feat: update dependencies and implement access control for agents management

Author: tacxou

apps/api/package.json

@@ -59,6 +59,7 @@
     "microdiff": "^1.5.0",
     "mjml": "^4.15.3",
     "mongoose": "^8.9.5",
+    "nest-access-control": "^3.2.0",
     "nest-commander": "^3.13.0",
     "nest-winston": "^1.10.0",
     "nestjs-request-context": "^3.0.0",

apps/api/src/_common/decorators/use-roles.decorator.ts

@@ -0,0 +1,16 @@
+import { applyDecorators, SetMetadata } from '@nestjs/common'
+import { UseRoles as AccessControlUseRoles } from 'nest-access-control'
+
+export const META_AC_RULE = 'ac:rule'
+
+export type AcRule = {
+  resource: string
+  action: string
+  possession?: string
+}
+
+export const UseRoles = (rule: AcRule) =>
+  applyDecorators(
+    AccessControlUseRoles(rule as any),
+    SetMetadata(META_AC_RULE, rule),
+  )

apps/api/src/_common/guards/ac.guard.ts

@@ -0,0 +1,58 @@
+import { CanActivate, ExecutionContext, Inject, Injectable, Type } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { ACGuard as AcGuardInternal, RolesBuilder } from 'nest-access-control';
+import { META_UNPROTECTED } from '~/_common/decorators/public.decorator';
+
+export function AcGuard(): Type<CanActivate> {
+  @Injectable()
+  class CustomAcGuard<User extends any = any> extends AcGuardInternal<User> implements CanActivate {
+    @Inject(Reflector)
+    public readonly __reflector!: Reflector;
+
+    public constructor(reflector: Reflector, roleBuilder: RolesBuilder) {
+      super(reflector, roleBuilder);
+    }
+
+    protected isUnProtected(context: ExecutionContext): boolean {
+      return this.__reflector.getAllAndOverride<boolean>(META_UNPROTECTED, [
+        context.getClass(),
+        context.getHandler(),
+      ]);
+    }
+
+    public async canActivate(context: ExecutionContext): Promise<boolean> {
+      const roleOrRoles = await this.getUserRoles(context)
+      const roles = Array.isArray(roleOrRoles) ? roleOrRoles : [roleOrRoles]
+      console.log('canActivate', roles)
+      if (roles.includes('admin')) {
+        return true;
+      }
+
+      return this.isUnProtected(context) || super.canActivate(context);
+    }
+
+    public async getUser(context: ExecutionContext): Promise<User> {
+      console.log('isUnProtected', this.isUnProtected(context))
+      if (this.isUnProtected(context)) {
+        return {} as User;
+      }
+
+      console.log('getUser', await super.getUser(context))
+      return await super.getUser(context);
+    }
+
+    public async getUserRoles(context: ExecutionContext): Promise<string | string[]> {
+      const roles = await super.getUserRoles(context);
+
+      console.log('getUserRoles', roles)
+
+      if (!roles || roles.length === 0) {
+        return ['guest'];
+      }
+
+      return roles;
+    }
+  }
+
+  return CustomAcGuard;
+}

apps/api/src/_common/types/ac-types.ts

@@ -0,0 +1,16 @@
+export const AC_ADMIN_ROLE = 'admin'
+export const AC_GUEST_ROLE = 'guest'
+
+export enum AC_ACTIONS {
+  CREATE = 'create',
+  READ = 'read',
+  UPDATE = 'update',
+  DELETE = 'delete',
+}
+
+export enum AC_POSSESSIONS {
+  OWN = 'own',
+  ANY = 'any',
+}
+
+export const AC_DEFAULT_POSSESSION = AC_POSSESSIONS.ANY

apps/api/src/app.module.ts

@@ -28,6 +28,9 @@ import { HttpModule } from '@nestjs/axios';
 import { ExtensionsModule } from './extensions/extensions.module';
 import { SentryModule, SentryGlobalFilter } from '@sentry/nestjs/setup';
 import { isConsoleEntrypoint } from './_common/functions/is-cli';
+import { AccessControlModule, ACGuard, RolesBuilder } from 'nest-access-control';
+import { RolesService } from './core/roles/roles.service';
+import { AcGuard } from './_common/guards/ac.guard';
 
