opensource/magistrala
1
0
Fork 0
mirror of https://github.com/absmach/magistrala.git synced 2026-06-23 04:10:28 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

SMQ-2757 - Combine Authorization and AuthorizationPAT to single gRPC endpoint and combine service functions (#3292)

Browse Source 
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
This commit is contained in:
Steve Munene
2025-12-19 19:51:06 +03:00
committed by GitHub
parent 1e7e65d642
commit 1355bc8bb7
13 changed files with 700 additions and 723 deletions
Download Patch File Download Diff File Expand all files Collapse all files
api/grpc/auth/v1/auth.pb.go
+295 -187
View File
@@ -70,10 +70,11 @@ func (x *AuthNReq) GetToken() string {
type AuthNRes struct {
state protoimpl.MessageState `protogen:"open.v1"`
Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` // token id
UserId string `protobuf:"bytes,2,opt,name=user_id,json=userId,proto3" json:"user_id,omitempty"` // user id
UserRole uint32 `protobuf:"varint,3,opt,name=user_role,json=userRole,proto3" json:"user_role,omitempty"` // user role
Verified bool `protobuf:"varint,4,opt,name=verified,proto3" json:"verified,omitempty"` // verified user
Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` // token id
UserId string `protobuf:"bytes,2,opt,name=user_id,json=userId,proto3" json:"user_id,omitempty"` // user id
UserRole uint32 `protobuf:"varint,3,opt,name=user_role,json=userRole,proto3" json:"user_role,omitempty"` // user role
Verified bool `protobuf:"varint,4,opt,name=verified,proto3" json:"verified,omitempty"` // verified user
TokenType uint32 `protobuf:"varint,5,opt,name=token_type,json=tokenType,proto3" json:"token_type,omitempty"` // token type
unknownFields protoimpl.UnknownFields
sizeCache protoimpl.SizeCache
}
@@ -136,24 +137,227 @@ func (x *AuthNRes) GetVerified() bool {
return false
}
type AuthZReq struct {
func (x *AuthNRes) GetTokenType() uint32 {
if x != nil {
return x.TokenType
}
return 0
}
type PolicyReq struct {
state protoimpl.MessageState `protogen:"open.v1"`
Domain string `protobuf:"bytes,1,opt,name=domain,proto3" json:"domain,omitempty"` // Domain
SubjectType string `protobuf:"bytes,2,opt,name=subject_type,json=subjectType,proto3" json:"subject_type,omitempty"` // Client or User
SubjectKind string `protobuf:"bytes,3,opt,name=subject_kind,json=subjectKind,proto3" json:"subject_kind,omitempty"` // ID or Token
SubjectRelation string `protobuf:"bytes,4,opt,name=subject_relation,json=subjectRelation,proto3" json:"subject_relation,omitempty"` // Subject relation
Subject string `protobuf:"bytes,5,opt,name=subject,proto3" json:"subject,omitempty"` // Subject value (id or token, depending on kind)
Relation string `protobuf:"bytes,6,opt,name=relation,proto3" json:"relation,omitempty"` // Relation to filter
Permission string `protobuf:"bytes,7,opt,name=permission,proto3" json:"permission,omitempty"` // Action
Object string `protobuf:"bytes,8,opt,name=object,proto3" json:"object,omitempty"` // Object ID
ObjectType string `protobuf:"bytes,9,opt,name=object_type,json=objectType,proto3" json:"object_type,omitempty"` // Client, User, Group
TokenType uint32 `protobuf:"varint,1,opt,name=token_type,json=tokenType,proto3" json:"token_type,omitempty"` // Token type
Domain string `protobuf:"bytes,2,opt,name=domain,proto3" json:"domain,omitempty"` // Domain
SubjectType string `protobuf:"bytes,3,opt,name=subject_type,json=subjectType,proto3" json:"subject_type,omitempty"` // Client or User
SubjectKind string `protobuf:"bytes,4,opt,name=subject_kind,json=subjectKind,proto3" json:"subject_kind,omitempty"` // ID or Token
SubjectRelation string `protobuf:"bytes,5,opt,name=subject_relation,json=subjectRelation,proto3" json:"subject_relation,omitempty"` // Subject relation
Subject string `protobuf:"bytes,6,opt,name=subject,proto3" json:"subject,omitempty"` // Subject value
Relation string `protobuf:"bytes,7,opt,name=relation,proto3" json:"relation,omitempty"` // Relation to filter
Permission string `protobuf:"bytes,8,opt,name=permission,proto3" json:"permission,omitempty"` // Action
Object string `protobuf:"bytes,9,opt,name=object,proto3" json:"object,omitempty"` // Object ID
ObjectType string `protobuf:"bytes,10,opt,name=object_type,json=objectType,proto3" json:"object_type,omitempty"` // Client, User, Group
unknownFields protoimpl.UnknownFields
sizeCache protoimpl.SizeCache
}
func (x *PolicyReq) Reset() {
*x = PolicyReq{}
mi := &file_auth_v1_auth_proto_msgTypes[2]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
func (x *PolicyReq) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*PolicyReq) ProtoMessage() {}
func (x *PolicyReq) ProtoReflect() protoreflect.Message {
mi := &file_auth_v1_auth_proto_msgTypes[2]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use PolicyReq.ProtoReflect.Descriptor instead.
func (*PolicyReq) Descriptor() ([]byte, []int) {
return file_auth_v1_auth_proto_rawDescGZIP(), []int{2}
}
func (x *PolicyReq) GetTokenType() uint32 {
if x != nil {
return x.TokenType
}
return 0
}
func (x *PolicyReq) GetDomain() string {
if x != nil {
return x.Domain
}
return ""
}
func (x *PolicyReq) GetSubjectType() string {
if x != nil {
return x.SubjectType
}
return ""
}
func (x *PolicyReq) GetSubjectKind() string {
if x != nil {
return x.SubjectKind
}
return ""
}
func (x *PolicyReq) GetSubjectRelation() string {
if x != nil {
return x.SubjectRelation
}
return ""
}
func (x *PolicyReq) GetSubject() string {
if x != nil {
return x.Subject
}
return ""
}
func (x *PolicyReq) GetRelation() string {
if x != nil {
return x.Relation
}
return ""
}
func (x *PolicyReq) GetPermission() string {
if x != nil {
return x.Permission
}
return ""
}
func (x *PolicyReq) GetObject() string {
if x != nil {
return x.Object
}
return ""
}
func (x *PolicyReq) GetObjectType() string {
if x != nil {
return x.ObjectType
}
return ""
}
type PATReq struct {
state protoimpl.MessageState `protogen:"open.v1"`
UserId string `protobuf:"bytes,1,opt,name=user_id,json=userId,proto3" json:"user_id,omitempty"` // User id (PAT)
PatId string `protobuf:"bytes,2,opt,name=pat_id,json=patId,proto3" json:"pat_id,omitempty"` // Pat id
EntityType uint32 `protobuf:"varint,3,opt,name=entity_type,json=entityType,proto3" json:"entity_type,omitempty"` // Entity type (PAT)
OptionalDomainId string `protobuf:"bytes,4,opt,name=optional_domain_id,json=optionalDomainId,proto3" json:"optional_domain_id,omitempty"` // Optional domain id (PAT)
Operation uint32 `protobuf:"varint,5,opt,name=operation,proto3" json:"operation,omitempty"` // Operation (PAT)
EntityId string `protobuf:"bytes,6,opt,name=entity_id,json=entityId,proto3" json:"entity_id,omitempty"` // EntityID (PAT)
unknownFields protoimpl.UnknownFields
sizeCache protoimpl.SizeCache
}
func (x *PATReq) Reset() {
*x = PATReq{}
mi := &file_auth_v1_auth_proto_msgTypes[3]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
func (x *PATReq) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*PATReq) ProtoMessage() {}
func (x *PATReq) ProtoReflect() protoreflect.Message {
mi := &file_auth_v1_auth_proto_msgTypes[3]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use PATReq.ProtoReflect.Descriptor instead.
func (*PATReq) Descriptor() ([]byte, []int) {
return file_auth_v1_auth_proto_rawDescGZIP(), []int{3}
}
func (x *PATReq) GetUserId() string {
if x != nil {
return x.UserId
}
return ""
}
func (x *PATReq) GetPatId() string {
if x != nil {
return x.PatId
}
return ""
}
func (x *PATReq) GetEntityType() uint32 {
if x != nil {
return x.EntityType
}
return 0
}
func (x *PATReq) GetOptionalDomainId() string {
if x != nil {
return x.OptionalDomainId
}
return ""
}
func (x *PATReq) GetOperation() uint32 {
if x != nil {
return x.Operation
}
return 0
}
func (x *PATReq) GetEntityId() string {
if x != nil {
return x.EntityId
}
return ""
}
type AuthZReq struct {
state protoimpl.MessageState `protogen:"open.v1"`
// Types that are valid to be assigned to AuthType:
//
// *AuthZReq_Policy
// *AuthZReq_Pat
AuthType isAuthZReq_AuthType `protobuf_oneof:"auth_type"`
unknownFields protoimpl.UnknownFields
sizeCache protoimpl.SizeCache
}
func (x *AuthZReq) Reset() {
*x = AuthZReq{}
mi := &file_auth_v1_auth_proto_msgTypes[2]
mi := &file_auth_v1_auth_proto_msgTypes[4]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -165,7 +369,7 @@ func (x *AuthZReq) String() string {
func (*AuthZReq) ProtoMessage() {}
func (x *AuthZReq) ProtoReflect() protoreflect.Message {
mi := &file_auth_v1_auth_proto_msgTypes[2]
mi := &file_auth_v1_auth_proto_msgTypes[4]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -178,155 +382,49 @@ func (x *AuthZReq) ProtoReflect() protoreflect.Message {
// Deprecated: Use AuthZReq.ProtoReflect.Descriptor instead.
