Merge branch 'master' into auth_mock

auth.proto

@@ -24,7 +24,7 @@ service AuthService {
     rpc Issue(IssueReq) returns (Token) {}
     rpc Identify(Token) returns (UserIdentity) {}
     rpc Authorize(AuthorizeReq) returns (google.protobuf.Empty) {}
-    rpc CanAccessGroup(AccessGroupReq) returns (google.protobuf.Empty) {}
+    rpc AddPolicy(PolicyReq) returns (google.protobuf.Empty) {}
     rpc Assign(Assignment) returns (google.protobuf.Empty) {}
     rpc Members(MembersReq) returns (MembersRes) {}
     rpc AssignRole(AssignRoleReq) returns (google.protobuf.Empty) {}
@@ -82,9 +82,11 @@ message AuthorizeRes {
     bool authorized = 1;
 }
 
-message AccessGroupReq {
+message PolicyReq {
     string token    = 1;
-    string groupID  = 2;
+    string policy   = 2;
+    string subject  = 3;
+    string object   = 4;
 }
 
 message Assignment {

auth/api/grpc/client.go

@@ -23,14 +23,14 @@ const (
 var _ mainflux.AuthServiceClient = (*grpcClient)(nil)
 
 type grpcClient struct {
-	issue          endpoint.Endpoint
-	identify       endpoint.Endpoint
-	authorize      endpoint.Endpoint
-	canAccessGroup endpoint.Endpoint
-	assign         endpoint.Endpoint
-	members        endpoint.Endpoint
-	assignRole     endpoint.Endpoint
-	timeout        time.Duration
+	issue      endpoint.Endpoint
+	identify   endpoint.Endpoint
+	authorize  endpoint.Endpoint
+	addPolicy  endpoint.Endpoint
+	assign     endpoint.Endpoint
+	members    endpoint.Endpoint
+	assignRole endpoint.Endpoint
+	timeout    time.Duration
 }
 
 // NewClient returns new gRPC client instance.
@@ -60,11 +60,11 @@ func NewClient(tracer opentracing.Tracer, conn *grpc.ClientConn, timeout time.Du
 			decodeEmptyResponse,
 			empty.Empty{},
 		).Endpoint()),
-		canAccessGroup: kitot.TraceClient(tracer, "can_access_group")(kitgrpc.NewClient(
+		addPolicy: kitot.TraceClient(tracer, "add_policy")(kitgrpc.NewClient(
 			conn,
 			svcName,
-			"CanAccessGroup",
-			encodeAccessGroupRequest,
+			"AddPolicy",
+			encodeAddPolicyRequest,
 			decodeEmptyResponse,
 			empty.Empty{},
 		).Endpoint()),
@@ -166,11 +166,11 @@ func encodeAuthorizeRequest(_ context.Context, grpcReq interface{}) (interface{}
 	}, nil
 }
 
-func (client grpcClient) CanAccessGroup(ctx context.Context, req *mainflux.AccessGroupReq, opts ...grpc.CallOption) (r *empty.Empty, err error) {
+func (client grpcClient) AddPolicy(ctx context.Context, req *mainflux.PolicyReq, opts ...grpc.CallOption) (r *empty.Empty, err error) {
 	ctx, close := context.WithTimeout(ctx, client.timeout)
 	defer close()
 
-	res, err := client.canAccessGroup(ctx, accessGroupReq{Token: req.GetToken(), GroupID: req.GetGroupID()})
+	res, err := client.addPolicy(ctx, policyReq{Token: req.GetToken(), Object: req.GetObject(), Policy: req.GetPolicy()})
 	if err != nil {
 		return nil, err
 	}
@@ -179,11 +179,12 @@ func (client grpcClient) CanAccessGroup(ctx context.Context, req *mainflux.Acces
 	return &empty.Empty{}, er.err
 }
 
