feat(keto-client-wrapper): create OryAuthorizationGuard

Author: getlarge

packages/keto-client-wrapper/src/index.ts

@@ -1,3 +1,8 @@
+export { OryAuthorizationGuard } from './lib/ory-authorization.guard';
+export {
+  OryPermissionChecks,
+  getOryPermissionChecks,
+} from './lib/ory-permission-checks.decorator';
 export {
   OryPermissionsModule,
   OryPermissionsModuleAsyncOptions,

packages/keto-client-wrapper/src/lib/ory-authorization.guard.ts

@@ -0,0 +1,57 @@
+import {
+  CanActivate,
+  ExecutionContext,
+  Injectable,
+  mixin,
+} from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import {
+  RelationTuple,
+  createPermissionCheckQuery,
+} from '@getlarge/keto-relations-parser';
+
+import { OryPermissionsService } from './ory-permissions';
+import { getOryPermissionChecks } from './ory-permission-checks.decorator';
+
+export const OryAuthorizationGuard = (
+  options: {
+    errorFactory?: (error: Error) => Error;
+    postCheck?: (relationTuple: RelationTuple, isPermitted: boolean) => void;
+  } = {}
+) => {
+  @Injectable()
+  class AuthorizationGuard implements CanActivate {
+    constructor(
+      readonly reflector: Reflector,
+      readonly oryService: OryPermissionsService
+    ) {}
+
+    async canActivate(context: ExecutionContext): Promise<boolean> {
+      const factories =
+        getOryPermissionChecks(this.reflector, context.getHandler()) ?? [];
+      if (!factories?.length) {
+        return true;
+      }
+      for (const { relationTupleFactory } of factories) {
+        const relationTuple = relationTupleFactory(context);
+        const result = createPermissionCheckQuery(relationTuple);
+        if (result.hasError()) {
+          if (options.errorFactory) {
+            throw options.errorFactory(result.error);
+          }
+          return false;
+        }
+        const { data } = await this.oryService.checkPermission(result.value);
+        const isPermitted = data.allowed;
+        if (options.postCheck) {
+          options.postCheck(relationTuple, isPermitted);
+        }
+        if (!isPermitted) {
+          return false;
+        }
+      }
+      return true;
+    }
+  }
+  return mixin(AuthorizationGuard);
+};

packages/keto-client-wrapper/src/lib/ory-permission-checks.decorator.ts

@@ -0,0 +1,45 @@
+import { CustomDecorator, ExecutionContext, SetMetadata } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import {
+  parseRelationTuple,
+  RelationTuple,
+} from '@getlarge/keto-relations-parser';
+
+type OryPermissionCheckMetadataType = {
+  relationTupleFactory: (ctx: ExecutionContext) => RelationTuple;
+};
+
+const ORY_PERMISSION_CHECKS_METADATA_KEY = Symbol('OryPermissionChecksKey');
+
+export const OryPermissionChecks = (
+  ...relationTupleFactories: (string | ((ctx: ExecutionContext) => string))[]
+): CustomDecorator<typeof ORY_PERMISSION_CHECKS_METADATA_KEY> => {
+  const valueToSet: OryPermissionCheckMetadataType[] = [];
+
+  for (const relationTupleFactory of relationTupleFactories) {
+    if (typeof relationTupleFactory === 'string') {
+      valueToSet.push({
+        relationTupleFactory: () =>
+          parseRelationTuple(relationTupleFactory).unwrapOrThrow(),
+      });
+    } else {
+      valueToSet.push({
+        relationTupleFactory: (ctx) =>
+          parseRelationTuple(relationTupleFactory(ctx)).unwrapOrThrow(),
+      });
+    }
+  }
+  return SetMetadata(ORY_PERMISSION_CHECKS_METADATA_KEY, valueToSet);
+};
+
+export const getOryPermissionChecks = (
+  reflector: Reflector,
+  handler: Parameters<Reflector['get']>[1]
+): OryPermissionCheckMetadataType[] | null => {
+  const oryPermissions =
+    reflector.get<
+      OryPermissionCheckMetadataType[],
+      typeof ORY_PERMISSION_CHECKS_METADATA_KEY
+    >(ORY_PERMISSION_CHECKS_METADATA_KEY, handler) ?? [];
+  return oryPermissions.length > 0 ? oryPermissions : null;
+};

packages/keto-relations-parser/src/index.ts

@@ -21,3 +21,13 @@ export {
 export type { RelationTupleStringGenerator } from './lib/with-replacements/relation-tuple-with-replacements-parser';
 export { parseRelationTupleWithReplacements } from './lib/with-replacements/relation-tuple-with-replacements-parser';
 export type { ReplacementValues } from './lib/with-replacements/replacement-values';
+
+export {
+  createFlattenRelationQuery,
+  createRelationQuery,
+  createRelationship,
+} from './lib/keto-converters/tuple-to-relationships-parameters';
+export {
+  createExpandPermissionQuery,
+  createPermissionCheckQuery,
+} from './lib/keto-converters/tuple-to-permissions-parameters';