NOISSUE - Update Authorization method (#418)

* fix authorization Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * fetch supermq Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * address comments Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> * fetch supermq Signed-off-by: nyagamunene <stevenyaga2014@gmail.com> --------- Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
2026-06-23 02:10:17 +00:00 · 2026-03-02 14:55:07 +03:00
parent 28e809b9d8
commit 9a3a07cd2e
10 changed files with 168 additions and 16 deletions
@@ -56,7 +56,7 @@ func (am *authorizationMiddleware) UpdateAlarm(ctx context.Context, session auth
 			Permission:  policies.MembershipPermission,
 			ObjectType:  policies.DomainType,
 			Object:      session.DomainID,
-		}); err != nil {
+		}, nil); err != nil {
 			return alarms.Alarm{}, err
 		}
 	}
@@ -108,5 +108,22 @@ func (am *authorizationMiddleware) authorize(ctx context.Context, op permissions
 		Permission:  perm,
 	}

-	return am.authz.Authorize(ctx, pr)
+	var pat *smqauthz.PATReq
+	if session.PatID != "" {
+		opName := alarms.OperationName(op)
+		pat = &smqauthz.PATReq{
+			UserID:     session.UserID,
+			PatID:      session.PatID,
+			EntityID:   session.DomainID,
+			EntityType: alarms.EntityType,
+			Operation:  opName,
+			Domain:     session.DomainID,
+		}
+	}
+
+	if err := am.authz.Authorize(ctx, pr, pat); err != nil {
+		return err
+	}
+
+	return nil
 }
@@ -9,6 +9,8 @@ import (
 	"github.com/absmach/supermq/pkg/policies"
 )

+const EntityType = "alarms"
+
 const (
 	OpAddAlarm = iota
 	OpViewAlarm
@@ -17,6 +19,14 @@ const (
 	OpDeleteAlarm
 )

+const (
+	OpAddAlarmStr    = "OpAddAlarm"
+	OpViewAlarmStr   = "OpViewAlarm"
+	OpListAlarmsStr  = "OpListAlarms"
+	OpUpdateAlarmStr = "OpUpdateAlarm"
+	OpDeleteAlarmStr = "OpDeleteAlarm"
+)
+
 func GetPermission(op permissions.Operation) (string, error) {
 	if op < OpAddAlarm || op > OpDeleteAlarm {
 		return "", errors.New("invalid operation")
@@ -28,3 +38,20 @@ func GetPermission(op permissions.Operation) (string, error) {

 	return policies.MembershipPermission, nil
 }
+
+func OperationName(op permissions.Operation) string {
+	switch op {
+	case OpAddAlarm:
+		return OpAddAlarmStr
+	case OpViewAlarm:
+		return OpViewAlarmStr
+	case OpListAlarms:
+		return OpListAlarmsStr
+	case OpUpdateAlarm:
+		return OpUpdateAlarmStr
+	case OpDeleteAlarm:
+		return OpDeleteAlarmStr
+	default:
+		return "unknown"
+	}
+}
@@ -127,7 +127,7 @@ func (am *authorizationMiddleware) checkSuperAdmin(ctx context.Context, adminID
 		Permission:  policies.AdminPermission,
 		ObjectType:  policies.PlatformType,
 		Object:      policies.SuperMQObject,
-	}); err != nil {
+	}, nil); err != nil {
 		return err
 	}
 	return nil
@@ -143,7 +143,7 @@ func (am *authorizationMiddleware) authorize(ctx context.Context, domain, subjTy
 		ObjectType:  objType,
 		Object:      obj,
 	}
-	if err := am.authz.Authorize(ctx, req); err != nil {
+	if err := am.authz.Authorize(ctx, req, nil); err != nil {
 		return err
 	}
 	return nil
@@ -1,7 +1,7 @@
 # Copyright (c) Abstract Machines
 # SPDX-License-Identifier: Apache-2.0

