From ef783567b9b5d382bec42b8281d69dd87a7a7338 Mon Sep 17 00:00:00 2001
From: GotPPay
Date: Thu, 3 May 2018 18:29:24 +0200
Subject: [PATCH 1/3] create structure for rules checking
---
 server/authorization/address.go | 51 +++++++++++++++++++
 server/authorization/contact.go | 51 +++++++++++++++++++
 server/authorization/organization.go | 41 +++++++++++++++
 server/router/organizationroute/controller.go | 25 +++++++++
 4 files changed, 168 insertions(+)
 create mode 100644 server/authorization/address.go
 create mode 100644 server/authorization/contact.go
diff --git a/server/authorization/address.go b/server/authorization/address.go
new file mode 100644
index 0000000..ea0d4a4
--- /dev/null
+++ b/server/authorization/address.go
@@ -0,0 +1,51 @@
+package authorization
+
+import (
+
+ "bitbucket.org/nemt/nemt-portal-api/application/viewmodel"
+)
+
+func CanCreateAddress(user viewmodel.User, address viewmodel.OrganizationAddress) bool {
+ //TODO : implement checking
+
+ userRole, err := grabProfileFromUser(user)
+ if err != nil {
+ return false
+ }
+
+ /*Admin Provider Manage all Organizations */
+ if userRole.Key == providerAdmin{
+ return true
+ }
+
+ /* Admin BCBSI Manage all Organizations */
+ if userRole.Key == bcbsiAdmin{
+ return true
+ }
+
+ /* Admin Technical Support Manage all Organizations */
+ if userRole.Key == brighterDevAdmin{
+ return true
+ }
+
+ /* Admin Plan
+ Manage the authenticated Authorized User's Plan (Organization) and children of this Plan*/
+ if userRole.Key == planAdmin {
+ return true
+ }
+
+ /* Super Admin Technical Support Manage all Organizations*/
+ if userRole.Key == superAdmin {
+ return true
+ }
+
+ return false
+}
+
+func CanUpdateAddress(user viewmodel.User, address viewmodel.OrganizationAddress) bool {
+ return CanCreateAddress(user, address)
+}
+
+func CanDeleteAddress(user viewmodel.User, address viewmodel.OrganizationAddress) bool {
+ return CanCreateAddress(user, address)
+}
\ No newline at end of file
diff --git a/server/authorization/contact.go b/server/authorization/contact.go
new file mode 100644
index 0000000..13ade04
--- /dev/null
+++ b/server/authorization/contact.go
@@ -0,0 +1,51 @@
+package authorization
+
+import (
+
+ "bitbucket.org/nemt/nemt-portal-api/application/viewmodel"
+)
+
+func CanCreateContact(user viewmodel.User, contact viewmodel.OrganizationContact) bool {
+ //TODO : implement checking
+
+ userRole, err := grabProfileFromUser(user)
+ if err != nil {
+ return false
+ }
+
+ /*Admin Provider Manage all Organizations */
+ if userRole.Key == providerAdmin{
+ return true
+ }
+
+ /* Admin BCBSI Manage all Organizations */
+ if userRole.Key == bcbsiAdmin{
+ return true
+ }
+
+ /* Admin Technical Support Manage all Organizations */
+ if userRole.Key == brighterDevAdmin{
+ return true
+ }
+
+ /* Admin Plan
+ Manage the authenticated Authorized User's Plan (Organization) and children of this Plan*/
+ if userRole.Key == planAdmin {
+ return true
+ }
+
+ /* Super Admin Technical Support Manage all Organizations*/
+ if userRole.Key == superAdmin {
+ return true
+ }
+
+ return false
+}
+
+func CanUpdateContact(user viewmodel.User, contact viewmodel.OrganizationContact) bool {
+ return CanCreateContact(user, contact)
+}
+
+func CanDeleteContact(user viewmodel.User, contact viewmodel.OrganizationContact) bool {
+ return CanCreateContact(user, contact)
+}
\ No newline at end of file
diff --git a/server/authorization/organization.go b/server/authorization/organization.go
index 7b42fa6..d6229e5 100644
--- a/server/authorization/organization.go
+++ b/server/authorization/organization.go
@@ -26,3 +26,44 @@ func grabOrgFromUser(user viewmodel.User) (viewmodel.Organization, error) {
 return user.Organizations[0], nil
 }
+
+func CanCreateOrganization(user viewmodel.User, organization viewmodel.Organization ) bool {
+ //TODO : implement checking
+
+ userRole, err := grabProfileFromUser(user)
+ if err != nil {
+ return false
+ }
+
+ /*Admin Provider Manage all Organizations */
+ if userRole.Key == providerAdmin{
+ return true
+ }
+
+ /* Admin BCBSI Manage all Organizations */
+ if userRole.Key == bcbsiAdmin{
+ return true
+ }
+
+ /* Admin Technical Support Manage all Organizations */
+ if userRole.Key == brighterDevAdmin{
+ return true
+ }
+
+ /* Admin Plan
+ Manage the authenticated Authorized User's Plan (Organization) and children of this Plan*/
+ if userRole.Key == planAdmin {
+ return true
+ }
+
+ /* Super Admin Technical Support Manage all Organizations*/
+ if userRole.Key == superAdmin {
+ return true
+ }
+
+ return false
+}
+
+func CanUpdateOrganization(user viewmodel.User, organization viewmodel.Organization) bool {
+ return CanCreateOrganization(user,organization)
+}
diff --git a/server/router/organizationroute/controller.go b/server/router/organizationroute/controller.go
index 682a896..a1816f1 100644
--- a/server/router/organizationroute/controller.go
+++ b/server/router/organizationroute/controller.go
@@ -10,6 +10,7 @@ import (
 "bitbucket.org/nemt/nemt-portal-api/infra/cache"
 "bitbucket.org/nemt/nemt-portal-api/infra/config"
 "bitbucket.org/nemt/nemt-portal-api/server/router/routeutils"
+ "bitbucket.org/nemt/nemt-portal-api/server/authorization"
 "github.com/labstack/echo"
 )
@@ -64,6 +65,11 @@ func (c *controller) handleAddOrganization(ctx echo.Context) error {
 if err != nil {
 return routeutils.HandleAPIError(ctx, err)
 }
+
+ if !authorization.CanCreateOrganization(authUser, org) {
+ return routeutils.ResponseAPIAuthorizationError(ctx)
+ }
+
 org.Author.ID = authUser.ID
 org.LastEditor.ID = authUser.ID
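Review bot: The new `"bitbucket.org/nemt/nemt-portal-api/server/authorization"` import is placed after `.../server/router/routeutils`, which breaks the alphabetical order of the internal import group; goimports would move it up between `.../infra/config` and `.../server/router/routeutils`. Patch 2 touches this file again without fixing the order, so it is worth doing here.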
@@ -215,6 +221,10 @@ func (c *controller) handleRemoveAddress(ctx echo.Context) error {
 return routeutils.HandleAPIError(ctx, err)
 }
+ if !authorization.CanDeleteAddress(authUser, address) {
+ return routeutils.ResponseAPIAuthorizationError(ctx)
+ }
+
 address.UpdatedUser.ID = authUser.ID
 err = c.svc.Organization.InactivateOrganizationAddress(orgUUID, address, authUser)
@@ -246,6 +256,11 @@ func (c *controller) handleAddAddress(ctx echo.Context) error {
 if err != nil {
 return routeutils.HandleAPIError(ctx, err)
 }
+
+ if !authorization.CanCreateAddress(authUser, address) {
+ return routeutils.ResponseAPIAuthorizationError(ctx)
+ }
+
 address.CreatedUser.ID = authUser.ID
 address.UpdatedUser.ID = authUser.ID
@@ -278,6 +293,11 @@ func (c *controller) handleRemoveContact(ctx echo.Context) error {
 if err != nil {
 return routeutils.HandleAPIError(ctx, err)
 }
+
+ if !authorization.CanDeleteContact(authUser, contact) {
+ return routeutils.ResponseAPIAuthorizationError(ctx)
+ }
+
 contact.UpdatedUser.ID = authUser.ID
 err = c.svc.Organization.InactivateOrganizationContact(orgUUID, contact, authUser)
@@ -309,6 +329,11 @@ func (c *controller) handleAddContact(ctx echo.Context) error {
 if err != nil {
 return routeutils.HandleAPIError(ctx, err)
 }
+
+ if !authorization.CanCreateContact(authUser, contact) {
+ return routeutils.ResponseAPIAuthorizationError(ctx)
+ }
+
 contact.CreatedUser.ID = authUser.ID
 contact.UpdatedUser.ID = authUser.ID
-- 2.47.3
From d820d47fcd38ae6f8a7c441b0c0868acde48557a Mon Sep 17 00:00:00 2001
From: GotPPay
Date: Fri, 4 May 2018 16:36:51 +0200
Subject: [PATCH 2/3] implement rules checking for orgnz, addr and contact creation and update
---
 server/authorization/address.go | 46 ++---------------
 server/authorization/contact.go | 46 ++---------------
 server/authorization/organization.go | 49 +++++++++----------
 server/router/organizationroute/controller.go | 42 ++++++++++++----
 4 files changed, 66 insertions(+), 117 deletions(-)
diff --git a/server/authorization/address.go b/server/authorization/address.go
index ea0d4a4..467fcc9 100644
--- a/server/authorization/address.go
+++ b/server/authorization/address.go
@@ -5,47 +5,11 @@ import (
 "bitbucket.org/nemt/nemt-portal-api/application/viewmodel"
 )
-func CanCreateAddress(user viewmodel.User, address viewmodel.OrganizationAddress) bool {
- //TODO : implement checking
-
- userRole, err := grabProfileFromUser(user)
- if err != nil {
- return false
- }
-
- /*Admin Provider Manage all Organizations */
- if userRole.Key == providerAdmin{
- return true
- }
-
- /* Admin BCBSI Manage all Organizations */
- if userRole.Key == bcbsiAdmin{
- return true
- }
-
- /* Admin Technical Support Manage all Organizations */
- if userRole.Key == brighterDevAdmin{
- return true
- }
-
- /* Admin Plan
- Manage the authenticated Authorized User's Plan (Organization) and children of this Plan*/
- if userRole.Key == planAdmin {
- return true
- }
-
- /* Super Admin Technical Support Manage all Organizations*/
- if userRole.Key == superAdmin {
- return true
- }
-
- return false
+func CanCreateAddress(user viewmodel.User, organization viewmodel.Organization) bool {
+ //rules are the same for address creation and for organization creation
+ return CanCreateOrganization(user, organization)
 }
-func CanUpdateAddress(user viewmodel.User, address viewmodel.OrganizationAddress) bool {
- return CanCreateAddress(user, address)
-}
-
-func CanDeleteAddress(user viewmodel.User, address viewmodel.OrganizationAddress) bool {
- return CanCreateAddress(user, address)
+func CanUpdateAddress(user viewmodel.User, organization viewmodel.Organization) bool {
+ return CanCreateAddress(user, organization)
 }
\ No newline at end of file
diff --git a/server/authorization/contact.go b/server/authorization/contact.go
index 13ade04..97612f9 100644
--- a/server/authorization/contact.go
+++ b/server/authorization/contact.go
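Review bot: `CanCreateAddress` and `CanUpdateAddress` are exported and now take the owning `viewmodel.Organization` instead of the address, but neither carries a doc comment saying so; a caller reading only the name will expect to pass the address. Suggested: `// CanCreateAddress reports whether user may add an address to organization; it applies the same rules as CanCreateOrganization.` and `// CanUpdateAddress reports whether user may modify an address of organization.` Note also that `CanDeleteAddress` is dropped here while the same commit removes the check from handleRemoveAddress, so address removal no longer has a rule in this package (see the controller hunk further down).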
@@ -5,47 +5,11 @@ import (
 "bitbucket.org/nemt/nemt-portal-api/application/viewmodel"
 )
-func CanCreateContact(user viewmodel.User, contact viewmodel.OrganizationContact) bool {
- //TODO : implement checking
-
- userRole, err := grabProfileFromUser(user)
- if err != nil {
- return false
- }
-
- /*Admin Provider Manage all Organizations */
- if userRole.Key == providerAdmin{
- return true
- }
-
- /* Admin BCBSI Manage all Organizations */
- if userRole.Key == bcbsiAdmin{
- return true
- }
-
- /* Admin Technical Support Manage all Organizations */
- if userRole.Key == brighterDevAdmin{
- return true
- }
-
- /* Admin Plan
- Manage the authenticated Authorized User's Plan (Organization) and children of this Plan*/
- if userRole.Key == planAdmin {
- return true
- }
-
- /* Super Admin Technical Support Manage all Organizations*/
- if userRole.Key == superAdmin {
- return true
- }
-
- return false
+func CanCreateContact(user viewmodel.User, organization viewmodel.Organization) bool {
+ //rules are the same for contact creation and for organization creation
+ return CanCreateOrganization(user, organization)
 }
-func CanUpdateContact(user viewmodel.User, contact viewmodel.OrganizationContact) bool {
- return CanCreateContact(user, contact)
-}
-
-func CanDeleteContact(user viewmodel.User, contact viewmodel.OrganizationContact) bool {
- return CanCreateContact(user, contact)
+func CanUpdateContact(user viewmodel.User, organization viewmodel.Organization) bool {
+ return CanCreateAddress(user, organization)
 }
\ No newline at end of file
diff --git a/server/authorization/organization.go b/server/authorization/organization.go
index d6229e5..07b0936 100644
--- a/server/authorization/organization.go
+++ b/server/authorization/organization.go
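Review bot: `CanUpdateContact` now delegates to `CanCreateAddress` rather than `CanCreateContact`; the result is identical today because both bottom out in `CanCreateOrganization`, but it ties contact updates to the address policy, so a later change to the address rule would silently change contact authorization. It should read `return CanCreateContact(user, organization)`. As in address.go, both exported functions need a doc comment stating that the argument is the owning organization, e.g. `// CanCreateContact reports whether user may add a contact to organization; it applies the same rules as CanCreateOrganization.`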
@@ -28,42 +28,41 @@ func grabOrgFromUser(user viewmodel.User) (viewmodel.Organization, error) {
 }
 func CanCreateOrganization(user viewmodel.User, organization viewmodel.Organization ) bool {
- //TODO : implement checking
-
 userRole, err := grabProfileFromUser(user)
 if err != nil {
 return false
 }
- /*Admin Provider Manage all Organizations */
- if userRole.Key == providerAdmin{
+ /*
+ Admin BCBSI
+ Admin Technical Support
+ Super Admin Technical Support
+
+ Manage all Organizations*/
+ if userRole.Key == bcbsiAdmin || userRole.Key == brighterDevAdmin || userRole.Key == superAdmin{
 return true
 }
- /* Admin BCBSI Manage all Organizations */
- if userRole.Key == bcbsiAdmin{
- return true
+ userOrg, err := grabOrgFromUser(user)
+ if err != nil{
+ return false
 }
-
- /* Admin Technical Support Manage all Organizations */
- if userRole.Key == brighterDevAdmin{
- return true
- }
-
- /* Admin Plan
- Manage the authenticated Authorized User's Plan (Organization) and children of this Plan*/
- if userRole.Key == planAdmin {
- return true
- }
-
- /* Super Admin Technical Support Manage all Organizations*/
- if userRole.Key == superAdmin {
- return true
+
+ /*
+ Admin Provider
+ Admin Plan
+
+ Manage the authenticated Authorized User's Organization and child Organizations */
+ if userRole.Key == providerAdmin || userRole.Key == planAdmin{
+ if isSameOrganization(userOrg, organization) || isAChildOrganization(userOrg, organization) {
+ return true
+ }
+ return false
 }
 return false
 }
-func CanUpdateOrganization(user viewmodel.User, organization viewmodel.Organization) bool {
- return CanCreateOrganization(user,organization)
-}
+func CanUpdateOrganization(user viewmodel.User, organization viewmodel.Organization) bool{
+ return CanCreateOrganization(user, organization)
+}
\ No newline at end of file
diff --git a/server/router/organizationroute/controller.go b/server/router/organizationroute/controller.go
index a1816f1..1044379 100644
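Review bot: In the provider/plan-admin branch the inner `if … { return true }` followed by `return false` can be written directly as `return isSameOrganization(userOrg, organization) || isAChildOrganization(userOrg, organization)`, leaving the final `return false` as the only fall-through. For the create path the `organization` argument is what handleAddOrganization passes (patch 1, controller.go), which appears to be the request body of an organization that does not exist yet; whether `isSameOrganization`/`isAChildOrganization` (not shown here) can relate such a value to `userOrg` depends on what they compare, so confirm that a plan or provider admin creating a new organization is actually admitted by this rule rather than always refused — checking the intended parent organization may be what was meant. `grabOrgFromUser` returns `user.Organizations[0]` (context above), so a user attached to several organizations is judged by the first one only, which deserves a comment if intended. The hunk is not gofmt-clean (`superAdmin{`, `nil{`, `planAdmin{`, `bool{`), and the two exported functions still lack doc comments, e.g. `// CanCreateOrganization reports whether user may create or manage organization: BCBSI, technical-support and super admins may manage any organization, provider and plan admins only their own organization and its children.`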
--- a/server/router/organizationroute/controller.go
+++ b/server/router/organizationroute/controller.go
@@ -133,6 +133,15 @@ func (c *controller) handleParent(ctx echo.Context) error {
 return routeutils.HandleAPIError(ctx, err)
 }
+ organization, err := c.svc.Organization.GetByUUID(orgUUID, authUser)
+ if err != nil {
+ return routeutils.HandleAPIError(ctx, err)
+ }
+
+ if !authorization.CanUpdateOrganization(authUser, organization){
+ return routeutils.ResponseAPIAuthorizationError(ctx)
+ }
+
 resp, err := c.svc.Organization.SetParentOrganization(orgUUID, parent.UUID, authUser)
 if err != nil {
 return routeutils.HandleAPIError(ctx, err)
@@ -158,6 +167,15 @@ func (c *controller) handleChild(ctx echo.Context) error {
 return routeutils.HandleAPIError(ctx, err)
 }
+ organization, err := c.svc.Organization.GetByUUID(orgUUID, authUser)
+ if err != nil {
+ return routeutils.HandleAPIError(ctx, err)
+ }
+
+ if !authorization.CanUpdateOrganization(authUser, organization){
+ return routeutils.ResponseAPIAuthorizationError(ctx)
+ }
+
 _, err = c.svc.Organization.SetParentOrganization(child.UUID, orgUUID, authUser)
 if err != nil {
 return routeutils.HandleAPIError(ctx, err)
@@ -221,10 +239,6 @@ func (c *controller) handleRemoveAddress(ctx echo.Context) error {
 return routeutils.HandleAPIError(ctx, err)
 }
- if !authorization.CanDeleteAddress(authUser, address) {
- return routeutils.ResponseAPIAuthorizationError(ctx)
- }
-
 address.UpdatedUser.ID = authUser.ID
 err = c.svc.Organization.InactivateOrganizationAddress(orgUUID, address, authUser)
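Review bot: The new check authorizes only the organization identified by `orgUUID`; the second organization named in the request is never checked. In handleParent that is `parent.UUID`, and in handleChild (next hunk) it is `child.UUID`, which is the organization `SetParentOrganization(child.UUID, orgUUID, authUser)` actually modifies — so, unless SetParentOrganization enforces this internally (not visible here), a provider or plan admin can re-parent an organization they do not manage under their own. Both handlers should fetch the other organization and pass it through `authorization.CanUpdateOrganization` as well; for handleChild that looks like the lines below. handleParent and handleChild both start and end outside their hunks.
```go
	// … unchanged: lookup and check of the organization identified by orgUUID …

	childOrg, err := c.svc.Organization.GetByUUID(child.UUID, authUser)
	if err != nil {
		return routeutils.HandleAPIError(ctx, err)
	}

	if !authorization.CanUpdateOrganization(authUser, childOrg) {
		return routeutils.ResponseAPIAuthorizationError(ctx)
	}

	_, err = c.svc.Organization.SetParentOrganization(child.UUID, orgUUID, authUser)
```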
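Review bot: Removing the `CanDeleteAddress` check leaves handleRemoveAddress (and handleRemoveContact in the next hunk) with no authorization rule in code; the only remaining gate is the DELETE rows patch 3 adds to authorization_policy.csv, which are per-role route rules and, as far as the CSV shows, do not express the same-or-child-organization relation that `CanCreateOrganization` applies to provider and plan admins. Unless the `[equal*]` column already scopes those roles to their own organization (its matcher is not in this series), removal is now authorized more loosely than creation. Give the remove handlers the same lookup-and-check preamble handleAddAddress receives in this commit, gating on `CanUpdateAddress` (or a reinstated `CanDeleteAddress`), as below; handleRemoveAddress starts and ends outside the hunk.
```go
	// … unchanged: address lookup and its error handling …

	organization, err := c.svc.Organization.GetByUUID(orgUUID, authUser)
	if err != nil {
		return routeutils.HandleAPIError(ctx, err)
	}

	if !authorization.CanUpdateAddress(authUser, organization) {
		return routeutils.ResponseAPIAuthorizationError(ctx)
	}

	address.UpdatedUser.ID = authUser.ID
```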
@@ -257,10 +271,17 @@ func (c *controller) handleAddAddress(ctx echo.Context) error {
 return routeutils.HandleAPIError(ctx, err)
 }
- if !authorization.CanCreateAddress(authUser, address) {
+ organization, err := c.svc.Organization.GetByUUID(orgUUID, authUser)
+ if err != nil {
+ return routeutils.HandleAPIError(ctx, err)
+ }
+
+ if !authorization.CanCreateAddress(authUser, organization) {
 return routeutils.ResponseAPIAuthorizationError(ctx)
 }
+ return routeutils.ResponseAPIAuthorizationError(ctx)
+
 address.CreatedUser.ID = authUser.ID
 address.UpdatedUser.ID = authUser.ID
@@ -294,10 +315,6 @@ func (c *controller) handleRemoveContact(ctx echo.Context) error {
 return routeutils.HandleAPIError(ctx, err)
 }
- if !authorization.CanDeleteContact(authUser, contact) {
- return routeutils.ResponseAPIAuthorizationError(ctx)
- }
-
 contact.UpdatedUser.ID = authUser.ID
 err = c.svc.Organization.InactivateOrganizationContact(orgUUID, contact, authUser)
@@ -330,7 +347,12 @@ func (c *controller) handleAddContact(ctx echo.Context) error {
 return routeutils.HandleAPIError(ctx, err)
 }
- if !authorization.CanCreateContact(authUser, contact) {
+ organization, err := c.svc.Organization.GetByUUID(orgUUID, authUser)
+ if err != nil {
+ return routeutils.HandleAPIError(ctx, err)
+ }
+
+ if !authorization.CanCreateContact(authUser, organization) {
 return routeutils.ResponseAPIAuthorizationError(ctx)
 }
-- 2.47.3
From 9c1ccdcf68451b292457228f7346d31bd0027a82 Mon Sep 17 00:00:00 2001
From: GotPPay
Date: Fri, 4 May 2018 16:57:19 +0200
Subject: [PATCH 3/3] added DELETE rule to authorization_policy
---
 authorization_policy.csv | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/authorization_policy.csv b/authorization_policy.csv
index 107e45f..0f3e882 100644
--- a/authorization_policy.csv
+++ b/authorization_policy.csv
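Review bot: The `return routeutils.ResponseAPIAuthorizationError(ctx)` added directly after the closing brace of the `CanCreateAddress` check is unconditional, so every request to handleAddAddress now gets an authorization error and everything after it (`address.CreatedUser.ID = …`, the service call) is unreachable; `go vet` flags this as unreachable code. It looks like a debugging leftover and should simply be deleted, leaving only the guarded return inside the `if`. handleAddAddress starts and ends outside the hunk.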
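Review bot: The `GetByUUID` + `HandleAPIError` + `Can…` preamble added to handleAddContact is now the fourth verbatim copy in this file (handleParent, handleChild, handleAddAddress, handleAddContact), and a fifth and sixth would be needed if the remove handlers get their check back. A small helper on `controller` that performs the `c.svc.Organization.GetByUUID(orgUUID, authUser)` lookup and returns the organization would reduce each handler to one call plus its `Can…` check; its exact signature depends on the types of `orgUUID` and `authUser`, which are not visible in the hunk. handleAddContact starts and ends outside the hunk.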
@@ -79,18 +79,23 @@ p, *, *, *, *, *, *, /v1/nemt/organization/type, GET
 p, AD, *, *, *, *, *, /v1/nemt/organization/*, GET
 p, AD, *, *, *, *, *, /v1/nemt/organization/*, POST
 p, AD, *, *, *, *, *, /v1/nemt/organization/*, PUT
+p, AD, *, *, *, *, *, /v1/nemt/organization/*, DELETE
 p, SCHDAD, *, *, *, [equal*], *, /v1/nemt/organization/*, GET
 p, SCHDAD, *, *, *, [equal*], *, /v1/nemt/organization/*, POST
 p, SCHDAD, *, *, *, [equal*], *, /v1/nemt/organization/*, PUT
+p, SCHDAD, *, *, *, [equal*], *, /v1/nemt/organization/*, DELETE
 p, PLANAD, *, *, *, [equal*], *, /v1/nemt/organization/*, GET
 p, PLANAD, *, *, *, [equal*], *, /v1/nemt/organization/*, POST
 p, PLANAD, *, *, *, [equal*], *, /v1/nemt/organization/*, PUT
+p, PLANAD, *, *, *, [equal*], *, /v1/nemt/organization/*, DELETE
 p, BDCAD, *, *, *, *, *, /v1/nemt/organization/*, GET
 p, BDCAD, *, *, *, *, *, /v1/nemt/organization/*, POST
 p, BDCAD, *, *, *, *, *, /v1/nemt/organization/*, PUT
+p, BDCAD, *, *, *, *, *, /v1/nemt/organization/*, DELETE
 p, BCBSIAD, *, *, *, *, *, /v1/nemt/organization/*, GET
 p, BCBSIAD, *, *, *, *, *, /v1/nemt/organization/*, POST
 p, BCBSIAD, *, *, *, *, *, /v1/nemt/organization/*, PUT
+p, BCBSIAD, *, *, *, *, *, /v1/nemt/organization/*, DELETE
 p, SPT, *, programsupport, *, *, *, /v1/nemt/organization/*, GET
 p, SP, *, provider, *, *, *, /v1/nemt/organization, GET
 p, SP, *, plan, *, *, *, /v1/nemt/organization, GET
@@ -108,4 +113,3 @@ p, BCBSIAD, *, bcbsi, *, *, *, /v1/nemt/eligibility, POST
 p, BDCAD, *, techsupport, *, *, *, /v1/nemt/eligibility, POST
 p, PLANAD, *, plan, *, *, *, /v1/nemt/eligibility, POST
 p, AD, *, *, *, *, *, /v1/nemt/eligibility, POST
-
-- 2.47.3
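Review bot: The five new DELETE rows grant DELETE on the whole `/v1/nemt/organization/*` prefix to every admin role, so any DELETE route under that prefix — not only address and contact removal — becomes reachable for these roles at the policy layer. Since patch 2 removed the in-code `CanDeleteAddress`/`CanDeleteContact` checks, these rows are the only gate left for removal; the `[equal*]` field on the SCHDAD and PLANAD rows presumably scopes them to the caller's own organization (its matcher is not in this series), while AD, BDCAD and BCBSIAD are unrestricted, which mirrors the "manage all organizations" roles in organization.go only if that mapping is intended. Either state that mapping in a comment next to this rule block or keep an organization-level check in the remove handlers so the CSV is not the sole authority.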