acikyazilimagi · CllDMR · Feb 17, 2023 · Feb 17, 2023 · Feb 18, 2023
diff --git a/.gitattributes b/.gitattributes
@@ -0,0 +1 @@
+text eol=lf
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -21,6 +21,7 @@
     "prepare": "husky install"
   },
   "dependencies": {
+    "@casl/ability": "^6.3.3",
     "@nestjs/axios": "^2.0.0",
     "@nestjs/common": "^9.3.7",
     "@nestjs/config": "^2.3.1",

diff --git a/src/common/casl/abilities.ts b/src/common/casl/abilities.ts
@@ -0,0 +1,35 @@
+import {
+  CreateAbility,
+  createMongoAbility,
+  ForcedSubject,
+  MongoAbility,
+} from '@casl/ability';
+
+export enum Action {
+  Manage = 'manage',
+  Create = 'create',
+  Read = 'read',
+  Update = 'update',
+  Delete = 'delete',
+}
+
+const actions = [
+  Action.Manage,
+  Action.Create,
+  Action.Delete,
+  Action.Read,
+  Action.Update,
+] as const;
+
+const subjects = ['User', 'all'] as const;
+
+type PossibleAbilities = [
+  (typeof actions)[number],
+  (
+    | (typeof subjects)[number]
+    | ForcedSubject<Exclude<(typeof subjects)[number], 'all'>>
+  )
+];
+
+export type AppAbility = MongoAbility<PossibleAbilities>;
+export const createAppAbility = createMongoAbility as CreateAbility<AppAbility>;
diff --git a/src/common/casl/api-main-casl.module.ts b/src/common/casl/api-main-casl.module.ts
@@ -0,0 +1,8 @@
+import { Module } from '@nestjs/common';
+import { CaslAbilityFactory } from './casl-ability.factory';
+
+@Module({
+  providers: [CaslAbilityFactory],
+  exports: [CaslAbilityFactory],
+})
+export class SharedCaslModule {}
diff --git a/src/common/casl/casl-ability.factory.spec.ts b/src/common/casl/casl-ability.factory.spec.ts
@@ -0,0 +1,7 @@
+import { CaslAbilityFactory } from './casl-ability.factory';
+
+describe('CaslAbilityFactory', () => {
+  it('should be defined', () => {
+    expect(new CaslAbilityFactory()).toBeDefined();
+  });
+});
diff --git a/src/common/casl/casl-ability.factory.ts b/src/common/casl/casl-ability.factory.ts
@@ -0,0 +1,20 @@
+import { AbilityBuilder } from '@casl/ability';
+import { Injectable } from '@nestjs/common';
+import { Action, AppAbility, createAppAbility } from './abilities';
+
+type RequestMetaData = {
+  params: {
+    userId: number;
+  };
+};
+
+@Injectable()
+export class CaslAbilityFactory {
+  createForUser(_user: any, _jwyPayload: any, _metaData: RequestMetaData) {
+    const { can, build } = new AbilityBuilder<AppAbility>(createAppAbility);
+
+    can(Action.Manage, 'all');
+
+    return build();
+  }
+}
diff --git a/src/common/casl/index.ts b/src/common/casl/index.ts
@@ -0,0 +1,4 @@
+export * from './abilities';
+export * from './api-main-casl.module';
+export * from './casl-ability.factory';
+export * from './policy-handler';
diff --git a/src/common/casl/policy-handler.ts b/src/common/casl/policy-handler.ts
@@ -0,0 +1,14 @@
+import { SetMetadata } from '@nestjs/common';
+import { AppAbility } from './abilities';
+
+export interface IPolicyHandler {
+  handle(ability: AppAbility): boolean;
+}
+
+type PolicyHandlerCallback = (ability: AppAbility) => boolean;
+
+export type PolicyHandler = IPolicyHandler | PolicyHandlerCallback;
+
+export const CHECK_POLICIES_KEY = 'check_policy';
+export const CheckPolicies = (...handlers: PolicyHandler[]) =>
+  SetMetadata(CHECK_POLICIES_KEY, handlers);
diff --git a/src/common/guards/index.ts b/src/common/guards/index.ts
@@ -0,0 +1 @@
+export * from './policies.guard';
diff --git a/src/common/guards/policies.guard.ts b/src/common/guards/policies.guard.ts
@@ -0,0 +1,40 @@
+import { CanActivate, ExecutionContext, Injectable } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { AppAbility } from '../casl/abilities';
+import { CaslAbilityFactory } from '../casl/casl-ability.factory';
+import { CHECK_POLICIES_KEY, PolicyHandler } from '../casl/policy-handler';
+
+@Injectable()
+export class PoliciesGuard implements CanActivate {
+  constructor(
+    private reflector: Reflector,
+    private caslAbilityFactory: CaslAbilityFactory
+  ) {}
+
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    const policyHandlers =
+      this.reflector.get<PolicyHandler[]>(
+        CHECK_POLICIES_KEY,
+        context.getHandler()
+      ) || [];
+
+    const { jwtPayload, params, user } = context.switchToHttp().getRequest();
+
+    const ability = this.caslAbilityFactory.createForUser(user, jwtPayload, {
+      params: {
+        userId: params.userId ? Number(params.userId) : params.userId,
+      },
+    });
+
+    return policyHandlers.every((handler) =>
+      this.execPolicyHandler(handler, ability)
+    );
+  }
+
+  private execPolicyHandler(handler: PolicyHandler, ability: AppAbility) {
+    if (typeof handler === 'function') {
+      return handler(ability);
+    }
+    return handler.handle(ability);
+  }
+}
diff --git a/src/common/policies/index.ts b/src/common/policies/index.ts
@@ -0,0 +1 @@
+export * from './user.policy';
diff --git a/src/common/policies/user.policy.ts b/src/common/policies/user.policy.ts
@@ -0,0 +1,32 @@
+import { IPolicyHandler } from '../casl';
+import { Action, AppAbility } from '../casl/abilities';
+
+// naming convention: <Command|Query><Domain><functionality of class>
+//                    <Domain><Event><functionality of class>
+// Commands and Queries are present tense
+// Events are past tense
+// Example: <Create><User><PolicyHandler>
+
+export class CreateUserPolicyHandler implements IPolicyHandler {
+  handle(ability: AppAbility) {
+    return ability.can(Action.Create, 'User');
+  }
+}
+
+export class ReadUserPolicyHandler implements IPolicyHandler {
+  handle(ability: AppAbility) {
+    return ability.can(Action.Read, 'User');
+  }
+}
+
+export class UpdateUserPolicyHandler implements IPolicyHandler {
+  handle(ability: AppAbility) {
+    return ability.can(Action.Update, 'User');
+  }
+}
+
+export class DeleteUserPolicyHandler implements IPolicyHandler {
+  handle(ability: AppAbility) {
+    return ability.can(Action.Delete, 'User');
+  }
+}