/**
 * Role-Based Access Control (RBAC) System
 * Defines granular permissions for different roles
 */
// Define specific permissions
/**
 * Permission catalogue: permission identifier -> human-readable description.
 *
 * The keys are the strings that ROLES grants and that hasPermission compares
 * against with `includes`. The descriptions are display text only; nothing in
 * this file branches on them.
 *
 * NOTE(review): this object is exported as-is and never frozen, so any module
 * that receives it can add or overwrite entries at runtime. If no runtime
 * mutation is expected, Object.freeze would make that explicit — confirm with
 * the consumers of the export before changing.
 */
const PERMISSIONS = {
  // General tenant management
  'tenant.view': 'View tenant information',
  'tenant.edit': 'Edit basic tenant settings',

  // Branding permissions
  'branding.view': 'View branding settings',
  'branding.edit': 'Edit branding and appearance',

  // Security permissions
  'security.view': 'View security settings',
  'security.edit': 'Edit security settings and IP restrictions',

  // User management permissions
  'users.view': 'View user list',
  'users.create': 'Create new users',
  'users.edit': 'Edit user details',
  'users.delete': 'Delete or deactivate users',
  'users.manage_roles': 'Change user roles',

  // Authentication permissions
  'auth.view': 'View authentication settings',
  'auth.edit': 'Edit authentication provider settings',

  // Operational permissions
  'dashboard.view': 'View dashboard',
  'devices.view': 'View devices',
  // Declared but granted by no role in ROLES and not referenced by the
  // resource/action table in checkPermission; the finer-grained
  // devices.create/update/delete entries below are the ones actually used.
  'devices.manage': 'Add, edit, delete devices',
  'devices.create': 'Create new devices',
  'devices.update': 'Update existing devices',
  'devices.delete': 'Delete devices',
  'detections.view': 'View detections',
  'detections.create': 'Create detections',
  'alerts.view': 'View alerts',
  'alerts.manage': 'Manage alert configurations',
  // Granted only to 'admin' in ROLES.
  'debug.access': 'Access debug information'
};
// Role definitions with their permissions
/**
 * Role name -> list of granted permission identifiers (keys of PERMISSIONS).
 *
 * Keys are lowercase: hasPermission lowercases the incoming role before the
 * lookup, so 'Admin' and 'ADMIN' both resolve to 'admin'. A role that is not
 * listed here is denied every permission (fail closed).
 *
 * NOTE(review): like PERMISSIONS this table is exported unfrozen. Mutating one
 * of these arrays changes authorization for every request that follows, so
 * Object.freeze on the table and on each list would be a cheap hardening if
 * roles are not edited at runtime — confirm before changing.
 */
const ROLES = {
  // Full tenant administrator: the only role holding tenant.edit,
  // devices.delete and debug.access.
  'admin': [
    'tenant.view', 'tenant.edit',
    'branding.view', 'branding.edit',
    'security.view', 'security.edit',
    'users.view', 'users.create', 'users.edit', 'users.delete', 'users.manage_roles',
    'auth.view', 'auth.edit',
    'dashboard.view',
    'devices.view', 'devices.create', 'devices.update', 'devices.delete',
    'detections.view', 'detections.create',
    'alerts.view', 'alerts.manage',
    'debug.access'
  ],

  // User management specialist: full users.* set, read-only elsewhere.
  'user_admin': [
    'tenant.view',
    'users.view', 'users.create', 'users.edit', 'users.delete', 'users.manage_roles',
    'dashboard.view',
    'devices.view',
    'detections.view',
    'alerts.view'
  ],

  // Security specialist: edits security, auth and alert configuration;
  // read-only on users, devices and detections.
  'security_admin': [
    'tenant.view',
    'security.view', 'security.edit',
    'auth.view', 'auth.edit',
    'users.view',
    'dashboard.view',
    'devices.view',
    'detections.view',
    'alerts.view', 'alerts.manage'
  ],

  // Branding/marketing specialist: edits branding, read-only elsewhere.
  'branding_admin': [
    'tenant.view',
    'branding.view', 'branding.edit',
    'dashboard.view',
    'devices.view',
    'detections.view',
    'alerts.view'
  ],

  // Operations manager: creates/updates devices and detections and manages
  // alerts, but cannot delete devices.
  'operator': [
    'tenant.view',
    'dashboard.view',
    'devices.view', 'devices.create', 'devices.update',
    'detections.view', 'detections.create',
    'alerts.view', 'alerts.manage'
  ],

  // Read-only user.
  'viewer': [
    'dashboard.view',
    'devices.view',
    'detections.view',
    'alerts.view'
  ]
};
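/**
 * Check whether a role grants a specific permission.
 *
 * Role names are matched case-insensitively; permission strings are matched
 * exactly. Missing, empty or non-string roles and any role name that is not an
 * own key of ROLES are denied.
 *
 * @param {string} userRole - The user's role
 * @param {string} permission - The permission to check
 * @returns {boolean} - True if the role grants the permission
 */
const hasPermission = (userRole, permission) => {
  // Original only rejected falsy roles; a non-string truthy value would have
  // thrown on toLowerCase(). Deny instead of crashing the request.
  if (typeof userRole !== 'string' || userRole === '') {
    return false;
  }

  // Keys in ROLES are lowercase; callers may pass any casing.
  const normalizedRole = userRole.toLowerCase();

  // Own-property check: a plain `ROLES[name]` lookup walks the prototype chain,
  // so a role string such as 'constructor' resolves to an Object.prototype
  // member rather than a permission list and then throws on `.includes`.
  // Only declared roles may resolve; everything else is denied.
  if (!Object.prototype.hasOwnProperty.call(ROLES, normalizedRole)) {
    return false;
  }

  return ROLES[normalizedRole].includes(permission);
};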
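/**
 * Maps `${resource}.${action}` pairs (the legacy vocabulary used by
 * requirePermission) onto the permission identifiers declared in PERMISSIONS.
 * Built once at module load instead of on every request.
 *
 * NOTE(review): some rows resolve a mutating action to a read-only permission.
 * 'detections.update' and 'detections.delete' both map to 'detections.view',
 * which every role in ROLES holds — including 'viewer' — so a route guarded
 * with requirePermission('detections', 'delete') admits read-only users.
 * Confirm with the owners of the detections routes whether that is intended;
 * if not, those actions need permissions of their own.
 */
const RESOURCE_ACTION_PERMISSIONS = {
  // Device permissions
  'devices.create': 'devices.create',
  'devices.read': 'devices.view',
  'devices.update': 'devices.update',
  'devices.delete': 'devices.delete',

  // User permissions
  'users.create': 'users.create',
  'users.read': 'users.view',
  'users.update': 'users.edit',
  'users.delete': 'users.delete',

  // Tenant permissions (create/delete deliberately reuse tenant.edit; there is
  // no separate tenant.create / tenant.delete permission)
  'tenants.create': 'tenant.edit',
  'tenants.read': 'tenant.view',
  'tenants.update': 'tenant.edit',
  'tenants.delete': 'tenant.edit',

  // Role permissions (reading roles requires the manage permission)
  'roles.read': 'users.manage_roles',

  // Alert permissions
  'alerts.create': 'alerts.manage',
  'alerts.read': 'alerts.view',
  'alerts.update': 'alerts.manage',
  'alerts.delete': 'alerts.manage',

  // Detection permissions (see NOTE above on update/delete)
  'detections.create': 'detections.create',
  'detections.read': 'detections.view',
  'detections.update': 'detections.view',
  'detections.delete': 'detections.view',

  // Security permissions
  'ip_restrictions.read': 'security.view',
  'ip_restrictions.update': 'security.edit',
  'audit_logs.read': 'security.view',

  // Branding permissions
  'branding.update': 'branding.edit',
  'ui_customization.create': 'branding.edit',
  'logo.upload': 'branding.edit',

  // Dashboard permissions
  'dashboard.read': 'dashboard.view'
};

/**
 * Check permission using resource and action (for backwards compatibility).
 *
 * The pair is translated through RESOURCE_ACTION_PERMISSIONS and then handed
 * to hasPermission. A pair with no mapping is denied rather than resolved by
 * name, so adding a new resource requires adding a row to the table.
 *
 * @param {string} userRole - The user's role
 * @param {string} resource - The resource (e.g., 'devices', 'users')
 * @param {string} action - The action (e.g., 'create', 'read', 'update', 'delete')
 * @returns {boolean} - True if the role grants the mapped permission; false for
 *   any unmapped resource/action pair (fail closed)
 */
const checkPermission = (userRole, resource, action) => {
  const permissionKey = `${resource}.${action}`;

  // Own-property lookup so only declared pairs can resolve; the key always
  // contains a dot, but the explicit check keeps that guarantee from being
  // load-bearing.
  if (!Object.prototype.hasOwnProperty.call(RESOURCE_ACTION_PERMISSIONS, permissionKey)) {
    return false; // Unknown permission
  }

  return hasPermission(userRole, RESOURCE_ACTION_PERMISSIONS[permissionKey]);
};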
/**
 * Check whether a role grants at least one of the given permissions.
 *
 * Permissions are tested in list order and evaluation stops at the first
 * one that is granted. An empty list never matches.
 *
 * @param {string} userRole - The user's role
 * @param {Array<string>} permissions - Array of permissions to check
 * @returns {boolean} - True if the role grants at least one of them
 */
const hasAnyPermission = (userRole, permissions) => {
  const firstGranted = permissions.findIndex((candidate) => hasPermission(userRole, candidate));
  return firstGranted !== -1;
};
/**
 * Check whether a role grants every one of the given permissions.
 *
 * Evaluation stops at the first permission that is not granted. An empty
 * list is vacuously satisfied and returns true.
 *
 * @param {string} userRole - The user's role
 * @param {Array<string>} permissions - Array of permissions to check
 * @returns {boolean} - True if the role grants all of them
 */
const hasAllPermissions = (userRole, permissions) => {
  const anyDenied = permissions.some((candidate) => !hasPermission(userRole, candidate));
  return !anyDenied;
};
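/**
 * Get all permissions for a role.
 *
 * The role is resolved the same way hasPermission resolves it — lowercased,
 * and only own keys of ROLES count — so the two functions agree on which
 * roles exist. A fresh array is returned so callers cannot alter ROLES by
 * mutating the result.
 *
 * @param {string} userRole - The user's role
 * @returns {Array<string>} - Copy of the role's permission list, or [] for a
 *   missing, non-string or unknown role
 */
const getPermissions = (userRole) => {
  if (typeof userRole !== 'string' || userRole === '') {
    return [];
  }

  const normalizedRole = userRole.toLowerCase();

  // Own-property check keeps Object.prototype members ('constructor', ...)
  // from being handed back in place of a permission list.
  if (!Object.prototype.hasOwnProperty.call(ROLES, normalizedRole)) {
    return [];
  }

  return [...ROLES[normalizedRole]];
};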
/**
 * Get all available roles.
 *
 * Returns the role names in the order they are declared in ROLES.
 *
 * @returns {Array<string>} - Array of role names
 */
const getRoles = () => Object.entries(ROLES).map(([roleName]) => roleName);
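/**
 * Express middleware to check permissions based on resource and action.
 *
 * Responds 401 when no user is attached to the request, 403 when the user has
 * no role or the role does not grant the mapped permission (see
 * checkPermission), and otherwise calls next().
 *
 * @param {string} resource - The resource being accessed
 * @param {string} action - The action being performed
 * @returns {Function} - Express middleware function
 * @throws {TypeError} if resource or action is not a non-empty string; raised at
 *   route definition so a misconfigured guard fails at startup instead of
 *   silently answering 403 to every request
 */
const requirePermission = (resource, action) => {
  const isNonEmptyString = (value) => typeof value === 'string' && value !== '';
  if (!isNonEmptyString(resource) || !isNonEmptyString(action)) {
    throw new TypeError('requirePermission(resource, action) expects two non-empty strings');
  }

  const forbidden = (res) => res.status(403).json({
    success: false,
    message: 'Insufficient permissions'
  });

  return (req, res, next) => {
    // No principal at all: 401 so the client knows to authenticate.
    if (!req.user) {
      return res.status(401).json({
        success: false,
        message: 'User not authenticated'
      });
    }

    // Authenticated but no role assigned: treated as an authorization failure.
    // NOTE(review): requirePermissions and requireAnyPermission answer 401 for
    // the same condition; the three middlewares should agree on one status.
    if (!req.user.role) {
      return forbidden(res);
    }

    if (!checkPermission(req.user.role, resource, action)) {
      return forbidden(res);
    }

    next();
  };
};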
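/**
 * Express middleware to check that the user's role grants ALL of the given
 * permissions.
 *
 * Responds 401 when the request carries no user or no role, 403 when any
 * required permission is missing (delegates to hasAllPermissions), and
 * otherwise calls next(). An empty list is vacuously satisfied, so
 * requirePermissions([]) admits every authenticated user with a role.
 *
 * @param {Array<string>} requiredPermissions - Required permissions
 * @returns {Function} - Express middleware function
 * @throws {TypeError} if requiredPermissions is not an array; raised at route
 *   definition instead of as a 500 on the first request
 */
const requirePermissions = (requiredPermissions) => {
  if (!Array.isArray(requiredPermissions)) {
    throw new TypeError('requirePermissions expects an array of permission strings');
  }

  return (req, res, next) => {
    if (!req.user || !req.user.role) {
      return res.status(401).json({
        success: false,
        message: 'Authentication required'
      });
    }

    const userRole = req.user.role;

    if (!hasAllPermissions(userRole, requiredPermissions)) {
      // NOTE(review): echoing the required permissions and the caller's role in
      // the 403 body discloses the authorization layout to a client that was
      // just refused. Kept for compatibility with existing consumers; consider
      // logging these server-side and returning only the message.
      return res.status(403).json({
        success: false,
        message: 'Insufficient permissions',
        required_permissions: requiredPermissions,
        user_role: userRole
      });
    }

    next();
  };
};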
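/**
 * Express middleware to check that the user's role grants AT LEAST ONE of the
 * given permissions.
 *
 * Responds 401 when the request carries no user or no role, 403 when none of
 * the permissions is granted (delegates to hasAnyPermission), and otherwise
 * calls next(). An empty list can never be satisfied, so
 * requireAnyPermission([]) refuses every request with 403.
 *
 * @param {Array<string>} permissions - Array of permissions
 * @returns {Function} - Express middleware function
 * @throws {TypeError} if permissions is not an array; raised at route
 *   definition instead of as a 500 on the first request
 */
const requireAnyPermission = (permissions) => {
  if (!Array.isArray(permissions)) {
    throw new TypeError('requireAnyPermission expects an array of permission strings');
  }

  return (req, res, next) => {
    if (!req.user || !req.user.role) {
      return res.status(401).json({
        success: false,
        message: 'Authentication required'
      });
    }

    const userRole = req.user.role;

    if (!hasAnyPermission(userRole, permissions)) {
      // NOTE(review): as in requirePermissions, the 403 body reveals which
      // permissions the route wants and the caller's role. Kept for
      // compatibility; consider logging server-side and returning only the
      // message.
      return res.status(403).json({
        success: false,
        message: 'Insufficient permissions',
        required_permissions: permissions,
        user_role: userRole
      });
    }

    next();
  };
};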
// Public surface of the module. PERMISSIONS and ROLES are exported by
// reference (not copies), so consumers can see — and mutate — the live tables
// that hasPermission reads.
module.exports = {
  // Data tables
  PERMISSIONS,
  ROLES,
  // Pure checks (no request/response involved)
  hasPermission,
  checkPermission,
  hasAnyPermission,
  hasAllPermissions,
  getPermissions,
  getRoles,
  // Express middleware factories
  requirePermission,
  requirePermissions,
  requireAnyPermission
};