import { Namespace, Context, SubjectSet } from "@ory/keto-definitions"
// Subject namespace: individual identities. It declares no relations of its
// own; users only appear as subjects of relations in the other namespaces.
class User implements Namespace {}
// Global (non-tenant) namespace for the Admin Control console.
// Relations are plain User lists; there is no parent/inheritance relation here,
// so every grant in this namespace is a direct tuple.
class System implements Namespace {
  related: {
    // Root operators; the only relation read by manage_all.
    super_admins: User[]
    // Any signed-in user. Not used by any permit in this namespace; it is
    // referenced from RelyingParty.related.access as a SubjectSet.
    authenticated_users: User[]

    // New global menu permissions (Admin Control) - read (viewers)
    overview_viewers: User[]
    tenants_viewers: User[]
    org_chart_viewers: User[]
    worksmobile_viewers: User[]
    ory_ssot_viewers: User[]
    data_integrity_viewers: User[]
    users_viewers: User[]
    permissions_direct_viewers: User[]
    auth_guard_viewers: User[]
    api_keys_viewers: User[]
    audit_logs_viewers: User[]

    // New global menu permissions (Admin Control) - write (managers)
    overview_managers: User[]
    tenants_managers: User[]
    org_chart_managers: User[]
    worksmobile_managers: User[]
    ory_ssot_managers: User[]
    data_integrity_managers: User[]
    users_managers: User[]
    permissions_direct_managers: User[]
    auth_guard_managers: User[]
    api_keys_managers: User[]
    audit_logs_managers: User[]
  }

  permits = {
    // Root permission: granted only by direct membership in super_admins.
    // Every manage_* permit below falls back to manage_all, and every
    // access_* permit falls back to its manage_*, so a super_admin passes
    // all checks in this namespace transitively.
    manage_all: (ctx: Context): boolean =>
      this.related.super_admins.includes(ctx.subject),

    // Global menu permit rules: read (access_*) and write (manage_*) are kept
    // as two fully separate tiers. Every pair has the same shape:
    //   access_X = X_viewers  OR manage_X
    //   manage_X = X_managers OR manage_all
    // A viewer grant therefore never implies a write right, and a manager grant
    // implies the matching read right.
    access_overview: (ctx: Context): boolean =>
      this.related.overview_viewers.includes(ctx.subject) ||
      this.permits.manage_overview(ctx),

    manage_overview: (ctx: Context): boolean =>
      this.related.overview_managers.includes(ctx.subject) ||
      this.permits.manage_all(ctx),

    access_tenants: (ctx: Context): boolean =>
      this.related.tenants_viewers.includes(ctx.subject) ||
      this.permits.manage_tenants(ctx),

    manage_tenants: (ctx: Context): boolean =>
      this.related.tenants_managers.includes(ctx.subject) ||
      this.permits.manage_all(ctx),

    access_org_chart: (ctx: Context): boolean =>
      this.related.org_chart_viewers.includes(ctx.subject) ||
      this.permits.manage_org_chart(ctx),

    manage_org_chart: (ctx: Context): boolean =>
      this.related.org_chart_managers.includes(ctx.subject) ||
      this.permits.manage_all(ctx),

    access_worksmobile: (ctx: Context): boolean =>
      this.related.worksmobile_viewers.includes(ctx.subject) ||
      this.permits.manage_worksmobile(ctx),

    manage_worksmobile: (ctx: Context): boolean =>
      this.related.worksmobile_managers.includes(ctx.subject) ||
      this.permits.manage_all(ctx),

    access_ory_ssot: (ctx: Context): boolean =>
      this.related.ory_ssot_viewers.includes(ctx.subject) ||
      this.permits.manage_ory_ssot(ctx),

    manage_ory_ssot: (ctx: Context): boolean =>
      this.related.ory_ssot_managers.includes(ctx.subject) ||
      this.permits.manage_all(ctx),

    access_data_integrity: (ctx: Context): boolean =>
      this.related.data_integrity_viewers.includes(ctx.subject) ||
      this.permits.manage_data_integrity(ctx),

    manage_data_integrity: (ctx: Context): boolean =>
      this.related.data_integrity_managers.includes(ctx.subject) ||
      this.permits.manage_all(ctx),

    access_users: (ctx: Context): boolean =>
      this.related.users_viewers.includes(ctx.subject) ||
      this.permits.manage_users(ctx),

    manage_users: (ctx: Context): boolean =>
      this.related.users_managers.includes(ctx.subject) ||
      this.permits.manage_all(ctx),

    access_permissions_direct: (ctx: Context): boolean =>
      this.related.permissions_direct_viewers.includes(ctx.subject) ||
      this.permits.manage_permissions_direct(ctx),

