mirror of
https://github.com/mainflux/mainflux.git
synced 2025-05-01 13:48:56 +08:00
55e09c1921
* Move Things and Users to Clients Signed-off-by: dusanb94 <dusan.borovcanin@mainflux.com> Signed-off-by: rodneyosodo <blackd0t@protonmail.com> Signed-off-by: dusanb94 <dusan.borovcanin@mainflux.com> * NOISSUE - Update Add and Delete Policies (#1792) * Remove Policy Action Ranks Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Fix Rebase Issues Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Fix CI Test Errors Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Adding Check on Subject For Clients Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Remove Check Client Exists Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Check When Sharing Clients Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Only Add User to Group When Sharing Things Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Remove clientType Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Minor Fix on ShareClient and Fix Tests Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Fix Policies Tests Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Clean Up Things Authorization Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Fix Tests on RetrieveAll Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Test ShareThing Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Fix Merge Conflicts Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Remove Adding Policies. Only Use Ownership Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Check If Subject is same as Object Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Move Back To Union As Sometimes Policy is Empty and Fails to Evaluate on Ownership Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Fix Entity Type For Failing Tests Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Fix BUG in policy evaluation Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Fix Tests Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Add Comments Regarding checkAdmin Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Fix Tests On Rebase Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Combine Authorize For Things and Users Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Fix Tests On Rebase Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Error on Things SVC `unsupported protocol scheme` Signed-off-by: rodneyosodo <blackd0t@protonmail.com> --------- Signed-off-by: rodneyosodo <blackd0t@protonmail.com> Signed-off-by: dusanb94 <dusan.borovcanin@mainflux.com> * Fix Bug on Things Authorization Cache (#1810) Signed-off-by: rodneyosodo <blackd0t@protonmail.com> Signed-off-by: dusanb94 <dusan.borovcanin@mainflux.com> * Use Password instead of username in MQTT handler Signed-off-by: dusanb94 <dusan.borovcanin@mainflux.com> * Simplify MQTT authorization Signed-off-by: dusanb94 <dusan.borovcanin@mainflux.com> * Fix MQTT tests Signed-off-by: dusanb94 <dusan.borovcanin@mainflux.com> * NOISSUE - Add More Functions to SDK (#1811) * Add More Functions to SDK Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Add Examples to GoDoc Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Update Unassign Interface Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Pass Subject as ID and Not Token on List Channels By Thing Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Fix Bootstrap Errors For Element Check Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Add empty line Before Return Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Reorder URLS in things mux Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Fix Listing Things Policies Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Fix Share Thing Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Add Examples to CLI Docs Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Fix Update Identity To Update Another User Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Fix Identify an Update Policies on Things Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Fix Update Things Policies Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Fix GoDocs on Disconnect Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Fix Tests Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Change Authorize To Use AccessRequest Signed-off-by: rodneyosodo <blackd0t@protonmail.com> --------- Signed-off-by: rodneyosodo <blackd0t@protonmail.com> Signed-off-by: dusanb94 <dusan.borovcanin@mainflux.com> * For Evaluate Policy Use AccessRequest (#1814) Signed-off-by: rodneyosodo <blackd0t@protonmail.com> Signed-off-by: dusanb94 <dusan.borovcanin@mainflux.com> * NOISSUE - Add SDK Tests (#1812) * Add Things Tests Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Add Channel Tests Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Add Certs Tests Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Add Consumer Tests Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Enrich Group Tests Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Add Tests For Health Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Add