Initial implementation of Authorize

Signed-off-by: nyagamunene <[email protected]>
absmach · Oct 31, 2024 · 001bcaa · 001bcaa
1 parent 3008c8d
commit 001bcaa
Show file tree

Hide file tree

Showing 23 changed files with 468 additions and 97 deletions.
diff --git a/auth/api/grpc/auth/client.go b/auth/api/grpc/auth/client.go
@@ -19,6 +19,7 @@ const authSvcName = "auth.v1.AuthService"
 type authGrpcClient struct {
 	authenticate endpoint.Endpoint
 	authorize    endpoint.Endpoint
+	authorizePAT endpoint.Endpoint
 	timeout      time.Duration
 }
 
@@ -43,7 +44,6 @@ func NewAuthClient(conn *grpc.ClientConn, timeout time.Duration) grpcAuthV1.Auth
 			decodeAuthorizeResponse,
 			grpcAuthV1.AuthZRes{},
 		).Endpoint(),
-		timeout: timeout,
 		authorizePAT: kitgrpc.NewClient(
 			conn,
 			authSvcName,
@@ -119,19 +119,18 @@ func encodeAuthorizeRequest(_ context.Context, grpcReq interface{}) (interface{}
 	}, nil
 }
 
-func (client authGrpcClient) AuthorizePAT(ctx context.Context, req *grpcAuthV1.AuthZReq, _ ...grpc.CallOption) (r *grpcAuthV1.AuthZRes, err error) {
+func (client authGrpcClient) AuthorizePAT(ctx context.Context, req *grpcAuthV1.AuthZpatReq, _ ...grpc.CallOption) (r *grpcAuthV1.AuthZRes, err error) {
 	ctx, cancel := context.WithTimeout(ctx, client.timeout)
 	defer cancel()
 
-	res, err := client.authorize(ctx, authReq{
-		Domain:      req.GetDomain(),
-		SubjectType: req.GetSubjectType(),
-		Subject:     req.GetSubject(),
-		SubjectKind: req.GetSubjectKind(),
-		Relation:    req.GetRelation(),
-		Permission:  req.GetPermission(),
-		ObjectType:  req.GetObjectType(),
-		Object:      req.GetObject(),
+	res, err := client.authorizePAT(ctx, authPATReq{
+		userID:                   req.GetUserID(),
+		patID:                    req.GetPatID(),
+		platformEntityType:       req.GetPlatformEntityType(),
+		optionalDomainID:         req.GetOptionalDomainID(),
+		optionalDomainEntityType: req.GetOptionalDomainEntityType(),
+		operation:                req.GetOperation(),
+		entityIDs:                req.GetEntityIDs(),
 	})
 	if err != nil {
 		return &grpcAuthV1.AuthZRes{}, grpcapi.DecodeError(err)
@@ -144,7 +143,8 @@ func (client authGrpcClient) AuthorizePAT(ctx context.Context, req *grpcAuthV1.A
 func encodeAuthorizePATRequest(_ context.Context, grpcReq interface{}) (interface{}, error) {
 	req := grpcReq.(authPATReq)
 	return &grpcAuthV1.AuthZpatReq{
-		PaToken:                  req.paToken,
+		UserID:                   req.userID,
+		PatID:                    req.patID,
 		PlatformEntityType:       req.platformEntityType,
 		OptionalDomainID:         req.optionalDomainID,
 		OptionalDomainEntityType: req.optionalDomainEntityType,

diff --git a/auth/api/grpc/auth/endpoint.go b/auth/api/grpc/auth/endpoint.go
@@ -58,7 +58,7 @@ func authorizePATEndpoint(svc auth.Service) endpoint.Endpoint {
 		if err := req.validate(); err != nil {
 			return authorizeRes{}, err
 		}
-		err := svc.AuthorizePAT(ctx, req.paToken, req.platformEntityType, req.optionalDomainID,req.optionalDomainEntityType, req.operation, req.entityIDs)
+		err := svc.AuthorizePAT(ctx, req.userID, req.patID, req.platformEntityType, req.optionalDomainID,req.optionalDomainEntityType, req.operation, req.entityIDs)
 		if err != nil {
 			return authorizeRes{authorized: false}, err
 		}

