184 lines
6.1 KiB
Go
184 lines
6.1 KiB
Go
package handlers
|
|
|
|
import (
|
|
"authorization/helper"
|
|
"authorization/middleware"
|
|
"authorization/models"
|
|
"authorization/services"
|
|
"encoding/json"
|
|
"log"
|
|
"net/http"
|
|
"time"
|
|
)
|
|
|
|
var authService *models.CachedAuthorizationService
|
|
|
|
// InitAuthService initializes the authorization service with caching
|
|
func InitAuthService() {
|
|
authService = services.NewCachedAuthorizationService()
|
|
}
|
|
|
|
// AuthorizeHandler godoc
|
|
// @Summary Check user authorization (RBAC + ABAC)
|
|
// @Description Validates if a user has permission to perform an action on a resource using Role-Based and Attribute-Based Access Control
|
|
// @Tags authorization
|
|
// @Accept json
|
|
// @Produce json
|
|
// @Param request body models.AuthorizationContext true "Authorization context with resource data"
|
|
// @Success 200 {object} models.AuthorizationResult
|
|
// @Failure 400 {object} map[string]string
|
|
// @Failure 401 {object} map[string]string
|
|
// @Failure 403 {object} models.AuthorizationResult
|
|
// @Security BearerToken
|
|
// @Router /v1/auth/check [post]
|
|
func AuthorizeHandler(w http.ResponseWriter, r *http.Request) {
|
|
// Get claims from JWT middleware
|
|
claims, ok := middleware.GetClaims(r)
|
|
if !ok {
|
|
helper.RespondWithError(w, http.StatusUnauthorized, "Unauthorized")
|
|
return
|
|
}
|
|
|
|
var ctx models.AuthorizationContext
|
|
|
|
err := json.NewDecoder(r.Body).Decode(&ctx)
|
|
if err != nil {
|
|
helper.RespondWithError(w, http.StatusBadRequest, "Invalid request payload")
|
|
return
|
|
}
|
|
|
|
// Validate request
|
|
if ctx.UserID == "" || ctx.Resource == "" || ctx.Action == "" {
|
|
helper.RespondWithError(w, http.StatusBadRequest, "Missing required fields: user_id, resource, action")
|
|
return
|
|
}
|
|
|
|
log.Print("Authorization request for user=", ctx.UserID, ", resource=", ctx.Resource, ", action=", ctx.Action)
|
|
log.Print("JWT claims user=", claims.UserID, ", role=", claims.RoleID)
|
|
// Verify JWT user matches request user (security check)
|
|
if ctx.UserID != claims.UserID {
|
|
helper.RespondWithError(w, http.StatusForbidden, "User ID mismatch")
|
|
return
|
|
}
|
|
|
|
// Initialize maps if nil
|
|
if ctx.ResourceData == nil {
|
|
ctx.ResourceData = make(map[string]string)
|
|
}
|
|
if ctx.Environment == nil {
|
|
ctx.Environment = make(map[string]string)
|
|
}
|
|
|
|
// Set RoleID from claims
|
|
ctx.RoleID = claims.RoleID
|
|
log.Print("Set context RoleID to ", ctx.RoleID)
|
|
// Perform authorization
|
|
log.Printf("[Handler] Performing authorization check for user=%s, resource=%s, action=%s", ctx.UserID, ctx.Resource, ctx.Action)
|
|
result, err := services.AuthorizeWithCache(authService, &ctx)
|
|
if err != nil {
|
|
helper.LogError(err, "Authorization service error")
|
|
log.Printf("✗ Authorization service error for user=%s: %v", ctx.UserID, err)
|
|
helper.RespondWithError(w, http.StatusInternalServerError, "Authorization check failed")
|
|
return
|
|
}
|
|
|
|
// Return result
|
|
if result.Allowed {
|
|
log.Printf("✓ [Handler] Authorization ALLOWED - Returning 200 OK to client")
|
|
// Return response matching AuthorizationResponse model for client compatibility
|
|
response := map[string]interface{}{
|
|
"allowed": result.Allowed,
|
|
"reason": result.Message,
|
|
}
|
|
