Move role package to auth/authz and create specific expored functions

for checking permissions

Co-authored-by: Thomas Krampl <[email protected]>

Author: christeredvartsen

.configs/gqlgen.yaml

@@ -27,6 +27,7 @@ omit_root_models: true
 autobind:
   - "github.com/99designs/gqlgen/graphql/introspection" # Without this line in the beginning, a `prelude.resolver.go` is generated
   - "github.com/nais/api/internal/activitylog"
+  - "github.com/nais/api/internal/auth/authz"
   - "github.com/nais/api/internal/cost"
   - "github.com/nais/api/internal/deployment"
   - "github.com/nais/api/internal/feature"
@@ -41,7 +42,6 @@ autobind:
   - "github.com/nais/api/internal/persistence/sqlinstance"
   - "github.com/nais/api/internal/persistence/valkey"
   - "github.com/nais/api/internal/reconciler"
-  - "github.com/nais/api/internal/role/graphrole"
   - "github.com/nais/api/internal/search"
   - "github.com/nais/api/internal/serviceaccount"
   - "github.com/nais/api/internal/status"

.configs/sqlc.yaml

@@ -68,13 +68,13 @@ sql:
         out: "../internal/team/teamsql"
 
   - <<: *default_domain
-    name: "Roles SQL"
-    queries: "../internal/role/queries"
+    name: "Authz SQL"
+    queries: "../internal/auth/authz/queries"
     gen:
       go:
         <<: *default_go
-        package: "rolesql"
-        out: "../internal/role/rolesql"
+        package: "authzsql"
+        out: "../internal/auth/authz/authzsql"
 
   - <<: *default_domain
     name: "Activity log SQL"

cmd/setup_local/main.go

@@ -153,7 +153,7 @@ func run(ctx context.Context, cfg *seedConfig, log logrus.FieldLogger) error {
 	ctx = activitylog.NewLoaderContext(ctx, pool)
 	ctx = user.NewLoaderContext(ctx, pool)
 	ctx = team.NewLoaderContext(ctx, pool, nil)
-	ctx = role.NewLoaderContext(ctx, pool)
+	ctx = authz.NewLoaderContext(ctx, pool)
 	ctx = environment.NewLoaderContext(ctx, pool)
 
 	emails := map[string]struct{}{}
@@ -217,12 +217,6 @@ func run(ctx context.Context, cfg *seedConfig, log logrus.FieldLogger) error {
 			return fmt.Errorf("sync environments: %w", err)
 		}
 
-		defaultUserRoles := []string{
-			"Team creator",
-			"Team viewer",
-			"User viewer",
-		}
-
 		var err error
 		var adminUser, devUser *user.User
 
@@ -233,7 +227,7 @@ func run(ctx context.Context, cfg *seedConfig, log logrus.FieldLogger) error {
 				return fmt.Errorf("create admin user: %w", err)
 			}
 		}
-		if err := role.AssignGlobalRoleToUser(ctx, adminUser.UUID, "Admin"); err != nil {
+		if err := authz.AssignGlobalAdmin(ctx, adminUser.UUID); err != nil {
 			return fmt.Errorf("assign global admin role to admin user: %w", err)
 		}
 		actor := &authz.Actor{User: adminUser}
@@ -245,10 +239,9 @@ func run(ctx context.Context, cfg *seedConfig, log logrus.FieldLogger) error {
 				return fmt.Errorf("create dev user: %w", err)
 			}
 		}
-		for _, roleName := range defaultUserRoles {
-			if err := role.AssignGlobalRoleToUser(ctx, devUser.UUID, roleName); err != nil {
-				return fmt.Errorf("assign globla role %q to dev user: %w", roleName, err)
-			}
+
+		if err := authz.AssignDefaultPermissionsToUser(ctx, devUser.UUID); err != nil {
+			return fmt.Errorf("assign default permissions to dev user: %w", err)
 		}
 
 		users := []*user.User{devUser}
@@ -266,10 +259,8 @@ func run(ctx context.Context, cfg *seedConfig, log logrus.FieldLogger) error {
 				return fmt.Errorf("create user %q: %w", email, err)
 			}
 
-			for _, roleName := range defaultUserRoles {
-				if err = role.AssignGlobalRoleToUser(ctx, u.UUID, roleName); err != nil {
-					return fmt.Errorf("assign global role %q to user %q: %w", roleName, u.Email, err)
-				}
+			if err = authz.AssignDefaultPermissionsToUser(ctx, u.UUID); err != nil {
+				return fmt.Errorf("assign default permissions to user %q: %w", u.Email, err)
 			}
 
 			log.Infof("%d/%d users created", i, *cfg.NumUsers)
@@ -302,8 +293,8 @@ func run(ctx context.Context, cfg *seedConfig, log logrus.FieldLogger) error {
 			return fmt.Errorf("update external references for devteam: %w", err)
 		}
 
