fix(authorization): inherited permissions with wildcard

ConduitPlatform · May 16, 2024 · 46f801d · 46f801d
1 parent 9bd9ba9
commit 46f801d
Showing 1 changed file with 37 additions and 40 deletions.
diff --git a/modules/authorization/src/utils/index.ts b/modules/authorization/src/utils/index.ts
@@ -40,15 +40,16 @@ export const constructObjectIndex = (
  object: string,
  inheritanceTree: string[],
 ): Partial<ObjectIndex> => {
+ const wildcard = role === '*' || object === '*';
  return {
  subject: `${subject}#${permission}`,
  subjectId: subject.split(':')[1],
- subjectType: `${subject}#${permission}`.split(':')[0],
- subjectPermission: `${object}#${permission}`.split('#')[1],
- entity: role === '*' ? '*' : `${object}#${role}`,
- entityId: role === '*' ? '*' : object.split(':')[1],
- entityType: role === '*' ? '*' : `${object}#${role}`.split(':')[0],
- relation: role === '*' ? '*' : `${object}#${role}`.split('#')[1],
+ subjectType: subject.split(':')[0],
+ subjectPermission: permission,
+ entity: wildcard ? '*' : `${object}#${role}`,
+ entityId: wildcard ? '*' : object.split(':')[1],
+ entityType: wildcard ? '*' : object.split(':')[0],
+ relation: wildcard ? '*' : role,
  inheritanceTree: inheritanceTree,
  };
 };
@@ -61,27 +62,22 @@ export function getPostgresAccessListQuery(
  action: string,
 ) {
  return `
- SELECT s.* FROM "${objectTypeCollection}" as s 
- INNER JOIN (
- (
- SELECT obj.entity
- FROM (
- SELECT * FROM "cnd_ActorIndex" 
- WHERE subject = '${subject}'
- ) as actors
- INNER JOIN (
- SELECT * FROM "cnd_ObjectIndex"
- WHERE "subjectType" = '${objectType}' AND "subjectPermission" = '${action}'
- ) as obj 
- ON actors.entity = obj.entity OR obj.entity = '*'
- )
- UNION (
- SELECT "computedTuple" 
- FROM "cnd_Permission" 
- WHERE "computedTuple" LIKE '${computedTuple}%'
- )
- ) idx
- ON idx.entity LIKE '%' || TEXT(s._id) || '%'
+ SELECT s.*
+ FROM "${objectTypeCollection}" as s
+ INNER JOIN ((SELECT obj.entity
+ FROM (SELECT *
+ FROM "cnd_ActorIndex"
+ WHERE subject = '${subject}') as actors
+ INNER JOIN (SELECT *
+ FROM "cnd_ObjectIndex"
+ WHERE "subjectType" = '${objectType}'
+ AND "subjectPermission" = '${action}') as obj
+ ON actors.entity = obj.entity OR obj.entity = '*')
+ UNION
+ (SELECT "computedTuple"
+ FROM "cnd_Permission"
+ WHERE "computedTuple" LIKE '${computedTuple}%')) idx
+ ON idx.entity LIKE '%' || TEXT(s._id) || '%'
  `;
 }
 
@@ -92,17 +88,18 @@ export function getSQLAccessListQuery(
  objectType: string,
  action: string,
 ) {
- return `SELECT ${objectTypeCollection}.* FROM ${objectTypeCollection}
- INNER JOIN (
- SELECT * FROM cnd_Permission
- WHERE computedTuple LIKE '${computedTuple}%'
- ) permissions ON permissions.computedTuple = '${computedTuple}:' || ${objectTypeCollection}._id
- INNER JOIN (
- SELECT * FROM cnd_ActorIndex
- WHERE subject = '${subject}'
- ) actors ON 1=1
- INNER JOIN (
- SELECT * FROM cnd_ObjectIndex
- WHERE "subjectType" = '${objectType}' AND "subjectPermission" = '${action}'
- ) objects ON actors.entity = obj.entity OR obj.entity = '*';`;
+ return `SELECT ${objectTypeCollection}.*
+ FROM ${objectTypeCollection}
+ INNER JOIN (SELECT *
+ FROM cnd_Permission
+ WHERE computedTuple LIKE '${computedTuple}%') permissions
+ ON permissions.computedTuple = '${computedTuple}:' || ${objectTypeCollection}._id
+ INNER JOIN (SELECT *
+ FROM cnd_ActorIndex
+ WHERE subject = '${subject}') actors ON 1 = 1
+ INNER JOIN (SELECT *
+ FROM cnd_ObjectIndex
+ WHERE "subjectType" = '${objectType}'
+ AND "subjectPermission" = '${action}') objects
+ ON actors.entity = obj.entity OR obj.entity = '*';`;
 }