mirror of
https://github.com/danny-avila/LibreChat.git
synced 2025-12-17 00:40:14 +01:00
65c81955f0
* feat: Add granular role-based permissions system with Entra ID integration
- Implement RBAC with viewer/editor/owner roles using bitwise permissions
- Add AccessRole, AclEntry, and Group models for permission management
- Create PermissionService for core permission logic and validation
- Integrate Microsoft Graph API for Entra ID user/group search
- Add middleware for resource access validation with custom ID resolvers
- Implement bulk permission updates with transaction support
- Create permission management UI with people picker and role selection
- Add public sharing capabilities for resources
- Include database migration for existing agent ownership
- Support hybrid local/Entra ID identity management
- Add comprehensive test coverage for all new services
chore: Update @librechat/data-schemas to version 0.0.9 and export common module in index.ts
fix: Update userGroup tests to mock logger correctly and change principalId expectation from null to undefined
* fix(data-schemas): use partial index for group idOnTheSource uniqueness
Replace sparse index with partial filter expression to allow multiple local groups
while maintaining unique constraint for external source IDs. The sparse option
on compound indexes doesn't work as expected when one field is always present.
* fix: imports in migrate-agent-permissions.js
* chore(data-schemas): add comprehensive README for data schemas package
- Introduced a detailed README.md file outlining the structure, architecture patterns, and best practices for the LibreChat Data Schemas package.
- Included guidelines for creating new entities, type definitions, schema files, model factory functions, and database methods.
- Added examples and common patterns to enhance understanding and usage of the package.
* chore: remove unused translation keys from localization file
* ci: fix existing tests based off new permission handling
- Renamed test cases to reflect changes in permission checks being handled at the route level.
- Updated assertions to verify that agents are returned regardless of user permissions due to the new permission system.
- Adjusted mocks in AppService and PermissionService tests to ensure proper functionality without relying on actual implementations.
* ci: add unit tests for access control middleware
- Introduced tests for the `canAccessAgentResource` middleware to validate permission checks for agent resources.
- Implemented tests for various scenarios including user roles, ACL entries, and permission levels.
- Added tests for the `checkAccess` function to ensure proper permission handling based on user roles and permissions.
- Utilized MongoDB in-memory server for isolated test environments.
* refactor: remove unused mocks from GraphApiService tests
* ci: enhance AgentFooter tests with improved mocks and permission handling
- Updated mocks for `useWatch`, `useAuthContext`, `useHasAccess`, and `useResourcePermissions` to streamline test setup.
- Adjusted assertions to reflect changes in UI based on agent ID and user roles.
- Replaced `share-agent` component with `grant-access-dialog` in tests to align with recent UI updates.
- Added tests for handling null agent data and permissions loading scenarios.
* ci: enhance GraphApiService tests with MongoDB in-memory server
- Updated test setup to use MongoDB in-memory server for isolated testing.
- Refactored beforeEach to beforeAll for database connection management.
- Cleared database before each test to ensure a clean state.
- Retained existing mocks while improving test structure for better clarity.
* ci: enhance GraphApiService tests with additional logger mocks
- Added mock implementation for logger methods in GraphApiService tests to improve error and debug logging during test execution.
- Ensured existing mocks remain intact while enhancing test coverage and clarity.
