feat: Add authorizer struct

canonical · Nov 27, 2023 · c6170a2 · c6170a2
1 parent 8628fa6
commit c6170a2
Show file tree

Hide file tree

Showing 4 changed files with 133 additions and 0 deletions.
diff --git a/internal/authorization/auth_model.go b/internal/authorization/auth_model.go
diff --git a/internal/authorization/authorization.go b/internal/authorization/authorization.go
@@ -0,0 +1,93 @@
+package authorization
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+
+	"github.com/canonical/identity-platform-login-ui/internal/logging"
+	"github.com/canonical/identity-platform-login-ui/internal/monitoring"
+	fga "github.com/openfga/go-sdk"
+	"go.opentelemetry.io/otel/trace"
+)
+
+var ErrInvalidAuthModel = fmt.Errorf("Invalid authorization model schema")
+
+type Authorizer struct {
+	Client AuthzClientInterface
+
+	tracer  trace.Tracer
+	monitor monitoring.MonitorInterface
+	logger  logging.LoggerInterface
+}
+
+func (a *Authorizer) Check(ctx context.Context, user string, relation string, object string) (bool, error) {
+	ctx, span := a.tracer.Start(ctx, "authorization.Authorizer.Check")
+	defer span.End()
+
+	return a.Client.Check(ctx, user, relation, object)
+}
+
+func (a *Authorizer) ListObjects(ctx context.Context, user string, relation string, objectType string) ([]string, error) {
+	ctx, span := a.tracer.Start(ctx, "authorization.Authorizer.ListObjects")
+	defer span.End()
+
+	return a.Client.ListObjects(ctx, user, relation, objectType)
+}
+
+func (a *Authorizer) FilterObjects(ctx context.Context, user string, relation string, objectType string, objs []string) ([]string, error) {
+	ctx, span := a.tracer.Start(ctx, "authorization.Authorizer.FilterObjects")
+	defer span.End()
+
+	allowedObjs, err := a.ListObjects(ctx, user, relation, objectType)
+	if err != nil {
+		return nil, err
+	}
+
+	var ret []string
+	for _, obj := range allowedObjs {
+		if contains(objs, obj) {
+			ret = append(ret, obj)
+		}
+	}
+	return ret, nil
+}
+
+func (a *Authorizer) ValidateModel(ctx context.Context) error {
+	ctx, span := a.tracer.Start(ctx, "authorization.Authorizer.ValidateModel")
+	defer span.End()
+
+	var builtinAuthorizationModel fga.AuthorizationModel
+	err := json.Unmarshal([]byte(authModel), &builtinAuthorizationModel)
+	if err != nil {
+		return err
+	}
+
+	eq, err := a.Client.CompareModel(ctx, builtinAuthorizationModel)
+	if err != nil {
+		return err
+	}
+	if !eq {
+		return ErrInvalidAuthModel
+	}
+	return nil
+}
+
+func NewAuthorizer(client AuthzClientInterface, tracer trace.Tracer, monitor monitoring.MonitorInterface, logger logging.LoggerInterface) *Authorizer {
+	authorizer := new(Authorizer)
+	authorizer.Client = client
+	authorizer.tracer = tracer
+	authorizer.monitor = monitor
+	authorizer.logger = logger
+
+	return authorizer
+}
+
+func contains(s []string, e string) bool {
+	for _, a := range s {
+		if a == e {
+			return true
+		}
+	}
+	return false
+}
diff --git a/internal/authorization/interfaces.go b/internal/authorization/interfaces.go
@@ -0,0 +1,21 @@
+package authorization
+
+import (
+	"context"
+
+	fga "github.com/openfga/go-sdk"
+)
+
+type AuthorizerInterface interface {
+	ListObjects(context.Context, string, string, string) ([]string, error)
+	Check(context.Context, string, string, string) (bool, error)
+	FilterObjects(context.Context, string, string, string, []string) ([]string, error)
+	ValidateModel(context.Context) error
+}
+
+type AuthzClientInterface interface {
+	ListObjects(context.Context, string, string, string) ([]string, error)
+	Check(context.Context, string, string, string) (bool, error)
+	ReadModel(context.Context) (*fga.AuthorizationModel, error)
+	CompareModel(context.Context, fga.AuthorizationModel) (bool, error)
+}
diff --git a/internal/authorization/schema.openfga b/internal/authorization/schema.openfga
@@ -0,0 +1,14 @@
+model
+  schema 1.1
+type user
+type app
+type group
+  relations
+    define member: [user, group#member]
+type app_group
+  relations
+    define member: [app, app_group#member]
+type provider
+  relations
+    define member: [user]
+    define allowed_access: [app, app_group#member]