feat(auth): delete policies in one req

Signed-off-by: Rodney Osodo <[email protected]>
absmach · Jun 27, 2024 · 1854625 · 1854625
1 parent e47a3fa
commit 1854625
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 76 deletions.
diff --git a/auth/service.go b/auth/service.go
@@ -1008,30 +1008,12 @@ func DecodeDomainUserID(domainUserID string) (string, string) {
 func (svc service) DeleteEntityPolicies(ctx context.Context, entityType, id string) (err error) {
 	switch entityType {
 	case ThingType:
-		// Remove policy of groups
 		req := PolicyReq{
-			SubjectType: GroupType,
-			Object:      id,
-			ObjectType:  ThingType,
-		}
-
-		if err := svc.DeletePolicyFilter(ctx, req); err != nil {
-			return err
+			Object:     id,
+			ObjectType: ThingType,
 		}
 
-		// Remove policy from domain
-		req.SubjectType = DomainType
-		if err := svc.DeletePolicyFilter(ctx, req); err != nil {
-			return err
-		}
-
-		// Remove policy of users
-		req.SubjectType = UserType
-		if err := svc.DeletePolicyFilter(ctx, req); err != nil {
-			return err
-		}
-
-		return nil
+		return svc.DeletePolicyFilter(ctx, req)
 	case UserType:
 		domainsPage, err := svc.domains.ListDomains(ctx, Page{SubjectID: id, Limit: defLimit})
 		if err != nil {
@@ -1053,82 +1035,39 @@ func (svc service) DeleteEntityPolicies(ctx context.Context, entityType, id stri
 			policy := PolicyReq{
 				Subject:     EncodeDomainUserID(domain.ID, id),
 				SubjectType: UserType,
-				ObjectType:  ThingType,
 			}
 			if err := svc.agent.DeletePolicyFilter(ctx, policy); err != nil {
 				return err
 			}
-
-			policy.ObjectType = GroupType
-			if err := svc.agent.DeletePolicy(ctx, policy); err != nil {
-				return err
-			}
-
-			policy.Object = domain.ID
-			policy.ObjectType = DomainType
-			if err := svc.agent.DeletePolicy(ctx, policy); err != nil {
-				return err
-			}
 		}
 
 		req := PolicyReq{
 			Subject:     id,
 			SubjectType: UserType,
-			ObjectType:  ThingType,
 		}
 		if err := svc.agent.DeletePolicyFilter(ctx, req); err != nil {
 			return err
 		}
-		req.ObjectType = GroupType
-		if err := svc.agent.DeletePolicyFilter(ctx, req); err != nil {
-			return err
-		}
-		req.ObjectType = DomainType
-		if err := svc.agent.DeletePolicyFilter(ctx, req); err != nil {
-			return err
-		}
-		req.ObjectType = PlatformType
-		req.Object = MagistralaObject
-		if err := svc.agent.DeletePolicyFilter(ctx, req); err != nil {
-			return err
-		}
 
 		if err := svc.domains.DeleteUserPolicies(ctx, id); err != nil {
 			return err
 		}
 
 		return nil
 	case GroupType:
-		// Remove policy of child groups
 		req := PolicyReq{
 			SubjectType: GroupType,
 			Subject:     id,
-			ObjectType:  GroupType,
 		}
 		if err := svc.DeletePolicyFilter(ctx, req); err != nil {
 			return err
 		}
 
-		// Remove policy of things
-		req.ObjectType = ThingType
-		if err := svc.DeletePolicyFilter(ctx, req); err != nil {
-			return err
+		req = PolicyReq{
+			Object:     id,
+			ObjectType: GroupType,
 		}
-
-		// Remove policy from domain
-		req.SubjectType = DomainType
-		req.ObjectType = GroupType
-		if err := svc.DeletePolicyFilter(ctx, req); err != nil {
-			return err
-		}
-
-		// Remove policy of users
-		req.SubjectType = UserType
-		if err := svc.DeletePolicyFilter(ctx, req); err != nil {
-			return err
-		}
-
-		return nil
+		return svc.DeletePolicyFilter(ctx, req)
 	default:
 		return errInvalidEntityType
 	}

diff --git a/auth/spicedb/policies.go b/auth/spicedb/policies.go
@@ -158,16 +158,27 @@ func (pa *policyAgent) DeletePolicyFilter(ctx context.Context, pr auth.PolicyReq
 		RelationshipFilter: &v1.RelationshipFilter{
 			ResourceType:       pr.ObjectType,
 			OptionalResourceId: pr.Object,
-			OptionalRelation:   pr.Relation,
-			OptionalSubjectFilter: &v1.SubjectFilter{
-				OptionalSubjectId: pr.Subject,
-				SubjectType:       pr.SubjectType,
-				OptionalRelation: &v1.SubjectFilter_RelationFilter{
-					Relation: pr.SubjectRelation,
-				},
-			},
 		},
 	}
+
+	if pr.Relation != "" {
+		req.RelationshipFilter.OptionalRelation = pr.Relation
+	}
+
+	if pr.SubjectType != "" {
+		req.RelationshipFilter.OptionalSubjectFilter = &v1.SubjectFilter{
+			SubjectType: pr.SubjectType,
+		}
+		if pr.Subject != "" {
+			req.RelationshipFilter.OptionalSubjectFilter.OptionalSubjectId = pr.Subject
+		}
+		if pr.SubjectRelation != "" {
+			req.RelationshipFilter.OptionalSubjectFilter.OptionalRelation = &v1.SubjectFilter_RelationFilter{
+				Relation: pr.SubjectRelation,
+			}
+		}
+	}
+
 	if _, err := pa.permissionClient.DeleteRelationships(ctx, req); err != nil {
 		return errors.Wrap(errRemovePolicies, handleSpicedbError(err))
 	}