Upstream sync

2018-05-03 07:57:08 +02:00
14 changed files with 190 additions and 13 deletions
--- a/config.dev.toml
+++ b/config.dev.toml
@@ -37,7 +37,6 @@ db = 0
 pass = "3rdaP3KL2x%V"
 prefix = "nemt-portal-api-dev"
 default-expiration = "5m"
-master-name = "devmaster01"

 [log]
 log-to-file = false
--- a/config.prd.toml
+++ b/config.prd.toml
@@ -37,7 +37,6 @@ db = 0
 pass = "3rdaP3KL2x%V"
 prefix = "portal-api-prod"
 default-expiration = "5m"
-master-name = "master01"

 [log]
 log-to-file = false
--- a/config.stg.toml
+++ b/config.stg.toml
@@ -37,7 +37,6 @@ db = 0
 pass = "3rdaP3KL2x%V"
 prefix = "portal-api-test"
 default-expiration = "5m"
-master-name = "devmaster01"

 [log]
 log-to-file = false
--- a/data/datamysql/notification.go
+++ b/data/datamysql/notification.go
@@ -80,9 +80,7 @@ func (c *notificationRepo) getQuery() string {
 INNER JOIN			tab_login								e
 		ON					c.user_id								=		e.user_id
 INNER JOIN			tab_login								f
-		 ON					d.user_id								=		f.user_id
- INNER JOIN			tab_ride								g
- 		 ON					g.ride_id							  =		a.ride_id `
+ 		ON					d.user_id								=		f.user_id`
 }

 func (c *notificationRepo) GetLastNotificationFromPhoneNumber(notificationType string, phoneNumber string, status string) (entity.Notification, error) {
--- a/infra/cache/cache.go
+++ b/infra/cache/cache.go
@@ -31,11 +31,10 @@ type RedisCache struct {
 func Instance(cfg *config.Config) contract.CacheManager {
 	once.Do(func() {
 		client := redis.NewFailoverClient(&redis.FailoverOptions{
-			MasterName:    cfg.Cache.Master,
+			MasterName:    "master01",
 			SentinelAddrs: []string{fmt.Sprintf("%s:%v", cfg.Cache.Server, cfg.Cache.Port)},
 			Password:      cfg.Cache.Pass,
 			DB:            cfg.Cache.DB,
-			MaxRetries:    10,
 		})

 		instance = &RedisCache{cfg, client}
--- a/infra/config/config.go
+++ b/infra/config/config.go
@@ -119,7 +119,6 @@ type CacheConfig struct {
 	Pass              string
 	Prefix            string
 	DefaultExpiration time.Duration
-	Master            string
 }