* chore: address ESLint Warnings
* - add cursor-based pagination to getListAgentsByAccess and update handler
- add index on updatedAt and _id in agent schema for improved query performance
* refactor permission service with reuse of model methods from data-schema package
* - Fix ObjectId comparison in getListAgentsHandler using .equals() method instead of strict equality
- Add findPubliclyAccessibleResources function to PermissionService for bulk public resource queries
- Add hasPublicPermission function to PermissionService for individual resource public permission checks
- Update getAgentHandler to use hasPublicPermission for accurate individual agent public status
- Replace instanceProjectId-based global checks with isPublic property from backend in client code
- Add isPublic property to Agent type definition
- Add NODE_TLS_REJECT_UNAUTHORIZED debug setting to VS Code launch config
* feat: add check for People.Read scope in searchContacts
* fix: add roleId parameter to grantPermission and update tests for GraphApiService
* refactor: remove problematic projection pipelines in getResourcePermissions for document db aws compatibility
* feat: enhance agent permissions migration with DocumentDB compatibility and add dry-run script
* feat: add support for including Entra ID group owners as members in permissions management + fix Group members paging
* feat: enforce at least one owner requirement for permission updates and add corresponding localization messages
* refactor: remove German locale (must be added via i18n)
* chore: linting in `api/models/Agent.js` and removed unused variables
* chore: linting, remove unused vars, and remove project-related parameters from `updateAgentHandler`
* chore: address ESLint errors
* chore: revert removal of unused vars for versioning
---------
Co-authored-by: Atef Bellaaj <slalom.bellaaj@external.daimlertruck.com>
721 lines
24 KiB
JavaScript
721 lines
24 KiB
JavaScript
const mongoose = require('mongoose');
|
|
const { getTransactionSupport, logger } = require('@librechat/data-schemas');
|
|
const { isEnabled } = require('~/server/utils');
|
|
const {
|
|
entraIdPrincipalFeatureEnabled,
|
|
getUserEntraGroups,
|
|
getUserOwnedEntraGroups,
|
|
getGroupMembers,
|
|
getGroupOwners,
|
|
} = require('~/server/services/GraphApiService');
|
|
const {
|
|
findGroupByExternalId,
|
|
findRoleByIdentifier,
|
|
getUserPrincipals,
|
|
createGroup,
|
|
createUser,
|
|
updateUser,
|
|
findUser,
|
|
grantPermission: grantPermissionACL,
|
|
findAccessibleResources: findAccessibleResourcesACL,
|
|
hasPermission,
|
|
getEffectivePermissions: getEffectivePermissionsACL,
|
|
findEntriesByPrincipalsAndResource,
|
|
} = require('~/models');
|
|
const { AclEntry, AccessRole, Group } = require('~/db/models');
|
|
|
|
/** @type {boolean|null} */
|
|
let transactionSupportCache = null;
|
|
|
|
/**
|
|
* @import { TPrincipal } from 'librechat-data-provider'
|
|
*/
|
|
/**
|
|
* Grant a permission to a principal for a resource using a role
|
|
* @param {Object} params - Parameters for granting role-based permission
|
|
* @param {string} params.principalType - 'user', 'group', or 'public'
|
|
* @param {string|mongoose.Types.ObjectId|null} params.principalId - The ID of the principal (null for 'public')
|
|
* @param {string} params.resourceType - Type of resource (e.g., 'agent')
|
|
* @param {string|mongoose.Types.ObjectId} params.resourceId - The ID of the resource
|
|
* @param {string} params.accessRoleId - The ID of the role (e.g., 'agent_viewer', 'agent_editor')
|
|
* @param {string|mongoose.Types.ObjectId} params.grantedBy - User ID granting the permission
|
|
* @param {mongoose.ClientSession} [params.session] - Optional MongoDB session for transactions
|
|
* @returns {Promise<Object>} The created or updated ACL entry
