chore(): initial commit

Author: dreamdevil00

.editorconfig

@@ -0,0 +1,8 @@
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true

.gitignore

@@ -59,3 +59,12 @@ typings/
 
 # next.js build output
 .next
+
+### VisualStudioCode ###
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+
+/dist

.prettierrc

@@ -0,0 +1,3 @@
+{
+  "singleQuote": true
+}

README.md

@@ -0,0 +1,101 @@
+# nest-authz
+
+基于 node-casbin 实现的 RBAC 权限控制模块。
+
+## 如何使用
+
+```typescript
+// app.module.ts
+@Module({
+  imports: [
+    AuthZModule.register({
+      model: 'model.conf',
+      policy: 'policy.csv'
+    })
+  ],
+  controllers: [AppController],
+  providers: [AppService]
+})
+export class AppModule {}
+```
+
+其中 `policy` 也可以为 adapter， 如:
+
+```typescript
+import { TypeOrmModule } from '@nestjs/typeorm';
+
+@Module({
+  imports: [
+    AuthZModule.register({
+      model: 'model.conf',
+      policy: TypeORMAdapter.newAdapter({
+        name: 'casbin',
+        type: 'mysql',
+        host: 'localhost',
+        port: 3306,
+        username: 'root',
+        password: 'password',
+        database: 'nestdb'
+      })
+    }),
+  ],
+  controllers: [AppController],
+  providers: [AppService]
+})
+```
+
+```typescript
+// app.controller.ts
+import { Controller, Get } from '@nestjs/common';
+import { AppService } from './app.service';
+import {
+  AuthZGuard,
+  AuthZService,
+  AuthAction,
+  AuthPossession,
+  UsePermissions
+} from 'nest-authz';
+
+@Controller()
+export class AppController {
+  constructor(
+    private readonly authzSrv: AuthZService, // 对 enforcer api 的封装
+    private readonly appService: AppService
+  ) {}
+
+  @Get()
+  getHello(): string {
+    return this.appService.getHello();
+  }
+
+  // 只有对用户有任意访问权限的用户才可以读取用户列表
+  @Get('users')
+  @UseGuards(AuthZGuard)
+  @UsePermissions({
+    action: AuthAction.READ,
+    resource: 'USER', // 此处为演示使用的 magic string， 其值建议使用变量获取
+    possession: AuthPossession.ANY
+  })
+  async findAllUsers() {
+    // your code
+  }
+
+  @Get(':id/roles')
+  @UseGuards(AuthZGuard)
+  @UsePermissions({
+    action: AuthAction.READ,
+    resource: 'USER_ROLES',
+    possession: AuthPossession.OWN_ANY, // 只有对此资源拥有所有权或者任意权限的用户才可以访问
+    isOwn: (req: any): boolean => {
+      // 用户可以添加自定义函数 isOwn， 判别用户是否拥有该资源的所有权
+      return Number(req.user.id) === Number(req.params.id);
+    }
+  })
+  async findUserRoles(@Param('id') id: string): Promise<string[]> {
+    return this.authzSrv.getRolesForUser(username);
+  }
+}
+```
+
+一般来说，认证后的用户数据保存于请求对象的 `user` 属性中。
+AuthGuard 使用从请求对象 `user` 属性中获取到的 `username` 属性判别用户权限。

index.ts

@@ -0,0 +1 @@
+export * from './src';

package.json

@@ -0,0 +1,59 @@
+{
+  "name": "authz",
+  "version": "0.0.0-placeholder",
+  "description": "基于 node-casbin 实现的 RBAC 权限控制模块。",
+  "main": "dist/index.js",
+  "directories": {
+    "test": "test"
+  },
+  "scripts": {
+    "build": "rimraf dist && tsc -p tsconfig.json",
+    "format": "prettier --write \"src/**/*.ts\"",
+    "lint": "tslint -p tsconfig.json -c tslint.json",
+    "test": "jest"
+  },
+  "keywords": [],
+  "author": "dreamdevil00",
+  "license": "MIT",
+  "dependencies": {
+    "casbin": "^2.0.1",
+    "reflect-metadata": "^0.1.12",
+    "rxjs": "^6.2.2"
+  },
+  "devDependencies": {
+    "@types/jest": "^24.0.8",
+    "jest": "^23.5.0",
+    "prettier": "^1.14.2",
+    "rimraf": "^2.6.3",
+    "ts-jest": "^23.1.3",
+    "ts-node": "^7.0.1",
+    "tslint": "5.11.0",
+    "typescript": "^2.9.2"
+  },
+  "peerDependencies": {
+    "@nestjs/common": "^5.4.0",
+    "@nestjs/core": "^5.4.0"
+  },
+  "files": [
+    "dist",
+    "LICENSE",
+    "README.md"
+  ],
+  "jest": {
+    "testURL": "http://localhost",
+    "transform": {
+      "^.+\\.(ts|tsx)$": "ts-jest"
+    },
+    "testMatch": [
+      "**/test/*.+(ts|tsx)"
+    ],
+    "moduleFileExtensions": [
+      "ts",
+      "tsx",
+      "js",
+      "jsx",
+      "json",
+      "node"
+    ]
+  }
+}

