From 24ff158d46622fd38d80aaccf248995081c004eb Mon Sep 17 00:00:00 2001 From: Salaton Date: Fri, 27 Jan 2023 10:03:15 +0300 Subject: [PATCH] chore: purge casbin authorization implementation --- .../authorization/authentication.go | 77 ------- .../authorization/data/rbac_policy.csv | 105 --------- .../application/authorization/permission.go | 209 ------------------ .../application/authorization/rbac_model.conf | 14 -- .../infrastructure/mock/repository_mock.go | 82 ------- 5 files changed, 487 deletions(-) delete mode 100644 pkg/clinical/application/authorization/authentication.go delete mode 100644 pkg/clinical/application/authorization/data/rbac_policy.csv delete mode 100644 pkg/clinical/application/authorization/permission.go delete mode 100644 pkg/clinical/application/authorization/rbac_model.conf delete mode 100644 pkg/clinical/infrastructure/mock/repository_mock.go diff --git a/pkg/clinical/application/authorization/authentication.go b/pkg/clinical/application/authorization/authentication.go deleted file mode 100644 index 3ae5c783..00000000 --- a/pkg/clinical/application/authorization/authentication.go +++ /dev/null @@ -1,77 +0,0 @@ -package authentication - -import ( - "fmt" - "log" - "path/filepath" - "runtime" - - "github.com/casbin/casbin/v2" - "github.com/savannahghi/converterandformatter" - "github.com/savannahghi/profileutils" -) - -var ( - enforcer *casbin.Enforcer -) - -// this function helps to initialize the global variable `enforcer` that cannot be initialized in the global context. - -func init() { - initEnforcer() -} - -func initEnforcer() { - _, b, _, _ := runtime.Caller(0) - basepath := filepath.Dir(b) - conf := filepath.Join(basepath, "/rbac_model.conf") - dataFile := filepath.Join(basepath, "/data/rbac_policy.csv") - e, err := casbin.NewEnforcer(conf, dataFile) - if err != nil { - log.Panicf("unable to initialize and enforce permissions %v", err) - } - enforcer = e -} - -// CheckPemissions is used to check whether the permissions of a subject are set -func CheckPemissions(subject string, input profileutils.PermissionInput) (bool, error) { - - ok, err := enforcer.Enforce(subject, input.Resource, input.Action) - if err != nil { - return false, fmt.Errorf("unable to check permissions %w", err) - } - if ok { - return true, nil - } - return false, nil -} - -// CheckAuthorization is used to check the user permissions -func CheckAuthorization(subject string, permission profileutils.PermissionInput) (bool, error) { - isAuthorized, err := CheckPemissions(subject, permission) - if err != nil { - return false, fmt.Errorf("internal server error: can't authorize user: %w", err) - } - - if !isAuthorized { - return false, nil - } - - return true, nil -} - -// IsAuthorized checks if the subject identified by their email has permission to access the -// specified resource -// currently only known internal anonymous users and external API Integrations emails are checked, internal and default logged in users -// have access by default. -// for subjects identified by their phone number normalize the phone and omit the first (+) character -func IsAuthorized(user *profileutils.UserInfo, permission profileutils.PermissionInput) (bool, error) { - if user.PhoneNumber != "" && converterandformatter.StringSliceContains(profileutils.AuthorizedPhones, user.PhoneNumber) { - return CheckAuthorization(user.PhoneNumber[1:], permission) - } - if user.Email != "" && converterandformatter.StringSliceContains(profileutils.AuthorizedEmails, user.Email) { - return CheckAuthorization(user.Email, permission) - - } - return true, nil -} diff --git a/pkg/clinical/application/authorization/data/rbac_policy.csv b/pkg/clinical/application/authorization/data/rbac_policy.csv deleted file mode 100644 index 0db971ce..00000000 --- a/pkg/clinical/application/authorization/data/rbac_policy.csv +++ /dev/null @@ -1,105 +0,0 @@ -p,254700000000,problem_summary_view,view, deny -p,254700000000,visit_summary_view,view, deny -p,254700000000,patient_timeline_with_count_view,view, deny -p,254700000000,episode_of_care_create,create, deny -p,254700000000,encounters_list,view, deny -p,254700000000,start_episode_by_otp_create,create, deny -p,254700000000,upgrade_episode_update,edit, deny -p,254700000000,start_episode_by_break_glass_create,create, deny -p,254700000000,organisation_view,view, deny -p,254700000000,organisation_create,create, deny -p,254700000000,open_episodes_view,view, deny -p,254700000000,search_episodes_view,view, deny -p,254700000000,encounter_create,create, deny -p,254700000000,encounter_edit,edit, deny -p,254700000000,patient_create,create, deny -p,254700000000,patient_get,view, deny -p,254700000000,fhir_composition_create,create, deny -p,254700000000,fhir_composition_edit,edit, deny -p,254700000000,fhir_composition_delete,delete, deny -p,254700000000,fhir_condition_view,view, deny -p,254700000000,fhir_condition_create,create, deny -p,254700000000,fhir_condition_edit,edit, deny -p,254700000000,fhir_encounter_view,view, deny -p,254700000000,fhir_enconter_create,create, deny -p,254700000000,fhir_medication_view,view, deny -p,254700000000,fhir_medication_create,create, deny -p,254700000000,fhir_medication_view,edit, deny -p,254700000000,fhir_medication_view,delete, deny -p,254700000000,fhir_observation_view,view, deny -p,254700000000,fhir_observation_create,create, deny -p,254700000000,fhir_observation_delete,delete, deny -p,254700000000,patient_update_extra_info_edit,create, deny -p,254700000000,fhir_patient_delete,delete, deny -p,254700000000,allergy_intolerance_view,view, deny -p,apa-dev@healthcloud.co.ke,problem_summary_view,view, deny -p,apa-dev@healthcloud.co.ke,visit_summary_view,view, deny -p,apa-dev@healthcloud.co.ke,patient_timeline_with_count_view,view, deny -p,apa-dev@healthcloud.co.ke,episode_of_care_create,create, deny -p,apa-dev@healthcloud.co.ke,encounters_list,view, deny -p,apa-dev@healthcloud.co.ke,start_episode_by_otp_create,create, deny -p,apa-dev@healthcloud.co.ke,upgrade_episode_update,edit, deny -p,apa-dev@healthcloud.co.ke,start_episode_by_break_glass_create,create, deny -p,apa-dev@healthcloud.co.ke,organisation_view,view, deny -p,apa-dev@healthcloud.co.ke,organisation_create,create, deny -p,apa-dev@healthcloud.co.ke,open_episodes_view,view, deny -p,apa-dev@healthcloud.co.ke,search_episodes_view,view, deny -p,apa-dev@healthcloud.co.ke,encounter_create,create, deny -p,apa-dev@healthcloud.co.ke,encounter_edit,edit, deny -p,apa-dev@healthcloud.co.ke,patient_create,create, deny -p,apa-dev@healthcloud.co.ke,patient_get,view, deny -p,apa-dev@healthcloud.co.ke,fhir_composition_create,create, deny -p,apa-dev@healthcloud.co.ke,fhir_composition_edit,edit, deny -p,apa-dev@healthcloud.co.ke,fhir_composition_delete,delete, deny -p,apa-dev@healthcloud.co.ke,fhir_condition_view,view, deny -p,apa-dev@healthcloud.co.ke,fhir_condition_create,create, deny -p,apa-dev@healthcloud.co.ke,fhir_condition_edit,edit, deny -p,apa-dev@healthcloud.co.ke,fhir_encounter_view,view, deny -p,apa-dev@healthcloud.co.ke,fhir_enconter_create,create, deny -p,apa-dev@healthcloud.co.ke,fhir_medication_view,view, deny -p,apa-dev@healthcloud.co.ke,fhir_medication_create,create, deny -p,apa-dev@healthcloud.co.ke,fhir_medication_view,edit, deny -p,apa-dev@healthcloud.co.ke,fhir_medication_view,delete, deny -p,apa-dev@healthcloud.co.ke,fhir_observation_view,view, deny -p,apa-dev@healthcloud.co.ke,fhir_observation_create,create, deny -p,apa-dev@healthcloud.co.ke,fhir_observation_delete,delete, deny -p,apa-dev@healthcloud.co.ke,patient_update_extra_info_edit,create, deny -p,apa-dev@healthcloud.co.ke,fhir_patient_delete,delete, deny -p,apa-dev@healthcloud.co.ke,allergy_intolerance_view,view, deny -p,apa-prod@healthcloud.co.ke,problem_summary_view,view, deny -p,apa-prod@healthcloud.co.ke,visit_summary_view,view, deny -p,apa-prod@healthcloud.co.ke,patient_timeline_with_count_view,view, deny -p,apa-prod@healthcloud.co.ke,episode_of_care_create,create, deny -p,apa-prod@healthcloud.co.ke,encounters_list,view, deny -p,apa-prod@healthcloud.co.ke,start_episode_by_otp_create,create, deny -p,apa-prod@healthcloud.co.ke,upgrade_episode_update,edit, deny -p,apa-prod@healthcloud.co.ke,start_episode_by_break_glass_create,create, deny -p,apa-prod@healthcloud.co.ke,organisation_view,view, deny -p,apa-prod@healthcloud.co.ke,organisation_create,create, deny -p,apa-prod@healthcloud.co.ke,open_episodes_view,view, deny -p,apa-prod@healthcloud.co.ke,search_episodes_view,view, deny -p,apa-prod@healthcloud.co.ke,encounter_create,create, deny -p,apa-prod@healthcloud.co.ke,encounter_edit,edit, deny -p,apa-prod@healthcloud.co.ke,patient_create,create, deny -p,apa-prod@healthcloud.co.ke,patient_get,view, deny -p,apa-prod@healthcloud.co.ke,fhir_composition_create,create, deny -p,apa-prod@healthcloud.co.ke,fhir_composition_edit,edit, deny -p,apa-prod@healthcloud.co.ke,fhir_composition_delete,delete, deny -p,apa-prod@healthcloud.co.ke,fhir_condition_view,view, deny -p,apa-prod@healthcloud.co.ke,fhir_condition_create,create, deny -p,apa-prod@healthcloud.co.ke,fhir_condition_edit,edit, deny -p,apa-prod@healthcloud.co.ke,fhir_encounter_view,view, deny -p,apa-prod@healthcloud.co.ke,fhir_enconter_create,create, deny -p,apa-prod@healthcloud.co.ke,fhir_medication_view,view, deny -p,apa-prod@healthcloud.co.ke,fhir_medication_create,create, deny -p,apa-prod@healthcloud.co.ke,fhir_medication_view,edit, deny -p,apa-prod@healthcloud.co.ke,fhir_medication_view,delete, deny -p,apa-prod@healthcloud.co.ke,fhir_observation_view,view, deny -p,apa-prod@healthcloud.co.ke,fhir_observation_create,create, deny -p,apa-prod@healthcloud.co.ke,fhir_observation_delete,delete, deny -p,apa-prod@healthcloud.co.ke,patient_update_extra_info_edit,create, deny -p,apa-prod@healthcloud.co.ke,fhir_patient_delete,delete, deny -p,apa-prod@healthcloud.co.ke,allergy_intolerance_view,view, deny -p,254711223344,update_primary_phone,edit,allow - - diff --git a/pkg/clinical/application/authorization/permission.go b/pkg/clinical/application/authorization/permission.go deleted file mode 100644 index 1caa8c24..00000000 --- a/pkg/clinical/application/authorization/permission.go +++ /dev/null @@ -1,209 +0,0 @@ -package authentication - -import ( - "github.com/savannahghi/profileutils" -) - -// ProblemSummaryView describes view permissions on viewing a patient problem summary resource -var ProblemSummaryView = profileutils.PermissionInput{ - Resource: "problem_summary_view", - Action: "view", -} - -// VisitSummaryView describes view permissions on a user past visits -var VisitSummaryView = profileutils.PermissionInput{ - Resource: "visit_summary_view", - Action: "view", -} - -// PatientTimelineWithCountView describes view permissions on a user patienttimeline -var PatientTimelineWithCountView = profileutils.PermissionInput{ - Resource: "patient_timeline_with_count_view", - Action: "view", -} - -// EpisodeOfCareCreate describes write permissions on a patient episodeofcare -var EpisodeOfCareCreate = profileutils.PermissionInput{ - Resource: "episode_of_care_create", - Action: "create", -} - -// EncountersList describes read permissions on a patient encounters -var EncountersList = profileutils.PermissionInput{ - Resource: "encounters_list", - Action: "view", -} - -// StartEpisodeByOtpCreate describes write permissions on a patient StartEpisodeByOtp -var StartEpisodeByOtpCreate = profileutils.PermissionInput{ - Resource: "start_episode_by_otp_create", - Action: "create", -} - -// UpgradeEpisodeUpdate describes update permissions on a patient episode resource -var UpgradeEpisodeUpdate = profileutils.PermissionInput{ - Resource: "upgrade_episode_update", - Action: "edit", -} - -// StartEpisodeByBreakGlassCreate describes write permissions on a patient start episode by break glass -var StartEpisodeByBreakGlassCreate = profileutils.PermissionInput{ - Resource: "start_episode_by_break_glass_create", - Action: "create", -} - -// OrganizationView describe view permissions on getting an organisation -var OrganizationView = profileutils.PermissionInput{ - Resource: "organisation_view", - Action: "view", -} - -// OrganizationCreate describe write permissions on creating an organisation -var OrganizationCreate = profileutils.PermissionInput{ - Resource: "organisation_create", - Action: "create", -} - -// OpenEpisodesView describe view permissions on an patient open episodes -var OpenEpisodesView = profileutils.PermissionInput{ - Resource: "open_episodes_view", - Action: "view", -} - -// SearchEpisodesView describes permissions on an patient ability to search open episodes -var SearchEpisodesView = profileutils.PermissionInput{ - Resource: "search_episodes_view", - Action: "view", -} - -// EncounterCreate describes write permissions on an encounter resource -var EncounterCreate = profileutils.PermissionInput{ - Resource: "encounter_create", - Action: "create", -} - -// EncounterUpdate describes edit permissions on an encounter resource -var EncounterUpdate = profileutils.PermissionInput{ - Resource: "encounter_edit", - Action: "edit", -} - -// PatientCreate describes write permissions on a patient resource -var PatientCreate = profileutils.PermissionInput{ - Resource: "patient_create", - Action: "create", -} - -// PatientGet describes read permissions on patient resource -var PatientGet = profileutils.PermissionInput{ - Resource: "patient_get", - Action: "view", -} - -// FHIRCompositionCreate describes write permissions on patient FHIR composition resource -var FHIRCompositionCreate = profileutils.PermissionInput{ - Resource: "fhir_composition_create", - Action: "create", -} - -// FHIRCompositionEdit describes edit permissions on patient FHIR composition resource -var FHIRCompositionEdit = profileutils.PermissionInput{ - Resource: "fhir_composition_edit", - Action: "edit", -} - -// FHIRCompositionDelete describes delete permissions on patient FHIR composition resource -var FHIRCompositionDelete = profileutils.PermissionInput{ - Resource: "fhir_composition_delete", - Action: "delete", -} - -// FHIRConditionView describes view permissions on patient FHIR condition resource -var FHIRConditionView = profileutils.PermissionInput{ - Resource: "fhir_condition_view", - Action: "view", -} - -// FHIRConditionCreate describes write permissions on patient FHIR condition resource -var FHIRConditionCreate = profileutils.PermissionInput{ - Resource: "fhir_condition_create", - Action: "create", -} - -// FHIRConditionEdit describes edit permissions on patient FHIR condition resource -var FHIRConditionEdit = profileutils.PermissionInput{ - Resource: "fhir_condition_edit", - Action: "edit", -} - -// FHIREncounterView describes view permissions on patient FHIR encounter resource -var FHIREncounterView = profileutils.PermissionInput{ - Resource: "fhir_encounter_view", - Action: "view", -} - -// FHIREncounterCreate describes write permissions on patient FHIR condition resource -var FHIREncounterCreate = profileutils.PermissionInput{ - Resource: "fhir_enconter_create", - Action: "create", -} - -// FHIRMedicationRequestView describes view permissions on a FHIR medication request resource -var FHIRMedicationRequestView = profileutils.PermissionInput{ - Resource: "fhir_medication_view", - Action: "view", -} - -// FHIRMedicationRequestCreate describes write permissions on a FHIR medication request resource -var FHIRMedicationRequestCreate = profileutils.PermissionInput{ - Resource: "fhir_medication_create", - Action: "create", -} - -// FHIRMedicationRequestEdit describes edit permissions on a FHIR medication request resource -var FHIRMedicationRequestEdit = profileutils.PermissionInput{ - Resource: "fhir_medication_edit", - Action: "edit", -} - -// FHIRMedicationRequestDelete describes delete permissions on a FHIR medication request resource -var FHIRMedicationRequestDelete = profileutils.PermissionInput{ - Resource: "fhir_medication_delete", - Action: "delete", -} - -// FHIRObservationView describes view permissions on a FHIR observation resource -var FHIRObservationView = profileutils.PermissionInput{ - Resource: "fhir_observation_view", - Action: "view", -} - -// FHIRObservationCreate describes create permissions on a FHIR observation resource -var FHIRObservationCreate = profileutils.PermissionInput{ - Resource: "fhir_observation_create", - Action: "create", -} - -// FHIRObservationDelete describes delete permissions on a FHIR observation resource -var FHIRObservationDelete = profileutils.PermissionInput{ - Resource: "fhir_observation_delete", - Action: "delete", -} - -// PatientExtraInformationEdit describes edit permissions on a patient resource -var PatientExtraInformationEdit = profileutils.PermissionInput{ - Resource: "patient_update_extra_info_edit", - Action: "edit", -} - -// FHIRPatientDelete describes delete permissions on a FHIR patient resource -var FHIRPatientDelete = profileutils.PermissionInput{ - Resource: "fhir_patient_delete", - Action: "delete", -} - -// AllergyIntoleranceView describes view permissions on a FHIR allergy resource -var AllergyIntoleranceView = profileutils.PermissionInput{ - Resource: "allergy_intolerance_view", - Action: "view", -} diff --git a/pkg/clinical/application/authorization/rbac_model.conf b/pkg/clinical/application/authorization/rbac_model.conf deleted file mode 100644 index 33749f00..00000000 --- a/pkg/clinical/application/authorization/rbac_model.conf +++ /dev/null @@ -1,14 +0,0 @@ -[request_definition] -r = sub, obj, act - -[policy_definition] -p = sub, obj, act, eft - -[role_definition] -g = _, _ - -[policy_effect] -e = some(where (p.eft == allow)) && !some(where (p.eft == deny)) - -[matchers] -m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act \ No newline at end of file diff --git a/pkg/clinical/infrastructure/mock/repository_mock.go b/pkg/clinical/infrastructure/mock/repository_mock.go deleted file mode 100644 index c48dcdb2..00000000 --- a/pkg/clinical/infrastructure/mock/repository_mock.go +++ /dev/null @@ -1,82 +0,0 @@ -package mock - -// // FakeFHIRRepository is a mock FHIR repository -// type FakeFHIRRepository struct { -// CreateFHIRResourceFn func(resourceType string, payload map[string]interface{}) ([]byte, error) -// DeleteFHIRResourceFn func(resourceType, fhirResourceID string) ([]byte, error) -// PatchFHIRResourceFn func(resourceType, fhirResourceID string, payload []map[string]interface{}) ([]byte, error) -// UpdateFHIRResourceFn func(resourceType, fhirResourceID string, payload map[string]interface{}) ([]byte, error) -// GetFHIRPatientAllDataFn func(fhirResourceID string) ([]byte, error) -// FHIRRestURLFn func() string -// GetFHIRResourceFn func(resourceType, fhirResourceID string) ([]byte, error) -// GetFHIRPatientEverythingFn func(fhirResourceID string) ([]byte, error) -// } - -// // NewFakeFHIRRepositoryMock initializes a new FakeFHIRRepositoryMock -// func NewFakeFHIRRepositoryMock() *FakeFHIRRepository { -// return &FakeFHIRRepository{ -// GetFHIRResourceFn: func(resourceType, fhirResourceID string) ([]byte, error) { -// bs, err := json.Marshal("m") -// if err != nil { -// return nil, fmt.Errorf("unable to marshal map to JSON: %w", err) -// } -// return bs, nil -// }, -// } -// } - -// // CreateFHIRResource ... -// func (f *FakeFHIRRepository) CreateFHIRResource(resourceType string, payload map[string]interface{}) ([]byte, error) { -// return f.CreateFHIRResourceFn(resourceType, payload) -// } - -// // DeleteFHIRResource ... -// func (f *FakeFHIRRepository) DeleteFHIRResource(resourceType, fhirResourceID string) ([]byte, error) { -// return f.DeleteFHIRResourceFn(resourceType, fhirResourceID) -// } - -// // PatchFHIRResource ... -// func (f *FakeFHIRRepository) PatchFHIRResource(resourceType, fhirResourceID string, payload []map[string]interface{}) ([]byte, error) { -// return f.PatchFHIRResourceFn(resourceType, fhirResourceID, payload) -// } - -// // UpdateFHIRResource ... -// func (f *FakeFHIRRepository) UpdateFHIRResource(resourceType, fhirResourceID string, payload map[string]interface{}) ([]byte, error) { -// return f.UpdateFHIRResourceFn(resourceType, fhirResourceID, payload) -// } - -// // GetFHIRPatientAllData ... -// func (f *FakeFHIRRepository) GetFHIRPatientAllData(fhirResourceID string) ([]byte, error) { -// return f.GetFHIRPatientAllDataFn(fhirResourceID) -// } - -// // FHIRRestURL ... -// func (f *FakeFHIRRepository) FHIRRestURL() string { -// return f.FHIRRestURLFn() -// } - -// // GetFHIRResource ... -// func (f *FakeFHIRRepository) GetFHIRResource(resourceType, fhirResourceID string) ([]byte, error) { -// return f.GetFHIRResourceFn(resourceType, fhirResourceID) -// } - -// //GetFHIRPatientEverything .... -// func (f *FakeFHIRRepository) GetFHIRPatientEverything(fhirResourceID string) ([]byte, error) { -// return f.GetFHIRPatientEverythingFn(fhirResourceID) -// } - -// FakeRepository is a mock firebase repository -// type FakeRepository struct { -// SaveEmailOTPFn func(ctx context.Context, email string, optIn bool) error -// StageStartEpisodeByBreakGlassFn func(ctx context.Context, input domain.BreakGlassEpisodeCreationInput) error -// } - -// // SaveEmailOTP ... -// func (fb *FakeRepository) SaveEmailOTP(ctx context.Context, email string, optIn bool) error { -// return fb.SaveEmailOTPFn(ctx, email, optIn) -// } - -// // StageStartEpisodeByBreakGlass persists starts an emergency episode data -// func (fb *FakeRepository) StageStartEpisodeByBreakGlass(ctx context.Context, input domain.BreakGlassEpisodeCreationInput) error { -// return fb.StageStartEpisodeByBreakGlassFn(ctx, input) -// }