Add grpc authorizePAT

Signed-off-by: nyagamunene <[email protected]>

auth/api/grpc/auth/client.go

@@ -53,6 +53,15 @@ func NewAuthClient(conn *grpc.ClientConn, timeout time.Duration) grpcAuthV1.Auth
 			grpcAuthV1.AuthZRes{},
 		).Endpoint(),
 		timeout: timeout,
+		authorizePAT: kitgrpc.NewClient(
+			conn,
+			authSvcName,
+			"AuthorizePAT",
+			encodeAuthorizePATRequest,
+			decodeAuthorizeResponse,
+			grpcAuthV1.AuthZRes{},
+		).Endpoint(),
+		timeout: timeout,
 	}
 }
 
@@ -135,3 +144,37 @@ func encodeAuthorizeRequest(_ context.Context, grpcReq interface{}) (interface{}
 		Object:      req.Object,
 	}, nil
 }
+
+func (client authGrpcClient) AuthorizePAT(ctx context.Context, req *grpcAuthV1.AuthZReq, _ ...grpc.CallOption) (r *grpcAuthV1.AuthZRes, err error) {
+	ctx, cancel := context.WithTimeout(ctx, client.timeout)
+	defer cancel()
+
+	res, err := client.authorize(ctx, authReq{
+		Domain:      req.GetDomain(),
+		SubjectType: req.GetSubjectType(),
+		Subject:     req.GetSubject(),
+		SubjectKind: req.GetSubjectKind(),
+		Relation:    req.GetRelation(),
+		Permission:  req.GetPermission(),
+		ObjectType:  req.GetObjectType(),
+		Object:      req.GetObject(),
+	})
+	if err != nil {
+		return &grpcAuthV1.AuthZRes{}, grpcapi.DecodeError(err)
+	}
+
+	ar := res.(authorizeRes)
+	return &grpcAuthV1.AuthZRes{Authorized: ar.authorized, Id: ar.id}, nil
+}
+
+func encodeAuthorizePATRequest(_ context.Context, grpcReq interface{}) (interface{}, error) {
+	req := grpcReq.(authPATReq)
+	return &grpcAuthV1.AuthZpatReq{
+		PaToken:                  req.paToken,
+		PlatformEntityType:       req.platformEntityType,
+		OptionalDomainID:         req.optionalDomainID,
+		OptionalDomainEntityType: req.optionalDomainEntityType,
+		Operation:                req.operation,
+		EntityIDs:                req.entityIDs,
+	}, nil
+}

auth/api/grpc/auth/endpoint.go

@@ -66,3 +66,18 @@ func authorizeEndpoint(svc auth.Service) endpoint.Endpoint {
 		return authorizeRes{authorized: true}, nil
 	}
 }
+
+func authorizePATEndpoint(svc auth.Service) endpoint.Endpoint {
+	return func(ctx context.Context, request interface{}) (interface{}, error) {
+		req := request.(authPATReq)
+
+		if err := req.validate(); err != nil {
+			return authorizeRes{}, err
+		}
+		err := svc.AuthorizePAT(ctx, req.paToken, req.platformEntityType, req.optionalDomainID,req.optionalDomainEntityType, req.operation, req.entityIDs)
+		if err != nil {
+			return authorizeRes{authorized: false}, err
+		}
+		return authorizeRes{authorized: true}, nil
+	}
+}

auth/api/grpc/auth/requests.go

@@ -49,3 +49,19 @@ func (req authReq) validate() error {
 
 	return nil
 }
+
+type authPATReq struct {
+	paToken                  string
+	platformEntityType       string
+	optionalDomainID         string
+	optionalDomainEntityType string
+	operation                string
+	entityIDs                []string
+}
+
+func (req authPATReq) validate() error {
+	if req.paToken == "" {
+		return apiutil.ErrBearerToken
+	}
+	return nil
+}

auth/api/grpc/auth/server.go

@@ -19,6 +19,7 @@ type authGrpcServer struct {
 	authorize       kitgrpc.Handler
 	authenticate    kitgrpc.Handler
 	authenticatePAT kitgrpc.Handler
+	authorizePAT    kitgrpc.Handler
 }
 
 // NewAuthServer returns new AuthnServiceServer instance.
@@ -41,6 +42,12 @@ func NewAuthServer(svc auth.Service) grpcAuthV1.AuthServiceServer {
 			decodeAuthenticateRequest,
 			encodeAuthenticatePATResponse,
 		),
+
+		authorizePAT: kitgrpc.NewServer(
+			(authorizePATEndpoint(svc)),
+			decodeAuthorizePATRequest,
+			encodeAuthorizeResponse,
+		),
 	}
 }
 