|
|
*/
|
|
const grantPermission = async ({
|
|
principalType,
|
|
principalId,
|
|
resourceType,
|
|
resourceId,
|
|
accessRoleId,
|
|
grantedBy,
|
|
session,
|
|
}) => {
|
|
try {
|
|
if (!['user', 'group', 'public'].includes(principalType)) {
|
|
throw new Error(`Invalid principal type: ${principalType}`);
|
|
}
|
|
|
|
if (principalType !== 'public' && !principalId) {
|
|
throw new Error('Principal ID is required for user and group principals');
|
|
}
|
|
|
|
if (principalId && !mongoose.Types.ObjectId.isValid(principalId)) {
|
|
throw new Error(`Invalid principal ID: ${principalId}`);
|
|
}
|
|
|
|
if (!resourceId || !mongoose.Types.ObjectId.isValid(resourceId)) {
|
|
throw new Error(`Invalid resource ID: ${resourceId}`);
|
|
}
|
|
|
|
// Get the role to determine permission bits
|
|
const role = await findRoleByIdentifier(accessRoleId);
|
|
if (!role) {
|
|
throw new Error(`Role ${accessRoleId} not found`);
|
|
}
|
|
|
|
// Ensure the role is for the correct resource type
|
|
if (role.resourceType !== resourceType) {
|
|
throw new Error(
|
|
`Role ${accessRoleId} is for ${role.resourceType} resources, not ${resourceType}`,
|
|
);
|
|
}
|
|
return await grantPermissionACL(
|
|
principalType,
|
|
principalId,
|
|
resourceType,
|
|
resourceId,
|
|
role.permBits,
|
|
grantedBy,
|
|
session,
|
|
role._id,
|
|
);
|
|
} catch (error) {
|
|
logger.error(`[PermissionService.grantPermission] Error: ${error.message}`);
|
|
throw error;
|
|
}
|
|
};
|
|
|
|
/**
|
|
* Check if a user has specific permission bits on a resource
|
|
* @param {Object} params - Parameters for checking permissions
|
|
* @param {string|mongoose.Types.ObjectId} params.userId - The ID of the user
|
|
* @param {string} params.resourceType - Type of resource (e.g., 'agent')
|
|
* @param {string|mongoose.Types.ObjectId} params.resourceId - The ID of the resource
|
|
* @param {number} params.requiredPermissions - The permission bits required (e.g., 1 for VIEW, 3 for VIEW+EDIT)
|
|
* @returns {Promise<boolean>} Whether the user has the required permission bits
|
|
*/
|
|
const checkPermission = async ({ userId, resourceType, resourceId, requiredPermission }) => {
|
|
try {
|
|
if (typeof requiredPermission !== 'number' || requiredPermission < 1) {
|
|
throw new Error('requiredPermission must be a positive number');
|
|
}
|
|
|
|
// Get all principals for the user (user + groups + public)
|
|
const principals = await getUserPrincipals(userId);
|
|
|
|
if (principals.length === 0) {
|
|
return false;
|
|
}
|
|
|
|
return await hasPermission(principals, resourceType, resourceId, requiredPermission);
|
|
} catch (error) {
|
|
logger.error(`[PermissionService.checkPermission] Error: ${error.message}`);
|
|
// Re-throw validation errors
|
|
if (error.message.includes('requiredPermission must be')) {
|
|
throw error;
|
|
}
|
|
return false;
|
|
}
|
|
};
|
|
|
|
/**
|
|
* Get effective permission bitmask for a user on a resource
|
|
* @param {Object} params - Parameters for getting effective permissions
|
|
* @param {string|mongoose.Types.ObjectId} params.userId - The ID of the user
|
|
* @param {string} params.resourceType - Type of resource (e.g., 'agent')
|
|
* @param {string|mongoose.Types.ObjectId} params.resourceId - The ID of the resource
|
|
* @returns {Promise<number>} Effective permission bitmask
|
|
*/
|
|
const getEffectivePermissions = async ({ userId, resourceType, resourceId }) => {
|
|
try {
|
|
// Get all principals for the user (user + groups + public)
|
|
const principals = await getUserPrincipals(userId);
|
|
|
|
if (principals.length === 0) {
|
|
return 0;
|
|
}
|
|
return await getEffectivePermissionsACL(principals, resourceType, resourceId);
|
|
} catch (error) {
|
|