func (*AuthZReq) Descriptor() ([]byte, []int) {
return file_auth_v1_auth_proto_rawDescGZIP(), []int{2}
return file_auth_v1_auth_proto_rawDescGZIP(), []int{4}
}
func (x *AuthZReq) GetDomain() string {
func (x *AuthZReq) GetAuthType() isAuthZReq_AuthType {
if x != nil {
return x.Domain
return x.AuthType
}
return ""
return nil
}
func (x *AuthZReq) GetSubjectType() string {
func (x *AuthZReq) GetPolicy() *PolicyReq {
if x != nil {
return x.SubjectType
}
return ""
}
func (x *AuthZReq) GetSubjectKind() string {
if x != nil {
return x.SubjectKind
}
return ""
}
func (x *AuthZReq) GetSubjectRelation() string {
if x != nil {
return x.SubjectRelation
}
return ""
}
func (x *AuthZReq) GetSubject() string {
if x != nil {
return x.Subject
}
return ""
}
func (x *AuthZReq) GetRelation() string {
if x != nil {
return x.Relation
}
return ""
}
func (x *AuthZReq) GetPermission() string {
if x != nil {
return x.Permission
}
return ""
}
func (x *AuthZReq) GetObject() string {
if x != nil {
return x.Object
}
return ""
}
func (x *AuthZReq) GetObjectType() string {
if x != nil {
return x.ObjectType
}
return ""
}
type AuthZPatReq struct {
state protoimpl.MessageState `protogen:"open.v1"`
UserId string `protobuf:"bytes,1,opt,name=user_id,json=userId,proto3" json:"user_id,omitempty"` // User id
PatId string `protobuf:"bytes,2,opt,name=pat_id,json=patId,proto3" json:"pat_id,omitempty"` // Pat id
EntityType uint32 `protobuf:"varint,3,opt,name=entity_type,json=entityType,proto3" json:"entity_type,omitempty"` // Entity type
OptionalDomainId string `protobuf:"bytes,4,opt,name=optional_domain_id,json=optionalDomainId,proto3" json:"optional_domain_id,omitempty"` // Optional domain id
Operation uint32 `protobuf:"varint,6,opt,name=operation,proto3" json:"operation,omitempty"` // Operation
EntityId string `protobuf:"bytes,7,opt,name=entity_id,json=entityId,proto3" json:"entity_id,omitempty"` // EntityID
unknownFields protoimpl.UnknownFields
sizeCache protoimpl.SizeCache
}
func (x *AuthZPatReq) Reset() {
*x = AuthZPatReq{}
mi := &file_auth_v1_auth_proto_msgTypes[3]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
func (x *AuthZPatReq) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*AuthZPatReq) ProtoMessage() {}
func (x *AuthZPatReq) ProtoReflect() protoreflect.Message {
mi := &file_auth_v1_auth_proto_msgTypes[3]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
if x, ok := x.AuthType.(*AuthZReq_Policy); ok {
return x.Policy
}
return ms
}
return mi.MessageOf(x)
return nil
}
// Deprecated: Use AuthZPatReq.ProtoReflect.Descriptor instead.
func (*AuthZPatReq) Descriptor() ([]byte, []int) {
return file_auth_v1_auth_proto_rawDescGZIP(), []int{3}
}
func (x *AuthZPatReq) GetUserId() string {
func (x *AuthZReq) GetPat() *PATReq {
if x != nil {
return x.UserId
if x, ok := x.AuthType.(*AuthZReq_Pat); ok {
return x.Pat
}
}
return ""
return nil
}
func (x *AuthZPatReq) GetPatId() string {
if x != nil {
return x.PatId
}
return ""
type isAuthZReq_AuthType interface {
isAuthZReq_AuthType()
}
func (x *AuthZPatReq) GetEntityType() uint32 {
if x != nil {
return x.EntityType
}
return 0
type AuthZReq_Policy struct {
Policy *PolicyReq `protobuf:"bytes,1,opt,name=policy,proto3,oneof"` // Policy-based authorization
}
func (x *AuthZPatReq) GetOptionalDomainId() string {
if x != nil {
return x.OptionalDomainId
}
return ""
type AuthZReq_Pat struct {
Pat *PATReq `protobuf:"bytes,2,opt,name=pat,proto3,oneof"` // PAT authorization
}
func (x *AuthZPatReq) GetOperation() uint32 {
if x != nil {
return x.Operation
}
return 0
}
func (*AuthZReq_Policy) isAuthZReq_AuthType() {}
func (x *AuthZPatReq) GetEntityId() string {
if x != nil {
return x.EntityId
}
return ""
}
func (*AuthZReq_Pat) isAuthZReq_AuthType() {}
type AuthZRes struct {
state protoimpl.MessageState `protogen:"open.v1"`
@@ -338,7 +436,7 @@ type AuthZRes struct {
func (x *AuthZRes) Reset() {
*x = AuthZRes{}
mi := &file_auth_v1_auth_proto_msgTypes[4]
mi := &file_auth_v1_auth_proto_msgTypes[5]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -350,7 +448,7 @@ func (x *AuthZRes) String() string {
func (*AuthZRes) ProtoMessage() {}
func (x *AuthZRes) ProtoReflect() protoreflect.Message {
mi := &file_auth_v1_auth_proto_msgTypes[4]
mi := &file_auth_v1_auth_proto_msgTypes[5]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -363,7 +461,7 @@ func (x *AuthZRes) ProtoReflect() protoreflect.Message {
// Deprecated: Use AuthZRes.ProtoReflect.Descriptor instead.
func (*AuthZRes) Descriptor() ([]byte, []int) {
return file_auth_v1_auth_proto_rawDescGZIP(), []int{4}
return file_auth_v1_auth_proto_rawDescGZIP(), []int{5}
}
func (x *AuthZRes) GetAuthorized() bool {
@@ -386,43 +484,50 @@ const file_auth_v1_auth_proto_rawDesc = "" +
"\n" +
"\x12auth/v1/auth.proto\x12\aauth.v1\" \n" +
"\bAuthNReq\x12\x14\n" +
"\x05token\x18\x01 \x01(\tR\x05token\"l\n" +
"\x05token\x18\x01 \x01(\tR\x05token\"\x8b\x01\n" +
"\bAuthNRes\x12\x0e\n" +
"\x02id\x18\x01 \x01(\tR\x02id\x12\x17\n" +
"\auser_id\x18\x02 \x01(\tR\x06userId\x12\x1b\n" +
"\tuser_role\x18\x03 \x01(\rR\buserRole\x12\x1a\n" +
"\bverified\x18\x04 \x01(\bR\bverified\"\xa2\x02\n" +
"\bAuthZReq\x12\x16\n" +
"\x06domain\x18\x01 \x01(\tR\x06domain\x12!\n" +
"\fsubject_type\x18\x02 \x01(\tR\vsubjectType\x12!\n" +
"\fsubject_kind\x18\x03 \x01(\tR\vsubjectKind\x12)\n" +
"\x10subject_relation\x18\x04 \x01(\tR\x0fsubjectRelation\x12\x18\n" +
"\asubject\x18\x05 \x01(\tR\asubject\x12\x1a\n" +
"\brelation\x18\x06 \x01(\tR\brelation\x12\x1e\n" +
"\bverified\x18\x04 \x01(\bR\bverified\x12\x1d\n" +
"\n" +
"permission\x18\a \x01(\tR\n" +
"token_type\x18\x05 \x01(\rR\ttokenType\"\xc2\x02\n" +
"\tPolicyReq\x12\x1d\n" +
"\n" +
"token_type\x18\x01 \x01(\rR\ttokenType\x12\x16\n" +
"\x06domain\x18\x02 \x01(\tR\x06domain\x12!\n" +
"\fsubject_type\x18\x03 \x01(\tR\vsubjectType\x12!\n" +
"\fsubject_kind\x18\x04 \x01(\tR\vsubjectKind\x12)\n" +
"\x10subject_relation\x18\x05 \x01(\tR\x0fsubjectRelation\x12\x18\n" +
"\asubject\x18\x06 \x01(\tR\asubject\x12\x1a\n" +
"\brelation\x18\a \x01(\tR\brelation\x12\x1e\n" +
"\n" +
"permission\x18\b \x01(\tR\n" +
"permission\x12\x16\n" +
"\x06object\x18\b \x01(\tR\x06object\x12\x1f\n" +
"\vobject_type\x18\t \x01(\tR\n" +
"objectType\"\xc7\x01\n" +
"\vAuthZPatReq\x12\x17\n" +
"\x06object\x18\t \x01(\tR\x06object\x12\x1f\n" +
"\vobject_type\x18\n" +
" \x01(\tR\n" +
"objectType\"\xc2\x01\n" +
"\x06PATReq\x12\x17\n" +
"\auser_id\x18\x01 \x01(\tR\x06userId\x12\x15\n" +
"\x06pat_id\x18\x02 \x01(\tR\x05patId\x12\x1f\n" +
"\ventity_type\x18\x03 \x01(\rR\n" +
"entityType\x12,\n" +