@@ -101,3 +108,15 @@ func encodeAuthorizeResponse(_ context.Context, grpcRes interface{}) (interface{
 	res := grpcRes.(authorizeRes)
 	return &grpcAuthV1.AuthZRes{Authorized: res.authorized, Id: res.id}, nil
 }
+
+func decodeAuthorizePATRequest(_ context.Context, grpcReq interface{}) (interface{}, error) {
+	req := grpcReq.(*grpcAuthV1.AuthZpatReq)
+	return authPATReq{
+		paToken:                  req.GetPaToken(),
+		platformEntityType:       req.GetPlatformEntityType(),
+		optionalDomainID:         req.GetOptionalDomainID(),
+		optionalDomainEntityType: req.GetOptionalDomainEntityType(),
+		operation:                req.GetOperation(),
+		entityIDs:                req.GetEntityIDs(),
+	}, nil
+}

auth/service.go

@@ -11,6 +11,7 @@ import (
 	"time"
 
 	"github.com/absmach/magistrala"
+	"github.com/absmach/magistrala/pat"
 	"github.com/absmach/magistrala/pkg/errors"
 	svcerr "github.com/absmach/magistrala/pkg/errors/service"
 	"github.com/absmach/magistrala/pkg/policies"
@@ -173,6 +174,21 @@ func (svc service) RetrieveKey(ctx context.Context, token, id string) (Key, erro
 }
 
 func (svc service) Identify(ctx context.Context, token string) (Key, error) {
+	if strings.HasPrefix(token, "pat"+"_") {
+		pat, err := svc.IdentifyPAT(ctx, token)
+		if err != nil {
+			return Key{}, err
+		}
+		return Key{
+			ID:        pat.ID,
+			Type:      PersonalAccessToken,
+			Subject:   pat.User,
+			User:      pat.User,
+			IssuedAt:  pat.IssuedAt,
+			ExpiresAt: pat.ExpiresAt,
+		}, nil
+	}
+
 	key, err := svc.tokenizer.Parse(token)
 	if errors.Contains(err, ErrExpiry) {
 		err = svc.keys.Remove(ctx, key.Issuer, key.ID)

cmd/auth/main.go

@@ -28,6 +28,8 @@ import (
 	grpcAuthV1 "github.com/absmach/magistrala/internal/grpc/auth/v1"
 	grpcTokenV1 "github.com/absmach/magistrala/internal/grpc/token/v1"
 	mglog "github.com/absmach/magistrala/logger"
+	"github.com/absmach/magistrala/pat/bolt"
+	"github.com/absmach/magistrala/pat/hasher"
 	"github.com/absmach/magistrala/pkg/jaeger"
 	"github.com/absmach/magistrala/pkg/policies/spicedb"
 	"github.com/absmach/magistrala/pkg/postgres"
@@ -244,7 +246,7 @@ func newService(_ context.Context, db *sqlx.DB, tracer trace.Tracer, cfg config,
 
 	t := jwt.New([]byte(cfg.SecretKey))
 
-	svc := auth.New(keysRepo, patsRepo, hasher, idProvider, t, pEvaluator, pService, cfg.AccessDuration, cfg.RefreshDuration, cfg.InvitationDuration)
+	svc := auth.New(keysRepo, patsRepo, hasher,patsRepo, hasher, idProvider, t, pEvaluator, pService, cfg.AccessDuration, cfg.RefreshDuration, cfg.InvitationDuration)
 	svc = api.LoggingMiddleware(svc, logger)
 	counter, latency := prometheus.MakeMetrics("auth", "api")
 	svc = api.MetricsMiddleware(svc, counter, latency)

internal/proto/auth/v1/auth.proto

@@ -10,6 +10,7 @@ option go_package = "github.com/absmach/magistrala/internal/grpc/auth/v1";
 // functionalities for magistrala services.
 service AuthService {
   rpc Authorize(AuthZReq) returns (AuthZRes) {}
+  rpc AuthorizePAT(AuthZpatReq) returns (AuthZRes) {}
   rpc Authenticate(AuthNReq) returns (AuthNRes) {}
   rpc AuthenticatePAT(AuthNReq) returns (AuthNPATRes) {}
 }
@@ -42,6 +43,15 @@ message AuthZReq {
   string object_type = 9;      // Client, User, Group
 }
 
+message AuthZpatReq {
+  string paToken = 1;                     // PaToken
+  string platform_entity_type = 2;        // Platform entity type
+  string optional_domainID = 3;           // Optional domain id
+  string optional_domain_entity_type = 4; // Optional domain entity type 
+  string operation = 5;                   // Operation
+  repeated string entityIDs = 6;          // EntityIDs
+}
+
 message AuthZRes {
   bool authorized = 1;
   string id = 2;