Tests For Tokens Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Rename SDK for Tests Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Add Policies Tests Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Fix Linter Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Fix Tests Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Make Variable Defination Inline Signed-off-by: rodneyosodo <blackd0t@protonmail.com> --------- Signed-off-by: rodneyosodo <blackd0t@protonmail.com> Signed-off-by: dusanb94 <dusan.borovcanin@mainflux.com> * NOISSUE - Make Cache Key Duration Configurable (#1815) * Make Cache Key Duration Configurable Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Rename ENV Var Signed-off-by: rodneyosodo <blackd0t@protonmail.com> --------- Signed-off-by: rodneyosodo <blackd0t@protonmail.com> Signed-off-by: dusanb94 <dusan.borovcanin@mainflux.com> * NOISSUE - Update GoDocs (#1816) * Add GoDocs Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Add Missing GoDoc Files Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Enable godot Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Add License Information Signed-off-by: rodneyosodo <blackd0t@protonmail.com> --------- Signed-off-by: rodneyosodo <blackd0t@protonmail.com> Signed-off-by: dusanb94 <dusan.borovcanin@mainflux.com> * NOISSUE - Add Call Home Client to Mainflux services (#1751) * Move Things and Users to Clients Signed-off-by: dusanb94 <dusan.borovcanin@mainflux.com> Signed-off-by: rodneyosodo <blackd0t@protonmail.com> Signed-off-by: SammyOina <sammyoina@gmail.com> * collect and send data package Signed-off-by: SammyOina <sammyoina@gmail.com> * create telemetry migrations Signed-off-by: SammyOina <sammyoina@gmail.com> * add telemetry endpoints Signed-off-by: SammyOina <sammyoina@gmail.com> * add transport Signed-off-by: SammyOina <sammyoina@gmail.com> * create service Signed-off-by: SammyOina <sammyoina@gmail.com> * remove homing server Signed-off-by: SammyOina <sammyoina@gmail.com> * add call home to adapters Signed-off-by: SammyOina <sammyoina@gmail.com> * add last seen Signed-off-by: SammyOina <sammyoina@gmail.com> * rename logger Signed-off-by: SammyOina <sammyoina@gmail.com> * remove homing client Signed-off-by: SammyOina <sammyoina@gmail.com> * use unmerged repo Signed-off-by: SammyOina <sammyoina@gmail.com> * use renamed module Signed-off-by: SammyOina <sammyoina@gmail.com> * update call home version Signed-off-by: SammyOina <sammyoina@gmail.com> * edit documentation Signed-off-by: SammyOina <sammyoina@gmail.com> * align table Signed-off-by: SammyOina <sammyoina@gmail.com> * use alias for call home client Signed-off-by: SammyOina <sammyoina@gmail.com> * update callhome Signed-off-by: SammyOina <sammyoina@gmail.com> * update call home pkg Signed-off-by: SammyOina <sammyoina@gmail.com> * update call home Signed-off-by: SammyOina <sammyoina@gmail.com> * fix modules Signed-off-by: SammyOina <sammyoina@gmail.com> * use mf build version Signed-off-by: SammyOina <sammyoina@gmail.com> * use mf build version Signed-off-by: SammyOina <sammyoina@gmail.com> * restore default Signed-off-by: SammyOina <sammyoina@gmail.com> * add call home for users and things Signed-off-by: SammyOina <sammyoina@gmail.com> * enable opting on call home Signed-off-by: SammyOina <sammyoina@gmail.com> * remove full stops Signed-off-by: SammyOina <sammyoina@gmail.com> * update callhome client Signed-off-by: SammyOina <sammyoina@gmail.com> * add call home to all services Signed-off-by: SammyOina <sammyoina@gmail.com> * fix build Signed-off-by: SammyOina <sammyoina@gmail.com> * restore sdk tests Signed-off-by: SammyOina <sammyoina@gmail.com> * remove unnecessary changes Signed-off-by: SammyOina <sammyoina@gmail.com> * restore health_test.go Signed-off-by: SammyOina <sammyoina@gmail.com> --------- Signed-off-by: dusanb94 <dusan.borovcanin@mainflux.com> Signed-off-by: rodneyosodo <blackd0t@protonmail.com> Signed-off-by: SammyOina <sammyoina@gmail.com> Co-authored-by: b1ackd0t <blackd0t@protonmail.com> Signed-off-by: dusanb94 <dusan.borovcanin@mainflux.com> --------- Signed-off-by: dusanb94 <dusan.borovcanin@mainflux.com> Signed-off-by: rodneyosodo <blackd0t@protonmail.com> Signed-off-by: SammyOina <sammyoina@gmail.com> Co-authored-by: b1ackd0t <blackd0t@protonmail.com> Co-authored-by: Sammy Kerata Oina <44265300+SammyOina@users.noreply.github.com>
255 lines
6.3 KiB
Go
255 lines
6.3 KiB
Go
// Copyright (c) Mainflux
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
package policies
|
|
|
|
import (
|
|
"context"
|
|
"time"
|
|
|
|
"github.com/mainflux/mainflux"
|
|
"github.com/mainflux/mainflux/pkg/errors"
|
|
upolicies "github.com/mainflux/mainflux/users/policies"
|
|
)
|
|
|
|
const (
|
|
ReadAction = "m_read"
|
|
WriteAction = "m_write"
|
|
addPolicyAction = "g_add"
|
|
ClientEntityType = "client"
|
|
GroupEntityType = "group"
|
|
ThingEntityType = "thing"
|
|
thingsObjectKey = "things"
|
|
)
|
|
|
|
var (
|
|
// ErrInvalidEntityType indicates that the entity type is invalid.
