From 0bafb086bcc65a7d46aa76467342ac52996f2da8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=9E=D0=BB=D0=B5=D0=B3=20=D0=91=D0=BE=D1=80=D0=BE=D0=B4?= =?UTF-8?q?=D0=B8=D0=BD?= Date: Sat, 10 Aug 2024 15:08:14 +0200 Subject: [PATCH] certmanager updates --- internal/grpc/handler/account.go | 26 +++++++------- internal/grpc/handler/grant.go | 8 ++--- internal/grpc/handler/issuer.go | 24 ++++++------- internal/grpc/handler/service.go | 20 +++++------ internal/logic/account.go | 54 ++++++++++++++++++++++++----- internal/logic/database.go | 12 +++---- internal/logic/grants.go | 27 ++++++++++++--- internal/logic/issuer.go | 58 ++++++++++++++++++++++++++++---- internal/logic/service.go | 47 +++++++++++++++++++++++--- 9 files changed, 206 insertions(+), 70 deletions(-) diff --git a/internal/grpc/handler/account.go b/internal/grpc/handler/account.go index 236a036..fbd0da7 100644 --- a/internal/grpc/handler/account.go +++ b/internal/grpc/handler/account.go @@ -12,7 +12,7 @@ import ( func (hand *Handler) Authentificate(ctx context.Context) (int64, error) { var err error - var userID int64 + var accountID int64 meta, _ := metadata.FromIncomingContext(ctx) hand.log.Debugf("Reqest username: %s", meta["username"]) @@ -21,27 +21,27 @@ func (hand *Handler) Authentificate(ctx context.Context) (int64, error) { passwordArr := meta["password"] if len(usernameArr) == 0 || len(passwordArr) == 0 { err := status.Errorf(codes.PermissionDenied, "Empty auth data") - return userID, err + return accountID, err } username := meta["username"][0] password := meta["password"][0] - validated, userID, err := hand.lg.ValidateAcount(ctx, username, password) + validated, accountID, err := hand.lg.ValidateAcount(ctx, username, password) if !validated { err := status.Errorf(codes.PermissionDenied, "Wrong auth data") - return userID, err + return accountID, err } - return userID, err + return accountID, err } func (hand *Handler) CreateAccount(ctx context.Context, params *cmctl.CreateAccountParams) (*cmctl.CreateAccountResult, error) { var err error hand.log.Debugf("Handle CreateAccount call") res := &cmctl.CreateAccountResult{} - userID, err := hand.Authentificate(ctx) + accountID, err := hand.Authentificate(ctx) if err != nil { return res, err } - res, err = hand.lg.CreateAccount(ctx, userID, params) + res, err = hand.lg.CreateAccount(ctx, accountID, params) return res, err } @@ -49,11 +49,11 @@ func (hand *Handler) DeleteAccount(ctx context.Context, params *cmctl.DeleteAcco var err error hand.log.Debugf("Handle DeleteAccount call") res := &cmctl.DeleteAccountResult{} - userID, err := hand.Authentificate(ctx) + accountID, err := hand.Authentificate(ctx) if err != nil { return res, err } - res, err = hand.lg.DeleteAccount(ctx, userID, params) + res, err = hand.lg.DeleteAccount(ctx, accountID, params) return res, err } @@ -61,11 +61,11 @@ func (hand *Handler) ListAccounts(ctx context.Context, params *cmctl.ListAccount var err error hand.log.Debugf("Handle ListAccounts call") res := &cmctl.ListAccountsResult{} - userID, err := hand.Authentificate(ctx) + accountID, err := hand.Authentificate(ctx) if err != nil { return res, err } - res, err = hand.lg.ListAccounts(ctx, userID, params) + res, err = hand.lg.ListAccounts(ctx, accountID, params) return res, err } @@ -73,10 +73,10 @@ func (hand *Handler) UpdateAccount(ctx context.Context, params *cmctl.UpdateAcco var err error hand.log.Debugf("Handle UpdateAccount call") res := &cmctl.UpdateAccountResult{} - userID, err := hand.Authentificate(ctx) + accountID, err := hand.Authentificate(ctx) if err != nil { return res, err } - res, err = hand.lg.UpdateAccount(ctx, userID, params) + res, err = hand.lg.UpdateAccount(ctx, accountID, params) return res, err } diff --git a/internal/grpc/handler/grant.go b/internal/grpc/handler/grant.go index b900642..a291b09 100644 --- a/internal/grpc/handler/grant.go +++ b/internal/grpc/handler/grant.go @@ -10,11 +10,11 @@ func (hand *Handler) SetGrant(ctx context.Context, params *cmctl.SetGrantParams) var err error hand.log.Debugf("Handle SetGrant call") res := &cmctl.SetGrantResult{} - userID, err := hand.Authentificate(ctx) + accountID, err := hand.Authentificate(ctx) if err != nil { return res, err } - res, err = hand.lg.SetGrant(ctx, userID, params) + res, err = hand.lg.SetGrant(ctx, accountID, params) return res, err } @@ -22,10 +22,10 @@ func (hand *Handler) DeleteGrant(ctx context.Context, params *cmctl.DeleteGrantP var err error hand.log.Debugf("Handle DeleteGrant call") res := &cmctl.DeleteGrantResult{} - userID, err := hand.Authentificate(ctx) + accountID, err := hand.Authentificate(ctx) if err != nil { return res, err } - res, err = hand.lg.DeleteGrant(ctx, userID, params) + res, err = hand.lg.DeleteGrant(ctx, accountID, params) return res, err } diff --git a/internal/grpc/handler/issuer.go b/internal/grpc/handler/issuer.go index aaaea1a..9aa13d9 100644 --- a/internal/grpc/handler/issuer.go +++ b/internal/grpc/handler/issuer.go @@ -10,11 +10,11 @@ func (hand *Handler) CreateIssuerPair(ctx context.Context, params *cmctl.CreateI var err error hand.log.Debugf("Handle CreateIssuerPair call") res := &cmctl.CreateIssuerPairResult{} - userID, err := hand.Authentificate(ctx) + accountID, err := hand.Authentificate(ctx) if err != nil { return res, err } - res, err = hand.lg.CreateIssuerPair(ctx, userID, params) + res, err = hand.lg.CreateIssuerPair(ctx, accountID, params) return res, err } @@ -22,11 +22,11 @@ func (hand *Handler) ImportIssuerPair(ctx context.Context, params *cmctl.ImportI var err error hand.log.Debugf("Handle ImportIssuerPair call") res := &cmctl.ImportIssuerPairResult{} - userID, err := hand.Authentificate(ctx) + accountID, err := hand.Authentificate(ctx) if err != nil { return res, err } - res, err = hand.lg.ImportIssuerPair(ctx, userID, params) + res, err = hand.lg.ImportIssuerPair(ctx, accountID, params) return res, err } @@ -34,11 +34,11 @@ func (hand *Handler) RevokeIssuerPair(ctx context.Context, params *cmctl.RevokeI var err error hand.log.Debugf("Handle RevokeIssuerPair call") res := &cmctl.RevokeIssuerPairResult{} - userID, err := hand.Authentificate(ctx) + accountID, err := hand.Authentificate(ctx) if err != nil { return res, err } - res, err = hand.lg.RevokeIssuerPair(ctx, userID, params) + res, err = hand.lg.RevokeIssuerPair(ctx, accountID, params) return res, err } @@ -46,11 +46,11 @@ func (hand *Handler) UnrevokeIssuerPair(ctx context.Context, params *cmctl.Unrev var err error hand.log.Debugf("Handle UnrevokeIssuerPair call") res := &cmctl.UnrevokeIssuerPairResult{} - userID, err := hand.Authentificate(ctx) + accountID, err := hand.Authentificate(ctx) if err != nil { return res, err } - res, err = hand.lg.UnrevokeIssuerPair(ctx, userID, params) + res, err = hand.lg.UnrevokeIssuerPair(ctx, accountID, params) return res, err } @@ -58,11 +58,11 @@ func (hand *Handler) ListIssuerPairs(ctx context.Context, params *cmctl.ListIssu var err error hand.log.Debugf("Handle ListIssuerPairs call") res := &cmctl.ListIssuerPairsResult{} - userID, err := hand.Authentificate(ctx) + accountID, err := hand.Authentificate(ctx) if err != nil { return res, err } - res, err = hand.lg.ListIssuerPairs(ctx, userID, params) + res, err = hand.lg.ListIssuerPairs(ctx, accountID, params) return res, err } @@ -70,10 +70,10 @@ func (hand *Handler) GetIssuerCertificate(ctx context.Context, params *cmctl.Get var err error hand.log.Debugf("Handle GetIssuerCertificate call") res := &cmctl.GetIssuerCertificateResult{} - userID, err := hand.Authentificate(ctx) + accountID, err := hand.Authentificate(ctx) if err != nil { return res, err } - res, err = hand.lg.GetIssuerCertificate(ctx, userID, params) + res, err = hand.lg.GetIssuerCertificate(ctx, accountID, params) return res, err } diff --git a/internal/grpc/handler/service.go b/internal/grpc/handler/service.go index 7fd39b1..8194f01 100644 --- a/internal/grpc/handler/service.go +++ b/internal/grpc/handler/service.go @@ -10,11 +10,11 @@ func (hand *Handler) CreateServicePair(ctx context.Context, params *cmctl.Create var err error hand.log.Debugf("Handle CreateServicePair call") res := &cmctl.CreateServicePairResult{} - userID, err := hand.Authentificate(ctx) + accountID, err := hand.Authentificate(ctx) if err != nil { return res, err } - res, err = hand.lg.CreateServicePair(ctx, userID, params) + res, err = hand.lg.CreateServicePair(ctx, accountID, params) return res, err } @@ -22,11 +22,11 @@ func (hand *Handler) RevokeServicePair(ctx context.Context, params *cmctl.Revoke var err error hand.log.Debugf("Handle RevokeServicePair call") res := &cmctl.RevokeServicePairResult{} - userID, err := hand.Authentificate(ctx) + accountID, err := hand.Authentificate(ctx) if err != nil { return res, err } - res, err = hand.lg.RevokeServicePair(ctx, userID, params) + res, err = hand.lg.RevokeServicePair(ctx, accountID, params) return res, err } @@ -34,11 +34,11 @@ func (hand *Handler) UnrevokeServicePair(ctx context.Context, params *cmctl.Unre var err error hand.log.Debugf("Handle UnrevokeServicePair call") res := &cmctl.UnrevokeServicePairResult{} - userID, err := hand.Authentificate(ctx) + accountID, err := hand.Authentificate(ctx) if err != nil { return res, err } - res, err = hand.lg.UnrevokeServicePair(ctx, userID, params) + res, err = hand.lg.UnrevokeServicePair(ctx, accountID, params) return res, err } @@ -46,11 +46,11 @@ func (hand *Handler) ListServicePairs(ctx context.Context, params *cmctl.ListSer var err error hand.log.Debugf("Handle ListServicePairs call") res := &cmctl.ListServicePairsResult{} - userID, err := hand.Authentificate(ctx) + accountID, err := hand.Authentificate(ctx) if err != nil { return res, err } - res, err = hand.lg.ListServicePairs(ctx, userID, params) + res, err = hand.lg.ListServicePairs(ctx, accountID, params) return res, err } @@ -58,10 +58,10 @@ func (hand *Handler) GetServicePair(ctx context.Context, params *cmctl.GetServic var err error hand.log.Debugf("Handle GetServicePair call") res := &cmctl.GetServicePairResult{} - userID, err := hand.Authentificate(ctx) + accountID, err := hand.Authentificate(ctx) if err != nil { return res, err } - res, err = hand.lg.GetServicePair(ctx, userID, params) + res, err = hand.lg.GetServicePair(ctx, accountID, params) return res, err } diff --git a/internal/logic/account.go b/internal/logic/account.go index a56e3f0..1c30fa7 100644 --- a/internal/logic/account.go +++ b/internal/logic/account.go @@ -12,27 +12,35 @@ import ( func (lg *Logic) ValidateAcount(ctx context.Context, username, password string) (bool, int64, error) { var err error - var userID int64 + var accountID int64 var valid bool accountExists, accountDescr, err := lg.db.GetAccountByUsername(ctx, username) if !accountExists { err := fmt.Errorf("Account not exists") - return valid, userID, err + return valid, accountID, err } if password != accountDescr.Password { err := fmt.Errorf("Login data mismatch") - return valid, userID, err + return valid, accountID, err } valid = true - userID = accountDescr.ID - return valid, userID, err + accountID = accountDescr.ID + return valid, accountID, err } -func (lg *Logic) CreateAccount(ctx context.Context, userID int64, params *cmctl.CreateAccountParams) (*cmctl.CreateAccountResult, error) { +func (lg *Logic) CreateAccount(ctx context.Context, accountID int64, params *cmctl.CreateAccountParams) (*cmctl.CreateAccountResult, error) { var err error res := &cmctl.CreateAccountResult{} + grantExists, _, err := lg.db.GetGrant(ctx, accountID, descriptor.GrantModifyUsers) + if err != nil { + return res, err + } + if !grantExists { + err := fmt.Errorf("Operation not allowed for the user") + return res, err + } if params.Username == "" { err := fmt.Errorf("Empty username parameters") return res, err @@ -68,10 +76,19 @@ func (lg *Logic) CreateAccount(ctx context.Context, userID int64, params *cmctl. return res, err } -func (lg *Logic) UpdateAccount(ctx context.Context, userID int64, params *cmctl.UpdateAccountParams) (*cmctl.UpdateAccountResult, error) { +func (lg *Logic) UpdateAccount(ctx context.Context, accountID int64, params *cmctl.UpdateAccountParams) (*cmctl.UpdateAccountResult, error) { var err error res := &cmctl.UpdateAccountResult{} + grantExists, _, err := lg.db.GetGrant(ctx, accountID, descriptor.GrantModifyUsers) + if err != nil { + return res, err + } + if !grantExists { + err := fmt.Errorf("Operation not allowed for the user") + return res, err + } + var accountDescr *descriptor.Account var accountExists bool switch { @@ -111,10 +128,19 @@ func (lg *Logic) UpdateAccount(ctx context.Context, userID int64, params *cmctl. return res, err } -func (lg *Logic) DeleteAccount(ctx context.Context, userID int64, params *cmctl.DeleteAccountParams) (*cmctl.DeleteAccountResult, error) { +func (lg *Logic) DeleteAccount(ctx context.Context, accountID int64, params *cmctl.DeleteAccountParams) (*cmctl.DeleteAccountResult, error) { var err error res := &cmctl.DeleteAccountResult{} + grantExists, _, err := lg.db.GetGrant(ctx, accountID, descriptor.GrantModifyUsers) + if err != nil { + return res, err + } + if !grantExists { + err := fmt.Errorf("Operation not allowed for the user") + return res, err + } + var accountDescr *descriptor.Account var accountExists bool switch { @@ -145,11 +171,21 @@ func (lg *Logic) DeleteAccount(ctx context.Context, userID int64, params *cmctl. return res, err } -func (lg *Logic) ListAccounts(ctx context.Context, userID int64, params *cmctl.ListAccountsParams) (*cmctl.ListAccountsResult, error) { +func (lg *Logic) ListAccounts(ctx context.Context, accountID int64, params *cmctl.ListAccountsParams) (*cmctl.ListAccountsResult, error) { var err error res := &cmctl.ListAccountsResult{ Accounts: make([]*cmctl.AccountShortDescr, 0), } + + grantExists, _, err := lg.db.GetGrant(ctx, accountID, descriptor.GrantModifyUsers) + if err != nil { + return res, err + } + if !grantExists { + err := fmt.Errorf("Operation not allowed for the user") + return res, err + } + accountDescrs, err := lg.db.ListAccounts(ctx) if err != nil { return res, err diff --git a/internal/logic/database.go b/internal/logic/database.go index 790c4c1..e5f9ca9 100644 --- a/internal/logic/database.go +++ b/internal/logic/database.go @@ -19,10 +19,10 @@ func (lg *Logic) CleanDatabase(ctx context.Context) error { func (lg *Logic) SeedAccount(ctx context.Context) (int64, error) { var err error - var userID int64 + var accountID int64 accountDescrs, err := lg.db.ListAccounts(ctx) if err != nil { - return userID, err + return accountID, err } if len(accountDescrs) == 0 { now := time.Now().Format(time.RFC3339) @@ -36,9 +36,9 @@ func (lg *Logic) SeedAccount(ctx context.Context) (int64, error) { } err = lg.db.InsertAccount(ctx, accountDescr) if err != nil { - return userID, err + return accountID, err } - userID = accountDescr.ID + accountID = accountDescr.ID grantTypes := []string{ descriptor.GrantModifyServices, descriptor.GrantModifyUssuers, @@ -52,13 +52,13 @@ func (lg *Logic) SeedAccount(ctx context.Context) (int64, error) { } err = lg.db.InsertGrant(ctx, grantDescr) if err != nil { - return userID, err + return accountID, err } } } - return userID, err + return accountID, err } diff --git a/internal/logic/grants.go b/internal/logic/grants.go index d970ae8..526edf7 100644 --- a/internal/logic/grants.go +++ b/internal/logic/grants.go @@ -10,10 +10,19 @@ import ( "certmanager/pkg/cmctl" ) -func (lg *Logic) SetGrant(ctx context.Context, userID int64, params *cmctl.SetGrantParams) (*cmctl.SetGrantResult, error) { +func (lg *Logic) SetGrant(ctx context.Context, accountID int64, params *cmctl.SetGrantParams) (*cmctl.SetGrantResult, error) { var err error res := &cmctl.SetGrantResult{} + grantExists, _, err := lg.db.GetGrant(ctx, accountID, descriptor.GrantModifyUsers) + if err != nil { + return res, err + } + if !grantExists { + err := fmt.Errorf("Operation not allowed for the user") + return res, err + } + grantTypes := []string{ descriptor.GrantModifyServices, descriptor.GrantModifyUssuers, @@ -50,8 +59,7 @@ func (lg *Logic) SetGrant(ctx context.Context, userID int64, params *cmctl.SetGr return res, err } - //grantExists := true - grantExists, _, err := lg.db.GetGrant(ctx, accountDescr.ID, params.Operation) + grantExists, _, err = lg.db.GetGrant(ctx, accountDescr.ID, params.Operation) if err != nil { return res, err } @@ -73,10 +81,19 @@ func (lg *Logic) SetGrant(ctx context.Context, userID int64, params *cmctl.SetGr return res, err } -func (lg *Logic) DeleteGrant(ctx context.Context, userID int64, params *cmctl.DeleteGrantParams) (*cmctl.DeleteGrantResult, error) { +func (lg *Logic) DeleteGrant(ctx context.Context, accountID int64, params *cmctl.DeleteGrantParams) (*cmctl.DeleteGrantResult, error) { var err error res := &cmctl.DeleteGrantResult{} + grantExists, _, err := lg.db.GetGrant(ctx, accountID, descriptor.GrantModifyUsers) + if err != nil { + return res, err + } + if !grantExists { + err := fmt.Errorf("Operation not allowed for the user") + return res, err + } + grantTypes := []string{ descriptor.GrantModifyServices, descriptor.GrantModifyUssuers, @@ -113,7 +130,7 @@ func (lg *Logic) DeleteGrant(ctx context.Context, userID int64, params *cmctl.De return res, err } - grantExists, _, err := lg.db.GetGrant(ctx, accountDescr.ID, params.Operation) + grantExists, _, err = lg.db.GetGrant(ctx, accountDescr.ID, params.Operation) if err != nil { return res, err } diff --git a/internal/logic/issuer.go b/internal/logic/issuer.go index 6bf6adb..a858d53 100644 --- a/internal/logic/issuer.go +++ b/internal/logic/issuer.go @@ -11,10 +11,19 @@ import ( "certmanager/pkg/cmctl" ) -func (lg *Logic) CreateIssuerPair(ctx context.Context, userID int64, params *cmctl.CreateIssuerPairParams) (*cmctl.CreateIssuerPairResult, error) { +func (lg *Logic) CreateIssuerPair(ctx context.Context, accountID int64, params *cmctl.CreateIssuerPairParams) (*cmctl.CreateIssuerPairResult, error) { var err error res := &cmctl.CreateIssuerPairResult{} + grantExists, _, err := lg.db.GetGrant(ctx, accountID, descriptor.GrantModifyUssuers) + if err != nil { + return res, err + } + if !grantExists { + err := fmt.Errorf("Operation not allowed for the user") + return res, err + } + var signerDescr *descriptor.Issuer var signerExists bool if params.SignerID > 0 { @@ -84,12 +93,22 @@ func (lg *Logic) CreateIssuerPair(ctx context.Context, userID int64, params *cmc return res, err } -func (lg *Logic) GetIssuerCertificate(ctx context.Context, userID int64, params *cmctl.GetIssuerCertificateParams) (*cmctl.GetIssuerCertificateResult, error) { +func (lg *Logic) GetIssuerCertificate(ctx context.Context, accountID int64, params *cmctl.GetIssuerCertificateParams) (*cmctl.GetIssuerCertificateResult, error) { var err error res := &cmctl.GetIssuerCertificateResult{ SignerCertificates: make([]string, 0), SignerNames: make([]string, 0), } + + grantExists, _, err := lg.db.GetGrant(ctx, accountID, descriptor.GrantModifyUssuers) + if err != nil { + return res, err + } + if !grantExists { + err := fmt.Errorf("Operation not allowed for the user") + return res, err + } + var issuerDescr *descriptor.Issuer var issuerExists bool switch { @@ -143,10 +162,19 @@ func (lg *Logic) GetIssuerCertificate(ctx context.Context, userID int64, params return res, err } -func (lg *Logic) ImportIssuerPair(ctx context.Context, userID int64, params *cmctl.ImportIssuerPairParams) (*cmctl.ImportIssuerPairResult, error) { +func (lg *Logic) ImportIssuerPair(ctx context.Context, accountID int64, params *cmctl.ImportIssuerPairParams) (*cmctl.ImportIssuerPairResult, error) { var err error res := &cmctl.ImportIssuerPairResult{} + grantExists, _, err := lg.db.GetGrant(ctx, accountID, descriptor.GrantModifyUssuers) + if err != nil { + return res, err + } + if !grantExists { + err := fmt.Errorf("Operation not allowed for the user") + return res, err + } + if params.Certificate == "" { err := fmt.Errorf("Empty issuer cerificata data") return res, err @@ -218,10 +246,19 @@ func (lg *Logic) ImportIssuerPair(ctx context.Context, userID int64, params *cmc return res, err } -func (lg *Logic) RevokeIssuerPair(ctx context.Context, userID int64, params *cmctl.RevokeIssuerPairParams) (*cmctl.RevokeIssuerPairResult, error) { +func (lg *Logic) RevokeIssuerPair(ctx context.Context, accountID int64, params *cmctl.RevokeIssuerPairParams) (*cmctl.RevokeIssuerPairResult, error) { var err error res := &cmctl.RevokeIssuerPairResult{} + grantExists, _, err := lg.db.GetGrant(ctx, accountID, descriptor.GrantModifyUssuers) + if err != nil { + return res, err + } + if !grantExists { + err := fmt.Errorf("Operation not allowed for the user") + return res, err + } + var issuerDescr *descriptor.Issuer var issuerExists bool switch { @@ -263,10 +300,19 @@ func (lg *Logic) RevokeIssuerPair(ctx context.Context, userID int64, params *cmc return res, err } -func (lg *Logic) UnrevokeIssuerPair(ctx context.Context, userID int64, params *cmctl.UnrevokeIssuerPairParams) (*cmctl.UnrevokeIssuerPairResult, error) { +func (lg *Logic) UnrevokeIssuerPair(ctx context.Context, accountID int64, params *cmctl.UnrevokeIssuerPairParams) (*cmctl.UnrevokeIssuerPairResult, error) { var err error res := &cmctl.UnrevokeIssuerPairResult{} + grantExists, _, err := lg.db.GetGrant(ctx, accountID, descriptor.GrantModifyUssuers) + if err != nil { + return res, err + } + if !grantExists { + err := fmt.Errorf("Operation not allowed for the user") + return res, err + } + var issuerDescr *descriptor.Issuer var issuerExists bool switch { @@ -308,7 +354,7 @@ func (lg *Logic) UnrevokeIssuerPair(ctx context.Context, userID int64, params *c return res, err } -func (lg *Logic) ListIssuerPairs(ctx context.Context, userID int64, params *cmctl.ListIssuerPairsParams) (*cmctl.ListIssuerPairsResult, error) { +func (lg *Logic) ListIssuerPairs(ctx context.Context, accountID int64, params *cmctl.ListIssuerPairsParams) (*cmctl.ListIssuerPairsResult, error) { var err error res := &cmctl.ListIssuerPairsResult{ Issuers: make([]*cmctl.IssierShortDescriptor, 0), diff --git a/internal/logic/service.go b/internal/logic/service.go index 8b89e74..7d062a0 