDef } from '../../actions' -const { APPLICATION_ADD } = CONST_DICTS.permissions /** * The handler of import application by id @@ -37,7 +37,7 @@ export async function handleImportApplication(req: Request, res: Response) { if (!file) return res.status(422).send('import file cannot be empty') // check permission - const code = await checkPermission(uid, APPLICATION_ADD.name, app) + const code = await checkPermission(uid, ApplicationActionDef.UpdateApplication, app) if (code) return res.status(code).send() try { @@ -70,7 +70,7 @@ export async function handleInitApplicationWithTemplate( if (!app) return res.status(422).send('invalid appid') // check permission - const code = await checkPermission(uid, APPLICATION_ADD.name, app) + const code = await checkPermission(uid, ApplicationActionDef.UpdateApplication, app) if (code) return res.status(code).send() const coll = DatabaseAgent.db.collection(CN_APP_TEMPLATES) diff --git a/packages/system-server/src/handler/application/instance-restart.ts b/packages/system-server/src/handler/application/instance-restart.ts index aac39fae6e..ac7de66022 100644 --- a/packages/system-server/src/handler/application/instance-restart.ts +++ b/packages/system-server/src/handler/application/instance-restart.ts 
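Review bot: Both import handlers now check only `ApplicationActionDef.UpdateApplication`, yet the imported bundle writes cloud functions and access policies (`publishFunctions` and `publishAccessPolicies` remain imported at the top of the first hunk), so a collaborator holding `ApplicationFullAccess` but neither `FunctionFullAccess` nor `DatabaseFullAccess` can create and publish functions and policies through this path, bypassing the per-resource actions the rest of this commit introduces. Either additionally require `FunctionActionDef.CreateFunction`/`PublishFunction` and `DatabaseActionDef.CreatePolicy`/`PublishPolicy` here, or document the decision at the check: `// import overwrites functions and policies; UpdateApplication is treated as implying those writes`. The same applies to `handleInitApplicationWithTemplate` in the third hunk; both function bodies continue outside their hunks.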
@@ -8,9 +8,7 @@ import { Request, Response } from 'express' import { getApplicationByAppid, InstanceStatus, updateApplicationStatus } from '../../support/application' import { checkPermission } from '../../support/permission' -import { permissions } from '../../permissions' - -const { APPLICATION_UPDATE } = permissions +import { ApplicationActionDef } from '../../actions' /** @@ -25,7 +23,7 @@ export async function handleRestartInstance(req: Request, res: Response) { return res.status(422).send('app not found') // check permission - const code = await checkPermission(uid, APPLICATION_UPDATE.name, app) + const code = await checkPermission(uid, ApplicationActionDef.StopInstance, app) if (code) return res.status(code).send() diff --git a/packages/system-server/src/handler/application/instance-start.ts b/packages/system-server/src/handler/application/instance-start.ts index 6e090e135c..83ea4f6cc8 100644 --- a/packages/system-server/src/handler/application/instance-start.ts +++ b/packages/system-server/src/handler/application/instance-start.ts @@ -8,9 +8,8 @@ import { Request, Response } from 'express' import { getApplicationByAppid, InstanceStatus, updateApplicationStatus } from '../../support/application' import { checkPermission } from '../../support/permission' -import { permissions } from '../../permissions' +import { ApplicationActionDef } from '../../actions' -const { APPLICATION_UPDATE } = permissions /** * The handler of starting application instance @@ -24,7 +23,7 @@ export async function handleStartInstance(req: Request, res: Response) { return res.status(422).send('app not found') // check permission - const code = await checkPermission(uid, APPLICATION_UPDATE.name, app) + const code = await checkPermission(uid, ApplicationActionDef.StartInstance, app) if (code) return res.status(code).send() 
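Review bot: `handleRestartInstance` checks only `ApplicationActionDef.StopInstance`, but a restart also starts the instance. With the built-in `InstanceOperator` group both actions travel together, so this is only a gap if roles can be composed more finely (no custom-role path is visible in this diff), but the check should state the real requirement: `const code = await checkPermission(uid, ApplicationActionDef.StopInstance, app) || await checkPermission(uid, ApplicationActionDef.StartInstance, app)`. A comment `// restart = stop + start: require both` makes the intent explicit. The function body continues outside the hunk.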
diff --git a/packages/system-server/src/handler/application/instance-stop.ts b/packages/system-server/src/handler/application/instance-stop.ts index 0ccabcdf6c..74580feaf5 100644 --- a/packages/system-server/src/handler/application/instance-stop.ts +++ b/packages/system-server/src/handler/application/instance-stop.ts @@ -8,9 +8,8 @@ import { Request, Response } from 'express' import { getApplicationByAppid, InstanceStatus, updateApplicationStatus } from '../../support/application' import { checkPermission } from '../../support/permission' -import { permissions } from '../../permissions' +import { ApplicationActionDef } from '../../actions' -const { APPLICATION_UPDATE } = permissions /** * The handler of stopping application @@ -23,7 +22,7 @@ export async function handleStopInstance(req: Request, res: Response) { return res.status(422).send('app not found') // check permission - const code = await checkPermission(uid, APPLICATION_UPDATE.name, app) + const code = await checkPermission(uid, ApplicationActionDef.StopInstance, app) if (code) return res.status(code).send() diff --git a/packages/system-server/src/handler/application/packages.ts b/packages/system-server/src/handler/application/packages.ts index d9c0e01c69..363f68011d 100644 --- a/packages/system-server/src/handler/application/packages.ts +++ b/packages/system-server/src/handler/application/packages.ts @@ -10,9 +10,7 @@ import { IApplicationData, getApplicationByAppid, publishApplicationPackages } f import { checkPermission } from '../../support/permission' import { CN_APPLICATIONS } from '../../constants' import { DatabaseAgent } from '../../db' -import { permissions } from '../../permissions' - -const { APPLICATION_READ, APPLICATION_UPDATE } = permissions +import { ApplicationActionDef } from '../../actions' /** * Get packages from app 
@@ -25,7 +23,7 @@ export async function handleGetPackages(req: Request, res: Response) { return res.status(422).send('app not found') // check permission - const code = await checkPermission(uid, APPLICATION_READ.name, app) + const code = await checkPermission(uid, ApplicationActionDef.GetApplication, app) if (code) { return res.status(code).send() } @@ -53,7 +51,7 @@ export async function handleAddPackage(req: Request, res: Response) { return res.status(422).send('app not found') // check permission - const code = await checkPermission(uid, APPLICATION_UPDATE.name, app) + const code = await checkPermission(uid, ApplicationActionDef.UpdateApplication, app) if (code) { return res.status(code).send() } @@ -96,7 +94,7 @@ export async function handleRemovePackage(req: Request, res: Response) { return res.status(422).send('app not found') // check permission - const code = await checkPermission(uid, APPLICATION_UPDATE.name, app) + const code = await checkPermission(uid, ApplicationActionDef.UpdateApplication, app) if (code) { return res.status(code).send() } @@ -141,7 +139,7 @@ export async function handleUpdatePackage(req: Request, res: Response) { return res.status(422).send('app not found') // check permission - const code = await checkPermission(uid, APPLICATION_UPDATE.name, app) + const code = await checkPermission(uid, ApplicationActionDef.UpdateApplication, app) if (code) { return res.status(code).send() } diff --git a/packages/system-server/src/handler/application/remove.ts b/packages/system-server/src/handler/application/remove.ts index 608f04e381..0f43b16082 100644 --- a/packages/system-server/src/handler/application/remove.ts +++ b/packages/system-server/src/handler/application/remove.ts 
@@ -10,10 +10,10 @@ import { Request, Response } from 'express' import { RecycleCollector } from '../../support/recycle' import { getApplicationByAppid } from '../../support/application' import { checkPermission } from '../../support/permission' -import { CN_APPLICATIONS, CONST_DICTS } from '../../constants' +import { CN_APPLICATIONS } from '../../constants' import { DatabaseAgent } from '../../db' +import { ApplicationActionDef } from '../../actions' -const { APPLICATION_REMOVE } = CONST_DICTS.permissions /** * The handler of removing application @@ -33,7 +33,7 @@ export async function handleRemoveApplication(req: Request, res: Response) { } // check permission - const code = await checkPermission(uid, APPLICATION_REMOVE.name, app) + const code = await checkPermission(uid, ApplicationActionDef.DeleteApplication, app) if (code) { return res.status(code).send() } diff --git a/packages/system-server/src/handler/application/update.ts b/packages/system-server/src/handler/application/update.ts index cea32be851..d978f71645 100644 --- a/packages/system-server/src/handler/application/update.ts +++ b/packages/system-server/src/handler/application/update.ts @@ -10,9 +10,8 @@ import { IApplicationData, getApplicationByAppid } from '../../support/applicati import { checkPermission } from '../../support/permission' import { CN_APPLICATIONS } from '../../constants' import { DatabaseAgent } from '../../db' -import { permissions } from '../../permissions' +import { ApplicationActionDef } from '../../actions' -const { APPLICATION_UPDATE } = permissions /** * The handler of updating application @@ -26,7 +25,7 @@ export async function handleUpdateApplication(req: Request, res: Response) { return res.status(422).send('app not found') // check permission - const code = await checkPermission(uid, APPLICATION_UPDATE.name, app) + const code = await checkPermission(uid, ApplicationActionDef.UpdateApplication, app) if (code) { return res.status(code).send() } 
diff --git a/packages/system-server/src/handler/dbm/add-index.ts b/packages/system-server/src/handler/dbm/add-index.ts index 6bfc020e48..a1618b3833 100644 --- a/packages/system-server/src/handler/dbm/add-index.ts +++ b/packages/system-server/src/handler/dbm/add-index.ts @@ -7,7 +7,7 @@ import { IApplicationData, getApplicationDbAccessor } from '../../support/application' import { checkPermission } from '../../support/permission' -import { permissions } from '../../permissions' +import { DatabaseActionDef } from '../../actions' import { Request, Response } from 'express' @@ -25,7 +25,7 @@ export async function handleCreateIndex(req: Request, res: Response) { const app: IApplicationData = req['parsed-app'] // check permission - const code = await checkPermission(uid, permissions.DATABASE_MANAGE.name, app) + const code = await checkPermission(uid, DatabaseActionDef.UpdateCollection, app) if (code) { return res.status(code).send() } diff --git a/packages/system-server/src/handler/dbm/create.ts b/packages/system-server/src/handler/dbm/create.ts index 0c6021db3a..89015cd4f8 100644 --- a/packages/system-server/src/handler/dbm/create.ts +++ b/packages/system-server/src/handler/dbm/create.ts @@ -7,7 +7,7 @@ import { IApplicationData, getApplicationDbAccessor } from '../../support/application' import { checkPermission } from '../../support/permission' -import { permissions } from '../../permissions' +import { DatabaseActionDef } from '../../actions' import { Request, Response } from 'express' @@ -19,7 +19,7 @@ export async function handleCreateCollection(req: Request, res: Response) { const app: IApplicationData = req['parsed-app'] // check permission - const code = await checkPermission(uid, permissions.DATABASE_MANAGE.name, app) + const code = await checkPermission(uid, DatabaseActionDef.CreateCollection, app) if (code) { return res.status(code).send() } 
diff --git a/packages/system-server/src/handler/dbm/delete-index.ts b/packages/system-server/src/handler/dbm/delete-index.ts index de78fbedb4..4f625c7f36 100644 --- a/packages/system-server/src/handler/dbm/delete-index.ts +++ b/packages/system-server/src/handler/dbm/delete-index.ts @@ -7,7 +7,7 @@ import { IApplicationData, getApplicationDbAccessor } from '../../support/application' import { checkPermission } from '../../support/permission' -import { permissions } from '../../permissions' +import { DatabaseActionDef } from '../../actions' import { Request, Response } from 'express' @@ -24,7 +24,7 @@ export async function handleDeleteIndex(req: Request, res: Response) { const app: IApplicationData = req['parsed-app'] // check permission - const code = await checkPermission(uid, permissions.DATABASE_MANAGE.name, app) + const code = await checkPermission(uid, DatabaseActionDef.UpdateCollection, app) if (code) { return res.status(code).send() } diff --git a/packages/system-server/src/handler/dbm/get-indexes.ts b/packages/system-server/src/handler/dbm/get-indexes.ts index ea7c069eb1..ce3ac173c0 100644 --- a/packages/system-server/src/handler/dbm/get-indexes.ts +++ b/packages/system-server/src/handler/dbm/get-indexes.ts @@ -7,7 +7,7 @@ import { IApplicationData, getApplicationDbAccessor } from '../../support/application' import { checkPermission } from '../../support/permission' -import { permissions } from '../../permissions' +import { DatabaseActionDef } from '../../actions' import { Request, Response } from 'express' @@ -24,7 +24,7 @@ export async function handleGetIndexesOfCollection(req: Request, res: Response) const app: IApplicationData = req['parsed-app'] // check permission - const code = await checkPermission(uid, permissions.DATABASE_MANAGE.name, app) + const code = await checkPermission(uid, DatabaseActionDef.ListCollections, app) if (code) { return res.status(code).send() } 
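Review bot: `handleGetIndexesOfCollection` reads one collection but is gated on `DatabaseActionDef.ListCollections`, although `DatabaseActionDef.GetCollection` exists and is likewise part of `DatabaseReadyOnly`; the function handlers in this commit use `GetFunction` for single-resource reads, so for consistency use `const code = await checkPermission(uid, DatabaseActionDef.GetCollection, app)`. The same verb mismatch appears in function/get.ts, where `handleGetFunctionHistory` (one function's history) checks `ListFunctions` instead of `GetFunction`. Neither widens access today because both actions sit in the same groups, but the action names are what future groups will be composed from, so the verb should match what the handler does.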
diff --git a/packages/system-server/src/handler/dbm/get.ts b/packages/system-server/src/handler/dbm/get.ts index f23fd406d3..538a3d38ea 100644 --- a/packages/system-server/src/handler/dbm/get.ts +++ b/packages/system-server/src/handler/dbm/get.ts @@ -7,7 +7,7 @@ import { IApplicationData, getApplicationDbAccessor } from '../../support/application' import { checkPermission } from '../../support/permission' -import { permissions } from '../../permissions' +import { DatabaseActionDef } from '../../actions' import { Request, Response } from 'express' @@ -19,7 +19,7 @@ export async function handleCollectionList(req: Request, res: Response) { const app: IApplicationData = req['parsed-app'] // check permission - const code = await checkPermission(uid, permissions.DATABASE_MANAGE.name, app) + const code = await checkPermission(uid, DatabaseActionDef.ListCollections, app) if (code) { return res.status(code).send() } diff --git a/packages/system-server/src/handler/dbm/proxy.ts b/packages/system-server/src/handler/dbm/proxy.ts index dfe6f25c77..7b70f47ca6 100644 --- a/packages/system-server/src/handler/dbm/proxy.ts +++ b/packages/system-server/src/handler/dbm/proxy.ts @@ -5,10 +5,10 @@ * @Description: */ -import { Proxy, Policy } from 'database-proxy' +import { Proxy, Policy, ActionType } from 'database-proxy' import { IApplicationData, getApplicationDbAccessor } from '../../support/application' import { checkPermission } from '../../support/permission' -import { permissions } from '../../permissions' +import { DatabaseActionDef } from '../../actions' import { Request, Response } from 'express' 
@@ -19,12 +19,6 @@ export async function handleDbProxy(req: Request, res: Response) {
 const uid = req['auth']?.uid
 const app: IApplicationData = req['parsed-app']
- // check permission
- const code = await checkPermission(uid, permissions.DATABASE_MANAGE.name, app)
- if (code) {
- return res.status(code).send()
- }
-
 const accessor = await getApplicationDbAccessor(app)
 // don't need policy rules, open all collections' access permission for dbm use
@@ -33,6 +27,14 @@ export async function handleDbProxy(req: Request, res: Response) {
 // parse params
 const params = proxy.parseParams(req.body)
+ // check permission
+ const code = await checkDatabaseActionPermission(params.action, uid, app)
+ if (code) {
+ return res.status(code).send()
+ }
+
+ params.action
+
 // execute query
 try {
 const data = await proxy.execute(params)
@@ -57,3 +59,37 @@ export async function handleDbProxy(req: Request, res: Response) {
 })
 }
 }
+
+
+
+async function checkDatabaseActionPermission(dbAction: ActionType, uid: string, app: IApplicationData) {
+ let action = ''
+ switch (dbAction) {
+ case ActionType.ADD:
+ action = DatabaseActionDef.CreateDocument
+ break
+ case ActionType.UPDATE:
+ action = DatabaseActionDef.UpdateDocument
+ break
+ case ActionType.REMOVE:
+ action = DatabaseActionDef.DeleteDocument
+ break
+ case ActionType.READ:
+ action = DatabaseActionDef.ListDocuments
+ break
+ case ActionType.COUNT:
+ action = DatabaseActionDef.ListDocuments
+ break
+ case ActionType.AGGREGATE:
+ action = DatabaseActionDef.ListDocuments
+ break
+ case ActionType.WATCH:
+ action = DatabaseActionDef.ListDocuments
+ break
+ default:
+ action = DatabaseActionDef.DeleteDocument
+ }
+
+ const code = await checkPermission(uid, action, app)
+ return code
+}
\ No newline at end of file
diff --git a/packages/system-server/src/handler/dbm/update.ts b/packages/system-server/src/handler/dbm/update.ts
index 07cf8c941c..d5f5110174 100644
--- a/packages/system-server/src/handler/dbm/update.ts
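Review bot: In `checkDatabaseActionPermission` the `default` branch maps any unrecognised `ActionType` to `DatabaseActionDef.DeleteDocument`, so an action value the switch does not know is still handed to `proxy.execute` whenever the caller has full database access; an authorization switch should fail closed and refuse what it cannot classify. The second hunk also leaves a bare `params.action` expression statement before `// execute query` that does nothing and should be deleted, and the four read-type cases can share one branch. The check now runs after `getApplicationDbAccessor(app)` and `proxy.parseParams(req.body)`, so bodies are parsed for callers who will then be rejected; that is inherent to deriving the action from the body but deserves a comment at the call. A table-driven version that rejects unknown actions:
```typescript
// … unchanged: handleDbProxy …

/** Permission required for each database-proxy action; actions absent here are refused. */
const DB_ACTION_PERMISSION: Partial<Record<ActionType, string>> = {
  [ActionType.ADD]: DatabaseActionDef.CreateDocument,
  [ActionType.UPDATE]: DatabaseActionDef.UpdateDocument,
  [ActionType.REMOVE]: DatabaseActionDef.DeleteDocument,
  [ActionType.READ]: DatabaseActionDef.ListDocuments,
  [ActionType.COUNT]: DatabaseActionDef.ListDocuments,
  [ActionType.AGGREGATE]: DatabaseActionDef.ListDocuments,
  [ActionType.WATCH]: DatabaseActionDef.ListDocuments,
}

async function checkDatabaseActionPermission(dbAction: ActionType, uid: string, app: IApplicationData) {
  const action = DB_ACTION_PERMISSION[dbAction]
  // fail closed: an action not in the table is refused instead of being mapped to some permission
  if (!action) return 403
  return checkPermission(uid, action, app)
}
```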
+++ b/packages/system-server/src/handler/dbm/update.ts @@ -7,7 +7,7 @@ import { IApplicationData, getApplicationDbAccessor } from '../../support/application' import { checkPermission } from '../../support/permission' -import { permissions } from '../../permissions' +import { DatabaseActionDef } from '../../actions' import { Request, Response } from 'express' @@ -19,7 +19,7 @@ export async function handleUpdateCollection(req: Request, res: Response) { const app: IApplicationData = req['parsed-app'] // check permission - const code = await checkPermission(uid, permissions.DATABASE_MANAGE.name, app) + const code = await checkPermission(uid, DatabaseActionDef.UpdateCollection, app) if (code) { return res.status(code).send() } diff --git a/packages/system-server/src/handler/function/create.ts b/packages/system-server/src/handler/function/create.ts index 8c4d45fca4..c3b2391783 100644 --- a/packages/system-server/src/handler/function/create.ts +++ b/packages/system-server/src/handler/function/create.ts @@ -10,12 +10,11 @@ import { Request, Response } from 'express' import { IApplicationData } from '../../support/application' import { checkPermission } from '../../support/permission' import { CN_FUNCTIONS } from '../../constants' -import { permissions } from '../../permissions' +import { FunctionActionDef } from '../../actions' import { DatabaseAgent } from '../../db' import { hashFunctionCode } from '../../support/util-passwd' import { compileTs2js } from '../../support/util-lang' -const { FUNCTION_ADD } = permissions /** * Create function @@ -26,7 +25,7 @@ export async function handleCreateFunction(req: Request, res: Response) { const app: IApplicationData = req['parsed-app'] // check permission - const code = await checkPermission(uid, FUNCTION_ADD.name, app) + const code = await checkPermission(uid, FunctionActionDef.CreateFunction, app) if (code) { return res.status(code).send() } 
diff --git a/packages/system-server/src/handler/function/get.ts b/packages/system-server/src/handler/function/get.ts index 75d6587965..d245a0274c 100644 --- a/packages/system-server/src/handler/function/get.ts +++ b/packages/system-server/src/handler/function/get.ts @@ -11,11 +11,9 @@ import { IApplicationData, getApplicationDbAccessor } from '../../support/applic import { ICloudFunctionData, getFunctionById } from '../../support/function' import { checkPermission } from '../../support/permission' import { CN_ACCOUNTS, CN_FUNCTIONS, CN_FUNCTION_HISTORY, CN_PUBLISHED_FUNCTIONS } from '../../constants' -import { permissions } from '../../permissions' +import { FunctionActionDef } from '../../actions' import { DatabaseAgent } from '../../db' -const { FUNCTION_READ } = permissions - /** * Get functions @@ -25,7 +23,7 @@ export async function handleGetFunctions(req: Request, res: Response) { const app: IApplicationData = req['parsed-app'] // check permission - const code = await checkPermission(req['auth']?.uid, FUNCTION_READ.name, app) + const code = await checkPermission(req['auth']?.uid, FunctionActionDef.ListFunctions, app) if (code) { return res.status(code).send() } @@ -87,7 +85,7 @@ export async function handleGetFunctionById(req: Request, res: Response) { const func_id = req.params.func_id // check permission - const code = await checkPermission(req['auth']?.uid, FUNCTION_READ.name, app) + const code = await checkPermission(req['auth']?.uid, FunctionActionDef.GetFunction, app) if (code) { return res.status(code).send() } @@ -105,7 +103,7 @@ export async function handleGetAllFunctionTags(req: Request, res: Response) { const app: IApplicationData = req['parsed-app'] // check permission - const code = await checkPermission(req['auth']?.uid, FUNCTION_READ.name, app) + const code = await checkPermission(req['auth']?.uid, FunctionActionDef.ListFunctions, app) if (code) { return res.status(code).send() } 
@@ -131,7 +129,7 @@ export async function handleGetPublishedFunctions(req: Request, res: Response) { } // check permission - const code = await checkPermission(req['auth']?.uid, FUNCTION_READ.name, app) + const code = await checkPermission(req['auth']?.uid, FunctionActionDef.ListFunctions, app) if (code) { return res.status(code).send() } @@ -161,7 +159,7 @@ export async function handleGetFunctionHistory(req: Request, res: Response) { const func_id = req.params.func_id // check permission - const code = await checkPermission(req['auth']?.uid, FUNCTION_READ.name, app) + const code = await checkPermission(req['auth']?.uid, FunctionActionDef.ListFunctions, app) if (code) { return res.status(code).send() } diff --git a/packages/system-server/src/handler/function/logs.ts b/packages/system-server/src/handler/function/logs.ts index acc4545e92..0f7d7bf214 100644 --- a/packages/system-server/src/handler/function/logs.ts +++ b/packages/system-server/src/handler/function/logs.ts @@ -8,11 +8,9 @@ import { Request, Response } from 'express' import { IApplicationData, getApplicationDbAccessor } from '../../support/application' import { checkPermission } from '../../support/permission' -import { permissions } from '../../permissions' +import { FunctionActionDef } from '../../actions' import { ObjectId } from 'mongodb' -const { FUNCTION_READ } = permissions - /** * Get function logs @@ -23,7 +21,7 @@ export async function handleGetFunctionLogs(req: Request, res: Response) { const db = accessor.db // check permission - const code = await checkPermission(req['auth']?.uid, FUNCTION_READ.name, app) + const code = await checkPermission(req['auth']?.uid, FunctionActionDef.ListLogs, app) if (code) { return res.status(code).send() } diff --git a/packages/system-server/src/handler/function/publish.ts b/packages/system-server/src/handler/function/publish.ts index dc07657948..c335f11a20 100644 --- a/packages/system-server/src/handler/function/publish.ts 
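Review bot: handleGetFunctionHistory is keyed by `req.params.func_id` but is now checked against `FunctionActionDef.ListFunctions`, while handleGetFunctionById in the same file uses `FunctionActionDef.GetFunction` for the equivalent single-function read; a principal granted only GetFunction is denied the history of a function it may read, and one granted only ListFunctions can read whatever the history collection holds (presumably prior code versions). Use the per-function action here: `const code = await checkPermission(req['auth']?.uid, FunctionActionDef.GetFunction, app)`. The handler's body continues outside the hunk.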
+++ b/packages/system-server/src/handler/function/publish.ts @@ -10,11 +10,9 @@ import { IApplicationData } from '../../support/application' import { publishFunctions, publishOneFunction } from '../../support/function' import { checkPermission } from '../../support/permission' import Config from '../../config' -import { permissions } from '../../permissions' +import { FunctionActionDef } from '../../actions' import { logger } from '../../support/logger' -const { PUBLISH_FUNCTION } = permissions - /** * Publish functions @@ -24,7 +22,7 @@ export async function handlePublishFunctions(req: Request, res: Response) { const app: IApplicationData = req['parsed-app'] // check permission - const code = await checkPermission(uid, PUBLISH_FUNCTION.name, app) + const code = await checkPermission(uid, FunctionActionDef.PublishFunction, app) if (code) { return res.status(code).send() } @@ -52,7 +50,7 @@ export async function handlePublishOneFunction(req: Request, res: Response) { const app: IApplicationData = req['parsed-app'] // check permission - const code = await checkPermission(uid, PUBLISH_FUNCTION.name, app) + const code = await checkPermission(uid, FunctionActionDef.PublishFunction, app) if (code) { return res.status(code).send() } diff --git a/packages/system-server/src/handler/function/remove.ts b/packages/system-server/src/handler/function/remove.ts index 2798c23a1d..13911bb447 100644 --- a/packages/system-server/src/handler/function/remove.ts +++ b/packages/system-server/src/handler/function/remove.ts @@ -11,11 +11,9 @@ import { ObjectId } from 'mongodb' import { IApplicationData } from '../../support/application' import { checkPermission } from '../../support/permission' import { CN_FUNCTIONS } from '../../constants' -import { permissions } from '../../permissions' +import { FunctionActionDef } from '../../actions' import { DatabaseAgent } from '../../db' -const { FUNCTION_REMOVE } = permissions - /** * Remove a function by id */ 
@@ -25,7 +23,7 @@ export async function handleRemoveFunctionById(req: Request, res: Response) { const func_id = req.params.func_id // check permission - const code = await checkPermission(req['auth']?.uid, FUNCTION_REMOVE.name, app) + const code = await checkPermission(req['auth']?.uid, FunctionActionDef.DeleteFunction, app) if (code) { return res.status(code).send() } diff --git a/packages/system-server/src/handler/function/trigger.ts b/packages/system-server/src/handler/function/trigger.ts index 60a08fa367..3a7d3a0c0f 100644 --- a/packages/system-server/src/handler/function/trigger.ts +++ b/packages/system-server/src/handler/function/trigger.ts @@ -11,10 +11,9 @@ import { ObjectId } from 'mongodb' import { IApplicationData } from '../../support/application' import { checkPermission } from '../../support/permission' import { CN_FUNCTIONS } from '../../constants' -import { permissions } from '../../permissions' +import { FunctionActionDef } from '../../actions' import { DatabaseAgent } from '../../db' -const { TRIGGER_ADD } = permissions /** * Create trigger @@ -26,7 +25,7 @@ export async function handleCreateTrigger(req: Request, res: Response) { const func_id = req.params.func_id // check permission - const code = await checkPermission(uid, TRIGGER_ADD.name, app) + const code = await checkPermission(uid, FunctionActionDef.UpdateFunction, app) if (code) { return res.status(code).send() } @@ -96,7 +95,7 @@ export async function handleUpdateTrigger(req: Request, res: Response) { const trigger_id = req.params.trigger_id // check permission - const code = await checkPermission(uid, TRIGGER_ADD.name, app) + const code = await checkPermission(uid, FunctionActionDef.UpdateFunction, app) if (code) { return res.status(code).send() } 
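Review bot: Trigger creation (and update/removal in the sibling hunks) is now authorized by `FunctionActionDef.UpdateFunction` with no trigger-specific action, replacing the `trigger.add` grant that the deleted permissions.ts kept separate from `function.update`. The collapse is defensible since a trigger hangs off `req.params.func_id`, but nothing in the code says so, and an action name that does not match the operation reads like a copy-paste error to the next maintainer. Add a one-line comment above the check: `// triggers are attributes of a function, so they are governed by fn:UpdateFunction`. handleCreateTrigger's body continues outside the hunk.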
@@ -149,7 +148,7 @@ export async function handleRemoveTrigger(req: Request, res: Response) { const trigger_id = req.params.trigger_id // check permission - const code = await checkPermission(uid, TRIGGER_ADD.name, app) + const code = await checkPermission(uid, FunctionActionDef.UpdateFunction, app) if (code) { return res.status(code).send() } diff --git a/packages/system-server/src/handler/function/update.ts b/packages/system-server/src/handler/function/update.ts index 2c654e439a..4f6b479a00 100644 --- a/packages/system-server/src/handler/function/update.ts +++ b/packages/system-server/src/handler/function/update.ts @@ -12,12 +12,11 @@ import { IApplicationData } from '../../support/application' import { getFunctionById } from '../../support/function' import { checkPermission } from '../../support/permission' import { CN_FUNCTIONS, CN_FUNCTION_HISTORY } from '../../constants' -import { permissions } from '../../permissions' +import { FunctionActionDef } from '../../actions' import { DatabaseAgent } from '../../db' import { hashFunctionCode } from '../../support/util-passwd' import { compileTs2js } from '../../support/util-lang' -const { FUNCTION_UPDATE, FUNCTION_DEBUG } = permissions /** * Update function's basic info @@ -29,7 +28,7 @@ export async function handleUpdateFunction(req: Request, res: Response) { const func_id = req.params.func_id // check permission - const code = await checkPermission(uid, FUNCTION_UPDATE.name, app) + const code = await checkPermission(uid, FunctionActionDef.UpdateFunction, app) if (code) { return res.status(code).send() } @@ -93,7 +92,7 @@ export async function handleUpdateFunctionCode(req: Request, res: Response) { const func_id = req.params.func_id // check permission - const code = await checkPermission(uid, FUNCTION_UPDATE.name, app) + const code = await checkPermission(uid, FunctionActionDef.UpdateFunction, app) if (code) { return res.status(code).send() } 
@@ -150,7 +149,7 @@ export async function handleCompileFunctionCode(req: Request, res: Response) { const func_id = req.params.func_id // check permission - const code = await checkPermission(uid, FUNCTION_DEBUG.name, app) + const code = await checkPermission(uid, FunctionActionDef.InvokeFunction, app) if (code) { return res.status(code).send() } diff --git a/packages/system-server/src/handler/oss/add-bucket.ts b/packages/system-server/src/handler/oss/add-bucket.ts index b5d56ed9bb..1b937610f5 100644 --- a/packages/system-server/src/handler/oss/add-bucket.ts +++ b/packages/system-server/src/handler/oss/add-bucket.ts @@ -8,10 +8,11 @@ import { Request, Response } from 'express' import { IApplicationData } from '../../support/application' import { checkPermission } from '../../support/permission' -import { BUCKET_QUOTA_MIN, CN_APPLICATIONS, CONST_DICTS, REGEX_BUCKET_NAME } from '../../constants' +import { BUCKET_QUOTA_MIN, CN_APPLICATIONS, REGEX_BUCKET_NAME } from '../../constants' import { DatabaseAgent } from '../../db' import { BUCKET_ACL, MinioAgent } from '../../support/minio' import { OssSupport } from '../../support/oss' +import { StorageActionDef } from '../../actions' /** * The handler of creating a bucket @@ -42,8 +43,7 @@ export async function handleCreateBucket(req: Request, res: Response) { } // check permission - const { FILE_BUCKET_ADD } = CONST_DICTS.permissions - const code = await checkPermission(uid, FILE_BUCKET_ADD.name, app) + const code = await checkPermission(uid, StorageActionDef.CreateBucket, app) if (code) { return res.status(code).send() } diff --git a/packages/system-server/src/handler/oss/delete-bucket.ts b/packages/system-server/src/handler/oss/delete-bucket.ts index 38c908f8c1..d6f36bf1c4 100644 --- a/packages/system-server/src/handler/oss/delete-bucket.ts +++ b/packages/system-server/src/handler/oss/delete-bucket.ts 
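Review bot: handleCompileFunctionCode is now gated on `FunctionActionDef.InvokeFunction` where it previously required `function.debug`; compiling submitted source is an authoring/debug operation rather than an invocation, so the permission that controls calling functions now also opens the compile endpoint. If the new action table has no dedicated debug action, record the intent so the mapping is not mistaken for a typo: `// compile is part of the debug flow, which shares fn:InvokeFunction`; otherwise use that action here. The handler's body continues outside the hunk.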
@@ -8,9 +8,10 @@ import { Request, Response } from 'express' import { IApplicationData } from '../../support/application' import { checkPermission } from '../../support/permission' -import { CN_APPLICATIONS, CONST_DICTS } from '../../constants' +import { CN_APPLICATIONS } from '../../constants' import { DatabaseAgent } from '../../db' import { MinioAgent } from '../../support/minio' +import { StorageActionDef } from '../../actions' /** * The handler of deleting a bucket @@ -22,8 +23,7 @@ export async function handleDeleteBucket(req: Request, res: Response) { const app: IApplicationData = req['parsed-app'] // check permission - const { FILE_BUCKET_REMOVE } = CONST_DICTS.permissions - const code = await checkPermission(uid, FILE_BUCKET_REMOVE.name, app) + const code = await checkPermission(uid, StorageActionDef.DeleteBucket, app) if (code) { return res.status(code).send() } diff --git a/packages/system-server/src/handler/oss/get-buckets.ts b/packages/system-server/src/handler/oss/get-buckets.ts index a584f76031..66f28c3ffd 100644 --- a/packages/system-server/src/handler/oss/get-buckets.ts +++ b/packages/system-server/src/handler/oss/get-buckets.ts @@ -10,7 +10,7 @@ import { IApplicationData } from '../../support/application' import { MinioAgent } from '../../support/minio' import { checkPermission } from '../../support/permission' import Config from '../../config' -import { CONST_DICTS } from '../../constants' +import { StorageActionDef } from '../../actions' /** * The handler of getting bucket lists of an application @@ -20,8 +20,7 @@ export async function handleGetBuckets(req: Request, res: Response) { const app: IApplicationData = req['parsed-app'] // check permission - const { FILE_READ } = CONST_DICTS.permissions - const code = await checkPermission(uid, FILE_READ.name, app) + const code = await checkPermission(uid, StorageActionDef.ListBuckets, app) if (code) { return res.status(code).send() } 
@@ -41,8 +40,7 @@ export async function handleGetOneBucket(req: Request, res: Response) { const name = req.params.bucket // check permission - const { FILE_READ } = CONST_DICTS.permissions - const code = await checkPermission(uid, FILE_READ.name, app) + const code = await checkPermission(uid, StorageActionDef.GetBucket, app) if (code) { return res.status(code).send() } diff --git a/packages/system-server/src/handler/oss/update-bucket.ts b/packages/system-server/src/handler/oss/update-bucket.ts index 1a275d96dc..6598c425e1 100644 --- a/packages/system-server/src/handler/oss/update-bucket.ts +++ b/packages/system-server/src/handler/oss/update-bucket.ts @@ -8,10 +8,11 @@ import { Request, Response } from 'express' import { IApplicationData } from '../../support/application' import { checkPermission } from '../../support/permission' -import { BUCKET_QUOTA_MIN, CN_APPLICATIONS, CONST_DICTS } from '../../constants' +import { BUCKET_QUOTA_MIN, CN_APPLICATIONS } from '../../constants' import { DatabaseAgent } from '../../db' import { BUCKET_ACL, MinioAgent } from '../../support/minio' import { OssSupport } from '../../support/oss' +import { StorageActionDef } from '../../actions' /** * The handler of updating a bucket @@ -27,8 +28,7 @@ export async function handleSetBucketPolicy(req: Request, res: Response) { const app: IApplicationData = req['parsed-app'] // check permission - const { FILE_BUCKET_ADD } = CONST_DICTS.permissions - const code = await checkPermission(uid, FILE_BUCKET_ADD.name, app) + const code = await checkPermission(uid, StorageActionDef.CreateBucket, app) if (code) { return res.status(code).send() } diff --git a/packages/system-server/src/handler/oss/update-service-account.ts b/packages/system-server/src/handler/oss/update-service-account.ts index 5de251edb1..defc185766 100644 --- a/packages/system-server/src/handler/oss/update-service-account.ts +++ b/packages/system-server/src/handler/oss/update-service-account.ts 
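Review bot: handleSetBucketPolicy modifies an existing bucket's policy but is authorized with `StorageActionDef.CreateBucket`, carrying over the old `file.bucket.add` mapping rather than using an update action; a principal allowed only to create buckets can therefore change the ACL of any bucket in the application, which presumably includes making it public. If the new action table defines an update action for buckets, use it here: `const code = await checkPermission(uid, StorageActionDef.UpdateBucket, app)`; if it does not, add one instead of reusing CreateBucket. The handler's body continues outside the hunk.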
@@ -8,10 +8,11 @@ import { Request, Response } from 'express' import { IApplicationData } from '../../support/application' import { checkPermission } from '../../support/permission' -import { CN_OSS_SERVICE_ACCOUNT, CONST_DICTS } from '../../constants' +import { CN_OSS_SERVICE_ACCOUNT } from '../../constants' import { DatabaseAgent } from '../../db' import { MinioAgent } from '../../support/minio' import { logger } from '../../support/logger' +import { StorageActionDef } from '../../actions' /** * The handler of creating a bucket @@ -22,8 +23,7 @@ export async function handleUpdateServiceAccount(req: Request, res: Response) { const uid = req['auth']?.uid const app: IApplicationData = req['parsed-app'] // check permission - const { FILE_BUCKET_ADD } = CONST_DICTS.permissions - const code = await checkPermission(uid, FILE_BUCKET_ADD.name, app) + const code = await checkPermission(uid, StorageActionDef.CreateServiceAccount, app) if (code) { return res.status(code).send() } diff --git a/packages/system-server/src/handler/policy/create.ts b/packages/system-server/src/handler/policy/create.ts index ae59f2b14f..4aa8eb2277 100644 --- a/packages/system-server/src/handler/policy/create.ts +++ b/packages/system-server/src/handler/policy/create.ts @@ -10,11 +10,10 @@ import { ObjectId } from 'mongodb' import { IApplicationData } from '../../support/application' import { checkPermission } from '../../support/permission' import { CN_POLICIES } from '../../constants' -import { permissions } from '../../permissions' +import { DatabaseActionDef } from '../../actions' import { DatabaseAgent } from '../../db' import { hashFunctionCode } from '../../support/util-passwd' -const { POLICY_ADD } = permissions /** * Create policy 
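Review bot: The doc comment carried as context in this hunk, `The handler of creating a bucket`, is wrong for handleUpdateServiceAccount, and the commit makes the mismatch sharper by authorizing the handler with `StorageActionDef.CreateServiceAccount` while leaving the header untouched. Replace it with a comment that matches the action, e.g. `/** The handler of creating/updating the application's OSS service account */` (the exact semantics are outside the hunk and should be confirmed against the body). The handler's body continues outside the hunk.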
@@ -25,7 +24,7 @@ export async function handleCreatePolicy(req: Request, res: Response) { const app: IApplicationData = req['parsed-app'] // check permission - const code = await checkPermission(uid, POLICY_ADD.name, app) + const code = await checkPermission(uid, DatabaseActionDef.CreatePolicy, app) if (code) { return res.status(code).send() } diff --git a/packages/system-server/src/handler/policy/get.ts b/packages/system-server/src/handler/policy/get.ts index e14a38f75c..d9c2c33656 100644 --- a/packages/system-server/src/handler/policy/get.ts +++ b/packages/system-server/src/handler/policy/get.ts @@ -12,11 +12,9 @@ import { IApplicationData } from '../../support/application' import { checkPermission } from '../../support/permission' import { IPolicyData } from '../../support/policy' import { CN_POLICIES } from '../../constants' -import { permissions } from '../../permissions' +import { DatabaseActionDef } from '../../actions' import { DatabaseAgent } from '../../db' -const { POLICY_READ } = permissions - /** * Get policies @@ -27,7 +25,7 @@ export async function handleGetPolicies(req: Request, res: Response) { const app: IApplicationData = req['parsed-app'] // check permission - const code = await checkPermission(uid, POLICY_READ.name, app) + const code = await checkPermission(uid, DatabaseActionDef.ListPolicies, app) if (code) { return res.status(code).send() } @@ -78,7 +76,7 @@ export async function handleGetPolicyById(req: Request, res: Response) { const policy_id = req.params.policy_id // check permission - const code = await checkPermission(req['auth']?.uid, POLICY_READ.name, app) + const code = await checkPermission(req['auth']?.uid, DatabaseActionDef.GetPolicy, app) if (code) { return res.status(code).send() } diff --git a/packages/system-server/src/handler/policy/publish.ts b/packages/system-server/src/handler/policy/publish.ts index 861fd9f9ff..08d9433bf1 100644 --- a/packages/system-server/src/handler/policy/publish.ts 
+++ b/packages/system-server/src/handler/policy/publish.ts @@ -10,10 +10,9 @@ import { IApplicationData } from '../../support/application' import { checkPermission } from '../../support/permission' import { publishAccessPolicies } from '../../support/policy' import Config from '../../config' -import { permissions } from '../../permissions' +import { DatabaseActionDef } from '../../actions' import { logger } from '../../support/logger' -const { PUBLISH_POLICY } = permissions /** @@ -24,7 +23,7 @@ export async function handlePublishPolicies(req: Request, res: Response) { const app: IApplicationData = req['parsed-app'] // check permission - const code = await checkPermission(uid, PUBLISH_POLICY.name, app) + const code = await checkPermission(uid, DatabaseActionDef.PublishPolicy, app) if (code) { return res.status(code).send() } diff --git a/packages/system-server/src/handler/policy/remove.ts b/packages/system-server/src/handler/policy/remove.ts index 9fe3f72f9f..8b637ba328 100644 --- a/packages/system-server/src/handler/policy/remove.ts +++ b/packages/system-server/src/handler/policy/remove.ts @@ -11,10 +11,9 @@ import { ObjectId } from 'mongodb' import { IApplicationData } from '../../support/application' import { checkPermission } from '../../support/permission' import { CN_POLICIES } from '../../constants' -import { permissions } from '../../permissions' +import { DatabaseActionDef } from '../../actions' import { DatabaseAgent } from '../../db' -const { POLICY_REMOVE } = permissions /** * Remove a policy by id @@ -25,7 +24,7 @@ export async function handleRemovePolicyById(req: Request, res: Response) { const policy_id = req.params.policy_id // check permission - const code = await checkPermission(req['auth']?.uid, POLICY_REMOVE.name, app) + const code = await checkPermission(req['auth']?.uid, DatabaseActionDef.DeletePolicy, app) if (code) { return res.status(code).send() } 
diff --git a/packages/system-server/src/handler/policy/update.ts b/packages/system-server/src/handler/policy/update.ts index e40fc5ef26..591b5284bd 100644 --- a/packages/system-server/src/handler/policy/update.ts +++ b/packages/system-server/src/handler/policy/update.ts @@ -12,11 +12,10 @@ import { IApplicationData } from '../../support/application' import { checkPermission } from '../../support/permission' import { IPolicyData } from '../../support/policy' import { CN_POLICIES } from '../../constants' -import { permissions } from '../../permissions' +import { DatabaseActionDef } from '../../actions' import { DatabaseAgent } from '../../db' import { hashFunctionCode } from '../../support/util-passwd' -const { POLICY_UPDATE } = permissions /** @@ -29,7 +28,7 @@ export async function handleUpdatePolicy(req: Request, res: Response) { const policy_id = req.params.policy_id // check permission - const code = await checkPermission(uid, POLICY_UPDATE.name, app) + const code = await checkPermission(uid, DatabaseActionDef.UpdatePolicy, app) if (code) { return res.status(code).send() } @@ -78,7 +77,7 @@ export async function handleUpdatePolicyRules(req: Request, res: Response) { const policy_id = req.params.policy_id // check permission - const code = await checkPermission(uid, POLICY_UPDATE.name, app) + const code = await checkPermission(uid, DatabaseActionDef.UpdatePolicy, app) if (code) { return res.status(code).send() } diff --git a/packages/system-server/src/handler/replicate/auth-accept.ts b/packages/system-server/src/handler/replicate/auth-accept.ts index e604e81492..8d077c54fd 100644 --- a/packages/system-server/src/handler/replicate/auth-accept.ts +++ b/packages/system-server/src/handler/replicate/auth-accept.ts 
@@ -1,10 +1,10 @@ import { ObjectId } from "mongodb" import { CN_REPLICATE_AUTH } from "../../constants" import { Request, Response } from "express" -import { CONST_DICTS } from "../../constants" import { checkPermission } from "../../support/permission" import { IApplicationData } from "../../support/application" import { DatabaseAgent } from "../../db" +import { ReplicationActionDef } from "../../actions" /** * handle accept replicate auth @@ -18,12 +18,11 @@ export async function handleAcceptReplicateAuth(req: Request, res: Response) { const db = DatabaseAgent.db // check permission - const { REPLICATE_AUTH_UPDATE } = CONST_DICTS.permissions - const code = await checkPermission(uid, REPLICATE_AUTH_UPDATE.name, app) + const code = await checkPermission(uid, ReplicationActionDef.UpdateReplicateAuth, app) if (code) { return res.status(code).send() } - + // check auth const exited = await db .collection(CN_REPLICATE_AUTH) diff --git a/packages/system-server/src/handler/replicate/auth-create.ts b/packages/system-server/src/handler/replicate/auth-create.ts index 22bbb7bb79..a25e1d0a1d 100644 --- a/packages/system-server/src/handler/replicate/auth-create.ts +++ b/packages/system-server/src/handler/replicate/auth-create.ts @@ -1,9 +1,9 @@ import { CN_APPLICATIONS, CN_REPLICATE_AUTH } from "../../constants" import { Request, Response } from "express" -import { CONST_DICTS } from "../../constants" import { DatabaseAgent } from "../../db" import { IApplicationData } from "../../support/application" import { checkPermission } from "../../support/permission" +import { ReplicationActionDef } from "../../actions" /** * handle create replicate auth 
@@ -34,8 +34,7 @@ export async function handleCreateReplicateAuth(req: Request, res: Response) { } // check permission - const { REPLICATE_AUTH_ADD } = CONST_DICTS.permissions - const code = await checkPermission(uid, REPLICATE_AUTH_ADD.name, app) + const code = await checkPermission(uid, ReplicationActionDef.CreateReplicateAuth, app) if (code) { return res.status(code).send() } diff --git a/packages/system-server/src/handler/replicate/auth-delete.ts b/packages/system-server/src/handler/replicate/auth-delete.ts index 4be301768c..75d782cd45 100644 --- a/packages/system-server/src/handler/replicate/auth-delete.ts +++ b/packages/system-server/src/handler/replicate/auth-delete.ts @@ -1,9 +1,10 @@ import { DatabaseAgent } from '../../db' import { Request, Response } from "express" -import { CN_REPLICATE_AUTH, CONST_DICTS } from "../../constants" +import { CN_REPLICATE_AUTH } from "../../constants" import { IApplicationData } from "../../support/application" import { checkPermission } from "../../support/permission" import { ObjectId } from 'mongodb' +import { ReplicationActionDef } from '../../actions' /** * handle delete replicate auth @@ -19,8 +20,7 @@ export async function handleDeleteReplicateAuth(req: Request, res: Response) { } // check permission - const { REPLICATE_AUTH_REMOVE } = CONST_DICTS.permissions - const code = await checkPermission(uid, REPLICATE_AUTH_REMOVE.name, app) + const code = await checkPermission(uid, ReplicationActionDef.DeleteReplicateAuth, app) if (code) { return res.status(code).send() } diff --git a/packages/system-server/src/handler/replicate/auth-get.ts b/packages/system-server/src/handler/replicate/auth-get.ts index 0ec579f23b..7cb544ed1a 100644 --- a/packages/system-server/src/handler/replicate/auth-get.ts +++ b/packages/system-server/src/handler/replicate/auth-get.ts 
@@ -1,5 +1,6 @@ import { Request, Response } from "express" -import { CN_REPLICATE_AUTH, CONST_DICTS } from "../../constants" +import { ReplicationActionDef } from "../../actions" +import { CN_REPLICATE_AUTH } from "../../constants" import { DatabaseAgent } from "../../db" import { IApplicationData } from "../../support/application" import { checkPermission } from "../../support/permission" @@ -17,8 +18,7 @@ export async function handleGetReplicateAuth(req: Request, res: Response) { const app: IApplicationData = req["parsed-app"] // check permission - const { REPLICATE_AUTH_READ } = CONST_DICTS.permissions - const code = await checkPermission(uid, REPLICATE_AUTH_READ.name, app) + const code = await checkPermission(uid, ReplicationActionDef.ListReplicateAuth, app) if (code) { return res.status(code).send() } diff --git a/packages/system-server/src/handler/replicate/request-accept.ts b/packages/system-server/src/handler/replicate/request-accept.ts index c40e1dcfbd..48d77edeb6 100644 --- a/packages/system-server/src/handler/replicate/request-accept.ts +++ b/packages/system-server/src/handler/replicate/request-accept.ts @@ -1,11 +1,12 @@ import { Request, Response } from "express" import { DatabaseAgent } from "../../db" -import { CN_REPLICATE_REQUESTS, CONST_DICTS } from "../../constants" +import { CN_REPLICATE_REQUESTS } from "../../constants" import { IApplicationData } from "../../support/application" import { checkPermission } from "../../support/permission" import { ObjectId } from "mongodb" import { deployFunctions, publishFunctions } from "../../support/function" import { deployPolicies, publishAccessPolicies } from "../../support/policy" +import { ReplicationActionDef } from "../../actions" 
@@ -26,8 +27,7 @@ export async function handleApplyReplicateRequest(req: Request, res: Response) { } // check permission - const { REPLICATE_REQUEST_UPDATE } = CONST_DICTS.permissions - const code = await checkPermission(uid, REPLICATE_REQUEST_UPDATE.name, app) + const code = await checkPermission(uid, ReplicationActionDef.UpdateReplicateRequest, app) if (code) { return res.status(code).send() } diff --git a/packages/system-server/src/handler/replicate/request-create.ts b/packages/system-server/src/handler/replicate/request-create.ts index fae5dd34e0..1a7015d65e 100644 --- a/packages/system-server/src/handler/replicate/request-create.ts +++ b/packages/system-server/src/handler/replicate/request-create.ts @@ -1,9 +1,10 @@ import { Request, Response } from "express" import { DatabaseAgent } from "../../db" -import { CN_APPLICATIONS, CN_FUNCTIONS, CN_POLICIES, CN_REPLICATE_AUTH, CN_REPLICATE_REQUESTS, CONST_DICTS } from "../../constants" +import { CN_APPLICATIONS, CN_FUNCTIONS, CN_POLICIES, CN_REPLICATE_AUTH, CN_REPLICATE_REQUESTS } from "../../constants" import { IApplicationData } from "../../support/application" import { checkPermission } from "../../support/permission" import { ObjectId } from "mongodb" +import { ReplicationActionDef } from "../../actions" /** * handle create replicate Request @@ -23,8 +24,7 @@ export async function handleCreateReplicateRequest(req: Request, res: Response) } // check permission - const { REPLICATE_REQUEST_ADD } = CONST_DICTS.permissions - const code = await checkPermission(uid, REPLICATE_REQUEST_ADD.name, app) + const code = await checkPermission(uid, ReplicationActionDef.CreateReplicateRequest, app) if (code) { return res.status(code).send() } @@ -54,7 +54,7 @@ export async function handleCreateReplicateRequest(req: Request, res: Response) doc.functions = { type: functions.type, items - } + } } if ('part' === functions?.type && functions?.items?.length > 0) { const items = await db.collection(CN_FUNCTIONS) 
@@ -63,10 +63,10 @@ export async function handleCreateReplicateRequest(req: Request, res: Response) appid: app.appid }) .toArray() - doc.functions = { - type: functions.type, - items - } + doc.functions = { + type: functions.type, + items + } } diff --git a/packages/system-server/src/handler/replicate/request-delete.ts b/packages/system-server/src/handler/replicate/request-delete.ts index aaa7e30149..d9a97b5aa9 100644 --- a/packages/system-server/src/handler/replicate/request-delete.ts +++ b/packages/system-server/src/handler/replicate/request-delete.ts @@ -1,9 +1,10 @@ import { Request, Response } from "express" import { DatabaseAgent } from "../../db" -import { CN_REPLICATE_REQUESTS, CONST_DICTS } from "../../constants" +import { CN_REPLICATE_REQUESTS } from "../../constants" import { IApplicationData } from "../../support/application" import { checkPermission } from "../../support/permission" import { ObjectId } from "mongodb" +import { ReplicationActionDef } from "../../actions" /** * handle delete replicate Request @@ -23,8 +24,7 @@ export async function handleDeleteReplicateRequest(req: Request, res: Response) } // check permission - const { REPLICATE_REQUEST_REMOVE } = CONST_DICTS.permissions - const code = await checkPermission(uid, REPLICATE_REQUEST_REMOVE.name, app) + const code = await checkPermission(uid, ReplicationActionDef.DeleteReplicateRequest, app) if (code) { return res.status(code).send() } diff --git a/packages/system-server/src/handler/replicate/request-get.ts b/packages/system-server/src/handler/replicate/request-get.ts index 53215be346..882229b926 100644 --- a/packages/system-server/src/handler/replicate/request-get.ts +++ b/packages/system-server/src/handler/replicate/request-get.ts 
@@ -1,8 +1,9 @@ import { Request, Response } from "express" import { DatabaseAgent } from "../../db" -import { CN_REPLICATE_REQUESTS, CONST_DICTS } from "../../constants" +import { CN_REPLICATE_REQUESTS } from "../../constants" import { IApplicationData } from "../../support/application" import { checkPermission } from "../../support/permission" +import { ReplicationActionDef } from "../../actions" /** * handle get replicate request @@ -20,8 +21,7 @@ export async function handleGetReplicateRequest(req: Request, res: Response) { const app: IApplicationData = req["parsed-app"] // check permission - const { REPLICATE_REQUEST_READ } = CONST_DICTS.permissions - const code = await checkPermission(uid, REPLICATE_REQUEST_READ.name, app) + const code = await checkPermission(uid, ReplicationActionDef.ListReplicateRequest, app) if (code) { return res.status(code).send() } diff --git a/packages/system-server/src/handler/website/domain-bind.ts b/packages/system-server/src/handler/website/domain-bind.ts index 900ceab83b..c032b2257b 100644 --- a/packages/system-server/src/handler/website/domain-bind.ts +++ b/packages/system-server/src/handler/website/domain-bind.ts @@ -2,10 +2,10 @@ import { ObjectId } from "mongodb" import * as dns from "node:dns" import { CN_WEBSITE_HOSTING, REGEX_DOMAIN } from "../../constants" import { Request, Response } from "express" -import { CONST_DICTS } from "../../constants" import { checkPermission } from "../../support/permission" import { IApplicationData } from "../../support/application" import { DatabaseAgent } from "../../db" +import { WebsiteActionDef } from "../../actions" /** @@ -24,8 +24,7 @@ export async function handleBindDomain(req: Request, res: Response) { } // check permission - const { WEBSITE_HOSTING_UPDATE } = CONST_DICTS.permissions - const code = await checkPermission(uid, WEBSITE_HOSTING_UPDATE.name, app) + const code = await checkPermission(uid, WebsiteActionDef.UpdateWebsite, app) if (code) { return res.status(code).send() } 
diff --git a/packages/system-server/src/handler/website/website-create.ts b/packages/system-server/src/handler/website/website-create.ts index aa7d2752fd..8dad3e314b 100644 --- a/packages/system-server/src/handler/website/website-create.ts +++ b/packages/system-server/src/handler/website/website-create.ts @@ -1,11 +1,11 @@ import { CN_WEBSITE_HOSTING } from "../../constants" import { Request, Response } from "express" -import { CONST_DICTS } from "../../constants" import { DatabaseAgent } from "../../db" import { IApplicationData } from "../../support/application" import { checkPermission } from "../../support/permission" import { URL } from "node:url" import Config from "../../config" +import { WebsiteActionDef } from "../../actions" /** * handle create website hosting @@ -25,8 +25,7 @@ export async function handleCreateWebsite(req: Request, res: Response) { } // check permission - const { WEBSITE_HOSTING_ADD } = CONST_DICTS.permissions - const code = await checkPermission(uid, WEBSITE_HOSTING_ADD.name, app) + const code = await checkPermission(uid, WebsiteActionDef.CreateWebsite, app) if (code) { return res.status(code).send() } diff --git a/packages/system-server/src/handler/website/website-delete.ts b/packages/system-server/src/handler/website/website-delete.ts index 2d36a67fde..a462aa0d70 100644 --- a/packages/system-server/src/handler/website/website-delete.ts +++ b/packages/system-server/src/handler/website/website-delete.ts @@ -1,9 +1,10 @@ import { DatabaseAgent } from '../../db' import { Request, Response } from "express" -import { CN_WEBSITE_HOSTING, CONST_DICTS } from "../../constants" +import { CN_WEBSITE_HOSTING } from "../../constants" import { IApplicationData } from "../../support/application" import { checkPermission } from "../../support/permission" import { ObjectId } from 'mongodb' +import { WebsiteActionDef } from '../../actions' /** * handle delete website 
@@ -22,8 +23,7 @@ export async function handleDeleteWebsite(req: Request, res: Response) { } // check permission - const { WEBSITE_HOSTING_REMOVE } = CONST_DICTS.permissions - const code = await checkPermission(uid, WEBSITE_HOSTING_REMOVE.name, app) + const code = await checkPermission(uid, WebsiteActionDef.DeleteWebsite, app) if (code) { return res.status(code).send() } diff --git a/packages/system-server/src/handler/website/website-get.ts b/packages/system-server/src/handler/website/website-get.ts index 8f9faff73c..23538a4eb5 100644 --- a/packages/system-server/src/handler/website/website-get.ts +++ b/packages/system-server/src/handler/website/website-get.ts @@ -1,5 +1,6 @@ import { Request, Response } from "express" -import { CN_WEBSITE_HOSTING, CONST_DICTS } from "../../constants" +import { WebsiteActionDef } from "../../actions" +import { CN_WEBSITE_HOSTING } from "../../constants" import { DatabaseAgent } from "../../db" import { IApplicationData } from "../../support/application" import { checkPermission } from "../../support/permission" @@ -21,8 +22,7 @@ export async function handleGetWebsites(req: Request, res: Response) { } // check permission - const { WEBSITE_HOSTING_READ } = CONST_DICTS.permissions - const code = await checkPermission(uid, WEBSITE_HOSTING_READ.name, app) + const code = await checkPermission(uid, WebsiteActionDef.ListWebsites, app) if (code) { return res.status(code).send() } diff --git a/packages/system-server/src/permissions.ts b/packages/system-server/src/permissions.ts deleted file mode 100644 index fcd310cd0c..0000000000 --- a/packages/system-server/src/permissions.ts +++ /dev/null 
@@ -1,112 +0,0 @@ -export const permissions = { - APPLICATION_ADD: { name: 'application.add', label: '创建应用' }, - APPLICATION_READ: { name: 'application.read', label: '获取应用' }, - APPLICATION_UPDATE: { name: 'application.update', label: '编辑应用' }, - APPLICATION_REMOVE: { name: 'application.remove', label: '删除应用' }, - - POLICY_ADD: { name: 'policy.add', label: '创建访问策略' }, - POLICY_READ: { name: 'policy.read', label: '获取访问策略' }, - POLICY_UPDATE: { name: 'policy.update', label: '编辑访问策略' }, - POLICY_REMOVE: { name: 'policy.remove', label: '删除访问策略' }, - - FUNCTION_ADD: { name: 'function.add', label: '创建云函数' }, - FUNCTION_READ: { name: 'function.read', label: '获取云函数' }, - FUNCTION_UPDATE: { name: 'function.update', label: '编辑云函数' }, - FUNCTION_REMOVE: { name: 'function.remove', label: '删除云函数' }, - FUNCTION_DEBUG: { name: 'function.debug', label: '调试云函数' }, - - TRIGGER_ADD: { name: 'trigger.add', label: '创建触发器' }, - TRIGGER_READ: { name: 'trigger.read', label: '获取触发器' }, - TRIGGER_UPDATE: { name: 'trigger.update', label: '编辑访触发器' }, - TRIGGER_REMOVE: { name: 'trigger.remove', label: '删除触发器' }, - - DATABASE_MANAGE: { name: 'database.manage', label: '数据库数据管理' }, - - PUBLISH_POLICY: { name: 'publish.policy', label: '发布数据访问策略' }, - PUBLISH_FUNCTION: { name: 'publish.function', label: '发布云函数' }, - - FILE_READ: { name: 'file.read', label: '文件管理-读取文件列表' }, - FILE_UPDATE: { name: 'file.update', label: '文件管理-更新文件' }, - FILE_ADD: { name: 'file.add', label: '文件管理-创建文件' }, - FILE_REMOVE: { name: 'file.remove', label: '文件管理-删除文件' }, - - FILE_BUCKET_ADD: { name: 'file.bucket.add', label: '文件管理-创建文件桶' }, - FILE_BUCKET_REMOVE: { name: 'file.bucket.remove', label: '文件管理-删除文件桶' }, - - REPLICATE_AUTH_READ: { name: 'replicate_auth.read', label: '授权资源-读取授权应用' }, - REPLICATE_AUTH_ADD: { name: 'replicate_auth.add', label: '授权资源-创建授权应用' }, - REPLICATE_AUTH_REMOVE: { name: 'replicate_auth.remove', label: '授权资源-删除授权应用' }, - REPLICATE_AUTH_UPDATE: { name: 'replicate_auth.update', label: '授权资源-更新授权应用' 
}, - - REPLICATE_REQUEST_READ: { name: 'replicate_request.read', label: '推送请求-读取推送请求' }, - REPLICATE_REQUEST_ADD: { name: 'replicate_request.add', label: '推送请求-创建推送请求' }, - REPLICATE_REQUEST_REMOVE: { name: 'replicate_request.remove', label: '推送请求-删除推送请求' }, - REPLICATE_REQUEST_UPDATE: { name: 'replicate_request.update', label: '推送请求-更新推送请求' }, - - WEBSITE_HOSTING_READ: { name: 'website_hosting.read', label: '网站托管-读取网站' }, - WEBSITE_HOSTING_ADD: { name: 'website_hosting.add', label: '网站托管-创建网站' }, - WEBSITE_HOSTING_REMOVE: { name: 'website_hosting.remove', label: '网站托管-删除网站' }, - WEBSITE_HOSTING_UPDATE: { name: 'website_hosting.update', label: '网站托管-更新网站' }, - -} - - -const pns = permissions - -const developer = [ - pns.FUNCTION_ADD, pns.FUNCTION_READ, pns.FUNCTION_REMOVE, pns.FUNCTION_UPDATE, - pns.FUNCTION_DEBUG, pns.PUBLISH_FUNCTION, - pns.TRIGGER_ADD, pns.TRIGGER_READ, pns.TRIGGER_REMOVE, pns.TRIGGER_UPDATE -] - -const dba = [ - pns.POLICY_ADD, pns.POLICY_READ, pns.POLICY_REMOVE, pns.POLICY_UPDATE, - pns.PUBLISH_POLICY, - pns.DATABASE_MANAGE, - pns.FILE_ADD, pns.FILE_READ, pns.FILE_REMOVE, pns.FILE_UPDATE, - pns.FILE_BUCKET_ADD, pns.FILE_BUCKET_REMOVE, - pns.WEBSITE_HOSTING_READ, pns.WEBSITE_HOSTING_ADD, pns.WEBSITE_HOSTING_REMOVE, pns.WEBSITE_HOSTING_UPDATE, -] - -const operator = [ - pns.REPLICATE_AUTH_READ, - pns.REPLICATE_AUTH_ADD, - pns.REPLICATE_AUTH_REMOVE, - pns.REPLICATE_REQUEST_REMOVE, - pns.REPLICATE_AUTH_UPDATE, - pns.REPLICATE_REQUEST_READ, - pns.REPLICATE_REQUEST_ADD, - pns.REPLICATE_REQUEST_REMOVE, - pns.REPLICATE_REQUEST_UPDATE -] - -const owner = [ - pns.APPLICATION_ADD, pns.APPLICATION_READ, pns.APPLICATION_REMOVE, - pns.APPLICATION_UPDATE, - ...developer, - ...dba, - ...operator -] - -export const roles = { - developer: { - name: 'developer', - label: 'Developer', - permissions: developer - }, - dba: { - name: 'dba', - label: 'Database Administrator', - permissions: dba - }, - operator: { - name: 'operator', - label: 'Application Operator', - 
permissions: operator - }, - owner: { - name: 'owner', - label: 'Owner', - permissions: owner - } -} diff --git a/packages/system-server/src/support/account.ts b/packages/system-server/src/support/account.ts index 5bfc498382..7bffe1a2e7 100644 --- a/packages/system-server/src/support/account.ts +++ b/packages/system-server/src/support/account.ts @@ -1,8 +1,9 @@ -import { CN_ACCOUNTS, CONST_DICTS } from "../constants" +import { CN_ACCOUNTS } from "../constants" import { DatabaseAgent } from "../db" import * as assert from 'assert' import { ObjectId } from "mongodb" +import { Groups } from "../groups" /** * Get an account by account_id @@ -49,17 +50,10 @@ export function isValidRoleNames(role_names: string[]): boolean { if (!(role_names instanceof Array)) return false - const roles = getRoles() - for (const rn of role_names) - if (!roles[rn]) return false + for (const rn of role_names) { + const role = Groups.find(r => r.name === rn) + if (!role) return false + } return true -} - -/** - * Get roles - * @returns - */ -export function getRoles() { - return CONST_DICTS.roles } \ No newline at end of file diff --git a/packages/system-server/src/support/application.ts b/packages/system-server/src/support/application.ts index 19584cb876..e4ac396594 100644 --- a/packages/system-server/src/support/application.ts +++ b/packages/system-server/src/support/application.ts @@ -5,7 +5,7 @@ * @Description: Application APIs */ -import { CN_APPLICATIONS, CN_APP_SPECS, CN_PUBLISHED_CONFIG, CONST_DICTS } from "../constants" +import { CN_APPLICATIONS, CN_APP_SPECS, CN_PUBLISHED_CONFIG } from "../constants" import { DatabaseAgent } from "../db" import * as assert from 'assert' import { MongoAccessor } from "database-proxy" @@ -15,6 +15,7 @@ import * as mongodb_uri from 'mongodb-uri' import { logger } from "./logger" import { BUCKET_ACL } from "./minio" import { customAlphabet } from 'nanoid' +import { Admin } from "../groups" /** * Status of application instance 
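Review bot: In isValidRoleNames the `role` binding is only tested for existence, so `Groups.some` states the intent more directly and drops the unused value: `if (!Groups.some(r => r.name === rn)) return false`. The rewrite keeps the earlier behaviour that an empty array and repeated names both validate, which is acceptable for an allow-list check but worth stating on the function with `// accepts duplicates and an empty list; only unknown names are rejected`. The exported `getRoles` helper is removed in the same hunk; any remaining importer outside this diff will fail at compile time, so nothing further is needed unless it was part of a public module surface.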
@@ -197,7 +198,7 @@ export async function getApplicationDbAccessor(app: IApplicationData) { */ export function getUserRolesOfApplication(uid: string, app: IApplicationData) { if (app.created_by.toHexString() === uid) { - return [CONST_DICTS.roles.owner.name] + return [Admin.name] } // reject if not the collaborator diff --git a/packages/system-server/src/support/permission.ts b/packages/system-server/src/support/permission.ts index a0d43caf3e..522fa7fe02 100644 --- a/packages/system-server/src/support/permission.ts +++ b/packages/system-server/src/support/permission.ts @@ -6,19 +6,19 @@ */ import * as assert from 'assert' -import { CONST_DICTS } from '../constants' +import { Groups } from '../groups' import { IApplicationData } from './application' /** * Check if a user have permission for application * @param uid the account id - * @param permission the permission name + * @param action the permission name * @param app the application which checked for * @returns 0 means ok, 401 means unauthorized, 403 means permission denied */ -export async function checkPermission(uid: string, permission: string, app: IApplicationData): Promise { +export async function checkPermission(uid: string, action: string, app: IApplicationData): Promise { if (!uid) return 401 - assert.ok(permission, 'empty permission got') + assert.ok(action, 'empty permission got') assert.ok(app, 'empty app got') // pass directly while the app owner here @@ -30,8 +30,8 @@ export async function checkPermission(uid: string, permission: string, app: IApp // reject while uid not have the permission const roles = collaborator.roles - const permissions = getPermissionsOfRoles(roles) - if (!permissions.includes(permission)) { + const actions = getActionsOfRoles(roles) + if (!actions.includes(action)) { return 403 } 
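Review bot: getUserRolesOfApplication now reports the application creator as `Admin.name` where it previously returned the `owner` role name; the comment in checkPermission ("pass directly while the app owner here") suggests the permission check itself does not depend on this value, so the change only affects other consumers of the returned list, such as responses sent to the client. If `Admin.name` is not the same string as the old `'owner'`, code that compares the role list against `'owner'` silently stops matching; worth confirming and recording on the function with `// the creator is reported as the Admin group; checkPermission short-circuits owners before consulting this`. The function body continues outside the hunk.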
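Review bot: The parameter is renamed to `action` but the assertion on the same hunk still says `'empty permission got'`, which will mislead whoever reads the thrown error; `assert.ok(action, 'empty action got')` keeps the message consistent with the new vocabulary. The JSDoc line `@param action the permission name` could say what callers now pass, e.g. `@param action the action identifier, a value from one of the *ActionDef maps in ../actions`. A falsy `action` surfaces as a thrown AssertionError rather than a 403 return, which is pre-existing but worth a comment now that callers pass constants that cannot be empty. checkPermission's body continues past the hunk.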
@@ -43,12 +43,18 @@ export async function checkPermission(uid: string, permission: string, app: IApp * @param roles_names The role names * @returns */ -export function getPermissionsOfRoles(roles_names: string[]) { - const permissions = [] +export function getActionsOfRoles(roles_names: string[]) { + const rets = [] for (const name of roles_names) { - const pns = CONST_DICTS.roles[name]?.permissions ?? [] - permissions.push(...pns) + const role = getRoleByName(name) + const actions = role?.actions ?? [] + rets.push(...actions) } - return permissions.map(pn => pn.name) + return rets.map(pn => pn.name) +} + + +function getRoleByName(name: string) { + return Groups.find(it => it.name === name) } \ No newline at end of file
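Review bot: getActionsOfRoles resolves role names through `Groups`, so collaborator records whose stored role names came from the deleted `permissions.ts` (`developer`, `dba`, `operator`, `owner`) resolve to no actions unless the new groups reuse those exact names; the result is a silent 403 from checkPermission, which fails closed but leaves no diagnostic. A migration of stored collaborator roles (or compatibility aliases in the groups) should accompany this change, and an unresolved name is worth logging with the `logger` that `./logger` already provides to application.ts, e.g. `if (!role) logger.warn('unknown role name: ' + name)`. Separately, `const rets = []` with no annotation becomes an evolving `any[]` under strict mode and `rets.map(pn => pn.name)` is then untyped; `const rets: { name: string }[] = []` keeps the return type checked. The contents of Groups are not visible in this diff, so the migration point is conditional on the group names.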