"\x12optional_domain_id\x18\x04 \x01(\tR\x10optionalDomainId\x12\x1c\n" +
"\toperation\x18\x06 \x01(\rR\toperation\x12\x1b\n" +
"\tentity_id\x18\a \x01(\tR\bentityId\":\n" +
"\toperation\x18\x05 \x01(\rR\toperation\x12\x1b\n" +
"\tentity_id\x18\x06 \x01(\tR\bentityId\"j\n" +
"\bAuthZReq\x12,\n" +
"\x06policy\x18\x01 \x01(\v2\x12.auth.v1.PolicyReqH\x00R\x06policy\x12#\n" +
"\x03pat\x18\x02 \x01(\v2\x0f.auth.v1.PATReqH\x00R\x03patB\v\n" +
"\tauth_type\":\n" +
"\bAuthZRes\x12\x1e\n" +
"\n" +
"authorized\x18\x01 \x01(\bR\n" +
"authorized\x12\x0e\n" +
"\x02id\x18\x02 \x01(\tR\x02id2\xf0\x01\n" +
"\x02id\x18\x02 \x01(\tR\x02id2z\n" +
"\vAuthService\x123\n" +
"\tAuthorize\x12\x11.auth.v1.AuthZReq\x1a\x11.auth.v1.AuthZRes\"\x00\x129\n" +
"\fAuthorizePAT\x12\x14.auth.v1.AuthZPatReq\x1a\x11.auth.v1.AuthZRes\"\x00\x126\n" +
"\fAuthenticate\x12\x11.auth.v1.AuthNReq\x1a\x11.auth.v1.AuthNRes\"\x00\x129\n" +
"\x0fAuthenticatePAT\x12\x11.auth.v1.AuthNReq\x1a\x11.auth.v1.AuthNRes\"\x00B-Z+github.com/absmach/supermq/api/grpc/auth/v1b\x06proto3"
"\tAuthorize\x12\x11.auth.v1.AuthZReq\x1a\x11.auth.v1.AuthZRes\"\x00\x126\n" +
"\fAuthenticate\x12\x11.auth.v1.AuthNReq\x1a\x11.auth.v1.AuthNRes\"\x00B-Z+github.com/absmach/supermq/api/grpc/auth/v1b\x06proto3"
var (
file_auth_v1_auth_proto_rawDescOnce sync.Once
@@ -436,28 +541,27 @@ func file_auth_v1_auth_proto_rawDescGZIP() []byte {
return file_auth_v1_auth_proto_rawDescData
}
var file_auth_v1_auth_proto_msgTypes = make([]protoimpl.MessageInfo, 5)
var file_auth_v1_auth_proto_msgTypes = make([]protoimpl.MessageInfo, 6)
var file_auth_v1_auth_proto_goTypes = []any{
(*AuthNReq)(nil), // 0: auth.v1.AuthNReq
(*AuthNRes)(nil), // 1: auth.v1.AuthNRes
(*AuthZReq)(nil), // 2: auth.v1.AuthZReq
(*AuthZPatReq)(nil), // 3: auth.v1.AuthZPatReq
(*AuthZRes)(nil), // 4: auth.v1.AuthZRes
(*AuthNReq)(nil), // 0: auth.v1.AuthNReq
(*AuthNRes)(nil), // 1: auth.v1.AuthNRes
(*PolicyReq)(nil), // 2: auth.v1.PolicyReq
(*PATReq)(nil), // 3: auth.v1.PATReq
(*AuthZReq)(nil), // 4: auth.v1.AuthZReq
(*AuthZRes)(nil), // 5: auth.v1.AuthZRes
}
var file_auth_v1_auth_proto_depIdxs = []int32{
2, // 0: auth.v1.AuthService.Authorize:input_type -> auth.v1.AuthZReq
3, // 1: auth.v1.AuthService.AuthorizePAT:input_type -> auth.v1.AuthZPatReq
0, // 2: auth.v1.AuthService.Authenticate:input_type -> auth.v1.AuthNReq
0, // 3: auth.v1.AuthService.AuthenticatePAT:input_type -> auth.v1.AuthNReq
4, // 4: auth.v1.AuthService.Authorize:output_type -> auth.v1.AuthZRes
4, // 5: auth.v1.AuthService.AuthorizePAT:output_type -> auth.v1.AuthZRes
1, // 6: auth.v1.AuthService.Authenticate:output_type -> auth.v1.AuthNRes
1, // 7: auth.v1.AuthService.AuthenticatePAT:output_type -> auth.v1.AuthNRes
4, // [4:8] is the sub-list for method output_type
0, // [0:4] is the sub-list for method input_type
0, // [0:0] is the sub-list for extension type_name
0, // [0:0] is the sub-list for extension extendee
0, // [0:0] is the sub-list for field type_name
2, // 0: auth.v1.AuthZReq.policy:type_name -> auth.v1.PolicyReq
3, // 1: auth.v1.AuthZReq.pat:type_name -> auth.v1.PATReq
4, // 2: auth.v1.AuthService.Authorize:input_type -> auth.v1.AuthZReq
0, // 3: auth.v1.AuthService.Authenticate:input_type -> auth.v1.AuthNReq
5, // 4: auth.v1.AuthService.Authorize:output_type -> auth.v1.AuthZRes
1, // 5: auth.v1.AuthService.Authenticate:output_type -> auth.v1.AuthNRes
4, // [4:6] is the sub-list for method output_type
2, // [2:4] is the sub-list for method input_type
2, // [2:2] is the sub-list for extension type_name
2, // [2:2] is the sub-list for extension extendee
0, // [0:2] is the sub-list for field type_name
}
func init() { file_auth_v1_auth_proto_init() }
@@ -465,13 +569,17 @@ func file_auth_v1_auth_proto_init() {
if File_auth_v1_auth_proto != nil {
return
}
file_auth_v1_auth_proto_msgTypes[4].OneofWrappers = []any{
(*AuthZReq_Policy)(nil),
(*AuthZReq_Pat)(nil),
}
type x struct{}
out := protoimpl.TypeBuilder{
File: protoimpl.DescBuilder{
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: unsafe.Slice(unsafe.StringData(file_auth_v1_auth_proto_rawDesc), len(file_auth_v1_auth_proto_rawDesc)),
NumEnums: 0,
NumMessages: 5,
NumMessages: 6,
NumExtensions: 0,
NumServices: 1,
},
api/grpc/auth/v1/auth_grpc.pb.go
+2 -78
View File
@@ -22,10 +22,8 @@ import (
const _ = grpc.SupportPackageIsVersion9
const (
AuthService_Authorize_FullMethodName = "/auth.v1.AuthService/Authorize"
AuthService_AuthorizePAT_FullMethodName = "/auth.v1.AuthService/AuthorizePAT"
AuthService_Authenticate_FullMethodName = "/auth.v1.AuthService/Authenticate"
AuthService_AuthenticatePAT_FullMethodName = "/auth.v1.AuthService/AuthenticatePAT"
AuthService_Authorize_FullMethodName = "/auth.v1.AuthService/Authorize"
AuthService_Authenticate_FullMethodName = "/auth.v1.AuthService/Authenticate"
)
// AuthServiceClient is the client API for AuthService service.
@@ -36,9 +34,7 @@ const (
// and authorization functionalities for SuperMQ services.
type AuthServiceClient interface {
Authorize(ctx context.Context, in *AuthZReq, opts ...grpc.CallOption) (*AuthZRes, error)
AuthorizePAT(ctx context.Context, in *AuthZPatReq, opts ...grpc.CallOption) (*AuthZRes, error)
Authenticate(ctx context.Context, in *AuthNReq, opts ...grpc.CallOption) (*AuthNRes, error)
AuthenticatePAT(ctx context.Context, in *AuthNReq, opts ...grpc.CallOption) (*AuthNRes, error)
}
type authServiceClient struct {
@@ -59,16 +55,6 @@ func (c *authServiceClient) Authorize(ctx context.Context, in *AuthZReq, opts ..
return out, nil
}
func (c *authServiceClient) AuthorizePAT(ctx context.Context, in *AuthZPatReq, opts ...grpc.CallOption) (*AuthZRes, error) {
cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
out := new(AuthZRes)
err := c.cc.Invoke(ctx, AuthService_AuthorizePAT_FullMethodName, in, out, cOpts...)
if err != nil {
return nil, err
}
return out, nil
}
func (c *authServiceClient) Authenticate(ctx context.Context, in *AuthNReq, opts ...grpc.CallOption) (*AuthNRes, error) {
cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
out := new(AuthNRes)
@@ -79,16 +65,6 @@ func (c *authServiceClient) Authenticate(ctx context.Context, in *AuthNReq, opts
return out, nil
}
func (c *authServiceClient) AuthenticatePAT(ctx context.Context, in *AuthNReq, opts ...grpc.CallOption) (*AuthNRes, error) {
cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
out := new(AuthNRes)
err := c.cc.Invoke(ctx, AuthService_AuthenticatePAT_FullMethodName, in, out, cOpts...)
if err != nil {
return nil, err
}
return out, nil
}
// AuthServiceServer is the server API for AuthService service.
