@lifeomic/abac
Comparing version 1.3.0 to 2.0.0
'use strict'; | ||
var _asyncToGenerator2 = require('babel-runtime/helpers/asyncToGenerator'); | ||
var _asyncToGenerator3 = _interopRequireDefault(_asyncToGenerator2); | ||
var _keys = require('babel-runtime/core-js/object/keys'); | ||
@@ -11,10 +7,2 @@ | ||
var _slicedToArray2 = require('babel-runtime/helpers/slicedToArray'); | ||
var _slicedToArray3 = _interopRequireDefault(_slicedToArray2); | ||
var _getIterator2 = require('babel-runtime/core-js/get-iterator'); | ||
var _getIterator3 = _interopRequireDefault(_getIterator2); | ||
var _entries = require('babel-runtime/core-js/object/entries'); | ||
@@ -58,52 +46,31 @@ | ||
var _iteratorNormalCompletion = true; | ||
var _didIteratorError = false; | ||
var _iteratorError = undefined; | ||
for (const policy of policies) { | ||
validate(policy); | ||
(0, _entries2.default)(policy.rules).forEach(([operation, rules]) => { | ||
if (rules === true) { | ||
// It is safe to ignore the injection attach here because the operation | ||
// name has been validated by the policy schema before getting this far | ||
// eslint-disable-next-line security/detect-object-injection | ||
result[operation] = true; | ||
try { | ||
for (var _iterator = (0, _getIterator3.default)(policies), _step; !(_iteratorNormalCompletion = (_step = _iterator.next()).done); _iteratorNormalCompletion = true) { | ||
const policy = _step.value; | ||
validate(policy); | ||
(0, _entries2.default)(policy.rules).forEach(([operation, rules]) => { | ||
if (rules === true) { | ||
// It is safe to ignore the injection attach here because the operation | ||
// name has been validated by the policy schema before getting this far | ||
// eslint-disable-next-line security/detect-object-injection | ||
} else if (result[operation]) { | ||
// It is safe to ignore the injection attach here because the operation | ||
// name has been validated by the policy schema before getting this far | ||
// eslint-disable-next-line security/detect-object-injection | ||
if (result[operation] !== true) { | ||
// It is safe to ignore the injection attach here because the operation | ||
// name has been validated by the policy schema before getting this far | ||
// eslint-disable-next-line security/detect-object-injection | ||
result[operation] = true; | ||
// It is safe to ignore the injection attach here because the operation | ||
// name has been validated by the policy schema before getting this far | ||
// eslint-disable-next-line security/detect-object-injection | ||
} else if (result[operation]) { | ||
// It is safe to ignore the injection attach here because the operation | ||
// name has been validated by the policy schema before getting this far | ||
// eslint-disable-next-line security/detect-object-injection | ||
if (result[operation] !== true) { | ||
// It is safe to ignore the injection attach here because the operation | ||
// name has been validated by the policy schema before getting this far | ||
// eslint-disable-next-line security/detect-object-injection | ||
result[operation].push(...rules); | ||
} | ||
} else { | ||
// It is safe to ignore the injection attach here because the operation | ||
// name has been validated by the policy schema before getting this far | ||
// eslint-disable-next-line security/detect-object-injection | ||
result[operation] = [...rules]; | ||
result[operation].push(...rules); | ||
} | ||
}); | ||
} | ||
} catch (err) { | ||
_didIteratorError = true; | ||
_iteratorError = err; | ||
} finally { | ||
try { | ||
if (!_iteratorNormalCompletion && _iterator.return) { | ||
_iterator.return(); | ||
} else { | ||
// It is safe to ignore the injection attach here because the operation | ||
// name has been validated by the policy schema before getting this far | ||
// eslint-disable-next-line security/detect-object-injection | ||
result[operation] = [...rules]; | ||
} | ||
} finally { | ||
if (_didIteratorError) { | ||
throw _iteratorError; | ||
} | ||
} | ||
}); | ||
} | ||
@@ -121,32 +88,11 @@ | ||
const path = name.split('.'); | ||
var _iteratorNormalCompletion2 = true; | ||
var _didIteratorError2 = false; | ||
var _iteratorError2 = undefined; | ||
try { | ||
for (var _iterator2 = (0, _getIterator3.default)(path), _step2; !(_iteratorNormalCompletion2 = (_step2 = _iterator2.next()).done); _iteratorNormalCompletion2 = true) { | ||
const field = _step2.value; | ||
if (attributes) { | ||
// It is safe to ignore the injection attach here because the attribute | ||
// name has been validated by the policy schema before getting this far | ||
// eslint-disable-next-line security/detect-object-injection | ||
attributes = attributes[field]; | ||
} else { | ||
return undefined; | ||
} | ||
for (const field of path) { | ||
if (attributes) { | ||
// It is safe to ignore the injection attach here because the attribute | ||
// name has been validated by the policy schema before getting this far | ||
// eslint-disable-next-line security/detect-object-injection | ||
attributes = attributes[field]; | ||
} else { | ||
return undefined; | ||
} | ||
} catch (err) { | ||
_didIteratorError2 = true; | ||
_iteratorError2 = err; | ||
} finally { | ||
try { | ||
if (!_iteratorNormalCompletion2 && _iterator2.return) { | ||
_iterator2.return(); | ||
} | ||
} finally { | ||
if (_didIteratorError2) { | ||
throw _iteratorError2; | ||
} | ||
} | ||
} | ||
@@ -157,3 +103,3 @@ | ||
const getCompareValue = function getCompareValue(condition, attributes) { | ||
const getCompareValue = function (condition, attributes) { | ||
if ('target' in condition) { | ||
@@ -191,38 +137,12 @@ return getAttribute(attributes, condition.target); | ||
const result = {}; | ||
var _iteratorNormalCompletion3 = true; | ||
var _didIteratorError3 = false; | ||
var _iteratorError3 = undefined; | ||
try { | ||
for (var _iterator3 = (0, _getIterator3.default)((0, _entries2.default)(rule)), _step3; !(_iteratorNormalCompletion3 = (_step3 = _iterator3.next()).done); _iteratorNormalCompletion3 = true) { | ||
const _ref = _step3.value; | ||
var _ref2 = (0, _slicedToArray3.default)(_ref, 2); | ||
const name = _ref2[0]; | ||
const condition = _ref2[1]; | ||
const value = getAttribute(attributes, name); | ||
if (value === undefined) { | ||
// It is safe to ignore the injection attach here because the attribute | ||
// name has been validated by the policy schema before getting this far | ||
// eslint-disable-next-line security/detect-object-injection | ||
result[name] = condition; | ||
} else if (!compare(condition, value, attributes)) { | ||
return false; | ||
} | ||
for (const [name, condition] of (0, _entries2.default)(rule)) { | ||
const value = getAttribute(attributes, name); | ||
if (value === undefined) { | ||
// It is safe to ignore the injection attach here because the attribute | ||
// name has been validated by the policy schema before getting this far | ||
// eslint-disable-next-line security/detect-object-injection | ||
result[name] = condition; | ||
} else if (!compare(condition, value, attributes)) { | ||
return false; | ||
} | ||
} catch (err) { | ||
_didIteratorError3 = true; | ||
_iteratorError3 = err; | ||
} finally { | ||
try { | ||
if (!_iteratorNormalCompletion3 && _iterator3.return) { | ||
_iterator3.return(); | ||
} | ||
} finally { | ||
if (_didIteratorError3) { | ||
throw _iteratorError3; | ||
} | ||
} | ||
} | ||
@@ -244,30 +164,9 @@ | ||
var _iteratorNormalCompletion4 = true; | ||
var _didIteratorError4 = false; | ||
var _iteratorError4 = undefined; | ||
try { | ||
for (var _iterator4 = (0, _getIterator3.default)(rules), _step4; !(_iteratorNormalCompletion4 = (_step4 = _iterator4.next()).done); _iteratorNormalCompletion4 = true) { | ||
const rule = _step4.value; | ||
const reducedRule = reduceRule(rule, attributes); | ||
if (reducedRule === true) { | ||
return true; | ||
} else if (reducedRule) { | ||
result.push(reducedRule); | ||
} | ||
for (const rule of rules) { | ||
const reducedRule = reduceRule(rule, attributes); | ||
if (reducedRule === true) { | ||
return true; | ||
} else if (reducedRule) { | ||
result.push(reducedRule); | ||
} | ||
} catch (err) { | ||
_didIteratorError4 = true; | ||
_iteratorError4 = err; | ||
} finally { | ||
try { | ||
if (!_iteratorNormalCompletion4 && _iterator4.return) { | ||
_iterator4.return(); | ||
} | ||
} finally { | ||
if (_didIteratorError4) { | ||
throw _iteratorError4; | ||
} | ||
} | ||
} | ||
@@ -285,24 +184,32 @@ | ||
*/ | ||
const reduce = (() => { | ||
var _ref3 = (0, _asyncToGenerator3.default)(function* (policy, attributes) { | ||
const result = {}; | ||
const reduce = async (policy, attributes) => { | ||
return reduceSync(policy, attributes); | ||
}; | ||
validate(policy); | ||
(0, _entries2.default)(policy.rules).forEach(function ([operation, rules]) { | ||
rules = reduceRules(rules, attributes); | ||
if (rules === true || Array.isArray(rules) && rules.length > 0) { | ||
// It is safe to ignore the injection attach here because the operation name | ||
// comes from the policy which has been validated already. | ||
// eslint-disable-next-line security/detect-object-injection | ||
result[operation] = rules; | ||
} | ||
}); | ||
/** | ||
* Performs a synchronous reduction for whether the given policy might | ||
* allow the operations. This function's intended use is for | ||
* client applications that need a simple check to disable | ||
* or annotate UI elements. | ||
* @param {object} policy - the policy to evaluate | ||
* @param {object} attributes - the attributes to use for the evaluation | ||
* @returns {object} the policy reduced to conditions involving attributes not not given | ||
* @throws {Error} if the policy is invalid | ||
*/ | ||
const reduceSync = (policy, attributes) => { | ||
const result = {}; | ||
return { rules: result }; | ||
validate(policy); | ||
(0, _entries2.default)(policy.rules).forEach(([operation, rules]) => { | ||
rules = reduceRules(rules, attributes); | ||
if (rules === true || Array.isArray(rules) && rules.length > 0) { | ||
// It is safe to ignore the injection attach here because the operation name | ||
// comes from the policy which has been validated already. | ||
// eslint-disable-next-line security/detect-object-injection | ||
result[operation] = rules; | ||
} | ||
}); | ||
return function reduce(_x, _x2) { | ||
return _ref3.apply(this, arguments); | ||
}; | ||
})(); | ||
return { rules: result }; | ||
}; | ||
@@ -317,37 +224,34 @@ /** | ||
*/ | ||
const enforce = (() => { | ||
var _ref4 = (0, _asyncToGenerator3.default)(function* (operation, policy, attributes) { | ||
// Before using the policy, make sure it's valid | ||
validate(policy); | ||
const enforce = async (operation, policy, attributes) => { | ||
// Before using the policy, make sure it's valid | ||
validate(policy); | ||
// It is safe to ignore the injection attach here because the operation name has been validated | ||
// against the allowed operation names | ||
// eslint-disable-next-line security/detect-object-injection | ||
const rules = policy.rules && policy.rules[operation] ? policy.rules[operation] : []; | ||
return (yield reduceRules(rules, attributes)) === true; | ||
}); | ||
// It is safe to ignore the injection attach here because the operation name has been validated | ||
// against the allowed operation names | ||
// eslint-disable-next-line security/detect-object-injection | ||
const rules = policy.rules && policy.rules[operation] ? policy.rules[operation] : []; | ||
return reduceRules(rules, attributes) === true; | ||
}; | ||
return function enforce(_x3, _x4, _x5) { | ||
return _ref4.apply(this, arguments); | ||
}; | ||
})(); | ||
/** | ||
* Performs a synchronous check for whether the given partially | ||
* evaluated policy allows the operation. It's intended use is for | ||
* client applications that need a simple check to disable UI elements. | ||
* Performs a synchronous check for whether the given policy might | ||
* allow the operation. This function's intended use is for | ||
* client applications that need a simple check to disable | ||
* or annotate UI elements. | ||
* @param {string} operation - the requested operation | ||
* @param {object} policy - the policy to use to check access | ||
* @param {object} attributes - the attributes to use to check access | ||
* @returns {boolean} true iff access is allowed, and false otherwise | ||
* @throws {Error} Error if the policy is invalid | ||
*/ | ||
const enforceSync = (operation, policy) => { | ||
const enforceSync = (operation, policy, attributes) => { | ||
// Before using the policy, make sure it's valid | ||
validate(policy); | ||
// TODO: Add support for supplying attributes for rule evaluation | ||
// It is safe to ignore the injection attach here because the operation name has been validated | ||
// against the allowed operation names | ||
// eslint-disable-next-line security/detect-object-injection | ||
return policy.rules && policy.rules[operation] === true; | ||
const rules = policy.rules && policy.rules[operation] ? policy.rules[operation] : []; | ||
const reducedRules = reduceRules(rules, attributes); | ||
return reducedRules && (reducedRules === true || reducedRules.length > 0); | ||
}; | ||
@@ -364,39 +268,40 @@ | ||
*/ | ||
const enforceAny = (() => { | ||
var _ref5 = (0, _asyncToGenerator3.default)(function* (operations, policy, attributes) { | ||
var _iteratorNormalCompletion5 = true; | ||
var _didIteratorError5 = false; | ||
var _iteratorError5 = undefined; | ||
const enforceAny = async (operations, policy, attributes) => { | ||
for (const operation of operations) { | ||
if (await enforce(operation, policy, attributes)) { | ||
return operation; | ||
} | ||
} | ||
try { | ||
for (var _iterator5 = (0, _getIterator3.default)(operations), _step5; !(_iteratorNormalCompletion5 = (_step5 = _iterator5.next()).done); _iteratorNormalCompletion5 = true) { | ||
const operation = _step5.value; | ||
return false; | ||
}; | ||
if (yield enforce(operation, policy, attributes)) { | ||
return operation; | ||
} | ||
} | ||
} catch (err) { | ||
_didIteratorError5 = true; | ||
_iteratorError5 = err; | ||
} finally { | ||
try { | ||
if (!_iteratorNormalCompletion5 && _iterator5.return) { | ||
_iterator5.return(); | ||
} | ||
} finally { | ||
if (_didIteratorError5) { | ||
throw _iteratorError5; | ||
} | ||
} | ||
} | ||
/** | ||
* Return the list of privileges that the given policy | ||
* allows against the given attributes. | ||
* @param {object} policy - the policy to use to check access | ||
* @param {object} attributes - the attributes to use to check access | ||
* @returns {string[]} - the list of privileges | ||
* @throws {Error} Error if the policy is invalid | ||
*/ | ||
const privileges = async (policy, attributes) => { | ||
const rules = (await reduce(policy, attributes)).rules; | ||
return (0, _entries2.default)(rules).filter(([, rules]) => rules === true).map(([privilege]) => privilege); | ||
}; | ||
return false; | ||
}); | ||
/** | ||
* Synchronously return the list of privileges that the given policy | ||
* might allow against the given attributes. This function's intended use is for | ||
* client applications that need a simple check to disable | ||
* or annotate UI elements. | ||
* @param {object} policy - the policy to use to check access | ||
* @param {object} attributes - the attributes to use to check access | ||
* @returns {string[]} - the list of privileges | ||
* @throws {Error} Error if the policy is invalid | ||
*/ | ||
const privilegesSync = (policy, attributes) => { | ||
const rules = reduceSync(policy, attributes).rules; | ||
return (0, _entries2.default)(rules).map(([privilege]) => privilege); | ||
}; | ||
return function enforceAny(_x6, _x7, _x8) { | ||
return _ref5.apply(this, arguments); | ||
}; | ||
})(); | ||
module.exports = { | ||
@@ -408,3 +313,6 @@ validate, | ||
enforceSync, | ||
enforceAny | ||
}; | ||
enforceAny, | ||
privilegesSync, | ||
privileges | ||
}; | ||
//# sourceMappingURL=index.js.map |
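Review bot: The new `enforceSync` returns true when `reduceRules` yields a non-empty array, that is, when the operation is only conditionally allowed pending attributes that were not supplied, yet its unchanged `@returns` line still reads `true iff access is allowed`. `enforce` accepts only `=== true`, so the two functions can now disagree on the same inputs, and `privilegesSync` relates to `privileges` the same way because it omits the `rules === true` filter. A caller that treats the sync variants as an authorization decision rather than a UI hint would fail open on missing attributes. I would change the tag to `@returns {boolean} true if the operation is allowed or may be allowed once missing attributes are known; not an authorization decision, use enforce() for that` and add the same caveat to the `privilegesSync` docstring. The old and new sides are inferred here, since the rendered listing has lost its +/- markers.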
@@ -9,2 +9,3 @@ 'use strict'; | ||
OperationNames: require('./OperationNames.json') | ||
}; | ||
}; | ||
//# sourceMappingURL=index.js.map |
{ | ||
"name": "@lifeomic/abac", | ||
"version": "1.3.0", | ||
"version": "2.0.0", | ||
"description": "Lifeomic Attribute Based Access Control Support Module", | ||
"main": "dist/index.js", | ||
"main": "./dist/index.js", | ||
"browser": "./lib/index.js", | ||
"module": "./module/index.js", | ||
"repository": "ssh://git@bitbucket.org/lifeomic/abac.git", | ||
@@ -14,4 +16,8 @@ "author": "LifeOmic <development@lifeomic.com>", | ||
"jenkins-test": "ENV=ava ava --tap | tap-xunit --package unit > test-report.xml", | ||
"build": "babel src --out-dir dist --copy-files", | ||
"lifeomic-publish-npm-package": "lifeomic-publish-npm-package --publish-tagged-commits-only" | ||
"build-browser": "BABEL_ENV=browser babel ./src --out-dir ./lib --source-maps --copy-files", | ||
"build-module": "BABEL_ENV=module babel ./src --out-dir ./module --source-maps --copy-files", | ||
"build-node": "babel ./src --out-dir ./dist --source-maps --copy-files", | ||
"build": "yarn build-node && yarn build-browser && yarn build-module", | ||
"lifeomic-publish-npm-package": "lifeomic-publish-npm-package --publish-tagged-commits-only", | ||
"clean": "rm -rf dist lib module" | ||
}, | ||
@@ -24,2 +30,3 @@ "devDependencies": { | ||
"babel-cli": "6.26.0", | ||
"babel-plugin-transform-class-properties": "^6.24.1", | ||
"babel-plugin-transform-object-rest-spread": "^6.26.0", | ||
@@ -49,16 +56,58 @@ "babel-plugin-transform-runtime": "^6.23.0", | ||
"babel": { | ||
"plugins": [ | ||
"transform-object-rest-spread", | ||
"transform-runtime" | ||
], | ||
"presets": [ | ||
[ | ||
"env", | ||
{ | ||
"targets": { | ||
"node": 6 | ||
} | ||
} | ||
] | ||
] | ||
"env": { | ||
"development": { | ||
"presets": [ | ||
[ | ||
"babel-preset-env", | ||
{ | ||
"targets": { | ||
"node": "8.10" | ||
} | ||
} | ||
] | ||
], | ||
"plugins": [ | ||
"transform-object-rest-spread", | ||
"transform-class-properties", | ||
"transform-runtime" | ||
] | ||
}, | ||
"browser": { | ||
"presets": [ | ||
[ | ||
"babel-preset-env", | ||
{ | ||
"targets": { | ||
"browsers": "last 2 versions, ie 10-11" | ||
}, | ||
"modules": false | ||
} | ||
] | ||
], | ||
"plugins": [ | ||
"transform-object-rest-spread", | ||
"transform-class-properties", | ||
"transform-runtime" | ||
] | ||
}, | ||
"module": { | ||
"presets": [ | ||
[ | ||
"babel-preset-env", | ||
{ | ||
"targets": { | ||
"node": "8.10" | ||
}, | ||
"modules": false | ||
} | ||
] | ||
], | ||
"plugins": [ | ||
"transform-object-rest-spread", | ||
"transform-class-properties", | ||
"transform-runtime" | ||
] | ||
} | ||
}, | ||
"sourceMaps": true | ||
}, | ||
@@ -65,0 +114,0 @@ "dependencies": { |
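Review bot: `build-node` runs babel without setting `BABEL_ENV`, while the new `babel` block appears to keep every preset and plugin under `env.development`, `env.browser` and `env.module`, with only `sourceMaps` left at the top level. Babel 6 selects the env key from `BABEL_ENV`, then `NODE_ENV`, and only then defaults to `development`, so a publish job that exports `NODE_ENV=production` would match no entry and emit `dist/` without the node preset, shipping untranspiled source as `main`. Pin the environment in the script, `"build-node": "BABEL_ENV=development babel ./src --out-dir ./dist --source-maps --copy-files"`, or move the node preset and plugins to the top level of the `babel` block so the published artifact does not depend on the caller's environment.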
License Policy Violation
License: This package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Major refactor
Supply chain risk: Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.
Found 1 instance in 1 package