Mise en place d'un système de vérification des autorisations côté

serveur

- Création d'un service d'autorisation dynamique basé sur des "voter" (à
  la Symfony)
- Mise en place des autorisations sur les principales queries/mutations
  de l'API GraphQL

internal/graph/dsf_handler.go

@@ -12,6 +12,15 @@ import (
 )
 
 func handleCreateDecisionSupportFile(ctx context.Context, changes *model.DecisionSupportFileChanges) (*model.DecisionSupportFile, error) {
+	authorized, err := isAuthorized(ctx, &model.DecisionSupportFile{}, model.ActionCreate)
+	if err != nil {
+		return nil, errs.WithStack(err)
+	}
+
+	if !authorized {
+		return nil, errs.WithStack(ErrForbidden)
+	}
+
 	ctn := container.Must(ctx)
 	db := orm.Must(ctn).DB()
 
@@ -31,7 +40,21 @@ func handleUpdateDecisionSupportFile(ctx context.Context, id string, changes *mo
 
 	repo := model.NewDSFRepository(db)
 
-	dsf, err := repo.Update(ctx, id, changes)
+	dsf, err := repo.Find(ctx, id)
+	if err != nil {
+		return nil, errs.WithStack(err)
+	}
+
+	authorized, err := isAuthorized(ctx, dsf, model.ActionUpdate)
+	if err != nil {
+		return nil, errs.WithStack(err)
+	}
+
+	if !authorized {
+		return nil, errs.WithStack(ErrForbidden)
+	}
+
+	dsf, err = repo.Update(ctx, id, changes)
 	if err != nil {
 		return nil, errs.WithStack(err)
 	}
@@ -45,7 +68,25 @@ func handleDecisionSupportFiles(ctx context.Context, filter *model.DecisionSuppo
 
 	repo := model.NewDSFRepository(db)
 
-	return repo.Search(ctx, filter)
+	found, err := repo.Search(ctx, filter)
+	if err != nil {
+		return nil, errs.WithStack(err)
+	}
+
+	dsfs := make([]*model.DecisionSupportFile, 0)
+
+	for _, d := range found {
+		authorized, err := isAuthorized(ctx, d, model.ActionRead)
+		if err != nil {
+			return nil, errs.WithStack(err)
+		}
+
+		if authorized {
+			dsfs = append(dsfs, d)
+		}
+	}
+
+	return dsfs, nil
 }
 
 func handleSections(ctx context.Context, dsf *model.DecisionSupportFile) (map[string]interface{}, error) {

internal/graph/error.go

@@ -0,0 +1,7 @@
+package graph
+
+import "errors"
+
+var (
+	ErrForbidden = errors.New("forbidden")
+)

internal/graph/helper.go

@@ -3,6 +3,8 @@ package graph
 import (
 	"context"
 
+	"forge.cadoles.com/Cadoles/daddy/internal/voter"
+
 	"forge.cadoles.com/Cadoles/daddy/internal/model"
 	"forge.cadoles.com/Cadoles/daddy/internal/orm"
 	"forge.cadoles.com/Cadoles/daddy/internal/session"
@@ -46,3 +48,31 @@ func getSessionUser(ctx context.Context) (*model.User, *gorm.DB, error) {
 
 	return user, db, nil
 }
+
+func isAuthorized(ctx context.Context, obj interface{}, action interface{}) (bool, error) {
+	user, _, err := getSessionUser(ctx)
+	if err != nil {
+		return false, errors.WithStack(err)
+	}
+
+	ctn, err := container.From(ctx)
+	if err != nil {
+		return false, errors.WithStack(err)
+	}
+
+	voterSrv, err := voter.From(ctn)
+	if err != nil {
+		return false, errors.WithStack(err)
+	}
+
+	decision, err := voterSrv.Authorized(ctx, user, obj, action)
+	if err != nil {
+		return false, errors.WithStack(err)
+	}
+
+	if decision == voter.Allow {
+		return true, nil
+	}
+
+	return false, nil
+}

internal/graph/workgroup_handler.go

@@ -2,10 +2,10 @@ package graph
 
 import (
 	"context"
-	"strconv"
 
 	"forge.cadoles.com/Cadoles/daddy/internal/model"
 	"github.com/pkg/errors"
+	errs "github.com/pkg/errors"
 )
 
 func handleWorkgroups(ctx context.Context, filter *model.WorkgroupsFilter) ([]*model.Workgroup, error) {
@@ -24,20 +24,28 @@ func handleWorkgroups(ctx context.Context, filter *model.WorkgroupsFilter) ([]*m
 		}
 	}
 
-	workgroups, err := repo.FindWorkgroups(ctx, criteria...)
+	found, err := repo.FindWorkgroups(ctx, criteria...)
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}
 
+	workgroups := make([]*model.Workgroup, 0)
+
+	for _, wg := range found {
+		authorized, err := isAuthorized(ctx, wg, model.ActionRead)
+		if err != nil {
+			return nil, errs.WithStack(err)
+		}
+
+		if authorized {
+			workgroups = append(workgroups, wg)
+		}
+	}
+
 	return workgroups, nil
 }
 
 func handleJoinWorkgroup(ctx context.Context, rawWorkgroupID string) (*model.Workgroup, error) {
-	workgroupID, err := parseWorkgroupID(rawWorkgroupID)
-	if err != nil {
-		return nil, errors.WithStack(err)
-	}
-
 	user, db, err := getSessionUser(ctx)
 	if err != nil {
 		return nil, errors.WithStack(err)
@@ -45,7 +53,21 @@ func handleJoinWorkgroup(ctx context.Context, rawWorkgroupID string) (*model.Wor
 
 	repo := model.NewWorkgroupRepository(db)
 