|
|
ErrInvalidEntityType = errors.New("invalid entity type")
|
|
)
|
|
|
|
type service struct {
|
|
auth upolicies.AuthServiceClient
|
|
policies Repository
|
|
policyCache Cache
|
|
idProvider mainflux.IDProvider
|
|
}
|
|
|
|
// NewService returns a new Clients service implementation.
|
|
func NewService(auth upolicies.AuthServiceClient, p Repository, ccache Cache, idp mainflux.IDProvider) Service {
|
|
return service{
|
|
auth: auth,
|
|
policies: p,
|
|
policyCache: ccache,
|
|
idProvider: idp,
|
|
}
|
|
}
|
|
|
|
func (svc service) Authorize(ctx context.Context, ar AccessRequest) (Policy, error) {
|
|
// fetch from cache first
|
|
policy := Policy{
|
|
Subject: ar.Subject,
|
|
Object: ar.Object,
|
|
}
|
|
policy, err := svc.policyCache.Get(ctx, policy)
|
|
if err == nil {
|
|
for _, action := range policy.Actions {
|
|
if action == ar.Action {
|
|
return policy, nil
|
|
}
|
|
}
|
|
return Policy{}, errors.ErrAuthorization
|
|
}
|
|
if !errors.Contains(err, errors.ErrNotFound) {
|
|
return Policy{}, err
|
|
}
|
|
|
|
// fetch from repo as a fallback if not found in cache
|
|
switch ar.Entity {
|
|
case GroupEntityType:
|
|
policy, err = svc.policies.EvaluateGroupAccess(ctx, ar)
|
|
if err != nil {
|
|
return Policy{}, err
|
|
}
|
|
|
|
case ClientEntityType:
|
|
policy, err = svc.policies.EvaluateThingAccess(ctx, ar)
|
|
if err != nil {
|
|
return Policy{}, err
|
|
}
|
|
|
|
case ThingEntityType:
|
|
policy, err := svc.policies.EvaluateMessagingAccess(ctx, ar)
|
|
if err != nil {
|
|
return Policy{}, err
|
|
}
|
|
// Replace Subject since AccessRequest Subject is Thing Key,
|
|
// and Policy subject is Thing ID.
|
|
policy.Subject = ar.Subject
|
|
if err := svc.policyCache.Put(ctx, policy); err != nil {
|
|
return policy, err
|
|
}
|
|
|
|
default:
|
|
return Policy{}, ErrInvalidEntityType
|
|
}
|
|
|
|
return policy, nil
|
|
}
|
|
|
|
// AddPolicy adds a policy is added if:
|
|
//
|
|
// 1. The client is admin
|
|
//
|
|
// 2. The client has `g_add` action on the object or is the owner of the object.
|
|
func (svc service) AddPolicy(ctx context.Context, token string, p Policy) (Policy, error) {
|
|
userID, err := svc.identify(ctx, token)
|
|
if err != nil {
|
|
return Policy{}, err
|
|
}
|
|
if err := p.Validate(); err != nil {
|
|
return Policy{}, err
|
|
}
|
|
pm := Page{Subject: p.Subject, Object: p.Object, Offset: 0, Limit: 1}
|
|
page, err := svc.policies.Retrieve(ctx, pm)
|
|
if err != nil {
|
|
return Policy{}, err
|
|
}
|
|
|
|
// If the policy already exists, replace the actions
|
|
if len(page.Policies) == 1 {
|
|
if err := svc.checkPolicy(ctx, userID, p); err != nil {
|
|
return Policy{}, err
|
|
}
|
|
|
|
p.UpdatedAt = time.Now()
|
|
p.UpdatedBy = userID
|
|
return svc.policies.Update(ctx, p)
|
|
}
|
|
|
|
p.OwnerID = userID
|
|
p.CreatedAt = time.Now()
|
|
|
|
// If the client is admin, add the policy
|
|
if err := svc.checkAdmin(ctx, userID); err == nil {
|
|
if err := svc.policyCache.Put(ctx, p); err != nil {
|
|
return Policy{}, err
|
|
}
|
|
return svc.policies.Save(ctx, p)
|
|
}
|
|
|
|
// If the client has `g_add` action on the object or is the owner of the object, add the policy
|
|
ar := AccessRequest{Subject: userID, Object: p.Object, Action: "g_add"}
|
|