    // Write access to direct permission tuples: this is effectively the
    // ability to grant any other permission, so only managers and
    // super_admins reach it; there is no inherited path.
    manage_permissions_direct: (ctx: Context): boolean =>
      this.related.permissions_direct_managers.includes(ctx.subject) ||
      this.permits.manage_all(ctx),

    access_auth_guard: (ctx: Context): boolean =>
      this.related.auth_guard_viewers.includes(ctx.subject) ||
      this.permits.manage_auth_guard(ctx),

    manage_auth_guard: (ctx: Context): boolean =>
      this.related.auth_guard_managers.includes(ctx.subject) ||
      this.permits.manage_all(ctx),

    access_api_keys: (ctx: Context): boolean =>
      this.related.api_keys_viewers.includes(ctx.subject) ||
      this.permits.manage_api_keys(ctx),

    manage_api_keys: (ctx: Context): boolean =>
      this.related.api_keys_managers.includes(ctx.subject) ||
      this.permits.manage_all(ctx),

    // Audit-log read access is separate from every other menu; a manager of
    // another area does not see the logs unless listed here or super_admin.
    access_audit_logs: (ctx: Context): boolean =>
      this.related.audit_logs_viewers.includes(ctx.subject) ||
      this.permits.manage_audit_logs(ctx),

    manage_audit_logs: (ctx: Context): boolean =>
      this.related.audit_logs_managers.includes(ctx.subject) ||
      this.permits.manage_all(ctx)
  }
}
// Tenant namespace. Most relations accept either a direct User or the
// System super_admins SubjectSet, so super-admin reach into a tenant is
// granted by writing a SubjectSet tuple rather than hard-coded in the permits.
class Tenant implements Namespace {
  related: {
    // Core roles, from most to least privileged: owners > admins > members.
    owners: (User | SubjectSet<System, "super_admins">)[]
    admins: (User | SubjectSet<System, "super_admins">)[]
    // members may also be this tenant's own admins/owners subject sets.
    members: (User | SubjectSet<System, "super_admins"> | SubjectSet<Tenant, "admins"> | SubjectSet<Tenant, "owners">)[]
    // Parent tenants. view, manage, manage_admins, view_dev_console and
    // grant_dev_permissions are inherited downward through this relation.
    parents: Tenant[]
    developer_console_viewer: (User | SubjectSet<System, "super_admins">)[]
    developer_console_grant_manager: (User | SubjectSet<System, "super_admins">)[]

    // New direct relations: per-tab viewer/manager grants
    profile_viewers: (User | SubjectSet<System, "super_admins">)[]
    profile_managers: (User | SubjectSet<System, "super_admins">)[]

    permissions_viewers: (User | SubjectSet<System, "super_admins">)[]
    permissions_managers: (User | SubjectSet<System, "super_admins">)[]

    organization_viewers: (User | SubjectSet<System, "super_admins">)[]
    organization_managers: (User | SubjectSet<System, "super_admins">)[]

    schema_viewers: (User | SubjectSet<System, "super_admins">)[]
    schema_managers: (User | SubjectSet<System, "super_admins">)[]
  }

  permits = {
    // Tab permits follow one pattern: a direct *_viewers / *_managers tuple,
    // or the matching manager permit, or the tenant-wide view / manage permit.
    // view_* never grants write access on its own.

    // 1. Profile tab permit rules
    view_profile: (ctx: Context): boolean =>
      this.related.profile_viewers.includes(ctx.subject) ||
      this.permits.manage_profile(ctx) ||
      this.permits.view(ctx), // members/admins/owners can view by default

    manage_profile: (ctx: Context): boolean =>
      this.related.profile_managers.includes(ctx.subject) ||
      this.permits.manage(ctx), // admins/owners can edit by default

    // 2. Permissions tab permit rules
    view_permissions: (ctx: Context): boolean =>
      this.related.permissions_viewers.includes(ctx.subject) ||
      this.permits.manage_permissions(ctx) ||
      this.permits.view(ctx),

    // Unlike the other manage_* tabs, this falls back to manage_admins
    // (owners and the parent chain) rather than manage, so a tenant admin
    // cannot edit permissions unless listed in permissions_managers directly.
    // Presumably deliberate: routing this through manage would let admins
    // widen their own grants. Do not "harmonise" it with the other tabs.
    manage_permissions: (ctx: Context): boolean =>
      this.related.permissions_managers.includes(ctx.subject) ||
      this.permits.manage_admins(ctx), // owners can manage by default

