ncaron
/
auth
mirror of https://gitlab.com/mobicoop/v3/service/auth.git
1
0
Fork 1
Code Issues Packages Projects Releases Wiki Activity

remove uuid from policies

This commit is contained in:
sbriat 2023-05-04 17:04:59 +02:00
parent c1c6a78b85
commit 5af41ffdda
11 changed files with 18 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
opa/ad/delete.rego
View File

@ -3,7 +3,7 @@ package AD.DELETE
default allow := false default allow := false
allow { allow {
input.userUuid == input.owner input.owner == input.requester
} }
allow { allow {

2
opa/ad/update.rego
View File

@ -3,7 +3,7 @@ package AD.UPDATE
default allow := false default allow := false
allow { allow {
input.userUuid == input.owner input.owner == input.requester
} }
allow { allow {

10
src/modules/authorization/adapters/primaries/authorization.controller.ts
View File

@ -18,17 +18,17 @@ import { AuthorizationPresenter } from './authorization.presenter';
@Controller() @Controller()
export class AuthorizationController { export class AuthorizationController {
constructor( constructor(
private readonly _queryBus: QueryBus, private readonly queryBus: QueryBus,
@InjectMapper() private readonly _mapper: Mapper, @InjectMapper() private readonly mapper: Mapper,
) {} ) {}
@GrpcMethod('AuthorizationService', 'Decide') @GrpcMethod('AuthorizationService', 'Decide')
async decide(data: DecisionRequest): Promise<AuthorizationPresenter> { async decide(data: DecisionRequest): Promise<AuthorizationPresenter> {
try { try {
const authorization: Authorization = await this._queryBus.execute( const authorization: Authorization = await this.queryBus.execute(
new DecisionQuery(data.uuid, data.domain, data.action, data.context), new DecisionQuery(data.domain, data.action, data.context),
); );
return this._mapper.map( return this.mapper.map(
authorization, authorization,
Authorization, Authorization,
AuthorizationPresenter, AuthorizationPresenter,

7
src/modules/authorization/adapters/primaries/authorization.proto
View File

@ -7,10 +7,9 @@ service AuthorizationService {
} }
message AuthorizationRequest { message AuthorizationRequest {
string uuid = 1; string domain = 1;
string domain = 2; string action = 2;
string action = 3; repeated Item context = 3;
repeated Item context = 4;
} }
message Item { message Item {

8
src/modules/authorization/adapters/secondaries/opa.decision-maker.ts
View File

@ -18,12 +18,11 @@ export class OpaDecisionMaker extends IMakeDecision {
super(); super();
} }
async decide( decide = async (
uuid: string,
domain: Domain, domain: Domain,
action: Action, action: Action,
context: Array<ContextItem>, context: Array<ContextItem>,
): Promise<Authorization> { ): Promise<Authorization> => {
const reducedContext = context.reduce( const reducedContext = context.reduce(
(obj, item) => Object.assign(obj, { [item.name]: item.value }), (obj, item) => Object.assign(obj, { [item.name]: item.value }),
{}, {},
@ -34,7 +33,6 @@ export class OpaDecisionMaker extends IMakeDecision {
this._configService.get<string>('OPA_URL') + domain + '/' + action, this._configService.get<string>('OPA_URL') + domain + '/' + action,
{ {
input: { input: {
uuid,
...reducedContext, ...reducedContext,
}, },
}, },
@ -44,5 +42,5 @@ export class OpaDecisionMaker extends IMakeDecision {
} catch (e) { } catch (e) {
return new Authorization(false); return new Authorization(false);
} }
} };
} }

6
src/modules/authorization/domain/dtos/decision.request.ts
View File

@ -1,13 +1,9 @@
import { IsArray, IsEnum, IsNotEmpty, IsString } from 'class-validator'; import { IsArray, IsEnum, IsNotEmpty } from 'class-validator';
import { ContextItem } from './context-item'; import { ContextItem } from './context-item';
import { Action } from './action.enum'; import { Action } from './action.enum';
import { Domain } from './domain.enum'; import { Domain } from './domain.enum';
export class DecisionRequest { export class DecisionRequest {
@IsString()
@IsNotEmpty()
uuid: string;
@IsEnum(Domain) @IsEnum(Domain)
@IsNotEmpty() @IsNotEmpty()
domain: Domain; domain: Domain;

1
src/modules/authorization/domain/interfaces/decision-maker.ts
View File

@ -6,7 +6,6 @@ import { Authorization } from '../entities/authorization';
@Injectable() @Injectable()
export abstract class IMakeDecision { export abstract class IMakeDecision {
abstract decide( abstract decide(
uuid: string,
domain: Domain, domain: Domain,
action: Action, action: Action,
context: Array<{ name: string; value: string }>, context: Array<{ name: string; value: string }>,

