relations

entity relationship, role, and permissions API for Node.js

relations

entity relationship, role, and permissions API for Node.js

relations is a simple permissions API which uses a natural language approach.

First, you'll create a context, which contains a list of roles which map to actions. Here we'll create a context called repos, to model Github repositories.

var relations = require('relations');
 
relations.define('repos', {
  owner: ['pull', 'push', 'administrate'],
  collaborator: ['pull', 'push'],
  watcher: ['pull']
});

Defining the context makes available a method on relations that matches the context name, in this case, relations.repos(). For permission checks, this is the only method we'll need to call.

To add or modify roles at runtime, you can also use the following methods:

// add a role dynamically 
relations.repos.addRole('scientist', ['test', 'hyphothesize']);
// update the actions for a role 
relations.repos.updateRole('scientist', ['test', 'hypothesize', 'absquatulate']);
// remove a role 
relations.repos.removeRole('scientist');

Please note that the role -> action map is defined exclusively in the code, and not stored. If you run a cluster of servers, and choose to use dynamic roles, you must call addRole() etc on ALL servers in the cluster (I suggest using pub/sub).

Now, we need to tell our app who has those roles for which repos.

relations.repos('Carlos is the owner of buffet.');

This assigns the role owner to the subject Carlos for the object buffet.

Note that the API has multiple syntaxes, and this is functionally equivalent:

relations.repos(':user is owner of :repo', {user: 'Carlos', repo: 'buffet'});

As is this:

relations.repos('%s is an owner of %s', 'Carlos', 'buffet');

To assign a role which should apply to all objects, simply leave the object out of the sentence:

relations.repos('%s is a watcher.', 'Brian');

Note: Using token replacements is recommended, to prevent injection attacks!

The syntax for a declaration consists of:

<subject> is [ a / an / the ] <role> [ [ of / to / from / in / with ] <object> ] [.]

To ask if a user can perform an action:

relations.repos('Can %s pull?', 'Brian', function (errcan) {
  // can = true (based on "watcher" role) 
});

We can also check if an action can be performed on a specific object:

relations.repos('Can %s push to buffet?', 'Brian', function (errcan) {
  // can = false (Brian doesn't have "owner" or "collaborator" roles) 
});

The syntax for an verb question consists of:

( Can | can ) <subject> <verb> [ [ of / to / from / in / with ] <object> ] [?]

To check if a user has a role:

relations.repos('Is %s a collaborator of %s?', 'Brian', 'buffet', function (erris) {
  // is = false 
});

We can also leave the object out to check for a global role:

relations.repos('Is %s a %s?', 'Brian', 'watcher', function (erris) {
  // is = true 
});

The syntax for a role question consists of:

( Is | is ) <subject> [ a / an / the ] <role> [ [ of / to / from / in / with ] <object> ] [?]

In addition to true/false checks, relations can return an array of objects which match certain criteria. For example:

relations.repos('What can %s pull from?', 'Carlos', function (errrepos) {
  // repos = ['buffet'] 
});

The syntax for a verb request consists of:

( What | what ) can <subject> <verb> [ of / to / from / in / with ] [?]

Also, we can ask for an array of objects a user has a role for:

relations.repos('What is %s the owner of?', 'Carlos', function (errrepos) {
  // repos = ['buffet'] 
});

The syntax for a role request consists of:

( What | what ) is <subject> [ a / an / the ] <role> [ of / to / from / in / with ] [?]

To request an array of subjects who can perform an action on an object:

relations.repos('Who can pull from %s?', 'buffet', function (errusers) {
  // users = ['Carlos'] 
});
( Who | who ) can <verb> [ of / to / from / in / with ] <object> [?]

To request an array of subjects who have a role for an object:

relations.repos('Who is the owner of %s?', 'buffet', function (errusers) {
  // users = ['Carlos'] 
});
( Who | who ) is [ a / an / the ] <role> [ of / to / from / in / with ] <object> [?]

To request an array of verbs a subject can perform on an object:

relations.repos('What actions can %s do with %s?', 'Carlos', 'buffet', function (errverbs) {
  // verbs = ['pull', 'push', 'administrate'] 
});
What actions can <subject> do [ of / to / from / in / with ] <object> [?]

