Merge 07780cb into 3a1dded

roggervalf · Nov 9, 2021 · b4d35b3 · b4d35b3
2 parents 3a1dded + 07780cb
commit b4d35b3
Show file tree

Hide file tree

Showing 8 changed files with 130 additions and 3 deletions.
diff --git a/dist/main.d.ts b/dist/main.d.ts
@@ -215,7 +215,9 @@ declare class ActionBasedPolicy<T extends object> extends Policy<T, ActionBasedT
     getStatements(this: ActionBasedPolicy<T>): ActionBasedType[];
     evaluate(this: ActionBasedPolicy<T>, { action, context }: EvaluateActionBasedInterface<T>): boolean;
     can(this: ActionBasedPolicy<T>, { action, context }: EvaluateActionBasedInterface<T>): boolean;
+    whyCan(this: ActionBasedPolicy<T>, { action, context }: EvaluateActionBasedInterface<T>): ActionBasedType[];
     cannot(this: ActionBasedPolicy<T>, { action, context }: EvaluateActionBasedInterface<T>): boolean;
+    whyCannot(this: ActionBasedPolicy<T>, { action, context }: EvaluateActionBasedInterface<T>): ActionBasedType[];
     generateProxy<U extends object>(this: ActionBasedPolicy<T>, obj: U, options?: ProxyOptions): U;
 }
 
@@ -233,6 +235,7 @@ declare class IdentityBasedPolicy<T extends object> extends Policy<T, IdentityBa
     getStatements(this: IdentityBasedPolicy<T>): IdentityBasedType[];
     evaluate(this: IdentityBasedPolicy<T>, { action, resource, context }: EvaluateIdentityBasedInterface<T>): boolean;
     can(this: IdentityBasedPolicy<T>, { action, resource, context }: EvaluateIdentityBasedInterface<T>): boolean;
+    whyCan(this: IdentityBasedPolicy<T>, { action, resource, context }: EvaluateIdentityBasedInterface<T>): IdentityBasedType[];
     cannot(this: IdentityBasedPolicy<T>, { action, resource, context }: EvaluateIdentityBasedInterface<T>): boolean;
 }
 

diff --git a/dist/main.es.js b/dist/main.es.js
diff --git a/dist/main.es.js.map b/dist/main.es.js.map
diff --git a/dist/main.js b/dist/main.js
diff --git a/dist/main.js.map b/dist/main.js.map
diff --git a/src/ActionBasedPolicy.test.ts b/src/ActionBasedPolicy.test.ts
@@ -328,6 +328,10 @@ describe('ActionBasedPolicy Class', () => {
               'getUser/${user.id}',
               'updateUser/${user.id}'
             ]
+          },
+          {
+            effect: 'allow',
+            action: ['createAccount']
           }
         ]
       });
@@ -376,6 +380,10 @@ describe('ActionBasedPolicy Class', () => {
               'getUser/${user.id}',
               'updateUser/${user.id}'
             ]
+          },
+          {
+            effect: 'deny',
+            action: ['createAccount']
           }
         ]
       });

diff --git a/src/IdentityBasedPolicy.test.ts b/src/IdentityBasedPolicy.test.ts
@@ -366,7 +366,7 @@ describe('IdentityBasedPolicy Class', () => {
         policy.evaluate({
           action: 'read',
           resource: 'secrets:123:ultra',
-          context: { user: {  } }
+          context: { user: {} }
         })
       ).toBe(true);
       expect(
@@ -401,6 +401,11 @@ describe('IdentityBasedPolicy Class', () => {
             effect: 'allow',
             resource: ['posts:${user.id}:*'],
             action: ['write', 'read', 'update']
+          },
+          {
+            effect: 'allow',
+            resource: ['projects:${user.id}:*'],
+            action: ['write', 'read']
           }
         ]
       });
@@ -412,6 +417,19 @@ describe('IdentityBasedPolicy Class', () => {
           context: { user: { id: 123 } }
         })
       ).toBe(true);
+      expect(
+        policy.whyCan({
+          action: 'read',
+          resource: 'posts:123:sshhh',
+          context: { user: { id: 123 } }
+        })
+      ).toMatchObject([
+        {
+          effect: 'allow',
+          resource: ['posts:${user.id}:*'],
+          action: ['write', 'read', 'update']
+        }
+      ]);
       expect(
         policy.can({
           action: 'read',

diff --git a/src/IdentityBasedPolicy.ts b/src/IdentityBasedPolicy.ts
@@ -77,6 +77,24 @@ export class IdentityBasedPolicy<T extends object> extends Policy<
     );
   }
 
+  whyCan(
+    this: IdentityBasedPolicy<T>,
+    { action, resource, context }: EvaluateIdentityBasedInterface<T>
+  ): IdentityBasedType[] {
+    return this.allowStatements.reduce((statements, currentStatement) => {
+      const matches = currentStatement.matches({
+        action,
+        resource,
+        context: context || this.context,
+        conditionResolver: this.conditionResolver
+      });
+      if (matches) {
+        return [...statements, currentStatement.getStatement()];
+      }
+      return statements;
+    }, [] as IdentityBasedType[]);
+  }
+
   cannot(
     this: IdentityBasedPolicy<T>,
     { action, resource, context }: EvaluateIdentityBasedInterface<T>