fix: change authorization for users

Signed-off-by: Rodney Osodo <socials@rodneyosodo.com>
absmach · Jun 15, 2024 · a9f2729 · a9f2729
1 parent e36bde7
commit a9f2729
Show file tree

Hide file tree

Showing 4 changed files with 79 additions and 50 deletions.
diff --git a/activitylog/service.go b/activitylog/service.go
@@ -37,20 +37,28 @@ func (svc *service) RetrieveAll(ctx context.Context, token string, page Page) (A
 }
 
 func (svc *service) authorize(ctx context.Context, token, entityID, entityType string) error {
+	user, err := svc.auth.Identify(ctx, &magistrala.IdentityReq{Token: token})
+	if err != nil {
+		return errors.Wrap(svcerr.ErrAuthentication, err)
+	}
+
 	permission := auth.ViewPermission
 	objectType := entityType
 	object := entityID
+	subject := user.GetId()
+
 	// If the entity is a user, we need to check if the user is an admin
 	if entityType == auth.UserType {
 		permission = auth.AdminPermission
 		objectType = auth.PlatformType
 		object = auth.MagistralaObject
+		subject = user.GetUserId()
 	}
 
 	req := &magistrala.AuthorizeReq{
 		SubjectType: auth.UserType,
-		SubjectKind: auth.TokenKind,
-		Subject:     token,
+		SubjectKind: auth.UsersKind,
+		Subject:     subject,
 		Permission:  permission,
 		ObjectType:  objectType,
 		Object:      object,

diff --git a/activitylog/service_test.go b/activitylog/service_test.go
@@ -82,14 +82,16 @@ func TestReadAll(t *testing.T) {
 	}
 
 	cases := []struct {
-		desc    string
-		token   string
-		page    activitylog.Page
-		resp    activitylog.ActivitiesPage
-		authRes *magistrala.AuthorizeRes
-		authErr error
-		repoErr error
-		err     error
+		desc        string
+		token       string
+		page        activitylog.Page
+		resp        activitylog.ActivitiesPage
+		identifyRes *magistrala.IdentityRes
+		identifyErr error
+		authRes     *magistrala.AuthorizeRes
+		authErr     error
+		repoErr     error
+		err         error
 	}{
 		{
 			desc:  "successful",
@@ -101,10 +103,11 @@ func TestReadAll(t *testing.T) {
 				Limit:      10,
 				Activities: []activitylog.Activity{validActivity},
 			},
-			authRes: &magistrala.AuthorizeRes{Authorized: true},
-			authErr: nil,
-			repoErr: nil,
-			err:     nil,
+			identifyRes: &magistrala.IdentityRes{Id: testsutil.GenerateUUID(t), UserId: testsutil.GenerateUUID(t)},
+			authRes:     &magistrala.AuthorizeRes{Authorized: true},
+			authErr:     nil,
+			repoErr:     nil,
+			err:         nil,
 		},
 		{
 			desc:  "successful for user",
@@ -121,48 +124,61 @@ func TestReadAll(t *testing.T) {
 				Limit:      10,
 				Activities: []activitylog.Activity{validActivity},
 			},
-			authRes: &magistrala.AuthorizeRes{Authorized: true},
-			authErr: nil,
-			repoErr: nil,
-			err:     nil,
+			identifyRes: &magistrala.IdentityRes{Id: testsutil.GenerateUUID(t), UserId: testsutil.GenerateUUID(t)},
+			authRes:     &magistrala.AuthorizeRes{Authorized: true},
+			authErr:     nil,
+			repoErr:     nil,
+			err:         nil,
 		},
 		{
-			desc:    "with repo error",
-			token:   validToken,
-			page:    validPage,
-			resp:    activitylog.ActivitiesPage{},
-			authRes: &magistrala.AuthorizeRes{Authorized: true},
-			repoErr: repoerr.ErrViewEntity,
-			err:     repoerr.ErrViewEntity,
+			desc:        "with identify error",
+			token:       validToken,
+			page:        validPage,
+			resp:        activitylog.ActivitiesPage{},
+			identifyRes: &magistrala.IdentityRes{},
+			identifyErr: svcerr.ErrAuthentication,
+			err:         svcerr.ErrAuthentication,
+		},
+		{
+			desc:        "with repo error",
+			token:       validToken,
+			page:        validPage,
+			resp:        activitylog.ActivitiesPage{},
+			identifyRes: &magistrala.IdentityRes{Id: testsutil.GenerateUUID(t), UserId: testsutil.GenerateUUID(t)},
+			authRes:     &magistrala.AuthorizeRes{Authorized: true},
+			repoErr:     repoerr.ErrViewEntity,
+			err:         repoerr.ErrViewEntity,
 		},
 		{
-			desc:    "with failed to authorize",
-			token:   validToken,
-			page:    validPage,
-			resp:    activitylog.ActivitiesPage{},
-			authRes: &magistrala.AuthorizeRes{Authorized: false},
-			authErr: nil,
-			repoErr: nil,
-			err:     svcerr.ErrAuthorization,
+			desc:        "with failed to authorize",
+			token:       validToken,
+			page:        validPage,
+			resp:        activitylog.ActivitiesPage{},
+			identifyRes: &magistrala.IdentityRes{Id: testsutil.GenerateUUID(t), UserId: testsutil.GenerateUUID(t)},
+			authRes:     &magistrala.AuthorizeRes{Authorized: false},
+			authErr:     nil,
+			repoErr:     nil,
+			err:         svcerr.ErrAuthorization,
 		},
 		{
-			desc:    "with error on authorize",
-			token:   validToken,
-			page:    validPage,
-			resp:    activitylog.ActivitiesPage{},
-			authRes: &magistrala.AuthorizeRes{Authorized: true},
-			authErr: svcerr.ErrAuthorization,
-			repoErr: nil,
-			err:     svcerr.ErrAuthorization,
+			desc:        "with error on authorize",
+			token:       validToken,
+			page:        validPage,
+			resp:        activitylog.ActivitiesPage{},
+			identifyRes: &magistrala.IdentityRes{Id: testsutil.GenerateUUID(t), UserId: testsutil.GenerateUUID(t)},
+			authRes:     &magistrala.AuthorizeRes{Authorized: true},
+			authErr:     svcerr.ErrAuthorization,
+			repoErr:     nil,
+			err:         svcerr.ErrAuthorization,
 		},
 	}
 