diff --git a/auth/api/grpc/auth/requests.go b/auth/api/grpc/auth/requests.go
@@ -51,7 +51,8 @@ func (req authReq) validate() error {
 }
 
 type authPATReq struct {
-	paToken                  string
+	userID                   string
+	patID                    string
 	platformEntityType       string
 	optionalDomainID         string
 	optionalDomainEntityType string
@@ -60,8 +61,26 @@ type authPATReq struct {
 }
 
 func (req authPATReq) validate() error {
-	if req.paToken == "" {
+	if req.userID == "" {
 		return apiutil.ErrBearerToken
 	}
+	if req.patID == "" {
+		return apiutil.ErrBearerToken
+	}
+	return nil
+}
+
+type retrievePATReq struct {
+	userID string
+	patID  string
+}
+
+func (req retrievePATReq) validate() error {
+	if req.userID == "" {
+		return apiutil.ErrMissingID
+	}
+	if req.patID == "" {
+		return apiutil.ErrMissingID
+	}
 	return nil
-}
+}
diff --git a/auth/api/grpc/auth/responses.go b/auth/api/grpc/auth/responses.go
@@ -13,3 +13,7 @@ type authorizeRes struct {
 	id         string
 	authorized bool
 }
+
+type retrievePATRes struct {
+	pat string
+}
diff --git a/auth/api/grpc/auth/server.go b/auth/api/grpc/auth/server.go
@@ -19,6 +19,7 @@ type authGrpcServer struct {
 	authorize    kitgrpc.Handler
 	authenticate kitgrpc.Handler
 	authorizePAT kitgrpc.Handler
+	retrievePAT  kitgrpc.Handler
 }
 
 // NewAuthServer returns new AuthnServiceServer instance.
@@ -92,11 +93,20 @@ func encodeAuthorizeResponse(_ context.Context, grpcRes interface{}) (interface{
 func decodeAuthorizePATRequest(_ context.Context, grpcReq interface{}) (interface{}, error) {
 	req := grpcReq.(*grpcAuthV1.AuthZpatReq)
 	return authPATReq{
-		paToken:                  req.GetPaToken(),
+		userID:                   req.GetUserID(),
+		patID:                    req.GetPatID(),
 		platformEntityType:       req.GetPlatformEntityType(),
 		optionalDomainID:         req.GetOptionalDomainID(),
 		optionalDomainEntityType: req.GetOptionalDomainEntityType(),
 		operation:                req.GetOperation(),
 		entityIDs:                req.GetEntityIDs(),
 	}, nil
 }
+
+func (s *authGrpcServer) AuthorizePAT(ctx context.Context, req *grpcAuthV1.AuthZpatReq) (*grpcAuthV1.AuthZRes, error) {
+	_, res, err := s.authorizePAT.ServeGRPC(ctx, req)
+	if err != nil {
+		return nil, grpcapi.EncodeError(err)
+	}
+	return res.(*grpcAuthV1.AuthZRes), nil
+}
diff --git a/auth/api/grpc/utils.go b/auth/api/grpc/utils.go
@@ -25,7 +25,9 @@ func EncodeError(err error) error {
 		err == apiutil.ErrMissingMemberType,
 		err == apiutil.ErrMissingPolicySub,
 		err == apiutil.ErrMissingPolicyObj,
-		err == apiutil.ErrMalformedPolicyAct:
+		err == apiutil.ErrMalformedPolicyAct,
+		err == apiutil.ErrMissingUserID,
+		err == apiutil.ErrMissingPATID:
 		return status.Error(codes.InvalidArgument, err.Error())
 	case errors.Contains(err, svcerr.ErrAuthentication),
 		errors.Contains(err, auth.ErrKeyExpired),