    // 3. Organization tab permit rules
    view_organization: (ctx: Context): boolean =>
      this.related.organization_viewers.includes(ctx.subject) ||
      this.permits.manage_organization(ctx) ||
      this.permits.view(ctx),

    manage_organization: (ctx: Context): boolean =>
      this.related.organization_managers.includes(ctx.subject) ||
      this.permits.manage(ctx),

    // 4. User schema tab permit rules
    view_schema: (ctx: Context): boolean =>
      this.related.schema_viewers.includes(ctx.subject) ||
      this.permits.manage_schema(ctx) ||
      this.permits.view(ctx),

    manage_schema: (ctx: Context): boolean =>
      this.related.schema_managers.includes(ctx.subject) ||
      this.permits.manage(ctx),

    // --- Existing master and inheritance rules preserved ---
    // view / manage / manage_admins recurse through parents, so a tuple on an
    // ancestor tenant grants the same permit on every descendant.
    // NOTE(review): the rules themselves have no cycle guard; confirm that the
    // Keto check max-depth setting bounds a parents cycle.
    view: (ctx: Context): boolean =>
      this.related.members.includes(ctx.subject) ||
      this.related.admins.includes(ctx.subject) ||
      this.related.owners.includes(ctx.subject) ||
      this.related.parents.traverse((p) => p.permits.view(ctx)),

    // Tenant-wide write permit: admins, owners, or manage on a parent.
    manage: (ctx: Context): boolean =>
      this.related.admins.includes(ctx.subject) ||
      this.related.owners.includes(ctx.subject) ||
      this.related.parents.traverse((p) => p.permits.manage(ctx)),

    // Owner-level permit: owners or manage_admins on a parent. Admins are
    // deliberately excluded (this is also the fallback for manage_permissions).
    manage_admins: (ctx: Context): boolean =>
      this.related.owners.includes(ctx.subject) ||
      this.related.parents.traverse((p) => p.permits.manage_admins(ctx)),

    create_subtenant: (ctx: Context): boolean =>
      this.permits.manage(ctx),

    // Developer console visibility: direct viewer, anyone who can grant dev
    // permissions, tenant managers, or the same permit on a parent.
    view_dev_console: (ctx: Context): boolean =>
      this.related.developer_console_viewer.includes(ctx.subject) ||
      this.permits.grant_dev_permissions(ctx) ||
      this.permits.manage(ctx) ||
      this.related.parents.traverse((p) => p.permits.view_dev_console(ctx)),

    // Falls back to manage_admins (owners), not manage: plain admins cannot
    // hand out developer permissions unless listed directly.
    grant_dev_permissions: (ctx: Context): boolean =>
      this.related.developer_console_grant_manager.includes(ctx.subject) ||
      this.permits.manage_admins(ctx) ||
      this.related.parents.traverse((p) => p.permits.grant_dev_permissions(ctx))
  }
}
// OAuth2/OIDC relying party (client) namespace. Console capabilities are split
// into one relation per capability; manage is the master write permit that
// every capability permit falls back to.
class RelyingParty implements Namespace {
  related: {
    // Full control; may also be delegated to a tenant's admins/owners set.
    admins: (User | SubjectSet<System, "super_admins"> | SubjectSet<Tenant, "admins"> | SubjectSet<Tenant, "owners">)[]
    // Owning tenant(s). view, manage and grant_dev_permissions are inherited
    // from here via traverse.
    parents: Tenant[]
    // End-user login access, not console visibility. Can be a whole tenant's
    // members or every authenticated user.
    access: (User | SubjectSet<Tenant, "members"> | SubjectSet<System, "authenticated_users"> | SubjectSet<System, "super_admins">)[]
    creator: (User | SubjectSet<System, "super_admins">)[]
    // Fine-grained console roles, one relation per capability.
    config_editor: (User | SubjectSet<System, "super_admins">)[]
    secret_viewer: (User | SubjectSet<System, "super_admins">)[]
    secret_rotator: (User | SubjectSet<System, "super_admins">)[]
    jwks_viewer: (User | SubjectSet<System, "super_admins">)[]
    jwks_operator: (User | SubjectSet<System, "super_admins">)[]
    consent_viewer: (User | SubjectSet<System, "super_admins">)[]
    consent_revoker: (User | SubjectSet<System, "super_admins">)[]
    relationship_viewer: (User | SubjectSet<System, "super_admins">)[]
    audit_viewer: (User | SubjectSet<System, "super_admins">)[]
    status_operator: (User | SubjectSet<System, "super_admins">)[]
  }

