♻️ Add Casbin admin scopes

src/_staart/helpers/authorization.ts

@@ -1,18 +1,8 @@
-import {
-  accessTokens,
-  apiKeys,
-  groups,
-  memberships,
-  users,
-} from "@prisma/client";
-import { INVALID_TOKEN, USER_NOT_FOUND } from "@staart/errors";
-import { OrgScopes, SudoScopes, Tokens, UserScopes } from "../interfaces/enum";
-import { getGroupById } from "../services/group.service";
 import { getUserById } from "../services/user.service";
 import { AccessTokenResponse, ApiKeyResponse } from "./jwt";
 import { newEnforcer, Model } from "casbin";
 import { prisma } from "./prisma";
-import { ScopesUser, ScopesGroup } from "../../config";
+import { ScopesUser, ScopesGroup, ScopesAdmin } from "../../config";
 import { readFileSync } from "fs-extra";
 import { join } from "path";
 
@@ -46,6 +36,13 @@ export const BaseScopesGroup = {
   TRANSACTIONS: "groups/transactions",
   WEBHOOKS: "groups/webhooks",
 };
+export const BaseScopesAdmin = {
+  GROUPS: "admin/groups",
+  USERS: "admin/users",
+  COUPONS: "admin/coupons",
+  PAYMENT_EVENTS: "admin/payment-events",
+  SERVER_LOGS: "admin/server-logs",
+};
 
 const getPolicyForUser = async (userId: number) => {
   let policy = "";
@@ -79,6 +76,13 @@ const getPolicyForUser = async (userId: number) => {
       }
     });
   }
+  const userDetails = await getUserById(userId);
+  if (userDetails.role === "SUDO") {
+    Object.values(ScopesAdmin).forEach((scope) => {
+      policy += `p, user-${userId}, ${Acts.READ}, ${scope}\n`;
+      policy += `p, user-${userId}, ${Acts.WRITE}, ${scope}\n`;
+    });
+  }
   console.log(policy);
   return policy;
 };

src/_staart/rest/admin.ts

@@ -6,86 +6,92 @@ import {
 import { INSUFFICIENT_PERMISSION } from "@staart/errors";
 import { getEvents } from "@staart/payments";
 import { ms, randomString } from "@staart/text";
-import { ELASTIC_LOGS_INDEX } from "../../config";
-import { can } from "../helpers/authorization";
+import { ELASTIC_LOGS_INDEX, ScopesAdmin } from "../../config";
+import { can, Acts } from "../helpers/authorization";
 import { couponCodeJwt } from "../helpers/jwt";
 import {
   paginatedResult,
   prisma,
   queryParamsToSelect,
 } from "../helpers/prisma";
-import { SudoScopes } from "../interfaces/enum";
 
 export const getAllGroupForUser = async (
   tokenUserId: number,
   queryParams: any
 ) => {
-  if (await can(tokenUserId, SudoScopes.READ, "sudo"))
-    return paginatedResult(
-      await prisma.groups.findMany(queryParamsToSelect(queryParams)),
-      { take: queryParams.take }
-    );
-  throw new Error(INSUFFICIENT_PERMISSION);
+  if (!(await can(tokenUserId, Acts.READ, ScopesAdmin.GROUPS)))
+    throw new Error(INSUFFICIENT_PERMISSION);
+
+  return paginatedResult(
+    await prisma.groups.findMany(queryParamsToSelect(queryParams)),
+    { take: queryParams.take }
+  );
 };
 
 export const getAllUsersForUser = async (
   tokenUserId: number,
   queryParams: any
 ) => {
-  if (await can(tokenUserId, SudoScopes.READ, "sudo"))
-    return paginatedResult(
-      await prisma.users.findMany(queryParamsToSelect(queryParams)),
-      { take: queryParams.take }
-    );
-  throw new Error(INSUFFICIENT_PERMISSION);
+  if (!(await can(tokenUserId, Acts.READ, ScopesAdmin.USERS)))
+    throw new Error(INSUFFICIENT_PERMISSION);
+
+  return paginatedResult(
+    await prisma.users.findMany(queryParamsToSelect(queryParams)),
+    { take: queryParams.take }
+  );
 };
 
