address comments

Signed-off-by: nyagamunene <[email protected]>
absmach · Dec 16, 2024 · e1eb192 · e1eb192
1 parent 265bdd0
commit e1eb192
Show file tree

Hide file tree

Showing 8 changed files with 260 additions and 98 deletions.
diff --git a/auth/api/grpc/auth/endpoint_test.go b/auth/api/grpc/auth/endpoint_test.go
@@ -41,12 +41,15 @@ const (
 	invalidDuration = 7 * 24 * time.Hour
 	validToken      = "valid"
 	inValidToken    = "invalid"
+	validPATToken   = "valid"
+	inValidPATToken = "invalid"
 	validPolicy     = "valid"
 )
 
 var (
 	domainID = testsutil.GenerateUUID(&testing.T{})
 	authAddr = fmt.Sprintf("localhost:%d", port)
+	clientID = testsutil.GenerateUUID(&testing.T{})
 )
 
 func startGRPCServer(svc auth.Service, port int) *grpc.Server {
@@ -96,13 +99,15 @@ func TestIdentify(t *testing.T) {
 	}
 
 	for _, tc := range cases {
-		svcCall := svc.On("Identify", mock.Anything, mock.Anything).Return(auth.Key{Subject: id, User: email, Domain: domainID}, tc.svcErr)
-		idt, err := grpcClient.Authenticate(context.Background(), &grpcAuthV1.AuthNReq{Token: tc.token})
-		if idt != nil {
-			assert.Equal(t, tc.idt, idt, fmt.Sprintf("%s: expected %v got %v", tc.desc, tc.idt, idt))
-		}
-		assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
-		svcCall.Unset()
+		t.Run(tc.desc, func(t *testing.T) {
+			svcCall := svc.On("Identify", mock.Anything, mock.Anything).Return(auth.Key{Subject: id, User: email, Domain: domainID}, tc.svcErr)
+			idt, err := grpcClient.Authenticate(context.Background(), &grpcAuthV1.AuthNReq{Token: tc.token})
+			if idt != nil {
+				assert.Equal(t, tc.idt, idt, fmt.Sprintf("%s: expected %v got %v", tc.desc, tc.idt, idt))
+			}
+			assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
+			svcCall.Unset()
+		})
 	}
 }
 
