ncaron
/
auth
mirror of https://gitlab.com/mobicoop/v3/service/auth.git
1
0
Fork 1
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'removeUuid' into 'main' 

remove uuid from policies

See merge request v3/service/auth!37
This commit is contained in:
Sylvain Briat 2023-05-04 15:08:37 +00:00
parent c1c6a78b85 5af41ffdda
commit 39d6fd4a40
11 changed files with 18 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
opa/ad/delete.rego
View File

@ -3,7 +3,7 @@ package AD.DELETE
default allow := false
allow {
input.userUuid == input.owner
input.owner == input.requester
}
allow {

2
opa/ad/update.rego
View File

@ -3,7 +3,7 @@ package AD.UPDATE
default allow := false
allow {
input.userUuid == input.owner
input.owner == input.requester
}
allow {

10
src/modules/authorization/adapters/primaries/authorization.controller.ts
View File

@ -18,17 +18,17 @@ import { AuthorizationPresenter } from './authorization.presenter';
@Controller()
export class AuthorizationController {
constructor(
private readonly _queryBus: QueryBus,
@InjectMapper() private readonly _mapper: Mapper,
private readonly queryBus: QueryBus,
@InjectMapper() private readonly mapper: Mapper,
) {}
@GrpcMethod('AuthorizationService', 'Decide')
async decide(data: DecisionRequest): Promise<AuthorizationPresenter> {
try {
const authorization: Authorization = await this._queryBus.execute(
new DecisionQuery(data.uuid, data.domain, data.action, data.context),
const authorization: Authorization = await this.queryBus.execute(
new DecisionQuery(data.domain, data.action, data.context),
);
return this._mapper.map(
return this.mapper.map(
authorization,
Authorization,
AuthorizationPresenter,

7
src/modules/authorization/adapters/primaries/authorization.proto
View File

@ -7,10 +7,9 @@ service AuthorizationService {
}
message AuthorizationRequest {
string uuid = 1;
string domain = 2;
string action = 3;
repeated Item context = 4;
string domain = 1;
string action = 2;
repeated Item context = 3;
}
message Item {

8
src/modules/authorization/adapters/secondaries/opa.decision-maker.ts
View File

@ -18,12 +18,11 @@ export class OpaDecisionMaker extends IMakeDecision {
super();
}
async decide(
uuid: string,
decide = async (
domain: Domain,
action: Action,
context: Array<ContextItem>,
): Promise<Authorization> {
): Promise<Authorization> => {
const reducedContext = context.reduce(
(obj, item) => Object.assign(obj, { [item.name]: item.value }),
{},
@ -34,7 +33,6 @@ export class OpaDecisionMaker extends IMakeDecision {
this._configService.get<string>('OPA_URL') + domain + '/' + action,
{
input: {
uuid,
...reducedContext,
},
},
@ -44,5 +42,5 @@ export class OpaDecisionMaker extends IMakeDecision {
} catch (e) {
return new Authorization(false);
}
}
};
}

6
src/modules/authorization/domain/dtos/decision.request.ts
View File

@ -1,13 +1,9 @@
import { IsArray, IsEnum, IsNotEmpty, IsString } from 'class-validator';
import { IsArray, IsEnum, IsNotEmpty } from 'class-validator';
import { ContextItem } from './context-item';
import { Action } from './action.enum';
import { Domain } from './domain.enum';
export class DecisionRequest {
@IsString()
@IsNotEmpty()
uuid: string;
@IsEnum(Domain)
@IsNotEmpty()
domain: Domain;

1
src/modules/authorization/domain/interfaces/decision-maker.ts
View File

@ -6,7 +6,6 @@ import { Authorization } from '../entities/authorization';
@Injectable()
export abstract class IMakeDecision {
abstract decide(
uuid: string,
domain: Domain,
action: Action,
context: Array<{ name: string; value: string }>,

1
src/modules/authorization/domain/usecases/decision.usecase.ts
View File

@ -9,7 +9,6 @@ export class DecisionUseCase {
async execute(decisionQuery: DecisionQuery): Promise<Authorization> {
return this._decisionMaker.decide(
decisionQuery.uuid,
decisionQuery.domain,
decisionQuery.action,
decisionQuery.context,

9
src/modules/authorization/queries/decision.query.ts
View File

@ -3,18 +3,11 @@ import { Action } from '../domain/dtos/action.enum';
import { Domain } from '../domain/dtos/domain.enum';
export class DecisionQuery {
readonly uuid: string;
readonly domain: Domain;
readonly action: Action;
readonly context: Array<ContextItem>;
constructor(
uuid: string,
domain: Domain,
action: Action,
context?: Array<ContextItem>,
) {
this.uuid = uuid;
constructor(domain: Domain, action: Action, context?: Array<ContextItem>) {
this.domain = domain;
this.action = action;
this.context = context;

2
src/modules/authorization/tests/unit/decision.usecase.spec.ts
View File

@ -40,14 +40,12 @@ describe('DecisionUseCase', () => {
describe('execute', () => {
it('should validate an authorization', async () => {
const decisionRequest: DecisionRequest = new DecisionRequest();
decisionRequest.uuid = 'bb281075-1b98-4456-89d6-c643d3044a91';
decisionRequest.domain = Domain.USER;
decisionRequest.action = Action.CREATE;
decisionRequest.context = [new ContextItem('context1', 'value1')];
expect(
decisionUseCase.execute(
new DecisionQuery(
decisionRequest.uuid,
decisionRequest.domain,
decisionRequest.action,
decisionRequest.context,

9
src/modules/authorization/tests/unit/opa.decision-maker.spec.ts
View File

@ -71,28 +71,25 @@ describe('OpaDecisionMaker', () => {
describe('execute', () => {
it('should return a truthy authorization', async () => {
const authorization = await opaDecisionMaker.decide(
'bb281075-1b98-4456-89d6-c643d3044a91',
Domain.USER,
Action.READ,
[],
[{ name: 'uuid', value: 'bb281075-1b98-4456-89d6-c643d3044a91' }],
);
expect(authorization.allow).toBeTruthy();
});
it('should return a falsy authorization', async () => {
const authorization = await opaDecisionMaker.decide(
'bb281075-1b98-4456-89d6-c643d3044a91',
Domain.USER,
Action.READ,
[],
[{ name: 'uuid', value: 'bb281075-1b98-4456-89d6-c643d3044a91' }],
);
expect(authorization.allow).toBeFalsy();
});
it('should return a falsy authorization when an error happens', async () => {
const authorization = await opaDecisionMaker.decide(
'bb281075-1b98-4456-89d6-c643d3044a91',
Domain.USER,
Action.READ,
[],
[{ name: 'uuid', value: 'bb281075-1b98-4456-89d6-c643d3044a91' }],
);
expect(authorization.allow).toBeFalsy();
});