NOISSUE - Domains status check on Create & List of Things & Groups (#202

) * check domain status on create and list things and groups Signed-off-by: Arvindh <[email protected]> * rename internal function name Signed-off-by: Arvindh <[email protected]> * fix things test Signed-off-by: Arvindh <[email protected]> --------- Signed-off-by: Arvindh <[email protected]>
absmach · Dec 25, 2023 · c2f125f · c2f125f
1 parent 5590695
commit c2f125f
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 7 deletions.
diff --git a/internal/groups/service.go b/internal/groups/service.go
@@ -46,6 +46,10 @@ func (svc service) CreateGroup(ctx context.Context, token, kind string, g groups
 	if err != nil {
 		return groups.Group{}, err
 	}
+	// If domain is disabled , then this authorization will fail for all non-admin domain users
+	if _, err := svc.authorizeKind(ctx, auth.UserType, auth.UsersKind, res.GetId(), auth.MembershipPermission, auth.DomainType, res.GetDomainId()); err != nil {
+		return groups.Group{}, err
+	}
 	groupID, err := svc.idProvider.ID()
 	if err != nil {
 		return groups.Group{}, err
@@ -58,7 +62,7 @@ func (svc service) CreateGroup(ctx context.Context, token, kind string, g groups
 	g.CreatedAt = time.Now()
 	g.Owner = res.GetDomainId()
 	if g.Parent != "" {
-		_, err := svc.authorize(ctx, auth.UserType, token, auth.EditPermission, auth.GroupType, g.Parent)
+		_, err := svc.authorizeToken(ctx, auth.UserType, token, auth.EditPermission, auth.GroupType, g.Parent)
 		if err != nil {
 			return groups.Group{}, errors.Wrap(errParentUnAuthz, err)
 		}
@@ -107,7 +111,7 @@ func (svc service) CreateGroup(ctx context.Context, token, kind string, g groups
 }
 
 func (svc service) ViewGroup(ctx context.Context, token, id string) (groups.Group, error) {
-	_, err := svc.authorize(ctx, auth.UserType, token, auth.ViewPermission, auth.GroupType, id)
+	_, err := svc.authorizeToken(ctx, auth.UserType, token, auth.ViewPermission, auth.GroupType, id)
 	if err != nil {
 		return groups.Group{}, err
 	}
@@ -219,6 +223,10 @@ func (svc service) ListGroups(ctx context.Context, token, memberKind, memberID s
 				}
 				gm.PageMeta.OwnerID = res.GetDomainId()
 			default:
+				// If domain is disabled , then this authorization will fail for all non-admin domain users
+				if _, err := svc.authorizeKind(ctx, auth.UserType, auth.UsersKind, res.GetId(), auth.MembershipPermission, auth.DomainType, res.GetDomainId()); err != nil {
+					return groups.Page{}, err
+				}
 				ids, err = svc.listAllGroupsOfUserID(ctx, res.GetId(), gm.Permission)
 				if err != nil {
 					return groups.Page{}, err
@@ -294,7 +302,7 @@ func (svc service) checkSuperAdmin(ctx context.Context, userID string) error {
 
 // IMPROVEMENT NOTE: remove this function and all its related auxiliary function, ListMembers are moved to respective service.
 func (svc service) ListMembers(ctx context.Context, token, groupID, permission, memberKind string) (groups.MembersPage, error) {
-	_, err := svc.authorize(ctx, auth.UserType, token, auth.ViewPermission, auth.GroupType, groupID)
+	_, err := svc.authorizeToken(ctx, auth.UserType, token, auth.ViewPermission, auth.GroupType, groupID)
 	if err != nil {
 		return groups.MembersPage{}, err
 	}
@@ -355,7 +363,7 @@ func (svc service) ListMembers(ctx context.Context, token, groupID, permission,
 }
 
