diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 0000000..4a7ea30 --- /dev/null +++ b/.editorconfig @@ -0,0 +1,12 @@ +root = true + +[*] +indent_style = space +indent_size = 2 +end_of_line = lf +charset = utf-8 +trim_trailing_whitespace = true +insert_final_newline = true + +[*.md] +trim_trailing_whitespace = false diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..d0d776d --- /dev/null +++ b/.gitignore @@ -0,0 +1,67 @@ +# Created by https://www.gitignore.io/api/node + +### Node ### +# Logs +logs +*.log +npm-debug.log* +yarn-debug.log* +yarn-error.log* + +# Runtime data +pids +*.pid +*.seed +*.pid.lock + +# Directory for instrumented libs generated by jscoverage/JSCover +lib-cov + +# Coverage directory used by tools like istanbul +coverage + +# nyc test coverage +.nyc_output + +# Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files) +.grunt + +# Bower dependency directory (https://bower.io/) +bower_components + +# node-waf configuration +.lock-wscript + +# Compiled binary addons (http://nodejs.org/api/addons.html) +build/Release + +# Dependency directories +node_modules/ +jspm_packages/ + +# Typescript v1 declaration files +typings/ + +# Optional npm cache directory +.npm + +# Optional eslint cache +.eslintcache + +# Optional REPL history +.node_repl_history + +# Output of 'npm pack' +*.tgz + +# Yarn Integrity file +.yarn-integrity + +# Yarn lock file +yarn.lock + +# dotenv environment variables file +.env + + +# End of https://www.gitignore.io/api/node diff --git a/.npmignore b/.npmignore new file mode 100644 index 0000000..cea163b --- /dev/null +++ b/.npmignore @@ -0,0 +1,7 @@ +node_modules +npm-debug.log +yarn-debug.log +yarn-error.log +yarn.lock +.travis.yml +.editorconfig diff --git a/LICENSE.md b/LICENSE.md new file mode 100644 index 0000000..50ea37d --- /dev/null +++ b/LICENSE.md @@ -0,0 +1,9 @@ +The MIT License (MIT) + +Copyright (c) 2017 Evgeny Razumov + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/README.md b/README.md new file mode 100644 index 0000000..814b09b --- /dev/null +++ b/README.md @@ -0,0 +1,19 @@ +# Adonis ACL + +Adonis ACL adds role based permissions to built in Auth System of Adonis Framework. + +## Documentation + +Follow along the [Wiki](https://github.com/enniel/adonis-acl/wiki) to find out more. + +## Credits + +- [Evgeni Razumov](https://github.com/enniel) + +## Support + +Having trouble? [Open an issue](https://github.com/enniel/adonis-acl/issues/new)! + +## License + +The MIT License (MIT). Please see [License File](LICENSE.md) for more information. diff --git a/commands/Permission.js b/commands/Permission.js new file mode 100644 index 0000000..af700d7 --- /dev/null +++ b/commands/Permission.js @@ -0,0 +1,51 @@ +'use strict' + +const Ioc = require('adonis-fold').Ioc +const Command = Ioc.use('Adonis/Src/Command') +const Permission = Ioc.use('Adonis/Acl/Permission') +const Database = Ioc.use('Adonis/Src/Database') + +class PermissionCommand extends Command { + /** + * signature defines the requirements and name + * of command. + * + * @return {String} + */ + get signature () { + return 'acl:permission {slug} {name?} {description?}' + } + + /** + * description is the little helpful information displayed + * on the console. + * + * @return {String} + */ + get description () { + return 'Create or update permission' + } + + /** + * handle method is invoked automatically by ace, once your + * command has been executed. + * + * @param {Object} args [description] + * @param {Object} options [description] + */ + * handle ({ slug, name, description }, { permissions }) { + name = name || slug + let permission = yield Permission.query().where('slug', slug).first() + if (!permission) { + permission = new Permission({ slug }) + } + permission.fill({ + name, description + }) + yield permission.save() + this.success(`${this.icon('success')} permission ${name} is updated.