 @Module({
   imports: [
@@ -120,6 +123,13 @@ import { isConsoleEntrypoint } from './_common/functions/is-cli';
         blockingConnection: true,
       }),
     }),
+    AccessControlModule.forRootAsync({
+      imports: [CoreModule],
+      inject: [RolesService],
+      useFactory: async (service: RolesService): Promise<RolesBuilder> => {
+        return await service.getRolesBuilder()
+      },
+    }),
     FactorydriveModule.forRootAsync({
       imports: [ConfigModule],
       inject: [ConfigService],
@@ -150,6 +160,10 @@ import { isConsoleEntrypoint } from './_common/functions/is-cli';
       provide: APP_GUARD,
       useClass: AuthGuard('jwt'),
     },
+    {
+      provide: APP_GUARD,
+      useClass: AcGuard(),
+    },
     // {
     //   provide: APP_FILTER,
     //   useClass: AllExceptionFilter,

apps/api/src/core/agents/_dto/agents.dto.ts

@@ -130,6 +130,18 @@ export class AgentsCreateDto extends CustomFieldsDto {
   @ApiProperty()
   public baseURL?: string
 
+  /**
+   * Rôles de l'agent.
+   *
+   * @type {string[]}
+   * @optional
+   * @default []
+   */
+  @IsString({ each: true })
+  @IsOptional()
+  @ApiProperty()
+  public roles?: string[]
+
   /**
    * Configuration de sécurité de l'agent.
    * Contient les clés, restrictions et paramètres de sécurité.

apps/api/src/core/agents/_schemas/agents.schema.ts

@@ -165,6 +165,19 @@ export class Agents extends AbstractSchema {
   })
   public security: SecurityPart
 
+  /**
+   * Rôles de l'agent.
+   * Permet de définir les rôles de l'agent.
+   *
+   * @type {string[]}
+   * @default []
+   */
+  @Prop({
+    type: [String],
+    default: [],
+  })
+  public roles: string[]
+
   /**
    * Champs personnalisés définis par l'utilisateur.
    * Permet de stocker des données métier spécifiques sans modifier le schéma.

apps/api/src/core/agents/agents.controller.ts

@@ -19,6 +19,8 @@ import { ObjectIdValidationPipe } from '~/_common/pipes/object-id-validation.pip
 import { PartialProjectionType } from '~/_common/types/partial-projection.type'
 import { AgentsCreateDto, AgentsDto, AgentsUpdateDto } from '~/core/agents/_dto/agents.dto'
 import { AgentsService } from './agents.service'
+import { AC_ACTIONS, AC_DEFAULT_POSSESSION } from '~/_common/types/ac-types'
+import { UseRoles } from '~/_common/decorators/use-roles.decorator'
 