 func (svc service) UpdateGroup(ctx context.Context, token string, g groups.Group) (groups.Group, error) {
-	id, err := svc.authorize(ctx, auth.UserType, token, auth.EditPermission, auth.GroupType, g.ID)
+	id, err := svc.authorizeToken(ctx, auth.UserType, token, auth.EditPermission, auth.GroupType, g.ID)
 	if err != nil {
 		return groups.Group{}, err
 	}
@@ -685,7 +693,7 @@ func (svc service) listAllGroupsOfUserID(ctx context.Context, userID, permission
 }
 
 func (svc service) changeGroupStatus(ctx context.Context, token string, group groups.Group) (groups.Group, error) {
-	id, err := svc.authorize(ctx, auth.UserType, token, auth.EditPermission, auth.GroupType, group.ID)
+	id, err := svc.authorizeToken(ctx, auth.UserType, token, auth.EditPermission, auth.GroupType, group.ID)
 	if err != nil {
 		return groups.Group{}, err
 	}
@@ -712,7 +720,7 @@ func (svc service) identify(ctx context.Context, token string) (*magistrala.Iden
 	return res, nil
 }
 
-func (svc service) authorize(ctx context.Context, subjectType, subject, permission, objectType, object string) (string, error) {
+func (svc service) authorizeToken(ctx context.Context, subjectType, subject, permission, objectType, object string) (string, error) {
 	req := &magistrala.AuthorizeReq{
 		SubjectType: subjectType,
 		SubjectKind: auth.TokenKind,

diff --git a/things/service.go b/things/service.go
@@ -70,6 +70,11 @@ func (svc service) CreateThings(ctx context.Context, token string, cls ...mgclie
 	if err != nil {
 		return []mgclients.Client{}, err
 	}
+	// If domain is disabled , then this authorization will fail for all non-admin domain users
+	if _, err := svc.authorize(ctx, auth.UserType, auth.UsersKind, user.GetId(), auth.MembershipPermission, auth.DomainType, user.GetDomainId()); err != nil {
+		return []mgclients.Client{}, err
+	}
+
 	var clients []mgclients.Client
 	for _, c := range cls {
 		if c.ID == "" {
@@ -185,6 +190,10 @@ func (svc service) ListClients(ctx context.Context, token, reqUserID string, pm
 			}
 			pm.Owner = res.GetDomainId()
 		default:
+			// If domain is disabled , then this authorization will fail for all non-admin domain users
+			if _, err := svc.authorize(ctx, auth.UserType, auth.UsersKind, res.GetId(), auth.MembershipPermission, auth.DomainType, res.GetDomainId()); err != nil {
+				return mgclients.ClientsPage{}, err
+			}
 			ids, err = svc.listClientIDs(ctx, res.GetId(), pm.Permission)
 			if err != nil {
 				return mgclients.ClientsPage{}, errors.Wrap(repoerr.ErrNotFound, err)

diff --git a/things/service_test.go b/things/service_test.go
@@ -241,7 +241,8 @@ func TestRegisterClient(t *testing.T) {
 	for _, tc := range cases {
 		repoCall := auth.On("Identify", mock.Anything, &magistrala.IdentityReq{Token: tc.token}).Return(&magistrala.IdentityRes{Id: validID, DomainId: testsutil.GenerateUUID(t)}, nil)
 		repoCall1 := auth.On("AddPolicies", mock.Anything, mock.Anything).Return(&magistrala.AddPoliciesRes{Authorized: true}, nil)
-		repoCall2 := cRepo.On("Save", context.Background(), mock.Anything).Return([]mgclients.Client{tc.client}, tc.err)
+		repoCall2 := auth.On("Authorize", mock.Anything, mock.Anything).Return(&magistrala.AuthorizeRes{Authorized: true}, nil)
+		repoCall3 := cRepo.On("Save", context.Background(), mock.Anything).Return([]mgclients.Client{tc.client}, tc.err)
 		expected, err := svc.CreateThings(context.Background(), tc.token, tc.client)
 		assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
 		if err == nil {
@@ -256,6 +257,7 @@ func TestRegisterClient(t *testing.T) {
 		repoCall.Unset()
 		repoCall1.Unset()
 		repoCall2.Unset()
+		repoCall3.Unset()
 	}
 }