 export const getAllCouponsForUser = async (
   tokenUserId: number,
   queryParams: any
 ) => {
-  if (await can(tokenUserId, SudoScopes.READ, "sudo"))
-    return paginatedResult(
-      await prisma.couponCodes.findMany(queryParamsToSelect(queryParams)),
-      { take: queryParams.take }
-    );
-  throw new Error(INSUFFICIENT_PERMISSION);
+  if (!(await can(tokenUserId, Acts.READ, ScopesAdmin.COUPONS)))
+    throw new Error(INSUFFICIENT_PERMISSION);
+
+  return paginatedResult(
+    await prisma.couponCodes.findMany(queryParamsToSelect(queryParams)),
+    { take: queryParams.take }
+  );
 };
 
 export const getCouponForUser = async (
   tokenUserId: number,
   couponId: string
 ) => {
-  if (await can(tokenUserId, SudoScopes.READ, "sudo"))
-    return prisma.couponCodes.findOne({ where: { id: parseInt(couponId) } });
-  throw new Error(INSUFFICIENT_PERMISSION);
+  if (!(await can(tokenUserId, Acts.READ, ScopesAdmin.COUPONS)))
+    throw new Error(INSUFFICIENT_PERMISSION);
+
+  return prisma.couponCodes.findOne({ where: { id: parseInt(couponId) } });
 };
 
 export const updateCouponForUser = async (
   tokenUserId: number,
   couponId: string,
   data: couponCodesUpdateInput
 ) => {
-  if (await can(tokenUserId, SudoScopes.READ, "sudo"))
-    return prisma.couponCodes.update({
-      data,
-      where: { id: parseInt(couponId) },
-    });
-  throw new Error(INSUFFICIENT_PERMISSION);
+  if (!(await can(tokenUserId, Acts.WRITE, ScopesAdmin.COUPONS)))
+    throw new Error(INSUFFICIENT_PERMISSION);
+
+  return prisma.couponCodes.update({
+    data,
+    where: { id: parseInt(couponId) },
+  });
 };
 
 export const deleteCouponForUser = async (
   tokenUserId: number,
   couponId: string
 ) => {
-  if (await can(tokenUserId, SudoScopes.READ, "sudo"))
-    return prisma.couponCodes.delete({ where: { id: parseInt(couponId) } });
-  throw new Error(INSUFFICIENT_PERMISSION);
+  if (!(await can(tokenUserId, Acts.WRITE, ScopesAdmin.COUPONS)))
+    throw new Error(INSUFFICIENT_PERMISSION);
+
+  return prisma.couponCodes.delete({ where: { id: parseInt(couponId) } });
 };
 
 export const generateCouponForUser = async (tokenUserId: number, body: any) => {
-  if (!(await can(tokenUserId, SudoScopes.READ, "sudo")))
+  if (!(await can(tokenUserId, Acts.WRITE, ScopesAdmin.COUPONS)))
     throw new Error(INSUFFICIENT_PERMISSION);
+
   if (body.jwt)
     return couponCodeJwt(body.amount, body.currency, body.description);
   delete body.jwt;
@@ -100,8 +106,9 @@ export const getPaymentEventsForUser = async (
   tokenUserId: number,
   body: any
 ) => {
-  if (!(await can(tokenUserId, SudoScopes.READ, "sudo")))
+  if (!(await can(tokenUserId, Acts.READ, ScopesAdmin.PAYMENT_EVENTS)))
     throw new Error(INSUFFICIENT_PERMISSION);
+
   return getEvents(body);
 };
 
@@ -115,8 +122,9 @@ export const getServerLogsForUser = async (
     from?: string;
   }
 ) => {
-  if (!(await can(tokenUserId, SudoScopes.READ, "sudo")))
+  if (!(await can(tokenUserId, Acts.READ, ScopesAdmin.SERVER_LOGS)))
     throw new Error(INSUFFICIENT_PERMISSION);
+
   const range: string = query.range || "7d";
   const from = query.from ? parseInt(query.from) : 0;
   const result = await elasticSearch.search({

src/config.ts

@@ -2,6 +2,7 @@ import { config } from "dotenv";
 import {
   BaseScopesUser,
   BaseScopesGroup,
+  BaseScopesAdmin,
 } from "./_staart/helpers/authorization";
 config();
 
@@ -137,3 +138,4 @@ export const ELASTIC_INSTANCES_INDEX =
 
 export const ScopesUser = { ...BaseScopesUser };
 export const ScopesGroup = { ...BaseScopesGroup };
+export const ScopesAdmin = { ...BaseScopesAdmin };