feat: update authz subject

Closing ENG-1824
indykite · Sep 18, 2023 · 4278189 · 4278189
1 parent d30fd43
commit 4278189
Show file tree

Hide file tree

Showing 19 changed files with 1,266 additions and 349 deletions.
diff --git a/authorization/authorization_suite_test.go b/authorization/authorization_suite_test.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2022 IndyKite
+// Copyright (c) 2023 IndyKite
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.

diff --git a/authorization/client_test.go b/authorization/client_test.go
@@ -42,12 +42,9 @@ var _ = Describe("IsAuthorized", func() {
 		It("New", func() {
 			var err error
 			authorizationClient, err = authorization.NewTestClient(context.Background(), mockClient)
-			Ω(err).To(Succeed())
+			Expect(err).To(Succeed())
 			Expect(authorizationClient).To(Not(BeNil()))
-
-			if authorizationClient != nil {
-				Expect(authorizationClient.Close()).To(Succeed())
-			}
+			Expect(authorizationClient.Close()).To(Succeed())
 		})
 
 	})

diff --git a/authorization/doc.go b/authorization/doc.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2022 IndyKite
+// Copyright (c) 2023 IndyKite
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.

diff --git a/authorization/is_authorized.go b/authorization/is_authorized.go
@@ -21,25 +21,21 @@ import (
 
 	"github.com/indykite/indykite-sdk-go/errors"
 	authorizationpb "github.com/indykite/indykite-sdk-go/gen/indykite/authorization/v1beta1"
-	identitypb "github.com/indykite/indykite-sdk-go/gen/indykite/identity/v1beta2"
 )
 
 // IsAuthorized checks if DigitalTwin can perform actions on resources.
 func (c *Client) IsAuthorized(
 	ctx context.Context,
-	digitalTwin *identitypb.DigitalTwin,
+	digitalTwinID *authorizationpb.DigitalTwin,
 	resources []*authorizationpb.IsAuthorizedRequest_Resource,
 	inputParams map[string]*authorizationpb.InputParam,
 	policyTags []string,
 	opts ...grpc.CallOption,
 ) (*authorizationpb.IsAuthorizedResponse, error) {
 	return c.IsAuthorizedWithRawRequest(ctx, &authorizationpb.IsAuthorizedRequest{
 		Subject: &authorizationpb.Subject{
-			Subject: &authorizationpb.Subject_DigitalTwinIdentifier{
-				DigitalTwinIdentifier: &identitypb.DigitalTwinIdentifier{
-					Filter: &identitypb.DigitalTwinIdentifier_DigitalTwin{DigitalTwin: digitalTwin},
-				},
-			},
+			Subject: &authorizationpb.Subject_DigitalTwinId{
+				DigitalTwinId: digitalTwinID},
 		},
 		Resources:   resources,
 		InputParams: inputParams,
@@ -59,11 +55,8 @@ func (c *Client) IsAuthorizedByToken(
 ) (*authorizationpb.IsAuthorizedResponse, error) {
 	return c.IsAuthorizedWithRawRequest(ctx, &authorizationpb.IsAuthorizedRequest{
 		Subject: &authorizationpb.Subject{
-			Subject: &authorizationpb.Subject_DigitalTwinIdentifier{
-				DigitalTwinIdentifier: &identitypb.DigitalTwinIdentifier{
-					Filter: &identitypb.DigitalTwinIdentifier_AccessToken{AccessToken: token},
-				},
-			},
+			Subject: &authorizationpb.Subject_IndykiteAccessToken{
+				IndykiteAccessToken: token},
 		},
 		Resources:   resources,
 		InputParams: inputParams,
@@ -75,19 +68,16 @@ func (c *Client) IsAuthorizedByToken(
 // can perform actions on resources.
 func (c *Client) IsAuthorizedByProperty(
 	ctx context.Context,
-	propertyFilter *identitypb.PropertyFilter,
+	property *authorizationpb.Property,
 	resources []*authorizationpb.IsAuthorizedRequest_Resource,
 	inputParams map[string]*authorizationpb.InputParam,
 	policyTags []string,
 	opts ...grpc.CallOption,
 ) (*authorizationpb.IsAuthorizedResponse, error) {
 	return c.IsAuthorizedWithRawRequest(ctx, &authorizationpb.IsAuthorizedRequest{
 		Subject: &authorizationpb.Subject{
-			Subject: &authorizationpb.Subject_DigitalTwinIdentifier{
-				DigitalTwinIdentifier: &identitypb.DigitalTwinIdentifier{
-					Filter: &identitypb.DigitalTwinIdentifier_PropertyFilter{PropertyFilter: propertyFilter},
-				},
-			},
+			Subject: &authorizationpb.Subject_DigitalTwinProperty{
+				DigitalTwinProperty: property},
 		},
 		Resources:   resources,
 		InputParams: inputParams,
@@ -104,11 +94,9 @@ func (c *Client) IsAuthorizedWithRawRequest(
 		return nil, errors.NewInvalidArgumentErrorWithCause(err, "unable to call IsAuthorized client endpoint")
 	}
 