// All implementations must embed UnimplementedAuthServiceServer
// for forward compatibility.
@@ -97,9 +73,7 @@ func (c *authServiceClient) AuthenticatePAT(ctx context.Context, in *AuthNReq, o
// and authorization functionalities for SuperMQ services.
type AuthServiceServer interface {
Authorize(context.Context, *AuthZReq) (*AuthZRes, error)
AuthorizePAT(context.Context, *AuthZPatReq) (*AuthZRes, error)
Authenticate(context.Context, *AuthNReq) (*AuthNRes, error)
AuthenticatePAT(context.Context, *AuthNReq) (*AuthNRes, error)
mustEmbedUnimplementedAuthServiceServer()
}
@@ -113,15 +87,9 @@ type UnimplementedAuthServiceServer struct{}
func (UnimplementedAuthServiceServer) Authorize(context.Context, *AuthZReq) (*AuthZRes, error) {
return nil, status.Errorf(codes.Unimplemented, "method Authorize not implemented")
}
func (UnimplementedAuthServiceServer) AuthorizePAT(context.Context, *AuthZPatReq) (*AuthZRes, error) {
return nil, status.Errorf(codes.Unimplemented, "method AuthorizePAT not implemented")
}
func (UnimplementedAuthServiceServer) Authenticate(context.Context, *AuthNReq) (*AuthNRes, error) {
return nil, status.Errorf(codes.Unimplemented, "method Authenticate not implemented")
}
func (UnimplementedAuthServiceServer) AuthenticatePAT(context.Context, *AuthNReq) (*AuthNRes, error) {
return nil, status.Errorf(codes.Unimplemented, "method AuthenticatePAT not implemented")
}
func (UnimplementedAuthServiceServer) mustEmbedUnimplementedAuthServiceServer() {}
func (UnimplementedAuthServiceServer) testEmbeddedByValue() {}
@@ -161,24 +129,6 @@ func _AuthService_Authorize_Handler(srv interface{}, ctx context.Context, dec fu
return interceptor(ctx, in, info, handler)
}
func _AuthService_AuthorizePAT_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
in := new(AuthZPatReq)
if err := dec(in); err != nil {
return nil, err
}
if interceptor == nil {
return srv.(AuthServiceServer).AuthorizePAT(ctx, in)
}
info := &grpc.UnaryServerInfo{
Server: srv,
FullMethod: AuthService_AuthorizePAT_FullMethodName,
}
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
return srv.(AuthServiceServer).AuthorizePAT(ctx, req.(*AuthZPatReq))
}
return interceptor(ctx, in, info, handler)
}
func _AuthService_Authenticate_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
in := new(AuthNReq)
if err := dec(in); err != nil {
@@ -197,24 +147,6 @@ func _AuthService_Authenticate_Handler(srv interface{}, ctx context.Context, dec
return interceptor(ctx, in, info, handler)
}
func _AuthService_AuthenticatePAT_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
in := new(AuthNReq)
if err := dec(in); err != nil {
return nil, err
}
if interceptor == nil {
return srv.(AuthServiceServer).AuthenticatePAT(ctx, in)
}
info := &grpc.UnaryServerInfo{
Server: srv,
FullMethod: AuthService_AuthenticatePAT_FullMethodName,
}
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
return srv.(AuthServiceServer).AuthenticatePAT(ctx, req.(*AuthNReq))
}
return interceptor(ctx, in, info, handler)
}
// AuthService_ServiceDesc is the grpc.ServiceDesc for AuthService service.
// It's only intended for direct use with grpc.RegisterService,
// and not to be introspected or modified (even as a copy)
@@ -226,18 +158,10 @@ var AuthService_ServiceDesc = grpc.ServiceDesc{
MethodName: "Authorize",
Handler: _AuthService_Authorize_Handler,
},
{
MethodName: "AuthorizePAT",
Handler: _AuthService_AuthorizePAT_Handler,
},
{
MethodName: "Authenticate",
Handler: _AuthService_Authenticate_Handler,
},
{
MethodName: "AuthenticatePAT",
Handler: _AuthService_AuthenticatePAT_Handler,
},
},
Streams: []grpc.StreamDesc{},
Metadata: "auth/v1/auth.proto",
auth/api/grpc/auth/client.go
+58 -86
View File
@@ -18,11 +18,9 @@ import (
const authSvcName = "auth.v1.AuthService"
type authGrpcClient struct {
authenticate endpoint.Endpoint
authenticatePAT endpoint.Endpoint
authorize endpoint.Endpoint
authorizePAT endpoint.Endpoint
timeout time.Duration
authenticate endpoint.Endpoint
authorize endpoint.Endpoint
timeout time.Duration
}
var _ grpcAuthV1.AuthServiceClient = (*authGrpcClient)(nil)
@@ -38,14 +36,6 @@ func NewAuthClient(conn *grpc.ClientConn, timeout time.Duration) grpcAuthV1.Auth
decodeIdentifyResponse,
grpcAuthV1.AuthNRes{},
).Endpoint(),
authenticatePAT: kitgrpc.NewClient(
conn,
authSvcName,
"AuthenticatePAT",
encodeIdentifyRequest,
decodeIdentifyPATResponse,
grpcAuthV1.AuthNRes{},
).Endpoint(),
authorize: kitgrpc.NewClient(
conn,
authSvcName,
@@ -54,14 +44,6 @@ func NewAuthClient(conn *grpc.ClientConn, timeout time.Duration) grpcAuthV1.Auth
decodeAuthorizeResponse,
grpcAuthV1.AuthZRes{},
).Endpoint(),
authorizePAT: kitgrpc.NewClient(
conn,
authSvcName,
"AuthorizePAT",
encodeAuthorizePATRequest,
decodeAuthorizeResponse,
grpcAuthV1.AuthZRes{},
).Endpoint(),
timeout: timeout,
}
}
@@ -88,37 +70,36 @@ func decodeIdentifyResponse(_ context.Context, grpcRes any) (any, error) {
return authenticateRes{id: res.GetId(), userID: res.GetUserId(), userRole: auth.Role(res.UserRole), verified: res.GetVerified()}, nil
}
func (client authGrpcClient) AuthenticatePAT(ctx context.Context, token *grpcAuthV1.AuthNReq, _ ...grpc.CallOption) (*grpcAuthV1.AuthNRes, error) {
ctx, cancel := context.WithTimeout(ctx, client.timeout)
defer cancel()
res, err := client.authenticatePAT(ctx, authenticateReq{token: token.GetToken()})
if err != nil {
return &grpcAuthV1.AuthNRes{}, grpcapi.DecodeError(err)
}
ir := res.(authenticateRes)
return &grpcAuthV1.AuthNRes{Id: ir.id, UserId: ir.userID, UserRole: uint32(ir.userRole)}, nil
}
func decodeIdentifyPATResponse(_ context.Context, grpcRes any) (any, error) {
res := grpcRes.(*grpcAuthV1.AuthNRes)
return authenticateRes{id: res.GetId(), userID: res.GetUserId(), userRole: auth.Role(res.UserRole)}, nil
}
func (client authGrpcClient) Authorize(ctx context.Context, req *grpcAuthV1.AuthZReq, _ ...grpc.CallOption) (r *grpcAuthV1.AuthZRes, err error) {
ctx, cancel := context.WithTimeout(ctx, client.timeout)
defer cancel()
res, err := client.authorize(ctx, authReq{
Domain: req.GetDomain(),
SubjectType: req.GetSubjectType(),
Subject: req.GetSubject(),
SubjectKind: req.GetSubjectKind(),
Relation: req.GetRelation(),
Permission: req.GetPermission(),
ObjectType: req.GetObjectType(),
Object: req.GetObject(),
})
var authReqData authReq
if policy := req.GetPolicy(); policy != nil {
authReqData = authReq{
TokenType: policy.GetTokenType(),
Domain: policy.GetDomain(),
SubjectType: policy.GetSubjectType(),
Subject: policy.GetSubject(),
SubjectKind: policy.GetSubjectKind(),
Relation: policy.GetRelation(),
Permission: policy.GetPermission(),
ObjectType: policy.GetObjectType(),
Object: policy.GetObject(),
}
} else if pat := req.GetPat(); pat != nil {
authReqData = authReq{
UserID: pat.GetUserId(),
PatID: pat.GetPatId(),
EntityType: auth.EntityType(pat.GetEntityType()),
OptionalDomainID: pat.GetOptionalDomainId(),
Operation: auth.Operation(pat.GetOperation()),
EntityID: pat.GetEntityId(),
}
}
res, err := client.authorize(ctx, authReqData)
if err != nil {
return &grpcAuthV1.AuthZRes{}, grpcapi.DecodeError(err)
}
@@ -134,46 +115,37 @@ func decodeAuthorizeResponse(_ context.Context, grpcRes any) (any, error) {
func encodeAuthorizeRequest(_ context.Context, grpcReq any) (any, error) {
req := grpcReq.(authReq)
return &grpcAuthV1.AuthZReq{
Domain: req.Domain,
SubjectType: req.SubjectType,
Subject: req.Subject,
SubjectKind: req.SubjectKind,
Relation: req.Relation,
Permission: req.Permission,
ObjectType: req.ObjectType,
Object: req.Object,
}, nil
}
func (client authGrpcClient) AuthorizePAT(ctx context.Context, req *grpcAuthV1.AuthZPatReq, _ ...grpc.CallOption) (r *grpcAuthV1.AuthZRes, err error) {
ctx, cancel := context.WithTimeout(ctx, client.timeout)
defer cancel()
res, err := client.authorizePAT(ctx, authPATReq{