logger.error(`[PermissionService.getEffectivePermissions] Error: ${error.message}`);
|
|
return 0;
|
|
}
|
|
};
|
|
|
|
/**
|
|
* Find all resources of a specific type that a user has access to with specific permission bits
|
|
* @param {Object} params - Parameters for finding accessible resources
|
|
* @param {string|mongoose.Types.ObjectId} params.userId - The ID of the user
|
|
* @param {string} params.resourceType - Type of resource (e.g., 'agent')
|
|
* @param {number} params.requiredPermissions - The minimum permission bits required (e.g., 1 for VIEW, 3 for VIEW+EDIT)
|
|
* @returns {Promise<Array>} Array of resource IDs
|
|
*/
|
|
const findAccessibleResources = async ({ userId, resourceType, requiredPermissions }) => {
|
|
try {
|
|
if (typeof requiredPermissions !== 'number' || requiredPermissions < 1) {
|
|
throw new Error('requiredPermissions must be a positive number');
|
|
}
|
|
|
|
// Get all principals for the user (user + groups + public)
|
|
const principalsList = await getUserPrincipals(userId);
|
|
|
|
if (principalsList.length === 0) {
|
|
return [];
|
|
}
|
|
return await findAccessibleResourcesACL(principalsList, resourceType, requiredPermissions);
|
|
} catch (error) {
|
|
logger.error(`[PermissionService.findAccessibleResources] Error: ${error.message}`);
|
|
// Re-throw validation errors
|
|
if (error.message.includes('requiredPermissions must be')) {
|
|
throw error;
|
|
}
|
|
return [];
|
|
}
|
|
};
|
|
|
|
/**
|
|
* Find all publicly accessible resources of a specific type
|
|
* @param {Object} params - Parameters for finding publicly accessible resources
|
|
* @param {string} params.resourceType - Type of resource (e.g., 'agent')
|
|
* @param {number} params.requiredPermissions - The minimum permission bits required (e.g., 1 for VIEW, 3 for VIEW+EDIT)
|
|
* @returns {Promise<Array>} Array of resource IDs
|
|
*/
|
|
const findPubliclyAccessibleResources = async ({ resourceType, requiredPermissions }) => {
|
|
try {
|
|
if (typeof requiredPermissions !== 'number' || requiredPermissions < 1) {
|
|
throw new Error('requiredPermissions must be a positive number');
|
|
}
|
|
|
|
// Find all public ACL entries where the public principal has at least the required permission bits
|
|
const entries = await AclEntry.find({
|
|
principalType: 'public',
|
|
resourceType,
|
|
permBits: { $bitsAllSet: requiredPermissions },
|
|
}).distinct('resourceId');
|
|
|
|
return entries;
|
|
} catch (error) {
|
|
logger.error(`[PermissionService.findPubliclyAccessibleResources] Error: ${error.message}`);
|
|
// Re-throw validation errors
|
|
if (error.message.includes('requiredPermissions must be')) {
|
|
throw error;
|
|
}
|
|
return [];
|
|
}
|
|
};
|
|
|
|
/**
|
|
* Get available roles for a resource type
|
|
* @param {Object} params - Parameters for getting available roles
|
|
* @param {string} params.resourceType - Type of resource (e.g., 'agent')
|
|
* @returns {Promise<Array>} Array of role definitions
|
|
*/
|
|
const getAvailableRoles = async ({ resourceType }) => {
|
|
try {
|
|
return await AccessRole.find({ resourceType }).lean();
|
|
} catch (error) {
|
|
logger.error(`[PermissionService.getAvailableRoles] Error: ${error.message}`);
|
|
return [];
|
|
}
|
|
};
|
|
|
|
/**
|
|
* Ensures a principal exists in the database based on TPrincipal data
|
|
* Creates user if it doesn't exist locally (for Entra ID users)
|
|
* @param {Object} principal - TPrincipal object from frontend
|
|
* @param {string} principal.type - 'user', 'group', or 'public'
|
|
* @param {string} [principal.id] - Local database ID (null for Entra ID principals not yet synced)
|
|
* @param {string} principal.name - Display name
|
|
* @param {string} [principal.email] - Email address
|
|
* @param {string} [principal.source] - 'local' or 'entra'
|
