import { GraphqlClient } from './../common/GraphqlClient';
import { ManagementTokenProvider } from './ManagementTokenProvider';
import { IAppAccessPolicy, IAppAccessPolicyQueryFilter, IApplication, IApplicationAccessPolicies, IResourceDto, IResourceQueryFilter, IResourceResponse, IResourceUpdateDto, ManagementClientOptions, Namespace, Namespaces, ProgrammaticAccessAccount, ProgrammaticAccessAccountList } from './types';
import { AuthorizeResourceOpt, CommonMessage, PaginatedAuthorizedResources, PolicyAssignmentTargetType, ResourceType } from '../../types/graphql.v2';
import { HttpClient } from '../common/HttpClient';
/**
 * @class AclManagementClient Access control and permission management
 * @description approw builds its permission model on PBAC (Policy Based Access Control),
 * which can be combined with RBAC (Role Based Access Control) for flexible, fine-grained access control.
 * This module abstracts that model into two core methods: allow and isAllowed.
 *
 * NOTE(review): several methods below are declared as returning a bare `Promise`.
 * The type arguments look like they were lost from this listing, so take the
 * resolved types from the declaration file shipped with the package.
 *
 * @example
 *
 * Do not construct this class directly; obtain it through ManagementClient:
 *
 * ```javascript
 * import { ManagementClient } from "approw-js-sdk"
 * const managementClient = new ManagementClient({
 *   userPoolId: "YOUR_USERPOOL_ID",
 *   secret: "YOUR_USERPOOL_SECRET",
 * })
 * managementClient.acl.allow // Allow a user to perform an operation on a resource
 * managementClient.acl.isAllowed // Check whether a user may perform an operation on a resource
 * ```
 *
 * The user pool secret is a management credential: supply it from a secret store or
 * an environment variable rather than committing it to source.
 *
 * @name AclManagementClient
 */
export declare class AclManagementClient {
    // Options, transports and token provider handed to the constructor.
    options: ManagementClientOptions;
    graphqlClient: GraphqlClient;
    httpClient: HttpClient;
    tokenProvider: ManagementTokenProvider;
    constructor(options: ManagementClientOptions, graphqlClient: GraphqlClient, httpClient: HttpClient, tokenProvider: ManagementTokenProvider);
    /**
     * Generate a random string.
     *
     * NOTE(review): the randomness source is not visible in this declaration. Confirm that
     * the implementation uses a cryptographically secure generator before relying on the
     * result as a secret or token.
     *
     * @param randomLenth length of the generated string (the misspelled name is part of the API and is kept)
     * @returns string
     */
    static randomString(randomLenth?: number): string;
    /**
     * @name allow
     * @name_zh Allow a user to perform a certain operation on a certain resource
     *
     * @description Allow a user to perform a certain operation on a certain resource.
     * Arguments are passed in signature order: userId, resource, action, namespace.
     *
     * Wildcards widen a grant: in the second example below, `books:*` on both resource and
     * action lets the user read and edit every book. Grant the narrowest resource and
     * action that the use case needs.
     *
     * @param {string} userId user ID
     * @param {string} resource Resource name, either `*` or a colon-separated `type:id` form, such as `*`, `books:123`, `books:*`
     * @param {string} action Operation name; a colon-separated `type:operation` form is recommended, such as `books:edit`, `books:list`
     * @param {string} namespace presumably the code of the permission group (namespace) the grant belongs to; confirm against the implementation.
     * NOTE(review): the examples below omit this argument although the signature requires it.
     * @example
     * managementClient.acl.allow('USERID1', 'books:123', 'books:read')
     * managementClient.acl.isAllowed('USERID1', 'books:123', 'books:read') // true
     * managementClient.acl.isAllowed('USERID1', 'books:123', 'books:edit') // false
     *
     * @example
     * managementClient.acl.allow('USERID2', 'books:*', 'books:*')
     * managementClient.acl.isAllowed('USERID2', 'books:123', 'books:read') // true
     * managementClient.acl.isAllowed('USERID2', 'books:124', 'books:edit') // true
     *
     * @returns {Promise}
     * @memberof AclManagementClient
     */
    allow(userId: string, resource: string, action: string, namespace: string): Promise;
    /**
     * @name isAllowed
     * @name_zh Determine whether a user has a certain operation authority for a certain resource
     *
     * @description Determine whether a user is permitted to perform a certain operation on a certain resource.
     * Arguments are passed in signature order: userId, resource, action, opts.
