initial implementation

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>

Author: nyagamunene

channels/middleware/authorization.go

@@ -48,8 +48,8 @@ type authorizationMiddleware struct {
 	svc     channels.Service
 	repo    channels.Repository
 	authz   smqauthz.Authorization
-	opp     svcutil.OperationPerm
-	extOpp  svcutil.ExternalOperationPerm
+	opp     channels.OperationPerm
+	extOpp  channels.ExternalOperationPerm
 	callout callout.Callout
 	rmMW.RoleManagerAuthorizationMiddleware
 }
@@ -59,8 +59,8 @@ func AuthorizationMiddleware(
 	svc channels.Service,
 	repo channels.Repository,
 	authz smqauthz.Authorization,
-	channelsOpPerm, rolesOpPerm map[svcutil.Operation]svcutil.Permission,
-	extOpPerm map[svcutil.ExternalOperation]svcutil.Permission,
+	channelsOpPerm, rolesOpPerm map[channels.Operation]channels.Permission,
+	extOpPerm map[channels.ExternalOperation]channels.Permission,
 	callout callout.Callout,
 ) (channels.Service, error) {
 	opp := channels.NewOperationPerm()
@@ -78,7 +78,13 @@ func AuthorizationMiddleware(
 	if err := extOpp.Validate(); err != nil {
 		return nil, err
 	}
-	ram, err := rmMW.NewRoleManagerAuthorizationMiddleware(policies.ChannelType, svc, authz, rolesOpPerm)
+
+	res := make(map[svcutil.Operation]svcutil.Permission, len(rolesOpPerm))
+	for op, perm := range rolesOpPerm {
+		res[svcutil.Operation(op)] = svcutil.Permission(perm)
+	}
+
+	ram, err := rmMW.NewRoleManagerAuthorizationMiddleware(policies.ChannelType, svc, authz, res)
 	if err != nil {
 		return nil, err
 	}
@@ -134,7 +140,7 @@ func (am *authorizationMiddleware) CreateChannels(ctx context.Context, session a
 		"entities": chs,
 		"count":    len(chs),
 	}
-	if err := am.callOut(ctx, session, channels.OpCreateChannel.String(channels.OperationNames), params); err != nil {
+	if err := am.callOut(ctx, session, channels.OpCreateChannel.String(), params); err != nil {
 		return []channels.Channel{}, []roles.RoleProvision{}, err
 	}
 