-func encodeAccessGroupRequest(_ context.Context, grpcReq interface{}) (interface{}, error) {
-	req := grpcReq.(accessGroupReq)
-	return &mainflux.AccessGroupReq{
-		Token:   req.Token,
-		GroupID: req.GroupID,
+func encodeAddPolicyRequest(_ context.Context, grpcReq interface{}) (interface{}, error) {
+	req := grpcReq.(policyReq)
+	return &mainflux.PolicyReq{
+		Token:  req.Token,
+		Object: req.Object,
+		Policy: req.Policy,
 	}, nil
 }
 

auth/api/grpc/endpoint.go

@@ -50,7 +50,7 @@ func identifyEndpoint(svc auth.Service) endpoint.Endpoint {
 			id:    id.ID,
 			email: id.Email,
 		}
-		
+
 		return ret, nil
 	}
 }
@@ -94,14 +94,14 @@ func assignRoleEndpoint(svc auth.Service) endpoint.Endpoint {
 	}
 }
 
-func accessGroupEndpoint(svc auth.Service) endpoint.Endpoint {
+func addPolicyEndpoint(svc auth.Service) endpoint.Endpoint {
 	return func(ctx context.Context, request interface{}) (interface{}, error) {
-		req := request.(accessGroupReq)
+		req := request.(policyReq)
 		if err := req.validate(); err != nil {
 			return emptyRes{}, err
 		}
 
-		if err := svc.CanAccessGroup(ctx, req.Token, req.GroupID); err != nil {
+		if err := svc.AddPolicy(ctx, req.Token, req.Object, req.Policy); err != nil {
 			return emptyRes{}, err
 		}
 

auth/api/grpc/requests.go

@@ -94,25 +94,35 @@ func (req authReq) validate() error {
 		return apiutil.ErrBearerToken
 	}
 
-	if req.Subject == "" {
-		return apiutil.ErrMissingSubject
+	if req.Subject != auth.RootSubject && req.Subject != auth.GroupSubject {
+		return apiutil.ErrInvalidSubject
 	}
 
 	return nil
 }
 
-type accessGroupReq struct {
+type policyReq struct {
 	Token   string
-	GroupID string
+	Policy  string
+	Subject string
+	Object  string
 }
 
-func (req accessGroupReq) validate() error {
+func (req policyReq) validate() error {
 	if req.Token == "" {
 		return apiutil.ErrBearerToken
 	}
 
-	if req.GroupID == "" {
-		return apiutil.ErrMissingID
+	if req.Object == "" {
+		return apiutil.ErrMissingObject
+	}
+
+	if req.Subject != auth.RootSubject && req.Subject != auth.GroupSubject {
+		return apiutil.ErrInvalidSubject
+	}
+
+	if req.Policy != auth.RPolicy && req.Policy != auth.RwPolicy && req.Policy != "" {
+		return apiutil.ErrInvalidPolicy
 	}
 
 	return nil

auth/api/grpc/server.go

@@ -21,13 +21,13 @@ import (
 var _ mainflux.AuthServiceServer = (*grpcServer)(nil)
 
 type grpcServer struct {
-	issue          kitgrpc.Handler
-	identify       kitgrpc.Handler
-	authorize      kitgrpc.Handler
-	canAccessGroup kitgrpc.Handler
-	assign         kitgrpc.Handler
-	members        kitgrpc.Handler
-	assignRole     kitgrpc.Handler
+	issue      kitgrpc.Handler
+	identify   kitgrpc.Handler
+	authorize  kitgrpc.Handler
+	addPolicy  kitgrpc.Handler
+	assign     kitgrpc.Handler
+	members    kitgrpc.Handler
+	assignRole kitgrpc.Handler
 }
 