|
* @param {string} [principal.idOnTheSource] - Entra ID object ID for external principals
|
|
* @returns {Promise<string|null>} Returns the principalId for database operations, null for public
|
|
*/
|
|
const ensurePrincipalExists = async function (principal) {
|
|
if (principal.type === 'public') {
|
|
return null;
|
|
}
|
|
|
|
if (principal.id) {
|
|
return principal.id;
|
|
}
|
|
|
|
if (principal.type === 'user' && principal.source === 'entra') {
|
|
if (!principal.email || !principal.idOnTheSource) {
|
|
throw new Error('Entra ID user principals must have email and idOnTheSource');
|
|
}
|
|
|
|
let existingUser = await findUser({ idOnTheSource: principal.idOnTheSource });
|
|
|
|
if (!existingUser) {
|
|
existingUser = await findUser({ email: principal.email.toLowerCase() });
|
|
}
|
|
|
|
if (existingUser) {
|
|
if (!existingUser.idOnTheSource && principal.idOnTheSource) {
|
|
await updateUser(existingUser._id, {
|
|
idOnTheSource: principal.idOnTheSource,
|
|
provider: 'openid',
|
|
});
|
|
}
|
|
return existingUser._id.toString();
|
|
}
|
|
|
|
const userData = {
|
|
name: principal.name,
|
|
email: principal.email.toLowerCase(),
|
|
emailVerified: false,
|
|
provider: 'openid',
|
|
idOnTheSource: principal.idOnTheSource,
|
|
};
|
|
|
|
const userId = await createUser(userData, true, false);
|
|
return userId.toString();
|
|
}
|
|
|
|
if (principal.type === 'group') {
|
|
throw new Error('Group principals should be handled by group-specific methods');
|
|
}
|
|
|
|
throw new Error(`Unsupported principal type: ${principal.type}`);
|
|
};
|
|
|
|
/**
|
|
* Ensures a group principal exists in the database based on TPrincipal data
|
|
* Creates group if it doesn't exist locally (for Entra ID groups)
|
|
* For Entra ID groups, always synchronizes member IDs when authentication context is provided
|
|
* @param {Object} principal - TPrincipal object from frontend
|
|
* @param {string} principal.type - Must be 'group'
|
|
* @param {string} [principal.id] - Local database ID (null for Entra ID principals not yet synced)
|
|
* @param {string} principal.name - Display name
|
|
* @param {string} [principal.email] - Email address
|
|
* @param {string} [principal.description] - Group description
|
|
* @param {string} [principal.source] - 'local' or 'entra'
|
|
* @param {string} [principal.idOnTheSource] - Entra ID object ID for external principals
|
|
* @param {Object} [authContext] - Optional authentication context for fetching member data
|
|
* @param {string} [authContext.accessToken] - Access token for Graph API calls
|
|
* @param {string} [authContext.sub] - Subject identifier
|
|
* @returns {Promise<string>} Returns the groupId for database operations
|
|
*/
|
|
const ensureGroupPrincipalExists = async function (principal, authContext = null) {
|
|
if (principal.type !== 'group') {
|
|
throw new Error(`Invalid principal type: ${principal.type}. Expected 'group'`);
|
|
}
|
|
|
|
if (principal.source === 'entra') {
|
|
if (!principal.name || !principal.idOnTheSource) {
|
|
throw new Error('Entra ID group principals must have name and idOnTheSource');
|
|
}
|
|
|
|
let memberIds = [];
|
|
if (authContext && authContext.accessToken && authContext.sub) {
|
|
try {
|
|
memberIds = await getGroupMembers(
|
|
authContext.accessToken,
|
|
authContext.sub,
|
|
principal.idOnTheSource,
|
|
);
|
|
|
|
// Include group owners as members if feature is enabled
|
|
if (isEnabled(process.env.ENTRA_ID_INCLUDE_OWNERS_AS_MEMBERS)) {
|
|
const ownerIds = await getGroupOwners(
|
|
authContext.accessToken,
|
|
authContext.sub,
|
|
principal.idOnTheSource,
|
|
);
|
|
if (ownerIds && ownerIds.length > 0) {
|
|
memberIds.push(...ownerIds);
|
|
// Remove duplicates
|
|
memberIds = [...new Set(memberIds)];
|
|
}
|
|
}
|
|
