feat: add permission check
This commit is contained in:
Vyacheslav1557
parent
56135ff5df
commit
bebc7f3076
14 changed files with 490 additions and 95 deletions
|
|
@ -2,36 +2,112 @@ package transport
|
|||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"git.sch9.ru/new_gate/ms-tester/internal/lib"
|
||||
"git.sch9.ru/new_gate/ms-tester/internal/models"
|
||||
sessionv1 "git.sch9.ru/new_gate/ms-tester/pkg/go/gen/proto/session/v1"
|
||||
"google.golang.org/grpc"
|
||||
"google.golang.org/grpc/codes"
|
||||
"google.golang.org/grpc/metadata"
|
||||
"google.golang.org/grpc/status"
|
||||
)
|
||||
|
||||
type ReqWithToken interface {
|
||||
GetToken() string
|
||||
var defaultUser = &models.User{
|
||||
UserId: nil,
|
||||
Role: models.RoleSpectator.AsPointer(),
|
||||
UpdatedAt: nil,
|
||||
}
|
||||
|
||||
func (s *TesterServer) AuthInterceptor() grpc.UnaryServerInterceptor {
|
||||
return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
|
||||
reqWithToken, ok := req.(ReqWithToken)
|
||||
if !ok {
|
||||
return nil, status.Errorf(codes.Unauthenticated, "") // FIXME
|
||||
func extractToken(ctx context.Context) (string, error) {
|
||||
md, ok := metadata.FromIncomingContext(ctx)
|
||||
if !ok {
|
||||
return "", errors.New("no metadata") // FIXME
|
||||
}
|
||||
tokens := md.Get("token")
|
||||
|
||||
if len(tokens) == 0 {
|
||||
return "", errors.New("no token in metadata") // FIXME
|
||||
}
|
||||
|
||||
token := tokens[0]
|
||||
if token == "" {
|
||||
return "", errors.New("empty token in metadata") // FIXME
|
||||
}
|
||||
return token, nil
|
||||
}
|
||||
|
||||
func (s *TesterServer) readSessionAndReadUser(ctx context.Context, token string) (*models.User, error) {
|
||||
// FIXME: possible bottle neck: should we cache it? (think of it in future)
|
||||
// FIXME: maybe use single connection instead of multiple requests
|
||||
userId, err := s.sessionClient.Read(ctx, &sessionv1.ReadSessionRequest{Token: token})
|
||||
if err != nil {
|
||||
return nil, status.Errorf(codes.Unauthenticated, "") // FIXME
|
||||
}
|
||||
|
||||
user, err := s.userService.ReadUserById(ctx, userId.GetUserId()) // FIXME: must be cached!
|
||||
if err != nil {
|
||||
// FIXME: if error is "not found" (when error codes module is written)
|
||||
// means user has no record, so we should create it
|
||||
user = &models.User{
|
||||
UserId: lib.AsInt32P(userId.GetUserId()),
|
||||
Role: models.RoleParticipant.AsPointer(),
|
||||
}
|
||||
|
||||
token := reqWithToken.GetToken()
|
||||
|
||||
if token == "" {
|
||||
return nil, status.Errorf(codes.Unauthenticated, "") // FIXME
|
||||
}
|
||||
|
||||
userId, err := s.sessionClient.Read(ctx, &sessionv1.ReadSessionRequest{Token: token})
|
||||
err = s.userService.CreateUser(ctx, user)
|
||||
if err != nil {
|
||||
return nil, status.Errorf(codes.Unauthenticated, "") // FIXME
|
||||
}
|
||||
}
|
||||
|
||||
ctx = context.WithValue(ctx, "user_id", userId)
|
||||
return user, nil
|
||||
}
|
||||
|
||||
return handler(ctx, req)
|
||||
func insertUser(ctx context.Context, user *models.User) context.Context {
|
||||
return context.WithValue(ctx, "user", user)
|
||||
}
|
||||
|
||||
func extractUser(ctx context.Context) *models.User {
|
||||
return ctx.Value("user").(*models.User)
|
||||
}
|
||||
|
||||
func (s *TesterServer) AuthUnaryInterceptor() grpc.UnaryServerInterceptor {
|
||||
return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
|
||||
token, err := extractToken(ctx)
|
||||
if err != nil {
|
||||
return handler(insertUser(ctx, defaultUser), req)
|
||||
}
|
||||
|
||||
user, err := s.readSessionAndReadUser(ctx, token)
|
||||
if err != nil {
|
||||
return handler(insertUser(ctx, defaultUser), req)
|
||||
}
|
||||
|
||||
return handler(insertUser(ctx, user), req)
|
||||
}
|
||||
}
|
||||
|
||||
type ssWrapper struct {
|
||||
grpc.ServerStream
|
||||
ctx context.Context
|
||||
}
|
||||
|
||||
func (s *ssWrapper) Context() context.Context {
|
||||
return s.ctx
|
||||
}
|
||||
|
||||
func (s *TesterServer) AuthStreamInterceptor() grpc.StreamServerInterceptor {
|
||||
return func(server interface{}, ss grpc.ServerStream, info *grpc.StreamServerInfo, handler grpc.StreamHandler) error {
|
||||
ctx := ss.Context()
|
||||
|
||||
token, err := extractToken(ctx)
|
||||
if err != nil {
|
||||
return handler(server, &ssWrapper{ServerStream: ss, ctx: insertUser(ctx, defaultUser)})
|
||||
}
|
||||
|
||||
user, err := s.readSessionAndReadUser(ctx, token)
|
||||
if err != nil {
|
||||
return handler(server, &ssWrapper{ServerStream: ss, ctx: insertUser(ctx, defaultUser)})
|
||||
}
|
||||
|
||||
return handler(server, &ssWrapper{ServerStream: ss, ctx: insertUser(ctx, user)})
