entity relationship, role, and permissions API for Node.js
npm install relationsrelations
=========
entity relationship, role, and permissions API for Node.js
relations is a simple permissions API which uses a natural language approach.
Contexts
--------
First, you'll create a context, which contains a list of roles which map to
actions. Here we'll create a context called repos, to model Github repositories.
``js
var relations = require('relations');
relations.define('repos', {
owner: ['pull', 'push', 'administrate'],
collaborator: ['pull', 'push'],
watcher: ['pull']
});
`
Defining the context makes available a method on relations that matches therelations.repos()
context name, in this case, . For permission checks, this is
the only method we'll need to call.
To add or modify roles at runtime, you can also use the following methods:
`js`
// add a role dynamically
relations.repos.addRole('scientist', ['test', 'hyphothesize']);
// update the actions for a role
relations.repos.updateRole('scientist', ['test', 'hypothesize', 'absquatulate']);
// remove a role
relations.repos.removeRole('scientist');
Please note that the role -> action map is defined exclusively in the code,
and not stored. If you run a cluster of servers, and choose to use dynamic roles,
you must call addRole() etc on ALL servers in the cluster (I suggest using
pub/sub).
Declarations
------------
Now, we need to tell our app who has those roles for which repos.
`js`
relations.repos('Carlos is the owner of buffet.');
This assigns the role owner to the subject Carlos for the object buffet.
Note that the API has multiple syntaxes, and this is functionally equivalent:
`js`
relations.repos(':user is owner of :repo', {user: 'Carlos', repo: 'buffet'});
As is this:
`js`
relations.repos('%s is an owner of %s', 'Carlos', 'buffet');
To assign a role which should apply to all objects, simply leave the object out
of the sentence:
`js`
relations.repos('%s is a watcher.', 'Brian');
Note: Using token replacements is recommended, to prevent injection attacks!
The syntax for a declaration consists of:
`
Verb question
-------------
To ask if a user can perform an action:
`js`
relations.repos('Can %s pull?', 'Brian', function (err, can) {
// can = true (based on "watcher" role)
});
We can also check if an action can be performed on a specific object:
`js`
relations.repos('Can %s push to buffet?', 'Brian', function (err, can) {
// can = false (Brian doesn't have "owner" or "collaborator" roles)
});
The syntax for an verb question consists of:
`
( Can | can )
Role question
-------------
To check if a user has a role:
`js`
relations.repos('Is %s a collaborator of %s?', 'Brian', 'buffet', function (err, is) {
// is = false
});
We can also leave the object out to check for a global role:
`js`
relations.repos('Is %s a %s?', 'Brian', 'watcher', function (err, is) {
// is = true
});
The syntax for a role question consists of:
`
( Is | is )
Verb request
------------
In addition to true/false checks, relations can return an array of objects
which match certain criteria. For example:
`js`
relations.repos('What can %s pull from?', 'Carlos', function (err, repos) {
// repos = ['buffet']
});
The syntax for a verb request consists of:
`
( What | what ) can
Role request
------------
Also, we can ask for an array of objects a user has a role for:
`js`
relations.repos('What is %s the owner of?', 'Carlos', function (err, repos) {
// repos = ['buffet']
});
The syntax for a role request consists of:
`
( What | what ) is
Verb subject request
--------------------
To request an array of subjects who can perform an action on an object:
`js`
relations.repos('Who can pull from %s?', 'buffet', function (err, users) {
// users = ['Carlos']
});
`
( Who | who ) can
Role subject request
--------------------
To request an array of subjects who have a role for an object:
`js`
relations.repos('Who is the owner of %s?', 'buffet', function (err, users) {
// users = ['Carlos']
});
`
( Who | who ) is [ a / an / the ]
Object verb request
-------------------
To request an array of verbs a subject can perform on an object:
`js`
relations.repos('What actions can %s do with %s?', 'Carlos', 'buffet', function (err, verbs) {
// verbs = ['pull', 'push', 'administrate']
});
`
What actions can