} catch (error) {
|
|
logger.error('Failed to fetch group members from Graph API:', error);
|
|
}
|
|
}
|
|
|
|
let existingGroup = await findGroupByExternalId(principal.idOnTheSource, 'entra');
|
|
|
|
if (!existingGroup && principal.email) {
|
|
existingGroup = await Group.findOne({ email: principal.email.toLowerCase() }).lean();
|
|
}
|
|
|
|
if (existingGroup) {
|
|
const updateData = {};
|
|
let needsUpdate = false;
|
|
|
|
if (!existingGroup.idOnTheSource && principal.idOnTheSource) {
|
|
updateData.idOnTheSource = principal.idOnTheSource;
|
|
updateData.source = 'entra';
|
|
needsUpdate = true;
|
|
}
|
|
|
|
if (principal.description && existingGroup.description !== principal.description) {
|
|
updateData.description = principal.description;
|
|
needsUpdate = true;
|
|
}
|
|
|
|
if (principal.email && existingGroup.email !== principal.email.toLowerCase()) {
|
|
updateData.email = principal.email.toLowerCase();
|
|
needsUpdate = true;
|
|
}
|
|
|
|
if (authContext && authContext.accessToken && authContext.sub) {
|
|
updateData.memberIds = memberIds;
|
|
needsUpdate = true;
|
|
}
|
|
|
|
if (needsUpdate) {
|
|
await Group.findByIdAndUpdate(existingGroup._id, { $set: updateData }, { new: true });
|
|
}
|
|
|
|
return existingGroup._id.toString();
|
|
}
|
|
|
|
const groupData = {
|
|
name: principal.name,
|
|
source: 'entra',
|
|
idOnTheSource: principal.idOnTheSource,
|
|
memberIds: memberIds, // Store idOnTheSource values of group members (empty if no auth context)
|
|
};
|
|
|
|
if (principal.email) {
|
|
groupData.email = principal.email.toLowerCase();
|
|
}
|
|
|
|
if (principal.description) {
|
|
groupData.description = principal.description;
|
|
}
|
|
|
|
const newGroup = await createGroup(groupData);
|
|
return newGroup._id.toString();
|
|
}
|
|
if (principal.id && authContext == null) {
|
|
return principal.id;
|
|
}
|
|
|
|
throw new Error(`Unsupported group principal source: ${principal.source}`);
|
|
};
|
|
|
|
/**
|
|
* Synchronize user's Entra ID group memberships on sign-in
|
|
* Gets user's group IDs from GraphAPI and updates memberships only for existing groups in database
|
|
* Optionally includes groups the user owns if ENTRA_ID_INCLUDE_OWNERS_AS_MEMBERS is enabled
|
|
* @param {Object} user - User object with authentication context
|
|
* @param {string} user.openidId - User's OpenID subject identifier
|
|
* @param {string} user.idOnTheSource - User's Entra ID (oid from token claims)
|
|
* @param {string} user.provider - Authentication provider ('openid')
|
|
* @param {string} accessToken - Access token for Graph API calls
|
|
* @param {mongoose.ClientSession} [session] - Optional MongoDB session for transactions
|
|
* @returns {Promise<void>}
|
|
*/
|
|
const syncUserEntraGroupMemberships = async (user, accessToken, session = null) => {
|
|
try {
|
|
if (!entraIdPrincipalFeatureEnabled(user) || !accessToken || !user.idOnTheSource) {
|
|
return;
|
|
}
|
|
|
|
const memberGroupIds = await getUserEntraGroups(accessToken, user.openidId);
|
|
let allGroupIds = [...(memberGroupIds || [])];
|
|
|
|
// Include owned groups if feature is enabled
|
|
if (isEnabled(process.env.ENTRA_ID_INCLUDE_OWNERS_AS_MEMBERS)) {
|
|
const ownedGroupIds = await getUserOwnedEntraGroups(accessToken, user.openidId);
|
|
if (ownedGroupIds && ownedGroupIds.length > 0) {
|
|
allGroupIds.push(...ownedGroupIds);
|
|
// Remove duplicates
|
|
allGroupIds = [...new Set(allGroupIds)];
|
|
}
|
|
}
|
|
|
|
if (!allGroupIds || allGroupIds.length === 0) {
|
|
return;
|
|
}
|
|
|
|
const sessionOptions = session ? { session } : {};
|
|
|
|
await Group.updateMany(
|
|
{
|
|
idOnTheSource: { $in: allGroupIds },
|
|
source: 'entra',
|
|
memberIds: { $ne: user.idOnTheSource },
|
|
},
|
|
{ $addToSet: { memberIds: user.idOnTheSource } },