 /**
  * Contrôleur pour la gestion des agents
@@ -79,6 +81,11 @@ export class AgentsController extends AbstractController {
    * @throws {BadRequestException} Si les données fournies sont invalides
    */
   @Post()
+  @UseRoles({
+    resource: 'core/agents',
+    action: AC_ACTIONS.CREATE,
+    possession: AC_DEFAULT_POSSESSION,
+  })
   @ApiCreateDecorator(AgentsCreateDto, AgentsDto)
   public async create(@Res() res: Response, @Body() body: AgentsCreateDto): Promise<Response> {
     const data = await this._service.create(body)
@@ -102,6 +109,11 @@ export class AgentsController extends AbstractController {
    * @todo Implémenter la recherche arborescente par parentId
    */
   @Get()
+  @UseRoles({
+    resource: 'core/agents',
+    action: AC_ACTIONS.READ,
+    possession: AC_DEFAULT_POSSESSION,
+  })
   @ApiPaginatedDecorator(PickProjectionHelper(AgentsDto, AgentsController.projection))
   public async search(
     @Res() res: Response,
@@ -148,6 +160,11 @@ export class AgentsController extends AbstractController {
    * @throws {NotFoundException} Si l'agent n'est pas trouvé
    */
   @Get(':_id([0-9a-fA-F]{24})')
+  @UseRoles({
+    resource: 'core/agents',
+    action: AC_ACTIONS.READ,
+    possession: AC_DEFAULT_POSSESSION,
+  })
   @ApiParam({ name: '_id', type: String })
   @ApiReadResponseDecorator(AgentsDto)
   public async read(
@@ -179,6 +196,11 @@ export class AgentsController extends AbstractController {
    * @throws {BadRequestException} Si les données fournies sont invalides
    */
   @Patch(':_id([0-9a-fA-F]{24})')
+  @UseRoles({
+    resource: 'core/agents',
+    action: AC_ACTIONS.UPDATE,
+    possession: AC_DEFAULT_POSSESSION,
+  })
   @ApiParam({ name: '_id', type: String })
   @ApiUpdateDecorator(AgentsUpdateDto, AgentsDto)
   public async update(
@@ -205,6 +227,11 @@ export class AgentsController extends AbstractController {
    * @throws {NotFoundException} Si l'agent n'est pas trouvé
    */
   @Delete(':_id([0-9a-fA-F]{24})')
+  @UseRoles({
+    resource: 'core/agents',
+    action: AC_ACTIONS.DELETE,
+    possession: AC_DEFAULT_POSSESSION,
+  })
   @ApiParam({ name: '_id', type: String })
   @ApiDeletedResponseDecorator(AgentsDto)
   public async remove(

apps/api/src/core/auth/_strategies/jwt.strategy.ts

@@ -36,11 +36,18 @@ export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {
     const user = await this.auth.verifyIdentity(payload);
 
     if (!user) return done(new ForbiddenException(), false);
+
+    const roles = [...Array.isArray(payload.identity?.roles) ? payload.identity.roles : []]
+    if (!roles.includes('admin') && payload.identity?._id === '000000000000000000000000') {
+      roles.push('admin')
+    }
+
     return done(null, {
       $ref: !payload.scopes.includes('api')
         ? Agents.name
         : Keyrings.name,
       ...payload?.identity,
+      roles,
     });
   }
 }

apps/api/src/core/auth/auth.controller.ts

@@ -9,7 +9,8 @@ import { Response } from 'express';
 import { ReqIdentity } from '~/_common/decorators/params/req-identity.decorator';
 import { AgentType } from '~/_common/types/agent.type';
 import { hash } from 'crypto';
-import { omit, pick } from 'radash';
+import { omit } from 'radash';
+import { RolesService } from '../roles/roles.service';
 
 @Public()
 @ApiTags('core/auth')
@@ -18,6 +19,7 @@ export class AuthController extends AbstractController {
   constructor(
     protected moduleRef: ModuleRef,
     private readonly service: AuthService,
+    private readonly rolesService: RolesService,
   ) {
     super();
   }
@@ -40,11 +42,16 @@ export class AuthController extends AbstractController {
     this.logger.debug(`Session request for ${identity._id} (${identity.email})`);
     const user = await this.service.getSessionData(identity);
     this.logger.debug(`Session data delivered for ${identity._id} (${identity.email}) with ${JSON.stringify(user)}`);
+
+    const ac = await this.rolesService.getRolesBuilder()
+    console.log('ac.getGrants()', ac.getGrants())
+
     return res.status(HttpStatus.OK).json({
       user: {
         ...omit(user, ['security', 'metadata']),
         sseToken: hash('sha256', user.security.secretKey),
       },
+      access: ac.getGrants(),
     });
   }