Authorization/services/authorize.go

package services

import (
	"authorization/models"
	"authorization/repository"
	"fmt"
	"log"
	"time"
)

// Authorize performs RBAC + ABAC authorization check
func Authorize(ctx *models.AuthorizationContext) (*models.AuthorizationResult, error) {
	startTime := time.Now()

	log.Printf("[AuthZ Step 0] Fetching user details for userID=%s", ctx.UserID)
	user, err := repository.GetUserByID(ctx.UserID)
	if err != nil {
		log.Printf("✗ User not found for userID=%s: %v", ctx.UserID, err)
		return &models.AuthorizationResult{
			Allowed: false,
			Message: fmt.Sprintf("User not found: %v", err),
		}, nil
	}
	log.Printf("[AuthZ Step 0] User found: role_id=%d", user.RoleID)

	log.Printf("[AuthZ Step 1] Checking if role_id=%d has permission for resource=%s, action=%s", user.RoleID, ctx.Resource, ctx.Action)
	permission, err := repository.GetPermissionByResourceActionAndRole(ctx.Resource, ctx.Action, user.RoleID)
	if err != nil {
		log.Printf("✗ Permission not found or not granted to role_id=%d for resource=%s, action=%s: %v", user.RoleID, ctx.Resource, ctx.Action, err)
		return &models.AuthorizationResult{
			Allowed: false,
			Message: fmt.Sprintf("Permission not granted to your role: %v", err),
		}, nil
	}
	log.Printf("[AuthZ Step 1] Permission found: ID=%d, Name=%s", permission.ID, permission.PermissionName)

	// Step 2: Get user attributes
	log.Printf("[AuthZ Step 2] Fetching user attributes for userID=%s", ctx.UserID)
	userAttrs, err := repository.GetUserAttributes(ctx.UserID)
	if err != nil {
		log.Printf("✗ Failed to get user attributes for userID=%s: %v", ctx.UserID, err)
		return &models.AuthorizationResult{
			Allowed: false,
			Message: fmt.Sprintf("Failed to get user attributes: %v", err),
		}, err
	}
	ctx.UserAttributes = userAttrs
	log.Printf("[AuthZ Step 2] User attributes retrieved: %d attributes", len(userAttrs))

	// Step 3: Get policy attributes for the permission
	log.Printf("[AuthZ Step 3] Fetching policy attributes for permissionID=%d", permission.ID)
	policies, err := repository.GetPolicyAttributesByPermission(permission.ID)
	if err != nil {
		log.Printf("✗ Failed to get policies for permissionID=%d: %v", permission.ID, err)
		return &models.AuthorizationResult{
			Allowed: false,
			Message: fmt.Sprintf("Failed to get policies: %v", err),
		}, err
	}
	log.Printf("[AuthZ Step 3] Policies retrieved: %d policies to evaluate", len(policies))

	log.Printf("[AuthZ Step 4] Using RoleID: %s (from context or user record)", ctx.RoleID)
	allowed, reason := EvaluatePolicies(policies, ctx)

	result := &models.AuthorizationResult{
		Allowed: allowed,
	}

	if allowed {
		result.RedirectRoute = "dashboard"
		result.Message = "Access granted"
		log.Printf("✓ Authorization GRANTED for user=%s, resource=%s, action=%s (evaluated in %v)",
			ctx.UserID, ctx.Resource, ctx.Action, time.Since(startTime))
	} else {
		log.Printf("✗ Authorization DENIED for user=%s, resource=%s, action=%s - Reason: %s (evaluated in %v)",
			ctx.UserID, ctx.Resource, ctx.Action, reason, time.Since(startTime))
		result.Message = reason
	}

	// Log evaluation time for performance monitoring
	evalTime := time.Since(startTime)
	if evalTime > 100*time.Millisecond {
		fmt.Printf("WARN: Slow authorization evaluation: %v for user=%s, resource=%s, action=%s\n",
			evalTime, ctx.UserID, ctx.Resource, ctx.Action)
	}

	return result, nil
}

// CheckPermission is a simplified authorization check
func CheckPermission(userID, resource, action string, resourceData map[string]string) (bool, string, error) {
	ctx := &models.AuthorizationContext{
		UserID:       userID,
		Resource:     resource,
		Action:       action,
		ResourceData: resourceData,
		Environment:  make(map[string]string),
	}

	// Add current time to environment
	ctx.Environment["time"] = time.Now().Format(time.RFC3339)

	result, err := Authorize(ctx)
	if err != nil {
		return false, fmt.Sprintf("Authorization error: %v", err), err
	}

	return result.Allowed, result.Message, nil
}