Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add check user resource api #23

Merged
merged 1 commit into from
Jan 23, 2024
Merged

feat: add check user resource api #23

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ GOVERSION := $(shell go version | cut -d ' ' -f 3 | cut -d '.' -f 2)

.PHONY: build check fmt lint test test-race vet test-cover-html help install proto
.DEFAULT_GOAL := build
PROTON_COMMIT := "a1795affeb3f5a6bd8431234e7eb69df253a72c9"
PROTON_COMMIT := "cf2c230788bd298aa64c6e18dc79f0c0d1a9d076"

install:
@echo "Clean up imports..."
Expand Down
37 changes: 21 additions & 16 deletions buf.gen.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,20 +1,25 @@
---
version: "v1"
version: v1
plugins:
- remote: "buf.build/library/plugins/go:v1.27.1-1"
out: "proto"
opt: "paths=source_relative"
- remote: "buf.build/library/plugins/go-grpc:v1.1.0-2"
out: "proto"
opt: "paths=source_relative"
- remote: buf.build/jirkad/plugins/protoc-gen-validate:v0.6.7
- plugin: buf.build/protocolbuffers/go:v1.32.0
out: proto
opt: paths=source_relative
- plugin: buf.build/grpc/go:v1.3.0
out: proto
opt: paths=source_relative,require_unimplemented_servers=true
- plugin: buf.build/bufbuild/validate-go:v1.0.4
out: proto
opt: paths=source_relative
- plugin: buf.build/grpc-ecosystem/gateway:v2.19.0
out: proto
opt:
- paths=source_relative
- lang=go
- remote: "buf.build/grpc-ecosystem/plugins/grpc-gateway:v2.5.0-1"
out: "proto"
opt: "paths=source_relative"
- remote: "buf.build/grpc-ecosystem/plugins/openapiv2:v2.6.0-1"
out: "proto"
opt: "allow_merge=true"
- allow_repeated_fields_in_body=true
- plugin: buf.build/grpc-ecosystem/openapiv2:v2.19.0
out: proto
opt:
- allow_repeated_fields_in_body=true
- output_format=yaml
- allow_merge=true
- merge_file_name=siren
- openapi_naming_strategy=simple
- json_names_for_fields=false
24 changes: 24 additions & 0 deletions internal/api/v1beta1/permission_check.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,30 @@ type resourcePermissionResult struct {
allowed bool
}

func (h Handler) CheckResourceUserPermission(ctx context.Context, req *shieldv1beta1.CheckResourceUserPermissionRequest) (*shieldv1beta1.CheckResourceUserPermissionResponse, error) {
userCtx := user.SetContextWithEmail(ctx, req.GetId()) // id is e-mail here
resp, err := h.CheckResourcePermission(userCtx, &shieldv1beta1.CheckResourcePermissionRequest{
ResourcePermissions: req.GetResourcePermissions(),
})
if err != nil {
return nil, err
}

var permissionResponses []*shieldv1beta1.CheckResourceUserPermissionResponse_ResourcePermissionResponse
for _, permissionResp := range resp.GetResourcePermissions() {
permissionResponses = append(permissionResponses, &shieldv1beta1.CheckResourceUserPermissionResponse_ResourcePermissionResponse{
ObjectId: permissionResp.GetObjectId(),
ObjectNamespace: permissionResp.GetObjectNamespace(),
Permission: permissionResp.GetPermission(),
Allowed: permissionResp.GetAllowed(),
})
}

return &shieldv1beta1.CheckResourceUserPermissionResponse{
ResourcePermissions: permissionResponses,
}, nil
}

func (h Handler) CheckResourcePermission(ctx context.Context, req *shieldv1beta1.CheckResourcePermissionRequest) (*shieldv1beta1.CheckResourcePermissionResponse, error) {
logger := grpczap.Extract(ctx)
//if err := req.ValidateAll(); err != nil {
Expand Down
279 changes: 279 additions & 0 deletions internal/api/v1beta1/permission_check_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -255,3 +255,282 @@ func TestHandler_CheckResourcePermission(t *testing.T) {
})
}
}

