feat(system-server): add system-server built-in roles & permissions;

packages/system-server/src/api/application.ts

@@ -0,0 +1,109 @@
+/*
+ * @Author: Maslow<wangfugen@126.com>
+ * @Date: 2021-08-28 22:00:45
+ * @LastEditTime: 2021-08-30 17:32:14
+ * @Description: Application APIs
+ */
+
+import { Constants } from "../constants"
+import { DatabaseAgent } from "../lib/db-agent"
+import * as assert from 'assert'
+import { MongoAccessor } from "less-api/dist"
+
+/**
+ * The application structure in db
+ */
+export interface ApplicationStruct {
+  _id?: string
+  name: string
+  created_by: string
+  app_secret: string
+  status: 'created' | 'starting' | 'running' | 'stopped'
+  config: {
+    db_name: string
+    db_uri: string
+    db_max_pool_size: number
+    server_secret_salt: string
+    file_system_driver?: string
+    file_system_enable_unauthorized_upload: string
+    file_system_http_cache_control?: string
+    log_level?: string
+    enable_cloud_function_log?: string
+  }
+  collaborators: {
+    uid: string
+    roles: string[]
+    created_at: number
+  }[]
+  created_at?: number
+  updated_at?: number
+}
+
+/**
+ * Get an application created by account_id
+ */
+export async function getApplicationById(appid: string) {
+  if (!appid) return null
+
+  const db = DatabaseAgent.sys_db
+  const ret = await db.collection(Constants.cn.applications)
+    .where({ _id: appid })
+    .getOne<ApplicationStruct>()
+
+  assert.ok(ret.ok, `getMyApplicationById() got error: ${appid}`)
+  return ret.data
+}
+
+/**
+ * Get application created by account_id
+ * @param account_id 
+ * @returns 
+ */
+export async function getMyApplications(account_id: string) {
+  assert.ok(account_id, 'empty account_id got')
+
+  const db = DatabaseAgent.sys_db
+  const ret = await db.collection(Constants.cn.applications)
+    .where({
+      'collaborators.uid': account_id
+    })
+    .get<ApplicationStruct>()
+
+  assert.ok(ret.ok, `getMyApplications() got error: ${account_id}`)
+  return ret.data
+}
+
+/**
+ * Get applications of account_id joined
+ * @param account_id 
+ * @returns 
+ */
+export async function getMyJoinedApplications(account_id: string) {
+  assert.ok(account_id, 'empty account_id got')
+
+  const db = DatabaseAgent.sys_db
+  const ret = await db.collection(Constants.cn.applications)
+    .where({ created_by: account_id })
+    .get<ApplicationStruct>()
+
+  assert.ok(ret.ok, `getMyApplications() got error: ${account_id}`)
+  return ret.data
+}
+
+
+/**
+ * Get application database connection & ORM instance
+ * @param app 
+ * @returns 
+ */
+export async function getApplicationDbAccessor(app: ApplicationStruct) {
+  const db_name = app.config.db_name
+  const db_uri = app.config.db_uri
+
+  assert.ok(db_name)
+  assert.ok(db_uri)
+  const accessor = new MongoAccessor(db_name, db_uri, { directConnection: true })
+  await accessor.init()
+
+  return accessor
+}

packages/system-server/src/constants/index.ts

@@ -0,0 +1,66 @@
+/*
+ * @Author: Maslow<wangfugen@126.com>
+ * @Date: 2021-07-30 10:30:29
+ * @LastEditTime: 2021-08-30 14:38:36
+ * @Description: 
+ */
+
+import { deepFreeze } from "../lib/utils/lang"
+import { permissions } from "./permissions"
+import { roles } from "./roles"
+
+const coll_prefix = 'devops_'
+
+/**
+ * Constants collection
+ */
+export const Constants = {
+  /**
+   *  collection name of cloud functions deployed to app db
+   */
+  function_collection: '__deployed__functions',
+
+  /**
+   * collection name of triggers deployed to app db
+   */
+  trigger_collection: '__deployed__triggers',
+
+  /**
+   * collection name of policies deployed to app db
+   */
+  policy_collection: '__deployed__policies',
+
+  /**
+   * prefix of sys db collection name
+   */
+  coll_prefix: coll_prefix,
+
+  /**
+   * sys db collection names
+   */
+  cn: {
+    accounts: coll_prefix + 'accounts',
+    permissions: coll_prefix + 'permissions',
+    roles: coll_prefix + 'roles',
+    policies: coll_prefix + 'policies',
+    functions: coll_prefix + 'functions',
+    function_history: coll_prefix + 'function_history',
+    triggers: coll_prefix + 'triggers',
+    deploy_targets: coll_prefix + 'deploy_targets',
+    deploy_requests: coll_prefix + 'deploy_requests',
+    password: coll_prefix + 'password',
+    applications: coll_prefix + 'applications',
+  },
+
+  /**
+   * built-in permissions
+   */
+  permissions: permissions,
+
+  /**
+   * built-in roles for applications
+   */
+  roles: roles
+}
+
+deepFreeze(Constants)

packages/system-server/src/constants/permissions.ts

@@ -0,0 +1,49 @@
+export const permissions = {
+  APPLICATION_ADD: { name: 'application.add', label: '创建应用' },
+  APPLICATION_READ: { name: 'application.read', label: '获取应用' },
+  APPLICATION_UPDATE: { name: 'application.update', label: '编辑应用' },
+  APPLICATION_REMOVE: { name: 'application.remove', label: '删除应用' },
+
+  POLICY_ADD: { name: 'policy.add', label: '创建访问策略' },
+  POLICY_READ: { name: 'policy.read', label: '获取访问策略' },
+  POLICY_UPDATE: { name: 'policy.update', label: '编辑访问策略' },
+  POLICY_REMOVE: { name: 'policy.remove', label: '删除访问策略' },
+
+  FUNCTION_ADD: { name: 'function.add', label: '创建云函数' },
+  FUNCTION_READ: { name: 'function.read', label: '获取云函数' },
+  FUNCTION_UPDATE: { name: 'function.update', label: '编辑云函数' },
+  FUNCTION_REMOVE: { name: 'function.remove', label: '删除云函数' },
+  FUNCTION_DEBUG: { name: 'function.debug', label: '调试云函数' },
+
+  TRIGGER_ADD: { name: 'trigger.add', label: '创建触发器' },
+  TRIGGER_READ: { name: 'trigger.read', label: '获取触发器' },
+  TRIGGER_UPDATE: { name: 'trigger.update', label: '编辑访触发器' },
+  TRIGGER_REMOVE: { name: 'trigger.remove', label: '删除触发器' },
+
+  DATABASE_MANAGE: { name: 'database.manage', label: '数据库数据管理' },
+
+  PUBLISH_POLICY: { name: 'publish.policy', label: '发布数据访问策略' },
+  PUBLISH_FUNCTION: { name: 'publish.function', label: '发布云函数' },
+  PUBLISH_TRIGGER: { name: 'publish.trigger', label: '发布触发器' },
+
+  DEPLOY_TARGET_READ: { name: 'deploy_target.read', label: '读取部署目标' },
+  DEPLOY_TARGET_UPDATE: { name: 'deploy_target.update', label: '编辑部署目标' },
+  DEPLOY_TARGET_ADD: { name: 'deploy_target.add', label: '添加部署目标' },
+  DEPLOY_TARGET_REMOVE: { name: 'deploy_target.remove', label: '删除部署目标' },
+
+  DEPLOY_REQUEST_READ: { name: 'deploy_request.read', label: '读取部署请求' },
+  DEPLOY_REQUEST_UPDATE: { name: 'deploy_request.update', label: '编辑部署请求' },
+  DEPLOY_REQUEST_ADD: { name: 'deploy_request.add', label: '添加部署请求' },
+  DEPLOY_REQUEST_REMOVE: { name: 'deploy_request.remove', label: '删除部署请求' },
+  DEPLOY_REQUEST_APPLY: { name: 'deploy_request.apply', label: '应用部署请求' },
+
+  DEPLOY_TOKEN_CREATE: { name: 'deploy.create_token', label: '创建部署令牌' },
+
+  FILE_READ: { name: 'file.read', label: '文件管理-读取文件列表' },
+  FILE_UPDATE: { name: 'file.update', label: '文件管理-更新文件' },
+  FILE_ADD: { name: 'file.add', label: '文件管理-创建文件' },
+  FILE_REMOVE: { name: 'file.remove', label: '文件管理-删除文件' },
+
+  FILE_BUCKET_ADD: { name: 'file.bucket.add', label: '文件管理-创建文件桶' },
+  FILE_BUCKET_REMOVE: { name: 'file.bucket.remove', label: '文件管理-删除文件桶' },
+}

packages/system-server/src/constants/roles.ts

@@ -0,0 +1,51 @@
+import { permissions as pns } from "./permissions"
+
+
+const developer = [
+  pns.POLICY_ADD, pns.POLICY_READ, pns.POLICY_REMOVE, pns.POLICY_UPDATE,
+  pns.PUBLISH_POLICY,
+  pns.FUNCTION_ADD, pns.FUNCTION_READ, pns.FUNCTION_REMOVE, pns.FUNCTION_UPDATE,
+  pns.FUNCTION_DEBUG, pns.PUBLISH_FUNCTION,
+  pns.TRIGGER_ADD, pns.TRIGGER_READ, pns.TRIGGER_REMOVE, pns.TRIGGER_UPDATE,
+  pns.PUBLISH_TRIGGER
+]
+
+const dba = [
+  pns.DATABASE_MANAGE,
+  pns.FILE_ADD, pns.FILE_READ, pns.FILE_REMOVE, pns.FILE_UPDATE,
+  pns.FILE_BUCKET_ADD, pns.FILE_BUCKET_REMOVE
+]
+
+const operator = [
+  pns.DEPLOY_REQUEST_ADD, pns.DEPLOY_REQUEST_READ, pns.DEPLOY_REQUEST_REMOVE,
+  pns.DEPLOY_REQUEST_UPDATE, pns.DEPLOY_REQUEST_APPLY,
+  pns.DEPLOY_TARGET_ADD, pns.DEPLOY_TARGET_READ, pns.DEPLOY_TARGET_REMOVE,
+  pns.DEPLOY_TARGET_UPDATE, pns.DEPLOY_TOKEN_CREATE
+]
+
+const owner = [
+  pns.APPLICATION_ADD, pns.APPLICATION_READ, pns.APPLICATION_REMOVE,
+  pns.APPLICATION_UPDATE,
+  ...developer,
+  ...dba,
+  ...operator
+]
+
+export const roles = {
+  developer: {
+    label: 'Application Developer',
+    permissions: developer
+  },
+  dba: {
+    label: 'Application Database Administrator',
+    permissions: dba
+  },
+  operator: {
+    label: 'Application Operator',
+    permissions: operator
+  },
+  owner: {
+    label: 'Application Owner',
+    permissions: owner
+  }
+}