Steve Munene 9a3a07cd2e NOISSUE - Update Authorization method (#418)
* fix authorization

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>

* fetch supermq

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>

* address comments

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>

* fetch supermq

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>

---------

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
2026-03-02 12:55:07 +01:00


// Copyright (c) Abstract Machines
// SPDX-License-Identifier: Apache-2.0
package middleware
import (
"context"
"github.com/absmach/magistrala/re"
"github.com/absmach/supermq/pkg/authn"
smqauthz "github.com/absmach/supermq/pkg/authz"
"github.com/absmach/supermq/pkg/errors"
"github.com/absmach/supermq/pkg/messaging"
"github.com/absmach/supermq/pkg/permissions"
"github.com/absmach/supermq/pkg/policies"
)
var (
	// Sentinel errors returned by the middleware when the authorizer denies
	// an operation. Each one wraps the authorizer's own error (see the
	// errors.Wrap calls in the methods below) so the caller sees both the
	// operation family that was refused and the underlying reason.
	errDomainCreateRules = errors.New("not authorized to create rules in domain")
	errDomainViewRules   = errors.New("not authorized to view rules in domain")
	errDomainUpdateRules = errors.New("not authorized to update rules in domain")
	errDomainDeleteRules = errors.New("not authorized to delete rules in domain")
)
// authorizationMiddleware decorates a re.Service: every user-facing rule
// operation is checked against the session's domain permission before the
// call is forwarded to the wrapped service.
type authorizationMiddleware struct {
	svc   re.Service             // wrapped service that performs the actual work
	authz smqauthz.Authorization // policy evaluator consulted by authorize
}
// AuthorizationMiddleware adds authorization to the re service.
//
// The returned re.Service forwards every call to svc after consulting authz.
// This constructor currently never returns a non-nil error; a nil authz is
// not rejected here and would only surface when the first guarded method runs.
func AuthorizationMiddleware(svc re.Service, authz smqauthz.Authorization) (re.Service, error) {
	mw := authorizationMiddleware{svc: svc, authz: authz}
	return &mw, nil
}
// AddRule checks the OpAddRule permission on the session's domain and then
// delegates to the wrapped service.
//
// On denial the zero re.Rule is returned together with errDomainCreateRules
// wrapped around the authorizer's error.
func (am *authorizationMiddleware) AddRule(ctx context.Context, session authn.Session, r re.Rule) (re.Rule, error) {
	authErr := am.authorize(ctx, re.OpAddRule, session)
	if authErr == nil {
		return am.svc.AddRule(ctx, session, r)
	}
	// Fail closed: nothing reaches the service when the check fails.
	return re.Rule{}, errors.Wrap(errDomainCreateRules, authErr)
}
// ViewRule checks the OpViewRule permission on the session's domain and then
// delegates to the wrapped service.
//
// NOTE(review): authorize does not look at id; it only checks the session's
// domain-level permission. Whether the rule identified by id belongs to
// session.DomainID must be enforced by the wrapped service — confirm.
func (am *authorizationMiddleware) ViewRule(ctx context.Context, session authn.Session, id string) (re.Rule, error) {
	authErr := am.authorize(ctx, re.OpViewRule, session)
	if authErr == nil {
		return am.svc.ViewRule(ctx, session, id)
	}
	return re.Rule{}, errors.Wrap(errDomainViewRules, authErr)
}
// UpdateRule checks the OpUpdateRule permission on the session's domain and
// then delegates to the wrapped service.
//
// NOTE(review): only the session's domain permission is checked here; the
// domain membership of r itself is left to the wrapped service — confirm.
func (am *authorizationMiddleware) UpdateRule(ctx context.Context, session authn.Session, r re.Rule) (re.Rule, error) {
	authErr := am.authorize(ctx, re.OpUpdateRule, session)
	if authErr == nil {
		return am.svc.UpdateRule(ctx, session, r)
	}
	return re.Rule{}, errors.Wrap(errDomainUpdateRules, authErr)
}
// UpdateRuleTags checks the OpUpdateRuleTags permission on the session's
// domain and then delegates to the wrapped service.
//
// Denials are reported with errDomainUpdateRules, the same sentinel used by
// the other update-style operations.
func (am *authorizationMiddleware) UpdateRuleTags(ctx context.Context, session authn.Session, r re.Rule) (re.Rule, error) {
	authErr := am.authorize(ctx, re.OpUpdateRuleTags, session)
	if authErr == nil {
		return am.svc.UpdateRuleTags(ctx, session, r)
	}
	return re.Rule{}, errors.Wrap(errDomainUpdateRules, authErr)
}
// UpdateRuleSchedule checks the OpUpdateRuleSchedule permission on the
// session's domain and then delegates to the wrapped service.
//
// Denials are reported with errDomainUpdateRules, the same sentinel used by
// the other update-style operations.
func (am *authorizationMiddleware) UpdateRuleSchedule(ctx context.Context, session authn.Session, r re.Rule) (re.Rule, error) {
	authErr := am.authorize(ctx, re.OpUpdateRuleSchedule, session)
	if authErr == nil {
		return am.svc.UpdateRuleSchedule(ctx, session, r)
	}
