package api
import (
"time"
)
// TYPE DEFINITIONS
// Resource is the interface every resource type has to implement.
type Resource interface {
	// GetUrn returns the resource URN that identifies this resource.
	GetUrn() string
}
// UserGroupRelation describes a membership relation between a User and a Group.
type UserGroupRelation interface {
	// GetUser returns the user side of the relation.
	GetUser() *User
	// GetGroup returns the group side of the relation.
	GetGroup() *Group
	// GetDate returns the timestamp stored with the relation.
	GetDate() time.Time
}
// PolicyGroupRelation describes an attachment relation between a Policy and a Group.
type PolicyGroupRelation interface {
	// GetGroup returns the group side of the relation.
	GetGroup() *Group
	// GetPolicy returns the policy side of the relation.
	GetPolicy() *Policy
	// GetDate returns the timestamp stored with the relation.
	GetDate() time.Time
}
// WorkerAPI implements the API interfaces of this package on top of the
// repository interfaces; each field is the persistence backend for one
// resource family.
type WorkerAPI struct {
	UserRepo     UserRepo
	GroupRepo    GroupRepo
	PolicyRepo   PolicyRepo
	ProxyRepo    ProxyRepo
	AuthOidcRepo AuthOidcRepo
}
// ProxyAPI implements the proxy-side API interfaces using only the proxy
// resource repository.
type ProxyAPI struct {
	ProxyRepo ProxyRepo
}
// Filter carries the optional search criteria, pagination and sorting that
// the List*/Get*Filtered operations accept. Unset string fields are treated as
// "no filter" by the callers described on the API interfaces.
type Filter struct {
	PathPrefix        string
	Org               string
	ExternalID        string
	PolicyName        string
	GroupName         string
	ProxyResourceName string
	AuthProviderName  string
	// Pagination
	Offset int
	Limit  int
	// Sorting
	// OrderBy is caller-supplied. NOTE(review): the repositories expose
	// OrderByValidColumns, presumably so this value is checked against an
	// allow-list before it is used to build a query — confirm in the
	// repository implementations.
	OrderBy string
}
// API INTERFACES WITH AUTHORIZATION
// UserAPI is the authorized API for managing users. Every method receives the
// RequestInfo of the caller on whose behalf the operation is performed.
type UserAPI interface {
	// AddUser stores a new user. It returns an error when the parameters are
	// invalid, the user already exists or an unexpected error happens.
	AddUser(requestInfo RequestInfo, externalId string, path string) (*User, error)
	// GetUserByExternalID retrieves a user. It returns an error when the
	// parameter is invalid, the user doesn't exist or an unexpected error happens.
	GetUserByExternalID(requestInfo RequestInfo, externalId string) (*User, error)
	// ListUsers retrieves user identifiers filtered by filter.PathPrefix
	// (optional). It returns an error if the prefix is invalid or an unexpected
	// error happens.
	ListUsers(requestInfo RequestInfo, filter *Filter) ([]string, int, error)
	// UpdateUser stores a new path for the user. It returns an error if the
	// input parameters are invalid, the user doesn't exist or an unexpected
	// error happens.
	UpdateUser(requestInfo RequestInfo, externalId string, newPath string) (*User, error)
	// RemoveUser removes the user together with its group relationships.
	// It returns an error if externalId is invalid, the user doesn't exist or
	// an unexpected error happens.
	RemoveUser(requestInfo RequestInfo, externalId string) error
	// ListGroupsByUser retrieves the groups the user belongs to. It returns an
	// error if the external id is invalid, the user doesn't exist or an
	// unexpected error happens.
	ListGroupsByUser(requestInfo RequestInfo, filter *Filter) ([]UserGroups, int, error)
}
// GroupAPI is the authorized API for managing groups, their members and their
// attached policies. Every method receives the RequestInfo of the caller.
type GroupAPI interface {
	// AddGroup stores a new group. It returns an error when the input
	// parameters are invalid, the group already exists or an unexpected error
	// happens.
	AddGroup(requestInfo RequestInfo, org string, name string, path string) (*Group, error)
	// GetGroupByName retrieves a group. It returns an error when the input
	// parameters are invalid, the group doesn't exist or an unexpected error
	// happens.
	GetGroupByName(requestInfo RequestInfo, org string, name string) (*Group, error)
	// ListGroups retrieves group identifiers filtered by the optional
	// filter.Org and filter.PathPrefix. It returns an error if the input
	// parameters are invalid or an unexpected error happens.