-	workgroup, err := repo.AddUserToWorkgroup(ctx, user.ID, workgroupID)
+	workgroup, err := repo.Find(ctx, rawWorkgroupID)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	authorized, err := isAuthorized(ctx, workgroup, model.ActionJoin)
+	if err != nil {
+		return nil, errs.WithStack(err)
+	}
+
+	if !authorized {
+		return nil, errs.WithStack(ErrForbidden)
+	}
+
+	workgroup, err = repo.AddUserToWorkgroup(ctx, user.ID, workgroup.ID)
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}
@@ -53,12 +75,7 @@ func handleJoinWorkgroup(ctx context.Context, rawWorkgroupID string) (*model.Wor
 	return workgroup, nil
 }
 
-func handleLeaveWorkgroup(ctx context.Context, rawWorkgroupID string) (*model.Workgroup, error) {
-	workgroupID, err := parseWorkgroupID(rawWorkgroupID)
-	if err != nil {
-		return nil, errors.WithStack(err)
-	}
-
+func handleLeaveWorkgroup(ctx context.Context, workgroupID string) (*model.Workgroup, error) {
 	user, db, err := getSessionUser(ctx)
 	if err != nil {
 		return nil, errors.WithStack(err)
@@ -66,7 +83,21 @@ func handleLeaveWorkgroup(ctx context.Context, rawWorkgroupID string) (*model.Wo
 
 	repo := model.NewWorkgroupRepository(db)
 
-	workgroup, err := repo.RemoveUserFromWorkgroup(ctx, user.ID, workgroupID)
+	workgroup, err := repo.Find(ctx, workgroupID)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	authorized, err := isAuthorized(ctx, workgroup, model.ActionLeave)
+	if err != nil {
+		return nil, errs.WithStack(err)
+	}
+
+	if !authorized {
+		return nil, errs.WithStack(ErrForbidden)
+	}
+
+	workgroup, err = repo.RemoveUserFromWorkgroup(ctx, user.ID, workgroup.ID)
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}
@@ -75,6 +106,15 @@ func handleLeaveWorkgroup(ctx context.Context, rawWorkgroupID string) (*model.Wo
 }
 
 func handleCreateWorkgroup(ctx context.Context, changes model.WorkgroupChanges) (*model.Workgroup, error) {
+	authorized, err := isAuthorized(ctx, &model.Workgroup{}, model.ActionCreate)
+	if err != nil {
+		return nil, errs.WithStack(err)
+	}
+
+	if !authorized {
+		return nil, errs.WithStack(ErrForbidden)
+	}
+
 	db, err := getDB(ctx)
 	if err != nil {
 		return nil, errors.WithStack(err)
@@ -90,12 +130,7 @@ func handleCreateWorkgroup(ctx context.Context, changes model.WorkgroupChanges)
 	return workgroup, nil
 }
 
-func handleCloseWorkgroup(ctx context.Context, rawWorkgroupID string) (*model.Workgroup, error) {
-	workgroupID, err := parseWorkgroupID(rawWorkgroupID)
-	if err != nil {
-		return nil, errors.WithStack(err)
-	}
-
+func handleCloseWorkgroup(ctx context.Context, workgroupID string) (*model.Workgroup, error) {
 	db, err := getDB(ctx)
 	if err != nil {
 		return nil, errors.WithStack(err)
@@ -103,7 +138,21 @@ func handleCloseWorkgroup(ctx context.Context, rawWorkgroupID string) (*model.Wo
 
 	repo := model.NewWorkgroupRepository(db)
 
-	workgroup, err := repo.CloseWorkgroup(ctx, workgroupID)
+	workgroup, err := repo.Find(ctx, workgroupID)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	authorized, err := isAuthorized(ctx, workgroup, model.ActionClose)
+	if err != nil {
+		return nil, errs.WithStack(err)
+	}
+
+	if !authorized {
+		return nil, errs.WithStack(ErrForbidden)
+	}
+
+	workgroup, err = repo.CloseWorkgroup(ctx, workgroup.ID)
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}
@@ -111,12 +160,7 @@ func handleCloseWorkgroup(ctx context.Context, rawWorkgroupID string) (*model.Wo
 	return workgroup, nil
 }
 
-func handleUpdateWorkgroup(ctx context.Context, rawWorkgroupID string, changes model.WorkgroupChanges) (*model.Workgroup, error) {
-	workgroupID, err := parseWorkgroupID(rawWorkgroupID)
-	if err != nil {
-		return nil, errors.WithStack(err)
-	}
-
+func handleUpdateWorkgroup(ctx context.Context, workgroupID string, changes model.WorkgroupChanges) (*model.Workgroup, error) {
 	db, err := getDB(ctx)
 	if err != nil {
 		return nil, errors.WithStack(err)
@@ -124,19 +168,24 @@ func handleUpdateWorkgroup(ctx context.Context, rawWorkgroupID string, changes m
 
 	repo := model.NewWorkgroupRepository(db)
 
-	workgroup, err := repo.UpdateWorkgroup(ctx, workgroupID, changes)
+	workgroup, err := repo.Find(ctx, workgroupID)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	authorized, err := isAuthorized(ctx, workgroup, model.ActionUpdate)
+	if err != nil {
+		return nil, errs.WithStack(err)
+	}
+
+	if !authorized {
+		return nil, errs.WithStack(ErrForbidden)
+	}
+
+	workgroup, err = repo.UpdateWorkgroup(ctx, workgroup.ID, changes)
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}
 
 	return workgroup, nil
 }
-
-func parseWorkgroupID(workgroupID string) (uint, error) {
-	workgroupID64, err := strconv.ParseUint(workgroupID, 10, 32)
-	if err != nil {
-		return 0, errors.WithStack(err)
-	}
-
-	return uint(workgroupID64), nil
-}