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -5,7 +5,6 @@ import (
|
|||
"git.sch9.ru/new_gate/ms-tester/internal/lib"
|
||||
"git.sch9.ru/new_gate/ms-tester/internal/models"
|
||||
problemv1 "git.sch9.ru/new_gate/ms-tester/pkg/go/gen/proto/problem/v1"
|
||||
sessionv1 "git.sch9.ru/new_gate/ms-tester/pkg/go/gen/proto/session/v1"
|
||||
"google.golang.org/grpc/codes"
|
||||
"google.golang.org/grpc/status"
|
||||
"google.golang.org/protobuf/types/known/emptypb"
|
||||
|
|
@ -15,22 +14,11 @@ import (
|
|||
func (s *TesterServer) CreateProblem(server problemv1.ProblemService_CreateProblemServer) error {
|
||||
ctx := server.Context()
|
||||
|
||||
req, err := server.Recv() // receive token
|
||||
if err != nil {
|
||||
return err // FIXME
|
||||
if !s.permissionService.Allowed(ctx, extractUser(ctx), "create") {
|
||||
return status.Errorf(codes.PermissionDenied, "") // FIXME
|
||||
}
|
||||
|
||||
token := req.GetToken()
|
||||
userId, err := s.sessionClient.Read(ctx, &sessionv1.ReadSessionRequest{
|
||||
Token: token,
|
||||
})
|
||||
if err != nil {
|
||||
return err // FIXME
|
||||
}
|
||||
|
||||
ctx = context.WithValue(ctx, "user_id", userId.GetUserId())
|
||||
|
||||
req, err = server.Recv() // receive problem
|
||||
req, err := server.Recv() // receive problem
|
||||
if err != nil {
|
||||
return err // FIXME
|
||||
}
|
||||
|
|
@ -97,6 +85,10 @@ func readChunks(ctx context.Context, server problemv1.ProblemService_CreateProbl
|
|||
}
|
||||
|
||||
func (s *TesterServer) ReadProblem(ctx context.Context, req *problemv1.ReadProblemRequest) (*problemv1.ReadProblemResponse, error) {
|
||||
if !s.permissionService.Allowed(ctx, extractUser(ctx), "read") {
|
||||
return nil, status.Errorf(codes.PermissionDenied, "") // FIXME
|
||||
}
|
||||
|
||||
problem, err := s.problemService.ReadProblemById(ctx, req.GetId())
|
||||
if err != nil {
|
||||
return nil, status.Errorf(codes.Unknown, err.Error()) // FIXME
|
||||
|
|
@ -137,6 +129,9 @@ func (s *TesterServer) ReadProblem(ctx context.Context, req *problemv1.ReadProbl
|
|||
//}
|
||||
|
||||
func (s *TesterServer) DeleteProblem(ctx context.Context, req *problemv1.DeleteProblemRequest) (*emptypb.Empty, error) {
|
||||
if !s.permissionService.Allowed(ctx, extractUser(ctx), "delete") {
|
||||
return nil, status.Errorf(codes.PermissionDenied, "") // FIXME
|
||||
}
|
||||
err := s.problemService.DeleteProblem(ctx, req.GetId())
|
||||
if err != nil {
|
||||
return nil, status.Errorf(codes.Unknown, err.Error()) // FIXME
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@ import (
|
|||
)
|
||||
|
||||
type ProblemService interface {
|
||||
CreateProblem(ctx context.Context, problem *models.Problem, ch <-chan []byte) (int32, error) // FIXME: specify chan type
|
||||
CreateProblem(ctx context.Context, problem *models.Problem, ch <-chan []byte) (int32, error)
|
||||
ReadProblemById(ctx context.Context, id int32) (*models.Problem, error)
|
||||
UpdateProblem(ctx context.Context, problem *models.Problem) error
|
||||
DeleteProblem(ctx context.Context, id int32) error
|
||||
|
|
@ -26,11 +26,23 @@ type SessionClient interface {
|
|||
) (*sessionv1.ReadSessionResponse, error)
|
||||
}
|
||||
|
||||
type UserService interface {
|
||||
CreateUser(ctx context.Context, user *models.User) error
|
||||
ReadUserById(ctx context.Context, userId int32) (*models.User, error)
|
||||
}
|
||||
|
||||
type PermissionService interface {
|
||||
Allowed(ctx context.Context, user *models.User, action string) bool
|
||||
}
|
||||
|
||||
type TesterServer struct {
|
||||
problemv1.UnimplementedProblemServiceServer
|
||||
problemService ProblemService
|
||||
|
||||
sessionClient SessionClient
|
||||
userService UserService
|
||||
|
||||
permissionService PermissionService
|
||||
|
||||
grpcServer *grpc.Server
|
||||
logger *zap.Logger
|
||||
|
|
@ -39,16 +51,20 @@ type TesterServer struct {
|
|||
func NewTesterServer(
|
||||
problemService ProblemService,
|
||||
sessionClient SessionClient,
|
||||
|
||||
userService UserService,
|
||||
logger *zap.Logger,
|
||||
) *TesterServer {
|
||||
server := &TesterServer{
|
||||
problemService: problemService,
|
||||
sessionClient: sessionClient,
|
||||
userService: userService,
|
||||
logger: logger,
|
||||
}
|
||||
|
||||
grpcServer := grpc.NewServer(
|
||||
grpc.UnaryInterceptor(server.AuthInterceptor()),
|
||||
grpc.UnaryInterceptor(server.AuthUnaryInterceptor()),
|
||||
grpc.StreamInterceptor(server.AuthStreamInterceptor()),
|
||||
)
|
||||
|
||||
problemv1.RegisterProblemServiceServer(grpcServer, server)
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue