feat: refactor access control implementation and update resource paths in controllers

Author: tacxou

apps/api/src/_common/guards/ac.guard.ts

@@ -1,14 +1,17 @@
-import { CanActivate, ExecutionContext, Inject, Injectable, Type } from '@nestjs/common';
+import { CanActivate, ExecutionContext, Inject, Injectable, Logger, Type } from '@nestjs/common';
 import { Reflector } from '@nestjs/core';
 import { ACGuard as AcGuardInternal, RolesBuilder } from 'nest-access-control';
 import { META_UNPROTECTED } from '~/_common/decorators/public.decorator';
+import { AC_ADMIN_ROLE, AC_GUEST_ROLE } from '../types/ac-types';
 
 export function AcGuard(): Type<CanActivate> {
   @Injectable()
   class CustomAcGuard<User extends any = any> extends AcGuardInternal<User> implements CanActivate {
     @Inject(Reflector)
     public readonly __reflector!: Reflector;
 
+    protected logger: Logger = new Logger(CustomAcGuard.name);
+
     public constructor(reflector: Reflector, roleBuilder: RolesBuilder) {
       super(reflector, roleBuilder);
     }
@@ -23,31 +26,37 @@ export function AcGuard(): Type<CanActivate> {
     public async canActivate(context: ExecutionContext): Promise<boolean> {
       const roleOrRoles = await this.getUserRoles(context)
       const roles = Array.isArray(roleOrRoles) ? roleOrRoles : [roleOrRoles]
-      console.log('canActivate', roles)
-      if (roles.includes('admin')) {
+      //console.log('canActivate', roles)
+      if (roles.includes(AC_ADMIN_ROLE)) {
         return true;
       }
 
-      return this.isUnProtected(context) || super.canActivate(context);
+      const result = this.isUnProtected(context) || await super.canActivate(context);
+
+      const path = context.switchToHttp().getRequest().route.path;
+      const method = context.switchToHttp().getRequest().method;
+      this.logger.verbose(`User wants to access <${method}::${path}>. Roles: [${roles.join(', ')}] -> [${result ? 'is allowed' : 'is not allowed'}]`);
+
+      return result;
     }
 
     public async getUser(context: ExecutionContext): Promise<User> {
-      console.log('isUnProtected', this.isUnProtected(context))
+      //console.log('isUnProtected', this.isUnProtected(context))
       if (this.isUnProtected(context)) {
         return {} as User;
       }
 
-      console.log('getUser', await super.getUser(context))
+      //console.log('getUser', await super.getUser(context))
       return await super.getUser(context);
     }
 
     public async getUserRoles(context: ExecutionContext): Promise<string | string[]> {
       const roles = await super.getUserRoles(context);
 
-      console.log('getUserRoles', roles)
+      //console.log('getUserRoles', roles)
 
       if (!roles || roles.length === 0) {
-        return ['guest'];
+        return [AC_GUEST_ROLE];
       }
 
       return roles;

apps/api/src/app.module.ts

@@ -29,8 +29,8 @@ import { ExtensionsModule } from './extensions/extensions.module';
 import { SentryModule, SentryGlobalFilter } from '@sentry/nestjs/setup';
 import { isConsoleEntrypoint } from './_common/functions/is-cli';
 import { AccessControlModule, ACGuard, RolesBuilder } from 'nest-access-control';
-import { RolesService } from './core/roles/roles.service';
 import { AcGuard } from './_common/guards/ac.guard';
+import { AclRuntimeService } from './core/roles/acl-runtime.service';
 