-FROM golang:1.25.7-alpine3.22 AS builder
+FROM golang:1.26.0-alpine3.22 AS builder
 ARG SVC
 ARG GOARCH
 ARG GOARM
@@ -6,7 +6,7 @@ require (
 	github.com/0x6flab/namegenerator v1.4.0
 	github.com/absmach/callhome v0.18.2
 	github.com/absmach/certs v0.18.5
-	github.com/absmach/supermq v0.18.6-0.20260210121246-e3a3e052d283
+	github.com/absmach/supermq v0.18.6-0.20260226153547-15a6c026e943
 	github.com/authzed/authzed-go v1.8.0
 	github.com/authzed/grpcutil v0.0.0-20250221190651-1985b19b35b8
 	github.com/caarlos0/env/v11 v11.4.0
@@ -95,7 +95,7 @@ require (
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jzelinskie/stringz v0.0.3 // indirect
 	github.com/klauspost/compress v1.18.1 // indirect
-	github.com/lib/pq v1.11.1 // indirect
+	github.com/lib/pq v1.11.2 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-sqlite3 v1.14.32 // indirect
@@ -30,8 +30,8 @@ github.com/absmach/mgate v0.5.0 h1:RV2Aalra3xIm+XTs13TM7iE7v4WTL2SKhKcPbKr22Ac=
 github.com/absmach/mgate v0.5.0/go.mod h1:0KVq7mxM0wayosmyXPPxp1EL0c2d9kRp5V8NZCKdetA=
 github.com/absmach/senml v1.0.8 h1:+opem/r4g6c6eA/JLyCIuksyEhj7eBdysY3pEmy1mqo=
 github.com/absmach/senml v1.0.8/go.mod h1:DRhzHLgvQoIUHroBgpFrSWso+bJZO9E96RlHAHy+VRI=
-github.com/absmach/supermq v0.18.6-0.20260210121246-e3a3e052d283 h1:N6Nm4L+o6sEXfmRoQA3G904F1GuZ5OqIvYcUYVq7erY=
-github.com/absmach/supermq v0.18.6-0.20260210121246-e3a3e052d283/go.mod h1:TwnZrRd60FjzcZFJPxGbp3DH2khJ48hoG2n/jtEPutk=
+github.com/absmach/supermq v0.18.6-0.20260226153547-15a6c026e943 h1:DbQ0t46WNqMVHcks8D4XcMIYU3m5lZ6hmbhr2Wcln+Y=
+github.com/absmach/supermq v0.18.6-0.20260226153547-15a6c026e943/go.mod h1:VLInclhsnLm/mo1qng3ac7T0bJnteqH/y2mPxML6H+4=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
@@ -324,8 +324,8 @@ github.com/lib/pq v1.1.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
-github.com/lib/pq v1.11.1 h1:wuChtj2hfsGmmx3nf1m7xC2XpK6OtelS2shMY+bGMtI=
-github.com/lib/pq v1.11.1/go.mod h1:/p+8NSbOcwzAEI7wiMXFlgydTwcgTr3OSKMsD2BitpA=
+github.com/lib/pq v1.11.2 h1:x6gxUeu39V0BHZiugWe8LXZYZ+Utk7hSJGThs8sdzfs=
+github.com/lib/pq v1.11.2/go.mod h1:/p+8NSbOcwzAEI7wiMXFlgydTwcgTr3OSKMsD2BitpA=
 github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ=
 github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
 github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
@@ -385,8 +385,8 @@ github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3v
 github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
 github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
-github.com/pion/dtls/v3 v3.0.10 h1:k9ekkq1kaZoxnNEbyLKI8DI37j/Nbk1HWmMuywpQJgg=
-github.com/pion/dtls/v3 v3.0.10/go.mod h1:YEmmBYIoBsY3jmG56dsziTv/Lca9y4Om83370CXfqJ8=
+github.com/pion/dtls/v3 v3.1.2 h1:gqEdOUXLtCGW+afsBLO0LtDD8GnuBBjEy6HRtyofZTc=
+github.com/pion/dtls/v3 v3.1.2/go.mod h1:Hw/igcX4pdY69z1Hgv5x7wJFrUkdgHwAn/Q/uo7YHRo=
 github.com/pion/logging v0.2.4 h1:tTew+7cmQ+Mc1pTBLKH2puKsOvhm32dROumOZ655zB8=
 github.com/pion/logging v0.2.4/go.mod h1:DffhXTKYdNZU+KtJ5pyQDjvOAh/GsNSyv1lbkFbe3so=
 github.com/pion/transport/v4 v4.0.1 h1:sdROELU6BZ63Ab7FrOLn13M6YdJLY20wldXW2Cu2k8o=
@@ -126,7 +126,6 @@ func (am *authorizationMiddleware) authorize(ctx context.Context, op permissions
 	}

 	pr := smqauthz.PolicyReq{
-		UserID:      session.UserID,
 		Domain:      session.DomainID,
 		SubjectType: policies.UserType,
 		SubjectKind: policies.UsersKind,
@@ -136,5 +135,22 @@ func (am *authorizationMiddleware) authorize(ctx context.Context, op permissions
 		Permission:  perm,
 	}

