Some improvements for ABAC

2024-11-16 12:51:17 +03:00 · 2024-11-16 12:51:17 +03:00 · 4c129e776c
commit 4c129e776c
parent fac1b30bf4
18 changed files with 299 additions and 72 deletions
--- a/enshi_back/ABAC/blogsPolicies/blogPolicies.go
+++ b/enshi_back/ABAC/blogsPolicies/blogPolicies.go
@ -0,0 +1 @@
+package blogspolicies
--- a/enshi_back/ABAC/blogsPolicies/blogRules/createRule.go
+++ b/enshi_back/ABAC/blogsPolicies/blogRules/createRule.go
@ -0,0 +1,22 @@
+package blogrules
+
+import (
+	globalrules "enshi/ABAC/globalRules"
+	"enshi/ABAC/rules"
+
+	"github.com/gin-gonic/gin"
+)
+
+func BlogCreateRule(c *gin.Context) (bool, []error) {
+	rulesToCheck := []rules.RuleFunction{
+		globalrules.AuthorizedRule,
+	}
+
+	isAllowed, errors := rules.CheckRules(
+		c,
+		rulesToCheck,
+		rules.ALL_RULES_MUST_BE_COMPLETED,
+	)
+
+	return isAllowed, errors
+}
--- a/enshi_back/ABAC/globalRules/AuthorizedRule.go
+++ b/enshi_back/ABAC/globalRules/AuthorizedRule.go
@ -9,10 +9,10 @@ import (
 	"github.com/gin-gonic/gin"
 )

-func AuthorizedRule(c *gin.Context) (bool, error) {
+func AuthorizedRule(c *gin.Context) (bool, []error) {
 	cookies := c.Request.CookiesNamed("auth_cookie")
 	if len(cookies) == 0 {
-		return false, fmt.Errorf("no cookies provided")
+		return false, []error{fmt.Errorf("no cookies provided")}
 	}

 	tokenFromCookies := cookies[0].Value
@ -20,7 +20,7 @@ func AuthorizedRule(c *gin.Context) (bool, error) {
 	if err != nil {
 		c.IndentedJSON(http.StatusUnauthorized, gin.H{"error auth": err.Error()})
 		c.Abort()
-		return false, err
+		return false, []error{err}
 	} else {
 		c.Set(global.ContextUserId, cookieClimes["id"])
 		c.Set(global.ContextTokenData, cookieClimes)
--- a/enshi_back/ABAC/globalRules/IsAdminRule.go
+++ b/enshi_back/ABAC/globalRules/IsAdminRule.go
@ -0,0 +1,33 @@
+package globalrules
+
+import (
+	"context"
+	db_repo "enshi/db/go_queries"
+	"enshi/db_connection"
+	"enshi/middleware/getters"
+	"fmt"
+
+	"github.com/gin-gonic/gin"
+)
+
+func IsAdminRule(c *gin.Context) (bool, []error) {
+	contextUserId, err := getters.GetUserIdFromContext(c)
+
+	if err != nil {
+		return false, []error{err}
+	}
+
+	user, err :=
+		db_repo.New(db_connection.Dbx).
+			GetUserById(context.Background(), contextUserId)
+
+	if err != nil || user.UserID == 0 {
+		return false, []error{err}
+	}
+
+	if !user.IsAdmin {
+		return false, []error{fmt.Errorf("not admin")}
+	}
+
+	return true, nil
+}
--- a/enshi_back/ABAC/globalRules/IsOwnerOfTheBlogRule.go
+++ b/enshi_back/ABAC/globalRules/IsOwnerOfTheBlogRule.go
@ -0,0 +1,39 @@
+package globalrules
+
+import (
+	"context"
+	db_repo "enshi/db/go_queries"
+	"enshi/db_connection"
+	"enshi/middleware/getters"
+	"fmt"
+
+	"github.com/gin-gonic/gin"
+)
+
+func IsOwnerOfTheBlogRule(c *gin.Context) (bool, []error) {
+	blogId, err := getters.GetInt64Param(c, "blog-id")
+
+	if err != nil {
+		return false, []error{err}
+	}
+
+	contextUserId, err := getters.GetUserIdFromContext(c)
+
+	if err != nil {
+		return false, []error{err}
+	}
+
+	blog, err :=
+		db_repo.New(db_connection.Dbx).
+			GetBlogByBlogId(context.Background(), blogId)
+
+	if err != nil {
+		return false, []error{err}
+	}
+
+	if blog.UserID != contextUserId {
+		return false, []error{fmt.Errorf("now owner of the blog")}
+	}
+
+	return true, nil
+}
--- a/enshi_back/ABAC/globalRules/IsOwnerOfThePostRule.go
+++ b/enshi_back/ABAC/globalRules/IsOwnerOfThePostRule.go
@ -0,0 +1,39 @@
+package globalrules
+
+import (
+	"context"
+	db_repo "enshi/db/go_queries"
+	"enshi/db_connection"
+	"enshi/middleware/getters"
+	"fmt"
+
+	"github.com/gin-gonic/gin"
+)
+
+func IsOwnerOfThePostRule(c *gin.Context) (bool, []error) {
+	postId, err := getters.GetInt64Param(c, "post-id")
+
+	if err != nil {
+		return false, []error{err}
+	}
+
+	contextUserId, err := getters.GetUserIdFromContext(c)
+
+	if err != nil {
+		return false, []error{err}
+	}
+
+	post, err :=
+		db_repo.New(db_connection.Dbx).
+			GetPostsByPostId(context.Background(), postId)
+
+	if err != nil {
+		return false, []error{err}
+	}
+
+	if post.UserID != contextUserId {
+		return false, []error{fmt.Errorf("now owner of the post")}
+	}
+
+	return true, nil
+}
--- a/enshi_back/ABAC/postsPolicies/postPolicy.go
+++ b/enshi_back/ABAC/postsPolicies/postPolicy.go
@ -2,6 +2,7 @@ package postspolicies

