feat: authz middleware to accept both slug and uuid for system ns (#34)

* feat: AuthCheck middleware to accept both slug and uuid for system ns

* fix: add services

* test: add test with org as slug

* test: remove tests

* test: add tests

* test: add tests

* chore: coverage

Author: ishanarya0

cmd/serve.go

@@ -189,11 +189,7 @@ func BuildAPIDependencies(
 
 	resourcePGRepository := postgres.NewResourceRepository(dbc)
 	resourceService := resource.NewService(
-		resourcePGRepository,
-		resourceBlobRepository,
-		relationService,
-		userService,
-		projectService)
+		resourcePGRepository, resourceBlobRepository, relationService, userService, projectService, organizationService, groupService)
 
 	relationAdapter := adapter.NewRelation(groupService, userService, relationService)
 

core/resource/service.go

@@ -5,12 +5,14 @@ import (
 	"strings"
 
 	"github.com/goto/shield/core/action"
+	"github.com/goto/shield/core/group"
 	"github.com/goto/shield/core/namespace"
 	"github.com/goto/shield/core/organization"
 	"github.com/goto/shield/core/project"
 	"github.com/goto/shield/core/relation"
 	"github.com/goto/shield/core/user"
 	"github.com/goto/shield/internal/schema"
+	"github.com/goto/shield/pkg/uuid"
 )
 
 type RelationService interface {
@@ -28,21 +30,33 @@ type ProjectService interface {
 	Get(ctx context.Context, id string) (project.Project, error)
 }
 
+type OrganizationService interface {
+	Get(ctx context.Context, id string) (organization.Organization, error)
+}
+
+type GroupService interface {
+	Get(ctx context.Context, id string) (group.Group, error)
+}
+
 type Service struct {
-	repository       Repository
-	configRepository ConfigRepository
-	relationService  RelationService
-	userService      UserService
-	projectService   ProjectService
+	repository          Repository
+	configRepository    ConfigRepository
+	relationService     RelationService
+	userService         UserService
+	projectService      ProjectService
+	organizationService OrganizationService
+	groupService        GroupService
 }
 
-func NewService(repository Repository, configRepository ConfigRepository, relationService RelationService, userService UserService, projectService ProjectService) *Service {
+func NewService(repository Repository, configRepository ConfigRepository, relationService RelationService, userService UserService, projectService ProjectService, organizationService OrganizationService, groupService GroupService) *Service {
 	return &Service{
-		repository:       repository,
-		configRepository: configRepository,
-		relationService:  relationService,
-		userService:      userService,
-		projectService:   projectService,
+		repository:          repository,
+		configRepository:    configRepository,
+		relationService:     relationService,
+		userService:         userService,
+		projectService:      projectService,
+		organizationService: organizationService,
+		groupService:        groupService,
 	}
 }
 
@@ -158,6 +172,28 @@ func (s Service) CheckAuthz(ctx context.Context, res Resource, act action.Action
 	fetchedResource := res
 
 	if isSystemNS {
+		if !uuid.IsValid(res.Name) {
+			switch res.NamespaceID {
+			case namespace.DefinitionProject.ID:
+				project, err := s.projectService.Get(ctx, res.Name)
+				if err != nil {
+					return false, err
+				}
+				res.Name = project.ID
+			case namespace.DefinitionOrg.ID:
+				organization, err := s.organizationService.Get(ctx, res.Name)
+				if err != nil {
+					return false, err
+				}
+				res.Name = organization.ID
+			case namespace.DefinitionTeam.ID:
+				group, err := s.groupService.Get(ctx, res.Name)
+				if err != nil {
+					return false, err
+				}
+				res.Name = group.ID
+			}
+		}
 		fetchedResource.Idxa = res.Name
 	} else {
 		fetchedResource, err = s.repository.GetByNamespace(ctx, res.Name, res.NamespaceID)

internal/proxy/middleware/authz/authz.go

@@ -257,6 +257,7 @@ func (c *Authz) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 			c.notAllowed(rw, err)
 			return
 		}
+		c.log.Info("successfully checked permission", "permission", permission.Name, "result", isAuthorized)
 		if isAuthorized {
 			break
 		}

test/e2e_test/smoke/proxy_test.go

@@ -20,7 +20,9 @@ type EndToEndProxySmokeTestSuite struct {
 	suite.Suite
 	userID       string
 	orgID        string
+	orgSlug      string
 	projID       string
+	projSlug     string
 	groupID      string
 	client       shieldv1beta1.ShieldServiceClient
 	cancelClient func()
@@ -50,11 +52,13 @@ func (s *EndToEndProxySmokeTestSuite) SetupTest() {
 	s.Require().NoError(err)
 	s.Require().Equal(1, len(oRes.GetOrganizations()))
 	s.orgID = oRes.GetOrganizations()[0].GetId()
+	s.orgSlug = oRes.GetOrganizations()[0].GetSlug()
 
 	pRes, err := s.client.ListProjects(ctx, &shieldv1beta1.ListProjectsRequest{})
 	s.Require().NoError(err)
 	s.Require().Equal(1, len(pRes.GetProjects()))
 	s.projID = pRes.GetProjects()[0].GetId()
+	s.projSlug = pRes.GetProjects()[0].GetSlug()
 
 	gRes, err := s.client.ListGroups(ctx, &shieldv1beta1.ListGroupsRequest{})
 	s.Require().NoError(err)
@@ -159,10 +163,89 @@ func (s *EndToEndProxySmokeTestSuite) TestProxyToEchoServer() {
 		s.Assert().Equal(401, res.StatusCode)
 	})
 