diff --git a/internal/api/common.go b/internal/api/common.go
@@ -165,7 +165,9 @@ func EncodeError(_ context.Context, err error, w http.ResponseWriter) {
 		errors.Contains(err, apiutil.ErrEmptySearchQuery),
 		errors.Contains(err, apiutil.ErrLenSearchQuery),
 		errors.Contains(err, apiutil.ErrMissingDomainID),
-		errors.Contains(err, certs.ErrFailedReadFromPKI):
+		errors.Contains(err, certs.ErrFailedReadFromPKI),
+		errors.Contains(err, apiutil.ErrMissingUserID),
+		errors.Contains(err, apiutil.ErrMissingPATID):
 		err = unwrap(err)
 		w.WriteHeader(http.StatusBadRequest)
 

diff --git a/internal/grpc/auth/v1/auth.pb.go b/internal/grpc/auth/v1/auth.pb.go
diff --git a/internal/proto/auth/v1/auth.proto b/internal/proto/auth/v1/auth.proto
@@ -38,12 +38,13 @@ message AuthZReq {
 }
 
 message AuthZpatReq {
-  string paToken = 1;                     // PaToken
-  string platform_entity_type = 2;        // Platform entity type
-  string optional_domainID = 3;           // Optional domain id
-  string optional_domain_entity_type = 4; // Optional domain entity type 
-  string operation = 5;                   // Operation
-  repeated string entityIDs = 6;          // EntityIDs
+  string userID = 1;                      // User id
+  string patID = 2;                       // Pat id
+  string platform_entity_type = 3;        // Platform entity type
+  string optional_domainID = 4;           // Optional domain id
+  string optional_domain_entity_type = 5; // Optional domain entity type 
+  string operation = 6;                   // Operation
+  repeated string entityIDs = 7;          // EntityIDs
 }
 
 message AuthZRes {

diff --git a/pat/api/http/endpoint.go b/pat/api/http/endpoint.go
@@ -46,7 +46,7 @@ func retrievePATEndpoint(svc pat.Service) endpoint.Endpoint {
 			return nil, svcerr.ErrAuthentication
 		}
 
-		pat, err := svc.RetrievePAT(ctx, session, req.id)
+		pat, err := svc.RetrievePAT(ctx, session.UserID, req.id)
 		if err != nil {
 			return nil, err
 		}

diff --git a/pat/events/streams.go b/pat/events/streams.go
@@ -49,8 +49,8 @@ func (es *eventStore) UpdatePATDescription(ctx context.Context, session authn.Se
 	return es.svc.UpdatePATDescription(ctx, session, patID, description)
 }
 
-func (es *eventStore) RetrievePAT(ctx context.Context, session authn.Session, patID string) (pat.PAT, error) {
-	return es.svc.RetrievePAT(ctx, session, patID)
+func (es *eventStore) RetrievePAT(ctx context.Context, userID string, patID string) (pat.PAT, error) {
+	return es.svc.RetrievePAT(ctx, userID, patID)
 }
 
 func (es *eventStore) ListPATS(ctx context.Context, session authn.Session, pm pat.PATSPageMeta) (pat.PATSPage, error) {
@@ -85,8 +85,8 @@ func (es *eventStore) IdentifyPAT(ctx context.Context, paToken string) (pat.PAT,
 	return es.svc.IdentifyPAT(ctx, paToken)
 }
 
-func (es *eventStore) AuthorizePAT(ctx context.Context, paToken string, platformEntityType pat.PlatformEntityType, optionalDomainID string, optionalDomainEntityType pat.DomainEntityType, operation pat.OperationType, entityIDs ...string) error {
-	return es.svc.AuthorizePAT(ctx, paToken, platformEntityType, optionalDomainID, optionalDomainEntityType, operation, entityIDs...)
+func (es *eventStore) AuthorizePAT(ctx context.Context, userID, patID string, platformEntityType pat.PlatformEntityType, optionalDomainID string, optionalDomainEntityType pat.DomainEntityType, operation pat.OperationType, entityIDs ...string) error {
+	return es.svc.AuthorizePAT(ctx, userID, patID, platformEntityType, optionalDomainID, optionalDomainEntityType, operation, entityIDs...)
 }
 
 func (es *eventStore) CheckPAT(ctx context.Context, userID, patID string, platformEntityType pat.PlatformEntityType, optionalDomainID string, optionalDomainEntityType pat.DomainEntityType, operation pat.OperationType, entityIDs ...string) error {