Organizations update

server/serverconfig/authorization.go

@@ -1,8 +1,6 @@
 package serverconfig
 
 import (
-	"fmt"
-
 	"bitbucket.org/nemt/nemt-portal-api/application/applicationservice"
 	"bitbucket.org/nemt/nemt-portal-api/application/viewmodel"
 	"bitbucket.org/nemt/nemt-portal-api/infra/auth"
@@ -77,8 +75,8 @@ func (a *Config) CheckPermission(c echo.Context) bool {
 	}
 	method := c.Request().Method
 	path := c.Request().URL.Path
-	objectOrganization := a.organizationGoverningObject(c, user)
-	objectRole := a.roleGoverningObject(c, user)
+
+	objectsRole, objectsOrganization, objectsOrganizationType, object := a.policyObjectAttributes(c, user)
 
 	currentUsersOrganization := viewmodel.Organization{}
 	if len(user.Organizations) > 0 {
@@ -89,49 +87,74 @@ func (a *Config) CheckPermission(c echo.Context) bool {
 	if len(user.Profiles) > 0 {
 		currentUsersRole = user.Profiles[0]
 	}
-	orgRelation := organizationsRelation(currentUsersOrganization, objectOrganization)
-	objRelation := a.objectRelation(c, user)
 
-	// parameters to Enforce must match the request section of the authorization model
-	return a.Enforcer.Enforce(currentUsersRole.Key, objectRole.Key, orgRelation, objRelation, path, method)
+	currentUsersOrganizationType := ""
+	if len(user.Profiles) > 0 {
+		currentUsersOrganizationType = user.Profiles[0].Organization.Type.Key
+	}
+
+	orgRelation := organizationsRelation(currentUsersOrganization, objectsOrganization)
+	objRelation := a.objectRelation(object, user)
+
+	// parameters to Enforce must match the request section of the authorization_model.conf
+	return a.Enforcer.Enforce(currentUsersRole.Key,
+		objectsRole.Key,
+		objectsOrganizationType,
+		currentUsersOrganizationType,
+		orgRelation,
+		objRelation,
+		path,
+		method)
 
 }
 
-// organizationGoverningObject returns the organization that is the owner of the object that is being accessed
-// in case object exists and returns users role if it is a new object
-func (a *Config) organizationGoverningObject(c echo.Context, userDetails viewmodel.User) (result viewmodel.Organization) {
+// policyObjectAttributes returns all information about the object being accessed for the policy
+// in case object exists and returns users information if it is a new object
+func (a *Config) policyObjectAttributes(c echo.Context, userDetails viewmodel.User) (viewmodel.Profile, viewmodel.Organization, string, interface{}) {
 
-	fmt.Println("***************")
-	fmt.Println(c.ParamValues())
-	fmt.Println("***************")
-	existingUser := strings.Contains(c.Request().URL.Path, "/users") && len(c.ParamValues()) > 1
-	newUser := strings.Contains(c.Request().URL.Path, "/users") && len(c.ParamValues()) <= 1
+	var object interface{}
+
+	objectIsNew := len(c.ParamValues()) <= 1
+	objectIsExisting := len(c.ParamValues()) > 1
+
+	existingUser := strings.Contains(c.Request().URL.Path, "/users") && objectIsNew
+	newUser := strings.Contains(c.Request().URL.Path, "/users") && objectIsExisting
+
+	existingOrganization := strings.Contains(c.Request().URL.Path, "/organization") && objectIsExisting
+	newOrganization := strings.Contains(c.Request().URL.Path, "/organization") && objectIsNew
 
 	switch {
 	case existingUser:
-		user, _ := a.Svc.Users.GetByUUID(c.ParamValues()[1], "")
-		result = user.Organizations[0]
+		object, _ = a.Svc.Users.GetByUUID(c.ParamValues()[1], "")
 	case newUser && len(userDetails.Organizations) > 0:
-		result = userDetails.Organizations[0]
+		object = userDetails
+	case existingOrganization:
+		object, _ = a.Svc.Organization.GetByUUID(c.ParamValues()[1], userDetails)
+	case newOrganization:
+		object = viewmodel.Organization{}
 	}
-	return
-}
 
-// organizationGoverningObject returns the role that is the owner of the object that is being accessed
-// in case object exists and returns users role if it is a new object
-func (a *Config) roleGoverningObject(c echo.Context, userDetails viewmodel.User) (result viewmodel.Profile) {
-
-	existingUser := strings.Contains(c.Request().URL.Path, "/users") && len(c.ParamValues()) > 1
-	newUser := strings.Contains(c.Request().URL.Path, "/users") && len(c.ParamValues()) <= 1
-
-	switch {
-	case existingUser:
-		user, _ := a.Svc.Users.GetByUUID(c.ParamValues()[1], "")
-		result = user.Profiles[0]
-	case newUser && len(userDetails.Organizations) > 0:
-		result = userDetails.Profiles[0]
+	objectsRole := viewmodel.Profile{}
+	switch obj := object.(type) {
+	case viewmodel.User:
+		if len(obj.Profiles) > 0 {
+			objectsRole = obj.Profiles[0]
+		}
 	}
-	return
+
+	objectsOrganization := viewmodel.Organization{}
+	switch obj := object.(type) {
+	case viewmodel.User:
+		if len(obj.Profiles) > 0 {
+			objectsOrganization = obj.Profiles[0].Organization
+		}
+	case viewmodel.Organization:
+		objectsOrganization = obj
+	}
+
+	objectsOrganizationType := objectsOrganization.Type.Key
+
+	return objectsRole, objectsOrganization, objectsOrganizationType, object
 }
 
 func organizationsRelation(requestOrganization, currentUsersOrganization viewmodel.Organization) string {
@@ -156,15 +179,14 @@ func organizationsRelation(requestOrganization, currentUsersOrganization viewmod
 
 // organizationGoverningObject returns the role that is the owner of the object that is being accessed
 // in case object exists and returns users role if it is a new object
-func (a *Config) objectRelation(c echo.Context, userDetails viewmodel.User) string {
+func (a *Config) objectRelation(object interface{}, currentUser viewmodel.User) string {
 
-	existingUser := strings.Contains(c.Request().URL.Path, "/users") && len(c.ParamValues()) > 1
-
-	switch {
-	case existingUser:
-		user, _ := a.Svc.Users.GetByUUID(c.ParamValues()[1], "")
-		if user.ID == userDetails.ID {
+	switch obj := object.(type) {
+	case viewmodel.User:
+		if obj.ID == currentUser.ID {
 			return "[self]"
+		} else {
+			return "[other]"
 		}
 	}
 	return "[other]"