@@ -167,7 +173,7 @@ func (am *authorizationMiddleware) ViewChannel(ctx context.Context, session auth
 	params := map[string]any{
 		"entity_id": id,
 	}
-	if err := am.callOut(ctx, session, channels.OpViewChannel.String(channels.OperationNames), params); err != nil {
+	if err := am.callOut(ctx, session, channels.OpViewChannel.String(), params); err != nil {
 		return channels.Channel{}, err
 	}
 	return am.svc.ViewChannel(ctx, session, id, withRoles)
@@ -193,7 +199,7 @@ func (am *authorizationMiddleware) ListChannels(ctx context.Context, session aut
 	params := map[string]any{
 		"pagemeta": pm,
 	}
-	if err := am.callOut(ctx, session, channels.OpListChannels.String(channels.OperationNames), params); err != nil {
+	if err := am.callOut(ctx, session, channels.OpListChannels.String(), params); err != nil {
 		return channels.ChannelsPage{}, err
 	}
 	return am.svc.ListChannels(ctx, session, pm)
@@ -219,7 +225,7 @@ func (am *authorizationMiddleware) ListUserChannels(ctx context.Context, session
 		"user_id":  userID,
 		"pagemeta": pm,
 	}
-	if err := am.callOut(ctx, session, channels.OpListUserChannels.String(channels.OperationNames), params); err != nil {
+	if err := am.callOut(ctx, session, channels.OpListUserChannels.String(), params); err != nil {
 		return channels.ChannelsPage{}, err
 	}
 	return am.svc.ListUserChannels(ctx, session, userID, pm)
@@ -251,7 +257,7 @@ func (am *authorizationMiddleware) UpdateChannel(ctx context.Context, session au
 	params := map[string]any{
 		"entity_id": channel.ID,
 	}
-	if err := am.callOut(ctx, session, channels.OpUpdateChannel.String(channels.OperationNames), params); err != nil {
+	if err := am.callOut(ctx, session, channels.OpUpdateChannel.String(), params); err != nil {
 		return channels.Channel{}, err
 	}
 	return am.svc.UpdateChannel(ctx, session, channel)
@@ -283,7 +289,7 @@ func (am *authorizationMiddleware) UpdateChannelTags(ctx context.Context, sessio
 	params := map[string]any{
 		"entity_id": channel.ID,
 	}
-	if err := am.callOut(ctx, session, channels.OpUpdateChannelTags.String(channels.OperationNames), params); err != nil {
+	if err := am.callOut(ctx, session, channels.OpUpdateChannelTags.String(), params); err != nil {
 		return channels.Channel{}, err
 	}
 	return am.svc.UpdateChannelTags(ctx, session, channel)
@@ -315,7 +321,7 @@ func (am *authorizationMiddleware) EnableChannel(ctx context.Context, session au
 	params := map[string]any{
 		"entity_id": id,
 	}
-	if err := am.callOut(ctx, session, channels.OpEnableChannel.String(channels.OperationNames), params); err != nil {
+	if err := am.callOut(ctx, session, channels.OpEnableChannel.String(), params); err != nil {
 		return channels.Channel{}, err
 	}
 	return am.svc.EnableChannel(ctx, session, id)
@@ -347,7 +353,7 @@ func (am *authorizationMiddleware) DisableChannel(ctx context.Context, session a
 	params := map[string]any{
 		"entity_id": id,
 	}
-	if err := am.callOut(ctx, session, channels.OpDisableChannel.String(channels.OperationNames), params); err != nil {
+	if err := am.callOut(ctx, session, channels.OpDisableChannel.String(), params); err != nil {
 		return channels.Channel{}, err
 	}
 	return am.svc.DisableChannel(ctx, session, id)
@@ -378,7 +384,7 @@ func (am *authorizationMiddleware) RemoveChannel(ctx context.Context, session au
 	params := map[string]any{
 		"entity_id": id,
 	}
-	if err := am.callOut(ctx, session, channels.OpDeleteChannel.String(channels.OperationNames), params); err != nil {
+	if err := am.callOut(ctx, session, channels.OpDeleteChannel.String(), params); err != nil {
 		return err
 	}
 
@@ -440,7 +446,7 @@ func (am *authorizationMiddleware) Connect(ctx context.Context, session authn.Se
 		"client_ids":       thIDs,
 		"connection_types": connTypes,
 	}
-	if err := am.callOut(ctx, session, channels.OpConnectClient.String(channels.OperationNames), params); err != nil {
+	if err := am.callOut(ctx, session, channels.OpConnectClient.String(), params); err != nil {
 		return err
 	}
 	return am.svc.Connect(ctx, session, chIDs, thIDs, connTypes)
@@ -502,7 +508,7 @@ func (am *authorizationMiddleware) Disconnect(ctx context.Context, session authn
 		"client_ids":       thIDs,
 		"connection_types": connTypes,
 	}
-	if err := am.callOut(ctx, session, channels.OpDisconnectClient.String(channels.OperationNames), params); err != nil {
+	if err := am.callOut(ctx, session, channels.OpDisconnectClient.String(), params); err != nil {
 		return err
 	}
 	return am.svc.Disconnect(ctx, session, chIDs, thIDs, connTypes)
@@ -545,7 +551,7 @@ func (am *authorizationMiddleware) SetParentGroup(ctx context.Context, session a
 		"entity_id":       id,
 		"parent_group_id": parentGroupID,
 	}
-	if err := am.callOut(ctx, session, channels.OpSetParentGroup.String(channels.OperationNames), params); err != nil {
+	if err := am.callOut(ctx, session, channels.OpSetParentGroup.String(), params); err != nil {
 		return err
 	}
 	return am.svc.SetParentGroup(ctx, session, parentGroupID, id)
@@ -593,15 +599,15 @@ func (am *authorizationMiddleware) RemoveParentGroup(ctx context.Context, sessio
 			"entity_id":       id,
 			"parent_group_id": ch.ParentGroup,
 		}
-		if err := am.callOut(ctx, session, channels.OpRemoveParentGroup.String(channels.OperationNames), params); err != nil {
+		if err := am.callOut(ctx, session, channels.OpRemoveParentGroup.String(), params); err != nil {
 			return err
 		}
 		return am.svc.RemoveParentGroup(ctx, session, id)
 	}
 	return nil
 }
 
