WIP Roles and permissions access control.

server/src/database/factories/index.js

@@ -7,7 +7,6 @@ const factory = knexFactory(knex);
 
 factory.define('user', 'users', async () => {
   const hashedPassword = await hashPassword('admin');
-
   return {
     first_name: faker.name.firstName(),
     last_name: faker.name.lastName(),
@@ -32,7 +31,6 @@ factory.define('account_type', 'account_types', async () => ({
 
 factory.define('account', 'accounts', async () => {
   const accountType = await factory.create('account_type');
-
   return {
     name: faker.lorem.word(),
     account_type_id: accountType.id,
@@ -59,7 +57,6 @@ factory.define('item_metadata', 'items_metadata', async () => {
 factory.define('item', 'items', async () => {
   const category = await factory.create('item_category');
   const account = await factory.create('account');
-
   return {
     name: faker.lorem.word(),
     note: faker.lorem.paragraph(),
@@ -73,7 +70,6 @@ factory.define('item', 'items', async () => {
 
 factory.define('setting', 'settings', async () => {
   const user = await factory.create('user');
-
   return {
     key: faker.lorem.slug(),
     user_id: user.id,
@@ -83,4 +79,45 @@ factory.define('setting', 'settings', async () => {
   };
 });
 
+factory.define('role', 'roles', async () => ({
+  name: faker.lorem.word(),
+  description: faker.lorem.words(),
+  predefined: false,
+}));
+
+factory.define('user_has_role', 'user_has_roles', async () => {
+  const user = await factory.create('user');
+  const role = await factory.create('role');
+
+  return {
+    user_id: user.id,
+    role_id: role.id,
+  };
+});
+
+factory.define('permission', 'permissions', async () => {
+  const permissions = ['create', 'edit', 'delete', 'view', 'owner'];
+  const randomPermission = permissions[Math.floor(Math.random() * permissions.length)];
+
+  return {
+    name: randomPermission,
+  };
+});
+
+factory.define('role_has_permission', 'role_has_permissions', async () => {
+  const permission = await factory.create('permission');
+  const role = await factory.create('role');
+  const resource = await factory.create('resource');
+
+  return {
+    role_id: role.id,
+    permission_id: permission.id,
+    resource_id: resource.id,
+  };
+});
+
+factory.define('resource', 'resources', () => ({
+  name: faker.lorem.word(),
+}));
+
 export default factory;

server/src/database/migrations/20190423085238_create_permissions_table.js

@@ -0,0 +1,11 @@
+
+exports.up = function (knex) {
+  return knex.schema.createTable('permissions', (table) => {
+    table.increments();
+    table.string('name');
+  });
+};
+
+exports.down = function (knex) {
+  return knex.schema.dropTable('permissions');
+};

server/src/database/migrations/20190423085240_create_resources_table.js

@@ -0,0 +1,11 @@
+
+exports.up = function (knex) {
+  return knex.schema.createTable('resources', (table) => {
+    table.increments();
+    table.string('name');
+  });
+};
+
+exports.down = function (knex) {
+  return knex.schema.dropTable('resources');
+};

server/src/database/migrations/20190822214242_create_users_table.js

@@ -1,5 +1,5 @@
 
-exports.up = function(knex) {
+exports.up = function (knex) {
   return knex.schema.createTable('users', (table) => {
     table.increments();
     table.string('first_name');
@@ -15,6 +15,6 @@ exports.up = function(knex) {
   });
 };
 
-exports.down = function(knex) {
+exports.down = function (knex) {
   return knex.schema.dropTableIfExists('users');
 };

server/src/database/migrations/20190822214244_create_user_has_roles_table.js

@@ -0,0 +1,12 @@
+
+exports.up = function (knex) {
+  return knex.schema.createTable('user_has_roles', (table) => {
+    table.increments();
+    table.integer('user_id').unsigned().references('id').inTable('users');
+    table.integer('role_id').unsigned().references('id').inTable('roles');
+  });
+};
+
+exports.down = function (knex) {
+  return knex.schema.dropTableIfExists('user_has_roles');
+};

