feat: add permission check

internal/models/role.go

@@ -42,3 +42,7 @@ func (role Role) Valid() error {
 	}
 	return lib.ErrBadRole
 }
+
+func (role Role) AsPointer() *Role {
+	return &role
+}

internal/models/user.go

@@ -0,0 +1,9 @@
+package models
+
+import "time"
+
+type User struct {
+	UserId    *int32     `json:"user_id" db:"user_id"`
+	Role      *Role      `json:"role" db:"role"`
+	UpdatedAt *time.Time `json:"updated_at" db:"updated_at"`
+}

internal/services/permission.go

@@ -0,0 +1,39 @@
+package services
+
+import (
+	"context"
+	"git.sch9.ru/new_gate/ms-tester/internal/models"
+	"github.com/open-policy-agent/opa/rego"
+)
+
+type PermissionService struct {
+	query *rego.PreparedEvalQuery
+}
+
+func NewPermissionService() *PermissionService {
+	query, err := rego.New(
+		rego.Query("allow = data.problem.rbac.allow"),
+		rego.Load([]string{"./opa/problem.rego"}, nil),
+	).PrepareForEval(context.TODO())
+
+	if err != nil {
+		panic(err)
+	}
+
+	return &PermissionService{
+		query: &query,
+	}
+}
+
+func (s *PermissionService) Allowed(ctx context.Context, user *models.User, action string) bool {
+	input := map[string]interface{}{
+		"user":   user,
+		"action": action,
+	}
+
+	result, err := s.query.Eval(ctx, rego.EvalInput(input))
+	if err != nil {
+		panic(err)
+	}
+	return result[0].Bindings["allow"].(bool)
+}

internal/services/user.go

@@ -0,0 +1,29 @@
+package services
+
+import (
+	"context"
+	"git.sch9.ru/new_gate/ms-tester/internal/models"
+)
+
+type UserStorage interface {
+	CreateUser(ctx context.Context, user *models.User) error
+	ReadUserById(ctx context.Context, userId int32) (*models.User, error)
+}
+
+type UserService struct {
+	userStorage UserStorage
+}
+
+func NewUserService(userStorage UserStorage) *UserService {
+	return &UserService{
+		userStorage: userStorage,
+	}
+}
+
+func (s *UserService) CreateUser(ctx context.Context, user *models.User) error {
+	return s.userStorage.CreateUser(ctx, user)
+}
+
+func (s *UserService) ReadUserById(ctx context.Context, userId int32) (*models.User, error) {
+	return s.userStorage.ReadUserById(ctx, userId)
+}

internal/storage/contests.go

@@ -2,14 +2,9 @@ package storage
 
 import (
 	"context"
-	"errors"
-	"git.sch9.ru/new_gate/ms-auth/internal/lib"
-	"git.sch9.ru/new_gate/ms-auth/internal/models"
-	"github.com/jackc/pgerrcode"
-	"github.com/jackc/pgx/v5/pgconn"
+	"git.sch9.ru/new_gate/ms-tester/internal/models"
 	"github.com/jmoiron/sqlx"
 	"go.uber.org/zap"
-	"time"
 )
 
 type ContestStorage struct {
@@ -35,17 +30,17 @@ RETURNING id
 	rows, err := storage.db.QueryxContext(
 		ctx,
 		query,
-		contest.Name
+		contest.Name,
 	)
 	if err != nil {
-		return 0, storage.HandlePgErr(err)
+		return 0, handlePgErr(err)
 	}
 
 	defer rows.Close()
 	var id int32
 	err = rows.StructScan(&id)
 	if err != nil {
-		return 0, storage.HandlePgErr(err)
+		return 0, handlePgErr(err)
 	}
 
 	return id, nil
@@ -57,16 +52,16 @@ func (storage *ContestStorage) ReadContestById(ctx context.Context, id int32) (*
 	query := storage.db.Rebind("SELECT * from contests WHERE id=? LIMIT 1")
 	err := storage.db.GetContext(ctx, &contest, query, id)
 	if err != nil {
-		return nil, storage.HandlePgErr(err)
+		return nil, handlePgErr(err)
 	}
 	return &contest, nil
 }
 
