Map group roles to scopes

2018-06-18 14:21:54 -07:00
parent b5c8e7a52a
commit 6cd0601629
5 changed files with 50 additions and 4 deletions
--- a/src/accesscontrol.js
+++ b/src/accesscontrol.js
@@ -16,6 +16,8 @@ exports = module.exports = {

    ROLE_OWNER: 'owner',

+    scopesForRoles: scopesForRoles,
+
    validateRoles: validateRoles,

    validateScopeString: validateScopeString,
@@ -24,6 +26,19 @@ exports = module.exports = {
    canonicalScopeString: canonicalScopeString
 };

+// https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions
+const ROLE_DEFINITIONS = {
+    'owner': {
+        scopes: exports.VALID_SCOPES
+    },
+    'manage_apps': {
+        scopes: [ 'apps', 'domains', 'users' ]
+    },
+    'manage_users': {
+        scopes: [ 'users' ]
+    }
+};
+
 var assert = require('assert'),
    debug = require('debug')('box:accesscontrol'),
    _ = require('underscore');
@@ -80,3 +95,17 @@ function hasScopes(authorizedScopes, requiredScopes) {

    return null;
 }
+
+function scopesForRoles(roles) {
+    assert(Array.isArray(roles), 'Expecting array');
+
+    var scopes = [ 'profile' ];
+
+    for (let r of roles) {
+        if (!ROLE_DEFINITIONS[r]) continue; // unknown or some legacy role
+
+        scopes = scopes.concat(ROLE_DEFINITIONS[r].scopes);
+    }
+
+    return _.uniq(scopes.sort(), true /* isSorted */);
+}