feat: enhance role management and access control features

- Introduced new internal roles and their associated permissions to improve access control granularity.
- Updated the roles controller to support dynamic role filtering based on query parameters for admin and guest roles.
- Enhanced the roles service with validation for role inheritance and restrictions on role naming conventions.
- Improved DTOs to enforce validation rules for role creation and updates, ensuring compliance with naming standards.
- Added comprehensive access control grants for internal roles, streamlining permission management across resources.

Author: tacxou

apps/api/src/_common/types/ac-types.ts

@@ -1,6 +1,29 @@
+import { IAccessInfo } from "nest-access-control"
+
 export const AC_ADMIN_ROLE = 'admin'
 export const AC_GUEST_ROLE = 'guest'
 
+export const AC_INTERNAL_ROLE_PREFIX = 'interne_'
+export const AC_INTERNAL_ROLE_LECTURE = 'interne_lecture'
+export const AC_INTERNAL_ROLE_ECRITURE = 'interne_ecriture'
+export const AC_INTERNAL_ROLE_GESTION = 'interne_gestion'
+
+export const AC_DEFAULT_ROLES = [
+  { name: AC_ADMIN_ROLE, displayName: 'Administrateur', description: 'Accès total au système.', inherits: [] },
+  { name: AC_GUEST_ROLE, displayName: 'Invité', description: 'Accès minimal (base commune).', inherits: [] },
+] as const
+
+export const AC_INTERNAL_DEFAULT_ROLES = [
+  { name: AC_INTERNAL_ROLE_LECTURE, displayName: 'Interne - Lecture', description: 'Lecture sur les ressources internes.', inherits: [AC_GUEST_ROLE] },
+  { name: AC_INTERNAL_ROLE_ECRITURE, displayName: 'Interne - Écriture', description: 'Création / mise à jour sur les ressources internes.', inherits: [AC_INTERNAL_ROLE_LECTURE] },
+  { name: AC_INTERNAL_ROLE_GESTION, displayName: 'Interne - Gestion', description: 'Gestion avancée (dont suppression) sur les ressources internes.', inherits: [AC_INTERNAL_ROLE_ECRITURE] },
+] as const
+
+export const AC_ALL_DEFAULT_ROLES = [
+  ...AC_DEFAULT_ROLES,
+  ...AC_INTERNAL_DEFAULT_ROLES,
+] as const
+
 export enum AC_ACTIONS {
   CREATE = 'create',
   READ = 'read',
@@ -14,3 +37,55 @@ export enum AC_POSSESSIONS {
 }
 
 export const AC_DEFAULT_POSSESSION = AC_POSSESSIONS.ANY
+
+export const AC_INTERNAL_DEFAULT_ROLES_GRANTS: IAccessInfo[] = [
+  // AC_INTERNAL_ROLE_LECTURE
+  { role: AC_INTERNAL_ROLE_LECTURE, action: AC_ACTIONS.READ, resource: '/management/identities' },
+
+  { role: AC_INTERNAL_ROLE_LECTURE, action: AC_ACTIONS.READ, resource: '/management/lifecycle' },
+
+  // AC_INTERNAL_ROLE_ECRITURE
+  { role: AC_INTERNAL_ROLE_ECRITURE, action: AC_ACTIONS.CREATE, resource: '/management/identities' },
+  { role: AC_INTERNAL_ROLE_ECRITURE, action: AC_ACTIONS.UPDATE, resource: '/management/identities' },
+  { role: AC_INTERNAL_ROLE_ECRITURE, action: AC_ACTIONS.DELETE, resource: '/management/identities' },
+
+  { role: AC_INTERNAL_ROLE_ECRITURE, action: AC_ACTIONS.CREATE, resource: '/management/lifecycle' },
+  { role: AC_INTERNAL_ROLE_ECRITURE, action: AC_ACTIONS.UPDATE, resource: '/management/lifecycle' },
+  { role: AC_INTERNAL_ROLE_ECRITURE, action: AC_ACTIONS.DELETE, resource: '/management/lifecycle' },
+
+  // AC_INTERNAL_ROLE_GESTION
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.READ, resource: '/core/agents' },
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.CREATE, resource: '/core/agents' },
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.UPDATE, resource: '/core/agents' },
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.DELETE, resource: '/core/agents' },
+
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.READ, resource: '/core/audits' },
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.CREATE, resource: '/core/audits' },
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.UPDATE, resource: '/core/audits' },
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.DELETE, resource: '/core/audits' },
+
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.READ, resource: '/core/cron' },
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.CREATE, resource: '/core/cron' },
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.UPDATE, resource: '/core/cron' },
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.DELETE, resource: '/core/cron' },
+
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.READ, resource: '/core/jobs' },
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.CREATE, resource: '/core/jobs' },
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.UPDATE, resource: '/core/jobs' },
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.DELETE, resource: '/core/jobs' },
+
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.READ, resource: '/settings/mailadm' },
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.CREATE, resource: '/settings/mailadm' },
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.UPDATE, resource: '/settings/mailadm' },
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.DELETE, resource: '/settings/mailadm' },
+
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.READ, resource: '/settings/passwdadm' },
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.CREATE, resource: '/settings/passwdadm' },
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.UPDATE, resource: '/settings/passwdadm' },
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.DELETE, resource: '/settings/passwdadm' },
+
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.READ, resource: '/settings/smsadm' },
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.CREATE, resource: '/settings/smsadm' },
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.UPDATE, resource: '/settings/smsadm' },
+  { role: AC_INTERNAL_ROLE_GESTION, action: AC_ACTIONS.DELETE, resource: '/settings/smsadm' },
+] as const