-		if err := role.AssignTeamRoleToUser(ctx, devUser.UUID, devteam.Slug, "Team owner"); err != nil {
-			return fmt.Errorf("assign team owner role to dev user: %w", err)
+		if err := authz.MakeUserTeamOwner(ctx, devUser.UUID, devteam.Slug); err != nil {
+			return fmt.Errorf("make user %q owner of team %q: %w", devUser.Email, devteam.Slug, err)
 		}
 
 		input := &team.UpdateTeamEnvironmentInput{
@@ -354,15 +345,15 @@ func run(ctx context.Context, cfg *seedConfig, log logrus.FieldLogger) error {
 
 			for o := 0; o < *cfg.NumOwnersPerTeam; o++ {
 				u := users[rand.IntN(usersCreated)]
-				if err = role.AssignTeamRoleToUser(ctx, u.UUID, t.Slug, "Team owner"); err != nil {
-					return fmt.Errorf("assign team owner role to user %q in team %q: %w", u.Email, t.Slug, err)
+				if err = authz.MakeUserTeamOwner(ctx, u.UUID, t.Slug); err != nil {
+					return fmt.Errorf("make user %q owner of team %q: %w", u.Email, t.Slug, err)
 				}
 			}
 
 			for o := 0; o < *cfg.NumMembersPerTeam; o++ {
 				u := users[rand.IntN(usersCreated)]
-				if err = role.AssignTeamRoleToUser(ctx, u.UUID, t.Slug, "Team member"); err != nil {
-					return fmt.Errorf("assign team member role to user %q in team %q: %w", u.Email, t.Slug, err)
+				if err = authz.MakeUserTeamMember(ctx, u.UUID, t.Slug); err != nil {
+					return fmt.Errorf("make user %q member of team %q: %w", u.Email, t.Slug, err)
 				}
 			}
 

internal/role/authorizations.go internal/auth/authz/authorizations.go

@@ -1,4 +1,4 @@
-package role
+package authz
 
 /*
 type Authorization string
@@ -35,23 +35,23 @@ const (
 	AuthorizationUnleashUpdate         Authorization = "unleash:update"
 )
 
-var roles = map[rolesql.RoleName][]Authorization{
-	rolesql.RoleNameAdmin: {
+var roles = map[authzsql.RoleName][]Authorization{
+	authzsql.RoleNameAdmin: {
 		// Admins have all authorizations
 	},
-	rolesql.RoleNameTeamcreator: {
+	authzsql.RoleNameTeamcreator: {
 		AuthorizationTeamsCreate,
 	},
-	rolesql.RoleNameServiceaccountcreator: {
+	authzsql.RoleNameServiceaccountcreator: {
 		AuthorizationServiceAccountsCreate,
 	},
-	rolesql.RoleNameServiceaccountowner: {
+	authzsql.RoleNameServiceaccountowner: {
 		AuthorizationServiceAccountsCreate,
 		AuthorizationServiceAccountsDelete,
 		AuthorizationServiceAccountsRead,
 		AuthorizationServiceAccountsUpdate,
 	},
-	rolesql.RoleNameTeammember: {
+	authzsql.RoleNameTeammember: {
 		AuthorizationActivityLogsRead,
 		AuthorizationTeamsRead,
 		AuthorizationTeamsMetadataUpdate,
@@ -76,7 +76,7 @@ var roles = map[rolesql.RoleName][]Authorization{
 		AuthorizationServiceAccountsRead,
 		AuthorizationServiceAccountsUpdate,
 	},
-	rolesql.RoleNameTeamowner: {
+	authzsql.RoleNameTeamowner: {
 		AuthorizationActivityLogsRead,
 		AuthorizationTeamsDelete,
 		AuthorizationTeamsRead,
@@ -103,22 +103,22 @@ var roles = map[rolesql.RoleName][]Authorization{
 		AuthorizationServiceAccountsRead,
 		AuthorizationServiceAccountsUpdate,
 	},
-	rolesql.RoleNameTeamviewer: {
+	authzsql.RoleNameTeamviewer: {
 		AuthorizationActivityLogsRead,
 		AuthorizationTeamsList,
 		AuthorizationTeamsRead,
 	},
-	rolesql.RoleNameUseradmin: {
+	authzsql.RoleNameUseradmin: {
 		AuthorizationUsersList,
 	},
-	rolesql.RoleNameUserviewer: {
+	authzsql.RoleNameUserviewer: {
 		AuthorizationUsersList,
 	},
-	rolesql.RoleNameSynchronizer: {
+	authzsql.RoleNameSynchronizer: {
 		AuthorizationTeamsSynchronize,
 		AuthorizationUsersyncSynchronize,
 	},
-	rolesql.RoleNameDeploykeyviewer: {
+	authzsql.RoleNameDeploykeyviewer: {
 		AuthorizationDeployKeyRead,
 	},
 }

internal/auth/authz/authz.go

@@ -2,12 +2,9 @@ package authz
 
 import (
 	"context"
-	"errors"
 