server/src/database/migrations/20190822214247_create_oauth_tokens_table.js

@@ -1,6 +1,6 @@
 
 exports.up = function(knex) {
-  return knex.schema.createTable('oauth_tokens', table => {
+  return knex.schema.createTable('oauth_tokens', (table) => {
     table.increments();
     table.string('access_token');
     table.date('access_token_expires_on');

server/src/database/migrations/20190822214905_create_role_has_accounts.js

@@ -0,0 +1,10 @@
+
+exports.up = function (knex) {
+  return knex.schema.createTable('role_has_accounts', (table) => {
+    table.increments();
+    table.integer('role_id').unsigned().references('id').inTable('roles');
+    table.integer('account_id').unsigned().references('id').inTable('accounts');
+  });
+};
+
+exports.down = (knex) => knex.schema.dropTableIfExists('role_has_accounts');

server/src/database/migrations/20190822214905_create_role_has_permissions.js

@@ -0,0 +1,11 @@
+
+exports.up = function (knex) {
+  return knex.schema.createTable('role_has_permissions', (table) => {
+    table.increments();
+    table.integer('role_id').unsigned().references('id').inTable('roles');
+    table.integer('permission_id').unsigned().references('id').inTable('permissions');
+    table.integer('resource_id').unsigned().references('id').inTable('resources');
+  });
+};
+
+exports.down = (knex) => knex.schema.dropTableIfExists('role_has_permissions');