 import (
 	postRules "enshi/ABAC/postsPolicies/postRules"
+	"enshi/ABAC/rules"

 	"github.com/gin-gonic/gin"
 )
@ -13,36 +14,25 @@ const (
 	GET_POST    = "get_post"
 )

-func checkRule(
-	c *gin.Context,
-	ruleChecker func(*gin.Context) (bool, error),
-) (bool, error) {
-	IsAllowed, err := ruleChecker(c)
-	if err != nil {
-		return false, err
-	}
-
-	return IsAllowed, nil
-}
-
-func PostsPolicies(c *gin.Context) (bool, error) {
+func PostsPolicies(c *gin.Context) (bool, []error) {
 	target, exists := c.Get("target")
 	if !exists {
 		return false, nil
 	}

+	// Permit if one permit
 	switch target {
 	case DELETE_POST:
-		return checkRule(c, postRules.DeleteRule)
+		return rules.CheckRule(c, postRules.DeleteRule)

 	case UPDATE_POST:
-		return checkRule(c, postRules.PostUpdateRule)
+		return rules.CheckRule(c, postRules.PostUpdateRule)

 	case GET_POST:
-		return checkRule(c, postRules.PostReadRule)
+		return rules.CheckRule(c, postRules.PostReadRule)

 	case CREATE_POST:
-		return checkRule(c, postRules.PostCreateRule)
+		return rules.CheckRule(c, postRules.PostCreateRule)

 	}

--- a/enshi_back/ABAC/postsPolicies/postRules/createRule.go
+++ b/enshi_back/ABAC/postsPolicies/postRules/createRule.go
@ -1,10 +1,23 @@
 package postRules

 import (
+	globalrules "enshi/ABAC/globalRules"
+	"enshi/ABAC/rules"
+
 	"github.com/gin-gonic/gin"
 )

 // Only owner of the post can change it
-func PostCreateRule(c *gin.Context) (bool, error) {
-	return true, nil
+func PostCreateRule(c *gin.Context) (bool, []error) {
+	rulesToCheck := []rules.RuleFunction{
+		globalrules.AuthorizedRule,
+	}
+
+	isAllowed, errors := rules.CheckRules(
+		c,
+		rulesToCheck,
+		rules.ALL_RULES_MUST_BE_COMPLETED,
+	)
+
+	return isAllowed, errors
 }
--- a/enshi_back/ABAC/postsPolicies/postRules/deleteRule.go
+++ b/enshi_back/ABAC/postsPolicies/postRules/deleteRule.go
@ -2,30 +2,26 @@ package postRules

 import (
 	globalrules "enshi/ABAC/globalRules"
-	"enshi/middleware/checkRole"
+	"enshi/ABAC/rules"

 	"github.com/gin-gonic/gin"
 )

+const RULES_NUMBER_TO_COMPLETE = 2
+
 // Only owner or admin can delete post
-func DeleteRule(c *gin.Context) (bool, error) {
-	// Sender should be authorized
-	isAuthorized, err := globalrules.AuthorizedRule(c)
-	if err != nil {
-		return false, err
-	} else if !isAuthorized {
-		return false, nil
+func DeleteRule(c *gin.Context) (bool, []error) {
+	rulesToCheck := []rules.RuleFunction{
+		globalrules.AuthorizedRule,
+		globalrules.IsOwnerOfThePostRule,
+		globalrules.IsAdminRule,
 	}

