review access-control

Author: Francesca-Bit

lib/accessControl.js

@@ -43,8 +43,10 @@ function AccessControl(cloudAPIUrl, params) {
     this.setJwtToken(params.jwt);
   } else if (params.token) {
     this.setApiToken(params.token);
+  } else if (params.key) {
+    this.setApiKey(params.key);
+    this.user = params.user;
   }
-
   this.defaultOrganization = this.getDefaultOrganization(params);
 }
 
@@ -68,7 +70,7 @@ AccessControl.prototype.setJwtToken = function (jwt) {
     throw new Error('TerminusX Access token required');
   }
 
-  this.apiJwtToken = jwt;
+  this.apiKey = jwt;
   this.apiType = 'jwt';
 };
 
@@ -81,10 +83,23 @@ AccessControl.prototype.setApiToken = function (token) {
     throw new Error('TerminusX Access token required');
   }
 
-  this.apiToken = token;
+  this.apiKey = token;
   this.apiType = 'apikey';
 };
 
+/**
+ * Sets the API token for the object, to request a token create an account in  https://terminusdb.com/
+ * @param {string} atokenpi  -  The API token to use to connect with TerminusX
+ */
+AccessControl.prototype.setApiKey = function (key) {
+  if (!key) {
+    throw new Error('TerminusDB bacis authentication key required');
+  }
+
+  this.apiKey = key;
+  this.apiType = 'basic';
+};
+
 /**
  * Get a API url from cloudAPIUrl
  * @param {string} cloudAPIUrl -  The base url for cloud
@@ -112,14 +127,11 @@ AccessControl.prototype.dispatch = function (requestUrl, action, payload) {
       ),
     );
   }
-
-  const apiToken = this.apiJwtToken || this.apiToken;
-
   return DispatchRequest(
     requestUrl,
     action,
     payload,
-    { type: this.apiType, key: apiToken },
+    { type: this.apiType, key: this.apiKey, user: this.user },
   );
 };
 
@@ -132,8 +144,19 @@ AccessControl.prototype.getAccessRoles = function () {
 };
 
 /**
- * Any user can create their own organization.
- * IMPORTANT This does not work with the API-TOKEN.
+ * This end point works only in basic authentication admin user
+ * Get all the system organizations list
+ * @return {Promise} A promise that returns the call response object, or an Error if rejected.
+ */
+
+AccessControl.prototype.getAllOrganizations = function () {
+  return this.dispatch(`${this.baseURL}/organizations`, CONST.GET);
+};
+
+/**
+ * This works only in the local database
+ * TerminusX - Any user can create their own organization. -
+ * TerminusX - IMPORTANT This does not work with the API-TOKEN.
  * @param {string} orgName -  The organization name to create
  * @return {Promise} A promise that returns the call response object, or an Error if rejected.
  * @example
@@ -142,20 +165,21 @@ AccessControl.prototype.getAccessRoles = function () {
  * })
  */
 AccessControl.prototype.createOrganization = function (orgName) {
-  if (!orgName) {
-    return Promise.reject(
-      new Error(
-        ErrorMessage.getInvalidParameterMessage(
-          'POST',
-          'Please provide a organization name',
-        ),
-      ),
-    );
-  }
+  // maybe we have to review this
+  return this.dispatch(`${this.baseURL}/organizations/${UTILS.encodeURISegment(orgName)}`, CONST.POST, {});
+};
 
-  return this.dispatch(`${this.baseURL}/private/organizations`, CONST.POST, {
-    organization: orgName,
-  });
+/**
+ * This api works only in the local installation
+ * @param {string} orgName -  The organization name to create
+ * @return {Promise} A promise that returns the call response object, or an Error if rejected.
+ * @example
+ * accessControl.createOrganization("my_org_name").then(result=>{
+ *      console.log(result)
+ * })
+ */
+AccessControl.prototype.deleteOrganization = function (orgName) {
+  return this.dispatch(`${this.baseURL}/organizations/${UTILS.encodeURISegment(orgName)}`, CONST.DELETE);
 };
 
 /**
@@ -433,6 +457,53 @@ AccessControl.prototype.getTeamUserRole = function (orgName) {
   return this.dispatch(`${this.baseURL}/organizations/${UTILS.encodeURISegment(org)}/role`, CONST.GET);
 };
 