server/src/http/controllers/Roles.js

@@ -0,0 +1,351 @@
+/* eslint-disable no-unused-vars */
+import express from 'express';
+import { check, validationResult } from 'express-validator';
+import { difference } from 'lodash';
+import asyncMiddleware from '@/http/middleware/asyncMiddleware';
+import Role from '@/models/Role';
+import Permission from '@/models/Permission';
+import Resource from '@/models/Resource';
+import knex from '@/database/knex';
+
+const AccessControllSchema = [
+  {
+    resource: 'items',
+    label: 'products_services',
+    permissions: ['create', 'edit', 'delete', 'view'],
+    fullAccess: true,
+    ownControl: true,
+  },
+];
+
+// eslint-disable-next-line arrow-body-style
+const getResourceSchema = (resource) => AccessControllSchema.find((schema) => {
+  return schema.resource === resource;
+});
+
+const getResourcePermissions = (resource) => {
+  const foundResource = getResourceSchema(resource);
+  return foundResource ? foundResource.permissions : [];
+};
+
+export default {
+
+  findNotFoundResources(resourcesSlugs) {
+    const schemaResourcesSlugs = AccessControllSchema.map((s) => s.resource);
+    return difference(resourcesSlugs, schemaResourcesSlugs);
+  },
+
+  findNotFoundPermissions(permissions, resourceSlug) {
+    const schemaPermissions = getResourcePermissions(resourceSlug);
+    return difference(permissions, schemaPermissions);
+  },
+
+  /**
+   * Router constructor method.
+   */
+  router() {
+    const router = express.Router();
+
+    router.post('/:id',
+      this.editRole.validation,
+      asyncMiddleware(this.editRole.handler.bind(this)));
+
+    // router.post('/',
+    //   this.newRole.validation,
+    //   asyncMiddleware(this.newRole.handler));
+
+    router.delete('/:id',
+      this.deleteRole.validation,
+      asyncMiddleware(this.deleteRole.handler));
+
+    return router;
+  },
+
+  /**
+   * Creates a new role.
+   */
+  newRole: {
+    validation: [
+      check('name').exists().trim().escape(),
+      check('description').optional().trim().escape(),
+      check('permissions').isArray({ min: 0 }),
+      check('permissions.*.resource_slug').exists().whitelist('^[a-z0-9]+(?:-[a-z0-9]+)*$'),
+      check('permissions.*.permissions').isArray({ min: 1 }),
+    ],
+    async handler(req, res) {
+      const validationErrors = validationResult(req);
+
+      if (!validationErrors.isEmpty()) {
+        return res.boom.badData(null, {
+          code: 'validation_error', ...validationErrors,
+        });
+      }
+
+      const { name, description, permissions } = req.body;
+
+      const resourcesSlugs = permissions.map((perm) => perm.resource_slug);
+      const permissionsSlugs = [];
+
+      const resourcesNotFound = this.findNotFoundResources(resourcesSlugs);
+      const errorReasons = [];
+      const notFoundPermissions = [];
+
+      if (resourcesNotFound.length > 0) {
+        errorReasons.push({
+          type: 'RESOURCE_SLUG_NOT_FOUND',
+          code: 100,
+          resources: resourcesNotFound,
+        });
+      }
+      permissions.forEach((perm) => {
+        const abilities = perm.permissions.map((ability) => ability);
+
+        // Gets the not found permissions in the schema.
+        const notFoundAbilities = this.findNotFoundPermissions(abilities, perm.resource_slug);
+
+        if (notFoundAbilities.length > 0) {
+          notFoundPermissions.push({
+            resource_slug: perm.resource_slug, permissions: notFoundAbilities,
+          });
+        } else {
+          const perms = perm.permissions || [];
+          perms.forEach((permission) => {
+            if (perms.indexOf(permission) !== -1) {
+              permissionsSlugs.push(permission);
+            }
+          });
+        }
+      });
+      if (notFoundPermissions.length > 0) {
+        errorReasons.push({
+          type: 'PERMISSIONS_SLUG_NOT_FOUND',
+          code: 200,
+          permissions: notFoundPermissions,
+        });
+      }
+      if (errorReasons.length > 0) {
+        return res.boom.badRequest(null, { errors: errorReasons });
+      }
+      // Permissions.
+      const [resourcesCollection, permsCollection] = await Promise.all([
+        Resource.query((query) => { query.whereIn('name', resourcesSlugs); }).fetchAll(),
+        Permission.query((query) => { query.whereIn('name', permissionsSlugs); }).fetchAll(),
+      ]);
+
+      const notStoredResources = difference(
+        resourcesSlugs, resourcesCollection.map((s) => s.name),
+      );
+      const notStoredPermissions = difference(
+        permissionsSlugs, permsCollection.map((perm) => perm.slug),
+      );
+
+      const insertThread = [];
+
+      if (notStoredResources.length > 0) {
+        insertThread.push(knex('resources').insert([
+          ...notStoredResources.map((resource) => ({ name: resource })),
+        ]));
+      }
+      if (notStoredPermissions.length > 0) {
+        insertThread.push(knex('permissions').insert([
+          ...notStoredPermissions.map((permission) => ({ name: permission })),
+        ]));
+      }
+
+      await Promise.all(insertThread);
+
+      const [storedPermissions, storedResources] = await Promise.all([
+        Permission.query((q) => { q.whereIn('name', permissionsSlugs); }).fetchAll(),
+        Resource.query((q) => { q.whereIn('name', resourcesSlugs); }).fetchAll(),
+      ]);
+
+      const storedResourcesSet = new Map(storedResources.map((resource) => [
+        resource.attributes.name, resource.attributes.id,
+      ]));
+      const storedPermissionsSet = new Map(storedPermissions.map((perm) => [
+        perm.attributes.name, perm.attributes.id,
+      ]));
+      const role = Role.forge({ name, description });
+
+      await role.save();
+
