Readjustement of the introduction image and first version of casbin authorization mechanism

[Ghita2002]

No description provided.

[coveralls]

Pull Request Test Coverage Report for Build 3517567483

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

• For more information on this, see Tracking coverage changes with pull request builds.
• To avoid this issue with future PRs, see these Recommended CI Configurations.
• For a quick fix, rebase this PR at GitHub. Your next report should be accurate.

Details

• 0 of 0 changed or added relevant lines in 0 files are covered.
• 4 unchanged lines in 1 file lost coverage.
• Overall coverage decreased (-7.2%) to 56.825%

---

Files with Coverage Reduction	New Missed Lines	%
services/dkg/pedersen/controller/action.go	4	48.97%

Totals
Change from base Build 3320078377:	-7.2%
Covered Lines:	3272
Relevant Lines:	5758

---

💛 - Coveralls

[pierluca]

Nice progress !
I just made a quick pass on the codebase, this is not a full in-depth review and I'll let @emduc and @nkcr give their own feedback.

There are a couple of remarks that apply throughout. Let me know if you have questions 😄

[pierluca]

feel free to delete code that is not relevant anymore. Commented out code is generally frowned upon 😄

[pierluca]

are you sure that express supports async handlers natively?

[Ghita2002]

It's my mistake, I forgot to delete it. I was just trying some things while testing.

[pierluca]

if you have an async function, you don't need to do .then and .catch, you can just use await where you would use a then, and try/catch instead of .catch.

see https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/await

[pierluca]

avoid french words in the codebase 😁
also, you can reuse the same variable name, as it's scoped just to that function.

[Ghita2002]

Thanks for the view, it is fixed.

[pierluca]

Do you need a Promise.all if you're looking at just one promise resolving?
Why can't you do the following ?

Suggested change

	Promise.all([enforcerLoading])
	.then((res) => {
	[enf] = res;
	enforcerLoading
	.then((enf) => {

I may be missing something here, so do let me know if I'm wrong 😁

[pierluca]

this looks unused

[pierluca]

do you need this to be in the global scope, or could you put it (along with the promise resolution below) in an initialization function ?

[pierluca]

is there are a reason not to use isAuthorized here?

[Ghita2002]

I just forget it. It is fixed !

[pierluca]

As per our discussion today, this should work:

Suggested change

	e.then((enforcer) => {
	enforcer
	.enforce(req.session.userid, 'election', 'create')
	.then((isOk) => {
	if (isOk) {
	next();
	} else {
	res.status(400).send('Unauthorized - only admins and operators allowed');
	}
	})
	.catch((error) => console.log('error', error));
	}).catch((error1) => console.log('error', error1));
	e.then((enforcer) => {
	return enforcer
	.enforce(req.session.userid, 'election', 'create')
	.then((isOk) => {
	if (isOk) {
	next();
	} else {
	res.status(400).send('Unauthorized - only admins and operators allowed');
	}
	})
	}).catch((error) => console.log('error', error));

No need to do a double-catch 😁
And since you're directly returning a value, you could also do this (notice the absence of {} and return):

Suggested change

	e.then((enforcer) => {
	enforcer
	.enforce(req.session.userid, 'election', 'create')
	.then((isOk) => {
	if (isOk) {
	next();
	} else {
	res.status(400).send('Unauthorized - only admins and operators allowed');
	}
	})
	.catch((error) => console.log('error', error));
	}).catch((error1) => console.log('error', error1));
	e.then((enforcer) =>
	enforcer
	.enforce(req.session.userid, 'election', 'create')
	.then((isOk) => {
	if (isOk) {
	next();
	} else {
	res.status(400).send('Unauthorized - only admins and operators allowed');
	}
	})).catch((error) => console.log('error', error));

[Ghita2002]

I modify that using the proposition of Noemien.

[pierluca]

feel free to delete code, no need to comment it out 😁

[pierluca]

you could define and use the constants on the front-end as well.

[pierluca]

and here

[pierluca]

and here

[pierluca]

and here

[pierluca]

this kind of complex operations probably deserves its own function, that you can write a short test for.

[pierluca]

outside the scope of this PR: would it make sense to memoize this for performance reasons?

[pierluca]

do you really need the ? if you already have called m.has ?
conversely, why not just do m.get and do the push if the result is not null ?

[Ghita2002]

Even if I check m.has I still have the error (Object is possibly 'undefined') This why I used ?. However it can be a good way to test the result of m.get. I was just wondering how it is better than using ?

[pierluca]

I was thinking that here (and elsewhere) you're mixing up the details of the implementation (authorization is a map, permissions an array) and the actual concern (verifying access).

Could you add a helper function that will deal with these details ?
So that here (and elsewhere) you can just call something like hasAuthorization(authCtx, ROLES, LIST) ?
This will make it easier to refactor (if needed, in the future) the actual implementation details.

[Ghita2002]

Thanks for this review. It is quite a good idea. I implement it !

[nkcr]

The comment is for the statement bellow, not the setMapAuthorization function, which must also have its own comment describing what it does.

[nkcr]

This function is hard to understand without any explanation. You should at least describe what contains list: string[][]).

[Ghita2002]

I added some comments and while doing it I noticed that the iteration on j isn't necessary.

[nkcr]

you should explain (1) what is contained in list[0], and (2) why you are doing += 2.

[Ghita2002]

I delete that.

[nkcr]

you probably used it for debugging. To be removed.

[nkcr]

If the user is not logged you can avoid calling setMapAuthorization and return an empty map.

[Ghita2002]

Fixed !

[nkcr]

This is way too generic. You should prefix the variable name to indicate how the variable is used:

SUBJECT_ROLES = 'roles';
SUBJECT_PROXIES = 'proxies';
...
ACTION_LIST = 'list';
ACTION_REMOVE = 'remove';
...

[nkcr]

You should prefix the variable name:

SUBJECT_ELECTION = ...
...
ACTION_CREATE = ...

[nkcr]

Suggested change

	authCtx.authorization.has(subject) && authCtx.authorization.get(subject).indexOf(action) > -1
	authCtx.authorization.has(subject) && authCtx.authorization.get(subject).indexOf(action) !== -1

[pierluca]

Not absolutely perfect, but sooooo much better, great job ! 👍

I've some minor remarks, but at this point it looks nearly mergeable to me :)

[pierluca]

do you want to use String the object or just string the plain data type?

[Ghita2002]

When searching which one use, I found that it is better to avoid bugs to use string

[pierluca]

in typescript it's good to explicitly indicate the return type.

Suggested change

	function setMapAuthorization(list: string[][]) {
	function setMapAuthorization(list: string[][]): Map<string, Array<string>> {

[Ghita2002]

Done !

[pierluca]

much cleaner :)

[pierluca]

do you still need this variable?

[Ghita2002]

I decide to delete it

[nkcr]

The comment is already a great improvement. 👍

Now, the next step is self-explanatory code.. ;)

You could do:

const [subject, action] = list[i][1], list[i][2];
if (m.has(subject)) {
...

[Ghita2002]

Thanks for the review ! Done

[nkcr]

I'm not sure I understand the ?. Is it to prevent adding multiple times the same action ?

[Ghita2002]

It's necessary, however I check that m.has(list[i][1], to make sure that m.get(list[i][1] is not undefined.

[nkcr]

I think you can just use authorization: new Map<String, Array<String>>(),
or even just authorization: {},

[Ghita2002]

Fixed !

[sonarqubecloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
9 Code Smells

0.0% Coverage
0.0% Duplication

[nkcr]

Good to go 🚀