+	s.Run("permission expression: user not having permission at proj level will not be authenticated by middleware auth", func() {
+		url := fmt.Sprintf("http://localhost:%d/api/create_firehose_based_on_sink", s.appConfig.Proxy.Services[0].Port)
+		reqBodyMap := map[string]any{
+			"organization": s.orgID,
+			"project":      s.projID,
+			"configs": map[string]any{
+				"env_vars": map[string]any{
+					"SINK_TYPE": "bigquery",
+				},
+			},
+		}
+		reqBodyBytes, err := json.Marshal(reqBodyMap)
+		s.Require().NoError(err)
+
+		req, err := http.NewRequest(http.MethodPost, url, bytes.NewBuffer(reqBodyBytes))
+		s.Require().NoError(err)
+
+		req.Header.Set(testbench.IdentityHeader, "[email protected]")
+
+		res, err := http.DefaultClient.Do(req)
+		s.Require().NoError(err)
+
+		defer res.Body.Close()
+		s.Assert().Equal(401, res.StatusCode)
+	})
+
 	s.Run("permission expression: user not having permission at org level will not be authenticated by middleware auth", func() {
 		url := fmt.Sprintf("http://localhost:%d/api/create_firehose_based_on_sink", s.appConfig.Proxy.Services[0].Port)
 		reqBodyMap := map[string]any{
 			"organization": s.orgID,
+			"project":      s.projID,
+			"configs": map[string]any{
+				"env_vars": map[string]any{
+					"SINK_TYPE": "blob",
+				},
+			},
+		}
+		reqBodyBytes, err := json.Marshal(reqBodyMap)
+		s.Require().NoError(err)
+
+		req, err := http.NewRequest(http.MethodPost, url, bytes.NewBuffer(reqBodyBytes))
+		s.Require().NoError(err)
+
+		req.Header.Set(testbench.IdentityHeader, "[email protected]")
+
+		res, err := http.DefaultClient.Do(req)
+		s.Require().NoError(err)
+
+		defer res.Body.Close()
+		s.Assert().Equal(401, res.StatusCode)
+	})
+
+	s.Run("permission expression: user not having permission at org level will not be authenticated by middleware auth with org passed as slug", func() {
+		url := fmt.Sprintf("http://localhost:%d/api/create_firehose_based_on_sink", s.appConfig.Proxy.Services[0].Port)
+		reqBodyMap := map[string]any{
+			"organization": s.orgSlug,
+			"project":      s.projSlug,
+			"configs": map[string]any{
+				"env_vars": map[string]any{
+					"SINK_TYPE": "blob",
+				},
+			},
+		}
+		reqBodyBytes, err := json.Marshal(reqBodyMap)
+		s.Require().NoError(err)
+
+		req, err := http.NewRequest(http.MethodPost, url, bytes.NewBuffer(reqBodyBytes))
+		s.Require().NoError(err)
+
+		req.Header.Set(testbench.IdentityHeader, "[email protected]")
+
+		res, err := http.DefaultClient.Do(req)
+		s.Require().NoError(err)
+
+		defer res.Body.Close()
+		s.Assert().Equal(401, res.StatusCode)
+	})
+
+	s.Run("permission expression: user not having permission at proj level will not be authenticated by middleware auth with proj passed as slug", func() {
+		url := fmt.Sprintf("http://localhost:%d/api/create_firehose_based_on_sink", s.appConfig.Proxy.Services[0].Port)
+		reqBodyMap := map[string]any{
+			"organization": s.orgSlug,
+			"project":      s.projSlug,
 			"configs": map[string]any{
 				"env_vars": map[string]any{
 					"SINK_TYPE": "bigquery",

test/e2e_test/testbench/testdata/configs/resources/resource.yaml

@@ -57,4 +57,27 @@ shield/organization:
         - firehose_bq_admin
     - name: manage_gcs_firehose
       roles:
-        - firehose_gcs_admin
+        - firehose_gcs_admin
+
+shield/project:
+  type: system
+  roles:
+    - name: sink_editor
+      principals:
+        - shield/user
+        - shield/group
+    - name: firehose_project_bq_admin
+      principals:
+        - shield/user
+        - shield/group
+    - name: firehose_project_gcs_admin
+      principals:
+        - shield/user
+        - shield/group
+  permissions:
+    - name: manage_bq_firehose
+      roles:
+        - firehose_project_bq_admin
+    - name: manage_gcs_firehose
+      roles:
+        - firehose_project_bq_admin

test/e2e_test/testbench/testdata/configs/rules/rule.yamltpl

@@ -89,6 +89,9 @@ rules:
                     organization:
                       key: organization
                       type: json_payload
+                    project:
+                      key: project
+                      type: json_payload
                     sink:
                       key: configs.env_vars.SINK_TYPE
                       type: json_payload
@@ -101,8 +104,8 @@ rules:
                           operator: ==
                           value: "blob"
                     - name: manage_bq_firehose
-                      namespace: shield/organization
-                      attribute: organization
+                      namespace: shield/project
+                      attribute: project
                       expression:
                           attribute: sink
                           operator: ==