diff --git a/alarms/middleware/authorization.go b/alarms/middleware/authorization.go index fd75f97ca..49f2a77ab 100644 --- a/alarms/middleware/authorization.go +++ b/alarms/middleware/authorization.go @@ -56,7 +56,7 @@ func (am *authorizationMiddleware) UpdateAlarm(ctx context.Context, session auth Permission: policies.MembershipPermission, ObjectType: policies.DomainType, Object: session.DomainID, - }); err != nil { + }, nil); err != nil { return alarms.Alarm{}, err } } @@ -108,5 +108,22 @@ func (am *authorizationMiddleware) authorize(ctx context.Context, op permissions Permission: perm, } - return am.authz.Authorize(ctx, pr) + var pat *smqauthz.PATReq + if session.PatID != "" { + opName := alarms.OperationName(op) + pat = &smqauthz.PATReq{ + UserID: session.UserID, + PatID: session.PatID, + EntityID: session.DomainID, + EntityType: alarms.EntityType, + Operation: opName, + Domain: session.DomainID, + } + } + + if err := am.authz.Authorize(ctx, pr, pat); err != nil { + return err + } + + return nil } diff --git a/alarms/operations.go b/alarms/operations.go index 5ca9e8149..cb3ade574 100644 --- a/alarms/operations.go +++ b/alarms/operations.go @@ -9,6 +9,8 @@ import ( "github.com/absmach/supermq/pkg/policies" ) +const EntityType = "alarms" + const ( OpAddAlarm = iota OpViewAlarm @@ -17,6 +19,14 @@ const ( OpDeleteAlarm ) +const ( + OpAddAlarmStr = "OpAddAlarm" + OpViewAlarmStr = "OpViewAlarm" + OpListAlarmsStr = "OpListAlarms" + OpUpdateAlarmStr = "OpUpdateAlarm" + OpDeleteAlarmStr = "OpDeleteAlarm" +) + func GetPermission(op permissions.Operation) (string, error) { if op < OpAddAlarm || op > OpDeleteAlarm { return "", errors.New("invalid operation") 
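Review bot: The PAT request built in `authorize` sets `EntityID: session.DomainID` (and `Domain: session.DomainID`), so a personal-access-token scope for this service can only be evaluated at domain granularity and never against the particular alarm being viewed, updated or deleted; if per-alarm scoping is intended, the alarm ID would have to reach this helper, which its visible signature does not carry. The same construction is repeated in the `authorize` hunks of re/middleware/authorization.go and reports/middleware/authorization.go, so whatever is decided here applies to all three. As a point of style, the new tail `if err := am.authz.Authorize(ctx, pr, pat); err != nil { return err }` followed by `return nil` adds nothing over the removed one-liner and can be `return am.authz.Authorize(ctx, pr, pat)`. The start of `authorize`, including where `perm` comes from, is outside the hunk.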
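Review bot: `EntityType` and the new `Op*Str` constants in alarms/operations.go are exported but carry no doc comment, and `EntityType` in particular is a string that an external authorizer matches against PAT scopes, so its meaning should be stated where it is defined. Suggested: `// EntityType is the entity type name sent in PAT scope requests for alarm operations.` above the constant, and `// Op*Str are the operation names sent in PAT scope requests; see OperationName.` above the string block. The same omission applies to the `EntityType` constants added in re/operations.go and reports/operations.go and to the `Op*Str` block in reports/operations.go.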
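Review bot: Both bootstrap call sites now pass `nil` as the PAT request, so a session authenticated with a personal access token is never checked against its PAT scope in this service, whereas alarms, re and reports build a `PATReq` whenever `session.PatID != ""`. That may be deliberate, since `checkSuperAdmin` and `authorize` here receive `adminID` and subject fields rather than a session, but the asymmetry is security-relevant and should be recorded at the call, e.g. `// No PAT scope is enforced in bootstrap; nil means only the policy check applies.` above `am.authz.Authorize(ctx, req, nil)`. If it is not deliberate, the caller would need to pass the session through so a `PATReq` can be built as in the other services. Both enclosing functions start outside their hunks.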
@@ -28,3 +38,20 @@ func GetPermission(op permissions.Operation) (string, error) { return policies.MembershipPermission, nil } + +func OperationName(op permissions.Operation) string { + switch op { + case OpAddAlarm: + return OpAddAlarmStr + case OpViewAlarm: + return OpViewAlarmStr + case OpListAlarms: + return OpListAlarmsStr + case OpUpdateAlarm: + return OpUpdateAlarmStr + case OpDeleteAlarm: + return OpDeleteAlarmStr + default: + return "unknown" + } +} diff --git a/bootstrap/middleware/authorization.go b/bootstrap/middleware/authorization.go index 2c5227069..5c790a442 100644 --- a/bootstrap/middleware/authorization.go +++ b/bootstrap/middleware/authorization.go @@ -127,7 +127,7 @@ func (am *authorizationMiddleware) checkSuperAdmin(ctx context.Context, adminID Permission: policies.AdminPermission, ObjectType: policies.PlatformType, Object: policies.SuperMQObject, - }); err != nil { + }, nil); err != nil { return err } return nil @@ -143,7 +143,7 @@ func (am *authorizationMiddleware) authorize(ctx context.Context, domain, subjTy ObjectType: objType, Object: obj, } - if err := am.authz.Authorize(ctx, req); err != nil { + if err := am.authz.Authorize(ctx, req, nil); err != nil { return err } return nil diff --git a/docker/supermq-docker/Dockerfile b/docker/supermq-docker/Dockerfile index b7b4ed096..7d292a60b 100644 --- a/docker/supermq-docker/Dockerfile +++ b/docker/supermq-docker/Dockerfile @@ -1,7 +1,7 @@ # Copyright (c) Abstract Machines # SPDX-License-Identifier: Apache-2.0 -FROM golang:1.25.7-alpine3.22 AS builder +FROM golang:1.26.0-alpine3.22 AS builder ARG SVC ARG GOARCH ARG GOARM diff --git a/go.mod b/go.mod index d156a9f42..8cad27619 100644 --- a/go.mod +++ b/go.mod 
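Review bot: `OperationName` returns the literal `"unknown"` for any operation outside its switch, so an operation that `GetPermission` would reject, or a newly added one that is not yet mapped here, is still forwarded to the authorizer as a PAT operation named `unknown` rather than failing closed. Returning `(string, error)` in the same shape as `GetPermission`, with `default: return "", errors.New("invalid operation")`, lets `authorize` refuse the request instead of sending an unrecognised name. The identical `default` branch appears in `OperationName` of re/operations.go and reports/operations.go. The function also lacks a doc comment; with the current behaviour it would read `// OperationName returns the name of op used in PAT scope requests, or "unknown" for an unmapped op.`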
@@ -6,7 +6,7 @@ require (
 github.com/0x6flab/namegenerator v1.4.0
 github.com/absmach/callhome v0.18.2
 github.com/absmach/certs v0.18.5
- github.com/absmach/supermq v0.18.6-0.20260210121246-e3a3e052d283
+ github.com/absmach/supermq v0.18.6-0.20260226153547-15a6c026e943
 github.com/authzed/authzed-go v1.8.0
 github.com/authzed/grpcutil v0.0.0-20250221190651-1985b19b35b8
 github.com/caarlos0/env/v11 v11.4.0
@@ -95,7 +95,7 @@ require (
 github.com/jackc/puddle/v2 v2.2.2 // indirect
 github.com/jzelinskie/stringz v0.0.3 // indirect
 github.com/klauspost/compress v1.18.1 // indirect
- github.com/lib/pq v1.11.1 // indirect
+ github.com/lib/pq v1.11.2 // indirect
 github.com/mattn/go-colorable v0.1.14 // indirect
 github.com/mattn/go-isatty v0.0.20 // indirect
 github.com/mattn/go-sqlite3 v1.14.32 // indirect
diff --git a/go.sum b/go.sum
index fb16e22cf..7067e6b60 100644
--- a/go.sum
+++ b/go.sum
@@ -30,8 +30,8 @@ github.com/absmach/mgate v0.5.0 h1:RV2Aalra3xIm+XTs13TM7iE7v4WTL2SKhKcPbKr22Ac=
 github.com/absmach/mgate v0.5.0/go.mod h1:0KVq7mxM0wayosmyXPPxp1EL0c2d9kRp5V8NZCKdetA=
 github.com/absmach/senml v1.0.8 h1:+opem/r4g6c6eA/JLyCIuksyEhj7eBdysY3pEmy1mqo=
 github.com/absmach/senml v1.0.8/go.mod h1:DRhzHLgvQoIUHroBgpFrSWso+bJZO9E96RlHAHy+VRI=
-github.com/absmach/supermq v0.18.6-0.20260210121246-e3a3e052d283 h1:N6Nm4L+o6sEXfmRoQA3G904F1GuZ5OqIvYcUYVq7erY=
-github.com/absmach/supermq v0.18.6-0.20260210121246-e3a3e052d283/go.mod h1:TwnZrRd60FjzcZFJPxGbp3DH2khJ48hoG2n/jtEPutk=
+github.com/absmach/supermq v0.18.6-0.20260226153547-15a6c026e943 h1:DbQ0t46WNqMVHcks8D4XcMIYU3m5lZ6hmbhr2Wcln+Y=
+github.com/absmach/supermq v0.18.6-0.20260226153547-15a6c026e943/go.mod h1:VLInclhsnLm/mo1qng3ac7T0bJnteqH/y2mPxML6H+4=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
@@ -324,8 +324,8 @@ github.com/lib/pq v1.1.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
-github.com/lib/pq v1.11.1 h1:wuChtj2hfsGmmx3nf1m7xC2XpK6OtelS2shMY+bGMtI=
-github.com/lib/pq v1.11.1/go.mod h1:/p+8NSbOcwzAEI7wiMXFlgydTwcgTr3OSKMsD2BitpA=
+github.com/lib/pq v1.11.2 h1:x6gxUeu39V0BHZiugWe8LXZYZ+Utk7hSJGThs8sdzfs=
+github.com/lib/pq v1.11.2/go.mod h1:/p+8NSbOcwzAEI7wiMXFlgydTwcgTr3OSKMsD2BitpA=
 github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ=
 github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
 github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
@@ -385,8 +385,8 @@ github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3v
 github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
 github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
-github.com/pion/dtls/v3 v3.0.10 h1:k9ekkq1kaZoxnNEbyLKI8DI37j/Nbk1HWmMuywpQJgg=
-github.com/pion/dtls/v3 v3.0.10/go.mod h1:YEmmBYIoBsY3jmG56dsziTv/Lca9y4Om83370CXfqJ8=
+github.com/pion/dtls/v3 v3.1.2 h1:gqEdOUXLtCGW+afsBLO0LtDD8GnuBBjEy6HRtyofZTc=
+github.com/pion/dtls/v3 v3.1.2/go.mod h1:Hw/igcX4pdY69z1Hgv5x7wJFrUkdgHwAn/Q/uo7YHRo=
 github.com/pion/logging v0.2.4 h1:tTew+7cmQ+Mc1pTBLKH2puKsOvhm32dROumOZ655zB8=
 github.com/pion/logging v0.2.4/go.mod h1:DffhXTKYdNZU+KtJ5pyQDjvOAh/GsNSyv1lbkFbe3so=
 github.com/pion/transport/v4 v4.0.1 h1:sdROELU6BZ63Ab7FrOLn13M6YdJLY20wldXW2Cu2k8o=
diff --git a/re/middleware/authorization.go b/re/middleware/authorization.go index f322e7215..bdebdd35f 100644 --- a/re/middleware/authorization.go +++ b/re/middleware/authorization.go @@ -126,7 +126,6 @@ func (am *authorizationMiddleware) authorize(ctx context.Context, op permissions } pr := smqauthz.PolicyReq{ - UserID: session.UserID, Domain: session.DomainID, SubjectType: policies.UserType, SubjectKind: policies.UsersKind, @@ -136,5 +135,22 @@ func (am *authorizationMiddleware) authorize(ctx context.Context, op permissions Permission: perm, } - return am.authz.Authorize(ctx, pr) + var pat *smqauthz.PATReq + if session.PatID != "" { + opName := re.OperationName(op) + pat = &smqauthz.PATReq{ + UserID: session.UserID, + PatID: session.PatID, + EntityID: session.DomainID, + EntityType: re.EntityType, + Operation: opName, + Domain: session.DomainID, + } + } + + if err := am.authz.Authorize(ctx, pr, pat); err != nil { + return err + } + + return nil } diff --git a/re/operations.go b/re/operations.go index fbd0b9dd5..8ca795a54 100644 --- a/re/operations.go +++ b/re/operations.go @@ -9,6 +9,8 @@ import ( "github.com/absmach/supermq/pkg/policies" ) +const EntityType = "rules" + const ( OpAddRule permissions.Operation = iota OpViewRule @@ -39,3 +41,28 @@ func GetPermission(op permissions.Operation) (string, error) { } return policies.MembershipPermission, nil } + +func OperationName(op permissions.Operation) string { + switch op { + case OpAddRule: + return OpAddRuleStr + case OpViewRule: + return OpViewRuleStr + case OpUpdateRule: + return OpUpdateRuleStr + case OpUpdateRuleTags: + return OpUpdateRuleTagsStr + case OpUpdateRuleSchedule: + return OpUpdateRuleScheduleStr + case OpListRules: + return OpListRulesStr + case OpRemoveRule: + return OpRemoveRuleStr + case OpEnableRule: + return OpEnableRuleStr + case OpDisableRule: + return OpDisableRuleStr + default: + return "unknown" + } +} 
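Review bot: The first re/middleware hunk drops `UserID: session.UserID` from the `PolicyReq` literal in `authorize`, but the corresponding alarms and reports `authorize` hunks in this commit show no such removal, so if those requests still carry `UserID` the three services now send differently shaped policy requests for the same membership check. If the field has become unused in the updated supermq policy API, removing it from the other two keeps them aligned; if it is still consulted, the line should be restored here, `UserID: session.UserID,`. The remainder of the literal and the start of `authorize` are outside the hunk, so this cannot be confirmed from the diff alone.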
diff --git a/reports/middleware/authorization.go b/reports/middleware/authorization.go index f8ecf8521..d91370f1c 100644 --- a/reports/middleware/authorization.go +++ b/reports/middleware/authorization.go @@ -155,5 +155,22 @@ func (am *authorizationMiddleware) authorize(ctx context.Context, op permissions Permission: perm, } - return am.authz.Authorize(ctx, pr) + var pat *smqauthz.PATReq + if session.PatID != "" { + opName := reports.OperationName(op) + pat = &smqauthz.PATReq{ + UserID: session.UserID, + PatID: session.PatID, + EntityID: session.DomainID, + EntityType: reports.EntityType, + Operation: opName, + Domain: session.DomainID, + } + } + + if err := am.authz.Authorize(ctx, pr, pat); err != nil { + return err + } + + return nil } diff --git a/reports/operations.go b/reports/operations.go index 3ea0afcb6..de03f8569 100644 --- a/reports/operations.go +++ b/reports/operations.go @@ -9,6 +9,8 @@ import ( "github.com/absmach/supermq/pkg/policies" ) +const EntityType = "reports" + const ( OpAddReportConfig = iota OpViewReportConfig 
@@ -24,9 +26,55 @@ const ( OpDeleteReportTemplate ) +const ( + OpAddReportConfigStr = "OpAddReportConfig" + OpViewReportConfigStr = "OpViewReportConfig" + OpUpdateReportConfigStr = "OpUpdateReportConfig" + OpUpdateReportScheduleStr = "OpUpdateReportSchedule" + OpRemoveReportConfigStr = "OpRemoveReportConfig" + OpListReportsConfigStr = "OpListReportsConfig" + OpEnableReportConfigStr = "OpEnableReportConfig" + OpDisableReportConfigStr = "OpDisableReportConfig" + OpGenerateReportStr = "OpGenerateReport" + OpUpdateReportTemplateStr = "OpUpdateReportTemplate" + OpViewReportTemplateStr = "OpViewReportTemplate" + OpDeleteReportTemplateStr = "OpDeleteReportTemplate" +) + func GetPermission(op permissions.Operation) (string, error) { if op < OpAddReportConfig || op > OpDeleteReportTemplate { return "", errors.New("invalid operation") } return policies.MembershipPermission, nil } + +func OperationName(op permissions.Operation) string { + switch op { + case OpAddReportConfig: + return OpAddReportConfigStr + case OpViewReportConfig: + return OpViewReportConfigStr + case OpUpdateReportConfig: + return OpUpdateReportConfigStr + case OpUpdateReportSchedule: + return OpUpdateReportScheduleStr + case OpRemoveReportConfig: + return OpRemoveReportConfigStr + case OpListReportsConfig: + return OpListReportsConfigStr + case OpEnableReportConfig: + return OpEnableReportConfigStr + case OpDisableReportConfig: + return OpDisableReportConfigStr + case OpGenerateReport: + return OpGenerateReportStr + case OpUpdateReportTemplate: + return OpUpdateReportTemplateStr + case OpViewReportTemplate: + return OpViewReportTemplateStr + case OpDeleteReportTemplate: + return OpDeleteReportTemplateStr + default: + return "unknown" + } +}