`) + Database.close() + } +} + +module.exports = PermissionCommand diff --git a/commands/Role.js b/commands/Role.js new file mode 100644 index 0000000..1f1b63c --- /dev/null +++ b/commands/Role.js @@ -0,0 +1,73 @@ +'use strict' + +const Ioc = require('adonis-fold').Ioc +const Command = Ioc.use('Adonis/Src/Command') +const Role = Ioc.use('Adonis/Acl/Role') +const Permission = Ioc.use('Adonis/Acl/Permission') +const Database = Ioc.use('Adonis/Src/Database') +const series = require('co-series') +const _ = require('lodash') + +class RoleCommand extends Command { + /** + * signature defines the requirements and name + * of command. + * + * @return {String} + */ + get signature () { + return 'acl:role {slug} {name?} {description?} {--permissions=@value}' + } + + /** + * description is the little helpful information displayed + * on the console. + * + * @return {String} + */ + get description () { + return 'Create or update role' + } + + /** + * handle method is invoked automatically by ace, once your + * command has been executed. + * + * @param {Object} args [description] + * @param {Object} options [description] + */ + * handle ({ slug, name, description }, { permissions }) { + name = name || slug + let role = yield Role.query().where('slug', slug).first() + if (!role) { + role = new Role({ slug }) + } + role.fill({ + name, description + }) + yield role.save() + permissions = _.reduce(_.split(permissions, ','), (result, permission) => { + permission = _.trim(permission) + if (permission.length) { + result.push(permission) + } + return result + }, []) + permissions = yield _.map(permissions, series(function * (permission) { + let entry = yield Permission.query().where('slug', permission).first() + if (!entry) { + entry = yield Permission.create({ + slug: permission, name: permission + }) + } + return entry.id + })) + if (permissions.length) { + yield role.permissions().sync(permissions) + } + this.success(`${this.icon('success')} role ${name} is updated.`) + Database.close() + } +} + +module.exports = RoleCommand diff --git a/commands/Setup.js b/commands/Setup.js new file mode 100644 index 0000000..2b4413b --- /dev/null +++ b/commands/Setup.js @@ -0,0 +1,42 @@ +'use strict' + +/** + * adonis-acl + * Copyright(c) 2017 Evgeny Razumov + * MIT Licensed + */ + +const Ace = require('adonis-ace') +const Ioc = require('adonis-fold').Ioc +const path = require('path') +const Command = Ioc.use('Adonis/Src/Command') + +class SetupCommand extends Command { + get signature () { + return 'acl:setup' + } + + get description () { + return 'Setup migration for ACL' + } + + * handle () { + yield Ace.call('make:migration', ['create_roles_table'], { + template: path.join(__dirname, './templates/roles_schema.mustache') + }) + yield Ace.call('make:migration', ['create_permissions_table'], { + template: path.join(__dirname, './templates/permissions_schema.mustache') + }) + yield Ace.call('make:migration', ['create_role_user_table'], { + template: path.join(__dirname, './templates/role_user_schema.mustache') + }) + yield Ace.call('make:migration', ['create_permission_role_table'], { + template: path.join(__dirname, './templates/permission_role_schema.mustache') + }) + yield Ace.call('make:migration', ['create_permission_user_table'], { + template: path.join(__dirname, './templates/permission_user_schema.mustache') + }) + } +} + +module.exports = SetupCommand diff --git a/commands/templates/permission_role_schema.mustache b/commands/templates/permission_role_schema.mustache new file mode 100644 index 0000000..6abf837 --- /dev/null +++ b/commands/templates/permission_role_schema.mustache @@ -0,0 +1,24 @@ +'use strict' + +const Schema = use('Schema') + +class PermissionRoleTableSchema extends Schema { + + up () { + this.create('permission_role', table => { + table.increments() + table.integer('permission_id').unsigned().index() + table.foreign('permission_id').references('id').on('permissions').onDelete('cascade') + table.integer('role_id').unsigned().index() + table.foreign('role_id').references('id').on('roles').onDelete('cascade') + table.timestamps() + }) + } + + down () { + this.drop('permission_role') + } + +} + +module.exports = PermissionRoleTableSchema diff --git a/commands/templates/permission_user_schema.mustache