fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! feat(permissions): Addeding system user support for permission check v2

This commit is contained in:
Iraq Jaber
2025-03-19 10:34:38 +04:00
parent ed74dcbb44
commit 7b9d4e5d81
6 changed files with 11 additions and 7 deletions


@@ -21,7 +21,7 @@ const (
// - the organisation (**either** provided by ID or verified domain) exists
// - the user is permitted to call the requested endpoint (permission option in proto)
// it will pass the [CtxData] and permission of the user into the ctx [context.Context]
func CheckUserAuthorization(ctx context.Context, req interface{}, token, orgID, orgDomain string, verifier APITokenVerifier, SystemAuthConfig Config, authConfig Config, requiredAuthOption Option, method string) (ctxSetter func(context.Context) context.Context, err error) {
func CheckUserAuthorization(ctx context.Context, req interface{}, token, orgID, orgDomain string, verifier APITokenVerifier, systemRolePermissionMapping []RoleMapping, rolePermissionMapping []RoleMapping, requiredAuthOption Option, method string) (ctxSetter func(context.Context) context.Context, err error) {
ctx, span := tracing.NewServerInterceptorSpan(ctx)
defer func() { span.EndWithError(err) }()
@@ -32,12 +32,12 @@ func CheckUserAuthorization(ctx context.Context, req interface{}, token, orgID,
if requiredAuthOption.Permission == authenticated {
return func(parent context.Context) context.Context {
parent = addGetSystemUserRolesFuncToCtx(parent, SystemAuthConfig.RolePermissionMappings, ctxData)
parent = addGetSystemUserRolesFuncToCtx(parent, systemRolePermissionMapping, ctxData)
return context.WithValue(parent, dataKey, ctxData)
}, nil
}
requestedPermissions, allPermissions, err := getUserPermissions(ctx, verifier, requiredAuthOption.Permission, SystemAuthConfig.RolePermissionMappings, authConfig.RolePermissionMappings, ctxData, ctxData.OrgID)
requestedPermissions, allPermissions, err := getUserPermissions(ctx, verifier, requiredAuthOption.Permission, systemRolePermissionMapping, rolePermissionMapping, ctxData, ctxData.OrgID)
if err != nil {
return nil, err
}
@@ -53,7 +53,7 @@ func CheckUserAuthorization(ctx context.Context, req interface{}, token, orgID,
parent = context.WithValue(parent, dataKey, ctxData)
parent = context.WithValue(parent, allPermissionsKey, allPermissions)
parent = context.WithValue(parent, requestPermissionsKey, requestedPermissions)
parent = addGetSystemUserRolesFuncToCtx(parent, SystemAuthConfig.RolePermissionMappings, ctxData)
parent = addGetSystemUserRolesFuncToCtx(parent, systemRolePermissionMapping, ctxData)
return parent
}, nil
}
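Review bot: The doc comment above CheckUserAuthorization (L13-L15, which begins above the hunk) still describes only the org and endpoint checks and says nothing about the two mapping parameters, so a reader of the new signature cannot tell what systemRolePermissionMapping is consulted for or what passing nil means, and the HTTP middleware in this same commit does pass nil. The rendered page lost its +/- markers; I am reading the slice-typed signature as the new side. I would extend the comment with `// systemRolePermissionMapping is handed to addGetSystemUserRolesFuncToCtx and getUserPermissions for system users, rolePermissionMapping for all other users;` followed by one sentence stating what a nil systemRolePermissionMapping does for a system-user caller, which only the body (continuing outside the hunk) can answer.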


@@ -52,7 +52,7 @@ type Membership struct {
MemberType MemberType
AggregateID string
InstanceID string
// ObjectID differs from aggregate id if object is sub of an aggregate
// ObjectID differs from aggregate id if object is sub of an aggregate
ObjectID string
Roles []string


@@ -34,7 +34,7 @@ func authorize(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo,
}
orgID, orgDomain := orgIDAndDomainFromRequest(authCtx, req)
ctxSetter, err := authz.CheckUserAuthorization(authCtx, req, authToken, orgID, orgDomain, verifier, systemUserPermissions, authConfig, authOpt, info.FullMethod)
ctxSetter, err := authz.CheckUserAuthorization(authCtx, req, authToken, orgID, orgDomain, verifier, systemUserPermissions.RolePermissionMappings, authConfig.RolePermissionMappings, authOpt, info.FullMethod)
if err != nil {
return nil, err
}


@@ -1248,6 +1248,7 @@ func TestServer_SystemUsers_ListUsers(t *testing.T) {
retryDuration, tick := integration.WaitForAndTickWithMaxDuration(tt.ctx, 1*time.Minute)
require.EventuallyWithT(t, func(ttt *assert.CollectT) {
got, err := Client.ListUsers(tt.ctx, tt.req)
fmt.Printf("@@ >>>>>>>>>>>>>>>>>>>>>>>>>>>> got = %+v\n", got)
require.NoError(ttt, err)
if tt.checkNumberOfUsersReturned {
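Review bot: The `fmt.Printf("@@ >>>>>>>>>>>>>>>>>>>>>>>>>>>> got = %+v\n", got)` after the ListUsers call is leftover debugging that dumps the entire response on every EventuallyWithT retry. The same marker pattern appears in the last file section of this commit, the three Printf calls before query.Where in wherePermittedOrgsOrCurrentUser, and there it is non-test code that writes the instance ID, the system-user permissions JSON and the permission being checked to stdout on every permitted-orgs query. Both sets should be removed before the fixups are squashed; if the query-side values are needed for diagnosis, a debug-level entry through the package's logger is the place, not stdout. The retry closure continues past the hunk.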


@@ -71,7 +71,8 @@ func authorize(r *http.Request, verifier authz.APITokenVerifier, authConfig auth
return nil, zerrors.ThrowUnauthenticated(nil, "AUT-1179", "auth header missing")
}
ctxSetter, err := authz.CheckUserAuthorization(authCtx, &httpReq{}, authToken, http_util.GetOrgID(r), "", verifier, authConfig, authConfig, authOpt, r.RequestURI)
// TODO look into this
ctxSetter, err := authz.CheckUserAuthorization(authCtx, &httpReq{}, authToken, http_util.GetOrgID(r), "", verifier, nil, authConfig.RolePermissionMappings, authOpt, r.RequestURI)
if err != nil {
return nil, err
}
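Review bot: The new call passes `nil` as systemRolePermissionMapping while the gRPC middleware in this same commit passes `systemUserPermissions.RolePermissionMappings`, so system users reaching HTTP endpoints now get no system role mapping where the replaced call handed them `authConfig`; whether that denies them or falls through to the regular mapping is decided inside CheckUserAuthorization, which is not visible here. The `// TODO look into this` records that this is unresolved but not what is intended or what the interim behaviour is, which is the one thing a reader of an authorization path needs. Either thread the system-user permissions into this authorize as the gRPC path does, or make the comment explicit: `// TODO: system-user role mappings are not wired into the HTTP middleware yet; decide whether system users may call HTTP endpoints and pass the mapping here as the gRPC authorize does.` authorize starts and ends outside the hunk.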


@@ -60,7 +60,9 @@ func wherePermittedOrgsOrCurrentUser(ctx context.Context, query sq.SelectBuilder
}
systemUserPermissionsJson = string(systemUserPermissionsBytes)
}
fmt.Printf("@@ >>>>>>>>>>>>>>>>>>>>>>>>>>>> authz.GetInstance(ctx).InstanceID() = %+v\n", authz.GetInstance(ctx).InstanceID())
fmt.Printf("@@ >>>>>>>>>>>>>>>>>>>>>>>>>>>> systemUserPermissionsJson = %+v\n", systemUserPermissionsJson)
fmt.Printf("@@ >>>>>>>>>>>>>>>>>>>>>>>>>>>> permission = %+v\n", permission)
return query.Where(
fmt.Sprintf(wherePermittedOrgsOrCurrentUserClause, orgIDColumn, userIdColum),