-func (storage *ContestStorage) UpdateContest(ctx context.Context, id int32,contest models.Contest) error {
+func (storage *ContestStorage) UpdateContest(ctx context.Context, id int32, contest models.Contest) error {
 	query := storage.db.Rebind("UPDATE contests SET name=?")
 	_, err := storage.db.ExecContext(ctx, query, contest.Name)
 	if err != nil {
-		return storage.HandlePgErr(err)
+		return handlePgErr(err)
 	}
 }
 
@@ -74,9 +69,8 @@ func (storage *ContestStorage) DeleteContest(ctx context.Context, id int32) erro
 	query := storage.db.Rebind("DELETE FROM contests WHERE id=?")
 	_, err := storage.db.ExecContext(ctx, query, id)
 	if err != nil {
-		return storage.HandlePgErr(err)
+		return handlePgErr(err)
 	}
 
 	return nil
 }
-

internal/storage/errhandling.go

@@ -1,27 +1,21 @@
 package storage
 
 import (
-	"context"
 	"errors"
-	"git.sch9.ru/new_gate/ms-auth/internal/lib"
-	"git.sch9.ru/new_gate/ms-auth/internal/models"
+	"git.sch9.ru/new_gate/ms-tester/internal/lib"
 	"github.com/jackc/pgerrcode"
 	"github.com/jackc/pgx/v5/pgconn"
-	"github.com/jmoiron/sqlx"
-	"go.uber.org/zap"
-	"time"
 )
 
-func (storage *UserStorage) HandlePgErr(err error) error {
+func handlePgErr(err error) error {
 	var pgErr *pgconn.PgError
 	if !errors.As(err, &pgErr) {
-		storage.logger.DPanic("unexpected error from postgres", zap.String("err", err.Error()))
+		//storage.logger.DPanic("unexpected error from postgres", zap.String("err", err.Error()))
 		return lib.ErrUnexpected
 	}
 	if pgerrcode.IsIntegrityConstraintViolation(pgErr.Code) {
 		return errors.New("unique key violation") // FIXME
 	}
-	storage.logger.DPanic("unexpected internal error from postgres", zap.String("err", err.Error()))
+	//storage.logger.DPanic("unexpected internal error from postgres", zap.String("err", err.Error()))
 	return lib.ErrInternal
 }
-

internal/storage/user.go

@@ -0,0 +1,42 @@
+package storage
+
+import (
+	"context"
+	"git.sch9.ru/new_gate/ms-tester/internal/models"
+	"github.com/jmoiron/sqlx"
+)
+
+type UserStorage struct {
+	db *sqlx.DB
+}
+
+func NewUserStorage(db *sqlx.DB) *UserStorage {
+	return &UserStorage{
+		db: db,
+	}
+}
+
+func (storage *UserStorage) CreateUser(ctx context.Context, user *models.User) error {
+	query := storage.db.Rebind("INSERT INTO users (user_id, role) VALUES (?, ?)")
+	_, err := storage.db.ExecContext(ctx, query, user.UserId, user.Role)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func (storage *UserStorage) ReadUserById(ctx context.Context, userId int32) (*models.User, error) {
+	query := storage.db.Rebind(`
+SELECT *
+FROM users
+WHERE user_id = ?
+LIMIT 1;
+`)
+
+	var user models.User
+	err := storage.db.GetContext(ctx, &user, query, userId)
+	if err != nil {
+		return nil, err
+	}
+	return &user, nil
+}

internal/transport/interceptors.go

@@ -2,36 +2,112 @@ package transport
 
 import (
 	"context"
+	"errors"
+	"git.sch9.ru/new_gate/ms-tester/internal/lib"
+	"git.sch9.ru/new_gate/ms-tester/internal/models"
 	sessionv1 "git.sch9.ru/new_gate/ms-tester/pkg/go/gen/proto/session/v1"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/metadata"
 	"google.golang.org/grpc/status"
 )
 
-type ReqWithToken interface {
-	GetToken() string
+var defaultUser = &models.User{
+	UserId:    nil,
+	Role:      models.RoleSpectator.AsPointer(),
+	UpdatedAt: nil,
 }
 
