Merge branch 'main' into add-e2etest-edge-case

Author: mabdh

cmd/serve.go

@@ -189,11 +189,7 @@ func BuildAPIDependencies(
 
 	resourcePGRepository := postgres.NewResourceRepository(dbc)
 	resourceService := resource.NewService(
-		resourcePGRepository,
-		resourceBlobRepository,
-		relationService,
-		userService,
-		projectService)
+		resourcePGRepository, resourceBlobRepository, relationService, userService, projectService, organizationService, groupService)
 
 	relationAdapter := adapter.NewRelation(groupService, userService, relationService)
 

core/resource/service.go

@@ -5,12 +5,14 @@ import (
 	"strings"
 
 	"github.com/goto/shield/core/action"
+	"github.com/goto/shield/core/group"
 	"github.com/goto/shield/core/namespace"
 	"github.com/goto/shield/core/organization"
 	"github.com/goto/shield/core/project"
 	"github.com/goto/shield/core/relation"
 	"github.com/goto/shield/core/user"
 	"github.com/goto/shield/internal/schema"
+	"github.com/goto/shield/pkg/uuid"
 )
 
 type RelationService interface {
@@ -28,21 +30,33 @@ type ProjectService interface {
 	Get(ctx context.Context, id string) (project.Project, error)
 }
 
+type OrganizationService interface {
+	Get(ctx context.Context, id string) (organization.Organization, error)
+}
+
+type GroupService interface {
+	Get(ctx context.Context, id string) (group.Group, error)
+}
+
 type Service struct {
-	repository       Repository
-	configRepository ConfigRepository
-	relationService  RelationService
-	userService      UserService
-	projectService   ProjectService
+	repository          Repository
+	configRepository    ConfigRepository
+	relationService     RelationService
+	userService         UserService
+	projectService      ProjectService
+	organizationService OrganizationService
+	groupService        GroupService
 }
 
-func NewService(repository Repository, configRepository ConfigRepository, relationService RelationService, userService UserService, projectService ProjectService) *Service {
+func NewService(repository Repository, configRepository ConfigRepository, relationService RelationService, userService UserService, projectService ProjectService, organizationService OrganizationService, groupService GroupService) *Service {
 	return &Service{
-		repository:       repository,
-		configRepository: configRepository,
-		relationService:  relationService,
-		userService:      userService,
-		projectService:   projectService,
+		repository:          repository,
+		configRepository:    configRepository,
+		relationService:     relationService,
+		userService:         userService,
+		projectService:      projectService,
+		organizationService: organizationService,
+		groupService:        groupService,
 	}
 }
 
@@ -158,6 +172,28 @@ func (s Service) CheckAuthz(ctx context.Context, res Resource, act action.Action
 	fetchedResource := res
 
 	if isSystemNS {
+		if !uuid.IsValid(res.Name) {
+			switch res.NamespaceID {
+			case namespace.DefinitionProject.ID:
+				project, err := s.projectService.Get(ctx, res.Name)
+				if err != nil {
+					return false, err
+				}
+				res.Name = project.ID
+			case namespace.DefinitionOrg.ID:
+				organization, err := s.organizationService.Get(ctx, res.Name)
+				if err != nil {
+					return false, err
+				}
+				res.Name = organization.ID
+			case namespace.DefinitionTeam.ID:
+				group, err := s.groupService.Get(ctx, res.Name)
+				if err != nil {
+					return false, err
+				}
+				res.Name = group.ID
+			}
+		}
 		fetchedResource.Idxa = res.Name
 	} else {
 		fetchedResource, err = s.repository.GetByNamespace(ctx, res.Name, res.NamespaceID)

internal/proxy/middleware/authz/authz.go

@@ -257,6 +257,7 @@ func (c *Authz) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 			c.notAllowed(rw, err)
 			return
 		}
+		c.log.Info("successfully checked permission", "permission", permission.Name, "result", isAuthorized)
 		if isAuthorized {
 			break
 		}

internal/store/postgres/group_repository_test.go

@@ -9,15 +9,16 @@ import (
 	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/google/uuid"
 	"github.com/goto/salt/log"
+	"github.com/ory/dockertest"
+	"github.com/stretchr/testify/suite"
+
 	"github.com/goto/shield/core/group"
 	"github.com/goto/shield/core/organization"
 	"github.com/goto/shield/core/relation"
 	"github.com/goto/shield/core/user"
 	"github.com/goto/shield/internal/schema"
 	"github.com/goto/shield/internal/store/postgres"
 	"github.com/goto/shield/pkg/db"
-	"github.com/ory/dockertest"
-	"github.com/stretchr/testify/suite"
 )
 
