From 5af41ffddaf2ee87e1f8c184abc40236dbd071e1 Mon Sep 17 00:00:00 2001
From: sbriat
Date: Thu, 4 May 2023 17:04:59 +0200
Subject: [PATCH] remove uuid from policies
---
 opa/ad/delete.rego | 2 +-
 opa/ad/update.rego | 2 +-
 .../adapters/primaries/authorization.controller.ts | 10 +++++-----
 .../adapters/primaries/authorization.proto | 7 +++----
 .../adapters/secondaries/opa.decision-maker.ts | 8 +++-----
 .../authorization/domain/dtos/decision.request.ts | 6 +-----
 .../authorization/domain/interfaces/decision-maker.ts | 1 -
 .../authorization/domain/usecases/decision.usecase.ts | 1 -
 src/modules/authorization/queries/decision.query.ts | 9 +--------
 .../authorization/tests/unit/decision.usecase.spec.ts | 2 --
 .../tests/unit/opa.decision-maker.spec.ts | 9 +++------
 11 files changed, 18 insertions(+), 39 deletions(-)
diff --git a/opa/ad/delete.rego b/opa/ad/delete.rego
index 27a0e1a..7059eee 100644
--- a/opa/ad/delete.rego
+++ b/opa/ad/delete.rego
@@ -3,7 +3,7 @@ package AD.DELETE
 default allow := false
 allow {
- input.userUuid == input.owner
+ input.owner == input.requester
 }
 allow {
diff --git a/opa/ad/update.rego b/opa/ad/update.rego
index 94a0699..6f528fe 100644
--- a/opa/ad/update.rego
+++ b/opa/ad/update.rego
@@ -3,7 +3,7 @@ package AD.UPDATE
 default allow := false
 allow {
- input.userUuid == input.owner
+ input.owner == input.requester
 }
 allow {
diff --git a/src/modules/authorization/adapters/primaries/authorization.controller.ts b/src/modules/authorization/adapters/primaries/authorization.controller.ts
index b975371..a3eacd3 100644
--- a/src/modules/authorization/adapters/primaries/authorization.controller.ts
+++ b/src/modules/authorization/adapters/primaries/authorization.controller.ts
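Review bot: The rewritten rule in delete.rego grants whenever `input.owner == input.requester`, and the decision-maker hunk shows that every field of `input` — `owner` and `requester` alike — is copied verbatim from the caller's context array, so two empty strings (or any pair of identical placeholder values) satisfy it; the old `uuid` request field at least carried `@IsNotEmpty()`, which this commit removes without adding an equivalent guard on `requester`. I would reject a missing or empty requester explicitly: `allow {` / `input.requester != ""` / `input.owner == input.requester` / `}`. The same applies to the identical rule in update.rego. The second `allow { … }` rule in each file continues outside the hunk, so I cannot tell whether it adds a guard of its own, and whether the gRPC caller is a trusted internal service is not visible from the diff.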
@@ -18,17 +18,17 @@ import { AuthorizationPresenter } from './authorization.presenter';
 @Controller()
 export class AuthorizationController {
 constructor(
- private readonly _queryBus: QueryBus,
- @InjectMapper() private readonly _mapper: Mapper,
+ private readonly queryBus: QueryBus,
+ @InjectMapper() private readonly mapper: Mapper,
 ) {}
 @GrpcMethod('AuthorizationService', 'Decide')
 async decide(data: DecisionRequest): Promise {
 try {
- const authorization: Authorization = await this._queryBus.execute(
- new DecisionQuery(data.uuid, data.domain, data.action, data.context),
+ const authorization: Authorization = await this.queryBus.execute(
+ new DecisionQuery(data.domain, data.action, data.context),
 );
- return this._mapper.map(
+ return this.mapper.map(
 authorization,
 Authorization,
 AuthorizationPresenter,
diff --git a/src/modules/authorization/adapters/primaries/authorization.proto b/src/modules/authorization/adapters/primaries/authorization.proto
index 679febd..be05049 100644
--- a/src/modules/authorization/adapters/primaries/authorization.proto
+++ b/src/modules/authorization/adapters/primaries/authorization.proto
@@ -7,10 +7,9 @@ service AuthorizationService {
 }
 message AuthorizationRequest {
- string uuid = 1;
- string domain = 2;
- string action = 3;
- repeated Item context = 4;
+ string domain = 1;
+ string action = 2;
+ repeated Item context = 3;
 }
 message Item {
diff --git a/src/modules/authorization/adapters/secondaries/opa.decision-maker.ts b/src/modules/authorization/adapters/secondaries/opa.decision-maker.ts
index 0e9d5e8..bc86940 100644
--- a/src/modules/authorization/adapters/secondaries/opa.decision-maker.ts
+++ b/src/modules/authorization/adapters/secondaries/opa.decision-maker.ts
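Review bot: Renumbering `domain`, `action` and `context` to 1–3 in `AuthorizationRequest` breaks wire compatibility with any client still built against the previous schema: such a client puts its uuid in field 1, which the new server now decodes as `domain`, and its `action` string in field 3, which the server now expects to be a repeated `Item` message, while the real context arrives as an unknown field 4 and is dropped. The protobuf convention for a removed field is to keep the remaining numbers and reserve the old one, i.e. `reserved 1;` / `reserved "uuid";` and leave `string domain = 2;`, `string action = 3;`, `repeated Item context = 4;` as they were. Whether mixed-version deployments happen here is not visible from the diff, but the renumbering gains nothing and turns a schema mismatch into a mangled-but-parseable request instead of a plainly unknown field.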
@@ -18,12 +18,11 @@ export class OpaDecisionMaker extends IMakeDecision {
 super();
 }
- async decide(
- uuid: string,
+ decide = async (
 domain: Domain,
 action: Action,
 context: Array,
- ): Promise {
+ ): Promise => {
 const reducedContext = context.reduce(
 (obj, item) => Object.assign(obj, { [item.name]: item.value }),
 {},
@@ -34,7 +33,6 @@ export class OpaDecisionMaker extends IMakeDecision {
 this._configService.get('OPA_URL') + domain + '/' + action,
 {
 input: {
- uuid,
 ...reducedContext,
 },
 },
@@ -44,5 +42,5 @@ export class OpaDecisionMaker extends IMakeDecision {
 } catch (e) {
 return new Authorization(false);
 }
- }
+ };
 }
diff --git a/src/modules/authorization/domain/dtos/decision.request.ts b/src/modules/authorization/domain/dtos/decision.request.ts
index adfe51b..7ab1da6 100644
--- a/src/modules/authorization/domain/dtos/decision.request.ts
+++ b/src/modules/authorization/domain/dtos/decision.request.ts
@@ -1,13 +1,9 @@
-import { IsArray, IsEnum, IsNotEmpty, IsString } from 'class-validator';
+import { IsArray, IsEnum, IsNotEmpty } from 'class-validator';
 import { ContextItem } from './context-item';
 import { Action } from './action.enum';
 import { Domain } from './domain.enum';
 export class DecisionRequest {
- @IsString()
- @IsNotEmpty()
- uuid: string;
-
 @IsEnum(Domain)
 @IsNotEmpty()
 domain: Domain;
diff --git a/src/modules/authorization/domain/interfaces/decision-maker.ts b/src/modules/authorization/domain/interfaces/decision-maker.ts
index 7a6139c..4492f27 100644
--- a/src/modules/authorization/domain/interfaces/decision-maker.ts
+++ b/src/modules/authorization/domain/interfaces/decision-maker.ts
@@ -6,7 +6,6 @@ import { Authorization } from '../entities/authorization';
 @Injectable()
 export abstract class IMakeDecision {
 abstract decide(
- uuid: string,
 domain: Domain,
 action: Action,
 context: Array<{ name: string; value: string }>,
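Review bot: With `uuid` dropped from the OPA `input` in the second opa.decision-maker.ts hunk, every field the policies see — including the `requester` that delete.rego and update.rego now compare with `owner` — is copied straight from the caller's `context` array by `reducedContext`, and nothing in this adapter ties it to an authenticated identity; the old `uuid` gRPC field was caller-supplied too, so this is not a regression, but the trust assumption is now invisible at the call site and deserves a comment above `decide = async (`, e.g. `// The context is forwarded unchanged as the OPA input; policies that compare input.requester with input.owner rely on the caller sending a truthful requester — this adapter does not derive it from the authenticated principal.` Worth a second line there: because `Object.assign` overwrites, a context with duplicate names resolves to the last item. Where the `try` that ends in the third hunk begins is not visible, so I cannot tell whether a `context.reduce` failure is turned into a denied `Authorization` here or propagates to the controller.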
diff --git a/src/modules/authorization/domain/usecases/decision.usecase.ts b/src/modules/authorization/domain/usecases/decision.usecase.ts
index 55e5830..dea61f7 100644
--- a/src/modules/authorization/domain/usecases/decision.usecase.ts
+++ b/src/modules/authorization/domain/usecases/decision.usecase.ts
@@ -9,7 +9,6 @@ export class DecisionUseCase {
 async execute(decisionQuery: DecisionQuery): Promise {
 return this._decisionMaker.decide(
- decisionQuery.uuid,
 decisionQuery.domain,
 decisionQuery.action,
 decisionQuery.context,
diff --git a/src/modules/authorization/queries/decision.query.ts b/src/modules/authorization/queries/decision.query.ts
index 7110acf..16a5875 100644
--- a/src/modules/authorization/queries/decision.query.ts
+++ b/src/modules/authorization/queries/decision.query.ts
@@ -3,18 +3,11 @@ import { Action } from '../domain/dtos/action.enum';
 import { Domain } from '../domain/dtos/domain.enum';
 export class DecisionQuery {
- readonly uuid: string;
 readonly domain: Domain;
 readonly action: Action;
 readonly context: Array;
- constructor(
- uuid: string,
- domain: Domain,
- action: Action,
- context?: Array,
- ) {
- this.uuid = uuid;
+ constructor(domain: Domain, action: Action, context?: Array) {
 this.domain = domain;
 this.action = action;
 this.context = context;
diff --git a/src/modules/authorization/tests/unit/decision.usecase.spec.ts b/src/modules/authorization/tests/unit/decision.usecase.spec.ts
index 7d647da..1e2cc07 100644
--- a/src/modules/authorization/tests/unit/decision.usecase.spec.ts
+++ b/src/modules/authorization/tests/unit/decision.usecase.spec.ts
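Review bot: The rewritten single-line constructor in decision.query.ts keeps `context` optional and assigns it unchecked, so a `DecisionQuery` built without a context carries `undefined` into `OpaDecisionMaker.decide`, where `context.reduce(...)` throws — and whether that becomes a denied `Authorization` or an unhandled rejection depends on a `try` boundary that is outside the visible hunks. Since the signature is being rewritten anyway, give the parameter a default so the query always carries an array: `constructor(domain: Domain, action: Action, context: Array<ContextItem> = [])` (the element type was stripped in this rendering; keep whatever the `readonly context` field declares). This was already the case before the commit, so it is a cleanup rather than a regression.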
@@ -40,14 +40,12 @@ describe('DecisionUseCase', () => {
 describe('execute', () => {
 it('should validate an authorization', async () => {
 const decisionRequest: DecisionRequest = new DecisionRequest();
- decisionRequest.uuid = 'bb281075-1b98-4456-89d6-c643d3044a91';
 decisionRequest.domain = Domain.USER;
 decisionRequest.action = Action.CREATE;
 decisionRequest.context = [new ContextItem('context1', 'value1')];
 expect(
 decisionUseCase.execute(
 new DecisionQuery(
- decisionRequest.uuid,
 decisionRequest.domain,
 decisionRequest.action,
 decisionRequest.context,
diff --git a/src/modules/authorization/tests/unit/opa.decision-maker.spec.ts b/src/modules/authorization/tests/unit/opa.decision-maker.spec.ts
index 40cdedd..4874ae9 100644
--- a/src/modules/authorization/tests/unit/opa.decision-maker.spec.ts
+++ b/src/modules/authorization/tests/unit/opa.decision-maker.spec.ts
@@ -71,28 +71,25 @@ describe('OpaDecisionMaker', () => {
 describe('execute', () => {
 it('should return a truthy authorization', async () => {
 const authorization = await opaDecisionMaker.decide(
- 'bb281075-1b98-4456-89d6-c643d3044a91',
 Domain.USER,
 Action.READ,
- [],
+ [{ name: 'uuid', value: 'bb281075-1b98-4456-89d6-c643d3044a91' }],
 );
 expect(authorization.allow).toBeTruthy();
 });
 it('should return a falsy authorization', async () => {
 const authorization = await opaDecisionMaker.decide(
- 'bb281075-1b98-4456-89d6-c643d3044a91',
 Domain.USER,
 Action.READ,
- [],
+ [{ name: 'uuid', value: 'bb281075-1b98-4456-89d6-c643d3044a91' }],
 );
 expect(authorization.allow).toBeFalsy();
 });
 it('should return a falsy authorization when an error happens', async () => {
 const authorization = await opaDecisionMaker.decide(
- 'bb281075-1b98-4456-89d6-c643d3044a91',
 Domain.USER,
 Action.READ,
- [],
+ [{ name: 'uuid', value: 'bb281075-1b98-4456-89d6-c643d3044a91' }],
 );
 expect(authorization.allow).toBeFalsy();
 });
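Review bot: The replacement context item in all three opa.decision-maker.spec.ts cases is named `uuid`, but the policies rewritten in this same commit read `input.requester`, so the fixtures no longer resemble the input the policies consume; if the HTTP call is mocked (the setup is outside the hunk) this does not change the outcome, but it tells the next reader that `uuid` is still the identity key. I would rename the fixture to `[{ name: 'requester', value: 'bb281075-1b98-4456-89d6-c643d3044a91' }]` and hoist it into one `const requesterContext` shared by the three cases. The truthy and falsy cases call `decide` with identical arguments, so the expected difference must come from mock configuration that the hunk does not show — a one-line comment on each case naming the mocked OPA response would make that explicit.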