if _, err := svc.policies.EvaluateGroupAccess(ctx, ar); err == nil {
|
|
if err := svc.policyCache.Put(ctx, p); err != nil {
|
|
return Policy{}, err
|
|
}
|
|
return svc.policies.Save(ctx, p)
|
|
}
|
|
|
|
return Policy{}, errors.ErrAuthorization
|
|
}
|
|
|
|
func (svc service) UpdatePolicy(ctx context.Context, token string, p Policy) (Policy, error) {
|
|
userID, err := svc.identify(ctx, token)
|
|
if err != nil {
|
|
return Policy{}, err
|
|
}
|
|
|
|
if err := p.Validate(); err != nil {
|
|
return Policy{}, err
|
|
}
|
|
if err := svc.checkPolicy(ctx, userID, p); err != nil {
|
|
return Policy{}, err
|
|
}
|
|
p.UpdatedAt = time.Now()
|
|
p.UpdatedBy = userID
|
|
|
|
if err := svc.policyCache.Remove(ctx, p); err != nil {
|
|
return Policy{}, err
|
|
}
|
|
|
|
return svc.policies.Update(ctx, p)
|
|
}
|
|
|
|
func (svc service) ListPolicies(ctx context.Context, token string, pm Page) (PolicyPage, error) {
|
|
userID, err := svc.identify(ctx, token)
|
|
if err != nil {
|
|
return PolicyPage{}, err
|
|
}
|
|
if err := pm.Validate(); err != nil {
|
|
return PolicyPage{}, err
|
|
}
|
|
// If the user is admin, return all policies
|
|
if err := svc.checkAdmin(ctx, userID); err == nil {
|
|
return svc.policies.Retrieve(ctx, pm)
|
|
}
|
|
|
|
// If the user is not admin, return only the policies that they created
|
|
pm.OwnerID = userID
|
|
|
|
return svc.policies.Retrieve(ctx, pm)
|
|
}
|
|
|
|
func (svc service) DeletePolicy(ctx context.Context, token string, p Policy) error {
|
|
userID, err := svc.identify(ctx, token)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if err := svc.checkPolicy(ctx, userID, p); err != nil {
|
|
return err
|
|
}
|
|
|
|
if err := svc.policyCache.Remove(ctx, p); err != nil {
|
|
return err
|
|
}
|
|
return svc.policies.Delete(ctx, p)
|
|
}
|
|
|
|
// checkPolicy checks for the following:
|
|
//
|
|
// 1. Check if the client is admin
|
|
// 2. Check if the client is the owner of the policy
|
|
func (svc service) checkPolicy(ctx context.Context, clientID string, p Policy) error {
|
|
if err := svc.checkAdmin(ctx, clientID); err == nil {
|
|
return nil
|
|
}
|
|
|
|
pm := Page{Subject: p.Subject, Object: p.Object, OwnerID: clientID, Offset: 0, Limit: 1}
|
|
page, err := svc.policies.Retrieve(ctx, pm)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if len(page.Policies) == 1 && page.Policies[0].OwnerID == clientID {
|
|
return nil
|
|
}
|
|
|
|
return errors.ErrAuthorization
|
|
}
|
|
|
|
func (svc service) identify(ctx context.Context, token string) (string, error) {
|
|
req := &upolicies.Token{Value: token}
|
|
res, err := svc.auth.Identify(ctx, req)
|
|
if err != nil {
|
|
return "", errors.Wrap(errors.ErrAuthorization, err)
|
|
}
|
|
return res.GetId(), nil
|
|
}
|
|
|
|
func (svc service) checkAdmin(ctx context.Context, id string) error {
|
|
// for checking admin rights policy object, action and entity type are not important
|
|
req := &upolicies.AuthorizeReq{
|
|
Sub: id,
|
|
Obj: thingsObjectKey,
|
|
Act: addPolicyAction,
|
|
EntityType: GroupEntityType,
|
|
}
|
|
res, err := svc.auth.Authorize(ctx, req)
|
|
if err != nil {
|
|
return errors.Wrap(errors.ErrAuthorization, err)
|
|
}
|
|
if !res.GetAuthorized() {
|
|
return errors.ErrAuthorization
|
|
}
|
|
return nil
|
|
}
|