+/**
+ * Get the user role for a given organization or the default organization,
+ * @param {string} [userName] -  The organization name.
+ * @param {string} [orgName] -  The organization name.
+ * @return {Promise} A promise that returns the call response object, or an Error if rejected.
+ * @example
+ * accessControl.getTeamUserRole("myUser").then(result=>{
+ *  console.log(result)
+ * })
+ *
+ * //response object example
+ * {
+ *  "@id": "User/myUser",
+ *   "capability": [
+ *         {
+ *           "@id":"Capability/server_access",
+ *           "@type":"Capability",
+ *           "role": [{
+ *              "@id":"Role/reader",
+ *               "@type":"Role",
+ *              "action": [
+ *                 "instance_read_access",
+ *              ],
+ *               "name":"reader"
+ *             }],
+ *           "scope":"Organization/myteam"
+ *         }
+ *       ],
+ *   "name": "myUser"
+ *}
+ */
+
+AccessControl.prototype.getTeamUserRoles = function (userName, orgName) {
+  if (!orgName && !this.defaultOrganization) {
+    return Promise.reject(
+      new Error(
+        ErrorMessage.getInvalidParameterMessage(
+          'GET',
+          'Please provide a organization name',
+        ),
+      ),
+    );
+  }
+  const org = orgName || this.defaultOrganization;
+  return this.dispatch(`${this.baseURL}/organizations/${UTILS.encodeURISegment(org)}/users/${UTILS.encodeURISegment(userName)}`, CONST.GET);
+};
+
 /**
  * Remove an user from an organization, only an admin user can remove an user from an organization
  * @param {string} userId -  The id of the user to be removed. (this is the document user's @id)
@@ -693,4 +764,100 @@ AccessControl.prototype.deleteAccessRequest = function (acceId, orgName) {
   return this.dispatch(`${this.baseURL}/organizations/${UTILS.encodeURISegment(org)}/access_requests/${acceId}`, CONST.DELETE);
 };
 
+/**
+ * Create a new role in the system database, (this api is enabled only in the local installation)
+ * @param {string} [name] -  The role name.
+ * @param {array} [actions] - A list of actions
+ * @return {Promise} A promise that returns the call response object, or an Error if rejected.
+ * @example
+ * accessControl.createRole("Reader",[ACTIONS.INSTANCE_READ_ACCESS]).then(result=>{
+ *  console.log(result)
+ * })
+ *
+ */
+AccessControl.prototype.createRole = function (name, actions) {
+  const payload = { name, action: actions };
+  return this.dispatch(`${this.baseURL}/roles`, CONST.POST, payload);
+};
+
+/**
+ * Delete role in the system database, (this api is enabled only in the local installation)
+ * @param {string} [name] -  The role name.
+ * @return {Promise} A promise that returns the call response object, or an Error if rejected.
+ * @example
+ * accessControl.deleteRole("Reader").then(result=>{
+ *  console.log(result)
+ * })
+ *
+ */
+AccessControl.prototype.deleteRole = function (name) {
+  return this.dispatch(`${this.baseURL}/roles/${UTILS.encodeURISegment(name)}`, CONST.DELETE);
+};
+
+/**
+ * Return the list of all the users (this api is enabled only in the local installation)
+ * @return {Promise} A promise that returns the call response object, or an Error if rejected.
+ * @example
+ * accessControl.getAllUsers().then(result=>{
+ *  console.log(result)
+ * })
+ *
+ */
+
+AccessControl.prototype.getAllUsers = function () {
+  return this.dispatch(`${this.baseURL}/users`, CONST.GET);
+};
+
+/**
+ * Remove the user from the system database (this api is enabled only in the local installation)
+ * @param  {string}  userId - the document user id
+ * @return {Promise} A promise that returns the call response object, or an Error if rejected.
+ * @example
+ * accessControl.deleteUser(userId).then(result=>{
+ *  console.log(result)
+ * })
+ *
+ */
+
+AccessControl.prototype.deleteUser = function (userId) {
+  return this.dispatch(`${this.baseURL}/users/${UTILS.encodeURISegment(userId)}`, CONST.DELETE);
+};
+
+/**
+ * Add the user into the system database (this api is enabled only in the local installation)
+ * @param  {string}  name - the user name
+ * @param  {string}  [password] - you need the password for basic authentication
+ * @return {Promise} A promise that returns the call response object, or an Error if rejected.
+ * @example
+ * accessControl.deleteUser(userId).then(result=>{
+ *  console.log(result)
+ * })
+ *
+ */
+
+AccessControl.prototype.createUser = function (name, password) {
+  const payload = { name, password };
+  return this.dispatch(`${this.baseURL}/users`, CONST.POST, payload);
+};
+
+/**
+ * Grant/Revoke Capability (this api is enabled only in the local installation)
+ * @param  {string}  userId - the document user id
+ * @param  {string}  resourceId - the resource id (database or team)
+ * @param  {array}   rolesArr - the roles list
+ * @param  {string}  operation - grant/revoke operation
+ * @return {Promise} A promise that returns the call response object, or an Error if rejected.
+ * @example
+ { "operation" : "grant",
+  "scope" : "Organization/myteam",
+  "user" : "User/myUser",
+  "roles" : ["Role/reader"] }
+ */
+AccessControl.prototype.manageCapability = function (userId, resourceId, rolesArr, operation) {
+  const payload = {
+    operation, user: userId, roles: rolesArr, scope: resourceId,
+  };
+  return this.dispatch(`${this.baseURL}/capabilities`, CONST.POST, payload);
+};
+
 module.exports = AccessControl;