userID: req.GetUserId(),
patID: req.GetPatId(),
entityType: auth.EntityType(req.GetEntityType()),
optionalDomainID: req.GetOptionalDomainId(),
operation: auth.Operation(req.GetOperation()),
entityID: req.GetEntityId(),
})
if err != nil {
return &grpcAuthV1.AuthZRes{}, grpcapi.DecodeError(err)
// Check if this is a PAT request (has PatID) or policy request
if req.PatID != "" {
return &grpcAuthV1.AuthZReq{
AuthType: &grpcAuthV1.AuthZReq_Pat{
Pat: &grpcAuthV1.PATReq{
UserId: req.UserID,
PatId: req.PatID,
EntityType: uint32(req.EntityType),
OptionalDomainId: req.OptionalDomainID,
Operation: uint32(req.Operation),
EntityId: req.EntityID,
},
},
}, nil
}
ar := res.(authorizeRes)
return &grpcAuthV1.AuthZRes{Authorized: ar.authorized, Id: ar.id}, nil
}
func encodeAuthorizePATRequest(_ context.Context, grpcReq any) (any, error) {
req := grpcReq.(authPATReq)
return &grpcAuthV1.AuthZPatReq{
UserId: req.userID,
PatId: req.patID,
EntityType: uint32(req.entityType),
OptionalDomainId: req.optionalDomainID,
Operation: uint32(req.operation),
EntityId: req.entityID,
// Otherwise, it's a policy request
return &grpcAuthV1.AuthZReq{
AuthType: &grpcAuthV1.AuthZReq_Policy{
Policy: &grpcAuthV1.PolicyReq{
TokenType: req.TokenType,
Domain: req.Domain,
SubjectType: req.SubjectType,
Subject: req.Subject,
SubjectKind: req.SubjectKind,
Relation: req.Relation,
Permission: req.Permission,
ObjectType: req.ObjectType,
Object: req.Object,
},
},
}, nil
}
auth/api/grpc/auth/endpoint.go
+17 -40
View File
@@ -23,23 +23,7 @@ func authenticateEndpoint(svc auth.Service) endpoint.Endpoint {
return authenticateRes{}, err
}
return authenticateRes{userID: key.Subject, userRole: key.Role, verified: key.Verified}, nil
}
}
func authenticatePATEndpoint(svc auth.Service) endpoint.Endpoint {
return func(ctx context.Context, request any) (any, error) {
req := request.(authenticateReq)
if err := req.validate(); err != nil {
return authenticateRes{}, err
}
pat, err := svc.IdentifyPAT(ctx, req.token)
if err != nil {
return authenticateRes{}, err
}
return authenticateRes{id: pat.ID, userID: pat.User, userRole: pat.Role}, nil
return authenticateRes{id: key.ID, userID: key.Subject, userRole: key.Role, verified: key.Verified}, nil
}
}
@@ -50,15 +34,23 @@ func authorizeEndpoint(svc auth.Service) endpoint.Endpoint {
if err := req.validate(); err != nil {
return authorizeRes{}, err
}
err := svc.Authorize(ctx, policies.Policy{
Domain: req.Domain,
SubjectType: req.SubjectType,
SubjectKind: req.SubjectKind,
Subject: req.Subject,
Relation: req.Relation,
Permission: req.Permission,
ObjectType: req.ObjectType,
Object: req.Object,
TokenType: req.TokenType,
Domain: req.Domain,
SubjectType: req.SubjectType,
SubjectKind: req.SubjectKind,
Subject: req.Subject,
Relation: req.Relation,
Permission: req.Permission,
ObjectType: req.ObjectType,
Object: req.Object,
UserID: req.UserID,
PatID: req.PatID,
EntityType: uint32(req.EntityType),
OptionalDomainID: req.OptionalDomainID,
Operation: uint32(req.Operation),
EntityID: req.EntityID,
})
if err != nil {
return authorizeRes{authorized: false}, err
@@ -66,18 +58,3 @@ func authorizeEndpoint(svc auth.Service) endpoint.Endpoint {
return authorizeRes{authorized: true}, nil
}
}
func authorizePATEndpoint(svc auth.Service) endpoint.Endpoint {
return func(ctx context.Context, request any) (any, error) {
req := request.(authPATReq)
if err := req.validate(); err != nil {
return authorizeRes{}, err
}
err := svc.AuthorizePAT(ctx, req.userID, req.patID, req.entityType, req.optionalDomainID, req.operation, req.entityID)
if err != nil {
return authorizeRes{authorized: false}, err
}
return authorizeRes{authorized: true}, nil
}
}
auth/api/grpc/auth/endpoint_test.go
+159 -190
View File
@@ -25,25 +25,14 @@ import (
const (
port = 8081
secret = "secret"
email = "test@example.com"
id = "testID"
clientsType = "clients"
usersType = "users"
description = "Description"
groupName = "smqx"
adminPermission = "admin"
authoritiesObj = "authorities"
memberRelation = "member"
loginDuration = 30 * time.Minute
refreshDuration = 24 * time.Hour
invalidDuration = 7 * 24 * time.Hour
validToken = "valid"
inValidToken = "invalid"
validPATToken = "valid"
inValidPATToken = "invalid"
validPolicy = "valid"
)
var (
@@ -73,6 +62,7 @@ func TestIdentify(t *testing.T) {
cases := []struct {
desc string
token string
key auth.Key
idt *grpcAuthV1.AuthNRes
svcErr error
err error
@@ -80,12 +70,14 @@ func TestIdentify(t *testing.T) {
{
desc: "authenticate user with valid user token",
token: validToken,
key: auth.Key{ID: "", Subject: id, Role: auth.UserRole},
idt: &grpcAuthV1.AuthNRes{UserId: id, UserRole: uint32(auth.UserRole)},
err: nil,
},
{
desc: "authenticate user with invalid user token",
token: "invalid",
key: auth.Key{},
idt: &grpcAuthV1.AuthNRes{},
svcErr: svcerr.ErrAuthentication,
err: svcerr.ErrAuthentication,
@@ -96,11 +88,26 @@ func TestIdentify(t *testing.T) {
idt: &grpcAuthV1.AuthNRes{},
err: apiutil.ErrBearerToken,
},
{
desc: "authenticate user with valid PAT token",
token: "pat_" + validPATToken,
key: auth.Key{ID: id, Type: auth.PersonalAccessToken, Subject: clientID, Role: auth.UserRole},
idt: &grpcAuthV1.AuthNRes{Id: id, UserId: clientID, UserRole: uint32(auth.UserRole)},
err: nil,
},
{
desc: "authenticate user with invalid PAT token",
token: "pat_invalid",
key: auth.Key{},
idt: &grpcAuthV1.AuthNRes{},
svcErr: svcerr.ErrAuthentication,
err: svcerr.ErrAuthentication,
},
}
for _, tc := range cases {
t.Run(tc.desc, func(t *testing.T) {
svcCall := svc.On("Identify", mock.Anything, mock.Anything).Return(auth.Key{Subject: id, Role: auth.UserRole}, tc.svcErr)
svcCall := svc.On("Identify", mock.Anything, tc.token).Return(tc.key, tc.svcErr)
idt, err := grpcClient.Authenticate(context.Background(), &grpcAuthV1.AuthNReq{Token: tc.token})
if idt != nil {
assert.Equal(t, tc.idt, idt, fmt.Sprintf("%s: expected %v got %v", tc.desc, tc.idt, idt))
@@ -129,12 +136,16 @@ func TestAuthorize(t *testing.T) {
desc: "authorize user with authorized token",
token: validToken,
authRequest: &grpcAuthV1.AuthZReq{
Subject: id,
SubjectType: usersType,
Object: authoritiesObj,
ObjectType: usersType,
Relation: memberRelation,
Permission: adminPermission,
AuthType: &grpcAuthV1.AuthZReq_Policy{
Policy: &grpcAuthV1.PolicyReq{
Subject: id,
SubjectType: usersType,
Object: authoritiesObj,
ObjectType: usersType,
Relation: memberRelation,
Permission: adminPermission,
},
},
},
authResponse: &grpcAuthV1.AuthZRes{Authorized: true},
err: nil,
@@ -143,12 +154,16 @@ func TestAuthorize(t *testing.T) {
desc: "authorize user with unauthorized token",
token: inValidToken,
authRequest: &grpcAuthV1.AuthZReq{
Subject: id,
SubjectType: usersType,
Object: authoritiesObj,
ObjectType: usersType,
Relation: memberRelation,
Permission: adminPermission,
AuthType: &grpcAuthV1.AuthZReq_Policy{
Policy: &grpcAuthV1.PolicyReq{
Subject: id,
SubjectType: usersType,
Object: authoritiesObj,
ObjectType: usersType,
Relation: memberRelation,
Permission: adminPermission,
},
},
},
authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
err: svcerr.ErrAuthorization,
@@ -157,12 +172,16 @@ func TestAuthorize(t *testing.T) {
desc: "authorize user with empty subject",
token: validToken,
authRequest: &grpcAuthV1.AuthZReq{
Subject: "",
SubjectType: usersType,
Object: authoritiesObj,
ObjectType: usersType,
Relation: memberRelation,
Permission: adminPermission,
AuthType: &grpcAuthV1.AuthZReq_Policy{
Policy: &grpcAuthV1.PolicyReq{
Subject: "",
SubjectType: usersType,
Object: authoritiesObj,
ObjectType: usersType,
Relation: memberRelation,
Permission: adminPermission,
},
},
},
authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
err: apiutil.ErrMissingPolicySub,
@@ -171,12 +190,16 @@ func TestAuthorize(t *testing.T) {
desc: "authorize user with empty subject type",