-	if sub, ok := req.GetSubject().Subject.(*authorizationpb.Subject_DigitalTwinIdentifier); ok {
-		if filter, ok := sub.DigitalTwinIdentifier.Filter.(*identitypb.DigitalTwinIdentifier_AccessToken); ok {
-			if err := verifyTokenFormat(filter.AccessToken); err != nil {
-				return nil, err
-			}
+	if subject, ok := req.GetSubject().Subject.(*authorizationpb.Subject_IndykiteAccessToken); ok {
+		if err := verifyTokenFormat(subject.IndykiteAccessToken); err != nil {
+			return nil, err
 		}
 	}
 

diff --git a/authorization/is_authorized_test.go b/authorization/is_authorized_test.go
@@ -27,7 +27,6 @@ import (
 	"github.com/indykite/indykite-sdk-go/authorization"
 	sdkerrors "github.com/indykite/indykite-sdk-go/errors"
 	authorizationpb "github.com/indykite/indykite-sdk-go/gen/indykite/authorization/v1beta1"
-	identitypb "github.com/indykite/indykite-sdk-go/gen/indykite/identity/v1beta2"
 	objectpb "github.com/indykite/indykite-sdk-go/gen/indykite/objects/v1beta1"
 	"github.com/indykite/indykite-sdk-go/test"
 	authorizationmock "github.com/indykite/indykite-sdk-go/test/authorization/v1beta1"
@@ -77,7 +76,7 @@ var _ = Describe("IsAuthorized", func() {
 
 		var err error
 		authorizationClient, err = authorization.NewTestClient(ctx, mockClient)
-		Ω(err).To(Succeed())
+		Expect(err).To(Succeed())
 	})
 
 	Describe("IsAuthorized", func() {
@@ -108,14 +107,9 @@ var _ = Describe("IsAuthorized", func() {
 		It("Wrong DT should return a validation error in the response", func() {
 			req := &authorizationpb.IsAuthorizedRequest{
 				Subject: &authorizationpb.Subject{
-					Subject: &authorizationpb.Subject_DigitalTwinIdentifier{
-						DigitalTwinIdentifier: &identitypb.DigitalTwinIdentifier{
-							Filter: &identitypb.DigitalTwinIdentifier_DigitalTwin{
-								DigitalTwin: &identitypb.DigitalTwin{
-									Id:       "gid:like",
-									TenantId: "gid:like",
-								},
-							},
+					Subject: &authorizationpb.Subject_DigitalTwinId{
+						DigitalTwinId: &authorizationpb.DigitalTwin{
+							Id: "gid:like",
 						},
 					},
 				},
@@ -132,14 +126,9 @@ var _ = Describe("IsAuthorized", func() {
 		It("IsAuthorizedDT", func() {
 			req := &authorizationpb.IsAuthorizedRequest{
 				Subject: &authorizationpb.Subject{
-					Subject: &authorizationpb.Subject_DigitalTwinIdentifier{
-						DigitalTwinIdentifier: &identitypb.DigitalTwinIdentifier{
-							Filter: &identitypb.DigitalTwinIdentifier_DigitalTwin{
-								DigitalTwin: &identitypb.DigitalTwin{
-									Id:       "gid:like-real-digital_twin-id-at-least-27",
-									TenantId: "gid:like-real-tenant-id-at-least-27",
-								},
-							},
+					Subject: &authorizationpb.Subject_DigitalTwinId{
+						DigitalTwinId: &authorizationpb.DigitalTwin{
+							Id: "gid:like-real-digital_twin-id-at-least-27-char",
 						},
 					},
 				},
@@ -163,15 +152,10 @@ var _ = Describe("IsAuthorized", func() {
 		It("IsAuthorizedProperty", func() {
 			req := &authorizationpb.IsAuthorizedRequest{
 				Subject: &authorizationpb.Subject{
-					Subject: &authorizationpb.Subject_DigitalTwinIdentifier{
-						DigitalTwinIdentifier: &identitypb.DigitalTwinIdentifier{
-							Filter: &identitypb.DigitalTwinIdentifier_PropertyFilter{
-								PropertyFilter: &identitypb.PropertyFilter{
-									Type:     "email_for_example",
-									Value:    objectpb.String("[email protected]"),
-									TenantId: "gid:like-real-tenant-id-at-least-27",
-								},
-							},
+					Subject: &authorizationpb.Subject_DigitalTwinProperty{
+						DigitalTwinProperty: &authorizationpb.Property{
+							Type:  "email_for_example",
+							Value: objectpb.String("[email protected]"),
 						},
 					},
 				},
@@ -189,10 +173,9 @@ var _ = Describe("IsAuthorized", func() {
 