lib/dispatchRequest.js

@@ -114,9 +114,9 @@ function DispatchRequest(url, action, payload, local_auth, remote_auth = null, c
         .delete(url, options)
         .then((response) => (getDataVersion ? getResultWithDataVersion(response) : response.data))
         .catch((err) => {
-          const e = new Error(ErrorMessage.getAPIErrorMessage(url, options, err));
-          if (err.response && err.response.data) e.data = err.response.data;
-          throw e;
+          // const e = new Error(ErrorMessage.getAPIErrorMessage(url, options, err));
+          // if (err.response && err.response.data) e.data = err.response.data;
+          throw ErrorMessage.apiErrorFormatted(url, options, err);
         });
     }
     case CONST.HEAD: {
@@ -141,11 +141,7 @@ function DispatchRequest(url, action, payload, local_auth, remote_auth = null, c
         .get(url, options)
         .then((response) => (getDataVersion ? getResultWithDataVersion(response) : response.data))
         .catch((err) => {
-          const e = new Error(ErrorMessage.getAPIErrorMessage(url, options, err));
-          if (err.response && err.response.data) {
-            e.data = err.response.data;
-          }
-          throw e;
+          throw ErrorMessage.apiErrorFormatted(url, options, err);
         });
     }
     case CONST.ADD_CSV:

lib/errorMessage.js

@@ -91,7 +91,15 @@ function parseAPIError(response) {
   return err;
 }
 
+function apiErrorFormatted(url, options, err) {
+  const e = new Error(getAPIErrorMessage(url, options, err));
+  if (err.response && err.response.data) e.data = err.response.data;
+  if (err.response && err.response.status) e.status = err.response.status;
+  return e;
+}
+
 module.exports = {
+  apiErrorFormatted,
   getErrorAsMessage,
   getAPIErrorMessage,
   getAccessDeniedMessage,

lib/utils.js

@@ -12,6 +12,26 @@
  */
 const Utils = {};
 
+Utils.ACTIONS = {
+  CREATE_DATABASE: 'create_database',
+  DELETE_DATABASE: 'delete_database',
+  SCHEMA_READ_ACCESS: 'schema_read_access',
+  SCHEMA_WRITE_ACCESS: 'schema_write_access',
+  INSTANCE_READ_ACCESS: 'instance_read_access',
+  INSTANCE_WRITE_ACCESS: 'instance_write_access',
+  COMMIT_READ_ACCESS: 'commit_read_access',
+  COMMIT_WRITE_ACCESS: 'commit_write_access',
+  META_READ_ACCESS: 'meta_read_access',
+  META_WRITE_ACCESS: 'meta_write_access',
+  CLASS_FRAME: 'class_frame',
+  BRANCH: 'branch',
+  CLONE: 'clone',
+  FETCH: 'fetch',
+  PUSH: 'push',
+  REBASE: 'rebase',
+  /* MANAGE_CAPABILITIES: 'manage_capabilities', */
+};
+
 // ˆˆˆˆˆ&&**(((()*(*#&#&&#$*#*(#(#(#)#)#)_
 // 'Doc%2F%3D%26test'
 //

lib/woqlClient.js

@@ -1439,6 +1439,7 @@ WOQLClient.prototype.getPrefixes = function (dbId) {
  */
 WOQLClient.prototype.getUserOrganizations = function () {
   // this will be change to give back only the organizations list
+  console.log('this.connectionConfig.userOrganizationsURL()', this.connectionConfig.userOrganizationsURL());
   return this.dispatch(
     CONST.GET,
     this.connectionConfig.userOrganizationsURL(),