token: validToken,
authRequest: &grpcAuthV1.AuthZReq{
Subject: id,
SubjectType: "",
Object: authoritiesObj,
ObjectType: usersType,
Relation: memberRelation,
Permission: adminPermission,
AuthType: &grpcAuthV1.AuthZReq_Policy{
Policy: &grpcAuthV1.PolicyReq{
Subject: id,
SubjectType: "",
Object: authoritiesObj,
ObjectType: usersType,
Relation: memberRelation,
Permission: adminPermission,
},
},
},
authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
err: apiutil.ErrMissingPolicySub,
@@ -185,12 +208,16 @@ func TestAuthorize(t *testing.T) {
desc: "authorize user with empty object",
token: validToken,
authRequest: &grpcAuthV1.AuthZReq{
Subject: id,
SubjectType: usersType,
Object: "",
ObjectType: usersType,
Relation: memberRelation,
Permission: adminPermission,
AuthType: &grpcAuthV1.AuthZReq_Policy{
Policy: &grpcAuthV1.PolicyReq{
Subject: id,
SubjectType: usersType,
Object: "",
ObjectType: usersType,
Relation: memberRelation,
Permission: adminPermission,
},
},
},
authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
err: apiutil.ErrMissingPolicyObj,
@@ -199,12 +226,16 @@ func TestAuthorize(t *testing.T) {
desc: "authorize user with empty object type",
token: validToken,
authRequest: &grpcAuthV1.AuthZReq{
Subject: id,
SubjectType: usersType,
Object: authoritiesObj,
ObjectType: "",
Relation: memberRelation,
Permission: adminPermission,
AuthType: &grpcAuthV1.AuthZReq_Policy{
Policy: &grpcAuthV1.PolicyReq{
Subject: id,
SubjectType: usersType,
Object: authoritiesObj,
ObjectType: "",
Relation: memberRelation,
Permission: adminPermission,
},
},
},
authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
err: apiutil.ErrMissingPolicyObj,
@@ -213,16 +244,90 @@ func TestAuthorize(t *testing.T) {
desc: "authorize user with empty permission",
token: validToken,
authRequest: &grpcAuthV1.AuthZReq{
Subject: id,
SubjectType: usersType,
Object: authoritiesObj,
ObjectType: usersType,
Relation: memberRelation,
Permission: "",
AuthType: &grpcAuthV1.AuthZReq_Policy{
Policy: &grpcAuthV1.PolicyReq{
Subject: id,
SubjectType: usersType,
Object: authoritiesObj,
ObjectType: usersType,
Relation: memberRelation,
Permission: "",
},
},
},
authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
err: apiutil.ErrMalformedPolicyPer,
},
{
desc: "authorize user with valid PAT token",
token: validPATToken,
authRequest: &grpcAuthV1.AuthZReq{
AuthType: &grpcAuthV1.AuthZReq_Pat{
Pat: &grpcAuthV1.PATReq{
UserId: id,
PatId: id,
EntityType: uint32(auth.ClientsType),
OptionalDomainId: domainID,
Operation: uint32(auth.CreateOp),
EntityId: clientID,
},
},
},
authResponse: &grpcAuthV1.AuthZRes{Authorized: true},
err: nil,
},
{
desc: "authorize user with unauthorized PAT token",
token: inValidToken,
authRequest: &grpcAuthV1.AuthZReq{
AuthType: &grpcAuthV1.AuthZReq_Pat{
Pat: &grpcAuthV1.PATReq{
UserId: id,
PatId: id,
EntityType: uint32(auth.ClientsType),
OptionalDomainId: domainID,
Operation: uint32(auth.CreateOp),
EntityId: clientID,
},
},
},
authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
err: svcerr.ErrAuthorization,
},
{
desc: "authorize PAT with missing user id",
token: validPATToken,
authRequest: &grpcAuthV1.AuthZReq{
AuthType: &grpcAuthV1.AuthZReq_Pat{
Pat: &grpcAuthV1.PATReq{
PatId: id,
EntityType: uint32(auth.ClientsType),
OptionalDomainId: domainID,
Operation: uint32(auth.CreateOp),
EntityId: clientID,
},
},
},
authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
err: apiutil.ErrMissingUserID,
},
{
desc: "authorize PAT with missing entity id",
token: validPATToken,
authRequest: &grpcAuthV1.AuthZReq{
AuthType: &grpcAuthV1.AuthZReq_Pat{
Pat: &grpcAuthV1.PATReq{
UserId: id,
PatId: id,
EntityType: uint32(auth.ClientsType),
OptionalDomainId: domainID,
Operation: uint32(auth.CreateOp),
},
},
},
authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
err: apiutil.ErrMissingID,
},
}
for _, tc := range cases {
t.Run(tc.desc, func(t *testing.T) {
@@ -236,139 +341,3 @@ func TestAuthorize(t *testing.T) {
})
}
}
func TestIdentifyPAT(t *testing.T) {
conn, err := grpc.NewClient(authAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
assert.Nil(t, err, fmt.Sprintf("Unexpected error creating client connection %s", err))
defer conn.Close()
grpcClient := grpcapi.NewAuthClient(conn, time.Second)
cases := []struct {
desc string
token string
idt *grpcAuthV1.AuthNRes
svcErr error
err error
}{
{
desc: "authenticate user with valid user token",
token: validToken,
idt: &grpcAuthV1.AuthNRes{Id: id, UserId: clientID},
err: nil,
},
{
desc: "authenticate user with invalid user token",
token: "invalid",
idt: &grpcAuthV1.AuthNRes{},
svcErr: svcerr.ErrAuthentication,
err: svcerr.ErrAuthentication,
},
{
desc: "authenticate user with empty token",
token: "",
idt: &grpcAuthV1.AuthNRes{},
err: apiutil.ErrBearerToken,
},
}
for _, tc := range cases {
t.Run(tc.desc, func(t *testing.T) {
svcCall := svc.On("IdentifyPAT", mock.Anything, tc.token).Return(auth.PAT{ID: id, User: clientID, IssuedAt: time.Now()}, tc.svcErr)
idt, err := grpcClient.AuthenticatePAT(context.Background(), &grpcAuthV1.AuthNReq{Token: tc.token})
if idt != nil {
assert.Equal(t, tc.idt, idt, fmt.Sprintf("%s: expected %v got %v", tc.desc, tc.idt, idt))
}
assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
svcCall.Unset()
})
}
}
func TestAuthorizePAT(t *testing.T) {
conn, err := grpc.NewClient(authAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
assert.Nil(t, err, fmt.Sprintf("Unexpected error creating client connection %s", err))
defer conn.Close()
grpcClient := grpcapi.NewAuthClient(conn, time.Second)
cases := []struct {
desc string
token string
authRequest *grpcAuthV1.AuthZPatReq
authResponse *grpcAuthV1.AuthZRes
err error
}{
{
desc: "authorize user with authorized token",
token: validPATToken,
authRequest: &grpcAuthV1.AuthZPatReq{
UserId: id,
PatId: id,
EntityType: uint32(auth.ClientsType),
OptionalDomainId: domainID,
Operation: uint32(auth.CreateOp),
EntityId: clientID,
},
authResponse: &grpcAuthV1.AuthZRes{Authorized: true},
err: nil,
},
{
desc: "authorize user with unauthorized token",
token: inValidPATToken,
authRequest: &grpcAuthV1.AuthZPatReq{
UserId: id,
PatId: id,
EntityType: uint32(auth.ClientsType),
OptionalDomainId: domainID,
Operation: uint32(auth.CreateOp),
EntityId: clientID,
},
authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
err: svcerr.ErrAuthorization,
},
{
desc: "authorize user with missing user id",
token: validPATToken,
authRequest: &grpcAuthV1.AuthZPatReq{
PatId: id,
EntityType: uint32(auth.ClientsType),
OptionalDomainId: domainID,
Operation: uint32(auth.CreateOp),
EntityId: clientID,
},
authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
err: apiutil.ErrMissingUserID,
},
{
desc: "authorize user with missing pat id",
token: validPATToken,
authRequest: &grpcAuthV1.AuthZPatReq{
UserId: id,
EntityType: uint32(auth.ClientsType),
OptionalDomainId: domainID,
Operation: uint32(auth.CreateOp),
EntityId: clientID,
},
authResponse: &grpcAuthV1.AuthZRes{Authorized: false},
err: apiutil.ErrMissingPATID,
},
}
for _, tc := range cases {
t.Run(tc.desc, func(t *testing.T) {
svcCall := svc.On("AuthorizePAT",
mock.Anything,
tc.authRequest.UserId,
tc.authRequest.PatId,
mock.Anything,
tc.authRequest.OptionalDomainId,
mock.Anything,
mock.Anything,
mock.Anything).Return(tc.err)
ar, err := grpcClient.AuthorizePAT(context.Background(), tc.authRequest)
if ar != nil {
assert.Equal(t, tc.authResponse, ar, fmt.Sprintf("%s: expected %v got %v", tc.desc, tc.authResponse, ar))
}
assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
svcCall.Unset()
})
}
}
auth/api/grpc/auth/requests.go
+19 -19
View File
@@ -25,6 +25,7 @@ func (req authenticateReq) validate() error {
// 2. object - an entity over which action will be executed
// 3. action - type of action that will be executed (read/write).