 type GroupRepositoryTestSuite struct {
@@ -712,6 +713,50 @@ func (s *GroupRepositoryTestSuite) TestListGroupRelations() {
 						RoleID:    "shield/group:member",
 					},
 				},
+				{
+					Object: relation.Object{
+						ID:          s.groups[0].ID,
+						NamespaceID: schema.GroupNamespace,
+					},
+					Subject: relation.Subject{
+						ID:        s.users[2].ID,
+						Namespace: schema.UserPrincipal,
+						RoleID:    "shield/group:member",
+					},
+				},
+				{
+					Object: relation.Object{
+						ID:          s.groups[0].ID,
+						NamespaceID: schema.GroupNamespace,
+					},
+					Subject: relation.Subject{
+						ID:        s.users[3].ID,
+						Namespace: schema.UserPrincipal,
+						RoleID:    "shield/group:member",
+					},
+				},
+				{
+					Object: relation.Object{
+						ID:          s.groups[0].ID,
+						NamespaceID: schema.GroupNamespace,
+					},
+					Subject: relation.Subject{
+						ID:        s.users[4].ID,
+						Namespace: schema.UserPrincipal,
+						RoleID:    "shield/group:member",
+					},
+				},
+				{
+					Object: relation.Object{
+						ID:          s.groups[0].ID,
+						NamespaceID: schema.GroupNamespace,
+					},
+					Subject: relation.Subject{
+						ID:        s.users[5].ID,
+						Namespace: schema.UserPrincipal,
+						RoleID:    "shield/group:member",
+					},
+				},
 			},
 		},
 	}

internal/store/postgres/testdata/mock-user.json

@@ -14,5 +14,29 @@
                 "bar": "v2"
             }
         }
+    },
+    {
+        "name": "Alex Xu",
+        "email": "[email protected]"
+    },
+    {
+        "name": "Alexa Xu",
+        "email": "[email protected]",
+        "metadata": {
+            "k1": "value-string",
+            "k2": 123,
+            "k3": {
+                "foo": "v1",
+                "bar": "v2"
+            }
+        }
+    },
+    {
+        "name": "Bella Anto",
+        "email": "[email protected]"
+    },
+    {
+        "name": "Balex Ro",
+        "email": "[email protected]"
     }
 ]

internal/store/postgres/user_repository.go

@@ -11,11 +11,12 @@ import (
 	"time"
 
 	"github.com/doug-martin/goqu/v9"
+	"github.com/jmoiron/sqlx"
+	newrelic "github.com/newrelic/go-agent"
+
 	"github.com/goto/shield/core/user"
 	"github.com/goto/shield/pkg/db"
 	"github.com/goto/shield/pkg/uuid"
-	"github.com/jmoiron/sqlx"
-	newrelic "github.com/newrelic/go-agent"
 )
 
 type UserRepository struct {
@@ -279,10 +280,20 @@ func (r UserRepository) List(ctx context.Context, flt user.Filter) ([]user.User,
 
 	query, params, err := dialect.From(TABLE_USERS).LeftOuterJoin(
 		goqu.T(TABLE_METADATA),
-		goqu.On(goqu.Ex{"users.id": goqu.I("metadata.user_id")})).Select("users.id", "name", "email", "key", "value", "users.created_at", "users.updated_at").Where(goqu.Or(
-		goqu.C("name").ILike(fmt.Sprintf("%%%s%%", flt.Keyword)),
-		goqu.C("email").ILike(fmt.Sprintf("%%%s%%", flt.Keyword)),
-	)).Limit(uint(flt.Limit)).Offset(uint(offset)).ToSQL()
+		goqu.On(goqu.Ex{"users.id": goqu.I("metadata.user_id")})).Select("users.id", "name", "email", "key", "value", "users.created_at", "users.updated_at").Where(
+		goqu.I("users.email").In(
+			goqu.From("users").
+				Select(goqu.DISTINCT("email")).
+				Where(
+					goqu.Or(
+						goqu.C("name").ILike(fmt.Sprintf("%%%s%%", flt.Keyword)),
+						goqu.C("email").ILike(fmt.Sprintf("%%%s%%", flt.Keyword)),
+					),
+				).
+				Limit(uint(flt.Limit)).
+				Offset(uint(offset)),
+		),
+	).ToSQL()
 	if err != nil {
 		return []user.User{}, fmt.Errorf("%w: %s", queryErr, err)
 	}

