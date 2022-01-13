Description

The rbac module for Nest. Support NestJS 8 || 7

Installation

npm i --save nestjs-rbac

Quick Start

For using RBAC there is need to implement IStorageRbac

export interface IStorageRbac { roles: string []; permissions: object; grants: object; filters: { [key: string ]: any | IFilterPermission }; }

For instance:

export const RBAC: IStorageRbac = { roles: [ 'admin' , 'user' ], permissions: { permission1: [ 'create' , 'update' , 'delete' ], permission2: [ 'create' , 'update' , 'delete' ], permission3: [ 'filter1' , 'filter2' , RBAC_REQUEST_FILTER], permission4: [ 'create' , 'update' , 'delete' ], permission5: [ 'ASYNC_filter1' , 'ASYNC_filter2' , ASYNC_RBAC_REQUEST_FILTER], }, grants: { admin: [ '&user' , 'permission1' , 'permission3' , 'permission5' , ], user: [ '&userRoot' , 'permission2' , 'permission1@create' , 'permission3@filter1' , 'permission5@ASYNC_filter1' ], userRoot: [ 'permission4' ], }, filters: { filter1: TestFilterOne, filter2: TestFilterTwo, ASYNC_filter1: TestAsyncFilterOne, ASYNC_filter2: TestAsyncFilterTwo, [RBAC_REQUEST_FILTER]: RequestFilter, [ASYNC_RBAC_REQUEST_FILTER]: RequestAsyncFilter, }, };

Storage consists of the following keys:

roles : array of roles

permissions : objects of permissions which content actions

grants : objects of assigned permission to roles

filters : objects of customized behavior

prefix ASYNC_ use for async operations

Grant symbols

& : extends grant by another grant, for instance admin extends user (only support one level inheritance)

@ : a particular action from permission, for instance permission1@update

Using RBAC like an unchangeable storage

import { Module } from '@nestjs/common' ; import { RBAcModule } from 'nestjs-rbac' ; ({ imports: [ RBAcModule.forRoot(IStorageRbac), ], controllers: [] }) export class AppModule {}

Using RBAC like a dynamic storage

There is enough to implement IDynamicStorageRbac interface.

import { Module } from '@nestjs/common' ; import { RBAcModule } from 'nestjs-rbac' ; ({ imports: [ RBAcModule.forDynamic(DynamicStorageService), ], controllers: [] }) export class AppModule {} import { IDynamicStorageRbac, IStorageRbac } from 'nestjs-rbac' ; () export class DynamicStorageService implements IDynamicStorageRbac { constructor ( private readonly repository: AnyRepository ) { } async getRbac(): Promise <IStorageRbac> { return await this .repository.getRbac(); } }

Using for routers RBAcPermissions

import {RBAcPermissions, RBAcGuard} from 'nestjs-rbac' ; import {RBAcAsyncPermissions} from "./rbac.permissions.decorator" ; () export class RbacTestController { ( 'permission' , 'permission@create' ) ( GuardIsForAddingUserToRequestGuard, RBAcGuard, ) ( '/' ) async test1(): Promise < boolean > { return true ; } } () export class RbacAsyncTestController { ( 'permission1' ) ( AuthGuard, RBAcGuard, ) ( '/admin-permission1' ) async test1(): Promise < boolean > { return true ; } ( 'permission2' , 'permission1' ) ( AuthGuard, RBAcGuard, ) ( '/admin-permission1-and-permission2' ) async test2(): Promise < boolean > { return true ; } ( 'permission4' ) ( AuthGuard, RBAcGuard, ) ( '/admin-permission4' ) async test3(): Promise < boolean > { return true ; } ( `permission5@ ${ASYNC_RBAC_REQUEST_FILTER} ` ) ( AuthGuard, RBAcGuard, ) ( '/admin-request-filter' ) async test4(): Promise < boolean > { return true ; } ( `permission4` ) ( AuthGuard, RBAcGuard, ) ( '/user-extends-userRoot' ) async test5(): Promise < boolean > { return true ; } ( `permission1@create` ) ( AuthGuard, RBAcGuard, ) ( '/user-permission1@create' ) async test7(): Promise < boolean > { return true ; } ( `permission1@delete` ) ( AuthGuard, RBAcGuard, ) ( '/user-permission1@delete' ) async test8(): Promise < boolean > { return true ; } ( [ `permission1@delete` ], [ `permission1@create` ] ) ( AuthGuard, RBAcGuard, ) ( '/user-permission1@deleteOrCreate' ) async test9(): Promise < boolean > { return true ; } } export class RbacTestController { ( 'permission1' ) ( AuthGuard, RBAcGuard, ) ( '/admin-permission1' ) async test1(): Promise < boolean > { return true ; } ( 'permission2' , 'permission1' ) ( AuthGuard, RBAcGuard, ) ( '/admin-permission1-and-permission2' ) async test2(): Promise < boolean > { return true ; } ( 'permission4' ) ( AuthGuard, RBAcGuard, ) ( '/admin-permission4' ) async test3(): Promise < boolean > { return true ; } ( `permission3@ ${RBAC_REQUEST_FILTER} ` ) ( AuthGuard, RBAcGuard, ) ( '/admin-request-filter' ) async test4(): Promise < boolean > { return true ; } ( `permission4` ) ( AuthGuard, RBAcGuard, ) ( '/user-extends-userRoot' ) async test5(): Promise < boolean > { return true ; } ( `permission1@create` ) ( AuthGuard, RBAcGuard, ) ( '/user-permission1@create' ) async test7(): Promise < boolean > { return true ; } ( `permission1@delete` ) ( AuthGuard, RBAcGuard, ) ( '/user-permission1@delete' ) async test8(): Promise < boolean > { return true ; } ( [ `permission1@delete` ], [ `permission1@create` ] ) ( AuthGuard, RBAcGuard, ) ( '/user-permission1@deleteOrCreate' ) async test9(): Promise < boolean > { return true ; }

