Commit 03c5c6a

initial implementation
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
1 parent 73d66b7 commit 03c5c6a

3 files changed

+188
-60
lines changed


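--- a/domains/middleware/authorization.go
+++ b/domains/middleware/authorization.go
@@ -30,13 +30,13 @@ var ErrMemberExist = errors.New("user is already a member of the domain")
 type authorizationMiddleware struct {
 svc domains.Service
 authz smqauthz.Authorization
-opp svcutil.OperationPerm
+opp domains.OperationPerm
 callout callout.Callout
 rmMW.RoleManagerAuthorizationMiddleware
 }
 
 // AuthorizationMiddleware adds authorization to the clients service.
-func AuthorizationMiddleware(entityType string, svc domains.Service, authz smqauthz.Authorization, domainsOpPerm, rolesOpPerm map[svcutil.Operation]svcutil.Permission, callout callout.Callout) (domains.Service, error) {
+func AuthorizationMiddleware(entityType string, svc domains.Service, authz smqauthz.Authorization, domainsOpPerm, rolesOpPerm map[domains.Operation]domains.Permission, callout callout.Callout) (domains.Service, error) {
 opp := domains.NewOperationPerm()
 if err := opp.AddOperationPermissionMap(domainsOpPerm); err != nil {
 return nil, err
@@ -45,7 +45,12 @@ func AuthorizationMiddleware(entityType string, svc domains.Service, authz smqau
 return nil, err
 }
 
-ram, err := rmMW.NewRoleManagerAuthorizationMiddleware(entityType, svc, authz, rolesOpPerm, callout)
+res := make(map[svcutil.Operation]svcutil.Permission, len(rolesOpPerm))
+for op, perm := range rolesOpPerm {
+res[svcutil.Operation(op)] = svcutil.Permission(perm)
+}
+
+ram, err := rmMW.NewRoleManagerAuthorizationMiddleware(entityType, svc, authz, res, callout)
 if err != nil {
 return nil, err
 }
@@ -62,7 +67,7 @@ func (am *authorizationMiddleware) CreateDomain(ctx context.Context, session aut
 params := map[string]any{
 "domain": d,
 }
-if err := am.callOut(ctx, session, domains.OpCreateDomain.String(domains.OperationNames), params); err != nil {
+if err := am.callOut(ctx, session, domains.OpCreateDomain.String(), params); err != nil {
 return domains.Domain{}, nil, err
 }
 return am.svc.CreateDomain(ctx, session, d)
@@ -87,7 +92,7 @@ func (am *authorizationMiddleware) RetrieveDomain(ctx context.Context, session a
 "domain": id,
 "with_roles": withRoles,
 }
-if err := am.callOut(ctx, session, domains.OpRetrieveDomain.String(domains.OperationNames), params); err != nil {
+if err := am.callOut(ctx, session, domains.OpRetrieveDomain.String(), params); err != nil {
 return domains.Domain{}, err
 }
 return am.svc.RetrieveDomain(ctx, session, id, withRoles)
@@ -107,7 +112,7 @@ func (am *authorizationMiddleware) UpdateDomain(ctx context.Context, session aut
 "domain": id,
 "domain_req": d,
 }
-if err := am.callOut(ctx, session, domains.OpUpdateDomain.String(domains.OperationNames), params); err != nil {
+if err := am.callOut(ctx, session, domains.OpUpdateDomain.String(), params); err != nil {
 return domains.Domain{}, err
 }
 return am.svc.UpdateDomain(ctx, session, id, d)
@@ -126,7 +131,7 @@ func (am *authorizationMiddleware) EnableDomain(ctx context.Context, session aut
 params := map[string]any{
 "domain": id,
 }
-if err := am.callOut(ctx, session, domains.OpEnableDomain.String(domains.OperationNames), params); err != nil {
+if err := am.callOut(ctx, session, domains.OpEnableDomain.String(), params); err != nil {
 return domains.Domain{}, err
 }
 return am.svc.EnableDomain(ctx, session, id)
@@ -145,7 +150,7 @@ func (am *authorizationMiddleware) DisableDomain(ctx context.Context, session au
 params := map[string]any{
 "domain": id,
 }
-if err := am.callOut(ctx, session, domains.OpDisableDomain.String(domains.OperationNames), params); err != nil {
+if err := am.callOut(ctx, session, domains.OpDisableDomain.String(), params); err != nil {
 return domains.Domain{}, err
 }
 return am.svc.DisableDomain(ctx, session, id)
@@ -166,7 +171,7 @@ func (am *authorizationMiddleware) FreezeDomain(ctx context.Context, session aut
 params := map[string]any{
 "domain": id,
 }
-if err := am.callOut(ctx, session, domains.OpFreezeDomain.String(domains.OperationNames), params); err != nil {
+if err := am.callOut(ctx, session, domains.OpFreezeDomain.String(), params); err != nil {
 return domains.Domain{}, err
 }
 return am.svc.FreezeDomain(ctx, session, id)
@@ -179,7 +184,7 @@ func (am *authorizationMiddleware) ListDomains(ctx context.Context, session auth
 params := map[string]any{
 "page": page,
 }
-if err := am.callOut(ctx, session, domains.OpListDomains.String(domains.OperationNames), params); err != nil {
+if err := am.callOut(ctx, session, domains.OpListDomains.String(), params); err != nil {
 return domains.DomainsPage{}, err
 }
 return am.svc.ListDomains(ctx, session, page)
@@ -199,7 +204,7 @@ func (am *authorizationMiddleware) SendInvitation(ctx context.Context, session a
 "invitation": invitation,
 "domain": invitation.DomainID,
 }
-if err := am.callOut(ctx, session, domains.OpSendInvitation.String(domains.OperationNames), params); err != nil {
+if err := am.callOut(ctx, session, domains.OpSendInvitation.String(), params); err != nil {
 return err
 }
 
@@ -218,7 +223,7 @@ func (am *authorizationMiddleware) ViewInvitation(ctx context.Context, session a
 "invitee_user_id": inviteeUserID,
 "domain": domain,
 }
-if err := am.callOut(ctx, session, domains.OpViewInvitation.String(domains.OperationNames), params); err != nil {
+if err := am.callOut(ctx, session, domains.OpViewInvitation.String(), params); err != nil {
 return domains.Invitation{}, err
 }
 
@@ -246,7 +251,7 @@ func (am *authorizationMiddleware) ListInvitations(ctx context.Context, session
 params := map[string]any{
 "page": page,
 }
-if err := am.callOut(ctx, session, domains.OpListInvitations.String(domains.OperationNames), params); err != nil {
+if err := am.callOut(ctx, session, domains.OpListInvitations.String(), params); err != nil {
 return domains.InvitationPage{}, err
 }
 
@@ -257,7 +262,7 @@ func (am *authorizationMiddleware) AcceptInvitation(ctx context.Context, session
 params := map[string]any{
 "domain": domainID,
 }
-if err := am.callOut(ctx, session, domains.OpAcceptInvitation.String(domains.OperationNames), params); err != nil {
+if err := am.callOut(ctx, session, domains.OpAcceptInvitation.String(), params); err != nil {
 return domains.Invitation{}, err
 }
 return am.svc.AcceptInvitation(ctx, session, domainID)
@@ -267,7 +272,7 @@ func (am *authorizationMiddleware) RejectInvitation(ctx context.Context, session
 params := map[string]any{
 "domain": domainID,
 }
-if err := am.callOut(ctx, session, domains.OpRejectInvitation.String(domains.OperationNames), params); err != nil {
+if err := am.callOut(ctx, session, domains.OpRejectInvitation.String(), params); err != nil {
 return err
 }
 return am.svc.RejectInvitation(ctx, session, domainID)
@@ -283,14 +288,14 @@ func (am *authorizationMiddleware) DeleteInvitation(ctx context.Context, session
 "invitee_user_id": inviteeUserID,
 "domain": domainID,
 }
-if err := am.callOut(ctx, session, domains.OpDeleteInvitation.String(domains.OperationNames), params); err != nil {
+if err := am.callOut(ctx, session, domains.OpDeleteInvitation.String(), params); err != nil {
 return err
 }
 
 return am.svc.DeleteInvitation(ctx, session, inviteeUserID, domainID)
 }
 
-func (am *authorizationMiddleware) authorize(ctx context.Context, op svcutil.Operation, authReq authz.PolicyReq) error {
+func (am *authorizationMiddleware) authorize(ctx context.Context, op domains.Operation, authReq authz.PolicyReq) error {
 perm, err := am.opp.GetPermission(op)
 if err != nil {
 return err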
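Review bot: The loop added at new lines 48-51 re-types every role operation by integer cast, `res[svcutil.Operation(op)] = svcutil.Permission(perm)`, so the role permission table is only correct if the numeric constants of `domains.Operation` and `svcutil.Operation` happen to line up, and nothing in this diff shows that they do; if the two enums ever drift, a permission is silently bound to the wrong role operation instead of failing at construction. Since `rmMW.NewRoleManagerAuthorizationMiddleware` still takes the `svcutil` types, the safer shape is to keep the roles map in those types and drop the cast entirely: `domainsOpPerm map[domains.Operation]domains.Permission, rolesOpPerm map[svcutil.Operation]svcutil.Permission` in the signature, passing `rolesOpPerm` through unchanged as the old line 48 did. If the cast has to stay, it at least needs a comment stating the invariant it depends on, e.g. `// role operations must be numbered identically in domains and svcutil; a mismatch here mis-assigns permissions`. The `authorize` method at the end of the section continues past the hunk.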

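--- /dev/null
+++ b/domains/operationperm.go
@@ -0,0 +1,110 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package domains
+
+import "fmt"
+
+type Operation int
+
+func (op Operation) String() string {
+switch op {
+case OpUpdateDomain:
+return OpUpdateDomainStr
+case OpRetrieveDomain:
+return OpRetrieveDomainStr
+case OpEnableDomain:
+return OpEnableDomainStr
+case OpDisableDomain:
+return OpDisableDomainStr
+case OpSendInvitation:
+return OpSendInvitationStr
+case OpAcceptInvitation:
+return OpAcceptInvitationStr
+case OpCreateDomain:
+return OpCreateDomainStr
+case OpFreezeDomain:
+return OpFreezeDomainStr
+case OpListDomains:
+return OpListDomainsStr
+case OpViewInvitation:
+return OpViewInvitationStr
+case OpListInvitations:
+return OpListInvitationsStr
+case OpRejectInvitation:
+return OpRejectInvitationStr
+case OpDeleteInvitation:
+return OpDeleteInvitationStr
+default:
+return fmt.Sprintf("unknown operation: %d", op)
+}
+}
+
+type OperationPerm struct {
+opPerm map[Operation]Permission
+expectedOps []Operation
+}
+
+func newOperationPerm(expectedOps []Operation) OperationPerm {
+return OperationPerm{
+opPerm: make(map[Operation]Permission),
+expectedOps: expectedOps,
+}
+}
+
+func (opp OperationPerm) AddOperationPermissionMap(opMap map[Operation]Permission) error {
+// First iteration check all the keys are valid, If any one key is invalid then no key should be added.
+for op := range opMap {
+if !opp.isKeyRequired(op) {
+return fmt.Errorf("%v is not a valid operation", op.String())
+}
+}
+for op, perm := range opMap {
+opp.opPerm[op] = perm
+}
+return nil
+}
+
+func (opp OperationPerm) isKeyRequired(op Operation) bool {
+for _, key := range opp.expectedOps {
+if key == op {
+return true
+}
+}
+return false
+}
+
+func (opp OperationPerm) AddOperationPermission(op Operation, perm Permission) error {
+if !opp.isKeyRequired(op) {
+return fmt.Errorf("%v is not a valid operation", op.String())
+}
+opp.opPerm[op] = perm
+return nil
+}
+
+func (opp OperationPerm) Validate() error {
+for op := range opp.opPerm {
+if !opp.isKeyRequired(op) {
+return fmt.Errorf("OperationPerm: \"%s\" is not a valid operation", op.String())
+}
+}
+for _, eeo := range opp.expectedOps {
+if _, ok := opp.opPerm[eeo]; !ok {
+return fmt.Errorf("OperationPerm: \"%s\" operation is missing", eeo.String())
+}
+}
+return nil
+}
+
+func (opp OperationPerm) GetPermission(op Operation) (Permission, error) {
+if perm, ok := opp.opPerm[op]; ok {
+return perm, nil
+}
+return "", fmt.Errorf("operation \"%s\" doesn't have any permissions", op.String())
+}
+
+type Permission string
+
+func (p Permission) String() string {
+return string(p)
+}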
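Review bot: `AddOperationPermission` and `AddOperationPermissionMap` accept any `Permission` value, including the empty string, and `Validate` only checks that every expected operation has a key, so an operation configured as `""` passes validation and `GetPermission` later hands an empty permission to the authorization check without error; whether the authz backend rejects an empty relation is not visible here, so this should fail at configuration time rather than at request time. Adding `if perm == "" { return fmt.Errorf("operation %q has an empty permission", op.String()) }` to `AddOperationPermission` and to the first pass of `AddOperationPermissionMap` closes that gap while keeping the all-or-nothing semantics of the map variant. Separately, `Operation`, `OperationPerm`, `Permission` and the exported methods are new exported names with no doc comments; `// OperationPerm maps each domain Operation to the Permission the authorization middleware must hold before delegating to the service.` on the type would be the minimum. `newOperationPerm` is unexported here while authorization.go calls `domains.NewOperationPerm()`, so the exported constructor presumably lives in the third changed file, which this page does not show.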
