Add getRolePermissions

Change-type: minor
balena-io · Feb 13, 2024 · 7e6b462 · 7e6b462
1 parent 8ec2162
commit 7e6b462
Show file tree

Hide file tree

Showing 3 changed files with 94 additions and 0 deletions.
diff --git a/docs/CustomServerCode.md b/docs/CustomServerCode.md
@@ -62,6 +62,9 @@ This returns a promise that resolves to the user permissions for the given userI
 #### getApiKeyPermissions(apiKey)
 This returns a promise that resolves to the api key permissions for the given apiKey
 
+#### getRolePermissions(roleName, userId)
+This returns a promise that resolves to the roleName permissions if the user given by userId has this role
+
 #### apiKeyMiddleware(req, res, next)
 This is a default `customApiKeyMiddleware`, which is useful to avoid having to create your own default one.
 

diff --git a/src/config-loader/env.ts b/src/config-loader/env.ts
@@ -47,6 +47,7 @@ export const cache = {
 	userPermissions: false as CacheOpts,
 	apiKeyPermissions: false as CacheOpts,
 	apiKeyActorId: false as CacheOpts,
+	rolePermissions: false as CacheOpts,
 };
 
 import { boolVar } from '@balena/env-parsing';

diff --git a/src/sbvr-api/permissions.ts b/src/sbvr-api/permissions.ts
@@ -1273,6 +1273,96 @@ export const getUserPermissions = async (
 	}
 };
 
+export const getRolePermissions = async (
+	roleName: string,
+	userId: number,
+	tx?: Tx,
+): Promise<string[]> => {
+	try {
+		return await $getRolePermissions(roleName, userId, tx);
+	} catch (err: unknown) {
+		sbvrUtils.api.Auth.logger.error('Error loading role permissions', err);
+		throw err;
+	}
+};
+
+const $getRolePermissions = (() => {
+	const getRolePermissionsQuery = _.once(() =>
+		sbvrUtils.api.Auth.prepare<{ roleName: string; userId: number }>({
+			resource: 'permission',
+			passthrough: {
+				req: rootRead,
+			},
+			options: {
+				$select: 'name',
+				$filter: {
+					is_of__role: {
+						$any: {
+							$alias: 'rhp',
+							$expr: {
+								rhp: {
+									role: {
+										$any: {
+											$alias: 'r',
+											$expr: {
+												r: {
+													name: { '@': 'roleName' },
+													is_of__user: {
+														$any: {
+															$alias: 'uhr',
+															$expr: {
+																uhr: { user: { '@': 'userId' } },
+																$or: [
+																	{
+																		uhr: { expiry_date: null },
+																	},
+																	{
+																		uhr: {
+																			expiry_date: { $gt: { $now: null } },
+																		},
+																	},
+																],
+															},
+														},
+													},
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+				// We orderby to increase the hit rate for the `_checkPermissions` memoisation
+				$orderby: {
+					name: 'asc',
+				},
+			},
+		}),
+	);
+
+	return env.createCache(
+		'rolePermissions',
+		async (roleName: string, userId: number, tx?: Tx) => {
+			const permissions = (await getRolePermissionsQuery()(
+				{
+					roleName,
+					userId,
+				},
+				undefined,
+				{ tx },
+			)) as Array<{ name: string }>;
+			return permissions.map((permission) => permission.name);
+		},
+		{
+			primitive: true,
+			promise: true,
+			normalizer: ([roleName, userId]) => `${roleName}${userId}`,
+		},
+	);
+})();
+
 const $getApiKeyPermissions = (() => {
 	const getApiKeyPermissionsQuery = _.once(() =>
 		sbvrUtils.api.Auth.prepare<{ apiKey: string }>({