type authReq struct {
TokenType uint32
Domain string
SubjectType string
SubjectKind string
@@ -33,9 +34,27 @@ type authReq struct {
Permission string
ObjectType string
Object string
// PAT authorization fields
UserID string
PatID string
EntityType auth.EntityType
OptionalDomainID string
Operation auth.Operation
EntityID string
}
func (req authReq) validate() error {
if req.PatID != "" {
if req.UserID == "" {
return apiutil.ErrMissingUserID
}
if req.EntityID == "" {
return apiutil.ErrMissingID
}
return nil
}
if req.Subject == "" || req.SubjectType == "" {
return apiutil.ErrMissingPolicySub
}
@@ -50,22 +69,3 @@ func (req authReq) validate() error {
return nil
}
type authPATReq struct {
userID string
patID string
entityType auth.EntityType
optionalDomainID string
operation auth.Operation
entityID string
}
func (req authPATReq) validate() error {
if req.userID == "" {
return apiutil.ErrMissingUserID
}
if req.patID == "" {
return apiutil.ErrMissingPATID
}
return nil
}
auth/api/grpc/auth/server.go
+27 -59
View File
@@ -16,10 +16,8 @@ var _ grpcAuthV1.AuthServiceServer = (*authGrpcServer)(nil)
type authGrpcServer struct {
grpcAuthV1.UnimplementedAuthServiceServer
authorize kitgrpc.Handler
authenticate kitgrpc.Handler
authenticatePAT kitgrpc.Handler
authorizePAT kitgrpc.Handler
authorize kitgrpc.Handler
authenticate kitgrpc.Handler
}
// NewAuthServer returns new AuthnServiceServer instance.
@@ -36,18 +34,6 @@ func NewAuthServer(svc auth.Service) grpcAuthV1.AuthServiceServer {
decodeAuthenticateRequest,
encodeAuthenticateResponse,
),
authenticatePAT: kitgrpc.NewServer(
(authenticatePATEndpoint(svc)),
decodeAuthenticateRequest,
encodeAuthenticatePATResponse,
),
authorizePAT: kitgrpc.NewServer(
(authorizePATEndpoint(svc)),
decodeAuthorizePATRequest,
encodeAuthorizeResponse,
),
}
}
@@ -59,14 +45,6 @@ func (s *authGrpcServer) Authenticate(ctx context.Context, req *grpcAuthV1.AuthN
return res.(*grpcAuthV1.AuthNRes), nil
}
func (s *authGrpcServer) AuthenticatePAT(ctx context.Context, req *grpcAuthV1.AuthNReq) (*grpcAuthV1.AuthNRes, error) {
_, res, err := s.authenticatePAT.ServeGRPC(ctx, req)
if err != nil {
return nil, grpcapi.EncodeError(err)
}
return res.(*grpcAuthV1.AuthNRes), nil
}
func (s *authGrpcServer) Authorize(ctx context.Context, req *grpcAuthV1.AuthZReq) (*grpcAuthV1.AuthZRes, error) {
_, res, err := s.authorize.ServeGRPC(ctx, req)
if err != nil {
@@ -85,46 +63,36 @@ func encodeAuthenticateResponse(_ context.Context, grpcRes any) (any, error) {
return &grpcAuthV1.AuthNRes{Id: res.id, UserId: res.userID, UserRole: uint32(res.userRole), Verified: res.verified}, nil
}
func encodeAuthenticatePATResponse(_ context.Context, grpcRes any) (any, error) {
res := grpcRes.(authenticateRes)
return &grpcAuthV1.AuthNRes{Id: res.id, UserId: res.userID, UserRole: uint32(res.userRole)}, nil
}
func decodeAuthorizeRequest(_ context.Context, grpcReq any) (any, error) {
req := grpcReq.(*grpcAuthV1.AuthZReq)
return authReq{
Domain: req.GetDomain(),
SubjectType: req.GetSubjectType(),
SubjectKind: req.GetSubjectKind(),
Subject: req.GetSubject(),
Relation: req.GetRelation(),
Permission: req.GetPermission(),
ObjectType: req.GetObjectType(),
Object: req.GetObject(),
}, nil
if policy := req.GetPolicy(); policy != nil {
return authReq{
TokenType: policy.GetTokenType(),
Domain: policy.GetDomain(),
SubjectType: policy.GetSubjectType(),
SubjectKind: policy.GetSubjectKind(),
Subject: policy.GetSubject(),
Relation: policy.GetRelation(),
Permission: policy.GetPermission(),
ObjectType: policy.GetObjectType(),
Object: policy.GetObject(),
}, nil
}
if pat := req.GetPat(); pat != nil {
return authReq{
UserID: pat.GetUserId(),
PatID: pat.GetPatId(),
EntityType: auth.EntityType(pat.GetEntityType()),
OptionalDomainID: pat.GetOptionalDomainId(),
Operation: auth.Operation(pat.GetOperation()),
EntityID: pat.GetEntityId(),
}, nil
}
return authReq{}, nil
}
func encodeAuthorizeResponse(_ context.Context, grpcRes any) (any, error) {
res := grpcRes.(authorizeRes)
return &grpcAuthV1.AuthZRes{Authorized: res.authorized, Id: res.id}, nil
}
func decodeAuthorizePATRequest(_ context.Context, grpcReq any) (any, error) {
req := grpcReq.(*grpcAuthV1.AuthZPatReq)
return authPATReq{
userID: req.GetUserId(),
patID: req.GetPatId(),
entityType: auth.EntityType(req.GetEntityType()),
optionalDomainID: req.GetOptionalDomainId(),
operation: auth.Operation(req.GetOperation()),
entityID: req.GetEntityId(),
}, nil
}
func (s *authGrpcServer) AuthorizePAT(ctx context.Context, req *grpcAuthV1.AuthZPatReq) (*grpcAuthV1.AuthZRes, error) {
_, res, err := s.authorizePAT.ServeGRPC(ctx, req)
if err != nil {
return nil, grpcapi.EncodeError(err)
}
return res.(*grpcAuthV1.AuthZRes), nil
}
auth/jwt/tokenizer.go
+5
View File
@@ -42,6 +42,7 @@ const (
oauthProviderField = "oauth_provider"
oauthAccessTokenField = "access_token"
oauthRefreshTokenField = "refresh_token"
patPrefix = "pat"
)
type tokenizer struct {
@@ -84,6 +85,10 @@ func (tok *tokenizer) Issue(key auth.Key) (string, error) {
}
func (tok *tokenizer) Parse(token string) (auth.Key, error) {
if len(token) >= 3 && token[:3] == patPrefix {
return auth.Key{Type: auth.PersonalAccessToken}, nil
}
tkn, err := tok.validateToken(token)
if err != nil {
return auth.Key{}, errors.Wrap(svcerr.ErrAuthentication, err)
auth/service.go
+13
View File
@@ -175,6 +175,12 @@ func (svc service) Identify(ctx context.Context, token string) (Key, error) {
}
switch key.Type {
case PersonalAccessToken:
res, err := svc.IdentifyPAT(ctx, token)
if err != nil {
return Key{}, err
}
return Key{ID: res.ID, Type: PersonalAccessToken, Subject: res.User, Role: res.Role}, nil
case RecoveryKey, AccessKey, InvitationKey, RefreshKey:
return key, nil
case APIKey:
@@ -189,6 +195,13 @@ func (svc service) Identify(ctx context.Context, token string) (Key, error) {
}
func (svc service) Authorize(ctx context.Context, pr policies.Policy) error {
if pr.PatID != "" && pr.TokenType == uint32(PersonalAccessToken) {
if err := svc.AuthorizePAT(ctx, pr.UserID, pr.PatID, EntityType(pr.EntityType), pr.OptionalDomainID, Operation(pr.Operation), pr.EntityID); err != nil {
return err
}
return nil
}
if err := svc.PolicyValidation(pr); err != nil {
return errors.Wrap(svcerr.ErrMalformedEntity, err)
}
internal/proto/auth/v1/auth.proto
+31 -24
View File
@@ -10,9 +10,7 @@ option go_package = "github.com/absmach/supermq/api/grpc/auth/v1";
// and authorization functionalities for SuperMQ services.