-	isOwner, err := checkRole.IsOwnerOfThePost(c)
-	if err != nil {
-		return false, err
-	}
+	isAllowed, errors := rules.CheckRules(
+		c,
+		rulesToCheck,
+		RULES_NUMBER_TO_COMPLETE,
+	)

-	isAdmin, err := checkRole.IsAdmin(c)
-	if err != nil {
-		return false, err
-	}
-
-	return isAdmin || isOwner, err
+	return isAllowed, errors
 }
--- a/enshi_back/ABAC/postsPolicies/postRules/readRule.go
+++ b/enshi_back/ABAC/postsPolicies/postRules/readRule.go
@ -5,6 +5,6 @@ import (
 )

 // Only owner of the post can change it
-func PostReadRule(c *gin.Context) (bool, error) {
+func PostReadRule(c *gin.Context) (bool, []error) {
 	return true, nil
 }
--- a/enshi_back/ABAC/postsPolicies/postRules/updateRule.go
+++ b/enshi_back/ABAC/postsPolicies/postRules/updateRule.go
@ -2,25 +2,23 @@ package postRules

 import (
 	globalrules "enshi/ABAC/globalRules"
-	"enshi/middleware/checkRole"
+	"enshi/ABAC/rules"

 	"github.com/gin-gonic/gin"
 )

 // Only owner of the post can change it
-func PostUpdateRule(c *gin.Context) (bool, error) {
-	// Sender should be authorized
-	isAuthorized, err := globalrules.AuthorizedRule(c)
-	if err != nil {
-		return false, err
-	} else if !isAuthorized {
-		return false, nil
+func PostUpdateRule(c *gin.Context) (bool, []error) {
+	rulesToCheck := []rules.RuleFunction{
+		globalrules.AuthorizedRule,
+		globalrules.IsOwnerOfThePostRule,
 	}

-	isOwner, err := checkRole.IsOwnerOfThePost(c)
-	if err != nil {
-		return false, err
-	}
+	isAllowed, errors := rules.CheckRules(
+		c,
+		rulesToCheck,
+		rules.ALL_RULES_MUST_BE_COMPLETED,
+	)

-	return isOwner, nil
+	return isAllowed, errors
 }
--- a/enshi_back/ABAC/rules/CheckRule.go
+++ b/enshi_back/ABAC/rules/CheckRule.go
@ -0,0 +1,72 @@
+package rules
+
+import (
+	"fmt"
+	"strconv"
+
+	"github.com/gin-gonic/gin"
+)
+
+type RuleFunction func(*gin.Context) (bool, []error)
+
+const (
+	ALL_RULES_MUST_BE_COMPLETED = iota
+)
+
+func CheckRule(
+	c *gin.Context,
+	ruleChecker RuleFunction,
+) (bool, []error) {
+	IsAllowed, err := ruleChecker(c)
+	if err != nil {
+		return false, err
+	}
+
+	return IsAllowed, nil
+}
+
+func CheckRules(
+	c *gin.Context,
+	rules []RuleFunction,
+	completedRulesCount int,
+) (bool, []error) {
+	var allowancesIndexes []int
+	var errors []error
+
+	if len(rules) < completedRulesCount {
+		return false, []error{fmt.Errorf("there is less rules, that should be completed")}
+	}
+
+	for i, rule := range rules {
+		if isAllowed, err := CheckRule(c, rule); err != nil {
+			errors = append(
+				errors,
+				err...,
+			)
+		} else if !isAllowed {
+			errors = append(
+				errors,
+				fmt.Errorf("rule "+
+					strconv.Itoa(i)+
+					" was rejected"),
+			)
+		} else {
+			allowancesIndexes = append(allowancesIndexes, i)
+		}
+	}
+
+	switch completedRulesCount {
+	case ALL_RULES_MUST_BE_COMPLETED:
+		if len(allowancesIndexes) == len(rules) {
+			return true, nil
+		} else {
+			return false, errors
+		}
+	default:
+		if len(allowancesIndexes) >= completedRulesCount {
+			return true, nil
+		} else {
+			return false, errors
+		}
+	}
+}
--- a/enshi_back/db/go_queries/blogs_queries.sql.go
+++ b/enshi_back/db/go_queries/blogs_queries.sql.go
@ -56,6 +56,26 @@ func (q *Queries) DeleteBlogByBlogId(ctx context.Context, blogID int64) error {
 	return err
 }

