Merge pull request #102 from hypersign-protocol/implemented/permission-policy

storing user access list based on default and user permission

Author: Vishwas1

src/app-auth/dtos/create-app.dto.ts

@@ -19,6 +19,7 @@ import {
   SERVICE_TYPES,
   APP_ENVIRONMENT,
 } from 'src/supported-service/services/iServiceList';
+import { IsUrlOrBase64Image } from 'src/utils/customDecorator/IsUrlOrBase64Image.decorator';
 
 export class CreateAppDto {
   @ApiProperty({
@@ -60,7 +61,7 @@ export class CreateAppDto {
   })
   @IsOptional()
   @IsString()
-  @IsUrlEmpty()
+  @IsUrlOrBase64Image()
   logoUrl?: string;
   @ApiProperty({
     description: 'services',

src/app-auth/services/app-auth.service.ts

@@ -34,7 +34,7 @@ import { WebPageConfigRepository } from 'src/webpage-config/repositories/webpage
 import { InjectModel } from '@nestjs/mongoose';
 import { CustomerOnboarding } from 'src/customer-onboarding/schemas/customer-onboarding.schema';
 import { Model } from 'mongoose';
-import { getAccessListForModule } from 'src/utils/utils';
+import { evaluateAccessPolicy, getAccessListForModule } from 'src/utils/utils';
 import { TokenModule } from 'src/config/access-matrix';
 import { redisClient } from 'src/utils/redis.provider';
 import {
@@ -68,7 +68,7 @@ export class AppAuthService {
     @InjectModel(CustomerOnboarding.name)
     private readonly onboardModel: Model<CustomerOnboarding>,
     private readonly webpageConfigRepo: WebPageConfigRepository,
-  ) { }
+  ) {}
 
   async createAnApp(
     createAppDto: CreateAppDto,
@@ -752,10 +752,15 @@ export class AppAuthService {
     switch (serviceType) {
       case SERVICE_TYPES.SSI_API: {
         grant_type = GRANT_TYPES.access_service_ssi;
-        accessList = getAccessListForModule(
+        const defaultAccessList = getAccessListForModule(
           TokenModule.APP_AUTH,
           SERVICE_TYPES.SSI_API,
         );
+        accessList = evaluateAccessPolicy(
+          defaultAccessList,
+          SERVICE_TYPES.SSI_API,
+          [],
+        );
         break;
       }
       case SERVICE_TYPES.CAVACH_API: {
@@ -769,18 +774,28 @@ export class AppAuthService {
           ]);
         }
         grant_type = grantType || GRANT_TYPES.access_service_kyc;
-        accessList = getAccessListForModule(
+        const defaultAccessList = getAccessListForModule(
           TokenModule.APP_AUTH,
           SERVICE_TYPES.CAVACH_API,
         );
+        accessList = evaluateAccessPolicy(
+          defaultAccessList,
+          SERVICE_TYPES.CAVACH_API,
+          [],
+        );
         break;
       }
       case SERVICE_TYPES.QUEST: {
         grant_type = GRANT_TYPES.access_service_quest;
-        accessList = getAccessListForModule(
+        const defaultAccessList = getAccessListForModule(
           TokenModule.APP_AUTH,
           SERVICE_TYPES.QUEST,
         );
+        accessList = evaluateAccessPolicy(
+          defaultAccessList,
+          SERVICE_TYPES.QUEST,
+          [],
+        );
         break;
       }
       default: {
@@ -865,8 +880,13 @@ export class AppAuthService {
     grantType: string,
     appId: string,
     user,
+    session?,
   ): Promise<{ access_token; expiresIn; tokenType }> {
-    const sessionId = `${appId}_${Context.idDashboard}`;
+    const context = Context.idDashboard;
+    let sessionId = `${appId}_${context}_${session.userId}`;
+    if (session && session.tenantId) {
+      sessionId = `${sessionId}_tenant`;
+    }
     const savedSession = await redisClient.get(sessionId);
     switch (grantType) {
       case GRANT_TYPES.access_service_ssi:
@@ -924,10 +944,16 @@ export class AppAuthService {
             'Invalid grant type for this service ' + appId,
           ]);
         }
-        accessList = getAccessListForModule(
+        const defaultAccessList = getAccessListForModule(
           TokenModule.DASHBOARD,
           SERVICE_TYPES.SSI_API,
         );
+        accessList = evaluateAccessPolicy(
+          defaultAccessList,
+          SERVICE_TYPES.SSI_API,
+          user.accessList,
+          context,
+        );
         break;
       }
       case SERVICE_TYPES.CAVACH_API: {
@@ -939,10 +965,16 @@ export class AppAuthService {
             'Invalid grant type for this service ' + appId,
           ]);
         }
-        accessList = getAccessListForModule(
+        const defaultAccessList = getAccessListForModule(
           TokenModule.DASHBOARD,
           SERVICE_TYPES.CAVACH_API,
         );
+        accessList = evaluateAccessPolicy(
+          defaultAccessList,
+          SERVICE_TYPES.CAVACH_API,
+          user.accessList,
+          context,
+        );
         break;
       }
       case SERVICE_TYPES.QUEST: {
@@ -951,10 +983,16 @@ export class AppAuthService {
             'Invalid grant type for this service ' + appId,
           ]);
         }
-        accessList = getAccessListForModule(
+        const defaultAccessList = getAccessListForModule(
           TokenModule.DASHBOARD,
           SERVICE_TYPES.QUEST,
         );
+        accessList = evaluateAccessPolicy(
+          defaultAccessList,
+          SERVICE_TYPES.QUEST,
+          user.accessList,
+          context,
+        );
         break;
       }
       default: {

src/app-oauth/app-oauth.controller.ts

@@ -134,9 +134,15 @@ export class AppOauthController {
     @Req() request,
   ): Promise<{ access_token; expiresIn; tokenType }> {
     const { user } = request;
+    const { session } = request;
     //
     Logger.log('reGenerateAppSecretKey() method: starts', 'AppOAuthController');
 