-func (s *TesterServer) AuthInterceptor() grpc.UnaryServerInterceptor {
-	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
-		reqWithToken, ok := req.(ReqWithToken)
-		if !ok {
-			return nil, status.Errorf(codes.Unauthenticated, "") // FIXME
+func extractToken(ctx context.Context) (string, error) {
+	md, ok := metadata.FromIncomingContext(ctx)
+	if !ok {
+		return "", errors.New("no metadata") // FIXME
+	}
+	tokens := md.Get("token")
+
+	if len(tokens) == 0 {
+		return "", errors.New("no token in metadata") // FIXME
+	}
+
+	token := tokens[0]
+	if token == "" {
+		return "", errors.New("empty token in metadata") // FIXME
+	}
+	return token, nil
+}
+
+func (s *TesterServer) readSessionAndReadUser(ctx context.Context, token string) (*models.User, error) {
+	// FIXME: possible bottle neck: should we cache it? (think of it in future)
+	// FIXME: maybe use single connection instead of multiple requests
+	userId, err := s.sessionClient.Read(ctx, &sessionv1.ReadSessionRequest{Token: token})
+	if err != nil {
+		return nil, status.Errorf(codes.Unauthenticated, "") // FIXME
+	}
+
+	user, err := s.userService.ReadUserById(ctx, userId.GetUserId()) // FIXME: must be cached!
+	if err != nil {
+		// FIXME: if error is "not found" (when error codes module is written)
+		// means user has no record, so we should create it
+		user = &models.User{
+			UserId: lib.AsInt32P(userId.GetUserId()),
+			Role:   models.RoleParticipant.AsPointer(),
 		}
-
-		token := reqWithToken.GetToken()
-
-		if token == "" {
-			return nil, status.Errorf(codes.Unauthenticated, "") // FIXME
-		}
-
-		userId, err := s.sessionClient.Read(ctx, &sessionv1.ReadSessionRequest{Token: token})
+		err = s.userService.CreateUser(ctx, user)
 		if err != nil {
 			return nil, status.Errorf(codes.Unauthenticated, "") // FIXME
 		}
+	}
 
-		ctx = context.WithValue(ctx, "user_id", userId)
+	return user, nil
+}
 
-		return handler(ctx, req)
+func insertUser(ctx context.Context, user *models.User) context.Context {
+	return context.WithValue(ctx, "user", user)
+}
+
+func extractUser(ctx context.Context) *models.User {
+	return ctx.Value("user").(*models.User)
+}
+
+func (s *TesterServer) AuthUnaryInterceptor() grpc.UnaryServerInterceptor {
+	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
+		token, err := extractToken(ctx)
+		if err != nil {
+			return handler(insertUser(ctx, defaultUser), req)
+		}
+
+		user, err := s.readSessionAndReadUser(ctx, token)
+		if err != nil {
+			return handler(insertUser(ctx, defaultUser), req)
+		}
+
+		return handler(insertUser(ctx, user), req)
+	}
+}
+
+type ssWrapper struct {
+	grpc.ServerStream
+	ctx context.Context
+}
+
+func (s *ssWrapper) Context() context.Context {
+	return s.ctx
+}
+
+func (s *TesterServer) AuthStreamInterceptor() grpc.StreamServerInterceptor {
+	return func(server interface{}, ss grpc.ServerStream, info *grpc.StreamServerInfo, handler grpc.StreamHandler) error {
+		ctx := ss.Context()
+
+		token, err := extractToken(ctx)
+		if err != nil {
+			return handler(server, &ssWrapper{ServerStream: ss, ctx: insertUser(ctx, defaultUser)})
+		}
+
+		user, err := s.readSessionAndReadUser(ctx, token)
+		if err != nil {
+			return handler(server, &ssWrapper{ServerStream: ss, ctx: insertUser(ctx, defaultUser)})
+		}
+
+		return handler(server, &ssWrapper{ServerStream: ss, ctx: insertUser(ctx, user)})
 	}
 }

internal/transport/problem.go

@@ -5,7 +5,6 @@ import (
 	"git.sch9.ru/new_gate/ms-tester/internal/lib"
 	"git.sch9.ru/new_gate/ms-tester/internal/models"
 	problemv1 "git.sch9.ru/new_gate/ms-tester/pkg/go/gen/proto/problem/v1"
-	sessionv1 "git.sch9.ru/new_gate/ms-tester/pkg/go/gen/proto/session/v1"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/types/known/emptypb"
@@ -15,22 +14,11 @@ import (
 func (s *TesterServer) CreateProblem(server problemv1.ProblemService_CreateProblemServer) error {
 	ctx := server.Context()
 