 @Module({
   imports: [
@@ -125,9 +125,9 @@ import { AcGuard } from './_common/guards/ac.guard';
     }),
     AccessControlModule.forRootAsync({
       imports: [CoreModule],
-      inject: [RolesService],
-      useFactory: async (service: RolesService): Promise<RolesBuilder> => {
-        return await service.getRolesBuilder()
+      inject: [AclRuntimeService],
+      useFactory: async (service: AclRuntimeService): Promise<RolesBuilder> => {
+        return await service.getGuardRolesBuilder()
       },
     }),
     FactorydriveModule.forRootAsync({

apps/api/src/core/agents/agents.controller.ts

@@ -110,7 +110,7 @@ export class AgentsController extends AbstractController {
    */
   @Get()
   @UseRoles({
-    resource: 'core/agents',
+    resource: '/core/agents',
     action: AC_ACTIONS.READ,
     possession: AC_DEFAULT_POSSESSION,
   })
@@ -161,7 +161,7 @@ export class AgentsController extends AbstractController {
    */
   @Get(':_id([0-9a-fA-F]{24})')
   @UseRoles({
-    resource: 'core/agents',
+    resource: '/core/agents',
     action: AC_ACTIONS.READ,
     possession: AC_DEFAULT_POSSESSION,
   })
@@ -197,7 +197,7 @@ export class AgentsController extends AbstractController {
    */
   @Patch(':_id([0-9a-fA-F]{24})')
   @UseRoles({
-    resource: 'core/agents',
+    resource: '/core/agents',
     action: AC_ACTIONS.UPDATE,
     possession: AC_DEFAULT_POSSESSION,
   })
@@ -228,7 +228,7 @@ export class AgentsController extends AbstractController {
    */
   @Delete(':_id([0-9a-fA-F]{24})')
   @UseRoles({
-    resource: 'core/agents',
+    resource: '/core/agents',
     action: AC_ACTIONS.DELETE,
     possession: AC_DEFAULT_POSSESSION,
   })

apps/api/src/core/auth/auth.controller.ts

@@ -50,8 +50,8 @@ export class AuthController extends AbstractController {
       user: {
         ...omit(user, ['security', 'metadata']),
         sseToken: hash('sha256', user.security.secretKey),
+        access: ac.getGrants(),
       },
-      access: ac.getGrants(),
     });
   }
 

apps/api/src/core/cron/cron.controller.ts

@@ -3,6 +3,13 @@ import { Controller, Get, Res, HttpStatus, Query } from '@nestjs/common'
 import { ApiTags } from '@nestjs/swagger'
 import { CronService } from './cron.service'
 import { Response } from 'express'
+import { UseRoles } from '~/_common/decorators/use-roles.decorator'
+import { AC_ACTIONS, AC_DEFAULT_POSSESSION } from '~/_common/types/ac-types'
+import { ApiPaginatedDecorator } from '~/_common/decorators/api-paginated.decorator'
+import { PickProjectionHelper } from '~/_common/helpers/pick-projection.helper'
+import { CronDto } from './_dto/cron.dto'
+import { PartialProjectionType } from '~/_common/types/partial-projection.type'
+import { ApiReadResponseDecorator } from '~/_common/decorators/api-read-response.decorator'
 
 /**
  * Contrôleur Cron - Endpoints pour les tâches planifiées.
@@ -14,6 +21,12 @@ import { Response } from 'express'
 export class CronController {
   public constructor(private readonly cronService: CronService) { }
 
+  protected static readonly projection: PartialProjectionType<CronDto> = {
+    name: 1,
+    description: 1,
+    schedule: 1,
+  }
+
   /**
    * Endpoint pour rechercher et lister les tâches cron configurées.
    *
@@ -24,6 +37,12 @@ export class CronController {
    * @returns Une liste paginée des tâches cron avec leurs détails d'exécution
    */
   @Get()
+  @UseRoles({
+    resource: '/core/cron',
+    action: AC_ACTIONS.READ,
+    possession: AC_DEFAULT_POSSESSION,
+  })
+  @ApiPaginatedDecorator(PickProjectionHelper(CronDto, CronController.projection))
   public async search(
     @Query('search') search: string,
     @Query('page') page: number,
@@ -43,6 +62,12 @@ export class CronController {
   }
 