	ListGroups(requestInfo RequestInfo, filter *Filter) ([]GroupIdentity, int, error)
	// UpdateGroup stores a new name and path for the group. It returns an
	// error if the input parameters are invalid, the group to update doesn't
	// exist, the target group already exists or an unexpected error happens.
	UpdateGroup(requestInfo RequestInfo, org string, groupName string, newName string, newPath string) (*Group, error)
	// RemoveGroup removes the group together with its user and policy
	// relationships. It returns an error if the input parameters are invalid,
	// the group doesn't exist or an unexpected error happens.
	RemoveGroup(requestInfo RequestInfo, org string, name string) error
	// AddMember adds a user to a group. It returns an error if the input
	// parameters are invalid, the user or group doesn't exist, the user is
	// already a member or an unexpected error happens.
	AddMember(requestInfo RequestInfo, externalId string, groupName string, org string) error
	// RemoveMember removes a user from a group. It returns an error if the
	// input parameters are invalid, the user or group doesn't exist, the user
	// isn't a member or an unexpected error happens.
	RemoveMember(requestInfo RequestInfo, externalId string, groupName string, org string) error
	// ListMembers lists the user identifiers that belong to the group. It
	// returns an error if the input parameters are invalid, the group doesn't
	// exist or an unexpected error happens.
	ListMembers(requestInfo RequestInfo, filter *Filter) ([]GroupMembers, int, error)
	// AttachPolicyToGroup attaches a policy to a group. It returns an error if
	// the input parameters are invalid, the policy or group doesn't exist, the
	// policy is already attached or an unexpected error happens.
	AttachPolicyToGroup(requestInfo RequestInfo, org string, groupName string, policyName string) error
	// DetachPolicyToGroup detaches a policy from a group. It returns an error
	// if the input parameters are invalid, the policy or group doesn't exist,
	// the policy isn't attached or an unexpected error happens.
	DetachPolicyToGroup(requestInfo RequestInfo, org string, groupName string, policyName string) error
	// ListAttachedGroupPolicies retrieves the policies attached to the group.
	// It returns an error if the input parameters are invalid, the group
	// doesn't exist or an unexpected error happens.
	ListAttachedGroupPolicies(requestInfo RequestInfo, filter *Filter) ([]GroupPolicies, int, error)
}
// PolicyAPI is the authorized API for managing policies and their statements.
// Every method receives the RequestInfo of the caller.
type PolicyAPI interface {
	// AddPolicy stores a new policy with its statements. It returns an error
	// when the input parameters are invalid, the policy already exists or an
	// unexpected error happens.
	AddPolicy(requestInfo RequestInfo, name string, path string, org string, statements []Statement) (*Policy, error)
	// GetPolicyByName retrieves a policy. It returns an error when the input
	// parameters are invalid, the policy doesn't exist or an unexpected error
	// happens.
	GetPolicyByName(requestInfo RequestInfo, org string, name string) (*Policy, error)
	// ListPolicies retrieves policy identifiers filtered by the optional
	// filter.Org and filter.PathPrefix. It returns an error if the input
	// parameters are invalid or an unexpected error happens.
	ListPolicies(requestInfo RequestInfo, filter *Filter) ([]PolicyIdentity, int, error)
	// UpdatePolicy stores a new name, path and statements for the policy; the
	// previous statements are replaced. It returns an error if the input
	// parameters are invalid, the policy to update doesn't exist, the target
	// policy already exists or an unexpected error happens.
	UpdatePolicy(requestInfo RequestInfo, org string, name string, newName string, newPath string,
		newStatements []Statement) (*Policy, error)
	// RemovePolicy removes the policy together with its group relationships.
	// It returns an error if the input parameters are invalid, the policy
	// doesn't exist or an unexpected error happens.
	RemovePolicy(requestInfo RequestInfo, org string, name string) error
	// ListAttachedGroups retrieves the groups the policy is attached to. It
	// returns an error if the input parameters are invalid, the policy doesn't
	// exist or an unexpected error happens.
	ListAttachedGroups(requestInfo RequestInfo, filter *Filter) ([]PolicyGroups, int, error)
}
// AuthzAPI narrows candidate resource lists down to the ones the caller
// identified by requestInfo is authorized to perform action on. Each method
// returns an error if requestInfo doesn't exist, the caller has access to none
// of the resources, or an unexpected error happens.
type AuthzAPI interface {
	// GetAuthorizedUsers returns the subset of users the caller is authorized
	// for, judged against resourceUrn and action.