-	req, err := server.Recv() // receive token
-	if err != nil {
-		return err // FIXME
+	if !s.permissionService.Allowed(ctx, extractUser(ctx), "create") {
+		return status.Errorf(codes.PermissionDenied, "") // FIXME
 	}
 
-	token := req.GetToken()
-	userId, err := s.sessionClient.Read(ctx, &sessionv1.ReadSessionRequest{
-		Token: token,
-	})
-	if err != nil {
-		return err // FIXME
-	}
-
-	ctx = context.WithValue(ctx, "user_id", userId.GetUserId())
-
-	req, err = server.Recv() // receive problem
+	req, err := server.Recv() // receive problem
 	if err != nil {
 		return err // FIXME
 	}
@@ -97,6 +85,10 @@ func readChunks(ctx context.Context, server problemv1.ProblemService_CreateProbl
 }
 
 func (s *TesterServer) ReadProblem(ctx context.Context, req *problemv1.ReadProblemRequest) (*problemv1.ReadProblemResponse, error) {
+	if !s.permissionService.Allowed(ctx, extractUser(ctx), "read") {
+		return nil, status.Errorf(codes.PermissionDenied, "") // FIXME
+	}
+
 	problem, err := s.problemService.ReadProblemById(ctx, req.GetId())
 	if err != nil {
 		return nil, status.Errorf(codes.Unknown, err.Error()) // FIXME
@@ -137,6 +129,9 @@ func (s *TesterServer) ReadProblem(ctx context.Context, req *problemv1.ReadProbl
 //}
 
 func (s *TesterServer) DeleteProblem(ctx context.Context, req *problemv1.DeleteProblemRequest) (*emptypb.Empty, error) {
+	if !s.permissionService.Allowed(ctx, extractUser(ctx), "delete") {
+		return nil, status.Errorf(codes.PermissionDenied, "") // FIXME
+	}
 	err := s.problemService.DeleteProblem(ctx, req.GetId())
 	if err != nil {
 		return nil, status.Errorf(codes.Unknown, err.Error()) // FIXME

internal/transport/server.go

@@ -13,7 +13,7 @@ import (
 )
 
 type ProblemService interface {
-	CreateProblem(ctx context.Context, problem *models.Problem, ch <-chan []byte) (int32, error) // FIXME: specify chan type
+	CreateProblem(ctx context.Context, problem *models.Problem, ch <-chan []byte) (int32, error)
 	ReadProblemById(ctx context.Context, id int32) (*models.Problem, error)
 	UpdateProblem(ctx context.Context, problem *models.Problem) error
 	DeleteProblem(ctx context.Context, id int32) error
@@ -26,11 +26,23 @@ type SessionClient interface {
 	) (*sessionv1.ReadSessionResponse, error)
 }
 
+type UserService interface {
+	CreateUser(ctx context.Context, user *models.User) error
+	ReadUserById(ctx context.Context, userId int32) (*models.User, error)
+}
+
+type PermissionService interface {
+	Allowed(ctx context.Context, user *models.User, action string) bool
+}
+
 type TesterServer struct {
 	problemv1.UnimplementedProblemServiceServer
 	problemService ProblemService
 
 	sessionClient SessionClient
+	userService   UserService
+
+	permissionService PermissionService
 
 	grpcServer *grpc.Server
 	logger     *zap.Logger
@@ -39,16 +51,20 @@ type TesterServer struct {
 func NewTesterServer(
 	problemService ProblemService,
 	sessionClient SessionClient,
+
+	userService UserService,
 	logger *zap.Logger,
 ) *TesterServer {
 	server := &TesterServer{
 		problemService: problemService,
 		sessionClient:  sessionClient,
+		userService:    userService,
 		logger:         logger,
 	}
 
 	grpcServer := grpc.NewServer(
-		grpc.UnaryInterceptor(server.AuthInterceptor()),
+		grpc.UnaryInterceptor(server.AuthUnaryInterceptor()),
+		grpc.StreamInterceptor(server.AuthStreamInterceptor()),
 	)
 
 	problemv1.RegisterProblemServiceServer(grpcServer, server)