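/**
 * Role-Based Access Control (RBAC) System
 * Defines granular permissions for different roles.
 *
 * Hardening notes:
 * - Every table lookup keyed by caller-supplied input (role names, resource /
 *   action pairs) goes through an own-property check, so inherited keys such
 *   as 'constructor', '__proto__' or 'toString' are treated as unknown instead
 *   of resolving to Object.prototype members (which previously made
 *   hasPermission throw and getPermissions return a function).
 * - Role and permission tables are frozen so application code cannot mutate
 *   the policy at runtime (e.g. by pushing onto the array getPermissions
 *   returns).
 * - Unknown roles, unknown permissions and malformed (non-string, non-array)
 *   input fail closed: the check returns false rather than throwing.
 */
'use strict';

// Own-property lookup that ignores inherited (prototype) keys.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Define specific permissions (name -> human readable description)
const PERMISSIONS = Object.freeze({
  // General tenant management
  'tenant.view': 'View tenant information',
  'tenant.edit': 'Edit basic tenant settings',
  // Branding permissions
  'branding.view': 'View branding settings',
  'branding.edit': 'Edit branding and appearance',
  // Security permissions
  'security.view': 'View security settings',
  'security.edit': 'Edit security settings and IP restrictions',
  // User management permissions
  'users.view': 'View user list',
  'users.create': 'Create new users',
  'users.edit': 'Edit user details',
  'users.delete': 'Delete or deactivate users',
  'users.manage_roles': 'Change user roles',
  // Authentication permissions
  'auth.view': 'View authentication settings',
  'auth.edit': 'Edit authentication provider settings',
  // Operational permissions
  'dashboard.view': 'View dashboard',
  'devices.view': 'View devices',
  'devices.manage': 'Add, edit, delete devices',
  'detections.view': 'View detections',
  'alerts.view': 'View alerts',
  'alerts.manage': 'Manage alert configurations',
  'debug.access': 'Access debug information',
});

// Role definitions with their permissions (role name -> permission names)
const ROLES = Object.freeze({
  // Full tenant administrator
  admin: Object.freeze([
    'tenant.view',
    'tenant.edit',
    'branding.view',
    'branding.edit',
    'security.view',
    'security.edit',
    'users.view',
    'users.create',
    'users.edit',
    'users.delete',
    'users.manage_roles',
    'auth.view',
    'auth.edit',
    'dashboard.view',
    'devices.view',
    'devices.manage',
    'detections.view',
    'alerts.view',
    'alerts.manage',
    'debug.access',
  ]),
  // User management specialist
  user_admin: Object.freeze([
    'tenant.view',
    'users.view',
    'users.create',
    'users.edit',
    'users.delete',
    'users.manage_roles',
    'dashboard.view',
    'devices.view',
    'detections.view',
    'alerts.view',
  ]),
  // Security specialist
  security_admin: Object.freeze([
    'tenant.view',
    'security.view',
    'security.edit',
    'auth.view',
    'auth.edit',
    'users.view',
    'dashboard.view',
    'devices.view',
    'detections.view',
    'alerts.view',
  ]),
  // Branding/marketing specialist
  branding_admin: Object.freeze([
    'tenant.view',
    'branding.view',
    'branding.edit',
    'dashboard.view',
    'devices.view',
    'detections.view',
    'alerts.view',
  ]),
  // Operations manager
  operator: Object.freeze([
    'tenant.view',
    'dashboard.view',
    'devices.view',
    'devices.manage',
    'detections.view',
    'alerts.view',
    'alerts.manage',
  ]),
  // Read-only user
  viewer: Object.freeze([
    'dashboard.view',
    'devices.view',
    'detections.view',
    'alerts.view',
  ]),
});

// Fail fast at load time if a role references a permission that is not
// declared in PERMISSIONS: a typo in the tables above would otherwise be
// invisible and silently deny (or, after a later edit, grant) access.
Object.keys(ROLES).forEach((role) => {
  ROLES[role].forEach((permission) => {
    if (!hasOwn(PERMISSIONS, permission)) {
      throw new Error(`Role '${role}' references unknown permission '${permission}'`);
    }
  });
});

/**
 * Map of legacy `resource.action` keys to permission names, used by
 * checkPermission. Hoisted to module scope so it is built once rather than
 * on every call.
 *
 * NOTE(review): the detections create/update/delete actions all map to the
 * read-only 'detections.view' permission, so every role that can see
 * detections (including 'viewer') passes checkPermission(role, 'detections',
 * 'delete'). Confirm this is intended before relying on it for write routes.
 */
const PERMISSION_MAPPINGS = Object.freeze({
  // Device permissions
  'devices.create': 'devices.manage',
  'devices.read': 'devices.view',
  'devices.update': 'devices.manage',
  'devices.delete': 'devices.manage',
  // User permissions
  'users.create': 'users.create',
  'users.read': 'users.view',
  'users.update': 'users.edit',
  'users.delete': 'users.delete',
  // Tenant permissions
  'tenants.create': 'tenant.edit',
  'tenants.read': 'tenant.view',
  'tenants.update': 'tenant.edit',
  'tenants.delete': 'tenant.edit',
  // Role permissions
  'roles.read': 'users.manage_roles',
  // Alert permissions
  'alerts.create': 'alerts.manage',
  'alerts.read': 'alerts.view',
  'alerts.update': 'alerts.manage',
  'alerts.delete': 'alerts.manage',
  // Detection permissions
  'detections.create': 'detections.view',
  'detections.read': 'detections.view',
  'detections.update': 'detections.view',
  'detections.delete': 'detections.view',
  // Security permissions
  'ip_restrictions.update': 'security.edit',
  'audit_logs.read': 'security.view',
  // Branding permissions
  'branding.update': 'branding.edit',
  'ui_customization.create': 'branding.edit',
  'logo.upload': 'branding.edit',
  // Dashboard permissions
  'dashboard.read': 'dashboard.view',
});

/**
 * Check if a user has a specific permission.
 *
 * Fails closed: an unknown or non-string role (including prototype keys such
 * as 'constructor', or an array such as ['admin'] coming from a query string)
 * and a non-string permission both yield false.
 *
 * @param {string} userRole - The user's role
 * @param {string} permission - The permission to check
 * @returns {boolean} - True if user has permission
 */
const hasPermission = (userRole, permission) => {
  if (typeof userRole !== 'string' || typeof permission !== 'string') {
    return false;
  }
  if (!hasOwn(ROLES, userRole)) {
    return false;
  }
  return ROLES[userRole].includes(permission);
};

/**
 * Check permission using resource and action (for backwards compatibility).
 *
 * Unknown resource/action pairs are denied. Only pairs listed in
 * PERMISSION_MAPPINGS are ever consulted, so a caller cannot reach an
 * arbitrary permission name through this entry point.
 *
 * @param {string} userRole - The user's role
 * @param {string} resource - The resource (e.g., 'devices', 'users')
 * @param {string} action - The action (e.g., 'create', 'read', 'update', 'delete')
 * @returns {boolean} - True if user has permission
 */
const checkPermission = (userRole, resource, action) => {
  if (typeof resource !== 'string' || typeof action !== 'string') {
    return false;
  }
  const permissionKey = `${resource}.${action}`;
  if (!hasOwn(PERMISSION_MAPPINGS, permissionKey)) {
    return false; // Unknown permission
  }
  return hasPermission(userRole, PERMISSION_MAPPINGS[permissionKey]);
};

/**
 * Check if a user has any of the specified permissions.
 *
 * A non-array `permissions` argument and an empty list both yield false.
 *
 * @param {string} userRole - The user's role
 * @param {Array} permissions - Array of permissions to check
 * @returns {boolean} - True if user has at least one permission
 */
const hasAnyPermission = (userRole, permissions) => {
  if (!Array.isArray(permissions)) {
    return false;
  }
  return permissions.some((permission) => hasPermission(userRole, permission));
};

/**
 * Check if a user has all of the specified permissions.
 *
 * A non-array `permissions` argument yields false. An EMPTY list is
 * vacuously satisfied and yields true for any role, including unknown ones;
 * callers that build the list dynamically should not treat "nothing required"
 * as a deny.
 *
 * @param {string} userRole - The user's role
 * @param {Array} permissions - Array of permissions to check
 * @returns {boolean} - True if user has all permissions
 */
const hasAllPermissions = (userRole, permissions) => {
  if (!Array.isArray(permissions)) {
    return false;
  }
  return permissions.every((permission) => hasPermission(userRole, permission));
};

/**
 * Get all permissions for a role.
 *
 * Returns the frozen permission list for a known role, or an empty array for
 * an unknown / non-string role (prototype keys are treated as unknown).
 *
 * @param {string} userRole - The user's role
 * @returns {Array} - Array of permissions (read-only)
 */
const getPermissions = (userRole) => {
  if (typeof userRole !== 'string' || !hasOwn(ROLES, userRole)) {
    return [];
  }
  return ROLES[userRole];
};

/**
 * Get all available roles.
 * @returns {Array} - Array of role names, in declaration order
 */
const getRoles = () => Object.keys(ROLES);

/**
 * Build an Express middleware that authorises `req.user.role` against a list
 * of permissions using the given decision function.
 *
 * Responds 401 when no authenticated user/role is present and 403 when the
 * decision function denies. The 403 body echoes the required permission names
 * and the caller's own role; it discloses nothing beyond the policy that
 * applies to the requester.
 *
 * @param {Array} permissions - Permission names the route requires
 * @param {Function} isAuthorized - (userRole, permissions) => boolean
 * @param {string} factoryName - Name used in the misconfiguration error
 * @returns {Function} - Express middleware function
 * @throws {TypeError} at construction time if `permissions` is not an array,
 *   so a misconfigured route fails at startup rather than on every request
 */
const createPermissionMiddleware = (permissions, isAuthorized, factoryName) => {
  if (!Array.isArray(permissions)) {
    throw new TypeError(`${factoryName} expects an array of permission names`);
  }
  return (req, res, next) => {
    if (!req.user || !req.user.role) {
      return res.status(401).json({ success: false, message: 'Authentication required' });
    }
    const userRole = req.user.role;
    if (!isAuthorized(userRole, permissions)) {
      return res.status(403).json({
        success: false,
        message: 'Insufficient permissions',
        required_permissions: permissions,
        user_role: userRole,
      });
    }
    return next();
  };
};

/**
 * Express middleware to check permissions (all must be held).
 *
 * An empty `requiredPermissions` list admits every authenticated user (see
 * hasAllPermissions).
 *
 * @param {Array} requiredPermissions - Required permissions
 * @returns {Function} - Express middleware function
 * @throws {TypeError} if `requiredPermissions` is not an array
 */
const requirePermissions = (requiredPermissions) =>
  createPermissionMiddleware(requiredPermissions, hasAllPermissions, 'requirePermissions');

/**
 * Express middleware to check if user has any of the specified permissions.
 *
 * An empty `permissions` list denies every request (see hasAnyPermission).
 *
 * @param {Array} permissions - Array of permissions
 * @returns {Function} - Express middleware function
 * @throws {TypeError} if `permissions` is not an array
 */
const requireAnyPermission = (permissions) =>
  createPermissionMiddleware(permissions, hasAnyPermission, 'requireAnyPermission');

const rbac = {
  PERMISSIONS,
  ROLES,
  hasPermission,
  checkPermission,
  hasAnyPermission,
  hasAllPermissions,
  getPermissions,
  getRoles,
  requirePermissions,
  requireAnyPermission,
};

// CommonJS export; guarded so the file can also be loaded where `module` is
// not defined (ES module / bundler contexts) without a ReferenceError.
if (typeof module !== 'undefined' && module.exports) {
  module.exports = rbac;
}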