-	return am.authz.Authorize(ctx, pr)
+	var pat *smqauthz.PATReq
+	if session.PatID != "" {
+		opName := re.OperationName(op)
+		pat = &smqauthz.PATReq{
+			UserID:     session.UserID,
+			PatID:      session.PatID,
+			EntityID:   session.DomainID,
+			EntityType: re.EntityType,
+			Operation:  opName,
+			Domain:     session.DomainID,
+		}
+	}
+
+	if err := am.authz.Authorize(ctx, pr, pat); err != nil {
+		return err
+	}
+
+	return nil
 }
@@ -9,6 +9,8 @@ import (
 	"github.com/absmach/supermq/pkg/policies"
 )

+const EntityType = "rules"
+
 const (
 	OpAddRule permissions.Operation = iota
 	OpViewRule
@@ -39,3 +41,28 @@ func GetPermission(op permissions.Operation) (string, error) {
 	}
 	return policies.MembershipPermission, nil
 }
+
+func OperationName(op permissions.Operation) string {
+	switch op {
+	case OpAddRule:
+		return OpAddRuleStr
+	case OpViewRule:
+		return OpViewRuleStr
+	case OpUpdateRule:
+		return OpUpdateRuleStr
+	case OpUpdateRuleTags:
+		return OpUpdateRuleTagsStr
+	case OpUpdateRuleSchedule:
+		return OpUpdateRuleScheduleStr
+	case OpListRules:
+		return OpListRulesStr
+	case OpRemoveRule:
+		return OpRemoveRuleStr
+	case OpEnableRule:
+		return OpEnableRuleStr
+	case OpDisableRule:
+		return OpDisableRuleStr
+	default:
+		return "unknown"
+	}
+}
@@ -155,5 +155,22 @@ func (am *authorizationMiddleware) authorize(ctx context.Context, op permissions
 		Permission:  perm,
 	}

-	return am.authz.Authorize(ctx, pr)
+	var pat *smqauthz.PATReq
+	if session.PatID != "" {
+		opName := reports.OperationName(op)
+		pat = &smqauthz.PATReq{
+			UserID:     session.UserID,
+			PatID:      session.PatID,
+			EntityID:   session.DomainID,
+			EntityType: reports.EntityType,
+			Operation:  opName,
+			Domain:     session.DomainID,
+		}
+	}
+
+	if err := am.authz.Authorize(ctx, pr, pat); err != nil {
+		return err
+	}
+
+	return nil
 }
@@ -9,6 +9,8 @@ import (
 	"github.com/absmach/supermq/pkg/policies"
 )

+const EntityType = "reports"
+
 const (
 	OpAddReportConfig = iota
 	OpViewReportConfig
@@ -24,9 +26,55 @@ const (
 	OpDeleteReportTemplate
 )

+const (
+	OpAddReportConfigStr      = "OpAddReportConfig"
+	OpViewReportConfigStr     = "OpViewReportConfig"
+	OpUpdateReportConfigStr   = "OpUpdateReportConfig"
+	OpUpdateReportScheduleStr = "OpUpdateReportSchedule"
+	OpRemoveReportConfigStr   = "OpRemoveReportConfig"
+	OpListReportsConfigStr    = "OpListReportsConfig"
+	OpEnableReportConfigStr   = "OpEnableReportConfig"
+	OpDisableReportConfigStr  = "OpDisableReportConfig"
+	OpGenerateReportStr       = "OpGenerateReport"
+	OpUpdateReportTemplateStr = "OpUpdateReportTemplate"
+	OpViewReportTemplateStr   = "OpViewReportTemplate"
+	OpDeleteReportTemplateStr = "OpDeleteReportTemplate"
+)
+
 func GetPermission(op permissions.Operation) (string, error) {
 	if op < OpAddReportConfig || op > OpDeleteReportTemplate {
 		return "", errors.New("invalid operation")
 	}
 	return policies.MembershipPermission, nil
 }
+
+func OperationName(op permissions.Operation) string {
+	switch op {
+	case OpAddReportConfig:
+		return OpAddReportConfigStr
+	case OpViewReportConfig:
+		return OpViewReportConfigStr
+	case OpUpdateReportConfig:
+		return OpUpdateReportConfigStr
+	case OpUpdateReportSchedule:
+		return OpUpdateReportScheduleStr
+	case OpRemoveReportConfig:
+		return OpRemoveReportConfigStr
+	case OpListReportsConfig:
+		return OpListReportsConfigStr
+	case OpEnableReportConfig:
+		return OpEnableReportConfigStr
+	case OpDisableReportConfig:
+		return OpDisableReportConfigStr
+	case OpGenerateReport:
+		return OpGenerateReportStr
+	case OpUpdateReportTemplate:
+		return OpUpdateReportTemplateStr
+	case OpViewReportTemplate:
+		return OpViewReportTemplateStr
+	case OpDeleteReportTemplate:
+		return OpDeleteReportTemplateStr
+	default:
+		return "unknown"
+	}
+}