b/commands/templates/permission_user_schema.mustache new file mode 100644 index 0000000..f5b05ee --- /dev/null +++ b/commands/templates/permission_user_schema.mustache @@ -0,0 +1,24 @@ +'use strict' + +const Schema = use('Schema') + +class PermissionUserTableSchema extends Schema { + + up () { + this.create('permission_user', table => { + table.increments() + table.integer('permission_id').unsigned().index() + table.foreign('permission_id').references('id').on('permissions').onDelete('cascade') + table.integer('user_id').unsigned().index() + table.foreign('user_id').references('id').on('users').onDelete('cascade') + table.timestamps() + }) + } + + down () { + this.drop('permission_user') + } + +} + +module.exports = PermissionUserTableSchema diff --git a/commands/templates/permissions_schema.mustache b/commands/templates/permissions_schema.mustache new file mode 100644 index 0000000..a7e97ac --- /dev/null +++ b/commands/templates/permissions_schema.mustache @@ -0,0 +1,23 @@ +'use strict' + +const Schema = use('Schema') + +class PermissionsTableSchema extends Schema { + + up () { + this.create('permissions', table => { + table.increments() + table.string('slug').notNullable().unique() + table.string('name').notNullable().unique() + table.text('description').nullable() + table.timestamps() + }) + } + + down () { + this.drop('permissions') + } + +} + +module.exports = PermissionsTableSchema diff --git a/commands/templates/role_user_schema.mustache b/commands/templates/role_user_schema.mustache new file mode 100644 index 0000000..c7265dd --- /dev/null +++ b/commands/templates/role_user_schema.mustache @@ -0,0 +1,24 @@ +'use strict' + +const Schema = use('Schema') + +class RoleUserTableSchema extends Schema { + + up () { + this.create('role_user', table => { + table.increments() + table.integer('role_id').unsigned().index() + table.foreign('role_id').references('id').on('roles').onDelete('cascade') + table.integer('user_id').unsigned().index() + table.foreign('user_id').references('id').on('users').onDelete('cascade') + table.timestamps() + }) + } + + down () { + this.drop('role_user') + } + +} + +module.exports = RoleUserTableSchema diff --git a/commands/templates/roles_schema.mustache b/commands/templates/roles_schema.mustache new file mode 100644 index 0000000..e3ee7b7 --- /dev/null +++ b/commands/templates/roles_schema.mustache @@ -0,0 +1,23 @@ +'use strict' + +const Schema = use('Schema') + +class RolesTableSchema extends Schema { + + up () { + this.create('roles', table => { + table.increments() + table.string('slug').notNullable().unique() + table.string('name').notNullable().unique() + table.text('description').nullable() + table.timestamps() + }) + } + + down () { + this.drop('roles') + } + +} + +module.exports = RolesTableSchema diff --git a/package.json b/package.json new file mode 100644 index 0000000..91a9ded --- /dev/null +++ b/package.json @@ -0,0 +1,36 @@ +{ + "name": "adonis-acl", + "version": "0.0.1", + "description": "Adonis ACL system", + "main": "src/Acl/index.js", + "directories": { + "test": "test" + }, + "scripts": { + "fix": "standard --fix src/**/*.js providers/*.js commands/*.js", + "lint": "standard src/**/*.js providers/*.js commands/*.js" + }, + "author": "Evgeny Razumov (enniel)", + "license": "MIT", + "dependencies": { + "adonis-fold": "^3.0.3", + "co-series": "^3.0.2", + "lodash": "^4.17.4", + "node-exceptions": "^2.0.1" + }, + "devDependencies": { + "standard": "^10.0.2" + }, + "repository": { + "type": "git", + "url": "git+https://github.com/enniel/adonis-acl.git" + }, + "keywords": [ + "acl", + "adonis" + ], + "bugs": { + "url": "https://github.com/enniel/adonis-acl/issues" + }, + "homepage": "https://github.com/enniel/adonis-acl#readme" +} diff --git a/providers/AclProvider.js b/providers/AclProvider.js new file mode 100644 index 0000000..bd6fced --- /dev/null +++ b/providers/AclProvider.js @@ -0,0 +1,36 @@ +'use strict' + +/** + * adonis-acl + * Copyright(c) 2017 Evgeny Razumov + * MIT Licensed + */ + +const ServiceProvider = require('adonis-fold').ServiceProvider + +class AclProvider