feat: add authorization component

packages/authorization/.npmrc

@@ -0,0 +1 @@
+package-lock=false

packages/authorization/LICENSE

@@ -0,0 +1,25 @@
+Copyright (c) IBM Corp. 2018. All Rights Reserved.
+Node module: @loopback/authorization
+This project is licensed under the MIT License, full text below.
+
+--------
+
+MIT license
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

packages/authorization/README.md

@@ -0,0 +1,56 @@
+# @loopback/authorization
+
+A LoopBack 4 component for authorization support.
+
+**This is a reference implementation showing how to implement an authorization
+component, it is not production ready.**
+
+## Overview
+
+## Installation
+
+```shell
+npm install --save @loopback/authorization
+```
+
+## Basic use
+
+Start by decorating your controller methods with `@authorize` to require the
+request to be authorized.
+
+In this example, we make the user profile available via dependency injection
+using a key available from `@loopback/authorization` package.
+
+```ts
+import {inject} from '@loopback/context';
+import {authorize} from '@loopback/authorization';
+import {get} from '@loopback/rest';
+
+export class MyController {
+  @authorize({allow: ['ADMIN']})
+  @get('/number-of-views')
+  numOfViews(): number {
+    return 100;
+  }
+}
+```
+
+## Related resources
+
+## Contributions
+
+- [Guidelines](https://github.com/strongloop/loopback-next/blob/master/docs/CONTRIBUTING.md)
+- [Join the team](https://github.com/strongloop/loopback-next/issues/110)
+
+## Tests
+
+run `npm test` from the root folder.
+
+## Contributors
+
+See
+[all contributors](https://github.com/strongloop/loopback-next/graphs/contributors).
+
+## License
+
+MIT

packages/authorization/docs.json

@@ -0,0 +1,12 @@
+{
+  "content": [
+    "index.ts",
+    "src/index.ts",
+    "src/decorators/authorize.ts",
+    "src/providers/authorization-metadata.ts",
+    "src/providers/authorize.ts",
+    "src/authorization-component.ts",
+    "src/keys.ts"
+  ],
+  "codeSectionDepth": 4
+}

packages/authorization/index.d.ts

@@ -0,0 +1,6 @@
+// Copyright IBM Corp. 2017,2018. All Rights Reserved.
+// Node module: @loopback/authorization
+// This file is licensed under the MIT License.
+// License text available at https://opensource.org/licenses/MIT
+
+export * from './dist';

packages/authorization/index.js

@@ -0,0 +1,6 @@
+// Copyright IBM Corp. 2017,2018. All Rights Reserved.
+// Node module: @loopback/authorization
+// This file is licensed under the MIT License.
+// License text available at https://opensource.org/licenses/MIT
+
+module.exports = require('./dist');

packages/authorization/index.ts

@@ -0,0 +1,8 @@
+// Copyright IBM Corp. 2017,2018. All Rights Reserved.
+// Node module: @loopback/authorization
+// This file is licensed under the MIT License.
+// License text available at https://opensource.org/licenses/MIT
+
+// DO NOT EDIT THIS FILE
+// Add any additional (re)exports to src/index.ts instead.
+export * from './src';

packages/authorization/package.json

@@ -0,0 +1,47 @@
+{
+  "name": "@loopback/authorization",
+  "version": "0.1.0",
+  "description": "A LoopBack component for authorization support.",
+  "engines": {
+    "node": ">=8"
+  },
+  "scripts": {
+    "acceptance": "lb-mocha \"dist/test/acceptance/**/*.js\"",
+    "build": "lb-tsc es2017 --outDir dist",
+    "build:apidocs": "lb-apidocs",
+    "clean": "lb-clean loopback-authorization*.tgz dist package api-docs",
+    "integration": "lb-mocha \"dist/test/integration/**/*.js\"",
+    "prepublishOnly": "npm run build && npm run build:apidocs",
+    "pretest": "npm run build",
+    "test": "lb-mocha \"dist/test/unit/**/*.js\" \"dist/test/integration/**/*.js\" \"dist/test/acceptance/**/*.js\"",
+    "unit": "lb-mocha \"dist/test/unit/**/*.js\"",
+    "verify": "npm pack && tar xf loopback-authorization*.tgz && tree package && npm run clean"
+  },
+  "author": "IBM",
+  "copyright.owner": "IBM Corp.",
+  "license": "MIT",
+  "dependencies": {
+    "@loopback/context": "^1.0.0",
+    "@loopback/core": "^1.0.0"
+  },
+  "devDependencies": {
+    "@loopback/build": "^1.0.0",
+    "@loopback/testlab": "^1.0.0"
+  },
+  "keywords": [
+    "LoopBack",
+    "Authorization"
+  ],
+  "files": [
+    "README.md",
+    "index.js",
+    "index.d.ts",
+    "dist/src",
+    "dist/index*",
+    "src"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/strongloop/loopback-next.git"
+  }
+}

packages/authorization/src/authorization-component.ts

@@ -0,0 +1,20 @@
+// Copyright IBM Corp. 2018. All Rights Reserved.
+// Node module: @loopback/authorization
+// This file is licensed under the MIT License.
+// License text available at https://opensource.org/licenses/MIT
+
+import {AuthorizationBindings} from './keys';
+import {Component, ProviderMap} from '@loopback/core';
+import {AuthorizationProvider} from './providers/authorize';
+import {AuthMetadataProvider} from './providers/authorization-metadata';
+
+export class AuthenticationComponent implements Component {
+  providers?: ProviderMap;
+
+  constructor() {
+    this.providers = {
+      [AuthorizationBindings.AUTHORIZE_ACTION]: AuthorizationProvider,
+      [AuthorizationBindings.METADATA]: AuthMetadataProvider,
+    };
+  }
+}