	return re.Rule{}, errors.Wrap(errDomainUpdateRules, authErr)
}
// ListRules checks the OpListRules permission on the session's domain and
// then delegates to the wrapped service.
//
// A denial returns the zero re.Page with errDomainViewRules wrapped around
// the authorizer's error; pm is not inspected by this layer.
func (am *authorizationMiddleware) ListRules(ctx context.Context, session authn.Session, pm re.PageMeta) (re.Page, error) {
	authErr := am.authorize(ctx, re.OpListRules, session)
	if authErr == nil {
		return am.svc.ListRules(ctx, session, pm)
	}
	return re.Page{}, errors.Wrap(errDomainViewRules, authErr)
}
// RemoveRule checks the OpRemoveRule permission on the session's domain and
// then delegates to the wrapped service.
//
// NOTE(review): authorize does not look at id; whether the rule identified by
// id belongs to session.DomainID must be enforced by the wrapped service —
// confirm, since this is the destructive path.
func (am *authorizationMiddleware) RemoveRule(ctx context.Context, session authn.Session, id string) error {
	authErr := am.authorize(ctx, re.OpRemoveRule, session)
	if authErr == nil {
		return am.svc.RemoveRule(ctx, session, id)
	}
	return errors.Wrap(errDomainDeleteRules, authErr)
}
// EnableRule checks the OpEnableRule permission on the session's domain and
// then delegates to the wrapped service.
//
// Denials are reported with errDomainUpdateRules; enabling is treated as an
// update of the rule. authorize does not look at id — the wrapped service
// is expected to scope the rule to the session's domain (confirm).
func (am *authorizationMiddleware) EnableRule(ctx context.Context, session authn.Session, id string) (re.Rule, error) {
	authErr := am.authorize(ctx, re.OpEnableRule, session)
	if authErr == nil {
		return am.svc.EnableRule(ctx, session, id)
	}
	return re.Rule{}, errors.Wrap(errDomainUpdateRules, authErr)
}
// DisableRule checks the OpDisableRule permission on the session's domain and
// then delegates to the wrapped service.
//
// Denials are reported with errDomainUpdateRules; disabling is treated as an
// update of the rule. authorize does not look at id — the wrapped service
// is expected to scope the rule to the session's domain (confirm).
func (am *authorizationMiddleware) DisableRule(ctx context.Context, session authn.Session, id string) (re.Rule, error) {
	authErr := am.authorize(ctx, re.OpDisableRule, session)
	if authErr == nil {
		return am.svc.DisableRule(ctx, session, id)
	}
	return re.Rule{}, errors.Wrap(errDomainUpdateRules, authErr)
}
// StartScheduler forwards to the wrapped service without an authorization
// check: there is no caller session on this path. Presumably it is invoked
// by the process itself at startup rather than from a user request — confirm
// that it is not reachable from an external caller.
func (am *authorizationMiddleware) StartScheduler(ctx context.Context) error {
	err := am.svc.StartScheduler(ctx)
	return err
}
// Handle forwards an incoming message to the wrapped service without an
// authorization check: there is no caller session on this path. Presumably
// messages arrive from the broker and were authorized on publish — confirm
// that no user-controlled path reaches Handle directly.
func (am *authorizationMiddleware) Handle(msg *messaging.Message) error {
	err := am.svc.Handle(msg)
	return err
}
// Cancel forwards to the wrapped service without an authorization check;
// like StartScheduler it has no session parameter and is presumably a
// lifecycle hook rather than a user operation — confirm.
func (am *authorizationMiddleware) Cancel() error {
	err := am.svc.Cancel()
	return err
}
// authorize decides whether session may perform op within its domain.
//
// It resolves the permission name for op via re.GetPermission, builds a
// policy request whose subject is the domain user and whose object is the
// domain itself (the check is domain-scoped, not per rule), and — only when
// the session carries a personal access token — a PAT request for the same
// operation. Both are passed to the configured Authorization in one call;
// any non-nil error from it, or an unknown op, denies.
//
// NOTE(review): assumes the authorizer denies when session.DomainID or
// session.DomainUserID is empty rather than matching a wildcard — confirm.
func (am *authorizationMiddleware) authorize(ctx context.Context, op permissions.Operation, session authn.Session) error {
	perm, err := re.GetPermission(op)
	if err != nil {
		// Unknown operation: deny rather than guess a permission.
		return err
	}

	req := smqauthz.PolicyReq{
		Domain:      session.DomainID,
		SubjectType: policies.UserType,
		SubjectKind: policies.UsersKind,
		Subject:     session.DomainUserID,
		Object:      session.DomainID,
		ObjectType:  policies.DomainType,
		Permission:  perm,
	}

	// A PAT-authenticated session must additionally be checked against the
	// token's scope; sessions without a PAT pass a nil request.
	var pat *smqauthz.PATReq
	if patID := session.PatID; patID != "" {
		pat = &smqauthz.PATReq{
			UserID:     session.UserID,
			PatID:      patID,
			EntityID:   session.DomainID,
			EntityType: re.EntityType,
			Operation:  re.OperationName(op),
			Domain:     session.DomainID,
		}
	}

	return am.authz.Authorize(ctx, req, pat)
}