 			resp, err := authorizationClient.IsAuthorizedByProperty(
 				ctx,
-				&identitypb.PropertyFilter{
-					Type:     "email_for_example",
-					Value:    objectpb.String("[email protected]"),
-					TenantId: "gid:like-real-tenant-id-at-least-27",
+				&authorizationpb.Property{
+					Type:  "email_for_example",
+					Value: objectpb.String("[email protected]"),
 				},
 				resourceExample,
 				inputParam,
@@ -205,12 +188,8 @@ var _ = Describe("IsAuthorized", func() {
 		It("IsAuthorizedToken", func() {
 			req := &authorizationpb.IsAuthorizedRequest{
 				Subject: &authorizationpb.Subject{
-					Subject: &authorizationpb.Subject_DigitalTwinIdentifier{
-						DigitalTwinIdentifier: &identitypb.DigitalTwinIdentifier{
-							Filter: &identitypb.DigitalTwinIdentifier_AccessToken{
-								AccessToken: tokenGood,
-							},
-						},
+					Subject: &authorizationpb.Subject_IndykiteAccessToken{
+						IndykiteAccessToken: tokenGood,
 					},
 				},
 				Resources:   resourceExample,
@@ -239,12 +218,8 @@ var _ = Describe("IsAuthorized", func() {
 		It("IsAuthorizedTokenWrongFormat", func() {
 			req := &authorizationpb.IsAuthorizedRequest{
 				Subject: &authorizationpb.Subject{
-					Subject: &authorizationpb.Subject_DigitalTwinIdentifier{
-						DigitalTwinIdentifier: &identitypb.DigitalTwinIdentifier{
-							Filter: &identitypb.DigitalTwinIdentifier_AccessToken{
-								AccessToken: tokenBad,
-							},
-						},
+					Subject: &authorizationpb.Subject_IndykiteAccessToken{
+						IndykiteAccessToken: tokenBad,
 					},
 				},
 				Resources:   resourceExample,
@@ -259,19 +234,15 @@ var _ = Describe("IsAuthorized", func() {
 		It("Invalid status", func() {
 			req := &authorizationpb.IsAuthorizedRequest{
 				Subject: &authorizationpb.Subject{
-					Subject: &authorizationpb.Subject_DigitalTwinIdentifier{
-						DigitalTwinIdentifier: &identitypb.DigitalTwinIdentifier{
-							Filter: &identitypb.DigitalTwinIdentifier_AccessToken{
-								AccessToken: tokenGood,
-							},
-						},
+					Subject: &authorizationpb.Subject_IndykiteAccessToken{
+						IndykiteAccessToken: tokenGood,
 					},
 				},
 				Resources:   resourceExample,
 				InputParams: inputParam,
 				PolicyTags:  policyTags,
 			}
-			statusErr := status.New(codes.InvalidArgument, "something wrong").Err()
+			statusErr := status.New(codes.AlreadyExists, "something wrong").Err()
 			mockClient.EXPECT().
 				IsAuthorized(gomock.Any(), req).
 				Return(nil, statusErr)

diff --git a/authorization/what_authorized.go b/authorization/what_authorized.go
@@ -21,26 +21,22 @@ import (
 
 	"github.com/indykite/indykite-sdk-go/errors"
 	authorizationpb "github.com/indykite/indykite-sdk-go/gen/indykite/authorization/v1beta1"
-	identitypb "github.com/indykite/indykite-sdk-go/gen/indykite/identity/v1beta2"
 )
 