 	for _, tc := range cases {
 		t.Run(tc.desc, func(t *testing.T) {
 			authReq := &magistrala.AuthorizeReq{
 				SubjectType: auth.UserType,
-				SubjectKind: auth.TokenKind,
-				Subject:     tc.token,
+				SubjectKind: auth.UsersKind,
+				Subject:     tc.identifyRes.GetId(),
 				ObjectType:  tc.page.EntityType.AuthString(),
 				Object:      tc.page.EntityID,
 				Permission:  auth.ViewPermission,
@@ -171,8 +187,10 @@ func TestReadAll(t *testing.T) {
 				authReq.Permission = auth.AdminPermission
 				authReq.ObjectType = auth.PlatformType
 				authReq.Object = auth.MagistralaObject
+				authReq.Subject = tc.identifyRes.GetUserId()
 			}
-			authCall := authsvc.On("Authorize", context.Background(), authReq).Return(tc.authRes, tc.authErr)
+			authCall := authsvc.On("Identify", context.Background(), &magistrala.IdentityReq{Token: tc.token}).Return(tc.identifyRes, tc.identifyErr)
+			authCall1 := authsvc.On("Authorize", context.Background(), authReq).Return(tc.authRes, tc.authErr)
 			repoCall := repo.On("RetrieveAll", context.Background(), tc.page).Return(tc.resp, tc.repoErr)
 			resp, err := svc.RetrieveAll(context.Background(), tc.token, tc.page)
 			if tc.err == nil {
@@ -181,6 +199,7 @@ func TestReadAll(t *testing.T) {
 			assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
 			repoCall.Unset()
 			authCall.Unset()
+			authCall1.Unset()
 		})
 	}
 }
diff --git a/api/openapi/notifiers.yml b/api/openapi/notifiers.yml
@@ -43,6 +43,8 @@ paths:
           $ref: "#/components/responses/Create"
         "400":
           description: Failed due to malformed JSON.
+        "401":
+          description: Missing or invalid access token provided.          
         "403":
           description: Failed to perform authorization over the entity.
         "409":

diff --git a/pkg/sdk/mocks/sdk.go b/pkg/sdk/mocks/sdk.go