fix: improve groups/teams assignments (external IdPs) (#4349)
Showing
11 changed files
with
262 additions
and
181 deletions.
@@ -1,6 +1,20 @@ | ||
import { | ||
createGroupsTeamsAuthorizer, | ||
type GroupsTeamsAuthorizerConfig | ||
} from "@webiny/api-security"; | ||
|
||
export { createIdentityType } from "./createIdentityType"; | ||
export { createAuthenticator } from "./createAuthenticator"; | ||
export type { AuthenticatorConfig } from "./createAuthenticator"; | ||
export { createGroupAuthorizer } from "./createGroupAuthorizer"; | ||
export type { GroupAuthorizerConfig } from "./createGroupAuthorizer"; | ||
export { createAuth0 } from "./createAuth0"; | ||
|
||
export { createGroupsTeamsAuthorizer, type GroupsTeamsAuthorizerConfig }; | ||
|
||
// Backwards compatibility. | ||
// @deprecated Use `createGroupsTeamsAuthorizer` instead. | ||
const createGroupAuthorizer = createGroupsTeamsAuthorizer; | ||
|
||
// @deprecated Use `GroupsTeamsAuthorizerConfig` instead. | ||
type GroupAuthorizerConfig = GroupsTeamsAuthorizerConfig; | ||
|
||
export { createGroupAuthorizer, type GroupAuthorizerConfig }; |
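Review bot: The deprecation markers on `createGroupAuthorizer` and `GroupAuthorizerConfig` are plain `//` line comments, which neither tsc nor editors read, so callers of the old names get no strike-through or deprecation diagnostic and the "Backwards compatibility" intent is easy to miss. Use TSDoc instead, e.g. `/** @deprecated Use createGroupsTeamsAuthorizer instead. */` above the const and `/** @deprecated Use GroupsTeamsAuthorizerConfig instead. */` above the type alias. The identical block in the second index file (the one exporting `createOkta`) has the same issue.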
@@ -1,6 +1,20 @@ | ||
import { | ||
createGroupsTeamsAuthorizer, | ||
type GroupsTeamsAuthorizerConfig | ||
} from "@webiny/api-security"; | ||
|
||
export { createIdentityType } from "./createIdentityType"; | ||
export { createAuthenticator } from "./createAuthenticator"; | ||
export type { AuthenticatorConfig } from "./createAuthenticator"; | ||
export { createGroupAuthorizer } from "./createGroupAuthorizer"; | ||
export type { GroupAuthorizerConfig } from "./createGroupAuthorizer"; | ||
export { createOkta } from "./createOkta"; | ||
|
||
export { createGroupsTeamsAuthorizer, type GroupsTeamsAuthorizerConfig }; | ||
|
||
// Backwards compatibility. | ||
// @deprecated Use `createGroupsTeamsAuthorizer` instead. | ||
const createGroupAuthorizer = createGroupsTeamsAuthorizer; | ||
|
||
// @deprecated Use `GroupsTeamsAuthorizerConfig` instead. | ||
type GroupAuthorizerConfig = GroupsTeamsAuthorizerConfig; | ||
|
||
export { createGroupAuthorizer, type GroupAuthorizerConfig }; |
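--- /dev/null
+++ b/packages/api-security/src/utils/createGroupsTeamsAuthorizer.ts
@@ -0,0 +1,84 @@
+import { ContextPlugin } from "@webiny/handler";
+import { SecurityContext } from "~/types";
+import {
+GroupsTeamsAuthorizerConfig,
+listPermissionsFromGroupsAndTeams
+} from "./createGroupsTeamsAuthorizer/listPermissionsFromGroupsAndTeams";
+
+export type { GroupsTeamsAuthorizerConfig };
+
+export const createGroupsTeamsAuthorizer = <TContext extends SecurityContext = SecurityContext>(
+config: GroupsTeamsAuthorizerConfig<TContext>
+) => {
+return new ContextPlugin<TContext>(context => {
+const { security, tenancy } = context;
+security.addAuthorizer(async () => {
+const identity = security.getIdentity();
+if (!identity) {
+return null;
+}
+
+// If `identityType` is specified, we'll only execute this authorizer for a matching identity.
+if (config.identityType && identity.type !== config.identityType) {
+return null;
+}
+
+// @ts-expect-error Check `packages/api-security/src/plugins/tenantLinkAuthorization.ts:23`.
+const locale = context.i18n?.getContentLocale();
+if (!locale) {
+return null;
+}
+
+if (config.canAccessTenant) {
+const canAccessTenant = await config.canAccessTenant(context);
+if (!canAccessTenant) {
+return [];
+}
+}
+
+const currentTenantPermissions = await listPermissionsFromGroupsAndTeams<TContext>({
+config,
+context,
+identity,
+localeCode: locale.code
+});
+
+if (Array.isArray(currentTenantPermissions)) {
+return currentTenantPermissions;
+}
+
+// If no security groups were found, it could be due to an identity accessing a sub-tenant. In this case,
+// let's try loading permissions from the parent tenant. Note that this will work well for flat tenant
+// hierarchy where there's a `root` tenant and 1 level of sibling sub-tenants. For multi-level hierarchy,
+// the best approach is to code a plugin with the desired permissions-fetching logic.
+if (config.inheritGroupsFromParentTenant === false) {
+return null;
+}
+
+const parentTenantId = context.tenancy.getCurrentTenant().parent;
+if (!parentTenantId) {
+return null;
+}
+
+const parentTenant = await tenancy.getTenantById(parentTenantId);
+if (!parentTenant) {
+return null;
+}
+
+const parentTenantPermissions = await tenancy.withTenant(parentTenant, async () => {
+return listPermissionsFromGroupsAndTeams({
+config,
+context,
+identity,
+localeCode: locale.code
+});
+});
+
+if (Array.isArray(parentTenantPermissions)) {
+return parentTenantPermissions;
+}
+
+return null;
+});
+});
+};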
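Review bot: The `return null` exits for a missing identity, a non-matching `identityType` or a missing content locale and the `return []` after `canAccessTenant` fails mean different things to the authorization chain, but the new authorizer never says which; presumably `security.addAuthorizer` treats `null` as "no decision, ask the next authorizer" and an array as the final permission set (confirm against `addAuthorizer`), in which case a request without a content locale is skipped by this authorizer rather than denied, and that choice deserves a comment. A line at the `canAccessTenant` branch such as `// An empty array denies access to this tenant outright; null defers the decision to the next authorizer.` would make the contract explicit for anyone adding authorizers later. Separately, the parent-tenant fallback reads `context.tenancy.getCurrentTenant().parent` although `tenancy` is already destructured two lines into the plugin, and it calls `listPermissionsFromGroupsAndTeams` without the `<TContext>` argument used at the first call; `tenancy.getCurrentTenant().parent` and `listPermissionsFromGroupsAndTeams<TContext>({` keep the two call sites consistent.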