	GetAuthorizedUsers(requestInfo RequestInfo, resourceUrn string, action string, users []User) ([]User, error)
	// GetAuthorizedGroups returns the subset of groups the caller is
	// authorized for, judged against resourceUrn and action.
	GetAuthorizedGroups(requestInfo RequestInfo, resourceUrn string, action string, groups []Group) ([]Group, error)
	// GetAuthorizedPolicies returns the subset of policies the caller is
	// authorized for, judged against resourceUrn and action.
	GetAuthorizedPolicies(requestInfo RequestInfo, resourceUrn string, action string, policies []Policy) ([]Policy, error)
	// GetAuthorizedProxyResources returns the subset of proxyResources the
	// caller is authorized for, judged against resourceUrn and action.
	GetAuthorizedProxyResources(requestInfo RequestInfo, resourceUrn string, action string, proxyResources []ProxyResource) ([]ProxyResource, error)
	// GetAuthorizedExternalResources returns the subset of the external
	// resource identifiers in resources the caller is authorized to perform
	// action on.
	GetAuthorizedExternalResources(requestInfo RequestInfo, action string, resources []string) ([]string, error)
}
// InternalProxyAPI exposes proxy resources to the proxy itself. Unlike the
// interfaces above it takes no RequestInfo, so no per-caller authorization is
// applied at this layer; it is meant for internal use only.
type InternalProxyAPI interface {
	// GetProxyResources retrieves the list of proxy resources.
	GetProxyResources() ([]ProxyResource, error)
}
// ProxyResourcesAPI is the authorized API for managing proxy resources.
// Every method receives the RequestInfo of the caller.
type ProxyResourcesAPI interface {
	// AddProxyResource stores a new proxy resource. It returns an error when
	// the input parameters are invalid, the proxy resource already exists or
	// an unexpected error happens.
	AddProxyResource(requestInfo RequestInfo, name string, org string, path string, resource ResourceEntity) (*ProxyResource, error)
	// GetProxyResourceByName retrieves a proxy resource. It returns an error
	// when the input parameters are invalid, the proxy resource doesn't exist
	// or an unexpected error happens.
	GetProxyResourceByName(requestInfo RequestInfo, org string, name string) (*ProxyResource, error)
	// ListProxyResources retrieves proxy resource identifiers matching filter.
	ListProxyResources(requestInfo RequestInfo, filter *Filter) ([]ProxyResourceIdentity, int, error)
	// UpdateProxyResource stores a new name, path and resource for the proxy
	// resource; the previous resource is replaced. It returns an error if the
	// input parameters are invalid, the proxy resource to update doesn't
	// exist, the target proxy resource already exists or an unexpected error
	// happens.
	UpdateProxyResource(requestInfo RequestInfo, org string, name string, newName string, newPath string,
		newResource ResourceEntity) (*ProxyResource, error)
	// RemoveProxyResource removes the proxy resource. It returns an error if
	// the input parameters are invalid, the proxy resource doesn't exist or an
	// unexpected error happens.
	RemoveProxyResource(requestInfo RequestInfo, org string, name string) error
}
// AuthOidcAPI is the authorized API for managing OIDC providers and the client
// identifiers registered with them. Every method receives the RequestInfo of
// the caller.
type AuthOidcAPI interface {
	// AddOidcProvider stores a new OIDC provider. It returns an error when the
	// parameters are invalid, the provider already exists or an unexpected
	// error happens.
	AddOidcProvider(requestInfo RequestInfo, name string, path string, issuerURL string, oidcClients []string) (*OidcProvider, error)
	// GetOidcProviderByName retrieves an OIDC provider. It returns an error
	// when the parameter is invalid, the provider doesn't exist or an
	// unexpected error happens.
	GetOidcProviderByName(requestInfo RequestInfo, name string) (*OidcProvider, error)
	// ListOidcProviders retrieves provider names filtered by filter.PathPrefix
	// (optional). It returns an error if the prefix is invalid or an
	// unexpected error happens.
	ListOidcProviders(requestInfo RequestInfo, filter *Filter) ([]string, int, error)
	// UpdateOidcProvider stores a new name, path, issuer URL and client list
	// for the provider. It returns an error if the input parameters are
	// invalid, the provider doesn't exist or an unexpected error happens.
