import type { AuthInfo } from "../types"; const legacyToModuleScopes: Record = { "campaign:read": "campaigns:campaign:read", "campaign:create": "campaigns:campaign:create", "campaign:update": "campaigns:campaign:update", "campaign:copy": "campaigns:campaign:copy", "campaign:archive": "campaigns:campaign:archive", "campaign:delete": "campaigns:campaign:delete", "campaign:share": "campaigns:campaign:share", "campaign:validate": "campaigns:campaign:validate", "campaign:build": "campaigns:campaign:build", "campaign:review": "campaigns:campaign:review", "campaign:send_test": "campaigns:campaign:send_test", "campaign:queue": "campaigns:campaign:queue", "campaign:control": "campaigns:campaign:control", "campaign:send": "campaigns:campaign:send", "campaign:retry": "campaigns:campaign:retry", "campaign:reconcile": "campaigns:campaign:reconcile", "recipients:read": "campaigns:recipient:read", "recipients:write": "campaigns:recipient:write", "recipients:import": "campaigns:recipient:import", "recipients:export": "campaigns:recipient:export", "reports:read": "campaigns:report:read", "reports:export": "campaigns:report:export", "reports:send": "campaigns:report:send", "files:read": "files:file:read", "files:download": "files:file:download", "files:upload": "files:file:upload", "files:organize": "files:file:organize", "files:share": "files:file:share", "files:delete": "files:file:delete", "files:admin": "files:file:admin", "mail_servers:read": "mail:profile:read", "mail_servers:use": "mail:profile:use", "mail_servers:test": "mail:profile:test", "mail_servers:mailbox_read": "mail:mailbox:read", "mail_servers:write": "mail:profile:write", "mail_servers:manage_credentials": "mail:secret:manage" }; const moduleToLegacyScopes = Object.fromEntries(Object.entries(legacyToModuleScopes).map(([legacy, module]) => [module, legacy])); const legacyAliases: Record = { "campaign:write": ["campaign:create", "campaign:update", "campaign:copy", "campaign:archive", "campaign:delete", "campaign:share", "recipients:read", "recipients:write", "recipients:import"], "attachments:read": ["files:read", "files:download"], "attachments:write": ["files:upload", "files:organize", "files:share", "files:delete"], "admin:users": ["admin:users:read", "admin:users:create", "admin:users:update", "admin:users:suspend", "admin:groups:read", "admin:groups:write", "admin:groups:manage_members", "admin:roles:read", "admin:roles:write", "admin:roles:assign"], "admin:users:write": ["admin:users:create", "admin:users:update", "admin:users:suspend", "admin:roles:assign", "admin:groups:manage_members"], "admin:api_keys:write": ["admin:api_keys:create", "admin:api_keys:revoke"], "admin:settings": ["admin:settings:read", "admin:settings:write", "admin:api_keys:read", "admin:api_keys:create", "admin:api_keys:revoke"], "system:tenants:write": ["system:tenants:create", "system:tenants:update", "system:tenants:suspend"], "system:access:write": ["system:access:assign", "system:roles:assign", "system:accounts:create", "system:accounts:update", "system:accounts:suspend"] }; function compatibleScopes(scope: string): string[] { const mapped = legacyToModuleScopes[scope] ?? moduleToLegacyScopes[scope]; return mapped ? [scope, mapped] : [scope]; } function primitiveScopeGrants(granted: string, required: string): boolean { if (granted === required) return true; if (legacyAliases[granted]?.some((alias) => primitiveScopeGrants(alias, required))) return true; if (granted === "*") return true; if (granted === "tenant:*") { return required === "tenant:*" || !required.startsWith("system:"); } if (granted === "system:*") return required.startsWith("system:") || required.startsWith("access:"); if (granted.endsWith(":*") && required.startsWith(granted.slice(0, -1))) return true; return false; } export function scopeGrants(granted: string, required: string): boolean { for (const grantedCandidate of compatibleScopes(granted)) { for (const requiredCandidate of compatibleScopes(required)) { if (primitiveScopeGrants(grantedCandidate, requiredCandidate)) return true; } } return false; } export function hasTenantWildcard(scopes: string[]): boolean { return scopes.includes("*") || scopes.includes("tenant:*"); } export function hasScope(auth: AuthInfo | null | undefined, required: string): boolean { return Boolean(auth?.scopes?.some((scope) => scopeGrants(scope, required))); } export function hasAnyScope(auth: AuthInfo | null | undefined, required: string[]): boolean { return required.some((scope) => hasScope(auth, scope)); } export const adminReadScopes = [ "admin:users:read", "admin:groups:read", "admin:roles:read", "admin:api_keys:read", "admin:settings:read", "admin:policies:read", "mail:profile:read", "mail_servers:read", "audit:read", "system:tenants:read", "system:accounts:read", "system:access:read", "system:roles:read", "system:audit:read", "system:settings:read", "system:governance:read", "access:tenant:read", "access:account:read", "access:governance:read" ];