1
src/modules/authorization/domain/usecases/decision.usecase.ts
View File

@ -9,7 +9,6 @@ export class DecisionUseCase {
async execute(decisionQuery: DecisionQuery): Promise<Authorization> { async execute(decisionQuery: DecisionQuery): Promise<Authorization> {
return this._decisionMaker.decide( return this._decisionMaker.decide(
decisionQuery.uuid,
decisionQuery.domain, decisionQuery.domain,
decisionQuery.action, decisionQuery.action,
decisionQuery.context, decisionQuery.context,

9
src/modules/authorization/queries/decision.query.ts
View File

@ -3,18 +3,11 @@ import { Action } from '../domain/dtos/action.enum';
import { Domain } from '../domain/dtos/domain.enum'; import { Domain } from '../domain/dtos/domain.enum';
export class DecisionQuery { export class DecisionQuery {
readonly uuid: string;
readonly domain: Domain; readonly domain: Domain;
readonly action: Action; readonly action: Action;
readonly context: Array<ContextItem>; readonly context: Array<ContextItem>;
constructor( constructor(domain: Domain, action: Action, context?: Array<ContextItem>) {
uuid: string,
domain: Domain,
action: Action,
context?: Array<ContextItem>,
) {
this.uuid = uuid;
this.domain = domain; this.domain = domain;
this.action = action; this.action = action;
this.context = context; this.context = context;

2
src/modules/authorization/tests/unit/decision.usecase.spec.ts
View File

@ -40,14 +40,12 @@ describe('DecisionUseCase', () => {
describe('execute', () => { describe('execute', () => {
it('should validate an authorization', async () => { it('should validate an authorization', async () => {
const decisionRequest: DecisionRequest = new DecisionRequest(); const decisionRequest: DecisionRequest = new DecisionRequest();
decisionRequest.uuid = 'bb281075-1b98-4456-89d6-c643d3044a91';
decisionRequest.domain = Domain.USER; decisionRequest.domain = Domain.USER;
decisionRequest.action = Action.CREATE; decisionRequest.action = Action.CREATE;
decisionRequest.context = [new ContextItem('context1', 'value1')]; decisionRequest.context = [new ContextItem('context1', 'value1')];
expect( expect(
decisionUseCase.execute( decisionUseCase.execute(
new DecisionQuery( new DecisionQuery(
decisionRequest.uuid,
decisionRequest.domain, decisionRequest.domain,
decisionRequest.action, decisionRequest.action,
decisionRequest.context, decisionRequest.context,

9
src/modules/authorization/tests/unit/opa.decision-maker.spec.ts
View File

@ -71,28 +71,25 @@ describe('OpaDecisionMaker', () => {
describe('execute', () => { describe('execute', () => {
it('should return a truthy authorization', async () => { it('should return a truthy authorization', async () => {
const authorization = await opaDecisionMaker.decide( const authorization = await opaDecisionMaker.decide(
'bb281075-1b98-4456-89d6-c643d3044a91',
Domain.USER, Domain.USER,
Action.READ, Action.READ,
[], [{ name: 'uuid', value: 'bb281075-1b98-4456-89d6-c643d3044a91' }],
); );
expect(authorization.allow).toBeTruthy(); expect(authorization.allow).toBeTruthy();
}); });
it('should return a falsy authorization', async () => { it('should return a falsy authorization', async () => {
const authorization = await opaDecisionMaker.decide( const authorization = await opaDecisionMaker.decide(
'bb281075-1b98-4456-89d6-c643d3044a91',
Domain.USER, Domain.USER,
Action.READ, Action.READ,
[], [{ name: 'uuid', value: 'bb281075-1b98-4456-89d6-c643d3044a91' }],
); );
expect(authorization.allow).toBeFalsy(); expect(authorization.allow).toBeFalsy();
}); });
it('should return a falsy authorization when an error happens', async () => { it('should return a falsy authorization when an error happens', async () => {
const authorization = await opaDecisionMaker.decide( const authorization = await opaDecisionMaker.decide(
'bb281075-1b98-4456-89d6-c643d3044a91',
Domain.USER, Domain.USER,
Action.READ, Action.READ,
[], [{ name: 'uuid', value: 'bb281075-1b98-4456-89d6-c643d3044a91' }],
); );
expect(authorization.allow).toBeFalsy(); expect(authorization.allow).toBeFalsy();
}); });