 // NewServer returns new AuthServiceServer instance.
@@ -48,9 +48,9 @@ func NewServer(tracer opentracing.Tracer, svc auth.Service) mainflux.AuthService
 			decodeAuthorizeRequest,
 			encodeEmptyResponse,
 		),
-		canAccessGroup: kitgrpc.NewServer(
-			kitot.TraceServer(tracer, "can_access_group")(accessGroupEndpoint(svc)),
-			decodeAccessGroupRequest,
+		addPolicy: kitgrpc.NewServer(
+			kitot.TraceServer(tracer, "add_policy")(addPolicyEndpoint(svc)),
+			decodeAddPolicyRequest,
 			encodeEmptyResponse,
 		),
 		assign: kitgrpc.NewServer(
@@ -95,8 +95,8 @@ func (s *grpcServer) Authorize(ctx context.Context, req *mainflux.AuthorizeReq)
 	return res.(*empty.Empty), nil
 }
 
-func (s *grpcServer) CanAccessGroup(ctx context.Context, req *mainflux.AccessGroupReq) (*empty.Empty, error) {
-	_, res, err := s.canAccessGroup.ServeGRPC(ctx, req)
+func (s *grpcServer) AddPolicy(ctx context.Context, req *mainflux.PolicyReq) (*empty.Empty, error) {
+	_, res, err := s.addPolicy.ServeGRPC(ctx, req)
 	if err != nil {
 		return nil, encodeError(err)
 	}
@@ -162,9 +162,9 @@ func decodeAssignRequest(_ context.Context, grpcReq interface{}) (interface{}, e
 	return assignReq{token: req.GetValue()}, nil
 }
 
-func decodeAccessGroupRequest(_ context.Context, grpcReq interface{}) (interface{}, error) {
-	req := grpcReq.(*mainflux.AccessGroupReq)
-	return accessGroupReq{Token: req.GetToken(), GroupID: req.GetGroupID()}, nil
+func decodeAddPolicyRequest(_ context.Context, grpcReq interface{}) (interface{}, error) {
+	req := grpcReq.(*mainflux.PolicyReq)
+	return policyReq{Token: req.GetToken(), Object: req.GetObject(), Policy: req.GetPolicy()}, nil
 }
 
 func decodeMembersRequest(_ context.Context, grpcReq interface{}) (interface{}, error) {

auth/api/logging.go

@@ -289,17 +289,17 @@ func (lm *loggingMiddleware) ListOrgGroups(ctx context.Context, token, orgID str
 	return lm.svc.ListOrgGroups(ctx, token, orgID, pm)
 }
 
-func (lm *loggingMiddleware) CanAccessGroup(ctx context.Context, token, orgID string) (err error) {
+func (lm *loggingMiddleware) AddPolicy(ctx context.Context, token, groupID, policy string) (err error) {
 	defer func(begin time.Time) {
-		message := fmt.Sprintf("Method can_access_group for token %s and org id %s took %s to complete", token, orgID, time.Since(begin))
+		message := fmt.Sprintf("Method add_policy for token %s and took %s to complete", token, time.Since(begin))
 		if err != nil {
 			lm.logger.Warn(fmt.Sprintf("%s with error: %s.", message, err))
 			return
 		}
 		lm.logger.Info(fmt.Sprintf("%s without errors.", message))
 	}(time.Now())
 
-	return lm.svc.CanAccessGroup(ctx, token, orgID)
+	return lm.svc.AddPolicy(ctx, token, groupID, policy)
 }
 
 func (lm *loggingMiddleware) Backup(ctx context.Context, token string) (backup auth.Backup, err error) {

auth/api/metrics.go

@@ -206,13 +206,13 @@ func (ms *metricsMiddleware) ListOrgGroups(ctx context.Context, token, groupID s
 	return ms.svc.ListOrgGroups(ctx, token, groupID, pm)
 }
 