+      const roleHasPerms = permissions.map((resource) => resource.permissions.map((perm) => ({
+        role_id: role.id,
+        resource_id: storedResourcesSet.get(resource.resource_slug),
+        permission_id: storedPermissionsSet.get(perm),
+      })));
+
+      if (roleHasPerms.length > 0) {
+        await knex('role_has_permissions').insert(roleHasPerms[0]);
+      }
+      return res.status(200).send({ id: role.get('id') });
+    },
+  },
+
+  /**
+   * Edit the give role.
+   */
+  editRole: {
+    validation: [
+      check('name').exists().trim().escape(),
+      check('description').optional().trim().escape(),
+      check('permissions').isArray({ min: 0 }),
+      check('permissions.*.resource_slug').exists().whitelist('^[a-z0-9]+(?:-[a-z0-9]+)*$'),
+      check('permissions.*.permissions').isArray({ min: 1 }),
+    ],
+    async handler(req, res) {
+      const validationErrors = validationResult(req);
+
+      if (!validationErrors.isEmpty()) {
+        return res.boom.badData(null, {
+          code: 'validation_error', ...validationErrors,
+        });
+      }
+
+      const { id } = req.params;
+      const role = await Role.where('id', id).fetch();
+
+      if (!role) {
+        return res.boom.notFound(null, {
+          errors: [{ type: 'ROLE_NOT_FOUND', code: 100 }],
+        });
+      }
+
+      const { permissions } = req.body;
+      const errorReasons = [];
+      const permissionsSlugs = [];
+      const notFoundPermissions = [];
+
+      const resourcesSlugs = permissions.map((perm) => perm.resource_slug);
+      const resourcesNotFound = this.findNotFoundResources(resourcesSlugs);
+
+      if (resourcesNotFound.length > 0) {
+        errorReasons.push({
+          type: 'RESOURCE_SLUG_NOT_FOUND',
+          code: 100,
+          resources: resourcesNotFound,
+        });
+      }
+
+      permissions.forEach((perm) => {
+        const abilities = perm.permissions.map((ability) => ability);
+        // Gets the not found permissions in the schema.
+        const notFoundAbilities = this.findNotFoundPermissions(abilities, perm.resource_slug);
+
+        if (notFoundAbilities.length > 0) {
+          notFoundPermissions.push({
+            resource_slug: perm.resource_slug, permissions: notFoundAbilities,
+          });
+        } else {
+          const perms = perm.permissions || [];
+          perms.forEach((permission) => {
+            if (perms.indexOf(permission) !== -1) {
+              permissionsSlugs.push(permission);
+            }
+          });
+        }
+      });
+
+      if (notFoundPermissions.length > 0) {
+        errorReasons.push({
+          type: 'PERMISSIONS_SLUG_NOT_FOUND',
+          code: 200,
+          permissions: notFoundPermissions,
+        });
+      }
+      if (errorReasons.length > 0) {
+        return res.boom.badRequest(null, { errors: errorReasons });
+      }
+
+      // Permissions.
+      const [resourcesCollection, permsCollection] = await Promise.all([
+        Resource.query((query) => { query.whereIn('name', resourcesSlugs); }).fetchAll(),
+        Permission.query((query) => { query.whereIn('name', permissionsSlugs); }).fetchAll(),
+      ]);
+
+      const notStoredResources = difference(
+        resourcesSlugs, resourcesCollection.map((s) => s.name),
+      );
+      const notStoredPermissions = difference(
+        permissionsSlugs, permsCollection.map((perm) => perm.slug),
+      );
+      const insertThread = [];
+
+      if (notStoredResources.length > 0) {
+        insertThread.push(knex('resources').insert([
+          ...notStoredResources.map((resource) => ({ name: resource })),
+        ]));
+      }
+      if (notStoredPermissions.length > 0) {
+        insertThread.push(knex('permissions').insert([
+          ...notStoredPermissions.map((permission) => ({ name: permission })),
+        ]));
+      }
+
+      await Promise.all(insertThread);
+
+      const [storedPermissions, storedResources] = await Promise.all([
+        Permission.query((q) => { q.whereIn('name', permissionsSlugs); }).fetchAll(),
+        Resource.query((q) => { q.whereIn('name', resourcesSlugs); }).fetchAll(),
+      ]);
+
+      const storedResourcesSet = new Map(storedResources.map((resource) => [
+        resource.attributes.name, resource.attributes.id,
+      ]));
+      const storedPermissionsSet = new Map(storedPermissions.map((perm) => [
+        perm.attributes.name, perm.attributes.id,
+      ]));
+
+      await role.save();
+
+
+      const savedRoleHasPerms = await knex('role_has_permissions').where({
+        role_id: role.id,
+      });
+
+      console.log(savedRoleHasPerms);
+
+      // const roleHasPerms = permissions.map((resource) => resource.permissions.map((perm) => ({
+      //   role_id: role.id,
+      //   resource_id: storedResourcesSet.get(resource.resource_slug),
+      //   permission_id: storedPermissionsSet.get(perm),
+      // })));
+
+      // if (roleHasPerms.length > 0) {
+      //   await knex('role_has_permissions').insert(roleHasPerms[0]);
+      // }
+      return res.status(200).send({ id: role.get('id') });
+    },
+  },
+
+  deleteRole: {
+    validation: [],
+    async handler(req, res) {
+      const { id } = req.params;
+      const role = await Role.where('id', id).fetch();
+
+      if (!role) {
+        return res.boom.notFound();
+      }
+      if (role.attributes.predefined) {
+        return res.boom.badRequest(null, {
+          errors: [{ type: 'ROLE_PREDEFINED', code: 100 }],
+        });
+      }
+
+      await knex('role_has_permissions')
+        .where('role_id', role.id).delete({ require: false });
+
+      await role.destroy();
+
+      return res.status(200).send();
+    },
+  },
+
+  getRole: {
+    validation: [],
+    handler(req, res) {
+      return res.status(200).send();
+    },
+  },
+};