-func (am *authorizationMiddleware) authorize(ctx context.Context, op svcutil.Operation, req smqauthz.PolicyReq) error {
+func (am *authorizationMiddleware) authorize(ctx context.Context, op channels.Operation, req smqauthz.PolicyReq) error {
 	perm, err := am.opp.GetPermission(op)
 	if err != nil {
 		return err
@@ -616,7 +622,7 @@ func (am *authorizationMiddleware) authorize(ctx context.Context, op svcutil.Ope
 	return nil
 }
 
-func (am *authorizationMiddleware) extAuthorize(ctx context.Context, extOp svcutil.ExternalOperation, req smqauthz.PolicyReq) error {
+func (am *authorizationMiddleware) extAuthorize(ctx context.Context, extOp channels.ExternalOperation, req smqauthz.PolicyReq) error {
 	perm, err := am.extOpp.GetPermission(extOp)
 	if err != nil {
 		return err

channels/operationperm.go

@@ -0,0 +1,186 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package channels
+
+import "fmt"
+
+type Operation int
+
+func (op Operation) String() string {
+	switch op {
+	case OpViewChannel:
+		return OpViewChannelStr
+	case OpUpdateChannel:
+		return OpUpdateChannelStr
+	case OpUpdateChannelTags:
+		return OpUpdateChannelTagsStr
+	case OpEnableChannel:
+		return OpEnableChannelStr
+	case OpDisableChannel:
+		return OpDisableChannelStr
+	case OpDeleteChannel:
+		return OpDeleteChannelStr
+	case OpSetParentGroup:
+		return OpSetParentGroupStr
+	case OpRemoveParentGroup:
+		return OpRemoveParentGroupStr
+	case OpConnectClient:
+		return OpConnectClientStr
+	case OpDisconnectClient:
+		return OpDisconnectClientStr
+	case OpCreateChannel:
+		return OpCreateChannelStr
+	case OpListChannels:
+		return OpListChannelsStr
+	case OpListUserChannels:
+		return OpListUserChannelsStr
+	default:
+		return fmt.Sprintf("unknown operation: %d", op)
+	}
+}
+
+type OperationPerm struct {
+	opPerm      map[Operation]Permission
+	expectedOps []Operation
+}
+
+func newOperationPerm(expectedOps []Operation) OperationPerm {
+	return OperationPerm{
+		opPerm:      make(map[Operation]Permission),
+		expectedOps: expectedOps,
+	}
+}
+
+func (opp OperationPerm) AddOperationPermissionMap(opMap map[Operation]Permission) error {
+	// First iteration check all the keys are valid, If any one key is invalid then no key should be added.
+	for op := range opMap {
+		if !opp.isKeyRequired(op) {
+			return fmt.Errorf("%v is not a valid operation", op.String())
+		}
+	}
+	for op, perm := range opMap {
+		opp.opPerm[op] = perm
+	}
+	return nil
+}
+
+func (opp OperationPerm) isKeyRequired(op Operation) bool {
+	for _, key := range opp.expectedOps {
+		if key == op {
+			return true
+		}
+	}
+	return false
+}
+
+func (opp OperationPerm) AddOperationPermission(op Operation, perm Permission) error {
+	if !opp.isKeyRequired(op) {
+		return fmt.Errorf("%v is not a valid operation", op.String())
+	}
+	opp.opPerm[op] = perm
+	return nil
+}
+
+func (opp OperationPerm) Validate() error {
