@synanetics/iam-scope-parser

Parses and applies scopes against a list of targets.

Usage

import { parseScope } from '@synanetics/iam-scope-parser';

const result = parseScope('read:YHCR.* read:LLRCR.* !read:YHCR.DEF !read:LLRCR.ABC', 'read', [
    'YHCR.ABC',
    'YHCR.DEF',
    'YHCR.GHI',
    'LLRCR.ABC',
    'LLRCR.DEF',
    'LLRCR.GHI',
    'DDCR.ABC',
]);

console.log(result);
/**
{
    allow: [
        'YHCR.ABC',
        'YHCR.GHI',
        'LLRCR.DEF',
        'LLRCR.GHI',
    ],
    deny: [
        'YHCR.DEF',
        'LLRCR.ABC',
        'DDCR.ABC',
    ]
}
*/

Detailed description

This package has been created to support the Interweave NRL project which requires providers to opt-in to data sharing with out-of-region consumers. Scopes will be applied by the IAM service to generated JWT tokens and can be evaluated against a set of target providers using this package.

This package employs a deny-by-default approach where anything not matching a scope is automatically denied and deny rules take precedence.

Examples

• read:YHCR.* !read:YHCR.ABC - This would allow reads from all consumers in the YHCR region, excluding the consumer with prefix ABC.
• read:YHCR.ABC - This would only allow reads from the consumer with prefix ABC in the YHCR region.
• read:YHCR.* read:LLRCR.* - This would allow reads from all consumers in the YHCR and LLRCR regions.
• read:YHCR.* !read:LLRCR.* - While this is a valid scope, the !read:LLRCR.* is redundant as it would be denied by default if not present.
• read:YHCR.* read:DDCR.ABC - This would allow reads from all consumers in the YHCR region and the single ABC provider in the DDCR region.
• !read:YHCR.* read:YHCR.ABC - This would deny from all as the !read:YHCR.* is a deny which takes precedence.

Dependencies

This package has no dependencies outside of vitest for testing.

Testing

npm run test