service AuthService {
rpc Authorize(AuthZReq) returns (AuthZRes) {}
rpc AuthorizePAT(AuthZPatReq) returns (AuthZRes) {}
rpc Authenticate(AuthNReq) returns (AuthNRes) {}
rpc AuthenticatePAT(AuthNReq) returns (AuthNRes) {}
}
@@ -21,31 +19,40 @@ message AuthNReq {
}
message AuthNRes {
string id = 1; // token id
string user_id = 2; // user id
uint32 user_role = 3; // user role
bool verified = 4; // verified user
string id = 1; // token id
string user_id = 2; // user id
uint32 user_role = 3; // user role
bool verified = 4; // verified user
uint32 token_type = 5; // token type
}
message PolicyReq {
uint32 token_type = 1; // Token type
string domain = 2; // Domain
string subject_type = 3; // Client or User
string subject_kind = 4; // ID or Token
string subject_relation = 5; // Subject relation
string subject = 6; // Subject value
string relation = 7; // Relation to filter
string permission = 8; // Action
string object = 9; // Object ID
string object_type = 10; // Client, User, Group
}
message PATReq {
string user_id = 1; // User id (PAT)
string pat_id = 2; // Pat id
uint32 entity_type = 3; // Entity type (PAT)
string optional_domain_id = 4; // Optional domain id (PAT)
uint32 operation = 5; // Operation (PAT)
string entity_id = 6; // EntityID (PAT)
}
message AuthZReq {
string domain = 1; // Domain
string subject_type = 2; // Client or User
string subject_kind = 3; // ID or Token
string subject_relation = 4; // Subject relation
string subject = 5; // Subject value (id or token, depending on kind)
string relation = 6; // Relation to filter
string permission = 7; // Action
string object = 8; // Object ID
string object_type = 9; // Client, User, Group
}
message AuthZPatReq {
string user_id = 1; // User id
string pat_id = 2; // Pat id
uint32 entity_type = 3; // Entity type
string optional_domain_id = 4; // Optional domain id
uint32 operation = 6; // Operation
string entity_id = 7; // EntityID
oneof auth_type {
PolicyReq policy = 1; // Policy-based authorization
PATReq pat = 2; // PAT authorization
}
}
message AuthZRes {
pkg/authn/authsvc/authn.go
+4 -8
View File
@@ -41,18 +41,14 @@ func NewAuthentication(ctx context.Context, cfg grpcclient.Config) (authn.Authen
}
func (a authentication) Authenticate(ctx context.Context, token string) (authn.Session, error) {
if strings.HasPrefix(token, patPrefix) {
res, err := a.authSvcClient.AuthenticatePAT(ctx, &grpcAuthV1.AuthNReq{Token: token})
if err != nil {
return authn.Session{}, errors.Wrap(errors.ErrAuthentication, err)
}
return authn.Session{Type: authn.PersonalAccessToken, PatID: res.GetId(), UserID: res.GetUserId(), Role: authn.Role(res.GetUserRole())}, nil
}
res, err := a.authSvcClient.Authenticate(ctx, &grpcAuthV1.AuthNReq{Token: token})
if err != nil {
return authn.Session{}, errors.Wrap(errors.ErrAuthentication, err)
}
if strings.HasPrefix(token, patPrefix) {
return authn.Session{Type: authn.PersonalAccessToken, PatID: res.GetId(), UserID: res.GetUserId(), Role: authn.Role(res.GetUserRole())}, nil
}
return authn.Session{Type: authn.AccessToken, UserID: res.GetUserId(), Role: authn.Role(res.GetUserRole()), Verified: res.GetVerified()}, nil
}
pkg/authz/authsvc/authz.go
+52 -32
View File
@@ -61,15 +61,19 @@ func (a authorization) Authorize(ctx context.Context, pr authz.PolicyReq) error
}
req := grpcAuthV1.AuthZReq{
Domain: pr.Domain,
SubjectType: pr.SubjectType,
SubjectKind: pr.SubjectKind,
SubjectRelation: pr.SubjectRelation,
Subject: pr.Subject,
Relation: pr.Relation,
Permission: pr.Permission,
Object: pr.Object,
ObjectType: pr.ObjectType,
AuthType: &grpcAuthV1.AuthZReq_Policy{
Policy: &grpcAuthV1.PolicyReq{
Domain: pr.Domain,
SubjectType: pr.SubjectType,
SubjectKind: pr.SubjectKind,
SubjectRelation: pr.SubjectRelation,
Subject: pr.Subject,
Relation: pr.Relation,
Permission: pr.Permission,
Object: pr.Object,
ObjectType: pr.ObjectType,
},
},
}
res, err := a.authSvcClient.Authorize(ctx, &req)
if err != nil {
@@ -90,31 +94,43 @@ func (a authorization) checkDomain(ctx context.Context, subjectType, subject, do
switch status {
case domains.FreezeStatus:
_, err := a.authSvcClient.Authorize(ctx, &grpcAuthV1.AuthZReq{
Subject: subject,
SubjectType: subjectType,
Permission: policies.AdminPermission,
Object: policies.SuperMQObject,
ObjectType: policies.PlatformType,
AuthType: &grpcAuthV1.AuthZReq_Policy{
Policy: &grpcAuthV1.PolicyReq{
Subject: subject,
SubjectType: subjectType,
Permission: policies.AdminPermission,
Object: policies.SuperMQObject,
ObjectType: policies.PlatformType,
},
},
})
return err
case domains.DisabledStatus:
_, err := a.authSvcClient.Authorize(ctx, &grpcAuthV1.AuthZReq{
Subject: subject,
SubjectType: subjectType,
Permission: policies.AdminPermission,
Object: domainID,
ObjectType: policies.DomainType,
AuthType: &grpcAuthV1.AuthZReq_Policy{
Policy: &grpcAuthV1.PolicyReq{
Subject: subject,
SubjectType: subjectType,
Permission: policies.AdminPermission,
Object: domainID,
ObjectType: policies.DomainType,
},
},
})
return err
case domains.EnabledStatus:
_, err := a.authSvcClient.Authorize(ctx, &grpcAuthV1.AuthZReq{
Subject: subject,
SubjectType: subjectType,
Permission: policies.MembershipPermission,
Object: domainID,
ObjectType: policies.DomainType,
AuthType: &grpcAuthV1.AuthZReq_Policy{
Policy: &grpcAuthV1.PolicyReq{
Subject: subject,
SubjectType: subjectType,
Permission: policies.MembershipPermission,
Object: domainID,
ObjectType: policies.DomainType,
},
},
})
return err
@@ -124,15 +140,19 @@ func (a authorization) checkDomain(ctx context.Context, subjectType, subject, do
}
func (a authorization) AuthorizePAT(ctx context.Context, pr authz.PatReq) error {
req := grpcAuthV1.AuthZPatReq{
UserId: pr.UserID,
PatId: pr.PatID,
EntityType: uint32(pr.EntityType),
OptionalDomainId: pr.OptionalDomainID,
Operation: uint32(pr.Operation),
EntityId: pr.EntityID,
req := grpcAuthV1.AuthZReq{
AuthType: &grpcAuthV1.AuthZReq_Pat{
Pat: &grpcAuthV1.PATReq{
UserId: pr.UserID,
PatId: pr.PatID,
EntityType: uint32(pr.EntityType),
OptionalDomainId: pr.OptionalDomainID,
Operation: uint32(pr.Operation),
EntityId: pr.EntityID,
},
},
}
res, err := a.authSvcClient.AuthorizePAT(ctx, &req)
res, err := a.authSvcClient.Authorize(ctx, &req)
if err != nil {
return errors.Wrap(errors.ErrAuthorization, err)
}
pkg/policies/service.go
+18
View File
@@ -9,6 +9,9 @@ import (
)
type Policy struct {
// TokenType contains the token type.
TokenType uint32 `json:"token_type,omitempty"`
// Domain contains the domain ID.
Domain string `json:"domain,omitempty"`
@@ -46,6 +49,21 @@ type Policy struct {
// Permission contains the permission. Supported permissions are admin, delete, edit, share, view,
// membership, create, admin_only, edit_only, view_only, membership_only, ext_admin, ext_edit, ext_view.
Permission string `json:"permission,omitempty"`
// PAT authorization fields
// UserID contains the user ID who owns the PAT.
UserID string `json:"user_id,omitempty"`
// PatID contains the personal access token ID.
PatID string `json:"pat_id,omitempty"`
// EntityType contains the entity type for PAT authorization.
EntityType uint32 `json:"entity_type,omitempty"`
// OptionalDomainID contains the optional domain ID for PAT scope checking.
OptionalDomainID string `json:"optional_domain_id,omitempty"`
// Operation contains the operation type for PAT authorization.
Operation uint32 `json:"operation,omitempty"`
// EntityID contains the entity ID for PAT authorization.
EntityID string `json:"entity_id,omitempty"`
}
func (pr Policy) String() string {