@@ -220,12 +225,154 @@ func TestAuthorize(t *testing.T) {
 		},
 	}
 	for _, tc := range cases {
-		svccall := svc.On("Authorize", mock.Anything, mock.Anything).Return(tc.err)
-		ar, err := grpcClient.Authorize(context.Background(), tc.authRequest)
-		if ar != nil {
-			assert.Equal(t, tc.authResponse, ar, fmt.Sprintf("%s: expected %v got %v", tc.desc, tc.authResponse, ar))
-		}
-		assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
-		svccall.Unset()
+		t.Run(tc.desc, func(t *testing.T) {
+			svccall := svc.On("Authorize", mock.Anything, mock.Anything).Return(tc.err)
+			ar, err := grpcClient.Authorize(context.Background(), tc.authRequest)
+			if ar != nil {
+				assert.Equal(t, tc.authResponse, ar, fmt.Sprintf("%s: expected %v got %v", tc.desc, tc.authResponse, ar))
+			}
+			assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
+			svccall.Unset()
+		})
+	}
+}
+
+func TestIdentifyPAT(t *testing.T) {
+	conn, err := grpc.NewClient(authAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+	assert.Nil(t, err, fmt.Sprintf("Unexpected error creating client connection %s", err))
+	defer conn.Close()
+	grpcClient := grpcapi.NewAuthClient(conn, time.Second)
+
+	cases := []struct {
+		desc   string
+		token  string
+		idt    *grpcAuthV1.AuthNPATRes
+		svcErr error
+		err    error
+	}{
+		{
+			desc:  "authenticate user with valid user token",
+			token: validToken,
+			idt:   &grpcAuthV1.AuthNPATRes{Id: id, UserId: clientID},
+			err:   nil,
+		},
+		{
+			desc:   "authenticate user with invalid user token",
+			token:  "invalid",
+			idt:    &grpcAuthV1.AuthNPATRes{},
+			svcErr: svcerr.ErrAuthentication,
+			err:    svcerr.ErrAuthentication,
+		},
+		{
+			desc:  "authenticate user with empty token",
+			token: "",
+			idt:   &grpcAuthV1.AuthNPATRes{},
+			err:   apiutil.ErrBearerToken,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.desc, func(t *testing.T) {
+			svcCall := svc.On("IdentifyPAT", mock.Anything, tc.token).Return(auth.PAT{ID: id, User: clientID, IssuedAt: time.Now()}, tc.svcErr)
+			idt, err := grpcClient.AuthenticatePAT(context.Background(), &grpcAuthV1.AuthNReq{Token: tc.token})
+			if idt != nil {
+				assert.Equal(t, tc.idt, idt, fmt.Sprintf("%s: expected %v got %v", tc.desc, tc.idt, idt))
+			}
+			assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
+			svcCall.Unset()
+		})
+	}
+}
+
+func TestAuthorizePAT(t *testing.T) {
+	conn, err := grpc.NewClient(authAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+	assert.Nil(t, err, fmt.Sprintf("Unexpected error creating client connection %s", err))
+	defer conn.Close()
+
+	grpcClient := grpcapi.NewAuthClient(conn, time.Second)
+	cases := []struct {
+		desc         string
+		token        string
+		authRequest  *grpcAuthV1.AuthZpatReq
+		authResponse *grpcAuthV1.AuthZRes
+		err          error
+	}{
+		{
+			desc:  "authorize user with authorized token",
+			token: validPATToken,
+			authRequest: &grpcAuthV1.AuthZpatReq{
+				UserId:                   id,
+				PatId:                    id,
+				PlatformEntityType:       uint32(auth.PlatformDomainsScope),
+				OptionalDomainId:         domainID,
+				OptionalDomainEntityType: uint32(auth.DomainClientsScope),
+				Operation:                uint32(auth.CreateOp),
+				EntityIds:                []string{clientID},
+			},
+			authResponse: &grpcAuthV1.AuthZRes{Authorized: true},
+			err:          nil,
+		},
+		{
+			desc:  "authorize user with unauthorized token",
+			token: inValidPATToken,
+			authRequest: &grpcAuthV1.AuthZpatReq{
+				UserId:                   id,
+				PatId:                    id,
+				PlatformEntityType:       uint32(auth.PlatformDomainsScope),
+				OptionalDomainId:         domainID,
+				OptionalDomainEntityType: uint32(auth.DomainClientsScope),
+				Operation:                uint32(auth.CreateOp),
+				EntityIds:                []string{clientID},
+			},
+			authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
+			err:          svcerr.ErrAuthorization,
+		},
+		{
+			desc:  "authorize user with missing user id",
+			token: validPATToken,
+			authRequest: &grpcAuthV1.AuthZpatReq{
+				PatId:                    id,
+				PlatformEntityType:       uint32(auth.PlatformDomainsScope),
+				OptionalDomainId:         domainID,
+				OptionalDomainEntityType: uint32(auth.DomainClientsScope),
+				Operation:                uint32(auth.CreateOp),
+				EntityIds:                []string{clientID},
+			},
+			authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
+			err:          apiutil.ErrMissingUserID,
+		},
+		{
+			desc:  "authorize user with missing pat id",
+			token: validPATToken,
+			authRequest: &grpcAuthV1.AuthZpatReq{
+				UserId:                   id,
+				PlatformEntityType:       uint32(auth.PlatformDomainsScope),
+				OptionalDomainId:         domainID,
+				OptionalDomainEntityType: uint32(auth.DomainClientsScope),
+				Operation:                uint32(auth.CreateOp),
+				EntityIds:                []string{clientID},
+			},
+			authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
+			err:          apiutil.ErrMissingPATID,
+		},
+	}
+	for _, tc := range cases {
+		t.Run(tc.desc, func(t *testing.T) {
+			svccall := svc.On("AuthorizePAT",
+				mock.Anything,
+				tc.authRequest.UserId,
+				tc.authRequest.PatId,
+				mock.Anything,
+				tc.authRequest.OptionalDomainId,
+				mock.Anything,
+				mock.Anything,
+				mock.Anything).Return(tc.err)
+			ar, err := grpcClient.AuthorizePAT(context.Background(), tc.authRequest)
+			if ar != nil {
+				assert.Equal(t, tc.authResponse, ar, fmt.Sprintf("%s: expected %v got %v", tc.desc, tc.authResponse, ar))
+			}
+			assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
+			svccall.Unset()
+		})
 	}
 }
diff --git a/auth/api/grpc/auth/requests.go b/auth/api/grpc/auth/requests.go
@@ -63,10 +63,10 @@ type authPATReq struct {
 
 func (req authPATReq) validate() error {
 	if req.userID == "" {
-		return apiutil.ErrBearerToken
+		return apiutil.ErrMissingUserID
 	}
 	if req.patID == "" {
-		return apiutil.ErrBearerToken
+		return apiutil.ErrMissingPATID
 	}
 	return nil
 }
diff --git a/auth/api/http/pats/responses.go b/auth/api/http/pats/responses.go
@@ -152,7 +152,7 @@ type addPatScopeEntryRes struct {
 }
 
 func (res addPatScopeEntryRes) Code() int {
-	return http.StatusAccepted
+	return http.StatusOK
 }
 
 func (res addPatScopeEntryRes) Headers() map[string]string {
@@ -168,7 +168,7 @@ type removePatScopeEntryRes struct {
 }
 
 func (res removePatScopeEntryRes) Code() int {
-	return http.StatusAccepted
+	return http.StatusOK
 }
 
 func (res removePatScopeEntryRes) Headers() map[string]string {

diff --git a/auth/api/http/pats/transport.go b/auth/api/http/pats/transport.go
@@ -37,75 +37,81 @@ func MakeHandler(svc auth.Service, mux *chi.Mux, logger *slog.Logger) *chi.Mux {
 			opts...,
 		).ServeHTTP)
 
