feat: wip - adding rbac

crazyoptimist · May 31, 2024 · d7a55f9 · d7a55f9
1 parent 978f5db
commit d7a55f9
Show file tree

Hide file tree

Showing 10 changed files with 176 additions and 4 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -23,6 +23,7 @@
     "prepare": "husky install"
   },
   "dependencies": {
+    "@casl/ability": "^6.7.1",
     "@nestjs/common": "^10.3.8",
     "@nestjs/config": "^3.2.2",
     "@nestjs/core": "^10.3.8",

diff --git a/src/modules/infrastructure/casl/action.enum.ts b/src/modules/infrastructure/casl/action.enum.ts
@@ -0,0 +1,7 @@
+export enum Action {
+  Manage = 'manage',
+  Create = 'create',
+  Read = 'read',
+  Update = 'update',
+  Delete = 'delete',
+}
diff --git a/src/modules/infrastructure/casl/casl-ability.factory.ts b/src/modules/infrastructure/casl/casl-ability.factory.ts
@@ -0,0 +1,30 @@
+import {
+  AbilityBuilder,
+  ExtractSubjectType,
+  InferSubjects,
+  PureAbility,
+  AbilityClass,
+} from '@casl/ability';
+import { Injectable } from '@nestjs/common';
+import { Action } from './action.enum';
+import { User } from '@app/modules/user/user.entity';
+
+type Subjects = InferSubjects<typeof User | User> | 'all';
+
+export type AppAbility = PureAbility<[Action, Subjects]>;
+
+@Injectable()
+export class CaslAbilityFactory {
+  createForUser(user: User) {
+    const { can, cannot, build } = new AbilityBuilder<AppAbility>(
+      PureAbility as AbilityClass<AppAbility>,
+    );
+
+    // TODO: Build abilities
+
+    return build({
+      detectSubjectType: (subject) =>
+        subject.constructor as ExtractSubjectType<Subjects>,
+    });
+  }
+}
diff --git a/src/modules/infrastructure/casl/casl.module.ts b/src/modules/infrastructure/casl/casl.module.ts
@@ -0,0 +1,9 @@
+import { Global, Module } from '@nestjs/common';
+import { CaslAbilityFactory } from './casl-ability.factory';
+
+@Global()
+@Module({
+  providers: [CaslAbilityFactory],
+  exports: [CaslAbilityFactory],
+})
+export class CaslModule {}
diff --git a/src/modules/infrastructure/casl/check-policies.decorator.ts b/src/modules/infrastructure/casl/check-policies.decorator.ts
@@ -0,0 +1,6 @@
+import { SetMetadata } from '@nestjs/common';
+import { PolicyHandler } from './policies.guard';
+
+export const CHECK_POLICIES_KEY = 'check_policy';
+export const CheckPolicies = (...handlers: PolicyHandler[]) =>
+  SetMetadata(CHECK_POLICIES_KEY, handlers);
diff --git a/src/modules/infrastructure/casl/policies.guard.ts b/src/modules/infrastructure/casl/policies.guard.ts
@@ -0,0 +1,42 @@
+import { CanActivate, ExecutionContext, Injectable } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { AppAbility, CaslAbilityFactory } from './casl-ability.factory';
+import { CHECK_POLICIES_KEY } from './check-policies.decorator';
+
+interface IPolicyHandler {
+  handle(ability: AppAbility): boolean;
+}
+
+type PolicyHandlerCallback = (ability: AppAbility) => boolean;
+
+export type PolicyHandler = IPolicyHandler | PolicyHandlerCallback;
+
+@Injectable()
+export class PoliciesGuard implements CanActivate {
+  constructor(
+    private reflector: Reflector,
+    private caslAbilityFactory: CaslAbilityFactory,
+  ) {}
+
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    const policyHandlers =
+      this.reflector.get<PolicyHandler[]>(
+        CHECK_POLICIES_KEY,
+        context.getHandler(),
+      ) || [];
+
+    const { user } = context.switchToHttp().getRequest();
+    const ability = this.caslAbilityFactory.createForUser(user);
+
+    return policyHandlers.every((handler) =>
+      this.execPolicyHandler(handler, ability),
+    );
+  }
+
+  private execPolicyHandler(handler: PolicyHandler, ability: AppAbility) {
+    if (typeof handler === 'function') {
+      return handler(ability);
+    }
+    return handler.handle(ability);
+  }
+}
diff --git a/src/modules/user/role.entity.ts b/src/modules/user/role.entity.ts
@@ -0,0 +1,18 @@
+import { Column, Entity, PrimaryGeneratedColumn } from 'typeorm';
+
+@Entity({
+  name: 'roles',
+})
+export class Role {
+  @PrimaryGeneratedColumn()
+  id: number;
+
+  @Column({ length: 50 })
+  name: string;
+}
+
+// We treat roles as schema
+export enum RoleEnum {
+  Admin = 'admin',
+  User = 'user',
+}
diff --git a/src/modules/user/user.entity.ts b/src/modules/user/user.entity.ts
@@ -4,15 +4,21 @@ import {
   PrimaryGeneratedColumn,
   CreateDateColumn,
   UpdateDateColumn,
+  ManyToMany,
+  JoinTable,
 } from 'typeorm';
 import { Exclude } from 'class-transformer';
 
 import { PasswordTransformer } from '../common/transformer/password.transformer';
+import { Role } from './role.entity';
 
 @Entity({
   name: 'users',
 })
 export class User {
+  @PrimaryGeneratedColumn()
+  id: number;
+
   @CreateDateColumn()
   @Exclude()
   created_at: Date;
@@ -21,9 +27,6 @@ export class User {
   @Exclude()
   updated_at: Date;
 
-  @PrimaryGeneratedColumn()
-  id: number;
-
   @Column({ name: 'first_name', length: 255 })
   firstName: string;
 
@@ -40,4 +43,16 @@ export class User {
   })
   @Exclude()
   password: string;
+
+  @ManyToMany(() => Role, { eager: true })
+  @JoinTable({
+    name: 'users_roles',
+    joinColumn: {
+      name: 'user_id',
+    },
+    inverseJoinColumn: {
+      name: 'role_id',
+    },
+  })
+  roles: Role[];
 }
diff --git a/src/modules/user/user.module.ts b/src/modules/user/user.module.ts
@@ -3,9 +3,10 @@ import { TypeOrmModule } from '@nestjs/typeorm';
 import { User } from './user.entity';
 import { UserController } from './user.controller';
 import { UserService } from './user.service';
+import { Role } from './role.entity';
 
 @Module({
-  imports: [TypeOrmModule.forFeature([User])],
+  imports: [TypeOrmModule.forFeature([User, Role])],
   controllers: [UserController],
   providers: [UserService],
   exports: [UserService],