	UpdateOidcProvider(requestInfo RequestInfo, oidcProviderName string, newName string, newPath string, newIssuerUrl string,
		newClients []string) (*OidcProvider, error)
	// RemoveOidcProvider removes the provider together with its client
	// relationships. It returns an error if name is invalid, the provider
	// doesn't exist or an unexpected error happens.
	RemoveOidcProvider(requestInfo RequestInfo, name string) error
}
// REPOSITORY INTERFACES
// UserRepo is the persistence layer for users. It performs no authorization
// and no existence checks beyond what the database enforces; those belong to
// the API layer above.
type UserRepo interface {
	// AddUser stores the user and returns the stored record.
	AddUser(user User) (*User, error)
	// GetUserByExternalID retrieves the user with the given external id, or
	// returns an error if it doesn't exist.
	GetUserByExternalID(id string) (*User, error)
	// GetUsersFiltered retrieves users matching the optional filter.PathPrefix
	// together with the total count. It returns an error on database problems.
	GetUsersFiltered(filter *Filter) ([]User, int, error)
	// UpdateUser stores the new fields of user. It returns an error if the
	// database restrictions are not satisfied or an unexpected error happens.
	UpdateUser(user User) (*User, error)
	// RemoveUser removes the user and its group relationships. It returns an
	// error if there are problems during the transaction.
	RemoveUser(id string) error
	// GetGroupsByUserID retrieves the group relations of the user together
	// with the total count. It returns an error on database problems.
	GetGroupsByUserID(id string, filter *Filter) ([]UserGroupRelation, int, error)
	// OrderByValidColumns returns the column names accepted in Filter.OrderBy
	// for the given action. NOTE(review): presumably the allow-list a
	// caller-supplied OrderBy is checked against before it reaches a query —
	// confirm in the implementation.
	OrderByValidColumns(action string) []string
}
// GroupRepo is the persistence layer for groups, memberships and policy
// attachments. The relation methods do not verify that the referenced user,
// group or policy exists; the API layer above is responsible for that.
type GroupRepo interface {
	// AddGroup stores the group and returns the stored record.
	AddGroup(group Group) (*Group, error)
	// GetGroupByName retrieves the group identified by org and name, or
	// returns an error if it doesn't exist.
	GetGroupByName(org string, name string) (*Group, error)
	// GetGroupsFiltered retrieves groups matching the optional filter.Org and
	// filter.PathPrefix together with the total count. It returns an error on
	// database problems.
	GetGroupsFiltered(filter *Filter) ([]Group, int, error)
	// UpdateGroup stores the new fields of group. It returns an error on
	// database problems.
	UpdateGroup(group Group) (*Group, error)
	// RemoveGroup removes the group and its user and policy relationships. It
	// returns an error if there are problems during the transaction.
	RemoveGroup(groupID string) error
	// AddMember records userID as a member of groupID. It does not check that
	// either exists; it returns an error on database problems.
	AddMember(userID string, groupID string) error
	// RemoveMember deletes the membership of userID in groupID. It does not
	// check that either exists; it returns an error on database problems.
	RemoveMember(userID string, groupID string) error
	// IsMemberOfGroup reports whether at least one membership relation exists
	// between userID and groupID. It returns an error on database problems.
	IsMemberOfGroup(userID string, groupID string) (bool, error)
	// GetGroupMembers retrieves the membership relations of the group together
	// with the total count. It returns an error on database problems.
	GetGroupMembers(groupID string, filter *Filter) ([]UserGroupRelation, int, error)
	// AttachPolicy records policyID as attached to groupID. It does not check
	// that either exists; it returns an error on database problems.
	AttachPolicy(groupID string, policyID string) error
	// DetachPolicy deletes the attachment of policyID to groupID. It does not
	// check that either exists; it returns an error on database problems.
	DetachPolicy(groupID string, policyID string) error
	// IsAttachedToGroup reports whether at least one attachment relation
	// exists between groupID and policyID. It returns an error on database
	// problems.
	IsAttachedToGroup(groupID string, policyID string) (bool, error)
	// GetAttachedPolicies retrieves the policy attachments of the group
	// together with the total count. It returns an error on database problems.