apps/api/src/core/roles/_dto/parts/access.part.dto.ts

@@ -1,20 +1,22 @@
 import { ApiProperty } from '@nestjs/swagger'
-import { IsString, IsNotEmpty, IsNumber, IsDate, IsOptional, IsArray, IsEnum, IsUrl, IsDataURI } from 'class-validator'
+import { IsString, IsNotEmpty, IsOptional, IsArray, IsEnum, Matches } from 'class-validator'
 import { AC_ACTIONS, AC_POSSESSIONS } from '~/_common/types/ac-types'
 
 export class AccessPartDTO {
   @IsString()
   @IsNotEmpty()
   @ApiProperty()
-  @IsDataURI()
+  @Matches(/^\/(?!.*\/$).+$/, {
+    message: 'Le champ resource doit correspondre au chemin d\'accès d\'une route NestJS ex: "/core/roles" (doit commencer par / et ne pas finir par /)',
+  })
   public resource: string
 
   @IsArray()
   @IsString({ each: true })
   @IsNotEmpty()
   @IsEnum(AC_ACTIONS, { each: true })
   @ApiProperty({ enum: AC_ACTIONS })
-  public actions: AC_ACTIONS[]
+  public action: AC_ACTIONS[]
 
   @IsString()
   @IsOptional()

apps/api/src/core/roles/_dto/roles.dto.ts

@@ -1,9 +1,11 @@
 import { ApiProperty, PartialType } from "@nestjs/swagger"
 import { Type } from "class-transformer"
-import { IsArray, IsMongoId, IsNotEmpty, IsOptional, IsString, ValidateNested } from "class-validator"
+import { IsArray, IsMongoId, IsNotEmpty, IsOptional, IsString, Matches, ValidateNested } from "class-validator"
 import { CustomFieldsDto } from "~/_common/abstracts/dto/custom-fields.dto"
 import { AccessPartDTO } from "./parts/access.part.dto"
 
+import { AC_INTERNAL_ROLE_PREFIX } from "~/_common/types/ac-types"
+
 export class RolesCreateDto extends CustomFieldsDto {
   /**
    * Nom du rôle.
@@ -13,6 +15,9 @@ export class RolesCreateDto extends CustomFieldsDto {
    */
   @IsString()
   @IsNotEmpty()
+  @Matches(new RegExp(`^(?!${AC_INTERNAL_ROLE_PREFIX}).+$`), {
+    message: `Le nom ne peut pas commencer par "${AC_INTERNAL_ROLE_PREFIX}" (préfixe réservé)`,
+  })
   @ApiProperty()
   public name: string
 

apps/api/src/core/roles/_schemas/roles.schema.ts

@@ -1,7 +1,7 @@
 import { Prop, Schema, SchemaFactory } from "@nestjs/mongoose"
 import { AbstractSchema } from "~/_common/abstracts/schemas/abstract.schema"
 import { AccessPart, AccessPartSchema } from "./_parts/access.part.schema"
-import { AC_ADMIN_ROLE, AC_GUEST_ROLE } from "~/_common/types/ac-types"
+import { AC_ADMIN_ROLE, AC_GUEST_ROLE, AC_INTERNAL_ROLE_PREFIX } from "~/_common/types/ac-types"
 
 @Schema({ versionKey: false })
 export class Roles extends AbstractSchema {
@@ -16,6 +16,7 @@ export class Roles extends AbstractSchema {
         return v.length > 0
           && !v.includes(' ')
           && !!/[a-z0-9-_]+/.test(v)
+          && !v.startsWith(AC_INTERNAL_ROLE_PREFIX)
           && ![AC_ADMIN_ROLE, AC_GUEST_ROLE].includes(v)
       },
       message: 'Le nom doit être composé de lettres, de chiffres, de tirets et de underscores et ne peut pas être un mot reservé.',
@@ -37,7 +38,7 @@ export class Roles extends AbstractSchema {
 