Object-Role map request
-----------------------
To get a map of object->role pairs for a subject:
`js`
relations.repos('Describe what %s can do', 'Carlos', function (err, map) {
// map = { '': [ 'watcher' ],
'buffet': [ 'owner' ] }
});
`
[ Describe / detail / explain / get ] what
Subject-Role map request
-----------------------
To get a map of subject->role pairs, optionally pertaining to an object:
`js`
relations.repos('Get who can act', function (err, map) {
// map = { 'carlos': [ 'watcher' ],
'brian': [ 'watcher' ] }
});
`js`
relations.repos('Explain who can act on %s', 'buffet', function (err, map) {
// map = { 'carlos': [ 'owner' ] }
});
`
[ Describe / detail / explain / get ] who can act [ on
Revocation
----------
To revoke a role:
`js`
relations.repos('%s is not the owner of %s', 'Carlos', 'buffet');
`
Persistence
-----------
Data can be persisted through database plugins or a flat
file. To use a flat file, initialize relations like this:
`js`
var relations = require('relations');
relations.use(relations.stores.memory, {dataFile: '/path/to/datafile.json'});
relations will store and load data, as a JSON blob, in the specified file.
Pluggable data store
--------------------
Two additional data stores are provided: Redis and MySQL.
To use the redis store, your app must make a
node_redis client and pass it like so:
`js
var relations = require('relations')
, redis = require('redis')
relations.use(relations.stores.redis, {
client: redis.createClient(),
prefix: 'optional-key-prefix'
});
`
To use the MySQL store, your app must make a
node-mysql client and pass it like so:
`js
var relations = require('relations')
, mysql = require('mysql')
relations.use(relations.stores.mysql, {client: mysql.createConnection({user: 'root', database: 'test'})});
`
A relations store is simply a node module that exports an event emitter
and responds to the following events:
#### init (options, cb)
Initialize the store with options (from relations.use()) and call cb(err)
when done.
#### declaration (cmd, cb)
Respond to a declaration and call cb() when done. cmd will be an object
containing the properties:
- ctx - context object
- subject
- role
- object (optional)
#### revocation (cmd, cb)
Respond to a revocation and call cb() when done. cmd will be an object
containing the properties:
- ctx - context object
- subject
- role
- object (optional)
Respond to a verb question and call cb(err, / boolean / can) with the result.cmd will be an object containing the properties:
- ctx - context object
- subject
- verb
- object (optional)
Respond to a role question and call cb(err, / boolean / is) with the result.cmd will be an object containing the properties:
- ctx - context object
- subject
- role
- object (optional)
Respond to a verb request and call cb(err, / array / objects) with the result.cmd will be an object containing the properties:
- ctx - context object
- subject
- verb
Respond to a role request and call cb(err, / array / objects) with the result.cmd will be an object containing the properties:
- ctx - context object
- subject
- role
Respond to a verb subject request and call cb(err, / array / subjects) withcmd
the result. will be an object containing the properties:
- ctx - context object
- verb
- object
Respond to a role subject request and call cb(err, / array / subjects) withcmd
the result. will be an object containing the properties:
- ctx - context object
- role
- object
Respond to an object verb request and call cb(err, / array / verbs) withcmd
the result. will be an object containing the properties:
- ctx - context object
- object
- subject
Respond to an object-role map request and call cb(err, / object / map) withcmd
the result. will be an object containing the properties:
- ctx - context object
- subject
Respond to a subject-role map request and call cb(err, / object / map) withcmd
the result. will be an object containing the properties:
- ctx - context object
- object (optional)
Reset the store, dumping all storage and structure, calling cb(err)` when done.
- - -
- - -
- Copyright (C) 2012 Carlos Rodriguez (http://s8f.org/)
- Copyright (C) 2012 Terra Eclipse, Inc. (http://www.terraeclipse.com/)
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is furnished
to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.