-    return this.appAuthService.grantPermission(grantType, serviceId, user);
+    return this.appAuthService.grantPermission(
+      grantType,
+      serviceId,
+      user,
+      session,
+    );
   }
 }

src/config/access-matrix.ts

@@ -3,6 +3,8 @@ export enum TokenModule {
   DASHBOARD = 'DASHBOARD',
   VERIFIER = 'VERIFIER',
   APP_AUTH = 'APP_AUTH',
+  SUPER_ADMIN = 'SUPER_ADMIN',
+  ID_SERVICE = 'ID_SERVICE',
 }
 export const KYC_ACCESS_MATRIX = {
   [TokenModule.DASHBOARD]: [
@@ -38,12 +40,33 @@ export const KYC_ACCESS_MATRIX = {
     SERVICES.CAVACH_API.ACCESS_TYPES.READ_WIDGET_CONFIG,
     SERVICES.CAVACH_API.ACCESS_TYPES.READ_USER_CONSENT,
   ],
+  [TokenModule.SUPER_ADMIN]: [SERVICES.SSI_API.ACCESS_TYPES.WRITE_CREDIT],
 };
 export const SSI_ACCESS_MATRIX = {
-  // will modify its access later. Assigning ALL for the time being
-  [TokenModule.DASHBOARD]: [SERVICES.SSI_API.ACCESS_TYPES.ALL],
-  [TokenModule.VERIFIER]: [SERVICES.SSI_API.ACCESS_TYPES.ALL],
-  [TokenModule.APP_AUTH]: [SERVICES.SSI_API.ACCESS_TYPES.ALL],
+  [TokenModule.DASHBOARD]: [
+    SERVICES.SSI_API.ACCESS_TYPES.READ_DID,
+    SERVICES.SSI_API.ACCESS_TYPES.WRITE_DID,
+    SERVICES.SSI_API.ACCESS_TYPES.WRITE_CREDIT,
+    SERVICES.SSI_API.ACCESS_TYPES.READ_CREDIT,
+    SERVICES.SSI_API.ACCESS_TYPES.WRITE_SCHEMA,
+    SERVICES.SSI_API.ACCESS_TYPES.READ_SCHEMA,
+    SERVICES.SSI_API.ACCESS_TYPES.CHECK_LIVE_STATUS,
+    SERVICES.SSI_API.ACCESS_TYPES.READ_TX,
+    SERVICES.SSI_API.ACCESS_TYPES.READ_CREDENTIAL,
+    SERVICES.SSI_API.ACCESS_TYPES.VERIFY_CREDENTIAL,
+    SERVICES.SSI_API.ACCESS_TYPES.WRITE_CREDENTIAL,
+    SERVICES.SSI_API.ACCESS_TYPES.READ_USAGE,
+    SERVICES.SSI_API.ACCESS_TYPES.WRITE_PRESENTATION,
+    SERVICES.SSI_API.ACCESS_TYPES.VERIFY_PRESENTATION,
+  ],
+  [TokenModule.VERIFIER]: [SERVICES.SSI_API.ACCESS_TYPES.READ_DID],
+  [TokenModule.APP_AUTH]: [],
+  [TokenModule.ID_SERVICE]: [
+    SERVICES.SSI_API.ACCESS_TYPES.READ_TX,
+    SERVICES.SSI_API.ACCESS_TYPES.WRITE_CREDENTIAL,
+    SERVICES.SSI_API.ACCESS_TYPES.VERIFY_PRESENTATION,
+  ],
+  [TokenModule.SUPER_ADMIN]: [SERVICES.SSI_API.ACCESS_TYPES.WRITE_CREDIT],
 };
 export const QUEST_ACCESS_MATRIX = {
   [TokenModule.DASHBOARD]: [],

src/customer-onboarding/constants/enum.ts

@@ -133,7 +133,7 @@ export enum OnboardingStep {
   CREATE_DID = 'CREATE_DID',
   REGISTER_DID = 'REGISTER_DID',
   CREATE_KYC_SERVICE = 'CREATE_KYC_SERVICE',
-  GIVE_KYC_DASHBOARD_ACCESS = 'GIVE_KYC_DASHBOARD_ACCESS',
+  GIVE_DASHBOARD_ACCESS = 'GIVE_DASHBOARD_ACCESS',
   CREDIT_KYC_SERVICE = 'CREDIT_KYC_SERVICE',
   SETUP_KYC_WIDGET = 'SETUP_KYC_WIDGET',
   CONFIGURE_KYC_VERIFIER_PAGE = 'CONFIGURE_KYC_VERIFIER_PAGE',