feat: add db migration for resource id (#97)
* feat: add db migration for resource id

* feat: use id for resource throughout

* fix: add error handling
krtkvrm authored Apr 4, 2022
1 parent 6265f2b commit 85d9f0a
Showing 23 changed files with 835 additions and 762 deletions.
3 changes: 2 additions & 1 deletion api/handler/v1beta1/resource.go
Expand Up @@ -181,7 +181,8 @@ func transformResourceToPB(from model.Resource) (shieldv1beta1.Resource, error)
}

return shieldv1beta1.Resource{
Id: from.Id,
Id: from.Idxa,
Urn: from.Urn,
Name: from.Name,
Namespace: &namespace,
Organization: &org,
Expand Down
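Review bot: The new field name `Idxa` (declared in model/model.go in this commit and read here as `Id: from.Idxa`) says nothing about what it holds and breaks the convention the surrounding fields follow (`Id`, `ProjectId`, `OrganizationId`); Go style would call it `ID`, or `Id` to stay consistent with its siblings. If the unusual name exists to avoid a collision with a generated or ORM-mapped column, that reason belongs on the field itself, e.g. `// Idxa is the resource's primary id (presumably store-assigned); distinct from Urn, which is derived from the resource's fields.` — the reason is not visible on this page. The same field is referenced in hook/authz/authz.go, internal/group/groups.go, internal/org/org.go, internal/permission/relation.go and internal/project/project.go, so renaming it later will touch all of them. transformResourceToPB starts before this hunk.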
2 changes: 1 addition & 1 deletion buf.gen.yaml
@@ -1,4 +1,4 @@
#!/usr/bin/env -S buf generate buf.build/odpf/proton:50f3663dc011ea70cf65886bfebd28774ceb740a --path odpf/shield --template
#!/usr/bin/env -S buf generate buf.build/odpf/proton:6e1e1020ca1ea2cd440d5e1417470af31c91c76a --path odpf/shield --template
---
version: "v1"
plugins:
Expand Down
4 changes: 2 additions & 2 deletions cmd/serve.go
Expand Up @@ -94,7 +94,7 @@ func serve(logger log.Logger, appConfig *config.Shield) error {
Store: serviceStore,
IdentityProxyHeader: appConfig.App.IdentityProxyHeader,
ResourcesRepository: resourceConfig,
})
}, serviceStore)

cleanUpFunc, cleanUpProxies, err = startProxy(logger, appConfig, ctx, deps, cleanUpFunc, cleanUpProxies, AuthzCheckService)
if err != nil {
Expand Down Expand Up @@ -315,7 +315,7 @@ func apiDependencies(ctx context.Context, db *sql.SQL, appConfig *config.Shield,
ActionService: schemaService,
NamespaceService: schemaService,
IdentityProxyHeader: appConfig.App.IdentityProxyHeader,
PermissionCheckService: permission.NewCheckService(permissions),
PermissionCheckService: permission.NewCheckService(permissions, serviceStore),
},
}
return dependencies, nil
Expand Down
2 changes: 1 addition & 1 deletion hook/authz/authz.go
Expand Up @@ -179,7 +179,7 @@ func (a Authz) ServeHook(res *http.Response, err error) (*http.Response, error)
a.log.Error(err.Error())
return a.escape.ServeHook(res, fmt.Errorf(err.Error()))
}
a.log.Info(fmt.Sprintf("Resource %s created", newResource.Id))
a.log.Info(fmt.Sprintf("Resource %s created with ID %s", newResource.Urn, newResource.Idxa))
}

return a.next.ServeHook(res, nil)
Expand Down
8 changes: 4 additions & 4 deletions internal/group/groups.go
Expand Up @@ -95,7 +95,7 @@ func (s Service) AddUsersToGroup(ctx context.Context, groupId string, userIds []
}

isAuthorized, err := s.Permissions.CheckPermission(ctx, currentUser, model.Resource{
Id: groupId,
Idxa: groupId,
Namespace: definition.TeamNamespace,
},
definition.ManageTeamAction,
Expand Down Expand Up @@ -137,7 +137,7 @@ func (s Service) RemoveUserFromGroup(ctx context.Context, groupId string, userId
}

isAuthorized, err := s.Permissions.CheckPermission(ctx, currentUser, model.Resource{
Id: groupId,
Idxa: groupId,
Namespace: definition.TeamNamespace,
},
definition.ManageTeamAction,
Expand Down Expand Up @@ -194,7 +194,7 @@ func (s Service) AddAdminsToGroup(ctx context.Context, groupId string, userIds [
}

isAuthorized, err := s.Permissions.CheckPermission(ctx, currentUser, model.Resource{
Id: groupId,
Idxa: groupId,
Namespace: definition.TeamNamespace,
},
definition.ManageTeamAction,
Expand Down Expand Up @@ -241,7 +241,7 @@ func (s Service) RemoveAdminFromGroup(ctx context.Context, groupId string, userI
}

isAuthorized, err := s.Permissions.CheckPermission(ctx, currentUser, model.Resource{
Id: groupId,
Idxa: groupId,
Namespace: definition.TeamNamespace,
},
definition.ManageTeamAction,
Expand Down
4 changes: 2 additions & 2 deletions internal/org/org.go
Expand Up @@ -82,7 +82,7 @@ func (s Service) AddAdmin(ctx context.Context, id string, userIds []string) ([]m
}

isAuthorized, err := s.Permissions.CheckPermission(ctx, currentUser, model.Resource{
Id: id,
Idxa: id,
Namespace: definition.OrgNamespace,
},
definition.ManageOrganizationAction,
Expand Down Expand Up @@ -128,7 +128,7 @@ func (s Service) RemoveAdmin(ctx context.Context, id string, userId string) ([]m
}

isAuthorized, err := s.Permissions.CheckPermission(ctx, currentUser, model.Resource{
Id: id,
Idxa: id,
Namespace: definition.OrgNamespace,
},
definition.ManageOrganizationAction,
Expand Down
18 changes: 14 additions & 4 deletions internal/permission/check.go
Expand Up @@ -9,10 +9,15 @@ import (

type CheckService struct {
PermissionsService Permissions
ResourceStore ResourceStore
}

func NewCheckService(permissionService Permissions) CheckService {
return CheckService{PermissionsService: permissionService}
type ResourceStore interface {
GetResourceByURN(ctx context.Context, urn string) (model.Resource, error)
}

func NewCheckService(permissionService Permissions, resourceStore ResourceStore) CheckService {
return CheckService{PermissionsService: permissionService, ResourceStore: resourceStore}
}

func (c CheckService) CheckAuthz(ctx context.Context, resource model.Resource, action model.Action) (bool, error) {
Expand All @@ -21,6 +26,11 @@ func (c CheckService) CheckAuthz(ctx context.Context, resource model.Resource, a
return false, err
}

resource.Id = utils.CreateResourceId(resource)
return c.PermissionsService.CheckPermission(ctx, user, resource, action)
resource.Urn = utils.CreateResourceURN(resource)
fetchedResource, err := c.ResourceStore.GetResourceByURN(ctx, resource.Urn)
if err != nil {
return false, err
}

return c.PermissionsService.CheckPermission(ctx, user, fetchedResource, action)
}
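Review bot: The store error at `fetchedResource, err := c.ResourceStore.GetResourceByURN(ctx, resource.Urn)` is returned unwrapped, so a caller cannot tell an unknown URN (an expected deny) from a store outage, and the URN that failed is lost from the error; `return false, fmt.Errorf("resolving resource %q for authz: %w", resource.Urn, err)` keeps both, assuming fmt is imported in this file (its import block is collapsed). Denying on any error is the right fail-closed default, and authorizing against `fetchedResource` rather than the caller's `resource` means a request-supplied `Idxa` is ignored, which is worth stating explicitly. The exported `ResourceStore` interface has no doc comment; `// ResourceStore resolves a resource by URN. CheckAuthz authorizes against the stored record, never the caller-supplied one.` would make that contract visible. CheckAuthz begins before this hunk, on the far side of the collapsed region.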
10 changes: 5 additions & 5 deletions internal/permission/relation.go
Expand Up @@ -222,7 +222,7 @@ func (s Service) AddProjectToResource(ctx context.Context, project model.Project

rel := model.Relation{
ObjectNamespace: resourceNS,
ObjectId: resource.Id,
ObjectId: resource.Idxa,
SubjectId: project.Id,
SubjectNamespace: definition.ProjectNamespace,
Role: model.Role{
Expand All @@ -241,7 +241,7 @@ func (s Service) AddOrgToResource(ctx context.Context, org model.Organization, r

rel := model.Relation{
ObjectNamespace: resourceNS,
ObjectId: resource.Id,
ObjectId: resource.Idxa,
SubjectId: org.Id,
SubjectNamespace: definition.OrgNamespace,
Role: model.Role{
Expand All @@ -260,7 +260,7 @@ func (s Service) AddTeamToResource(ctx context.Context, team model.Group, resour

rel := model.Relation{
ObjectNamespace: resourceNS,
ObjectId: resource.Id,
ObjectId: resource.Idxa,
SubjectId: team.Id,
SubjectNamespace: definition.TeamNamespace,
Role: model.Role{
Expand All @@ -279,7 +279,7 @@ func (s Service) CheckPermission(ctx context.Context, user model.User, resource

rel := model.Relation{
ObjectNamespace: resourceNS,
ObjectId: resource.Id,
ObjectId: resource.Idxa,
SubjectId: user.Id,
SubjectNamespace: definition.UserNamespace,
}
Expand Down Expand Up @@ -307,7 +307,7 @@ func (s Service) AddOwnerToResource(ctx context.Context, user model.User, resour

rel := model.Relation{
ObjectNamespace: resourceNS,
ObjectId: resource.Id,
ObjectId: resource.Idxa,
SubjectId: user.Id,
SubjectNamespace: definition.UserNamespace,
Role: role,
Expand Down
4 changes: 2 additions & 2 deletions internal/project/project.go
Expand Up @@ -90,7 +90,7 @@ func (s Service) AddAdmin(ctx context.Context, id string, userIds []string) ([]m
}

isAuthorized, err := s.Permissions.CheckPermission(ctx, currentUser, model.Resource{
Id: id,
Idxa: id,
Namespace: definition.ProjectNamespace,
},
definition.ManageProjectAction,
Expand Down Expand Up @@ -136,7 +136,7 @@ func (s Service) RemoveAdmin(ctx context.Context, id string, userId string) ([]m
}

isAuthorized, err := s.Permissions.CheckPermission(ctx, currentUser, model.Resource{
Id: id,
Idxa: id,
Namespace: definition.ProjectNamespace,
},
definition.ManageProjectAction,
Expand Down
4 changes: 2 additions & 2 deletions internal/resource/resource.go
Expand Up @@ -31,7 +31,7 @@ func (s Service) Get(ctx context.Context, id string) (model.Resource, error) {
}

func (s Service) Create(ctx context.Context, resource model.Resource) (model.Resource, error) {
id := utils.CreateResourceId(resource)
urn := utils.CreateResourceURN(resource)

user, err := s.Permissions.FetchCurrentUser(ctx)

Expand All @@ -46,7 +46,7 @@ func (s Service) Create(ctx context.Context, resource model.Resource) (model.Res
}

newResource, err := s.Store.CreateResource(ctx, model.Resource{
Id: id,
Urn: urn,
Name: resource.Name,
OrganizationId: resource.OrganizationId,
ProjectId: resource.ProjectId,
Expand Down
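Review bot: After `Urn: urn,` the record handed to `s.Store.CreateResource` carries no identifier at all, so Create now depends on the store assigning `Idxa` on insert and returning it in `newResource`; hook/authz/authz.go in this same commit logs `newResource.Idxa`, which would print empty if the store does not populate it. The store side is not visible on this page (the commit title mentions a db migration, which presumably covers it), so a one-line comment at the call would spare the next reader the same question: `// Only the URN is derived here; Idxa is expected to be assigned by the store on insert.` Create starts in the first hunk and its body continues past the end of this one.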
3 changes: 2 additions & 1 deletion model/model.go
Expand Up @@ -99,7 +99,8 @@ type Relation struct {
}

type Resource struct {
Id string
Idxa string
Urn string
Name string
ProjectId string `json:"project_id"`
Project Project
Expand Down
3 changes: 3 additions & 0 deletions proto/apidocs.swagger.json
Expand Up @@ -2646,6 +2646,9 @@
},
"user": {
"$ref": "#/definitions/v1beta1User"
},
"urn": {
"type": "string"
}
}
},
Expand Down