     *
     * Callers that enforce access with this check should fail closed: treat a rejected
     * promise, or any result other than `true`, as a denial.
     *
     * @param {string} userId user ID
     * @param {string} resource Resource name, either `*` or a colon-separated `type:id` form, such as `*`, `books:123`, `books:*`
     * @param {string} action Operation name; a colon-separated `type:operation` form is recommended, such as `books:edit`, `books:list`
     * @param opts.namespace optional; presumably the permission group (namespace) code to evaluate in (confirm)
     * @example
     * managementClient.acl.isAllowed('USERID', 'books:*', 'books:edit')
     *
     * @returns {Promise} whether the user has the operation permission
     * @memberof AclManagementClient
     *
     */
    isAllowed(userId: string, resource: string, action: string, opts?: {
        namespace?: string;
    }): Promise;
    /**
     * @description Get all resources authorized to a subject.
     *
     * @param targetType type of the subject (a PolicyAssignmentTargetType value)
     * @param targetIdentifier identifier of the subject; the earlier comment described this as the user ID
     * @param namespace presumably the permission group (namespace) code; confirm
     * @param options.resourceType optional; presumably restricts the result to one resource type (confirm)
     */
    listAuthorizedResources(targetType: PolicyAssignmentTargetType, targetIdentifier: string, namespace: string, options?: {
        resourceType?: ResourceType;
    }): Promise;
    /**
     * @description Authorize a resource (or class of resources) to users, roles, groups, and organizations;
     * different operation permissions can be specified per subject.
     *
     * @param params.namespace presumably the permission group (namespace) code; confirm
     * @param params.resource resource being authorized
     * @param params.opts authorization entries; their shape is defined by AuthorizeResourceOpt in the graphql.v2 types
     */
    authorizeResource(params: {
        namespace: string;
        resource: string;
        opts: AuthorizeResourceOpt[];
    }): Promise;
    /**
     * @description Obtain the users, groups, roles, and organizations that have operation permissions
     * for a resource (or class of resources). Useful for auditing who holds access to a resource.
     * @param options.namespace {string} Authorization group identification
     * @param options.resource {string} Resource ID
     * @param options.resourceType {string} Resource type, one of 'BUTTON', 'UI', 'MENU', 'API', 'DATA'
     * @param options.actions optional filter on resource operation IDs: `list` holds the IDs and `op` is 'AND' or 'OR'
     * (presumably how the listed operations are combined; confirm)
     * @param options.targetType {string} Filter item, specifies the type of returned subject; optional value: 'USER', 'ROLE', 'ORG', 'GROUP'
     */
    getAuthorizedTargets(options: {
        namespace: string;
        resource: string;
        resourceType: 'BUTTON' | 'UI' | 'MENU' | 'API' | 'DATA';
        actions?: {
            op: 'AND' | 'OR';
            list: string[];
        };
        targetType?: 'USER' | 'ROLE' | 'ORG' | 'GROUP';
    }): Promise<{
        totalCount?: number;
        list?: {
            targetType?: PolicyAssignmentTargetType;
            targetIdentifier?: string;
            actions?: string[];
        }[];
    }>;
    /**
     * List resources, optionally narrowed by a query filter.
     * @param options optional filter (IResourceQueryFilter)
     */
    listResources(options?: IResourceQueryFilter): Promise;
    /**
     * @deprecated use listResources
     * @param options
     */
    getResources(options?: IResourceQueryFilter): Promise;
    /**
     * Create a resource from the given definition.
     * @param options resource definition (IResourceDto)
     */
    createResource(options: IResourceDto): Promise;
    /**
     * Update the resource identified by `code`.
     * @param code resource code
     * @param options fields to update (IResourceUpdateDto)
     */
    updateResource(code: string, options: IResourceUpdateDto): Promise;
    /**
     * Delete the resource identified by `code`.
     * @param code resource code
     * @param namespace presumably the permission group (namespace) code the resource belongs to; confirm
     */
    deleteResource(code: string, namespace: string): Promise;
    /**
     * Get the access policies of an application.
     * @param options query filter (IAppAccessPolicyQueryFilter)
     */
    getApplicationAccessPolicies(options: IAppAccessPolicyQueryFilter): Promise;
    /**
     * Enable an application access policy.
     * NOTE(review): this and the four methods that follow are documented from their names
     * only; confirm the exact semantics against the implementation.
     * @param options policy description (IAppAccessPolicy)
     * @returns result code and message
     */
    enableApplicationAccessPolicy(options: IAppAccessPolicy): Promise<{
        code: number;
        message: string;
    }>;
    /**
     * Disable an application access policy.
