From cc551734db79ce4c4ef004fef29ce5126fc48678 Mon Sep 17 00:00:00 2001
From: Valentin Yanakiev
Date: Tue, 26 Nov 2024 23:37:34 +0200
Subject: [PATCH] More stable auth
---
 package-lock.json | 4 ++--
 package.json | 2 +-
 .../link/link.resolver.mutations.ts | 2 +-
 .../authorization.policy.service.ts | 16 ++++++++++++----
 .../profile/profile.service.authorization.ts | 6 +++---
 .../reference/reference.resolver.mutations.ts | 2 +-
 .../common/visual/visual.resolver.mutations.ts | 2 +-
 .../profile.documents.service.ts | 2 +-
 .../account/account.service.authorization.ts | 1 -
 .../document/document.service.authorization.ts | 7 ++++---
 .../storage.aggregator.service.authorization.ts | 2 +-
 .../storage.bucket.service.authorization.ts | 9 +++++----
 .../avatars/admin.avatarresolver.mutations.ts | 2 +-
 .../whiteboards/admin.whiteboard.service.ts | 2 +-
 14 files changed, 34 insertions(+), 25 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 1e634fe09c..52f309e933 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@ { "name": "alkemio-server", - "version": "0.96.1", + "version": "0.96.2", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "alkemio-server", - "version": "0.96.1", + "version": "0.96.2", "license": "EUPL-1.2", "dependencies": { "@alkemio/matrix-adapter-lib": "^0.4.1",
diff --git a/package.json b/package.json
index ad2a48078c..c1b86d0edd 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "alkemio-server",
- "version": "0.96.1",
+ "version": "0.96.2",
 "description": "Alkemio server, responsible for managing the shared Alkemio platform",
 "author": "Alkemio Foundation",
 "private": false,
diff --git a/src/domain/collaboration/link/link.resolver.mutations.ts b/src/domain/collaboration/link/link.resolver.mutations.ts
index ccf505fc7a..924347fc09 100644
--- a/src/domain/collaboration/link/link.resolver.mutations.ts
+++ b/src/domain/collaboration/link/link.resolver.mutations.ts
@@ -123,7 +123,7 @@ export class LinkResolverMutations {
 document = await this.documentService.saveDocument(document);
 const documentAuthorizations =
- this.documentAuthorizationService.applyAuthorizationPolicy(
+ await this.documentAuthorizationService.applyAuthorizationPolicy(
 document,
 storageBucket.authorization
 );
diff --git a/src/domain/common/authorization-policy/authorization.policy.service.ts b/src/domain/common/authorization-policy/authorization.policy.service.ts
index 09186ab547..53416f4c86 100644
--- a/src/domain/common/authorization-policy/authorization.policy.service.ts
+++ b/src/domain/common/authorization-policy/authorization.policy.service.ts
@@ -196,10 +196,18 @@ export class AuthorizationPolicyService {
 }
 async saveAll(authorizationPolicies: IAuthorizationPolicy[]): Promise {
- this.logger.verbose?.(
- `Saving ${authorizationPolicies.length} authorization policies`,
- LogContext.AUTH
- );
+ if (authorizationPolicies.length > 500)
+ this.logger.warn?.(
+ `Saving ${authorizationPolicies.length} authorization policies of type ${authorizationPolicies[0].type}`,
+ LogContext.AUTH
+ );
+ else {
+ this.logger.verbose?.(
+ `Saving ${authorizationPolicies.length} authorization policies`,
+ LogContext.AUTH
+ );
+ }
+
 await this.authorizationPolicyRepository.save(authorizationPolicies, {
 chunk: this.authChunkSize,
 });
diff --git a/src/domain/common/profile/profile.service.authorization.ts b/src/domain/common/profile/profile.service.authorization.ts
index a88003402f..2f7f616deb 100644
--- a/src/domain/common/profile/profile.service.authorization.ts
+++ b/src/domain/common/profile/profile.service.authorization.ts
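Review bot: In `saveAll` (authorization.policy.service.ts) the new warning names only `authorizationPolicies[0].type`, so a batch that mixes policy types is logged as if it were all of one type, which can mislead whoever uses this log to trace a large authorization reset. Word it as `... authorization policies, first of type ${authorizationPolicies[0].type}` or leave the type out. The `if` branch is unbraced while the `else` is braced, and `500` is an unnamed threshold; bracing both branches and naming the limit would make the intent clearer. The end of `saveAll` is outside the hunk.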
@@ -121,12 +121,12 @@ export class ProfileAuthorizationService {
 }
 const storageBucketAuthorizations =
- this.storageBucketAuthorizationService.applyAuthorizationPolicy(
+ await this.storageBucketAuthorizationService.applyAuthorizationPolicy(
 profile.storageBucket,
 profile.authorization
 );
 updatedAuthorizations.push(...storageBucketAuthorizations);
- await this.authorizationPolicyService.saveAll(updatedAuthorizations);
- return [];
+
+ return updatedAuthorizations;
 }
 }
diff --git a/src/domain/common/reference/reference.resolver.mutations.ts b/src/domain/common/reference/reference.resolver.mutations.ts
index 0af9342d34..c60215177b 100644
--- a/src/domain/common/reference/reference.resolver.mutations.ts
+++ b/src/domain/common/reference/reference.resolver.mutations.ts
@@ -133,7 +133,7 @@ export class ReferenceResolverMutations {
 document = await this.documentService.saveDocument(document);
 const documentAuthorizations =
- this.documentAuthorizationService.applyAuthorizationPolicy(
+ await this.documentAuthorizationService.applyAuthorizationPolicy(
 document,
 storageBucket.authorization
 );
diff --git a/src/domain/common/visual/visual.resolver.mutations.ts b/src/domain/common/visual/visual.resolver.mutations.ts
index f38fd178a5..0517afec1a 100644
--- a/src/domain/common/visual/visual.resolver.mutations.ts
+++ b/src/domain/common/visual/visual.resolver.mutations.ts
@@ -104,7 +104,7 @@ export class VisualResolverMutations {
 await this.documentService.saveDocument(visualDocument);
 // Ensure authorization is updated
 const documentAuthorizations =
- this.documentAuthorizationService.applyAuthorizationPolicy(
+ await this.documentAuthorizationService.applyAuthorizationPolicy(
 visualDocument,
 storageBucket.authorization
 );
diff --git a/src/domain/profile-documents/profile.documents.service.ts b/src/domain/profile-documents/profile.documents.service.ts
index 77fac5f11c..f0be2775ba 100644
--- a/src/domain/profile-documents/profile.documents.service.ts
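Review bot: `ProfileAuthorizationService.applyAuthorizationPolicy` no longer calls `saveAll` and now returns `updatedAuthorizations`, so persisting the profile's reset policies becomes the caller's job; a caller that still discards the result (it was always `[]` before this change) would leave those policies unsaved without any error. No caller of this method is visible in the patch, so each one should be checked. Since the storage bucket service now saves its own policies and returns `[]`, `updatedAuthorizations.push(...storageBucketAuthorizations)` no longer adds anything; a comment such as `// bucket policies are already persisted; the caller saves the rest` would document the split. The method starts outside the hunk.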
+++ b/src/domain/profile-documents/profile.documents.service.ts
@@ -81,7 +81,7 @@ export class ProfileDocumentsService {
 await this.documentService.saveDocument(newDoc);
 const authorizations =
- this.documentAuthorizationService.applyAuthorizationPolicy(
+ await this.documentAuthorizationService.applyAuthorizationPolicy(
 newDoc,
 storageBucketToCheck.authorization
 );
diff --git a/src/domain/space/account/account.service.authorization.ts b/src/domain/space/account/account.service.authorization.ts
index 72f7844e54..53de8d949e 100644
--- a/src/domain/space/account/account.service.authorization.ts
+++ b/src/domain/space/account/account.service.authorization.ts
@@ -99,7 +99,6 @@ export class AccountAuthorizationService {
 account.authorization = await this.authorizationPolicyService.save(
 account.authorization
 );
- updatedAuthorizations.push(account.authorization);
 const childUpdatedAuthorizations =
 await this.applyAuthorizationPolicyForChildEntities(account);
diff --git a/src/domain/storage/document/document.service.authorization.ts b/src/domain/storage/document/document.service.authorization.ts
index dc040a695d..01672c62db 100644
--- a/src/domain/storage/document/document.service.authorization.ts
+++ b/src/domain/storage/document/document.service.authorization.ts
@@ -15,10 +15,10 @@ import { RelationshipNotFoundException } from '@common/exceptions/relationship.n
 export class DocumentAuthorizationService {
 constructor(private authorizationPolicyService: AuthorizationPolicyService) {}
- applyAuthorizationPolicy(
+ public async applyAuthorizationPolicy(
 document: IDocument,
 parentAuthorization: IAuthorizationPolicy | undefined
- ): IAuthorizationPolicy[] {
+ ): Promise {
 if (!document.tagset || !document.tagset.authorization) {
 throw new RelationshipNotFoundException(
 `Unable to find entities required to reset auth for Document ${document.id} `,
@@ -44,7 +44,8 @@ export class DocumentAuthorizationService {
 );
 updatedAuthorizations.push(document.tagset.authorization);
- return updatedAuthorizations;
+ await this.authorizationPolicyService.saveAll(updatedAuthorizations);
+ return [];
 }
 private appendCredentialRules(document: IDocument): IAuthorizationPolicy {
diff --git a/src/domain/storage/storage-aggregator/storage.aggregator.service.authorization.ts b/src/domain/storage/storage-aggregator/storage.aggregator.service.authorization.ts
index 8ed98839fb..718bb21ab3 100644
--- a/src/domain/storage/storage-aggregator/storage.aggregator.service.authorization.ts
+++ b/src/domain/storage/storage-aggregator/storage.aggregator.service.authorization.ts
@@ -52,7 +52,7 @@ export class StorageAggregatorAuthorizationService {
 updatedAuthorizations.push(storageAggregator.authorization);
 const bucketAuthorizations =
- this.storageBucketAuthorizationService.applyAuthorizationPolicy(
+ await this.storageBucketAuthorizationService.applyAuthorizationPolicy(
 storageAggregator.directStorage,
 storageAggregator.authorization
 );
diff --git a/src/domain/storage/storage-bucket/storage.bucket.service.authorization.ts b/src/domain/storage/storage-bucket/storage.bucket.service.authorization.ts
index 45e5198479..35d2fcebeb 100644
--- a/src/domain/storage/storage-bucket/storage.bucket.service.authorization.ts
+++ b/src/domain/storage/storage-bucket/storage.bucket.service.authorization.ts
@@ -19,10 +19,10 @@ export class StorageBucketAuthorizationService {
 private documentAuthorizationService: DocumentAuthorizationService
 ) {}
- applyAuthorizationPolicy(
+ public async applyAuthorizationPolicy(
 storageBucket: IStorageBucket,
 parentAuthorization: IAuthorizationPolicy | undefined
- ): IAuthorizationPolicy[] {
+ ): Promise {
 if (!storageBucket.documents) {
 throw new RelationshipNotFoundException(
 `Unable to load entities to reset auth for StorageBucket ${storageBucket.id} `,
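Review bot: `DocumentAuthorizationService.applyAuthorizationPolicy` now persists the policies itself and always returns `[]`, while its declared result is still a list of policies, so the callers this patch updates with `await` (link, reference, visual, profile-documents, admin whiteboard) receive an empty `documentAuthorizations`. That contract is easy to misread as "the caller still has to save"; a doc comment on the method, e.g. `/** Resets and saves the document's policies; returns an empty list because nothing is left for the caller to persist. */`, would state it. The storage bucket service hunk at `-49,14` ends the same way and needs the same comment. The method starts in the previous hunk and the lines in between are not shown.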
@@ -49,14 +49,15 @@ export class StorageBucketAuthorizationService {
 // Cascade down
 for (const document of storageBucket.documents) {
 const documentAuthorizations =
- this.documentAuthorizationService.applyAuthorizationPolicy(
+ await this.documentAuthorizationService.applyAuthorizationPolicy(
 document,
 storageBucket.authorization
 );
 updatedAuthorizations.push(...documentAuthorizations);
 }
- return updatedAuthorizations;
+ await this.authorizationPolicyService.saveAll(updatedAuthorizations);
+ return [];
 }
 private appendPrivilegeRules(
diff --git a/src/platform/admin/avatars/admin.avatarresolver.mutations.ts b/src/platform/admin/avatars/admin.avatarresolver.mutations.ts
index b13351f296..21b62d7716 100644
--- a/src/platform/admin/avatars/admin.avatarresolver.mutations.ts
+++ b/src/platform/admin/avatars/admin.avatarresolver.mutations.ts
@@ -78,7 +78,7 @@ export class AdminSearchContributorsMutations {
 }
 const authorizations =
- this.storageBucketAuthorizationService.applyAuthorizationPolicy(
+ await this.storageBucketAuthorizationService.applyAuthorizationPolicy(
 profile.storageBucket,
 profile.authorization
 );
diff --git a/src/platform/admin/whiteboards/admin.whiteboard.service.ts b/src/platform/admin/whiteboards/admin.whiteboard.service.ts
index 1017333331..d939a297ba 100644
--- a/src/platform/admin/whiteboards/admin.whiteboard.service.ts
+++ b/src/platform/admin/whiteboards/admin.whiteboard.service.ts
@@ -118,7 +118,7 @@ export class AdminWhiteboardService {
 );
 document = await this.documentService.saveDocument(document);
 const documentAuthorizations =
- this.documentAuthorizationService.applyAuthorizationPolicy(
+ await this.documentAuthorizationService.applyAuthorizationPolicy(
 document,
 profile.storageBucket.authorization
 );
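Review bot: In the cascade loop of `StorageBucketAuthorizationService.applyAuthorizationPolicy` each awaited `documentAuthorizationService.applyAuthorizationPolicy` now does its own `saveAll`, so a bucket with many documents is saved one document at a time and the bucket's own policy is saved only after the loop. If one of those saves rejects, the earlier documents already carry the new policy while the bucket and the remaining documents keep the old one, and nothing visible here rolls that back or reports the partial state. If one batched save is not possible, catch and log the failure with the bucket id before rethrowing, and note the behaviour above the loop: `// documents are saved one by one; a failure leaves the bucket partially reset`. `updatedAuthorizations.push(...documentAuthorizations)` now always spreads an empty array.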