|
|
sessionOptions,
|
|
);
|
|
|
|
await Group.updateMany(
|
|
{
|
|
source: 'entra',
|
|
memberIds: user.idOnTheSource,
|
|
idOnTheSource: { $nin: allGroupIds },
|
|
},
|
|
{ $pull: { memberIds: user.idOnTheSource } },
|
|
sessionOptions,
|
|
);
|
|
} catch (error) {
|
|
logger.error(`[PermissionService.syncUserEntraGroupMemberships] Error syncing groups:`, error);
|
|
}
|
|
};
|
|
|
|
/**
|
|
* Check if public has a specific permission on a resource
|
|
* @param {Object} params - Parameters for checking public permission
|
|
* @param {string} params.resourceType - Type of resource (e.g., 'agent')
|
|
* @param {string|mongoose.Types.ObjectId} params.resourceId - The ID of the resource
|
|
* @param {number} params.requiredPermissions - The permission bits required (e.g., 1 for VIEW, 3 for VIEW+EDIT)
|
|
* @returns {Promise<boolean>} Whether public has the required permission bits
|
|
*/
|
|
const hasPublicPermission = async ({ resourceType, resourceId, requiredPermissions }) => {
|
|
try {
|
|
if (typeof requiredPermissions !== 'number' || requiredPermissions < 1) {
|
|
throw new Error('requiredPermissions must be a positive number');
|
|
}
|
|
|
|
// Use public principal to check permissions
|
|
const publicPrincipal = [{ principalType: 'public' }];
|
|
|
|
const entries = await findEntriesByPrincipalsAndResource(
|
|
publicPrincipal,
|
|
resourceType,
|
|
resourceId,
|
|
);
|
|
|
|
// Check if any entry has the required permission bits
|
|
return entries.some((entry) => (entry.permBits & requiredPermissions) === requiredPermissions);
|
|
} catch (error) {
|
|
logger.error(`[PermissionService.hasPublicPermission] Error: ${error.message}`);
|
|
// Re-throw validation errors
|
|
if (error.message.includes('requiredPermissions must be')) {
|
|
throw error;
|
|
}
|
|
return false;
|
|
}
|
|
};
|
|
|
|
/**
|
|
* Bulk update permissions for a resource (grant, update, revoke)
|
|
* Efficiently handles multiple permission changes in a single transaction
|
|
*
|
|
* @param {Object} params - Parameters for bulk permission update
|
|
* @param {string} params.resourceType - Type of resource (e.g., 'agent')
|
|
* @param {string|mongoose.Types.ObjectId} params.resourceId - The ID of the resource
|
|
* @param {Array<TPrincipal>} params.updatedPrincipals - Array of principals to grant/update permissions for
|
|
* @param {Array<TPrincipal>} params.revokedPrincipals - Array of principals to revoke permissions from
|
|
* @param {string|mongoose.Types.ObjectId} params.grantedBy - User ID making the changes
|
|
* @param {mongoose.ClientSession} [params.session] - Optional MongoDB session for transactions
|
|
* @returns {Promise<Object>} Results object with granted, updated, revoked arrays and error details
|
|
*/
|
|
const bulkUpdateResourcePermissions = async ({
|
|
resourceType,
|
|
resourceId,
|
|
updatedPrincipals = [],
|
|
revokedPrincipals = [],
|
|
grantedBy,
|
|
session,
|
|
}) => {
|
|
const supportsTransactions = await getTransactionSupport(mongoose, transactionSupportCache);
|
|
transactionSupportCache = supportsTransactions;
|
|
let localSession = session;
|
|
let shouldEndSession = false;
|
|
|
|
try {
|
|
if (!Array.isArray(updatedPrincipals)) {
|
|
throw new Error('updatedPrincipals must be an array');
|
|
}
|
|
|
|
if (!Array.isArray(revokedPrincipals)) {
|
|
throw new Error('revokedPrincipals must be an array');
|
|
}
|
|
|
|
if (!resourceId || !mongoose.Types.ObjectId.isValid(resourceId)) {
|
|
throw new Error(`Invalid resource ID: ${resourceId}`);
|
|
}
|
|
|
|
if (!localSession && supportsTransactions) {
|
|
localSession = await mongoose.startSession();
|
|
localSession.startTransaction();
|
|
shouldEndSession = true;
|
|
}
|
|
|
|
const sessionOptions = localSession ? { session: localSession } : {};