100644 --- a/internal/logic/service.go +++ b/internal/logic/service.go @@ -12,10 +12,19 @@ import ( "certmanager/pkg/cmctl" ) -func (lg *Logic) CreateServicePair(ctx context.Context, userID int64, params *cmctl.CreateServicePairParams) (*cmctl.CreateServicePairResult, error) { +func (lg *Logic) CreateServicePair(ctx context.Context, accountID int64, params *cmctl.CreateServicePairParams) (*cmctl.CreateServicePairResult, error) { var err error res := &cmctl.CreateServicePairResult{} + grantExists, _, err := lg.db.GetGrant(ctx, accountID, descriptor.GrantModifyServices) + if err != nil { + return res, err + } + if !grantExists { + err := fmt.Errorf("Operation not allowed for the user") + return res, err + } + var issuerDescr *descriptor.Issuer var issuerExists bool switch { @@ -93,11 +102,21 @@ func (lg *Logic) CreateServicePair(ctx context.Context, userID int64, params *cm return res, err } -func (lg *Logic) GetServicePair(ctx context.Context, userID int64, params *cmctl.GetServicePairParams) (*cmctl.GetServicePairResult, error) { +func (lg *Logic) GetServicePair(ctx context.Context, accountID int64, params *cmctl.GetServicePairParams) (*cmctl.GetServicePairResult, error) { var err error res := &cmctl.GetServicePairResult{ IssuerCertificates: make([]string, 0), } + + grantExists, _, err := lg.db.GetGrant(ctx, accountID, descriptor.GrantModifyServices) + if err != nil { + return res, err + } + if !grantExists { + err := fmt.Errorf("Operation not allowed for the user") + return res, err + } + var serviceDescr *descriptor.Service var serviceExists bool switch { @@ -276,7 +295,7 @@ func (lg *Logic) GetNextIssuerChain(ctx context.Context, deep int, firstIssuerDe return res, err } -func (lg *Logic) ListServicePairs(ctx context.Context, userID int64, params *cmctl.ListServicePairsParams) (*cmctl.ListServicePairsResult, error) { +func (lg *Logic) ListServicePairs(ctx context.Context, accountID int64, params *cmctl.ListServicePairsParams) (*cmctl.ListServicePairsResult, error) { var err error res := &cmctl.ListServicePairsResult{ Services: make([]*cmctl.ServiceShortDescriptor, 0), @@ -299,10 +318,19 @@ func (lg *Logic) ListServicePairs(ctx context.Context, userID int64, params *cmc return res, err } -func (lg *Logic) RevokeServicePair(ctx context.Context, userID int64, params *cmctl.RevokeServicePairParams) (*cmctl.RevokeServicePairResult, error) { +func (lg *Logic) RevokeServicePair(ctx context.Context, accountID int64, params *cmctl.RevokeServicePairParams) (*cmctl.RevokeServicePairResult, error) { var err error res := &cmctl.RevokeServicePairResult{} + grantExists, _, err := lg.db.GetGrant(ctx, accountID, descriptor.GrantModifyServices) + if err != nil { + return res, err + } + if !grantExists { + err := fmt.Errorf("Operation not allowed for the user") + return res, err + } + var serviceDescr *descriptor.Service var serviceExists bool switch { @@ -344,10 +372,19 @@ func (lg *Logic) RevokeServicePair(ctx context.Context, userID int64, params *cm return res, err } -func (lg *Logic) UnrevokeServicePair(ctx context.Context, userID int64, params *cmctl.UnrevokeServicePairParams) (*cmctl.UnrevokeServicePairResult, error) { +func (lg *Logic) UnrevokeServicePair(ctx context.Context, accountID int64, params *cmctl.UnrevokeServicePairParams) (*cmctl.UnrevokeServicePairResult, error) { var err error res := &cmctl.UnrevokeServicePairResult{} + grantExists, _, err := lg.db.GetGrant(ctx, accountID, descriptor.GrantModifyServices) + if err != nil { + return res, err + } + if !grantExists { + err := fmt.Errorf("Operation not allowed for the user") + return res, err + } + var serviceDescr *descriptor.Service var serviceExists bool switch {