 // CacheConfig represents the configuration values about the documentation config.
@@ -195,7 +194,6 @@ func Read() (*Config, error) {
 			Pass:              viper.GetString("cache.pass"),
 			Prefix:            viper.GetString("cache.prefix"),
 			DefaultExpiration: viper.GetDuration("cache.default-expiration"),
-			Master:            viper.GetString("cache.master-name"),
 		},
 		Lyft: LyftConfig{
 			Client:       viper.GetString("lyft.key"),
--- a/server/authorization/authorization.go
+++ b/server/authorization/authorization.go
@@ -0,0 +1 @@
+package authorization
--- a/server/authorization/organization.go
+++ b/server/authorization/organization.go
@@ -0,0 +1,28 @@
+package authorization
+
+import (
+	"fmt"
+
+	"bitbucket.org/nemt/nemt-portal-api/application/viewmodel"
+)
+
+func isAChildOrganization(potentialParent viewmodel.Organization, potentialChild viewmodel.Organization) bool {
+	for _, org := range potentialParent.ChildOrgs {
+		if potentialChild.UUID == org.UUID {
+			return true
+		}
+	}
+	return false
+}
+
+func isSameOrganization(organizationA viewmodel.Organization, organizationB viewmodel.Organization) bool {
+	return organizationA.UUID == organizationB.UUID
+}
+
+func grabOrgFromUser(user viewmodel.User) (viewmodel.Organization, error) {
+	if len(user.Organizations) < 1 {
+		return viewmodel.Organization{}, fmt.Errorf("User has no organizations %v", user)
+	}
+
+	return user.Organizations[0], nil
+}
--- a/server/authorization/profile.go
+++ b/server/authorization/profile.go
@@ -0,0 +1,62 @@
+package authorization
+
+import (
+	"fmt"
+
+	"bitbucket.org/nemt/nemt-portal-api/application/viewmodel"
+)
+
+const (
+	superAdmin       = "AD"
+	scheduler        = "SP"
+	support          = "SPT"
+	member           = "US"
+	brighterDevAdmin = "BDCAD"
+	bcbsiAdmin       = "BCBSIAD"
+	planAdmin        = "PLANAD"
+	providerAdmin    = "SCHDAD"
+)
+
+func grabProfileFromUser(user viewmodel.User) (viewmodel.Profile, error) {
+	if len(user.Profiles) < 1 {
+		return viewmodel.Profile{}, fmt.Errorf("User has no profiles %v", user)
+	}
+	return user.Profiles[0], nil
+}
+
+func morePrivileged(who viewmodel.Profile, towardsWhom viewmodel.Profile) bool {
+	order := []string{superAdmin, brighterDevAdmin, bcbsiAdmin, planAdmin, providerAdmin, support, scheduler, member}
+	for _, value := range order {
+		if value == who.Key {
+			return true
+		}
+
+		if value == towardsWhom.Key {
+			return false
+		}
+	}
+	// should hapen only in case profile key is empty
+	// and that's something fishy so let's deny!
+	return false
+}
+
+func equallyOrMorePrivileged(who viewmodel.Profile, towardsWhom viewmodel.Profile) bool {
+	if who.Key == towardsWhom.Key {
+		return true
+	}
+
+	return morePrivileged(who, towardsWhom)
+
+}
+
+func lessPrivilegedThanAdmin(who viewmodel.Profile) bool {
+	switch who.Key {
+	case member:
+		return true
+	case scheduler:
+		return true
+	case support:
+		return true
+	}
+	return false
+}
--- a/server/authorization/user.go
+++ b/server/authorization/user.go
@@ -0,0 +1,86 @@
+package authorization
+
+import "bitbucket.org/nemt/nemt-portal-api/application/viewmodel"
+
+/*
+CanCreateUser returns true if currentUser is allowed to create updatingUser according to
+authorization rules
+*/
+func CanCreateUser(currentUser viewmodel.User, updatingUser viewmodel.User) bool {
+
+	if len(currentUser.Profiles) < 1 {
+		return false
+	}
+
+	if len(updatingUser.Profiles) < 1 {
+		return false
+	}
+
+	currentUserOrganization, err := grabOrgFromUser(currentUser)
+	if err != nil {
+		return false
+	}
+
+	updatingUserOrganization, err := grabOrgFromUser(updatingUser)
+	if err != nil {
+		return false
+	}
+
+	currentUserRole, err := grabProfileFromUser(currentUser)
+	if err != nil {
+		return false
+	}
+
+	updatingUserRole, err := grabProfileFromUser(updatingUser)
+	if err != nil {
+		return false
+	}
+
+	/*
+		Admin	Provider
+		Manage all Authorized Users of the provider Organization or child organization
+
+		The (Provider) Admin can manage Authorized Users of their Parent/ Top-level Org , but not Admins
+	*/
+
+	currentUserHigherOrEqualOrg := isSameOrganization(currentUserOrganization, updatingUserOrganization) || isAChildOrganization(currentUserOrganization, updatingUserOrganization)
+	currentUserLowerOrg := isAChildOrganization(updatingUserOrganization, currentUserOrganization)
+	if currentUserRole.Key == providerAdmin && currentUserHigherOrEqualOrg && equallyOrMorePrivileged(currentUserRole, updatingUserRole) {
+		return true
+	}
+	if currentUserRole.Key == providerAdmin && currentUserLowerOrg && lessPrivilegedThanAdmin(updatingUserRole) {
+		return true
+	}
+
+	/* Admin	BCBSI
+	Manage all Authorized Users except Admins
+
+	return false
+	*/
+
+	if currentUserRole.Key == bcbsiAdmin && lessPrivilegedThanAdmin(updatingUserRole) {
+		return true
+	}
+
+	/* Admin	Technical Support	Manage all Authorized Users except Admins */
+
+	if currentUserRole.Key == brighterDevAdmin && lessPrivilegedThanAdmin(updatingUserRole) {
+		return true
+	}
+
+	/* Admin	Plan	Manage all Authorized Users of a single participating Plan except Admins */
+
+	if currentUserRole.Key == planAdmin && lessPrivilegedThanAdmin(updatingUserRole) && isSameOrganization(currentUserOrganization, updatingUserOrganization) {
+		return true
+	}
+
+	/* Super Admin	Technical Support
+	Manage all Members, INCLUDING Admins */
+
+	if currentUserRole.Key == superAdmin {
+		return true
+	}
+
+	return false
+
+}
--- a/server/router/routeutils/response.go
+++ b/server/router/routeutils/response.go
@@ -49,6 +49,11 @@ func ResponseAPIAuthError(c echo.Context, message string, redirect bool) error {
 	return ResponseAPIError(c, http.StatusUnauthorized, message, redirect)
 }