 	"github.com/google/uuid"
-	"github.com/nais/api/internal/role"
-	"github.com/nais/api/internal/role/rolesql"
-	"github.com/nais/api/internal/slug"
+	"github.com/nais/api/internal/graph/apierror"
 )
 
 type ContextKey string
@@ -20,10 +17,10 @@ type AuthenticatedUser interface {
 
 type Actor struct {
 	User  AuthenticatedUser
-	Roles []*role.Role
+	Roles []*Role
 }
 
-var ErrNotAuthenticated = errors.New("not authenticated")
+var ErrNotAuthenticated = apierror.Errorf("Valid user required. You are not logged in.")
 
 func (u *Actor) Authenticated() bool {
 	if u == nil || u.User == nil {
@@ -36,7 +33,7 @@ func (u *Actor) Authenticated() bool {
 const contextKeyUser ContextKey = "actor"
 
 // ContextWithActor Return a context with an actor attached to it.
-func ContextWithActor(ctx context.Context, user AuthenticatedUser, roles []*role.Role) context.Context {
+func ContextWithActor(ctx context.Context, user AuthenticatedUser, roles []*Role) context.Context {
 	return context.WithValue(ctx, contextKeyUser, &Actor{
 		User:  user,
 		Roles: roles,
@@ -50,19 +47,21 @@ func ActorFromContext(ctx context.Context) *Actor {
 	return actor
 }
 
-// RequireGlobalAuthorization Require an actor to have a specific authorization through a globally assigned role.
-func RequireGlobalAuthorization(actor *Actor, requiredAuthzName role.Authorization) error {
+/*
+// requireGlobalAuthorization Require an actor to have a specific authorization through a globally assigned role.
+func requireGlobalAuthorization(actor *Actor, requiredAuthzName string) error {
 	if !actor.Authenticated() {
 		return ErrNotAuthenticated
 	}
 
-	authorizations := make(map[role.Authorization]struct{})
+	authorizations := make(map[string]struct{})
 
 	for _, r := range actor.Roles {
-		if r.Name == rolesql.RoleNameAdmin {
+		if r.Name == "Admin" {
 			return nil
 		}
 
+		authorizations, err := ListAuthorizationsInRole(r.Name)
 		roleAuthz, err := r.Authorizations()
 		if err != nil {
 			return err
@@ -77,17 +76,19 @@ func RequireGlobalAuthorization(actor *Actor, requiredAuthzName role.Authorizati
 	return authorized(authorizations, requiredAuthzName)
 }
 
-// RequireTeamAuthorization Require an actor to have a specific authorization through a globally assigned or a correctly
+
+
+// requireTeamAuthorization Require an actor to have a specific authorization through a globally assigned or a correctly
 // targeted role.
-func RequireTeamAuthorization(actor *Actor, requiredAuthzName role.Authorization, targetTeamSlug slug.Slug) error {
+func requireTeamAuthorization(actor *Actor, requiredAuthzName string, targetTeamSlug slug.Slug) error {
 	if !actor.Authenticated() {
 		return ErrNotAuthenticated
 	}
 
-	authorizations := make(map[role.Authorization]struct{})
+	authorizations := make(map[string]struct{})
 
 	for _, r := range actor.Roles {
-		if r.Name == rolesql.RoleNameAdmin {
+		if r.Name == "Admin" {
 			return nil
 		}
 
@@ -106,12 +107,13 @@ func RequireTeamAuthorization(actor *Actor, requiredAuthzName role.Authorization
 }
 
 // RequireTeamAuthorizationCtx fetches the actor from the context and checks if it has the required authorization.
-func RequireTeamAuthorizationCtx(ctx context.Context, requiredAuthzName role.Authorization, targetTeamSlug slug.Slug) error {
+func RequireTeamAuthorizationCtx(ctx context.Context, requiredAuthzName string, targetTeamSlug slug.Slug) error {
 	return RequireTeamAuthorization(ActorFromContext(ctx), requiredAuthzName, targetTeamSlug)
 }
+*/
 
 // authorized Check if one of the authorizations in the map matches the required authorization.
-func authorized(authorizations map[role.Authorization]struct{}, requiredAuthzName role.Authorization) error {
+func authorized(authorizations map[string]struct{}, requiredAuthzName string) error {
 	for authorization := range authorizations {
 		if authorization == requiredAuthzName {
 			return nil
@@ -128,7 +130,7 @@ func RequireGlobalAdmin(ctx context.Context) error {
 	}
 
 	for _, r := range actor.Roles {
-		if r.Name == rolesql.RoleNameAdmin {
+		if r.Name == "Admin" {
 			return nil
 		}
 	}