server/src/http/index.js

@@ -1,6 +1,7 @@
 // import OAuth2 from '@/http/controllers/OAuth2';
 import Authentication from '@/http/controllers/Authentication';
 import Users from '@/http/controllers/Users';
+import Roles from '@/http/controllers/Roles';
 import Items from '@/http/controllers/Items';
 import ItemCategories from '@/http/controllers/ItemCategories';
 import Accounts from '@/http/controllers/Accounts';
@@ -10,6 +11,7 @@ export default (app) => {
   // app.use('/api/oauth2', OAuth2.router());
   app.use('/api/auth', Authentication.router());
   app.use('/api/users', Users.router());
+  app.use('/api/roles', Roles.router());
   app.use('/api/accounts', Accounts.router());
   app.use('/api/accountOpeningBalance', AccountOpeningBalance.router());
   app.use('/api/items', Items.router());

server/src/http/middleware/authorization.js

@@ -0,0 +1,4 @@
+
+const authorization = (req, res, next) => {
+  const { user } = req;
+};

server/src/models/Account.js

@@ -20,7 +20,7 @@ const Account = bookshelf.Model.extend({
 
   balances() {
     return this.hasMany('AccountBalance', 'accounnt_id');
-  }
+  },
 });
 
 export default bookshelf.model('Account', Account);

server/src/models/AccountBalance.js

@@ -12,9 +12,7 @@ const AccountBalance = bookshelf.Model.extend({
    */
   hasTimestamps: false,
 
-  /**
-   * 
-   */
+
   account() {
     return this.belongsTo('Account', 'account_id');
   },

server/src/models/Permission.js

@@ -0,0 +1,25 @@
+import bookshelf from './bookshelf';
+
+const Permission = bookshelf.Model.extend({
+
+  /**
+   * Table name of Role model.
+   * @type {String}
+   */
+  tableName: 'permissions',
+
+  /**
+   * Timestamp columns.
+   */
+  hasTimestamps: false,
+
+  role() {
+    return this.belongsTo('Role', 'role_id');
+  },
+
+  resource() {
+    return this.belongsTo('Resource', 'resource_id');
+  },
+});
+
+export default bookshelf.model('Permission', Permission);

server/src/models/Resource.js

@@ -0,0 +1,21 @@
+import bookshelf from './bookshelf';
+
+const Resource = bookshelf.Model.extend({
+  /**
+   * Table name.
+   */
+  tableName: 'resources',
+
+  /**
+   * Timestamp columns.
+   */
+  hasTimestamps: false,
+
+  permissions() {
+  },
+
+  roles() {
+  },
+});
+
+export default bookshelf.model('Resource', Resource);

server/src/models/Role.js

@@ -20,11 +20,18 @@ const Role = bookshelf.Model.extend({
     return this.belongsToMany('Permission', 'role_has_permissions', 'role_id', 'permission_id');
   },
 
+  /**
+   * Role may has many resources.
+   */
+  resources() {
+    return this.belongsToMany('Resource', 'role_has_permissions', 'role_id', 'resource_id');
+  },
+
   /**
    * Role model may has many users.
    */
   users() {
-    return this.belongsTo('User');
+    return this.belongsToMany('User', 'user_has_roles');
   },
 });
 

server/src/models/User.js

@@ -21,6 +21,13 @@ const User = bookshelf.Model.extend({
   verifyPassword(password) {
     return bcrypt.compareSync(password, this.get('password'));
   },
+
+  /**
+   * User model may has many associated roles.
+   */
+  roles() {
+    return this.belongsToMany('Role', 'user_has_roles', 'user_id', 'role_id');
+  },
 });
 
 export default bookshelf.model('User', User);