     * @param options policy description (IAppAccessPolicy)
     * @returns result code and message
     */
    disableApplicationAccessPolicy(options: IAppAccessPolicy): Promise<{
        code: number;
        message: string;
    }>;
    /**
     * Delete an application access policy.
     * @param options policy description (IAppAccessPolicy)
     * @returns result code and message
     */
    deleteApplicationAccessPolicy(options: IAppAccessPolicy): Promise<{
        code: number;
        message: string;
    }>;
    /**
     * Allow the subjects described by `options` to access an application.
     * @param options policy description (IAppAccessPolicy)
     * @returns result code and message
     */
    allowAccessApplication(options: IAppAccessPolicy): Promise<{
        code: number;
        message: string;
    }>;
    /**
     * Deny the subjects described by `options` access to an application.
     * @param options policy description (IAppAccessPolicy)
     * @returns result code and message
     */
    denyAccessApplication(options: IAppAccessPolicy): Promise<{
        code: number;
        message: string;
    }>;
    /**
     * Set the default access strategy of an application.
     *
     * NOTE(review): 'ALLOW_ALL' presumably admits every subject that no policy explicitly
     * denies, and 'DENY_ALL' the reverse; confirm against the service documentation.
     * 'DENY_ALL' is the least-privilege choice, and a switch to 'ALLOW_ALL' deserves review.
     *
     * @param options.defaultStrategy 'ALLOW_ALL' or 'DENY_ALL'
     * @param options.appId application ID
     */
    updateDefaultApplicationAccessPolicy(options: {
        defaultStrategy: 'ALLOW_ALL' | 'DENY_ALL';
        appId: string;
    }): Promise;
    /**
     * List programmatic access accounts
     * @param appId application ID
     * @param page current page number
     * @param limit Number of items displayed per page
     * @returns Promise
     */
    programmaticAccessAccountList(appId: string, page?: number, limit?: number): Promise;
    /**
     * Create a programmatic access account
     *
     * A shorter token lifetime narrows the window in which a leaked access token stays usable.
     *
     * @param appId Application ID
     * @param options.tokenLifetime AccessToken expiration time (seconds); required whenever `options` is passed
     * @param options.remarks Remarks
     * @returns Promise
     */
    createProgrammaticAccessAccount(appId: string, options?: {
        tokenLifetime: number;
        remarks?: string;
    }): Promise;
    /**
     * Delete a programmatic access account
     * @param programmaticAccessAccountId Programmatic access account ID
     * @returns Promise
     */
    deleteProgrammaticAccessAccount(programmaticAccessAccountId: string): Promise;
    /**
     * Refresh (rotate) the secret of a programmatic access account
     *
     * NOTE(review): this declaration does not show what happens when the secret argument is
     * omitted. A caller-supplied secret should be long and randomly generated, and it should
     * be kept out of logs.
     *
     * @param programmaticAccessAccountId Programmatic access account ID
     * @param programmaticAccessAccountSecret Programmatic access account Secret (optional)
     * @returns Promise
     */
    refreshProgrammaticAccessAccountSecret(programmaticAccessAccountId: string, programmaticAccessAccountSecret?: string): Promise;
    /**
     * Enable programmatic access account
     * @param programmaticAccessAccountId Programmatic access account ID
     * @returns Promise
     */
    enableProgrammaticAccessAccount(programmaticAccessAccountId: string): Promise;
    /**
     * Disable programmatic access account
     * @param programmaticAccessAccountId Programmatic access account ID
     * @returns Promise
     */
    disableProgrammaticAccessAccount(programmaticAccessAccountId: string): Promise;
    /**
     * List permission groups (namespaces)
     * @param page current page
     * @param limit Number of items displayed per page
     * @returns Promise
     */
    listNamespaces(page?: number, limit?: number): Promise;
    /**
     * Delete permission group
     * @param code Permission group Code
     * @returns Promise
     */
    deleteNamespace(code: string): Promise;
    /**
     * Create permission group
     * @param code Permission group Code
     * @param name Permission group name
     * @param description Permission group description
     * @returns Promise
     */
    createNamespace(code: string, name: string, description?: string): Promise;
    /**
     * Update permission group
     * @param code Code of the permission group to update
     * @param updates.name Permission group name
     * @param updates.code Permission group Code
     * @param updates.description Permission group description
     * @returns Promise
     */
    updateNamespace(code: string, updates: {
        name?: string;
        code?: string;
        description?: string;
    }): Promise;
}