   @Prop({
     type: [String],
-    default: [],
+    default: ['guest'],
     trim: true,
     lowercase: true,
   })

apps/api/src/core/roles/roles.controller.ts

@@ -3,7 +3,7 @@ import { RolesService } from "./roles.service"
 import { ApiParam, ApiTags } from "@nestjs/swagger"
 import { Body, Controller, Delete, Get, HttpStatus, Param, Patch, Post, Query, Res, UseGuards } from "@nestjs/common"
 import { ApiCreateDecorator } from "~/_common/decorators/api-create.decorator"
-import { RolesCreateDto, RolesDto } from "./_dto/roles.dto"
+import { RolesCreateDto, RolesDto, RolesUpdateDto } from "./_dto/roles.dto"
 import { Response } from "express"
 import { ApiPaginatedDecorator } from "~/_common/decorators/api-paginated.decorator"
 import { PickProjectionHelper } from "~/_common/helpers/pick-projection.helper"
@@ -12,10 +12,9 @@ import { FilterOptions, FilterSchema, ObjectIdValidationPipe, SearchFilterOption
 import { ApiReadResponseDecorator } from "~/_common/decorators/api-read-response.decorator"
 import { Types } from "mongoose"
 import { ApiUpdateDecorator } from "~/_common/decorators/api-update.decorator"
-import { AgentsDto, AgentsUpdateDto } from "../agents/_dto/agents.dto"
 import { ApiDeletedResponseDecorator } from "~/_common/decorators/api-deleted-response.decorator"
 import { UseRoles } from "~/_common/decorators/use-roles.decorator"
-import { AC_ACTIONS, AC_ADMIN_ROLE, AC_DEFAULT_POSSESSION, AC_GUEST_ROLE } from "~/_common/types/ac-types"
+import { AC_ACTIONS, AC_ALL_DEFAULT_ROLES, AC_DEFAULT_POSSESSION, AC_GUEST_ROLE } from "~/_common/types/ac-types"
 import { Roles } from "./_schemas/roles.schema"
 import { AclRuntimeService } from "./acl-runtime.service"
 
@@ -48,24 +47,30 @@ export class RolesController extends AbstractController {
   })
   public async list(
     @Res() res: Response,
+    @Query('excludeAdmin') excludeAdmin: string,
+    @Query('excludeGuest') excludeGuest: string,
   ): Promise<Response> {
-    const data = await this._service.find(null, { name: 1, displayName: 1 }) as unknown as Roles[]
+    const data = await this._service.find(null, { name: 1, displayName: 1, description: 1 }) as unknown as Roles[]
+
+    const shouldExcludeAdmin = `${excludeAdmin ?? ''}`.toLowerCase() === 'true'
+    const shouldExcludeGuest = `${excludeGuest ?? ''}`.toLowerCase() === 'true'
+    const filter = (r: { name: string }) =>
+      (!shouldExcludeAdmin || r.name !== 'admin')
+      && (!shouldExcludeGuest || r.name !== 'guest')
 
     return res.status(HttpStatus.OK).json({
       statusCode: HttpStatus.OK,
       data: [
-        {
-          name: AC_ADMIN_ROLE,
-          displayName: AC_ADMIN_ROLE.charAt(0).toUpperCase() + AC_ADMIN_ROLE.slice(1),
-        },
-        {
-          name: AC_GUEST_ROLE,
-          displayName: AC_GUEST_ROLE.charAt(0).toUpperCase() + AC_GUEST_ROLE.slice(1),
-        },
+        ...AC_ALL_DEFAULT_ROLES.map((r) => ({
+          name: r.name,
+          displayName: r.displayName,
+          description: (r as any).description,
+        })).filter(filter),
         ...data.map((role) => ({
           name: role.name,
           displayName: role.displayName || role.name.charAt(0).toUpperCase() + role.name.slice(1),
-        })),
+          description: role.description,
+        })).filter(filter),
       ],
     })
   }
@@ -155,7 +160,9 @@ export class RolesController extends AbstractController {
     @Param('_id', ObjectIdValidationPipe) _id: Types.ObjectId,
     @Res() res: Response,
   ): Promise<Response> {
-    const data = await this._service.findById(_id)
+    const data = await this._service.findById(_id) as unknown as Roles
+    data.inherits = data.inherits.filter((inherit) => inherit !== AC_GUEST_ROLE)
+
     return res.status(HttpStatus.OK).json({
       statusCode: HttpStatus.OK,
       data,
@@ -169,14 +176,15 @@ export class RolesController extends AbstractController {
     possession: AC_DEFAULT_POSSESSION,
   })
   @ApiParam({ name: '_id', type: String })
-  @ApiUpdateDecorator(AgentsUpdateDto, AgentsDto)
+  @ApiUpdateDecorator(RolesUpdateDto, RolesDto)
   public async update(
     @Param('_id', ObjectIdValidationPipe) _id: Types.ObjectId,
-    @Body() body: AgentsUpdateDto,
+    @Body() body: RolesUpdateDto,
     @Res() res: Response,
   ): Promise<Response> {
     const data = await this._service.update(_id, body)
     await this._aclRuntimeService.refresh()
+
     return res.status(HttpStatus.OK).json({
       statusCode: HttpStatus.OK,
       data,
@@ -190,7 +198,7 @@ export class RolesController extends AbstractController {
     possession: AC_DEFAULT_POSSESSION,
   })
   @ApiParam({ name: '_id', type: String })
-  @ApiDeletedResponseDecorator(AgentsDto)
+  @ApiDeletedResponseDecorator(RolesDto)
   public async remove(
     @Param('_id', ObjectIdValidationPipe) _id: Types.ObjectId,
     @Res() res: Response,