+const getBlogByBlogId = `-- name: GetBlogByBlogId :one
+SELECT blog_id, user_id, title, description, category_id, created_at
+FROM public.blogs
+WHERE blog_id = $1
+`
+
+func (q *Queries) GetBlogByBlogId(ctx context.Context, blogID int64) (Blog, error) {
+	row := q.db.QueryRow(ctx, getBlogByBlogId, blogID)
+	var i Blog
+	err := row.Scan(
+		&i.BlogID,
+		&i.UserID,
+		&i.Title,
+		&i.Description,
+		&i.CategoryID,
+		&i.CreatedAt,
+	)
+	return i, err
+}
+
 const getBlogsByUserId = `-- name: GetBlogsByUserId :many
 SELECT blog_id, user_id, title, description, category_id, created_at
 FROM public.blogs
--- a/enshi_back/db/queries/blogs_queries.sql
+++ b/enshi_back/db/queries/blogs_queries.sql
@ -15,6 +15,11 @@ SELECT *
 FROM public.blogs
 WHERE user_id = $1;

+-- name: GetBlogByBlogId :one
+SELECT *
+FROM public.blogs
+WHERE blog_id = $1;
+
 -- name: DeleteBlogByBlogId :exec
 DELETE FROM public.blogs
 WHERE blog_id=$1;
--- a/enshi_back/main.go
+++ b/enshi_back/main.go
@ -6,7 +6,7 @@ import (
 	"enshi/db_connection"
 	"enshi/env"
 	"enshi/global"
-	utils "enshi/utils"
+	"enshi/routes"
 	"fmt"

 	"github.com/gin-gonic/gin"
@ -27,7 +27,7 @@ func main() {
 	defer db_connection.Dbx_connection.Close(context.Background())

 	router := gin.Default()
-	if err := utils.SetupRotes(router); err != nil {
+	if err := routes.SetupRotes(router); err != nil {
 		fmt.Println(err.Error())
 		return
 	}
--- a/enshi_back/middleware/postsMiddleware.go
+++ b/enshi_back/middleware/postsMiddleware.go
@ -4,6 +4,7 @@ import (
 	postspolicies "enshi/ABAC/postsPolicies"
 	rest_api_stuff "enshi/REST_API_stuff"
 	"fmt"
+	"net/http"

 	"github.com/gin-gonic/gin"
 )
@ -22,10 +23,15 @@ func PostsMiddleware() gin.HandlerFunc {
 			c.Set("target", postspolicies.GET_POST)
 		}

-		isAllowed, err := postspolicies.PostsPolicies(c)
+		isAllowed, errors := postspolicies.PostsPolicies(c)

-		if err != nil {
-			rest_api_stuff.InternalErrorAnswer(c, err)
+		var errorsMap = map[int]string{}
+		for i, error := range errors {
+			errorsMap[i] = error.Error()
+		}
+
+		if errors != nil {
+			c.IndentedJSON(http.StatusUnauthorized, errorsMap)
 			c.Abort()
 			return
 		}
--- a/enshi_back/routes/postsRoutes/updatePost.go
+++ b/enshi_back/routes/postsRoutes/updatePost.go
@ -18,20 +18,14 @@ func UpdatePost(c *gin.Context) {
 		return
 	}

-	_, err := getters.GetUserIdFromContext(c)
+	postId, err := getters.GetInt64Param(c, "post-id")

 	if err != nil {
 		rest_api_stuff.InternalErrorAnswer(c, err)
 		return
 	}

-	// if isOwner, _ := checkRole.IsOwnerOfThePost(
-	// 	userId,
-	// 	UpdatedPostParams.PostID,
-	// ); !isOwner {
-	// 	rest_api_stuff.UnauthorizedAnswer(c, fmt.Errorf("you are now allowed to change this"))
-	// 	return
-	// }
+	UpdatedPostParams.PostID = postId

 	_, err = db_repo.New(
 		db_connection.Dbx,
--- a/enshi_back/routes/routesSetup.go
+++ b/enshi_back/routes/routesSetup.go
@ -1,4 +1,4 @@
-package utils
+package routes

 import (
 	"enshi/middleware"
@ -37,10 +37,6 @@ func SetupRotes(g *gin.Engine) error {
 		authRoutes.RegisterUser,
 	)

-	// Auth group routes
-	authGroup := g.Group("/")
-	authGroup.Use(middleware.AuthMiddleware())
-
 	postsGroup := g.Group("/")
 	postsGroup.Use(middleware.PostsMiddleware())

@ -61,6 +57,9 @@ func SetupRotes(g *gin.Engine) error {
 		postsRoutes.DeletePost,
 	)

+	// Auth group routes
+	authGroup := g.Group("/")
+	authGroup.Use(middleware.AuthMiddleware())
 	authGroup.PUT(
 		"user-profiles",
 		userProfileRoutes.UpdateUserProfile,