feat(authorization): support dynamic model schema

Author: MatthewPattell

microservices/authorization/__tests__/services/fields-filter-test.ts

@@ -259,4 +259,121 @@ describe('services/fields-filter', () => {
       userId: input.userId,
     });
   });
+
+  it('should correctly filter field: dynamic schema', async () => {
+    const input1 = {
+      value: {
+        test1: {
+          user: 'name',
+          email: 'email',
+        },
+      },
+    };
+    const input2 = {
+      value: {
+        test2: {
+          response: {
+            test: true,
+            private: 'private',
+          },
+        },
+      },
+    };
+    const input1Model = modelRepository.create({
+      alias: 'aliasToInput1',
+      schema: {
+        test1: {
+          object: {
+            user: {
+              in: { users: FieldPolicy.allow },
+              out: { users: FieldPolicy.allow },
+            },
+            email: {
+              in: { admins: FieldPolicy.allow },
+              out: { admins: FieldPolicy.allow },
+            },
+          },
+        },
+      },
+    });
+    const input2Model = modelRepository.create({
+      alias: 'aliasToInput2',
+      schema: {
+        test2: {
+          object: {
+            response: {
+              object: {
+                test: {
+                  in: { users: FieldPolicy.deny },
+                  out: { users: FieldPolicy.allow },
+                },
+                private: {
+                  in: { admins: FieldPolicy.deny },
+                  out: { admins: FieldPolicy.allow },
+                },
+              },
+            },
+          },
+        },
+      },
+    });
+    const getModel = (modelAlias = 'input1') =>
+      modelRepository.create({
+        alias: 'alias',
+        schema: {
+          value: {
+            case: {
+              template: `<%= "${modelAlias}" %>`,
+            },
+            object: {
+              input1: 'aliasToInput1',
+              input2: 'aliasToInput2',
+            },
+          },
+        },
+      });
+
+    // resolve allow schema on first call (on second call return cached schema)
+    TypeormMock.entityManager.findOne.callsFake((...args) => {
+      const [, { alias }] = args;
+
+      if (alias === 'aliasToInput1') {
+        return input1Model;
+      } else if (alias === 'aliasToInput2') {
+        return input2Model;
+      }
+
+      return null;
+    });
+
+    const res1 = await service.filter(FilterType.OUT, getModel(), input1);
+    const res2 = await service.filter(FilterType.OUT, getModel('input2'), input2);
+    const res3 = await service.filter(FilterType.IN, getModel('input2'), input2);
+    const res4 = await service.filter(FilterType.IN, getModel(), input2); // mismatch input data and caseValue
+
+    expect(res1).to.deep.equal({
+      value: {
+        test1: {
+          user: 'name',
+        },
+      },
+    });
+    expect(res2).to.deep.equal({
+      value: {
+        test2: {
+          response: {
+            test: true,
+          },
+        },
+      },
+    });
+    expect(res3).to.deep.equal({
+      value: {
+        test2: {
+          response: {},
+        },
+      },
+    });
+    expect(res4).to.deep.equal({});
+  });
 });

microservices/authorization/src/entities/model.ts

@@ -24,6 +24,11 @@ export interface IModelSchema {
   [fieldName: string]:
     | string // related model alias
     | { object: IModelSchema; isCustom?: boolean }
+    | {
+        case: IFieldCondition;
+        object: { [key: string]: string | IModelSchema };
+        isCustom?: boolean;
+      }
     | {
         in?: IRolePermissions;
         out?: IRolePermissions;
@@ -58,6 +63,12 @@ class Model {
       { '*': 'allow' },
       { '*': 'deny' },
       { field1: 'aliasAnotherModel', field2: { object: { nestedField: 'aliasModel' } } }, // aliases
+      {
+        field1: {
+          case: 'case2', // dynamic choose scheme
+          cases: { case1: 'aliasModel', case2: 'modelAlias' },
+        },
+      }, // dynamic schema => { field1: 'modelAlias' }
       { simpleField: { in: { guests: 'deny', users: 'allow' }, out: { guest: 'allow' } } }, // standard fields
       {
         // standard field

microservices/authorization/src/services/fields-filter.ts

@@ -129,6 +129,15 @@ class FieldsFilter {
         const nestedSchema = await this.getSchemaByAlias(policy);
 
         newValue = await this.filterBySchema(nestedSchema, type, value);
+      } else if ('case' in policy) {
+        const caseValue = this.templateValue(policy.case.template, value);
+        const dynamicSchema = { [field]: policy.object[caseValue] } as IModelSchema;
+
+        newValue = (await this.filterBySchema(dynamicSchema, type, { [field]: value }))?.[field];
+
+        if (_.isEmpty(newValue)) {
+          newValue = undefined;
+        }
       } else if ('object' in policy) {
         // nested schema
         newValue = await this.filterBySchema(policy.object, type, value);
@@ -166,14 +175,7 @@ class FieldsFilter {
       }
 
       if (permission.template) {
-        const newValue = _.template(permission.template)({
-          value,
-          params: this.templateOptions,
-          current: {
-            userId: this.userId,
-            roles: this.userRoles,
-          },
-        });
+        const newValue = this.templateValue(permission.template, value);
 
         if (newValue === 'undefined') {
           return undefined;
@@ -187,6 +189,21 @@ class FieldsFilter {
     }
   }
 
+  /**
+   * Template value
+   * @private
+   */
+  private templateValue(template: string, value?: any): string {
+    return _.template(template)({
+      value,
+      params: this.templateOptions,
+      current: {
+        userId: this.userId,
+        roles: this.userRoles,
+      },
+    });
+  }
+
   /**
    * Filter fields in array
    * @private