cedar-entity-builder.ts
import { GroupEntity } from '../group/group.entity.js';
/** Reference to a single entity: its namespaced type name plus its id. */
type CedarEntityRef = { type: string; id: string };

/**
 * One record of the entity list produced by `buildCedarEntities`.
 *
 * The field names follow the `uid` / `attrs` / `parents` layout of Cedar's
 * entity format. Authorization decisions depend on these values, so every
 * field must come from data the server has already authenticated.
 */
export interface CedarEntityRecord {
  /** Identity of this entity. */
  uid: CedarEntityRef;
  /** Attribute values made available to policies for this entity. */
  attrs: Record<string, unknown>;
  /** Direct parents of this entity in the hierarchy (empty when it has none). */
  parents: Array<CedarEntityRef>;
}
/**
 * Builds the entity list that accompanies a Cedar authorization request for
 * one user acting on one connection.
 *
 * Output order is: User, one Group per element of `userGroups`, Connection,
 * then (each only when its id is truthy) Table, ActionEvent, Dashboard, Panel.
 *
 * Points a reviewer of the authorization path should keep in mind:
 * - The User record is emitted with `suspended: false` and no parents, whatever
 *   the caller knows about the user. NOTE(review): a policy that tests
 *   `principal.suspended` or `principal in Group::"..."` cannot be satisfied or
 *   denied through this record — confirm suspension and group membership are
 *   enforced elsewhere.
 * - Every group in `userGroups` is stamped with the `connectionId` argument.
 *   NOTE(review): presumably the caller passes only groups that belong to this
 *   connection — verify, otherwise a foreign group is labelled as local.
 * - Composite ids are joined with `/` and the parts are not escaped.
 *   NOTE(review): a table name or event id that itself contains `/` can yield
 *   the same id as a different (table, event) pair — confirm the inputs cannot
 *   contain the separator.
 * - An `actionEventId` without a truthy `tableName` produces no ActionEvent
 *   record.
 *
 * @param userId - id used for the `RocketAdmin::User` entity.
 * @param userGroups - groups to expose as `RocketAdmin::Group` entities.
 * @param connectionId - id of the connection; also the prefix of every composite id.
 * @param tableName - when truthy, adds a Table entity parented by the connection.
 * @param dashboardId - when truthy, adds a Dashboard entity parented by the connection.
 * @param panelId - when truthy, adds a Panel entity parented by the connection.
 * @param actionEventId - when truthy together with `tableName`, adds an ActionEvent
 *   entity parented by that table.
 * @returns the entity records in the order described above.
 */
export function buildCedarEntities(
  userId: string,
  userGroups: Array<GroupEntity>,
  connectionId: string,
  tableName?: string,
  dashboardId?: string,
  panelId?: string,
  actionEventId?: string,
): Array<CedarEntityRecord> {
  // Table, Dashboard and Panel share one shape: id prefixed with the connection
  // id, a `connectionId` attribute, and the Connection as the only parent.
  const underConnection = (type: string, localId: string): CedarEntityRecord => ({
    uid: { type, id: `${connectionId}/${localId}` },
    attrs: { connectionId },
    parents: [{ type: 'RocketAdmin::Connection', id: connectionId }],
  });

  // Principal: fixed attributes, no parents (see the function-level note).
  const result: Array<CedarEntityRecord> = [
    {
      uid: { type: 'RocketAdmin::User', id: userId },
      attrs: { suspended: false },
      parents: [],
    },
  ];

  // One Group entity per supplied group, tagged with the requested connection.
  for (const { id, isMain } of userGroups) {
    result.push({
      uid: { type: 'RocketAdmin::Group', id },
      attrs: { isMain, connectionId },
      parents: [],
    });
  }

  // The connection itself is the root of the resource hierarchy.
  result.push({
    uid: { type: 'RocketAdmin::Connection', id: connectionId },
    attrs: {},
    parents: [],
  });

  if (tableName) {
    result.push(underConnection('RocketAdmin::Table', tableName));

    // An ActionEvent is parented by its Table so that `resource in Table::"..."`
    // policies cover its events without naming each one.
    if (actionEventId) {
      const tableId = `${connectionId}/${tableName}`;
      result.push({
        uid: { type: 'RocketAdmin::ActionEvent', id: `${tableId}/${actionEventId}` },
        attrs: { connectionId, tableName },
        parents: [{ type: 'RocketAdmin::Table', id: tableId }],
      });
    }
  }

  if (dashboardId) {
    result.push(underConnection('RocketAdmin::Dashboard', dashboardId));
  }

  if (panelId) {
    result.push(underConnection('RocketAdmin::Panel', panelId));
  }

  return result;
}