feat: expand access control for keyrings resource

- Added comprehensive access grants for the `keyrings` resource, including permissions for read, create, update, and delete actions for the `AC_INTERNAL_ROLE_GESTION`.
- Updated the `KeyringsController` to utilize the new `@UseRoles` decorator for enforcing access control on keyrings operations.
- Enhanced the `useAccessControl` composable to improve type safety and normalize action patterns for better access management.

Author: tacxou

apps/api/src/_common/types/ac-types.ts

@@ -69,6 +69,16 @@ export const AC_INTERNAL_DEFAULT_ROLES_GRANTS: IAccessInfo[] = [
   { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.UPDATE, resource: '/core/cron' },
   { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.DELETE, resource: '/core/cron' },
 
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.READ, resource: '/core/roles' },
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.CREATE, resource: '/core/roles' },
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.UPDATE, resource: '/core/roles' },
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.DELETE, resource: '/core/roles' },
+
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.READ, resource: '/core/keyrings' },
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.CREATE, resource: '/core/keyrings' },
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.UPDATE, resource: '/core/keyrings' },
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.DELETE, resource: '/core/keyrings' },
+
   { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.READ, resource: '/core/jobs' },
   { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.CREATE, resource: '/core/jobs' },
   { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.UPDATE, resource: '/core/jobs' },

apps/api/src/core/keyrings/keyrings.controller.ts

@@ -5,7 +5,6 @@ import { ApiParam, ApiTags } from '@nestjs/swagger';
 import { ApiDeletedResponseDecorator } from '~/_common/decorators/api-deleted-response.decorator';
 import { ObjectIdValidationPipe } from '~/_common/pipes/object-id-validation.pipe';
 import { Response } from 'express';
-import { ApiReadResponseDecorator } from '~/_common/decorators/api-read-response.decorator';
 import { PickProjectionHelper } from '~/_common/helpers/pick-projection.helper';
 import {
   FilterOptions,
@@ -18,6 +17,8 @@ import { ApiPaginatedDecorator } from '~/_common/decorators/api-paginated.decora
 import { PartialProjectionType } from '~/_common/types/partial-projection.type';
 import { KeyringsService } from '~/core/keyrings/keyrings.service';
 import { KeyringsCreateDto, KeyringsDto } from '~/core/keyrings/_dto/keyrings.dto';
+import { UseRoles } from '~/_common/decorators/use-roles.decorator';
+import { AC_ACTIONS, AC_DEFAULT_POSSESSION } from '~/_common/types/ac-types';
 
 @ApiTags('core/keyrings')
 @Controller('keyrings')
@@ -38,6 +39,11 @@ export class KeyringsController extends AbstractController {
   }
 
   @Post()
+  @UseRoles({
+    resource: '/core/keyrings',
+    action: AC_ACTIONS.CREATE,
+    possession: AC_DEFAULT_POSSESSION,
+  })
   @ApiCreateDecorator(KeyringsCreateDto, KeyringsDto)
   public async create(@Res() res: Response, @Body() body: KeyringsCreateDto): Promise<Response> {
     const data = await this._service.create(body);
@@ -48,6 +54,11 @@ export class KeyringsController extends AbstractController {
   }
 
   @Get()
+  @UseRoles({
+    resource: '/core/keyrings',
+    action: AC_ACTIONS.READ,
+    possession: AC_DEFAULT_POSSESSION,
+  })
   @ApiPaginatedDecorator(PickProjectionHelper(KeyringsDto, KeyringsController.projection))
   public async search(
     @Res() res: Response,
@@ -76,6 +87,11 @@ export class KeyringsController extends AbstractController {
   }
 
   @Delete(':_id([0-9a-fA-F]{24})')
+  @UseRoles({
+    resource: '/core/keyrings',
+    action: AC_ACTIONS.DELETE,
+    possession: AC_DEFAULT_POSSESSION,
+  })
   @ApiParam({ name: '_id', type: String })
   @ApiDeletedResponseDecorator(KeyringsDto)
   public async remove(

apps/web/src/composables/useAccessControl.ts

@@ -68,7 +68,7 @@ export const useAccessControl = () => {
       visiting.add(role)
       result.add(role)
 
-      const grants = access?.[role] as any
+      const grants = access?.[role] as (AccessObjectAction & { $extend?: string[] }) | undefined
       const extend = grants?.$extend
       if (Array.isArray(extend)) {
         for (const parent of extend) {
@@ -159,6 +159,7 @@ export const useAccessControl = () => {
     }
 
     const effectiveRoles = resolveEffectiveRoles(roles)
+    const normalizedPatterns = (Array.isArray(patterns) ? patterns : [patterns]).map((pattern) => pattern.replace(/^\//, ''))
 
     // Cas "menu public" : si aucun rôle et aucune ACL chargée, on laisse afficher les tuiles non restreintes.
     if (!effectiveRoles.length && (!access || Object.keys(access).length === 0)) {
@@ -168,8 +169,11 @@ export const useAccessControl = () => {
     for (const role of effectiveRoles) {
       const actions = access[role] as AccessObjectAction || {}
       for (const action of Object.keys(actions)) {
+        if (action.startsWith('$')) {
+          continue
+        }
         const normalizedKey = action.replace(/^\//, '')
-        if (Array.isArray(patterns) ? patterns.some((pattern) => normalizedKey.startsWith(pattern)) : normalizedKey.startsWith(patterns)) {
+        if (normalizedPatterns.some((pattern) => normalizedKey.startsWith(pattern))) {
           return true
         }
       }