 // WhatAuthorized returns a list of resources and allowed actions for provided resource types for
 // subject, identified by DigitalTwinIdentifier, can access.
 func (c *Client) WhatAuthorized(
 	ctx context.Context,
-	digitalTwin *identitypb.DigitalTwin,
+	digitalTwinID *authorizationpb.DigitalTwin,
 	resourceTypes []*authorizationpb.WhatAuthorizedRequest_ResourceType,
 	inputParams map[string]*authorizationpb.InputParam,
 	policyTags []string,
 	opts ...grpc.CallOption,
 ) (*authorizationpb.WhatAuthorizedResponse, error) {
 	return c.WhatAuthorizedWithRawRequest(ctx, &authorizationpb.WhatAuthorizedRequest{
 		Subject: &authorizationpb.Subject{
-			Subject: &authorizationpb.Subject_DigitalTwinIdentifier{
-				DigitalTwinIdentifier: &identitypb.DigitalTwinIdentifier{
-					Filter: &identitypb.DigitalTwinIdentifier_DigitalTwin{DigitalTwin: digitalTwin},
-				},
-			},
+			Subject: &authorizationpb.Subject_DigitalTwinId{
+				DigitalTwinId: digitalTwinID},
 		},
 		ResourceTypes: resourceTypes,
 		InputParams:   inputParams,
@@ -60,11 +56,8 @@ func (c *Client) WhatAuthorizedByToken(
 ) (*authorizationpb.WhatAuthorizedResponse, error) {
 	return c.WhatAuthorizedWithRawRequest(ctx, &authorizationpb.WhatAuthorizedRequest{
 		Subject: &authorizationpb.Subject{
-			Subject: &authorizationpb.Subject_DigitalTwinIdentifier{
-				DigitalTwinIdentifier: &identitypb.DigitalTwinIdentifier{
-					Filter: &identitypb.DigitalTwinIdentifier_AccessToken{AccessToken: token},
-				},
-			},
+			Subject: &authorizationpb.Subject_IndykiteAccessToken{
+				IndykiteAccessToken: token},
 		},
 		ResourceTypes: resourceTypes,
 		InputParams:   inputParams,
@@ -76,18 +69,16 @@ func (c *Client) WhatAuthorizedByToken(
 // subject, identified by property filter, can access.
 func (c *Client) WhatAuthorizedByProperty(
 	ctx context.Context,
-	propertyFilter *identitypb.PropertyFilter,
+	property *authorizationpb.Property,
 	resourceTypes []*authorizationpb.WhatAuthorizedRequest_ResourceType,
 	inputParams map[string]*authorizationpb.InputParam,
 	policyTags []string,
 	opts ...grpc.CallOption,
 ) (*authorizationpb.WhatAuthorizedResponse, error) {
 	return c.WhatAuthorizedWithRawRequest(ctx, &authorizationpb.WhatAuthorizedRequest{
 		Subject: &authorizationpb.Subject{
-			Subject: &authorizationpb.Subject_DigitalTwinIdentifier{
-				DigitalTwinIdentifier: &identitypb.DigitalTwinIdentifier{
-					Filter: &identitypb.DigitalTwinIdentifier_PropertyFilter{PropertyFilter: propertyFilter},
-				}},
+			Subject: &authorizationpb.Subject_DigitalTwinProperty{
+				DigitalTwinProperty: property},
 		},
 		ResourceTypes: resourceTypes,
 		InputParams:   inputParams,
@@ -106,11 +97,9 @@ func (c *Client) WhatAuthorizedWithRawRequest(
 		return nil, errors.NewInvalidArgumentErrorWithCause(err, "unable to call WhatAuthorized client endpoint")
 	}
 
-	if sub, ok := req.GetSubject().Subject.(*authorizationpb.Subject_DigitalTwinIdentifier); ok {
-		if filter, ok := sub.DigitalTwinIdentifier.Filter.(*identitypb.DigitalTwinIdentifier_AccessToken); ok {
-			if err := verifyTokenFormat(filter.AccessToken); err != nil {
-				return nil, err
-			}
+	if subject, ok := req.GetSubject().Subject.(*authorizationpb.Subject_IndykiteAccessToken); ok {
+		if err := verifyTokenFormat(subject.IndykiteAccessToken); err != nil {
+			return nil, err
 		}
 	}