-func (ms *metricsMiddleware) CanAccessGroup(ctx context.Context, token, groupID string) error {
+func (ms *metricsMiddleware) AddPolicy(ctx context.Context, token, groupID, policy string) error {
 	defer func(begin time.Time) {
-		ms.counter.With("method", "can_access_group").Add(1)
-		ms.latency.With("method", "can_access_group").Observe(time.Since(begin).Seconds())
+		ms.counter.With("method", "add_policy").Add(1)
+		ms.latency.With("method", "add_policy").Observe(time.Since(begin).Seconds())
 	}(time.Now())
 
-	return ms.svc.CanAccessGroup(ctx, token, groupID)
+	return ms.svc.AddPolicy(ctx, token, groupID, policy)
 }
 
 func (ms *metricsMiddleware) Backup(ctx context.Context, token string) (auth.Backup, error) {

auth/mocks/orgs.go

@@ -361,6 +361,22 @@ func (orm *orgRepositoryMock) RetrieveAllGroupRelations(ctx context.Context) ([]
 	return grs, nil
 }
 
+func (orm *orgRepositoryMock) SavePolicy(ctx context.Context, memberID string, policy string, groupIDs ...string) error {
+	panic("not implemented")
+}
+
+func (orm *orgRepositoryMock) RetrievePolicy(ctx context.Context, gp auth.GroupsPolicy) (string, error) {
+	panic("not implemented")
+}
+
+func (orm *orgRepositoryMock) UpdatePolicy(ctx context.Context, gp auth.GroupsPolicy) error {
+	panic("not implemented")
+}
+
+func (orm *orgRepositoryMock) RemovePolicy(ctx context.Context, gp auth.GroupsPolicy) error {
+	panic("not implemented")
+}
+
 func sortOrgsByID(orgs map[string]auth.Org) []string {
 	var keys []string
 	for k := range orgs {

auth/orgs.go

@@ -95,6 +95,12 @@ type GroupRelationsPage struct {
 	GroupRelations []GroupRelation
 }
 
+type GroupsPolicy struct {
+	GroupID  string
+	MemberID string
+	Policy   string
+}
+
 type Member struct {
 	ID    string `json:"id"`
 	Role  string `json:"role"`
@@ -235,4 +241,16 @@ type OrgRepository interface {
 
 	// RetrieveAllGroupRelations retrieves all group relations.
 	RetrieveAllGroupRelations(ctx context.Context) ([]GroupRelation, error)
+
+	// SavePolicy saves group policy for a user.
+	SavePolicy(ctx context.Context, memberID, policy string, groupID ...string) error
+
+	// RetrievePolicy retrieves group policy for a user.
+	RetrievePolicy(ctc context.Context, gp GroupsPolicy) (string, error)
+
+	// RemovePolicy removes group policy for a user.
+	RemovePolicy(ctx context.Context, gp GroupsPolicy) error
+
+	// UpdatePolicy updates group policy for a user.
+	UpdatePolicy(ctx context.Context, gp GroupsPolicy) error
 }

auth/postgres/init.go

@@ -108,15 +108,28 @@ func migrateDB(db *sqlx.DB) error {
 				Id: "auth_4",
 				Up: []string{
 					`CREATE TABLE IF NOT EXISTS users_roles (
-					 role VARCHAR(12) CHECK (role IN ('root', 'admin')),
-				         user_id UUID NOT NULL,
-				         PRIMARY KEY (user_id)
-				    )`,
+					       	        role VARCHAR(12) CHECK (role IN ('root', 'admin')),
+ 				           	        user_id UUID NOT NULL,
+				                        PRIMARY KEY (user_id)
+				                 )`,
 				},
 				Down: []string{
 					"DROP TABLE users_roles",
 				},
 			},
+			{
+				Id: "auth_5",
+				Up: []string{
+					`CREATE TABLE IF NOT EXISTS group_policies (
+							group_id    UUID UNIQUE NOT NULL,
+							member_id   UUID NOT NULL,
+							policy      VARCHAR(15)
+						 )`,
+				},
+				Down: []string{
+					`DROP TABLE IF EXISTS group_policies`,
+				},
+			},
 		},
 	}