packages/authorization/src/decorators/authorize.ts

@@ -0,0 +1,152 @@
+// Copyright IBM Corp. 2017,2018. All Rights Reserved.
+// Node module: @loopback/authorization
+// This file is licensed under the MIT License.
+// License text available at https://opensource.org/licenses/MIT
+
+import {
+  MetadataInspector,
+  Constructor,
+  MethodDecoratorFactory,
+  MetadataMap,
+  BindingAddress,
+} from '@loopback/context';
+import {AuthorizationBindings} from '../keys';
+import {
+  AuthorizationMetadata,
+  Voter,
+  EVERYONE,
+  ANONYMOUS,
+  AUTHENTICATED,
+  UNAUTHENTICATED,
+} from '../types';
+
+export class AuthorizeMethodDecoratorFactory extends MethodDecoratorFactory<
+  AuthorizationMetadata
+> {
+  protected mergeWithOwn(
+    ownMetadata: MetadataMap<AuthorizationMetadata>,
+    target: Object,
+    methodName?: string,
+    // tslint:disable-next-line:no-any
+    methodDescriptor?: TypedPropertyDescriptor<any> | number,
+  ) {
+    ownMetadata = ownMetadata || {};
+    const methodMeta = ownMetadata[methodName!];
+    methodMeta.allowedRoles = this.merge(
+      methodMeta.allowedRoles,
+      this.spec.allowedRoles,
+    );
+    methodMeta.deniedRoles = this.merge(
+      methodMeta.deniedRoles,
+      this.spec.deniedRoles,
+    );
+    methodMeta.scopes = this.merge(methodMeta.scopes, this.spec.scopes);
+    methodMeta.voters = this.merge(methodMeta.voters, this.spec.voters);
+
+    return ownMetadata;
+  }
+
+  private merge<T>(src?: T[], target?: T[]): T[] {
+    const list: T[] = [];
+    const set = new Set<T>(src || []);
+    if (target) {
+      for (const i of target) {
+        set.add(i);
+      }
+    }
+    for (const i of set.values()) list.push(i);
+    return list;
+  }
+}
+/**
+ * Mark a controller method as requiring authorized user.
+ *
+ * @param spec Authorization metadata
+ */
+export function authorize(spec: AuthorizationMetadata) {
+  return AuthorizeMethodDecoratorFactory.createDecorator(
+    AuthorizationBindings.METADATA,
+    spec,
+  );
+}
+
+export namespace authorize {
+  /**
+   * Shortcut to configure allowed roles
+   * @param roles
+   */
+  export const allow = (...roles: string[]) => authorize({allowedRoles: roles});
+  /**
+   * Shortcut to configure denied roles
+   * @param roles
+   */
+  export const deny = (...roles: string[]) => authorize({deniedRoles: roles});
+  /**
+   * Shortcut to specify access scopes
+   * @param scopes
+   */
+  export const scope = (...scopes: string[]) => authorize({scopes});
+
+  /**
+   * Shortcut to configure voters
+   * @param voters
+   */
+  export const vote = (...voters: (Voter | BindingAddress<Voter>)[]) =>
+    authorize({voters});
+
+  /**
+   * Allows all
+   */
+  export const allowAll = () => allow(EVERYONE);
+
+  /**
+   * Allow all but the given roles
+   * @param roles
+   */
+  export const allowAllExcept = (...roles: string[]) =>
+    authorize({
+      deniedRoles: roles,
+      allowedRoles: [EVERYONE],
+    });
+
+  /**
+   * Deny all
+   */
+  export const denyAll = () => deny(EVERYONE);
+
+  /**
+   * Deny all but the given roles
+   * @param roles
+   */
+  export const denyAllExcept = (...roles: string[]) =>
+    authorize({
+      allowedRoles: roles,
+      deniedRoles: [EVERYONE],
+    });
+
+  /**
+   * Allow authenticated users
+   */
+  export const allowAuthenticated = () => allow(AUTHENTICATED);
+  /**
+   * Deny unauthenticated users
+   */
+  export const denyUnauthenticated = () => deny(UNAUTHENTICATED);
+}
+
+/**
+ * Fetch authorization metadata stored by `@authorize` decorator.
+ *
+ * @param controllerClass Target controller
+ * @param methodName Target method
+ */
+export function getAuthorizeMetadata(
+  controllerClass: Constructor<{}>,
+  methodName: string,
+): AuthorizationMetadata | undefined {
+  return MetadataInspector.getMethodMetadata<AuthorizationMetadata>(
+    AuthorizationBindings.METADATA,
+    controllerClass.prototype,
+    methodName,
+  );
+}

packages/authorization/src/index.ts

@@ -0,0 +1,13 @@
+// Copyright IBM Corp. 2018. All Rights Reserved.
+// Node module: @loopback/authorization
+// This file is licensed under the MIT License.
+// License text available at https://opensource.org/licenses/MIT
+
+export * from './types';
+export * from './authorization-component';
+export * from './decorators/authorize';
+export * from './keys';
+
+// internals for tests
+export * from './providers/authorization-metadata';
+export * from './providers/authorize';

packages/authorization/src/keys.ts

@@ -0,0 +1,12 @@
+// Copyright IBM Corp. 2018. All Rights Reserved.
+// Node module: @loopback/authorization
+// This file is licensed under the MIT License.
+// License text available at https://opensource.org/licenses/MIT
+
+/**
+ * Binding keys used by this component.
+ */
+export namespace AuthorizationBindings {
+  export const AUTHORIZE_ACTION = 'authorization.actions.authorize';
+  export const METADATA = 'authorization.operationMetadata';
+}