  permits = {
    // Console visibility. Granted to admins, to every fine-grained role, and to
    // any subject with view or view_dev_console on a parent tenant — and
    // Tenant.view covers every tenant member, so this is a broad read permit.
    // Secrets, JWKS, consents etc. still require their own permits below.
    // creator and access are NOT included here: a creator-only subject can
    // create but not view (confirm intended), and end users never gain console
    // visibility through this rule.
    view: (ctx: Context): boolean =>
      this.related.admins.includes(ctx.subject) ||
      this.related.config_editor.includes(ctx.subject) ||
      this.related.secret_viewer.includes(ctx.subject) ||
      this.related.secret_rotator.includes(ctx.subject) ||
      this.related.jwks_viewer.includes(ctx.subject) ||
      this.related.jwks_operator.includes(ctx.subject) ||
      this.related.consent_viewer.includes(ctx.subject) ||
      this.related.consent_revoker.includes(ctx.subject) ||
      this.related.relationship_viewer.includes(ctx.subject) ||
      this.related.audit_viewer.includes(ctx.subject) ||
      this.related.status_operator.includes(ctx.subject) ||
      this.related.parents.traverse((t) => t.permits.view(ctx)) ||
      this.related.parents.traverse((t) => t.permits.view_dev_console(ctx)),

    // Master write permit: RP admins or manage on a parent tenant (i.e. tenant
    // admins/owners and their ancestors). Every permit below falls back to it.
    manage: (ctx: Context): boolean =>
      this.related.admins.includes(ctx.subject) ||
      this.related.parents.traverse((t) => t.permits.manage(ctx)),

    create: (ctx: Context): boolean =>
      this.related.creator.includes(ctx.subject) ||
      this.related.parents.traverse((t) => t.permits.grant_dev_permissions(ctx)) ||
      this.permits.manage(ctx),

    edit_config: (ctx: Context): boolean =>
      this.related.config_editor.includes(ctx.subject) ||
      this.permits.manage(ctx),

    // Reading the client secret: rotate_secret implies view_secret, so any
    // subject allowed to rotate can also read the current secret.
    view_secret: (ctx: Context): boolean =>
      this.related.secret_viewer.includes(ctx.subject) ||
      this.permits.rotate_secret(ctx) ||
      this.permits.manage(ctx),

    rotate_secret: (ctx: Context): boolean =>
      this.related.secret_rotator.includes(ctx.subject) ||
      this.permits.manage(ctx),

    // Same viewer/operator pairing as secrets: operate_jwks implies view_jwks.
    view_jwks: (ctx: Context): boolean =>
      this.related.jwks_viewer.includes(ctx.subject) ||
      this.permits.operate_jwks(ctx) ||
      this.permits.manage(ctx),

    operate_jwks: (ctx: Context): boolean =>
      this.related.jwks_operator.includes(ctx.subject) ||
      this.permits.manage(ctx),

    // revoke_consents implies view_consents.
    view_consents: (ctx: Context): boolean =>
      this.related.consent_viewer.includes(ctx.subject) ||
      this.permits.revoke_consents(ctx) ||
      this.permits.manage(ctx),

    revoke_consents: (ctx: Context): boolean =>
      this.related.consent_revoker.includes(ctx.subject) ||
      this.permits.manage(ctx),

    // Also reachable through grant_dev_permissions on a parent tenant, so the
    // subjects who can grant developer rights can inspect resulting tuples.
    view_relationships: (ctx: Context): boolean =>
      this.related.relationship_viewer.includes(ctx.subject) ||
      this.related.parents.traverse((t) => t.permits.grant_dev_permissions(ctx)) ||
      this.permits.manage(ctx),

    view_audit_logs: (ctx: Context): boolean =>
      this.related.audit_viewer.includes(ctx.subject) ||
      this.permits.manage(ctx),

    change_status: (ctx: Context): boolean =>
      this.related.status_operator.includes(ctx.subject) ||
      this.permits.manage(ctx),

    // End-user access to the client: the access relation (which may name a
    // whole tenant's members or all authenticated users), or any manager.
    access: (ctx: Context): boolean =>
      this.related.access.includes(ctx.subject) ||
      this.permits.manage(ctx)
  }
}