func TestHandler_CheckResourceUserPermission(t *testing.T) {
var userEmail = "[email protected]"
tests := []struct {
name string
setup func(res *mocks.ResourceService)
request *shieldv1beta1.CheckResourceUserPermissionRequest
want *shieldv1beta1.CheckResourceUserPermissionResponse
wantErr error
}{
{
name: "Deprecated check single resource permission: should return internal error if relation service's CheckAuthz function returns some error",
setup: func(res *mocks.ResourceService) {
res.EXPECT().CheckAuthz(mock.AnythingOfType("*context.valueCtx"), resource.Resource{
Name: testRelationV2.Object.ID,
NamespaceID: testRelationV2.Object.NamespaceID,
}, action.Action{ID: schema.EditPermission}).Return(false, errors.New("some error"))
},
request: &shieldv1beta1.CheckResourceUserPermissionRequest{
Id: userEmail,
ResourcePermissions: []*shieldv1beta1.ResourcePermission{
{
ObjectId: testRelationV2.Object.ID,
ObjectNamespace: testRelationV2.Object.NamespaceID,
Permission: schema.EditPermission,
},
},
},
want: nil,
wantErr: grpcInternalServerError,
},
{
name: "Deprecated check single resource permission: should return true when CheckAuthz function returns true bool",
setup: func(res *mocks.ResourceService) {
res.EXPECT().CheckAuthz(mock.AnythingOfType("*context.valueCtx"), resource.Resource{
Name: testRelationV2.Object.ID,
NamespaceID: testRelationV2.Object.NamespaceID,
}, action.Action{ID: schema.EditPermission}).Return(true, nil)
},
request: &shieldv1beta1.CheckResourceUserPermissionRequest{
Id: userEmail,
ResourcePermissions: []*shieldv1beta1.ResourcePermission{
{
ObjectId: testRelationV2.Object.ID,
ObjectNamespace: testRelationV2.Object.NamespaceID,
Permission: schema.EditPermission,
},
},
},
want: &shieldv1beta1.CheckResourceUserPermissionResponse{
ResourcePermissions: []*shieldv1beta1.CheckResourceUserPermissionResponse_ResourcePermissionResponse{
{
ObjectId: testRelationV2.Object.ID,
ObjectNamespace: testRelationV2.Object.NamespaceID,
Permission: schema.EditPermission,
Allowed: true,
},
},
},
wantErr: nil,
},
{
name: "Deprecated check single resource permission: should return false when CheckAuthz function returns false bool",
setup: func(res *mocks.ResourceService) {
res.EXPECT().CheckAuthz(mock.AnythingOfType("*context.valueCtx"), resource.Resource{
Name: testRelationV2.Object.ID,
NamespaceID: testRelationV2.Object.NamespaceID,
}, action.Action{ID: schema.EditPermission}).Return(false, nil)
},
request: &shieldv1beta1.CheckResourceUserPermissionRequest{
Id: userEmail,
ResourcePermissions: []*shieldv1beta1.ResourcePermission{
{
ObjectId: testRelationV2.Object.ID,
ObjectNamespace: testRelationV2.Object.NamespaceID,
Permission: schema.EditPermission,
},
},
},
want: &shieldv1beta1.CheckResourceUserPermissionResponse{
ResourcePermissions: []*shieldv1beta1.CheckResourceUserPermissionResponse_ResourcePermissionResponse{
{
ObjectId: testRelationV2.Object.ID,
ObjectNamespace: testRelationV2.Object.NamespaceID,
Permission: schema.EditPermission,
Allowed: false,
},
},
},
wantErr: nil,
},
{
name: "Deprecated check single resource permission: should return unauthenticated error if relation service's CheckAuthz function returns auth error",
setup: func(res *mocks.ResourceService) {
res.EXPECT().CheckAuthz(mock.AnythingOfType("*context.valueCtx"), resource.Resource{
Name: testRelationV2.Object.ID,
NamespaceID: testRelationV2.Object.NamespaceID,
}, action.Action{ID: schema.EditPermission}).Return(false, user.ErrInvalidEmail)
},
request: &shieldv1beta1.CheckResourceUserPermissionRequest{
Id: userEmail,
ResourcePermissions: []*shieldv1beta1.ResourcePermission{
{
ObjectId: testRelationV2.Object.ID,
ObjectNamespace: testRelationV2.Object.NamespaceID,
Permission: schema.EditPermission,
},
},
},
want: nil,
wantErr: grpcUnauthenticated,
},
{
name: "should return internal error if relation service's CheckAuthz function returns some error",
setup: func(res *mocks.ResourceService) {
res.EXPECT().CheckAuthz(mock.AnythingOfType("*context.valueCtx"), resource.Resource{
Name: testRelationV2.Object.ID,
NamespaceID: testRelationV2.Object.NamespaceID,
}, action.Action{ID: schema.EditPermission}).Return(false, errors.New("some error"))
},
request: &shieldv1beta1.CheckResourceUserPermissionRequest{
Id: userEmail,
ResourcePermissions: []*shieldv1beta1.ResourcePermission{
{
ObjectId: testRelationV2.Object.ID,
ObjectNamespace: testRelationV2.Object.NamespaceID,
Permission: schema.EditPermission,
},
},
},
want: nil,
wantErr: grpcInternalServerError,
},
{
name: "should return unauthenticated error if relation service's CheckAuthz function returns auth error",
setup: func(res *mocks.ResourceService) {