extends ServiceProvider { + * register () { + this.app.bind('Adonis/Acl/Role', function () { + return require('../src/Models/Role') + }) + this.app.bind('Adonis/Acl/Permission', function () { + return require('../src/Models/Permission') + }) + this.app.bind('Adonis/Acl/HasRole', function () { + return require('../src/Traits/HasRole') + }) + this.app.bind('Adonis/Acl/HasPermission', function () { + return require('../src/Traits/HasPermission') + }) + this.app.bind('Adonis/Acl/Is', function () { + const Is = require('../src/Middlewares/Is') + return new Is() + }) + this.app.bind('Adonis/Acl/Can', function () { + const Can = require('../src/Middlewares/Can') + return new Can() + }) + } +} + +module.exports = AclProvider diff --git a/providers/CommandsProvider.js b/providers/CommandsProvider.js new file mode 100644 index 0000000..b43e616 --- /dev/null +++ b/providers/CommandsProvider.js @@ -0,0 +1,28 @@ +'use strict' + +/** + * adonis-acl + * Copyright(c) 2017 Evgeny Razumov + * MIT Licensed + */ + +const ServiceProvider = require('adonis-fold').ServiceProvider + +class CommandsProvider extends ServiceProvider { + * register () { + this.app.bind('Adonis/Commands/Acl:Setup', function () { + const Setup = require('../commands/Setup') + return new Setup() + }) + this.app.bind('Adonis/Commands/Acl:Role', function () { + const Role = require('../commands/Role') + return new Role() + }) + this.app.bind('Adonis/Commands/Acl:Permission', function () { + const Permission = require('../commands/Permission') + return new Permission() + }) + } +} + +module.exports = CommandsProvider diff --git a/src/Acl/index.js b/src/Acl/index.js new file mode 100644 index 0000000..959cc41 --- /dev/null +++ b/src/Acl/index.js @@ -0,0 +1,40 @@ +'use strict' + +/** + * adonis-acl + * Copyright(c) 2017 Evgeny Razumov + * MIT Licensed + */ + +const Acl = exports = module.exports = {} +const _ = require('lodash') +const NE = require('node-exceptions') + +Acl.and = (slug, items) => { + return _.every(slug, (check) => { + if (!_.includes(items, check)) { + return false + } + return true + }) +} + +Acl.or = (slug, items) => { + return _.some(slug, (check) => { + if (_.includes(items, check)) { + return true + } + return false + }) +} + +Acl.check = (items, slug, operator = 'and') => { + if (_.isArray(slug)) { + if (!_.includes(['or', 'and'], operator)) { + throw new NE.InvalidArgumentException('Invalid operator, available operators are "and", "or".') + } + return Acl[operator](slug, items) + } + + return _.includes(items, slug) +} diff --git a/src/Exceptions/ForbiddenException.js b/src/Exceptions/ForbiddenException.js new file mode 100644 index 0000000..9dd0270 --- /dev/null +++ b/src/Exceptions/ForbiddenException.js @@ -0,0 +1,21 @@ +'use strict' + +/** + * adonis-acl + * Copyright(c) 2017 Evgeny Razumov + * MIT Licensed + */ + +const NE = require('node-exceptions') + +class ForbiddenException extends NE.HttpException { + static get defaultMessage () { + return 'Access forbidden. You are not allowed to this resource.' + } + + constructor (message) { + super(message || ForbiddenException.defaultMessage, 403) + } +} + +module.exports = ForbiddenException diff --git a/src/Middlewares/Can.js b/src/Middlewares/Can.js new file mode 100644 index 0000000..3b68ee7 --- /dev/null +++ b/src/Middlewares/Can.js @@ -0,0 +1,32 @@ +'use strict' + +/** + * adonis-acl + * Copyright(c) 2017 Evgeny Razumov + * MIT Licensed + */ + +const ForbiddenException = require('../Exceptions/ForbiddenException') +const _ = require('lodash') + +class Can { + * handle (request, response, next, ...args) { + try { + let operator = 'and' + if (_.includes(['or', 'and'], args[0])) { + operator = args[0] + args = _.drop(args) + } + const currentUser = request.currentUser || request.authUser + const can = yield currentUser.can(args, operator) + if (!can) { + throw new ForbiddenException() + } + } catch (e) { + throw e + } + yield next + } +} + +module.exports = Can diff --git a/src/Middlewares/Is.js b/src/Middlewares/Is.js new file mode 100644 index 0000000..384513f --- /dev/null +++ b/src/Middlewares/Is.js @@ -0,0 +1,32 @@ +'use strict' + +/** + * adonis-acl + * Copyright(c) 2017 Evgeny Razumov + * MIT Licensed + */ + +const ForbiddenException = require('../Exceptions/ForbiddenException') +const _ = require('lodash') + +class Is { + * handle (request, response, next, ...args) { + try { + let operator = 'and' + if (_.includes(['or', 'and'], args[0])) { + operator = args[0] + args = _.drop(args) + } + const currentUser = request.currentUser || request.authUser + const is = yield currentUser.is(args, operator) + if (!is) { + throw new ForbiddenException() + } + } catch (e) { + throw e + } + yield next + } +} + +module.exports = Is diff --git a/src/Models/Permission.js b/src/Models/Permission.js new file mode 100644 index 0000000..d2abbb3 --- /dev/null +++ b/src/Models/Permission.js @@ -0,0 +1,22 @@ +'use strict' + +/** + * adonis-acl + * Copyright(c) 2017 Evgeny Razumov + * MIT Licensed + */ + +const Ioc = require('adonis-fold').Ioc +const Model = Ioc.use('Adonis/Src/Lucid') + +class Permission extends Model { + static get rules () { + return { + slug: 'required|min:3|max:255|regex:^[a-zA-Z0-9_-]+$', + name: 'required|min:3|max:255', + description: 'min:3|max:1000' + } + } +} + +module.exports = Permission diff --git a/src/Models/Role.js b/src/Models/Role.js new file mode 100644 index 0000000..2365f5f --- /dev/null +++ b/src/Models/Role.js @@ -0,0 +1,34 @@ +'use strict' + +/** + * adonis-acl + * Copyright(c) 2017 Evgeny Razumov + * MIT Licensed + */ + +const Ioc = require('adonis-fold').Ioc +const Model = Ioc.use('Adonis/Src/Lucid') +const _ = require('lodash') + +class Role extends Model { + static get rules () { + return { + slug: 'required|min:3|max:255|regex:^[a-zA-Z0-9_-]+$', + name: 'required|min:3|max:255', + description: 'min:3|max:1000' + } + } + + permissions () { + return this.belongsToMany('Adonis/Acl/Permission') + } + + * getPermissions () { + let permissions = (yield this.permissions().fetch()).toJSON() + return _.map(permissions, ({ slug }) => { + return slug + }) + } +} + +module.exports = Role diff --git a/src/Traits/HasPermission.js b/src/Traits/HasPermission.js new file mode 100644 index 0000000..0dd9a2b --- /dev/null +++ b/src/Traits/HasPermission.js @@ -0,0 +1,42 @@ +'use strict' + +/** + * adonis-acl + * Copyright(c) 2017 Evgeny Razumov + * MIT Licensed + */ + +const series = require('co-series') +const _ = require('lodash') +const Acl = require('../Acl') + +module.exports = { + register (Model) { + Model.prototype.permissions = function () { + return this.belongsToMany('Adonis/Acl/Permission') + } + + Model.prototype.getPermissions = function * () { + let permissions = (yield this.permissions().fetch()).toJSON() + permissions = _.map(permissions, ({ slug }) => { + return slug + }) + if (typeof this.roles === 'function') { + const roles = yield this.roles().fetch() + const rolePermissions = yield roles.reduce(series(function * (result, role) { + const chain = yield role.getPermissions() + result = _.concat(result, chain) + return result + }), []) + permissions = _.uniq(_.concat(permissions, rolePermissions)) + } + return permissions + } + + Model.prototype.can = function * (slug, operator = 'and') { + const permissions = yield this.getPermissions() + + return Acl.check(permissions, slug, operator) + } + } +} diff --git a/src/Traits/HasRole.js b/src/Traits/HasRole.js new file mode 100644 index 0000000..b66fa47 --- /dev/null +++ b/src/Traits/HasRole.js @@ -0,0 +1,31 @@ +'use strict' + +/** + * adonis-acl + * Copyright(c) 2017 Evgeny Razumov + * MIT Licensed + */ + +const _ = require('lodash') +const Acl = require('../Acl') + +module.exports = { + register (Model) { + Model.prototype.roles = function () { + return this.belongsToMany('Adonis/Acl/Role') + } + + Model.prototype.getRoles = function * () { + const roles = (yield this.roles().fetch()).toJSON() + return _.map(roles, ({ slug }) => { + return slug + }) + } + + Model.prototype.is = function * (slug, operator = 'and') { + const roles = yield this.getRoles() + + return Acl.check(roles, slug, operator) + } + } +}