   @Get(':name')
+  @UseRoles({
+    resource: '/core/cron',
+    action: AC_ACTIONS.READ,
+    possession: AC_DEFAULT_POSSESSION,
+  })
+  @ApiReadResponseDecorator(CronDto)
   public async read(
     @Res() res: Response,
   ): Promise<Response> {

apps/api/src/core/jobs/jobs.controller.ts

@@ -16,6 +16,8 @@ import { ObjectIdValidationPipe } from '~/_common/pipes/object-id-validation.pip
 import { PartialProjectionType } from '~/_common/types/partial-projection.type';
 import { JobsDto } from './_dto/jobs.dto';
 import { JobsService } from './jobs.service';
+import { UseRoles } from '~/_common/decorators/use-roles.decorator';
+import { AC_ACTIONS, AC_DEFAULT_POSSESSION } from '~/_common/types/ac-types';
 
 @ApiTags('core/jobs')
 @Controller('jobs')
@@ -35,6 +37,11 @@ export class JobsController extends AbstractController {
   }
 
   @Get()
+  @UseRoles({
+    resource: '/core/jobs',
+    action: AC_ACTIONS.READ,
+    possession: AC_DEFAULT_POSSESSION,
+  })
   @ApiPaginatedDecorator(PickProjectionHelper(JobsDto, JobsController.projection))
   public async search(
     @Res() res: Response,
@@ -58,6 +65,11 @@ export class JobsController extends AbstractController {
   }
 
   @Get(':_id([0-9a-fA-F]{24})')
+  @UseRoles({
+    resource: '/core/jobs',
+    action: AC_ACTIONS.READ,
+    possession: AC_DEFAULT_POSSESSION,
+  })
   @ApiParam({ name: '_id', type: String })
   @ApiReadResponseDecorator(JobsDto)
   public async read(

apps/api/src/core/roles/acl-runtime.service.ts

@@ -0,0 +1,57 @@
+import { Injectable, Logger } from '@nestjs/common'
+import { RolesBuilder } from 'nest-access-control'
+import { RolesService } from './roles.service'
+
+@Injectable()
+export class AclRuntimeService {
+  private readonly logger = new Logger(AclRuntimeService.name)
+  private rolesBuilder: RolesBuilder | null = null
+  private refreshPromise: Promise<RolesBuilder> | null = null
+  private readonly guardRolesBuilder: RolesBuilder
+
+  public constructor(
+    private readonly rolesService: RolesService,
+  ) {
+    this.guardRolesBuilder = new Proxy({} as RolesBuilder, {
+      get: (_target, property, _receiver) => {
+        if (!this.rolesBuilder) {
+          throw new Error('ACL roles builder is not initialized yet')
+        }
+
+        const value = Reflect.get(this.rolesBuilder as unknown as object, property)
+        return typeof value === 'function' ? value.bind(this.rolesBuilder) : value
+      },
+    })
+  }
+
+  public async getGuardRolesBuilder(): Promise<RolesBuilder> {
+    await this.getRolesBuilder()
+    return this.guardRolesBuilder
+  }
+
+  public async getRolesBuilder(): Promise<RolesBuilder> {
+    if (this.rolesBuilder) {
+      return this.rolesBuilder
+    }
+
+    return this.refresh()
+  }
+
+  public async refresh(): Promise<RolesBuilder> {
+    if (this.refreshPromise) {
+      return this.refreshPromise
+    }
+
+    this.refreshPromise = this.rolesService.getRolesBuilder()
+      .then((rolesBuilder) => {
+        this.rolesBuilder = rolesBuilder
+        this.logger.log('ACL reloaded from roles collection')
+        return rolesBuilder
+      })
+      .finally(() => {
+        this.refreshPromise = null
+      })
+
+    return this.refreshPromise
+  }
+}

apps/api/src/core/roles/roles.controller.ts

@@ -17,6 +17,7 @@ import { ApiDeletedResponseDecorator } from "~/_common/decorators/api-deleted-re
 import { UseRoles } from "~/_common/decorators/use-roles.decorator"
 import { AC_ACTIONS, AC_ADMIN_ROLE, AC_DEFAULT_POSSESSION, AC_GUEST_ROLE } from "~/_common/types/ac-types"
 import { Roles } from "./_schemas/roles.schema"
+import { AclRuntimeService } from "./acl-runtime.service"
 
 @ApiTags('core/roles')
 @Controller('roles')
@@ -32,13 +33,16 @@ export class RolesController extends AbstractController {
     description: 1,
   };
 
