All files / src/platform/permissions/schemas permission.schema.ts

0% Statements 0/41
0% Branches 0/4
100% Functions 0/0
0% Lines 0/33

Press n or j to go to the next uncovered block, b, p or k for the previous block.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104                                                                                                                                                                                                               
import { Prop, Schema, SchemaFactory } from '@nestjs/mongoose';
import { Document, Schema as MongooseSchema } from 'mongoose';
 
@Schema({ timestamps: true, collection: 'policy_definitions' })
export class PolicyDefinition extends Document {
  @Prop({ required: true, index: true })
  tenantId: string;
 
  @Prop({ required: true })
  name: string;
 
  @Prop({ default: null })
  description: string;
 
  @Prop({ type: [MongooseSchema.Types.Mixed], required: true })
  statements: Array<{
    effect: 'ALLOW' | 'DENY';
    actions: string[]; // e.g. ['read', 'update', 'delete']
    resources: string[]; // e.g. ['Invoice', 'User']
    dataScope?:
      | 'OWN'
      | 'ASSIGNED'
      | 'CREATED'
      | 'TEAM'
      | 'DEPARTMENT'
      | 'BRANCH'
      | 'COMPANY'
      | 'CUSTOM';
    conditions?: Array<{
      field: string;
      operator: string;
      value: any;
    }>;
  }>;
 
  @Prop({ default: 100 })
  priority: number; // Higher number evaluated first in deny-overrides
}
export const PolicyDefinitionSchema =
  SchemaFactory.createForClass(PolicyDefinition);
PolicyDefinitionSchema.index({ tenantId: 1 });
 
@Schema({ timestamps: true, collection: 'policy_assignments' })
export class PolicyAssignment extends Document {
  @Prop({ required: true, index: true })
  tenantId: string;
 
  @Prop({ required: true, index: true })
  policyId: string;
 
  @Prop({ default: null, index: true })
  userId: string; // Direct user assignment
 
  @Prop({ default: null, index: true })
  roleId: string; // Assignment by role
}
export const PolicyAssignmentSchema =
  SchemaFactory.createForClass(PolicyAssignment);
PolicyAssignmentSchema.index({ tenantId: 1, userId: 1 });
 
@Schema({ timestamps: true, collection: 'field_policies' })
export class FieldPolicy extends Document {
  @Prop({ required: true, index: true })
  tenantId: string;
 
  @Prop({ required: true, index: true })
  roleId: string;
 
  @Prop({ required: true })
  entity: string; // e.g. 'Employee'
 
  @Prop({ required: true })
  field: string; // e.g. 'salary'
 
  @Prop({ required: true, default: 'READ' })
  access: 'READ' | 'WRITE' | 'HIDE';
}
export const FieldPolicySchema = SchemaFactory.createForClass(FieldPolicy);
 
@Schema({ timestamps: true, collection: 'permission_evaluation_logs' })
export class PermissionEvaluationLog extends Document {
  @Prop({ required: true, index: true })
  tenantId: string;
 
  @Prop({ required: true, index: true })
  userId: string;
 
  @Prop({ required: true })
  resource: string;
 
  @Prop({ required: true })
  action: string;
 
  @Prop({ required: true })
  decision: 'ALLOW' | 'DENY';
 
  @Prop({ default: null })
  reason: string;
}
export const PermissionEvaluationLogSchema = SchemaFactory.createForClass(
  PermissionEvaluationLog,
);
PermissionEvaluationLogSchema.index({ tenantId: 1, createdAt: -1 });