Variety of the decorators

@RBAcPermissions : obtain 'permission', 'permission@create'

@RBAcAnyPermissions : obtain ['permission'], ['permission@create']

@RBAcAsyncPermissions : obtain ['permission'], ['permission@create']

@RBAcAnyAsyncPermissions obtain ['permission'], ['permission@create'] and async filter

Async filter

For using async filter add ASYNC_

Using for a whole controller

It's applicable with the crud library, for example nestjsx/crud

import { RBAcPermissions, RBAcGuard } from 'nestjs-rbac' ; ({ model: { type : Company, }, }) ( 'permission2' ) ( AuthGuard, RBAcGuard, ) ( 'companies' ) export class CompaniesController implements CrudController<Company> { constructor ( public service: CompaniesService ) {} }

one more example

({ model: { type : Company, }, routes: { getManyBase: { interceptors : [], decorators: [RBAcPermissions( 'permission1' )], }, createOneBase: { interceptors : [], decorators: [RBAcPermissions( 'permission2' )], }, }, }) ( AuthGuard, RBAcGuard, ) ( 'companies' ) export class CompaniesController implements CrudController<Company> { constructor ( public service: CompaniesService ) { } }

Using like service

import { RbacService } from 'nestjs-rbac' ; () export class RbacTestController { constructor ( private readonly rbac: RbacService ){} ( '/' ) async test1(): Promise < boolean > { return await ( await this .rbac.getRole(role)).can( 'permission' , 'permission@create' ); return true ; } }

Using the custom filters

filter is a great opportunity of customising behaviour RBAC. For creating filter , there is need to implement IFilterPermission interface, which requires for implementing can method, and bind a key filter with filter implementation, like below:

export const RBAC: IStorageRbac = { roles: [ 'role' ], permissions: { permission1: [ 'filter1' , 'filter2' ], }, grants: { role: [ `permission1@filter1` `permission1@filter2` ], }, filters: { filter1: TestFilter, filter2: TestAsyncFilter, }, }; import { IFilterPermission } from 'nestjs-rbac' ; export class TestFilter implements IFilterPermission { can(params?: any []): boolean { return params[ 0 ]; } } import { IFilterPermission } from 'nestjs-rbac' ; () export class TestAsyncFilter implements IFilterPermission { constructor ( private readonly myService: MyService ) {} async canAsync(params?: any []): Promise < boolean > { const myResult = await this .myService.someAsyncOperation() return myResult; } }

⚠️ - A single filter can implement both can and canAsync . If you use the RBAcGuard, they will be evaluated with an AND condition.

ParamsFilter services for passing arguments into particular filter:

const filter = new ParamsFilter(); filter.setParam( 'filter1' , some payload); const res = await ( await rbacService.getRole( 'admin' , filter)).can( 'permission1@filter1' , );

Also RBAC has a default filter RBAC_REQUEST_FILTER which has request object as argument:

export class RequestFilter implements IFilterPermission { can(params?: any []): boolean { return params[ 0 ].headers[ 'test-header' ] === 'test' ; } } export const RBAC: IStorageRbac = { roles: [ 'role' ], permissions: { permission1: [ 'filter1' , 'filter2' , RBAC_REQUEST_FILTER], }, grants: { role: [ `permission1@ ${RBAC_REQUEST_FILTER} ` ], }, filters: { [RBAC_REQUEST_FILTER]: RequestFilter, }, }; ( `permission1@ ${RBAC_REQUEST_FILTER} ` ) ( AuthGuard, RBAcGuard, ) ( '/' ) async test4(): Promise < boolean > { return true ; }

Performance

By default, RBAC storage always parses grants for each request, in some cases, it can be a very expensive operation. The bigger RBAC storage, the more taking time for parsing. For saving performance RBAC has built-in a cache, based on node-cache

Using cache

import { RbacCache } from 'nestjs-rbac' ; ({ imports: [ RBAcModule.useCache(RbacCache, {KEY: 'RBAC' , TTL: 400 }).forDynamic(AsyncService), ], })

if you need to change a cache storage, there is enough to implement ICacheRBAC

ICacheRBAC

export interface ICacheRBAC { KEY: string ; TTL: number ; get (): object | null ; set (value: object): void ; del(): void ; }

Inject ICacheRBAC