To get a map of object->role pairs for a subject:

relations.repos('Describe what %s can do', 'Carlos', function (errmap) {
  // map = { '': [ 'watcher' ], 
             'buffet': [ 'owner' ] }
});
[ Describe / detail / explain / get ] what <subject> can do [.]

To get a map of subject->role pairs, optionally pertaining to an object:

relations.repos('Get who can act', function (errmap) {
  // map = { 'carlos': [ 'watcher' ], 
             'brian': [ 'watcher' ] }
});
relations.repos('Explain who can act on %s', 'buffet', function (errmap) {
  // map = { 'carlos': [ 'owner' ] } 
});
[ Describe / detail / explain / get ] who can act [ on <object> ] [.]

To revoke a role:

relations.repos('%s is not the owner of %s', 'Carlos', 'buffet');
<subject> ( is not | isn't ) [ a / an / the ] <role> [ [ of / to / from / in / with ] <object> ] [.]

Data can be persisted through database plugins or a flat file. To use a flat file, initialize relations like this:

var relations = require('relations');
relations.use(relations.stores.memory, {dataFile: '/path/to/datafile.json'});

relations will store and load data, as a JSON blob, in the specified file.

Two additional data stores are provided: Redis and MySQL.

To use the redis store, your app must make a node_redis client and pass it like so:

var relations = require('relations')
  , redis = require('redis')
 
relations.use(relations.stores.redis, {
  client: redis.createClient(),
  prefix: 'optional-key-prefix'
});

To use the MySQL store, your app must make a node-mysql client and pass it like so:

var relations = require('relations')
  , mysql = require('mysql')
 
relations.use(relations.stores.mysql, {client: mysql.createConnection({user: 'root', database: 'test'})});

A relations store is simply a node module that exports an event emitter and responds to the following events:

Initialize the store with options (from relations.use()) and call cb(err) when done.

Respond to a declaration and call cb() when done. cmd will be an object containing the properties:

  • ctx - context object
  • subject
  • role
  • object (optional)

Respond to a revocation and call cb() when done. cmd will be an object containing the properties:

  • ctx - context object
  • subject
  • role
  • object (optional)

Respond to a verb question and call cb(err, /* boolean */ can) with the result. cmd will be an object containing the properties:

  • ctx - context object
  • subject
  • verb
  • object (optional)

Respond to a role question and call cb(err, /* boolean */ is) with the result. cmd will be an object containing the properties:

  • ctx - context object
  • subject
  • role
  • object (optional)

Respond to a verb request and call cb(err, /* array */ objects) with the result. cmd will be an object containing the properties:

  • ctx - context object
  • subject
  • verb

Respond to a role request and call cb(err, /* array */ objects) with the result. cmd will be an object containing the properties:

  • ctx - context object
  • subject
  • role

Respond to a verb subject request and call cb(err, /* array */ subjects) with the result. cmd will be an object containing the properties:

  • ctx - context object
  • verb
  • object

Respond to a role subject request and call cb(err, /* array */ subjects) with the result. cmd will be an object containing the properties:

  • ctx - context object
  • role
  • object

Respond to an object verb request and call cb(err, /* array */ verbs) with the result. cmd will be an object containing the properties:

  • ctx - context object
  • object
  • subject

Respond to an object-role map request and call cb(err, /* object */ map) with the result. cmd will be an object containing the properties:

  • ctx - context object
  • subject

Respond to a subject-role map request and call cb(err, /* object */ map) with the result. cmd will be an object containing the properties:

  • ctx - context object
  • object (optional)

Reset the store, dumping all storage and structure, calling cb(err) when done.


Developed by Terra Eclipse

Terra Eclipse, Inc. is a nationally recognized political technology and strategy firm located in Aptos, CA and Washington, D.C.


  • Copyright (C) 2012 Carlos Rodriguez (http://s8f.org/)
  • Copyright (C) 2012 Terra Eclipse, Inc. (http://www.terraeclipse.com/)

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.