src/authz.constants.ts

@@ -0,0 +1,3 @@
+export const AUTHZ_MODULE_OPTIONS = 'AUTHZ_MODULE_OPTIONS';
+export const AUTHZ_ENFORCER = 'AUTHZ_ENFORCER';
+export const PERMISSIONS_METADATA = '__PERMISSIONS__';

src/authz.guard.ts

@@ -0,0 +1,70 @@
+import {
+  Injectable,
+  CanActivate,
+  ExecutionContext,
+  Inject
+} from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { Observable } from 'rxjs';
+import { AUTHZ_ENFORCER, PERMISSIONS_METADATA } from './authz.constants';
+import * as casbin from 'casbin';
+import { Permission } from './interfaces/permission.interface';
+import { UnauthorizedException } from '@nestjs/common';
+import { AuthPossession } from './types';
+
+@Injectable()
+export class AuthZGuard implements CanActivate {
+  constructor(
+    private readonly reflector: Reflector,
+    @Inject(AUTHZ_ENFORCER) public enforcer: casbin.Enforcer
+  ) {}
+
+  canActivate(
+    context: ExecutionContext
+  ): boolean | Promise<boolean> | Observable<boolean> {
+    const permissions: Permission[] = this.reflector.get<Permission[]>(
+      PERMISSIONS_METADATA,
+      context.getHandler()
+    );
+
+    if (!permissions) {
+      return true;
+    }
+
+    const request = context.switchToHttp().getRequest();
+    const user = request.user;
+    if (!user) {
+      throw new UnauthorizedException();
+    }
+
+    const { username: uname } = user;
+
+    const hasPermission = (
+      username: string,
+      permission: Permission
+    ): boolean => {
+      const { possession, resource, action } = permission;
+      const poss = [];
+
+      if (possession === AuthPossession.OWN_ANY) {
+        poss.push(AuthPossession.ANY, AuthPossession.OWN);
+      } else {
+        poss.push(possession);
+      }
+
+      return poss.some(p => {
+        if (p === AuthPossession.OWN) {
+          return (permission as any).isOwn(request);
+        } else {
+          return this.enforcer.enforce(username, resource, `${action}:${p}`);
+        }
+      });
+    };
+
+    const result = permissions.every(permission =>
+      hasPermission(uname, permission)
+    );
+
+    return result;
+  }
+}

src/authz.module.ts

@@ -0,0 +1,53 @@
+import { Module, DynamicModule, Global } from '@nestjs/common';
+import { AuthZModuleOptions } from './interfaces';
+
+import { AuthZGuard } from './authz.guard';
+
+import { AUTHZ_MODULE_OPTIONS, AUTHZ_ENFORCER } from './authz.constants';
+import * as casbin from 'casbin';
+import { AuthZService } from './authz.service';
+
+@Global()
+@Module({
+  providers: [],
+  exports: []
+})
+export class AuthZModule {
+  static register(options: AuthZModuleOptions): DynamicModule {
+    const moduleOptionsProvider = {
+      provide: AUTHZ_MODULE_OPTIONS,
+      useValue: options || {}
+    };
+    const enforcerProvider = {
+      provide: AUTHZ_ENFORCER,
+      useFactory: async () => {
+        const isFile = typeof options.policy === 'string';
+
+        let policyOption;
+
+        if (isFile) {
+          policyOption = options.policy as string;
+        } else {
+          policyOption = await options.policy;
+        }
+
+        return await casbin.newEnforcer(options.model, policyOption);
+      }
+    };
+    return {
+      module: AuthZModule,
+      providers: [
+        moduleOptionsProvider,
+        enforcerProvider,
+        AuthZGuard,
+        AuthZService
+      ],
+      exports: [
+        moduleOptionsProvider,
+        enforcerProvider,
+        AuthZGuard,
+        AuthZService
+      ]
+    };
+  }
+}