fixed authorization

handlers/authorize.go

@@ -1,6 +1,7 @@
 package handlers
 
 import (
+	"authorization/db"
 	"authorization/helper"
 	"authorization/middleware"
 	"authorization/models"
@@ -9,17 +10,24 @@ import (
 	"net/http"
 )
 
+var authService *models.CachedAuthorizationService
+
+// InitAuthService initializes the authorization service with caching
+func InitAuthService() {
+	authService = services.NewCachedAuthorizationService(db.DB)
+}
+
 // AuthorizeHandler godoc
-// @Summary Check user authorization
-// @Description Validates if a user has permission to perform an action on a resource
+// @Summary Check user authorization (RBAC + ABAC)
+// @Description Validates if a user has permission to perform an action on a resource using Role-Based and Attribute-Based Access Control
 // @Tags authorization
 // @Accept json
 // @Produce json
-// @Param request body models.AuthorizationRequest true "Authorization request"
-// @Success 200 {object} models.AuthorizationResponse
+// @Param request body models.AuthorizationContext true "Authorization context with resource data"
+// @Success 200 {object} models.AuthorizationResult
 // @Failure 400 {object} map[string]string
 // @Failure 401 {object} map[string]string
-// @Failure 403 {object} map[string]string
+// @Failure 403 {object} models.AuthorizationResult
 // @Security BearerToken
 // @Router /v1/auth/check [post]
 func AuthorizeHandler(w http.ResponseWriter, r *http.Request) {
@@ -30,37 +38,46 @@ func AuthorizeHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	var request models.AuthorizationRequest
+	var ctx models.AuthorizationContext
 
-	err := json.NewDecoder(r.Body).Decode(&request)
+	err := json.NewDecoder(r.Body).Decode(&ctx)
 	if err != nil {
 		helper.RespondWithError(w, http.StatusBadRequest, "Invalid request payload")
 		return
 	}
 
 	// Validate request
-	if request.UserID == "" || request.Resource == "" || request.Action == "" {
-		helper.RespondWithError(w, http.StatusBadRequest, "Missing required fields")
+	if ctx.UserID == "" || ctx.Resource == "" || ctx.Action == "" {
+		helper.RespondWithError(w, http.StatusBadRequest, "Missing required fields: user_id, resource, action")
 		return
 	}
 
-	allowed, reason := services.Authorize(claims, &request)
-	if !allowed {
-		response := models.AuthorizationResponse{
-			Allowed: false,
-			Reason:  reason,
-		}
-		w.Header().Set("Content-Type", "application/json")
-		w.WriteHeader(http.StatusForbidden)
-		json.NewEncoder(w).Encode(response)
+	// Verify JWT user matches request user (security check)
+	if ctx.UserID != claims.UserID {
+		helper.RespondWithError(w, http.StatusForbidden, "User ID mismatch")
 		return
 	}
 
-	// Success response
-	response := models.AuthorizationResponse{
-		Allowed: true,
-		Reason:  "Access granted",
+	// Initialize maps if nil
+	if ctx.ResourceData == nil {
+		ctx.ResourceData = make(map[string]string)
+	}
+	if ctx.Environment == nil {
+		ctx.Environment = make(map[string]string)
+	}
+
+	// Perform authorization
+	result, err := services.AuthorizeWithCache(authService, &ctx)
+	if err != nil {
+		helper.LogError(err, "Authorization service error")
+		helper.RespondWithError(w, http.StatusInternalServerError, "Authorization check failed")
+		return
+	}
+
+	// Return result
+	if result.Allowed {
+		helper.RespondWithJSON(w, http.StatusOK, result)
+	} else {
+		helper.RespondWithJSON(w, http.StatusForbidden, result)
 	}
-	w.Header().Set("Content-Type", "application/json")
-	json.NewEncoder(w).Encode(response)
 }