res.EXPECT().CheckAuthz(mock.AnythingOfType("*context.valueCtx"), resource.Resource{
Name: testRelationV2.Object.ID,
NamespaceID: testRelationV2.Object.NamespaceID,
}, action.Action{ID: schema.EditPermission}).Return(false, user.ErrInvalidEmail)
},
request: &shieldv1beta1.CheckResourceUserPermissionRequest{
Id: userEmail,
ResourcePermissions: []*shieldv1beta1.ResourcePermission{
{
ObjectId: testRelationV2.Object.ID,
ObjectNamespace: testRelationV2.Object.NamespaceID,
Permission: schema.EditPermission,
},
},
},
want: nil,
wantErr: grpcUnauthenticated,
},
{
name: "should return validation error if the request has empty resource permission list",
setup: func(res *mocks.ResourceService) {
res.EXPECT().CheckAuthz(mock.AnythingOfType("*context.valueCtx"), resource.Resource{
Name: testRelationV2.Object.ID,
NamespaceID: testRelationV2.Object.NamespaceID,
}, action.Action{ID: schema.EditPermission}).Return(false, errors.New("some error"))
},
request: &shieldv1beta1.CheckResourceUserPermissionRequest{
Id: userEmail,
ResourcePermissions: []*shieldv1beta1.ResourcePermission{},
},
want: nil,
wantErr: fmt.Errorf("%s: %s", ErrRequestBodyValidation, "resource_permissions"),
},
{
name: "should return true when CheckAuthz function returns true bool",
setup: func(res *mocks.ResourceService) {
res.EXPECT().CheckAuthz(mock.AnythingOfType("*context.valueCtx"), resource.Resource{
Name: testRelationV2.Object.ID,
NamespaceID: testRelationV2.Object.NamespaceID,
}, action.Action{ID: schema.EditPermission}).Return(true, nil)
},
request: &shieldv1beta1.CheckResourceUserPermissionRequest{
Id: userEmail,
ResourcePermissions: []*shieldv1beta1.ResourcePermission{
{
ObjectId: testRelationV2.Object.ID,
ObjectNamespace: testRelationV2.Object.NamespaceID,
Permission: schema.EditPermission,
},
},
},
want: &shieldv1beta1.CheckResourceUserPermissionResponse{
ResourcePermissions: []*shieldv1beta1.CheckResourceUserPermissionResponse_ResourcePermissionResponse{
{
ObjectId: testRelationV2.Object.ID,
ObjectNamespace: testRelationV2.Object.NamespaceID,
Permission: schema.EditPermission,
Allowed: true,
},
},
},
wantErr: nil,
},
{
name: "should return false when CheckAuthz function returns false bool",
setup: func(res *mocks.ResourceService) {
res.EXPECT().CheckAuthz(mock.AnythingOfType("*context.valueCtx"), resource.Resource{
Name: testRelationV2.Object.ID,
NamespaceID: testRelationV2.Object.NamespaceID,
}, action.Action{ID: schema.EditPermission}).Return(false, nil)
},
request: &shieldv1beta1.CheckResourceUserPermissionRequest{
Id: userEmail,
ResourcePermissions: []*shieldv1beta1.ResourcePermission{
{
ObjectId: testRelationV2.Object.ID,
ObjectNamespace: testRelationV2.Object.NamespaceID,
Permission: schema.EditPermission,
},
},
},
want: &shieldv1beta1.CheckResourceUserPermissionResponse{
ResourcePermissions: []*shieldv1beta1.CheckResourceUserPermissionResponse_ResourcePermissionResponse{
{
ObjectId: testRelationV2.Object.ID,
ObjectNamespace: testRelationV2.Object.NamespaceID,
Permission: schema.EditPermission,
Allowed: false,
},
},
},
wantErr: nil,
},
{
name: "should return internal error if resource service's CheckAuthz returns some error even with multiple resource check failures",
setup: func(res *mocks.ResourceService) {
res.EXPECT().CheckAuthz(mock.AnythingOfType("*context.valueCtx"), resource.Resource{
Name: testRelationV2.Object.ID,
NamespaceID: testRelationV2.Object.NamespaceID,
}, action.Action{ID: schema.EditPermission}).Return(false, errors.New("some error"))
res.EXPECT().CheckAuthz(mock.AnythingOfType("*context.valueCtx"), resource.Resource{
Name: testRelationV2.Object.ID,
NamespaceID: testRelationV2.Object.NamespaceID,
}, action.Action{ID: schema.ViewPermission}).Return(false, errors.New("some error")).Twice()
},
request: &shieldv1beta1.CheckResourceUserPermissionRequest{
Id: userEmail,
ResourcePermissions: []*shieldv1beta1.ResourcePermission{
{
ObjectId: testRelationV2.Object.ID,
ObjectNamespace: testRelationV2.Object.NamespaceID,
Permission: schema.EditPermission,
},
{
ObjectId: testRelationV2.Object.ID,
ObjectNamespace: testRelationV2.Object.NamespaceID,
Permission: schema.ViewPermission,
},
{
ObjectId: testRelationV2.Object.ID,
ObjectNamespace: testRelationV2.Object.NamespaceID,
Permission: schema.ViewPermission,
},
},
},
want: nil,
wantErr: grpcInternalServerError,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
mockResourceSrv := new(mocks.ResourceService)
if tt.setup != nil {
tt.setup(mockResourceSrv)
}

mockDep := Handler{resourceService: mockResourceSrv, checkAPILimit: 5}
resp, err := mockDep.CheckResourceUserPermission(context.Background(), tt.request)
assert.EqualValues(t, tt.want, resp)
assert.EqualValues(t, tt.wantErr, err)
})
}
}
Loading
Loading