helper.RespondWithJSON(w, http.StatusOK, response)
|
|
} else {
|
|
log.Printf("✗ [Handler] Authorization DENIED - Returning 403 Forbidden to client (reason: %s)", result.Message)
|
|
// Return response matching AuthorizationResponse model for client compatibility
|
|
response := map[string]interface{}{
|
|
"allowed": result.Allowed,
|
|
"reason": result.Message,
|
|
}
|
|
helper.RespondWithJSON(w, http.StatusForbidden, response)
|
|
}
|
|
}
|
|
|
|
// SimpleCheckRequest represents a simplified authorization check request
|
|
type SimpleCheckRequest struct {
|
|
Resource string `json:"resource"`
|
|
Action string `json:"action"`
|
|
ResourceData map[string]string `json:"resource_data,omitempty"`
|
|
}
|
|
|
|
// SimpleCheckHandler godoc
|
|
// @Summary Simple permission check
|
|
// @Description Simplified endpoint to check if the authenticated user has permission for a resource/action
|
|
// @Tags authorization
|
|
// @Accept json
|
|
// @Produce json
|
|
// @Param request body SimpleCheckRequest true "Simple authorization request"
|
|
// @Success 200 {object} map[string]interface{}
|
|
// @Failure 400 {object} map[string]string
|
|
// @Failure 401 {object} map[string]string
|
|
// @Failure 403 {object} map[string]interface{}
|
|
// @Security BearerToken
|
|
// @Router /v1/auth/simple-check [post]
|
|
func SimpleCheckHandler(w http.ResponseWriter, r *http.Request) {
|
|
// Get claims from JWT middleware
|
|
claims, ok := middleware.GetClaims(r)
|
|
if !ok {
|
|
helper.RespondWithError(w, http.StatusUnauthorized, "Unauthorized")
|
|
return
|
|
}
|
|
|
|
var req SimpleCheckRequest
|
|
err := json.NewDecoder(r.Body).Decode(&req)
|
|
if err != nil {
|
|
helper.RespondWithError(w, http.StatusBadRequest, "Invalid request payload")
|
|
return
|
|
}
|
|
|
|
// Validate request
|
|
if req.Resource == "" || req.Action == "" {
|
|
helper.RespondWithError(w, http.StatusBadRequest, "Missing required fields: resource, action")
|
|
return
|
|
}
|
|
|
|
log.Printf("[SimpleCheck] Authorization request for user=%s, resource=%s, action=%s",
|
|
claims.UserID, req.Resource, req.Action)
|
|
|
|
// Build authorization context
|
|
ctx := &models.AuthorizationContext{
|
|
UserID: claims.UserID,
|
|
Resource: req.Resource,
|
|
Action: req.Action,
|
|
ResourceData: req.ResourceData,
|
|
Environment: make(map[string]string),
|
|
}
|
|
|
|
// Add current time to environment
|
|
ctx.Environment["time"] = time.Now().Format(time.RFC3339)
|
|
|
|
// Use the direct Authorize function (non-cached)
|
|
log.Printf("[SimpleCheck] Using direct (non-cached) authorization")
|
|
result, err := services.Authorize(ctx)
|
|
if err != nil {
|
|
helper.LogError(err, "Simple authorization check error")
|
|
log.Printf("✗ Simple authorization check error for user=%s: %v", claims.UserID, err)
|
|
helper.RespondWithError(w, http.StatusInternalServerError, "Authorization check failed")
|
|
return
|
|
}
|
|
|
|
response := map[string]interface{}{
|
|
"allowed": result.Allowed,
|
|
"message": result.Message,
|
|
}
|
|
|
|
if result.Allowed {
|
|
log.Printf("✓ [SimpleCheck] Authorization ALLOWED for user=%s", claims.UserID)
|
|
helper.RespondWithJSON(w, http.StatusOK, response)
|
|
} else {
|
|
log.Printf("✗ [SimpleCheck] Authorization DENIED for user=%s - Reason: %s", claims.UserID, result.Message)
|
|
helper.RespondWithJSON(w, http.StatusForbidden, response)
|
|
}
|
|
}
|