	GetAttachedPolicies(groupID string, filter *Filter) ([]PolicyGroupRelation, int, error)
	// OrderByValidColumns returns the column names accepted in Filter.OrderBy
	// for the given action. NOTE(review): presumably the allow-list a
	// caller-supplied OrderBy is checked against before it reaches a query —
	// confirm in the implementation.
	OrderByValidColumns(action string) []string
}
// PolicyRepo is the persistence layer for policies and their statements. It
// performs no authorization; that belongs to the API layer above.
type PolicyRepo interface {
	// AddPolicy stores the policy and returns the stored record.
	AddPolicy(policy Policy) (*Policy, error)
	// GetPolicyByName retrieves the policy identified by org and name, or
	// returns an error if it doesn't exist.
	GetPolicyByName(org string, name string) (*Policy, error)
	// GetPoliciesFiltered retrieves policies matching the optional filter.Org
	// and filter.PathPrefix together with the total count. It returns an
	// error on database problems.
	GetPoliciesFiltered(filter *Filter) ([]Policy, int, error)
	// UpdatePolicy stores the new fields of policy and replaces its
	// statements when it carries any. It returns an error on database
	// problems.
	UpdatePolicy(policy Policy) (*Policy, error)
	// RemovePolicy removes the policy and its group relationships. It returns
	// an error if there are problems during the transaction.
	RemovePolicy(id string) error
	// GetAttachedGroups retrieves the group attachments of the policy together
	// with the total count. It returns an error on database problems.
	GetAttachedGroups(policyID string, filter *Filter) ([]PolicyGroupRelation, int, error)
	// OrderByValidColumns returns the column names accepted in Filter.OrderBy
	// for the given action. NOTE(review): presumably the allow-list a
	// caller-supplied OrderBy is checked against before it reaches a query —
	// confirm in the implementation.
	OrderByValidColumns(action string) []string
}
// ProxyRepo is the persistence layer for proxy resources. It performs no
// authorization; that belongs to the API layer above.
type ProxyRepo interface {
	// GetProxyResources retrieves proxy resources matching filter together
	// with the total count. It returns an error on database problems.
	GetProxyResources(filter *Filter) ([]ProxyResource, int, error)
	// GetProxyResourceByName retrieves the proxy resource identified by org
	// and name, or returns an error if it doesn't exist.
	GetProxyResourceByName(org string, name string) (*ProxyResource, error)
	// AddProxyResource stores the proxy resource and returns the stored
	// record.
	AddProxyResource(proxyResource ProxyResource) (*ProxyResource, error)
	// UpdateProxyResource stores the new fields of proxyResource, replacing
	// the embedded resource. It returns an error on database problems.
	UpdateProxyResource(proxyResource ProxyResource) (*ProxyResource, error)
	// RemoveProxyResource removes the proxy resource. It returns an error if
	// there are problems during the transaction.
	RemoveProxyResource(proxyResourceID string) error
	// OrderByValidColumns returns the column names accepted in Filter.OrderBy
	// for the given action. NOTE(review): presumably the allow-list a
	// caller-supplied OrderBy is checked against before it reaches a query —
	// confirm in the implementation.
	OrderByValidColumns(action string) []string
}
// AuthOidcRepo is the persistence layer for OIDC providers and their clients.
// It performs no authorization; that belongs to the API layer above.
type AuthOidcRepo interface {
	// AddOidcProvider stores the provider and returns the stored record.
	AddOidcProvider(oidcProvider OidcProvider) (*OidcProvider, error)
	// GetOidcProviderByName retrieves the provider with the given name, or
	// returns an error if it doesn't exist.
	GetOidcProviderByName(name string) (*OidcProvider, error)
	// GetOidcProvidersFiltered retrieves providers matching the optional
	// filter.PathPrefix together with the total count. It returns an error on
	// database problems.
	GetOidcProvidersFiltered(filter *Filter) ([]OidcProvider, int, error)
	// UpdateOidcProvider stores the new fields of oidcProvider. It returns an
	// error on database problems.
	UpdateOidcProvider(oidcProvider OidcProvider) (*OidcProvider, error)
	// RemoveOidcProvider removes the provider and its OIDC clients. It
	// returns an error if there are problems during the transaction.
	RemoveOidcProvider(id string) error
	// OrderByValidColumns returns the column names accepted in Filter.OrderBy
	// for the given action. NOTE(review): presumably the allow-list a
	// caller-supplied OrderBy is checked against before it reaches a query —
	// confirm in the implementation.
	OrderByValidColumns(action string) []string
}