internal/store/postgres/user_repository_test.go

@@ -4,18 +4,20 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"sort"
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/google/uuid"
 	"github.com/goto/salt/log"
+	"github.com/ory/dockertest"
+	"github.com/stretchr/testify/suite"
+
 	"github.com/goto/shield/core/user"
 	"github.com/goto/shield/internal/store/postgres"
 	"github.com/goto/shield/pkg/db"
 	"github.com/goto/shield/pkg/metadata"
-	"github.com/ory/dockertest"
-	"github.com/stretchr/testify/suite"
 )
 
 type UserRepositoryTestSuite struct {
@@ -241,7 +243,27 @@ func (s *UserRepositoryTestSuite) TestList() {
 		{
 			Description: "should return empty users if keyword not match any",
 			Filter: user.Filter{
-				Keyword: "some-keyword",
+				Keyword: "random=keyword",
+			},
+		},
+		{
+			Description: "should return list of users if keyword match",
+			Filter: user.Filter{
+				Keyword: "alex",
+			},
+			ExpectedUsers: []user.User{
+				{
+					Name:  s.users[2].Name,
+					Email: s.users[2].Email,
+				},
+				{
+					Name:  s.users[3].Name,
+					Email: s.users[3].Email,
+				},
+				{
+					Name:  s.users[5].Name,
+					Email: s.users[5].Email,
+				},
 			},
 		},
 		{
@@ -252,8 +274,56 @@ func (s *UserRepositoryTestSuite) TestList() {
 			},
 			ExpectedUsers: []user.User{
 				{
-					Name:  s.users[0].Name,
-					Email: s.users[0].Email,
+					Name:  s.users[3].Name,
+					Email: s.users[3].Email,
+				},
+			},
+		},
+		{
+			Description: "should return 1st page after filtering the users based on keywords",
+			Filter: user.Filter{
+				Keyword: "alex",
+				Page:    1,
+				Limit:   2,
+			},
+			ExpectedUsers: []user.User{
+				{
+					Name:  s.users[2].Name,
+					Email: s.users[2].Email,
+				},
+				{
+					Name:  s.users[3].Name,
+					Email: s.users[3].Email,
+				},
+			},
+		},
+		{
+			Description: "should return 2nd page after filtering the users based on keywords",
+			Filter: user.Filter{
+				Keyword: "alex",
+				Page:    2,
+				Limit:   2,
+			},
+			ExpectedUsers: []user.User{
+				{
+					Name:  s.users[5].Name,
+					Email: s.users[5].Email,
+				},
+			},
+		},
+		{
+			Description: "should return all users with keyword matching email or name",
+			Filter: user.Filter{
+				Keyword: "xu",
+			},
+			ExpectedUsers: []user.User{
+				{
+					Name:  s.users[2].Name,
+					Email: s.users[2].Email,
+				},
+				{
+					Name:  s.users[3].Name,
+					Email: s.users[3].Email,
 				},
 			},
 		},
@@ -270,6 +340,20 @@ func (s *UserRepositoryTestSuite) TestList() {
 			if !(len(got) == len(tc.ExpectedUsers)) {
 				s.T().Fatalf("got result %+v, expected was %+v", got, tc.ExpectedUsers)
 			}
+
+			sort.Slice(got, func(i, j int) bool {
+				return got[i].Email < got[j].Email
+			})
+
+			sort.Slice(tc.ExpectedUsers, func(i, j int) bool {
+				return tc.ExpectedUsers[i].Email < tc.ExpectedUsers[j].Email
+			})
+
+			for idx := 0; idx < len(got); idx++ {
+				if got[idx].Name != tc.ExpectedUsers[idx].Name || got[idx].Email != tc.ExpectedUsers[idx].Email {
+					s.T().Fatalf("got user %+v, expected was %+v", got[idx], tc.ExpectedUsers[idx])
+				}
+			}
 		})
 	}
 }