service backend

2025-11-07 18:35:26 +01:00
parent 20e8f9acc4
commit 62a6631b9a
537 changed files with 48453 additions and 0 deletions
--- a/api/pkg/auth/helper.go
+++ b/api/pkg/auth/helper.go
@@ -0,0 +1,61 @@
+package auth
+
+import (
+	"context"
+	"errors"
+
+	"github.com/tech/sendico/pkg/db/repository"
+	"github.com/tech/sendico/pkg/db/repository/builder"
+	"github.com/tech/sendico/pkg/db/template"
+	"github.com/tech/sendico/pkg/merrors"
+	"github.com/tech/sendico/pkg/model"
+	"github.com/tech/sendico/pkg/mutil/mzap"
+	"go.mongodb.org/mongo-driver/bson/primitive"
+	"go.uber.org/zap"
+)
+
+func enforceObject[T model.PermissionBoundStorable](ctx context.Context, db *template.DBImp[T], enforcer Enforcer, action model.Action, accountRef primitive.ObjectID, query builder.Query) error {
+	l, err := db.ListPermissionBound(ctx, query)
+	if err != nil {
+		db.Logger.Warn("Error occured while checking access rights", zap.Error(err),
+			mzap.ObjRef("account_ref", accountRef), zap.String("action", string(action)))
+		return err
+	}
+	if len(l) == 0 {
+		db.Logger.Debug("Access denied", mzap.ObjRef("account_ref", accountRef), zap.String("action", string(action)))
+		return merrors.AccessDenied(db.Repository.Collection(), string(action), primitive.NilObjectID)
+	}
+	for _, item := range l {
+		db.Logger.Debug("Object found", mzap.ObjRef("object_ref", *item.GetID()),
+			mzap.ObjRef("organization_ref", item.GetOrganizationRef()),
+			mzap.ObjRef("permission_ref", item.GetPermissionRef()),
+			zap.String("collection", item.Collection()))
+	}
+	res, err := enforcer.EnforceBatch(ctx, l, accountRef, action)
+	if err != nil {
+		db.Logger.Warn("Failed to enforce permission", zap.Error(err),
+			mzap.ObjRef("account_ref", accountRef), zap.String("action", string(action)))
+	}
+	for objectRef, hasPermission := range res {
+		if !hasPermission {
+			db.Logger.Info("Permission denied for object during reordering", mzap.ObjRef("account_ref", accountRef),
+				mzap.ObjRef("object_ref", objectRef), zap.String("action", string(model.ActionUpdate)))
+			return merrors.AccessDenied(db.Repository.Collection(), string(action), objectRef)
+		}
+	}
+	return nil
+}
+
+func enforceObjectByRef[T model.PermissionBoundStorable](ctx context.Context, db *template.DBImp[T], enforcer Enforcer, action model.Action, accountRef, objectRef primitive.ObjectID) error {
+	err := enforceObject(ctx, db, enforcer, action, accountRef, repository.IDFilter(objectRef))
+	if err != nil {
+		if errors.Is(err, merrors.ErrAccessDenied) {
+			db.Logger.Debug("Access denied", mzap.ObjRef("account_ref", accountRef), mzap.ObjRef("object_ref", objectRef), zap.String("action", string(action)))
+			return merrors.AccessDenied(db.Repository.Collection(), string(action), objectRef)
+		} else {
+			db.Logger.Warn("Error occurred while checking permissions", zap.Error(err),
+				mzap.ObjRef("account_ref", accountRef), mzap.ObjRef("object_ref", objectRef), zap.String("action", string(action)))
+		}
+	}
+	return err
+}