+// ResponseAPIAuthorizationError returns a standard API auth error to the response
+func ResponseAPIAuthorizationError(c echo.Context) error {
+	return ResponseAPIError(c, http.StatusForbidden, "Forbidden by controller", false)
+}
+
 // ResponseAPIServiceError returns a standard API service unavailable error to the response
 func ResponseAPIServiceError(c echo.Context, message string) error {
 	return ResponseAPIError(c, http.StatusServiceUnavailable, message, false)
--- a/server/router/usersroute/controller.go
+++ b/server/router/usersroute/controller.go
@@ -13,6 +13,7 @@ import (
 	"bitbucket.org/nemt/nemt-portal-api/infra/auth"
 	"bitbucket.org/nemt/nemt-portal-api/infra/cache"
 	"bitbucket.org/nemt/nemt-portal-api/infra/config"
+	"bitbucket.org/nemt/nemt-portal-api/server/authorization"
 	"bitbucket.org/nemt/nemt-portal-api/server/router/routeutils"
 	"github.com/labstack/echo"
 )
@@ -389,6 +390,10 @@ func (c *controller) handlePortal(ctx echo.Context) error {
 		return routeutils.HandleAPIError(ctx, err)
 	}

+	if !authorization.CanCreateUser(authUser, user) {
+		return routeutils.ResponseAPIAuthorizationError(ctx)
+	}
+
 	if len(user.Profiles) == 0 {
 		return routeutils.ResponseAPIAuthError(ctx, "profile is required", false)
 	}
--- a/server/serverconfig/authorization.go
+++ b/server/serverconfig/authorization.go
@@ -193,8 +193,6 @@ func (a *Config) objectRelation(object interface{}, currentUser viewmodel.User)
 	case viewmodel.User:
 		if obj.ID == currentUser.ID {
 			return "[self]"
-		} else {
-			return "[other]"
 		}
 	}
 	return "[other]"
--- a/server/serverconfig/serverconfig.go
+++ b/server/serverconfig/serverconfig.go
@@ -18,7 +18,7 @@ func SetMiddlewares(server *echo.Echo, cfg *config.Config, log *logger.Logger, s
 	setCORSMiddleware(server, cfg)
 	setBodyLimitMiddleware(server)
 	setRateLimitMiddleware(server)
-	//setAuthorizationMiddleware(server, log, cfg, appsvc)
+	setAuthorizationMiddleware(server, log, cfg, appsvc)

 	err := setJWTMiddleware(server, cfg)
 	if err != nil {