-		r.Get("/{id}", kithttp.NewServer(
-			(retrievePATEndpoint(svc)),
-			decodeRetrievePATRequest,
-			api.EncodeResponse,
-			opts...,
-		).ServeHTTP)
-
-		r.Patch("/{id}/name", kithttp.NewServer(
-			(updatePATNameEndpoint(svc)),
-			decodeUpdatePATNameRequest,
-			api.EncodeResponse,
-			opts...,
-		).ServeHTTP)
-
-		r.Patch("/{id}/description", kithttp.NewServer(
-			(updatePATDescriptionEndpoint(svc)),
-			decodeUpdatePATDescriptionRequest,
-			api.EncodeResponse,
-			opts...,
-		).ServeHTTP)
-
 		r.Get("/", kithttp.NewServer(
-			(listPATSEndpoint(svc)),
+			listPATSEndpoint(svc),
 			decodeListPATSRequest,
 			api.EncodeResponse,
 			opts...,
 		).ServeHTTP)
 
-		r.Delete("/{id}", kithttp.NewServer(
-			(deletePATEndpoint(svc)),
-			decodeDeletePATRequest,
-			api.EncodeResponse,
-			opts...,
-		).ServeHTTP)
-
-		r.Patch("/{id}/secret/reset", kithttp.NewServer(
-			(resetPATSecretEndpoint(svc)),
-			decodeResetPATSecretRequest,
-			api.EncodeResponse,
-			opts...,
-		).ServeHTTP)
-
-		r.Patch("/{id}/secret/revoke", kithttp.NewServer(
-			(revokePATSecretEndpoint(svc)),
-			decodeRevokePATSecretRequest,
-			api.EncodeResponse,
-			opts...,
-		).ServeHTTP)
-
-		r.Patch("/{id}/scope/add", kithttp.NewServer(
-			(addPATScopeEntryEndpoint(svc)),
-			decodeAddPATScopeEntryRequest,
-			api.EncodeResponse,
-			opts...,
-		).ServeHTTP)
-
-		r.Patch("/{id}/scope/remove", kithttp.NewServer(
-			(removePATScopeEntryEndpoint(svc)),
-			decodeRemovePATScopeEntryRequest,
-			api.EncodeResponse,
-			opts...,
-		).ServeHTTP)
-
-		r.Delete("/{id}/scope", kithttp.NewServer(
-			(clearPATAllScopeEntryEndpoint(svc)),
-			decodeClearPATAllScopeEntryRequest,
-			api.EncodeResponse,
-			opts...,
-		).ServeHTTP)
+		r.Route("/{id}", func(r chi.Router) {
+			r.Get("/", kithttp.NewServer(
+				retrievePATEndpoint(svc),
+				decodeRetrievePATRequest,
+				api.EncodeResponse,
+				opts...,
+			).ServeHTTP)
+
+			r.Patch("/name", kithttp.NewServer(
+				updatePATNameEndpoint(svc),
+				decodeUpdatePATNameRequest,
+				api.EncodeResponse,
+				opts...,
+			).ServeHTTP)
+
+			r.Patch("/description", kithttp.NewServer(
+				updatePATDescriptionEndpoint(svc),
+				decodeUpdatePATDescriptionRequest,
+				api.EncodeResponse,
+				opts...,
+			).ServeHTTP)
+
+			r.Delete("/", kithttp.NewServer(
+				deletePATEndpoint(svc),
+				decodeDeletePATRequest,
+				api.EncodeResponse,
+				opts...,
+			).ServeHTTP)
+
+			r.Route("/secret", func(r chi.Router) {
+				r.Patch("/reset", kithttp.NewServer(
+					resetPATSecretEndpoint(svc),
+					decodeResetPATSecretRequest,
+					api.EncodeResponse,
+					opts...,
+				).ServeHTTP)
+
+				r.Patch("/revoke", kithttp.NewServer(
+					revokePATSecretEndpoint(svc),
+					decodeRevokePATSecretRequest,
+					api.EncodeResponse,
+					opts...,
+				).ServeHTTP)
+			})
+
+			r.Route("/scope", func(r chi.Router) {
+				r.Patch("/add", kithttp.NewServer(
+					addPATScopeEntryEndpoint(svc),
+					decodeAddPATScopeEntryRequest,
+					api.EncodeResponse,
+					opts...,
+				).ServeHTTP)
+
+				r.Patch("/remove", kithttp.NewServer(
+					removePATScopeEntryEndpoint(svc),
+					decodeRemovePATScopeEntryRequest,
+					api.EncodeResponse,
+					opts...,
+				).ServeHTTP)
+
+				r.Delete("/", kithttp.NewServer(
+					clearPATAllScopeEntryEndpoint(svc),
+					decodeClearPATAllScopeEntryRequest,
+					api.EncodeResponse,
+					opts...,
+				).ServeHTTP)
+			})
+		})
 	})
 	return mux
 }