
seperate pats middleware
Signed-off-by: nyagamunene <[email protected]>
nyagamunene committed Jan 8, 2025
1 parent 8de72f8 commit f38844a
Showing 14 changed files with 815 additions and 428 deletions.
9 changes: 2 additions & 7 deletions auth/service.go
Expand Up @@ -514,13 +514,8 @@ func (svc service) UpdatePATDescription(ctx context.Context, token, patID, descr
return pat, nil
}

func (svc service) RetrievePAT(ctx context.Context, token, patID string) (PAT, error) {
key, err := svc.Identify(ctx, token)
if err != nil {
return PAT{}, err
}

pat, err := svc.pats.Retrieve(ctx, key.User, patID)
func (svc service) RetrievePAT(ctx context.Context, userID, patID string) (PAT, error) {
pat, err := svc.pats.Retrieve(ctx, userID, patID)
if err != nil {
return PAT{}, errors.Wrap(errRetrievePAT, err)
}
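Review bot: The new RetrievePAT signature drops the svc.Identify call, so the method now trusts whatever userID it is handed and performs no authentication of its own, and nothing in the hunk records that contract. Add a doc comment on the new signature, e.g. `// RetrievePAT returns the PAT patID owned by userID. userID must be the identity of an already-authenticated caller (the PAT middleware); this method does not verify the caller itself.` UpdatePATDescription just above appears to have received the same token-to-userID change, so the same comment belongs on each converted method, and any caller that still passes a raw token would now look up a PAT under the token string instead of failing authentication, which is worth confirming across the Service interface and its callers. The body of RetrievePAT continues past the end of the hunk.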
154 changes: 0 additions & 154 deletions clients/middleware/authorization.go
Expand Up @@ -6,7 +6,6 @@ package middleware
import (
"context"

"github.com/absmach/supermq/auth"
"github.com/absmach/supermq/clients"
"github.com/absmach/supermq/pkg/authn"
smqauthz "github.com/absmach/supermq/pkg/authz"
Expand Down Expand Up @@ -75,20 +74,6 @@ func AuthorizationMiddleware(entityType string, svc clients.Service, authz smqau
}

func (am *authorizationMiddleware) CreateClients(ctx context.Context, session authn.Session, client ...clients.Client) ([]clients.Client, []roles.RoleProvision, error) {
if session.Type == authn.PersonalAccessToken {
if err := am.authz.AuthorizePAT(ctx, smqauthz.PatReq{
UserID: session.UserID,
PatID: session.ID,
PlatformEntityType: auth.PlatformDomainsScope,
OptionalDomainID: session.DomainID,
OptionalDomainEntityType: auth.DomainClientsScope,
Operation: auth.CreateOp,
EntityIDs: auth.AnyIDs{}.Values(),
}); err != nil {
return []clients.Client{}, []roles.RoleProvision{}, errors.Wrap(svcerr.ErrUnauthorizedPAT, err)
}
}

if err := am.extAuthorize(ctx, clients.DomainOpCreateClient, smqauthz.PolicyReq{
Domain: session.DomainID,
SubjectType: policies.UserType,
Expand All @@ -103,20 +88,6 @@ func (am *authorizationMiddleware) CreateClients(ctx context.Context, session au
}

func (am *authorizationMiddleware) View(ctx context.Context, session authn.Session, id string) (clients.Client, error) {
if session.Type == authn.PersonalAccessToken {
if err := am.authz.AuthorizePAT(ctx, smqauthz.PatReq{
UserID: session.UserID,
PatID: session.ID,
PlatformEntityType: auth.PlatformDomainsScope,
OptionalDomainID: session.DomainID,
OptionalDomainEntityType: auth.DomainClientsScope,
Operation: auth.ReadOp,
EntityIDs: []string{id},
}); err != nil {
return clients.Client{}, errors.Wrap(svcerr.ErrUnauthorizedPAT, err)
}
}

if err := am.authorize(ctx, clients.OpViewClient, smqauthz.PolicyReq{
Domain: session.DomainID,
SubjectType: policies.UserType,
Expand All @@ -130,20 +101,6 @@ func (am *authorizationMiddleware) View(ctx context.Context, session authn.Sessi
}

func (am *authorizationMiddleware) ListClients(ctx context.Context, session authn.Session, reqUserID string, pm clients.Page) (clients.ClientsPage, error) {
if session.Type == authn.PersonalAccessToken {
if err := am.authz.AuthorizePAT(ctx, smqauthz.PatReq{
UserID: session.UserID,
PatID: session.ID,
PlatformEntityType: auth.PlatformDomainsScope,
OptionalDomainID: session.DomainID,
OptionalDomainEntityType: auth.DomainClientsScope,
Operation: auth.ListOp,
EntityIDs: auth.AnyIDs{}.Values(),
}); err != nil {
return clients.ClientsPage{}, errors.Wrap(svcerr.ErrUnauthorizedPAT, err)
}
}

if err := am.checkSuperAdmin(ctx, session.UserID); err != nil {
session.SuperAdmin = true
}
Expand All @@ -152,20 +109,6 @@ func (am *authorizationMiddleware) ListClients(ctx context.Context, session auth
}

func (am *authorizationMiddleware) Update(ctx context.Context, session authn.Session, client clients.Client) (clients.Client, error) {
if session.Type == authn.PersonalAccessToken {
if err := am.authz.AuthorizePAT(ctx, smqauthz.PatReq{
UserID: session.UserID,
PatID: session.ID,
PlatformEntityType: auth.PlatformDomainsScope,
OptionalDomainID: session.DomainID,
OptionalDomainEntityType: auth.DomainClientsScope,
Operation: auth.UpdateOp,
EntityIDs: []string{client.ID},
}); err != nil {
return clients.Client{}, errors.Wrap(svcerr.ErrUnauthorizedPAT, err)
}
}

if err := am.authorize(ctx, clients.OpUpdateClient, smqauthz.PolicyReq{
Domain: session.DomainID,
SubjectType: policies.UserType,
Expand All @@ -180,20 +123,6 @@ func (am *authorizationMiddleware) Update(ctx context.Context, session authn.Ses
}

func (am *authorizationMiddleware) UpdateTags(ctx context.Context, session authn.Session, client clients.Client) (clients.Client, error) {
if session.Type == authn.PersonalAccessToken {
if err := am.authz.AuthorizePAT(ctx, smqauthz.PatReq{
UserID: session.UserID,
PatID: session.ID,
PlatformEntityType: auth.PlatformDomainsScope,
OptionalDomainID: session.DomainID,
OptionalDomainEntityType: auth.DomainClientsScope,
Operation: auth.UpdateOp,
EntityIDs: []string{client.ID},
}); err != nil {
return clients.Client{}, errors.Wrap(svcerr.ErrUnauthorizedPAT, err)
}
}

if err := am.authorize(ctx, clients.OpUpdateClientTags, smqauthz.PolicyReq{
Domain: session.DomainID,
SubjectType: policies.UserType,
Expand All @@ -208,20 +137,6 @@ func (am *authorizationMiddleware) UpdateTags(ctx context.Context, session authn
}

func (am *authorizationMiddleware) UpdateSecret(ctx context.Context, session authn.Session, id, key string) (clients.Client, error) {
if session.Type == authn.PersonalAccessToken {
if err := am.authz.AuthorizePAT(ctx, smqauthz.PatReq{
UserID: session.UserID,
PatID: session.ID,
PlatformEntityType: auth.PlatformDomainsScope,
OptionalDomainID: session.DomainID,
OptionalDomainEntityType: auth.DomainClientsScope,
Operation: auth.UpdateOp,
EntityIDs: []string{id},
}); err != nil {
return clients.Client{}, errors.Wrap(svcerr.ErrUnauthorizedPAT, err)
}
}

if err := am.authorize(ctx, clients.OpUpdateClientSecret, smqauthz.PolicyReq{
Domain: session.DomainID,
SubjectType: policies.UserType,
Expand All @@ -235,20 +150,6 @@ func (am *authorizationMiddleware) UpdateSecret(ctx context.Context, session aut
}

func (am *authorizationMiddleware) Enable(ctx context.Context, session authn.Session, id string) (clients.Client, error) {
if session.Type == authn.PersonalAccessToken {
if err := am.authz.AuthorizePAT(ctx, smqauthz.PatReq{
UserID: session.UserID,
PatID: session.ID,
PlatformEntityType: auth.PlatformDomainsScope,
OptionalDomainID: session.DomainID,
OptionalDomainEntityType: auth.DomainClientsScope,
Operation: auth.UpdateOp,
EntityIDs: []string{id},
}); err != nil {
return clients.Client{}, errors.Wrap(svcerr.ErrUnauthorizedPAT, err)
}
}

if err := am.authorize(ctx, clients.OpEnableClient, smqauthz.PolicyReq{
Domain: session.DomainID,
SubjectType: policies.UserType,
Expand All @@ -263,20 +164,6 @@ func (am *authorizationMiddleware) Enable(ctx context.Context, session authn.Ses
}

func (am *authorizationMiddleware) Disable(ctx context.Context, session authn.Session, id string) (clients.Client, error) {
if session.Type == authn.PersonalAccessToken {
if err := am.authz.AuthorizePAT(ctx, smqauthz.PatReq{
UserID: session.UserID,
PatID: session.ID,
PlatformEntityType: auth.PlatformDomainsScope,
OptionalDomainID: session.DomainID,
OptionalDomainEntityType: auth.DomainClientsScope,
Operation: auth.UpdateOp,
EntityIDs: []string{id},
}); err != nil {
return clients.Client{}, errors.Wrap(svcerr.ErrUnauthorizedPAT, err)
}
}

if err := am.authorize(ctx, clients.OpDisableClient, smqauthz.PolicyReq{
Domain: session.DomainID,
SubjectType: policies.UserType,
Expand All @@ -290,19 +177,6 @@ func (am *authorizationMiddleware) Disable(ctx context.Context, session authn.Se
}

func (am *authorizationMiddleware) Delete(ctx context.Context, session authn.Session, id string) error {
if session.Type == authn.PersonalAccessToken {
if err := am.authz.AuthorizePAT(ctx, smqauthz.PatReq{
UserID: session.UserID,
PatID: session.ID,
PlatformEntityType: auth.PlatformDomainsScope,
OptionalDomainID: session.DomainID,
OptionalDomainEntityType: auth.DomainClientsScope,
Operation: auth.DeleteOp,
EntityIDs: []string{id},
}); err != nil {
return errors.Wrap(svcerr.ErrUnauthorizedPAT, err)
}
}
if err := am.authorize(ctx, clients.OpDeleteClient, smqauthz.PolicyReq{
Domain: session.DomainID,
SubjectType: policies.UserType,
Expand All @@ -317,20 +191,6 @@ func (am *authorizationMiddleware) Delete(ctx context.Context, session authn.Ses
}

func (am *authorizationMiddleware) SetParentGroup(ctx context.Context, session authn.Session, parentGroupID string, id string) error {
if session.Type == authn.PersonalAccessToken {
if err := am.authz.AuthorizePAT(ctx, smqauthz.PatReq{
UserID: session.UserID,
PatID: session.ID,
PlatformEntityType: auth.PlatformDomainsScope,
OptionalDomainID: session.DomainID,
OptionalDomainEntityType: auth.DomainGroupsScope,
Operation: auth.UpdateOp,
EntityIDs: []string{id},
}); err != nil {
return errors.Wrap(svcerr.ErrUnauthorizedPAT, err)
}
}

if err := am.authorize(ctx, clients.OpSetParentGroup, smqauthz.PolicyReq{
Domain: session.DomainID,
SubjectType: policies.UserType,
Expand All @@ -354,20 +214,6 @@ func (am *authorizationMiddleware) SetParentGroup(ctx context.Context, session a
}

func (am *authorizationMiddleware) RemoveParentGroup(ctx context.Context, session authn.Session, id string) error {
if session.Type == authn.PersonalAccessToken {
if err := am.authz.AuthorizePAT(ctx, smqauthz.PatReq{
UserID: session.UserID,
PatID: session.ID,
PlatformEntityType: auth.PlatformDomainsScope,
OptionalDomainID: session.DomainID,
OptionalDomainEntityType: auth.DomainGroupsScope,
Operation: auth.DeleteOp,
EntityIDs: []string{id},
}); err != nil {
return errors.Wrap(svcerr.ErrUnauthorizedPAT, err)
}
}

if err := am.authorize(ctx, clients.OpRemoveParentGroup, smqauthz.PolicyReq{
Domain: session.DomainID,
SubjectType: policies.UserType,
