From ca908070dc5d4e5af2d4efb351a44633c3b61c68 Mon Sep 17 00:00:00 2001 From: getlarge Date: Tue, 12 Nov 2024 15:48:47 +0100 Subject: [PATCH 1/4] refactor(keto-client-wrapper): update factory types in OryAuthorizationGuard for more flexibility --- .../src/lib/ory-authorization.guard.ts | 13 +++++++++---- .../src/lib/ory-permission-checks.decorator.ts | 3 ++- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/packages/keto-client-wrapper/src/lib/ory-authorization.guard.ts b/packages/keto-client-wrapper/src/lib/ory-authorization.guard.ts index 48b3507..795124d 100644 --- a/packages/keto-client-wrapper/src/lib/ory-authorization.guard.ts +++ b/packages/keto-client-wrapper/src/lib/ory-authorization.guard.ts @@ -15,8 +15,9 @@ import { PermissionApiExpandPermissionsRequest } from '@ory/client'; import type { Observable } from 'rxjs'; import { - EnhancedRelationTupleFactory, getOryPermissionChecks, + RelationTupleCondition, + RelationTupleFactory, } from './ory-permission-checks.decorator'; import { OryPermissionsService } from './ory-permissions'; @@ -40,7 +41,7 @@ export abstract class IAuthorizationGuard implements CanActivate { ): boolean | Promise | Observable; abstract evaluateConditions( - factory: EnhancedRelationTupleFactory, + factory: RelationTupleFactory | RelationTupleCondition, context: ExecutionContext ): Promise<{ allowed: boolean; @@ -72,7 +73,7 @@ export const OryAuthorizationGuard = ( } async evaluateConditions( - factory: EnhancedRelationTupleFactory, + factory: RelationTupleFactory | RelationTupleCondition, context: ExecutionContext ): Promise<{ allowed: boolean; 
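Review bot: The union `RelationTupleFactory | RelationTupleCondition` is now written out twice, once on the abstract `evaluateConditions` of `IAuthorizationGuard` (hunk at -40) and once on the concrete override (hunk at -72), so the two signatures can drift apart the next time `EnhancedRelationTupleFactory` gains a member. A named alias exported beside `EnhancedRelationTupleFactory`, for example `export type ResolvedRelationTupleFactory = RelationTupleFactory | RelationTupleCondition;`, would keep them in step and could also serve as the base of `EnhancedRelationTupleFactory`. The abstract method would also benefit from a TSDoc line such as `/** Expects an already-resolved factory; a function returning a RelationTupleCondition must be called by the caller first. */`, because subclasses of this exported class cannot tell that from the parameter type alone. Both method bodies lie outside these hunks.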
@@ -138,7 +139,11 @@ export const OryAuthorizationGuard = ( return true; } const { postCheck, unauthorizedFactory } = this.options; - for (const factory of factories) { + for (const firstLevelFactory of factories) { + const factory = + typeof firstLevelFactory === 'function' + ? firstLevelFactory(context) + : firstLevelFactory; const { allowed, relationTuple } = await this.evaluateConditions( factory, context diff --git a/packages/keto-client-wrapper/src/lib/ory-permission-checks.decorator.ts b/packages/keto-client-wrapper/src/lib/ory-permission-checks.decorator.ts index 773cb06..45df15d 100644 --- a/packages/keto-client-wrapper/src/lib/ory-permission-checks.decorator.ts +++ b/packages/keto-client-wrapper/src/lib/ory-permission-checks.decorator.ts @@ -12,7 +12,8 @@ export type RelationTupleCondition = { export type EnhancedRelationTupleFactory = | RelationTupleFactory - | RelationTupleCondition; + | RelationTupleCondition + | ((ctx: ExecutionContext) => RelationTupleCondition); /** * @description Decorator to add permission checks to a handler, will be consumed by the `OryAuthorizationGuard` {@link OryAuthorizationGuard} using the `getOryPermissionChecks` {@link getOryPermissionChecks} function From dab1835f2f56e78527b84ba774b98ff0d041df05 Mon Sep 17 00:00:00 2001 From: getlarge Date: Tue, 12 Nov 2024 15:49:02 +0100 Subject: [PATCH 2/4] feat(keto-client-wrapper): export types --- packages/keto-client-wrapper/src/index.ts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/packages/keto-client-wrapper/src/index.ts b/packages/keto-client-wrapper/src/index.ts index 41b3e1d..70d33ac 100644 --- a/packages/keto-client-wrapper/src/index.ts +++ b/packages/keto-client-wrapper/src/index.ts 
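Review bot: The value returned by `firstLevelFactory(context)` is passed to `evaluateConditions` with no runtime check, so a callback that returns `undefined` or a malformed object (possible from plain-JavaScript callers or `any`-typed request data) is left to whatever `evaluateConditions` does with it, which is outside this hunk. Since this is the authorization decision path, the guard should fail closed explicitly right after the ternary, for example `if (typeof factory !== 'string' && (factory === null || typeof factory !== 'object')) throw new TypeError('permission check factory returned no condition');`. A short comment on the ternary would also help, for example `// resolve context-dependent checks once per request before evaluation`. The enclosing method starts and ends outside the hunk.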
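Review bot: The new `(ctx: ExecutionContext) => RelationTupleCondition` member of `EnhancedRelationTupleFactory` in `ory-permission-checks.decorator.ts` has no doc comment, so readers cannot tell when the function runs or what it may return. I would add TSDoc on the type along the lines of `/** A function member is called by the guard on each evaluation with the current ExecutionContext and returns the condition tree to check. */`. It should also say that request values used inside the function are caller-controlled and need validating before they are placed in a relation tuple. Judging from the guard change in this same patch, only a top-level function is resolved this way, so the comment should state that entries nested inside `conditions` cannot be functions returning a condition. The decorator's own `@description` block continues outside the hunk.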
@@ -3,8 +3,11 @@ export { OryAuthorizationGuardOptions, } from './lib/ory-authorization.guard'; export { + EnhancedRelationTupleFactory, getOryPermissionChecks, OryPermissionChecks, + RelationTupleCondition, + RelationTupleFactory, } from './lib/ory-permission-checks.decorator'; export { OryPermissionsModule, From 7196696a547fdc3cdce1958da2d3f1fbff4dede7 Mon Sep 17 00:00:00 2001 From: getlarge Date: Tue, 12 Nov 2024 15:49:35 +0100 Subject: [PATCH 3/4] test(keto-client-wrapper): test dynamic RelationTupleCondition --- .../test/app.controller.mock.ts | 28 ++++++++----------- 1 file changed, 12 insertions(+), 16 deletions(-) diff --git a/packages/keto-client-wrapper/test/app.controller.mock.ts b/packages/keto-client-wrapper/test/app.controller.mock.ts index 4590b35..339d775 100644 --- a/packages/keto-client-wrapper/test/app.controller.mock.ts +++ b/packages/keto-client-wrapper/test/app.controller.mock.ts @@ -110,25 +110,21 @@ export class ExampleController { return this.exampleService.getExample(); } - @OryPermissionChecks({ - type: 'OR', - conditions: [ - (ctx) => { - const req = ctx.switchToHttp().getRequest(); - const resourceId = req.params.id; - return `Toy:${resourceId}#owners`; - }, - (ctx) => { - const req = ctx.switchToHttp().getRequest(); - const currentUserId = req.headers['x-current-user-id'] as string; - const resourceId = req.params.id; - return new RelationTupleBuilder() + @OryPermissionChecks((ctx) => { + const req = ctx.switchToHttp().getRequest(); + const resourceId = req.params.id; + const currentUserId = req.headers['x-current-user-id'] as string; + return { + type: 'OR', + conditions: [ + `Toy:${resourceId}#owners`, + new RelationTupleBuilder() .subject('User', currentUserId) .isIn('owners') .of('Toy', resourceId) - .toString(); - }, - ], + .toString(), + ], + }; }) @UseGuards(AuthorizationGuard()) @Get('poly/:id') From b99ab010c99ec14202e8cb060775a7dc3841f0c4 Mon Sep 17 00:00:00 2001 
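Review bot: In the rewritten `@OryPermissionChecks` callback in `app.controller.mock.ts`, `req.params.id` and the `x-current-user-id` header are put into relation tuple strings without validation, and this mock is the only usage example of the new function form visible in the series. A value containing tuple delimiters such as `#`, `@` or `:` could change which object or relation `Toy:${resourceId}#owners` names, and the `as string` cast hides that the header may be missing or repeated. I would add a comment like `// test-only: subject comes from a client-supplied header; real handlers must take it from the authenticated session`. I would also reject unexpected input before building the tuples, for example `if (typeof currentUserId !== 'string' || !/^[\w-]+$/.test(resourceId)) throw new BadRequestException();`. The handler method that these decorators apply to continues outside the hunk.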
From: getlarge Date: Tue, 12 Nov 2024 15:49:47 +0100 Subject: [PATCH 4/4] chore: update ory/client --- package-lock.json | 8 ++++---- package.json | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/package-lock.json b/package-lock.json index 89135ad..c9893d8 100644 --- a/package-lock.json +++ b/package-lock.json @@ -13,7 +13,7 @@ "@nestjs/common": "^10.4.4", "@nestjs/config": "^3.2.3", "@nestjs/core": "^10.4.4", - "@ory/client": "^1.15.5", + "@ory/client": "^1.15.10", "axios": "1.7.7", "class-transformer": "^0.5.1", "class-validator": "^0.14.1", @@ -3659,9 +3659,9 @@ } }, "node_modules/@ory/client": { - "version": "1.15.5", - "resolved": "https://registry.npmjs.org/@ory/client/-/client-1.15.5.tgz", - "integrity": "sha512-VUxcF5aNdnYjMo0NiweaC8s++Bvhq4iEPyAwgrftOxkkQz1/RyFJPaK9JpkIxOtzZ2j6SIegFYlX2OEdEtBipw==", + "version": "1.15.10", + "resolved": "https://registry.npmjs.org/@ory/client/-/client-1.15.10.tgz", + "integrity": "sha512-GUetl5RiNsu1O0HQBN8dbeKVE/7gshkfGn/yNvO2z/0r1PirsndA3IqvPjxtisnHkSERcpKLHOYpwF66myMWsA==", "license": "Apache-2.0", "dependencies": { "axios": "^1.6.1" diff --git a/package.json b/package.json index 89b46ef..e51b9db 100644 --- a/package.json +++ b/package.json @@ -9,7 +9,7 @@ "@nestjs/common": "^10.4.4", "@nestjs/config": "^3.2.3", "@nestjs/core": "^10.4.4", - "@ory/client": "^1.15.5", + "@ory/client": "^1.15.10", "axios": "1.7.7", "class-transformer": "^0.5.1", "class-validator": "^0.14.1",