MG-2048 - Authorize clients and users with PATs (#2499)

Signed-off-by: nyagamunene <[email protected]> Signed-off-by: Felix Gateru <[email protected]> Signed-off-by: Arvindh <[email protected]> Co-authored-by: Felix Gateru <[email protected]> Co-authored-by: Arvindh <[email protected]>
absmach · Dec 30, 2024 · 6abc52d · 6abc52d
1 parent f12aacd
commit 6abc52d
Show file tree

Hide file tree

Showing 10 changed files with 465 additions and 41 deletions.
diff --git a/api/http/common.go b/api/http/common.go
@@ -127,6 +127,7 @@ func EncodeError(_ context.Context, err error, w http.ResponseWriter) {
 	switch {
 	case errors.Contains(err, svcerr.ErrAuthorization),
 		errors.Contains(err, svcerr.ErrDomainAuthorization),
+		errors.Contains(err, svcerr.ErrUnauthorizedPAT),
 		errors.Contains(err, bootstrap.ErrExternalKey),
 		errors.Contains(err, bootstrap.ErrExternalKeySecure):
 		err = unwrap(err)

diff --git a/auth/api/grpc/utils.go b/auth/api/grpc/utils.go
@@ -25,7 +25,9 @@ func EncodeError(err error) error {
 		err == apiutil.ErrMissingMemberType,
 		err == apiutil.ErrMissingPolicySub,
 		err == apiutil.ErrMissingPolicyObj,
-		err == apiutil.ErrMalformedPolicyAct:
+		err == apiutil.ErrMalformedPolicyAct,
+		err == apiutil.ErrMissingUserID,
+		err == apiutil.ErrMissingPATID:
 		return status.Error(codes.InvalidArgument, err.Error())
 	case errors.Contains(err, svcerr.ErrAuthentication),
 		errors.Contains(err, auth.ErrKeyExpired),

diff --git a/auth/hasher/doc.go b/auth/hasher/doc.go
@@ -2,5 +2,5 @@
 // SPDX-License-Identifier: Apache-2.0
 
 // Package hasher contains the domain concept definitions needed to
-// support Magistrala users password hasher sub-service functionality.
+// support Supermq users password hasher sub-service functionality.
 package hasher
diff --git a/auth/tracing/tracing.go b/auth/tracing/tracing.go
@@ -203,7 +203,7 @@ func (tm *tracingMiddleware) AuthorizePAT(ctx context.Context, userID, patID str
 func (tm *tracingMiddleware) CheckPAT(ctx context.Context, userID, patID string, platformEntityType auth.PlatformEntityType, optionalDomainID string, optionalDomainEntityType auth.DomainEntityType, operation auth.OperationType, entityIDs ...string) error {
 	ctx, span := tm.tracer.Start(ctx, "check_pat", trace.WithAttributes(
 		attribute.String("user_id", userID),
-		attribute.String("patID", patID),
+		attribute.String("pat_id", patID),
 		attribute.String("platform_entity", platformEntityType.String()),
 		attribute.String("optional_domain_id", optionalDomainID),
 		attribute.String("optional_domain_entity", optionalDomainEntityType.String()),

diff --git a/clients/middleware/authorization.go b/clients/middleware/authorization.go
diff --git a/pkg/authz/authsvc/authz.go b/pkg/authz/authsvc/authz.go
@@ -121,3 +121,23 @@ func (a authorization) checkDomain(ctx context.Context, subjectType, subject, do
 		return svcerr.ErrInvalidStatus
 	}
 }
+
+func (a authorization) AuthorizePAT(ctx context.Context, pr authz.PatReq) error {
+	req := grpcAuthV1.AuthZPatReq{
+		UserId:                   pr.UserID,
+		PatId:                    pr.PatID,
+		PlatformEntityType:       uint32(pr.PlatformEntityType),
+		OptionalDomainId:         pr.OptionalDomainID,
+		OptionalDomainEntityType: uint32(pr.OptionalDomainEntityType),
+		Operation:                uint32(pr.Operation),
+		EntityIds:                pr.EntityIDs,
+	}
+	res, err := a.authSvcClient.AuthorizePAT(ctx, &req)
+	if err != nil {
+		return errors.Wrap(errors.ErrAuthorization, err)
+	}
+	if !res.Authorized {
+		return errors.ErrAuthorization
+	}
+	return nil
+}
diff --git a/pkg/authz/authz.go b/pkg/authz/authz.go
@@ -3,7 +3,11 @@
 
 package authz
 
-import "context"
+import (
+	"context"
+
+	"github.com/absmach/supermq/auth"
+)
 
 type PolicyReq struct {
 	// Domain contains the domain ID.
@@ -42,9 +46,20 @@ type PolicyReq struct {
 	Permission string `json:"permission,omitempty"`
 }
 
+type PatReq struct {
+	UserID                   string                  `json:"user_id,omitempty"`                     // UserID
+	PatID                    string                  `json:"pat_id,omitempty"`                      // UserID
+	PlatformEntityType       auth.PlatformEntityType `json:"platform_entity_type,omitempty"`        // Platform entity type
+	OptionalDomainID         string                  `json:"optional_domainID,omitempty"`           // Optional domain id
+	OptionalDomainEntityType auth.DomainEntityType   `json:"optional_domain_entity_type,omitempty"` // Optional domain entity type
+	Operation                auth.OperationType      `json:"operation,omitempty"`                   // Operation
+	EntityIDs                []string                `json:"entityIDs,omitempty"`                   // EntityIDs
+}
+
 // Authz is supermq authorization library.
 //
 //go:generate mockery --name Authorization --output=./mocks --filename authz.go --quiet --note "Copyright (c) Abstract Machines"
 type Authorization interface {
 	Authorize(ctx context.Context, pr PolicyReq) error
+	AuthorizePAT(ctx context.Context, pr PatReq) error
 }
diff --git a/pkg/authz/mocks/authz.go b/pkg/authz/mocks/authz.go
diff --git a/pkg/errors/service/types.go b/pkg/errors/service/types.go
@@ -84,4 +84,7 @@ var (
 
 	// ErrRollbackRepo indicates a failure to rollback repository.
 	ErrRollbackRepo = errors.New("failed to rollback repo")
+
+	// ErrUnauthorizedPAT indicates failure occurred while authorizing PAT.
+	ErrUnauthorizedPAT = errors.New("failed to authorize PAT")
 )