+	for op := range opp.opPerm {
+		if !opp.isKeyRequired(op) {
+			return fmt.Errorf("OperationPerm: \"%s\" is not a valid operation", op.String())
+		}
+	}
+	for _, eeo := range opp.expectedOps {
+		if _, ok := opp.opPerm[eeo]; !ok {
+			return fmt.Errorf("OperationPerm: \"%s\" operation is missing", eeo.String())
+		}
+	}
+	return nil
+}
+
+func (opp OperationPerm) GetPermission(op Operation) (Permission, error) {
+	if perm, ok := opp.opPerm[op]; ok {
+		return perm, nil
+	}
+	return "", fmt.Errorf("operation \"%s\" doesn't have any permissions", op.String())
+}
+
+type Permission string
+
+func (p Permission) String() string {
+	return string(p)
+}
+
+type ExternalOperation int
+
+func (ep ExternalOperation) String() string {
+	switch ep {
+	case DomainOpCreateChannel:
+		return DomainOpCreateChannelStr
+	case DomainOpListChannel:
+		return DomainOpListChannelStr
+	case GroupOpSetChildChannel:
+		return GroupOpSetChildChannelStr
+	case GroupsOpRemoveChildChannel:
+		return GroupsOpRemoveChildChannelStr
+	case ClientsOpConnectChannel:
+		return ClientsOpConnectChannelStr
+	case ClientsOpDisconnectChannel:
+		return ClientsOpDisconnectChannelStr
+	default:
+		return fmt.Sprintf("unknown external operation: %d", ep)
+	}
+}
+
+type ExternalOperationPerm struct {
+	opPerm      map[ExternalOperation]Permission
+	expectedOps []ExternalOperation
+}
+
+func newExternalOperationPerm(expectedOps []ExternalOperation) ExternalOperationPerm {
+	return ExternalOperationPerm{
+		opPerm:      make(map[ExternalOperation]Permission),
+		expectedOps: expectedOps,
+	}
+}
+
+func (eopp ExternalOperationPerm) isKeyRequired(eop ExternalOperation) bool {
+	for _, key := range eopp.expectedOps {
+		if key == eop {
+			return true
+		}
+	}
+	return false
+}
+
+func (eopp ExternalOperationPerm) AddOperationPermissionMap(eopMap map[ExternalOperation]Permission) error {
+	// First iteration check all the keys are valid, If any one key is invalid then no key should be added.
+	for eop := range eopMap {
+		if !eopp.isKeyRequired(eop) {
+			return fmt.Errorf("%v is not a valid external operation", eop.String())
+		}
+	}
+	for eop, perm := range eopMap {
+		eopp.opPerm[eop] = perm
+	}
+	return nil
+}
+
+func (eopp ExternalOperationPerm) Validate() error {
+	for eop := range eopp.opPerm {
+		if !eopp.isKeyRequired(eop) {
+			return fmt.Errorf("ExternalOperationPerm: \"%s\" is not a valid external operation", eop.String())
+		}
+	}
+	for _, eeo := range eopp.expectedOps {
+		if _, ok := eopp.opPerm[eeo]; !ok {
+			return fmt.Errorf("ExternalOperationPerm: \"%s\" external operation is missing", eeo.String())
+		}
+	}
+	return nil
+}
+
+func (eopp ExternalOperationPerm) GetPermission(eop ExternalOperation) (Permission, error) {
+	if perm, ok := eopp.opPerm[eop]; ok {
+		return perm, nil
+	}
+	return "", fmt.Errorf("external operation \"%s\" doesn't have any permissions", eop.String())
+}