@@ -51,9 +51,9 @@ const (
51
51
)
52
52
53
53
type UserService interface {
54
- CreateUser (userInfo * bean.UserInfo , token string , managerAuth func (resource , token string , object string ) bool ) ([]* bean.UserInfo , error )
54
+ CreateUser (userInfo * bean.UserInfo , token string , managerAuth func (resource , token string , object string ) bool ) ([]* bean.UserInfo , []bean. RestrictedGroup , error )
55
55
SelfRegisterUserIfNotExists (userInfo * bean.UserInfo ) ([]* bean.UserInfo , error )
56
- UpdateUser (userInfo * bean.UserInfo , token string , managerAuth func (resource , token string , object string ) bool ) (* bean.UserInfo , bool , bool , []string , error )
56
+ UpdateUser (userInfo * bean.UserInfo , token string , managerAuth func (resource , token string , object string ) bool ) (* bean.UserInfo , bool , bool , []bean. RestrictedGroup , error )
57
57
GetById (id int32 ) (* bean.UserInfo , error )
58
58
GetAll () ([]bean.UserInfo , error )
59
59
GetAllWithFilters (request * bean.ListingRequest ) (* bean.UserListingResponse , error )
@@ -276,33 +276,34 @@ func (impl *UserServiceImpl) saveUser(userInfo *bean.UserInfo, emailId string) (
276
276
return userInfo , nil
277
277
}
278
278
279
- func (impl * UserServiceImpl ) CreateUser (userInfo * bean.UserInfo , token string , managerAuth func (resource , token string , object string ) bool ) ([]* bean.UserInfo , error ) {
279
+ func (impl * UserServiceImpl ) CreateUser (userInfo * bean.UserInfo , token string , managerAuth func (resource , token string , object string ) bool ) ([]* bean.UserInfo , []bean. RestrictedGroup , error ) {
280
280
281
281
var pass []string
282
282
var userResponse []* bean.UserInfo
283
+ var restrictedGroups []bean.RestrictedGroup
283
284
emailIds := strings .Split (userInfo .EmailId , "," )
284
285
for _ , emailId := range emailIds {
285
286
dbUser , err := impl .userRepository .FetchActiveOrDeletedUserByEmail (emailId )
286
287
if err != nil && err != pg .ErrNoRows {
287
288
impl .logger .Errorw ("error while fetching user from db" , "error" , err )
288
- return nil , err
289
+ return nil , nil , err
289
290
}
290
291
291
292
//if found, update it with new roles
292
293
if dbUser != nil && dbUser .Id > 0 {
293
294
userInfo , err = impl .updateUserIfExists (userInfo , dbUser , emailId , token , managerAuth )
294
295
if err != nil {
295
296
impl .logger .Errorw ("error while create user if exists in db" , "error" , err )
296
- return nil , err
297
+ return nil , nil , err
297
298
}
298
299
}
299
300
300
301
// if not found, create new user
301
302
if err == pg .ErrNoRows {
302
- userInfo , err = impl .createUserIfNotExists (userInfo , emailId , token , managerAuth )
303
+ userInfo , restrictedGroups , err = impl .createUserIfNotExists (userInfo , emailId , token , managerAuth )
303
304
if err != nil {
304
305
impl .logger .Errorw ("error while create user if not exists in db" , "error" , err )
305
- return nil , err
306
+ return nil , nil , err
306
307
}
307
308
}
308
309
@@ -312,7 +313,7 @@ func (impl *UserServiceImpl) CreateUser(userInfo *bean.UserInfo, token string, m
312
313
userResponse = append (userResponse , & bean.UserInfo {Id : userInfo .Id , EmailId : emailId , Groups : userInfo .Groups , RoleFilters : userInfo .RoleFilters , SuperAdmin : userInfo .SuperAdmin , UserRoleGroup : userInfo .UserRoleGroup })
313
314
}
314
315
315
- return userResponse , nil
316
+ return userResponse , restrictedGroups , nil
316
317
}
317
318
318
319
func (impl * UserServiceImpl ) updateUserIfExists (userInfo * bean.UserInfo , dbUser * repository.UserModel , emailId string ,
@@ -340,20 +341,20 @@ func (impl *UserServiceImpl) updateUserIfExists(userInfo *bean.UserInfo, dbUser
340
341
return userInfo , nil
341
342
}
342
343
343
- func (impl * UserServiceImpl ) createUserIfNotExists (userInfo * bean.UserInfo , emailId string , token string , managerAuth func (resource string , token string , object string ) bool ) (* bean.UserInfo , error ) {
344
+ func (impl * UserServiceImpl ) createUserIfNotExists (userInfo * bean.UserInfo , emailId string , token string , managerAuth func (resource string , token string , object string ) bool ) (* bean.UserInfo , []bean. RestrictedGroup , error ) {
344
345
// if not found, create new user
345
346
dbConnection := impl .userRepository .GetConnection ()
346
347
tx , err := dbConnection .Begin ()
347
348
if err != nil {
348
- return nil , err
349
+ return nil , nil , err
349
350
}
350
351
// Rollback tx on error.
351
352
defer tx .Rollback ()
352
353
353
354
_ , err = impl .validateUserRequest (userInfo )
354
355
if err != nil {
355
356
err = & util.ApiError {HttpStatusCode : http .StatusBadRequest , UserMessage : "Invalid request, please provide role filters" }
356
- return nil , err
357
+ return nil , nil , err
357
358
}
358
359
359
360
//create new user in our db on d basis of info got from google api or hex. assign a basic role
@@ -375,24 +376,30 @@ func (impl *UserServiceImpl) createUserIfNotExists(userInfo *bean.UserInfo, emai
375
376
InternalMessage : "failed to create new user in db" ,
376
377
UserMessage : fmt .Sprintf ("requested by %d" , userInfo .UserId ),
377
378
}
378
- return nil , err
379
+ return nil , nil , err
379
380
}
380
381
userInfo .Id = model .Id
381
382
//loading policy for safety
382
383
casbin2 .LoadPolicy ()
383
384
385
+ var restrictedGroups []bean.RestrictedGroup
386
+
384
387
//Starts Role and Mapping
385
388
capacity , mapping := impl .userCommonService .GetCapacityForRoleFilter (userInfo .RoleFilters )
386
389
//var policies []casbin2.Policy
387
390
var policies = make ([]casbin2.Policy , 0 , capacity )
388
391
if userInfo .SuperAdmin == false {
392
+ isActionPerformingUserSuperAdmin , err := impl .IsSuperAdmin (int (userInfo .UserId ))
393
+ if err != nil {
394
+ return nil , nil , err
395
+ }
389
396
for index , roleFilter := range userInfo .RoleFilters {
390
397
impl .logger .Infow ("Creating Or updating User Roles for RoleFilter " )
391
398
entity := roleFilter .Entity
392
399
policiesToBeAdded , _ , err := impl .CreateOrUpdateUserRolesForAllTypes (roleFilter , userInfo .UserId , model , nil , token , managerAuth , tx , entity , mapping [index ])
393
400
if err != nil {
394
401
impl .logger .Errorw ("error in creating user roles for Alltypes" , "err" , err )
395
- return nil , err
402
+ return nil , nil , err
396
403
}
397
404
policies = append (policies , policiesToBeAdded ... )
398
405
@@ -402,29 +409,34 @@ func (impl *UserServiceImpl) createUserIfNotExists(userInfo *bean.UserInfo, emai
402
409
for _ , item := range userInfo .UserRoleGroup {
403
410
userGroup , err := impl .roleGroupRepository .GetRoleGroupByName (item .RoleGroup .Name )
404
411
if err != nil {
405
- return nil , err
412
+ return nil , nil , err
413
+ }
414
+ hasAccessToGroup , hasSuperAdminPermission := impl .checkGroupAuth (userGroup .CasbinName , token , managerAuth , isActionPerformingUserSuperAdmin )
415
+ if hasAccessToGroup {
416
+ policies = append (policies , casbin2.Policy {Type : "g" , Sub : casbin2 .Subject (userInfo .EmailId ), Obj : casbin2 .Object (userGroup .CasbinName )})
417
+ } else {
418
+ restrictedGroup := adapter .CreateRestrictedGroup (item .RoleGroup .Name , hasSuperAdminPermission )
419
+ restrictedGroups = append (restrictedGroups , restrictedGroup )
406
420
}
407
- //object := "group:" + strings.ReplaceAll(item, " ", "_")
408
- policies = append (policies , casbin2.Policy {Type : "g" , Sub : casbin2 .Subject (emailId ), Obj : casbin2 .Object (userGroup .CasbinName )})
409
421
}
410
422
// END GROUP POLICY
411
423
} else if userInfo .SuperAdmin == true {
412
424
413
425
isSuperAdmin , err := impl .IsSuperAdmin (int (userInfo .UserId ))
414
426
if err != nil {
415
- return nil , err
427
+ return nil , nil , err
416
428
}
417
429
if isSuperAdmin == false {
418
430
err = & util.ApiError {HttpStatusCode : http .StatusForbidden , UserMessage : "Invalid request, not allow to update super admin type user" }
419
- return nil , err
431
+ return nil , nil , err
420
432
}
421
433
flag , err := impl .userAuthRepository .CreateRoleForSuperAdminIfNotExists (tx , userInfo .UserId )
422
434
if err != nil || flag == false {
423
- return nil , err
435
+ return nil , nil , err
424
436
}
425
437
roleModel , err := impl .userAuthRepository .GetRoleByFilterForAllTypes ("" , "" , "" , "" , bean2 .SUPER_ADMIN , "" , "" , "" , "" , "" , "" , "" , false , "" )
426
438
if err != nil {
427
- return nil , err
439
+ return nil , nil , err
428
440
}
429
441
if roleModel .Id > 0 {
430
442
userRoleModel := & repository.UserRoleModel {UserId : model .Id , RoleId : roleModel .Id , AuditLog : sql.AuditLog {
@@ -435,7 +447,7 @@ func (impl *UserServiceImpl) createUserIfNotExists(userInfo *bean.UserInfo, emai
435
447
}}
436
448
userRoleModel , err = impl .userAuthRepository .CreateUserRoleMapping (userRoleModel , tx )
437
449
if err != nil {
438
- return nil , err
450
+ return nil , nil , err
439
451
}
440
452
policies = append (policies , casbin2.Policy {Type : "g" , Sub : casbin2 .Subject (model .EmailId ), Obj : casbin2 .Object (roleModel .Role )})
441
453
}
@@ -450,11 +462,11 @@ func (impl *UserServiceImpl) createUserIfNotExists(userInfo *bean.UserInfo, emai
450
462
//Ends
451
463
err = tx .Commit ()
452
464
if err != nil {
453
- return nil , err
465
+ return nil , nil , err
454
466
}
455
467
//loading policy for syncing orchestrator to casbin with newly added policies
456
468
casbin2 .LoadPolicy ()
457
- return userInfo , nil
469
+ return userInfo , restrictedGroups , nil
458
470
}
459
471
460
472
func (impl * UserServiceImpl ) CreateOrUpdateUserRolesForAllTypes (roleFilter bean.RoleFilter , userId int32 , model * repository.UserModel , existingRoles map [int ]repository.UserRoleModel , token string , managerAuth func (resource string , token string , object string ) bool , tx * pg.Tx , entity string , capacity int ) ([]casbin2.Policy , bool , error ) {
@@ -634,7 +646,7 @@ func (impl UserServiceImpl) mergeUserRoleGroup(oldUserRoleGroups []bean.UserRole
634
646
return finalUserRoleGroups
635
647
}
636
648
637
- func (impl * UserServiceImpl ) UpdateUser (userInfo * bean.UserInfo , token string , managerAuth func (resource , token string , object string ) bool ) (* bean.UserInfo , bool , bool , []string , error ) {
649
+ func (impl * UserServiceImpl ) UpdateUser (userInfo * bean.UserInfo , token string , managerAuth func (resource , token string , object string ) bool ) (* bean.UserInfo , bool , bool , []bean. RestrictedGroup , error ) {
638
650
//checking if request for same user is being processed
639
651
isLocked := impl .getUserReqLockStateById (userInfo .Id )
640
652
if isLocked {
@@ -698,7 +710,7 @@ func (impl *UserServiceImpl) UpdateUser(userInfo *bean.UserInfo, token string, m
698
710
var eliminatedPolicies []casbin2.Policy
699
711
capacity , mapping := impl .userCommonService .GetCapacityForRoleFilter (userInfo .RoleFilters )
700
712
var addedPolicies = make ([]casbin2.Policy , 0 , capacity )
701
- restrictedGroups := []string {}
713
+ restrictedGroups := []bean. RestrictedGroup {}
702
714
rolesChanged := false
703
715
groupsModified := false
704
716
//loading policy for safety
@@ -767,13 +779,13 @@ func (impl *UserServiceImpl) UpdateUser(userInfo *bean.UserInfo, token string, m
767
779
newGroupMap [userGroup .CasbinName ] = userGroup .CasbinName
768
780
if _ , ok := oldGroupMap [userGroup .CasbinName ]; ! ok {
769
781
//check permission for new group which is going to add
770
- hasAccessToGroup := impl .checkGroupAuth (userGroup .CasbinName , token , managerAuth , isActionPerformingUserSuperAdmin )
782
+ hasAccessToGroup , hasSuperAdminPermission := impl .checkGroupAuth (userGroup .CasbinName , token , managerAuth , isActionPerformingUserSuperAdmin )
771
783
if hasAccessToGroup {
772
784
groupsModified = true
773
785
addedPolicies = append (addedPolicies , casbin2.Policy {Type : "g" , Sub : casbin2 .Subject (userInfo .EmailId ), Obj : casbin2 .Object (userGroup .CasbinName )})
774
786
} else {
775
- trimmedGroup := strings . TrimPrefix (item .RoleGroup .Name , "group:" )
776
- restrictedGroups = append (restrictedGroups , trimmedGroup )
787
+ restrictedGroup := adapter . CreateRestrictedGroup (item .RoleGroup .Name , hasSuperAdminPermission )
788
+ restrictedGroups = append (restrictedGroups , restrictedGroup )
777
789
}
778
790
}
779
791
}
@@ -783,15 +795,15 @@ func (impl *UserServiceImpl) UpdateUser(userInfo *bean.UserInfo, token string, m
783
795
if item != bean .SUPERADMIN {
784
796
//check permission for group which is going to eliminate
785
797
if strings .HasPrefix (item , "group:" ) {
786
- hasAccessToGroup := impl .checkGroupAuth (item , token , managerAuth , isActionPerformingUserSuperAdmin )
798
+ hasAccessToGroup , hasSuperAdminPermission := impl .checkGroupAuth (item , token , managerAuth , isActionPerformingUserSuperAdmin )
787
799
if hasAccessToGroup {
788
800
if strings .HasPrefix (item , "group:" ) {
789
801
groupsModified = true
790
802
}
791
803
eliminatedPolicies = append (eliminatedPolicies , casbin2.Policy {Type : "g" , Sub : casbin2 .Subject (userInfo .EmailId ), Obj : casbin2 .Object (item )})
792
804
} else {
793
- trimmedGroup := strings . TrimPrefix (item , "group:" )
794
- restrictedGroups = append (restrictedGroups , trimmedGroup )
805
+ restrictedGroup := adapter . CreateRestrictedGroup (item , hasSuperAdminPermission )
806
+ restrictedGroups = append (restrictedGroups , restrictedGroup )
795
807
}
796
808
}
797
809
}
@@ -1672,15 +1684,20 @@ func (impl *UserServiceImpl) saveUserAudit(r *http.Request, userId int32) {
1672
1684
impl .userAuditService .Save (userAudit )
1673
1685
}
1674
1686
1675
- func (impl * UserServiceImpl ) checkGroupAuth (groupName string , token string , managerAuth func (resource , token string , object string ) bool , isActionUserSuperAdmin bool ) bool {
1687
+ func (impl * UserServiceImpl ) checkGroupAuth (groupName string , token string , managerAuth func (resource , token string , object string ) bool , isActionUserSuperAdmin bool ) ( bool , bool ) {
1676
1688
//check permission for group which is going to add/eliminate
1677
1689
roles , err := impl .roleGroupRepository .GetRolesByGroupCasbinName (groupName )
1678
1690
if err != nil && err != pg .ErrNoRows {
1679
1691
impl .logger .Errorw ("error while fetching user from db" , "error" , err )
1680
- return false
1692
+ return false , false
1681
1693
}
1682
1694
hasAccessToGroup := true
1695
+ hasSuperAdminPermission := false
1683
1696
for _ , role := range roles {
1697
+ if role .Role == bean .SUPERADMIN && ! isActionUserSuperAdmin {
1698
+ hasAccessToGroup = false
1699
+ hasSuperAdminPermission = true
1700
+ }
1684
1701
if role .AccessType == bean .APP_ACCESS_TYPE_HELM && ! isActionUserSuperAdmin {
1685
1702
hasAccessToGroup = false
1686
1703
}
@@ -1699,7 +1716,7 @@ func (impl *UserServiceImpl) checkGroupAuth(groupName string, token string, mana
1699
1716
}
1700
1717
1701
1718
}
1702
- return hasAccessToGroup
1719
+ return hasAccessToGroup , hasSuperAdminPermission
1703
1720
}
1704
1721
1705
1722
func (impl * UserServiceImpl ) GetRoleFiltersByUserRoleGroups (userRoleGroups []bean.UserRoleGroup ) ([]bean.RoleFilter , error ) {
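Review bot: The rewritten group-policy line in createUserIfNotExists (new line 416) binds the policy to `casbin2.Subject(userInfo.EmailId)`, whereas the line it replaces (old line 408) used the `emailId` parameter; CreateUser splits `userInfo.EmailId` on "," and calls createUserIfNotExists once per address, so for a multi-address request the new policy subject is the whole comma-joined string and the individual user never receives the group binding (unless userInfo.EmailId is rebound to the single address earlier in the function, which the hunk does not show). The fix is to keep the parameter: `policies = append(policies, casbin2.Policy{Type: "g", Sub: casbin2.Subject(emailId), Obj: casbin2.Object(userGroup.CasbinName)})`, matching the super-admin branch that already uses `model.EmailId`. Separately, in CreateUser the assignment `userInfo, restrictedGroups, err = impl.createUserIfNotExists(...)` (new line 303) overwrites restrictedGroups on every loop iteration, so only the last address's denied groups are reported back to the caller; collect into a local and append, `restrictedGroups = append(restrictedGroups, groups...)`, so the response reflects every address that was refused a group. Both enclosing functions extend beyond the visible hunks.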