-  public constructor(private readonly _service: RolesService) {
+  public constructor(
+    private readonly _service: RolesService,
+    private readonly _aclRuntimeService: AclRuntimeService,
+  ) {
     super()
   }
 
   @Get('list')
   @UseRoles({
-    resource: 'core/roles',
+    resource: '/core/roles',
     action: AC_ACTIONS.READ,
     possession: AC_DEFAULT_POSSESSION,
   })
@@ -68,7 +72,7 @@ export class RolesController extends AbstractController {
 
   @Get('resources')
   @UseRoles({
-    resource: 'core/roles',
+    resource: '/core/roles',
     action: AC_ACTIONS.READ,
     possession: AC_DEFAULT_POSSESSION,
   })
@@ -85,7 +89,7 @@ export class RolesController extends AbstractController {
 
   @Get()
   @UseRoles({
-    resource: 'core/roles',
+    resource: '/core/roles',
     action: AC_ACTIONS.READ,
     possession: AC_DEFAULT_POSSESSION,
   })
@@ -125,13 +129,14 @@ export class RolesController extends AbstractController {
 
   @Post()
   @UseRoles({
-    resource: 'core/roles',
+    resource: '/core/roles',
     action: AC_ACTIONS.CREATE,
     possession: AC_DEFAULT_POSSESSION,
   })
   @ApiCreateDecorator(RolesCreateDto, RolesDto)
   public async create(@Res() res: Response, @Body() body: RolesCreateDto): Promise<Response> {
     const data = await this._service.create(body)
+    await this._aclRuntimeService.refresh()
     return res.status(HttpStatus.CREATED).json({
       statusCode: HttpStatus.CREATED,
       data,
@@ -140,7 +145,7 @@ export class RolesController extends AbstractController {
 
   @Get(':_id([0-9a-fA-F]{24})')
   @UseRoles({
-    resource: 'core/roles',
+    resource: '/core/roles',
     action: AC_ACTIONS.READ,
     possession: AC_DEFAULT_POSSESSION,
   })
@@ -159,7 +164,7 @@ export class RolesController extends AbstractController {
 
   @Patch(':_id([0-9a-fA-F]{24})')
   @UseRoles({
-    resource: 'core/roles',
+    resource: '/core/roles',
     action: AC_ACTIONS.UPDATE,
     possession: AC_DEFAULT_POSSESSION,
   })
@@ -171,6 +176,7 @@ export class RolesController extends AbstractController {
     @Res() res: Response,
   ): Promise<Response> {
     const data = await this._service.update(_id, body)
+    await this._aclRuntimeService.refresh()
     return res.status(HttpStatus.OK).json({
       statusCode: HttpStatus.OK,
       data,
@@ -179,7 +185,7 @@ export class RolesController extends AbstractController {
 
   @Delete(':_id([0-9a-fA-F]{24})')
   @UseRoles({
-    resource: 'core/roles',
+    resource: '/core/roles',
     action: AC_ACTIONS.DELETE,
     possession: AC_DEFAULT_POSSESSION,
   })
@@ -190,6 +196,7 @@ export class RolesController extends AbstractController {
     @Res() res: Response,
   ): Promise<Response> {
     const data = await this._service.delete(_id)
+    await this._aclRuntimeService.refresh()
     return res.status(HttpStatus.OK).json({
       statusCode: HttpStatus.OK,
       data,

apps/api/src/core/roles/roles.module.ts

@@ -4,6 +4,7 @@ import { MongooseModule } from '@nestjs/mongoose'
 import { Roles, RolesSchema } from './_schemas/roles.schema'
 import { RolesService } from './roles.service'
 import { RolesController } from './roles.controller'
+import { AclRuntimeService } from './acl-runtime.service'
 
 @Module({
   imports: [
@@ -15,8 +16,8 @@ import { RolesController } from './roles.controller'
       },
     ]),
   ],
-  providers: [RolesService],
+  providers: [RolesService, AclRuntimeService],
   controllers: [RolesController],
-  exports: [RolesService],
+  exports: [RolesService, AclRuntimeService],
 })
 export class RolesModule { }