|
|
|
|
const roles = await AccessRole.find({ resourceType }).lean();
|
|
const rolesMap = new Map();
|
|
roles.forEach((role) => {
|
|
rolesMap.set(role.accessRoleId, role);
|
|
});
|
|
|
|
const results = {
|
|
granted: [],
|
|
updated: [],
|
|
revoked: [],
|
|
errors: [],
|
|
};
|
|
|
|
const bulkWrites = [];
|
|
|
|
for (const principal of updatedPrincipals) {
|
|
try {
|
|
if (!principal.accessRoleId) {
|
|
results.errors.push({
|
|
principal,
|
|
error: 'accessRoleId is required for updated principals',
|
|
});
|
|
continue;
|
|
}
|
|
|
|
const role = rolesMap.get(principal.accessRoleId);
|
|
if (!role) {
|
|
results.errors.push({
|
|
principal,
|
|
error: `Role ${principal.accessRoleId} not found`,
|
|
});
|
|
continue;
|
|
}
|
|
|
|
const query = {
|
|
principalType: principal.type,
|
|
resourceType,
|
|
resourceId,
|
|
};
|
|
|
|
if (principal.type !== 'public') {
|
|
query.principalId = principal.id;
|
|
}
|
|
|
|
const update = {
|
|
$set: {
|
|
permBits: role.permBits,
|
|
roleId: role._id,
|
|
grantedBy,
|
|
grantedAt: new Date(),
|
|
},
|
|
$setOnInsert: {
|
|
principalType: principal.type,
|
|
resourceType,
|
|
resourceId,
|
|
...(principal.type !== 'public' && {
|
|
principalId: principal.id,
|
|
principalModel: principal.type === 'user' ? 'User' : 'Group',
|
|
}),
|
|
},
|
|
};
|
|
|
|
bulkWrites.push({
|
|
updateOne: {
|
|
filter: query,
|
|
update: update,
|
|
upsert: true,
|
|
},
|
|
});
|
|
|
|
results.granted.push({
|
|
type: principal.type,
|
|
id: principal.id,
|
|
name: principal.name,
|
|
email: principal.email,
|
|
source: principal.source,
|
|
avatar: principal.avatar,
|
|
description: principal.description,
|
|
idOnTheSource: principal.idOnTheSource,
|
|
accessRoleId: principal.accessRoleId,
|
|
memberCount: principal.memberCount,
|
|
memberIds: principal.memberIds,
|
|
});
|
|
} catch (error) {
|
|
results.errors.push({
|
|
principal,
|
|
error: error.message,
|
|
});
|
|
}
|
|
}
|
|
|
|
if (bulkWrites.length > 0) {
|
|
await AclEntry.bulkWrite(bulkWrites, sessionOptions);
|
|
}
|
|
|
|
const deleteQueries = [];
|
|
for (const principal of revokedPrincipals) {
|
|
try {
|
|
const query = {
|
|
principalType: principal.type,
|
|
resourceType,
|
|
resourceId,
|
|
};
|
|
|
|
if (principal.type !== 'public') {
|
|
query.principalId = principal.id;
|
|
}
|
|
|
|
deleteQueries.push(query);
|
|
|
|
results.revoked.push({
|
|
type: principal.type,
|
|
id: principal.id,
|
|
name: principal.name,
|
|
email: principal.email,
|
|
source: principal.source,
|
|
avatar: principal.avatar,
|
|
description: principal.description,
|
|
idOnTheSource: principal.idOnTheSource,
|
|
memberCount: principal.memberCount,
|
|
});
|
|
} catch (error) {
|
|
results.errors.push({
|
|
principal,
|
|
error: error.message,
|
|
});
|
|
}
|
|
}
|
|
|
|
if (deleteQueries.length > 0) {
|
|
await AclEntry.deleteMany(
|
|
{
|
|
$or: deleteQueries,
|
|
},
|
|
sessionOptions,
|
|
);
|
|
}
|
|
|
|
if (shouldEndSession && supportsTransactions) {
|
|
await localSession.commitTransaction();
|
|
}
|
|
|
|
return results;
|
|
} catch (error) {
|
|
if (shouldEndSession && supportsTransactions) {
|
|
await localSession.abortTransaction();
|
|
}
|
|
logger.error(`[PermissionService.bulkUpdateResourcePermissions] Error: ${error.message}`);
|
|
throw error;
|
|
} finally {
|
|
if (shouldEndSession && localSession) {
|
|
localSession.endSession();
|
|
}
|
|
}
|
|
};
|
|
|
|
module.exports = {
|
|
grantPermission,
|
|
checkPermission,
|
|
getEffectivePermissions,
|
|
findAccessibleResources,
|
|
findPubliclyAccessibleResources,
|
|
hasPublicPermission,
|
|
getAvailableRoles,
|
|
bulkUpdateResourcePermissions,
|
|
ensurePrincipalExists,
|
|
ensureGroupPrincipalExists,
|
|
syncUserEntraGroupMemberships,
|
|
};
|