diff --git a/api/http/authn.go b/api/http/authn.go
index ee9e394f3a..b714a15085 100644
--- a/api/http/authn.go
+++ b/api/http/authn.go
@@ -8,7 +8,6 @@ import (
 "net/http"
 
 apiutil "github.com/absmach/supermq/api/http/util"
- "github.com/absmach/supermq/auth"
 smqauthn "github.com/absmach/supermq/pkg/authn"
 "github.com/go-chi/chi/v5"
 )
@@ -38,7 +37,6 @@ func AuthenticateMiddleware(authn smqauthn.Authentication, domainCheck bool) fun
 return
 }
 resp.DomainID = domain
- resp.DomainUserID = auth.EncodeDomainUserID(domain, resp.UserID)
 }
 
 ctx := context.WithValue(r.Context(), SessionKey, resp)
diff --git a/auth/service.go b/auth/service.go
index bf31a40850..11120b1024 100644
--- a/auth/service.go
+++ b/auth/service.go
@@ -356,10 +356,9 @@ func (svc service) checkUserDomain(ctx context.Context, key Key) (subject string
 }); err == nil {
 return key.User, nil
 }
- // Check user is domain member.
- domainUserSubject := EncodeDomainUserID(key.Domain, key.User)
+
 if err = svc.Authorize(ctx, policies.Policy{
- Subject: domainUserSubject,
+ Subject: key.User,
 SubjectType: policies.UserType,
 Permission: policies.MembershipPermission,
 Object: key.Domain,
@@ -367,7 +366,7 @@ func (svc service) checkUserDomain(ctx context.Context, key Key) (subject string
 }); err != nil {
 return "", err
 }
- return domainUserSubject, nil
+ return key.User, nil
 }
 return "", nil
 }
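Review bot: In the checkUserDomain hunk the removed `// Check user is domain member.` comment is replaced by an empty `+` line, so the `svc.Authorize` call that follows no longer states what it gates or why the subject changed; keep a comment there, e.g. `// Check user is domain member. The subject is now the bare user ID, so domain scoping rests solely on Object: key.Domain.` Both the admin path visible at the top of the hunk and the membership path now return the same `key.User`, so the returned subject no longer carries the domain that the deleted `DecodeDomainUserID` used to recover from it; any caller that derived the domain from the subject must read `key.Domain` instead, which I cannot confirm from these hunks. checkUserDomain begins and ends outside the hunk.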
@@ -432,31 +431,6 @@ func SwitchToPermission(relation string) string {
 }
 }
 
-func EncodeDomainUserID(domainID, userID string) string {
- if domainID == "" || userID == "" {
- return ""
- }
- return domainID + "_" + userID
-}
-
-func DecodeDomainUserID(domainUserID string) (string, string) {
- if domainUserID == "" {
- return domainUserID, domainUserID
- }
- duid := strings.Split(domainUserID, "_")
-
- switch {
- case len(duid) == 2:
- return duid[0], duid[1]
- case len(duid) == 1:
- return duid[0], ""
- case len(duid) == 0 || len(duid) > 2:
- fallthrough
- default:
- return "", ""
- }
-}
-
 func (svc service) CreatePAT(ctx context.Context, token, name, description string, duration time.Duration, scope Scope) (PAT, error) {
 key, err := svc.Identify(ctx, token)
 if err != nil {
diff --git a/auth/service_test.go b/auth/service_test.go
index 18115fd4c7..cfb62a13e4 100644
--- a/auth/service_test.go
+++ b/auth/service_test.go
@@ -421,14 +421,14 @@ func TestIssue(t *testing.T) {
 ObjectType: policies.PlatformType,
 },
 checkDomainMemberReq: policies.Policy{
- Subject: auth.EncodeDomainUserID(domainID, userID),
+ Subject: userID,
 SubjectType: policies.UserType,
 Permission: policies.MembershipPermission,
 Object: domainID,
 ObjectType: policies.DomainType,
 },
 checkDomainMemberReq1: policies.Policy{
- Subject: auth.EncodeDomainUserID(domainID, userID),
+ Subject: userID,
 SubjectType: policies.UserType,
 Permission: policies.MembershipPermission,
 Object: domainID,
@@ -455,7 +455,7 @@ func TestIssue(t *testing.T) {
 ObjectType: policies.PlatformType,
 },
 checkDomainMemberReq: policies.Policy{
- Subject: auth.EncodeDomainUserID(domainID, userID),
+ Subject: userID,
 SubjectType: policies.UserType,
 Permission: policies.MembershipPermission,
 Object: domainID,
@@ -552,14 +552,14 @@ func TestIssue(t *testing.T) {
 ObjectType: policies.PlatformType,
 },
 checkDomainMemberReq: policies.Policy{
- Subject: auth.EncodeDomainUserID(domainID, userID),
+ Subject: userID,
 SubjectType: policies.UserType,
 Permission: policies.MembershipPermission,
 Object: domainID,
 ObjectType: policies.DomainType,
 },
 checkDomainMemberReq1: policies.Policy{
- Subject: auth.EncodeDomainUserID(domainID, userID),
+ Subject: userID,
 SubjectType: policies.UserType,
 Permission: policies.MembershipPermission,
 Object: domainID,
@@ -586,14 +586,14 @@ func TestIssue(t *testing.T) {
 ObjectType: policies.PlatformType,
 },
 checkDomainMemberReq: policies.Policy{
- Subject: auth.EncodeDomainUserID(domainID, userID),
+ Subject: userID,
 SubjectType: policies.UserType,
 Permission: policies.MembershipPermission,
 Object: domainID,
 ObjectType: policies.DomainType,
 },
 checkDomainMemberReq1: policies.Policy{
- Subject: auth.EncodeDomainUserID(domainID, userID),
+ Subject: userID,
 SubjectType: policies.UserType,
 Permission: policies.MembershipPermission,
 Object: domainID,
@@ -1163,82 +1163,3 @@ func TestSwitchToPermission(t *testing.T) {
 assert.Equal(t, tc.result, result, fmt.Sprintf("switching to permission expected to succeed: %s", result))
 }
 }
-
-func TestEncodeDomainUserID(t *testing.T) {
- cases := []struct {
- desc string
- domainID string
- userID string
- response string
- }{
- {
- desc: "encode domain user id successfully",
- domainID: validID,
- userID: validID,
- response: validID + "_" + validID,
- },
- {
- desc: "encode domain user id with empty userID",
- domainID: validID,
- userID: "",
- response: "",
- },
- {
- desc: "encode domain user id with empty domain ID",
- domainID: "",
- userID: validID,
- response: "",
- },
- {
- desc: "encode domain user id with empty domain ID and userID",
- domainID: "",
- userID: "",
- response: "",
- },
- }
-
- for _, tc := range cases {
- ar := auth.EncodeDomainUserID(tc.domainID, tc.userID)
- assert.Equal(t, tc.response, ar, fmt.Sprintf("%s expected %s got %s\n", tc.desc, tc.response, ar))
- }
-}
-
-func TestDecodeDomainUserID(t *testing.T) {
- cases := []struct {
- desc string
- domainUserID string
- respDomainID string
- respUserID string
- }{
- {
- desc: "decode domain user id successfully",
- domainUserID: validID + "_" + validID,
- respDomainID: validID,
- respUserID: validID,
- },
- {
- desc: "decode domain user id with empty domainUserID",
- domainUserID: "",
- respDomainID: "",
- respUserID: "",
- },
- {
- desc: "decode domain user id with empty UserID",
- domainUserID: validID,
- respDomainID: validID,
- respUserID: "",
- },
- {
- desc: "decode domain user id with invalid domainuserId",
- domainUserID: validID + "_" + validID + "_" + validID + "_" + validID,
- respDomainID: "",
- respUserID: "",
- },
- }
-
- for _, tc := range cases {
- ar, er := auth.DecodeDomainUserID(tc.domainUserID)
- assert.Equal(t, tc.respUserID, er, fmt.Sprintf("%s expected %s got %s\n", tc.desc, tc.respUserID, er))
- assert.Equal(t, tc.respDomainID, ar, fmt.Sprintf("%s expected %s got %s\n",
tc.desc, tc.respDomainID, ar))
- }
-}
diff --git a/certs/api/endpoint_test.go b/certs/api/endpoint_test.go
index 66be87e00d..f0e086c3f9 100644
--- a/certs/api/endpoint_test.go
+++ b/certs/api/endpoint_test.go
@@ -224,7 +224,7 @@ func TestIssueCert(t *testing.T) {
 body: strings.NewReader(tc.request),
 }
 if tc.token == valid {
- tc.session = smqauthn.Session{DomainUserID: validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := svc.On("IssueCert", mock.Anything, tc.domainID, tc.token, tc.clientID, tc.ttl).Return(tc.svcRes, tc.svcErr)
@@ -310,7 +310,7 @@ func TestViewCert(t *testing.T) {
 token: tc.token,
 }
 if tc.token == valid {
- tc.session = smqauthn.Session{DomainUserID: validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := svc.On("ViewCert", mock.Anything, tc.serialID).Return(tc.svcRes, tc.svcErr)
@@ -403,7 +403,7 @@ func TestRevokeCert(t *testing.T) {
 token: tc.token,
 }
 if tc.token == valid {
- tc.session = smqauthn.Session{DomainUserID: validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := svc.On("RevokeCert", mock.Anything, tc.domainID, tc.token, tc.serialID).Return(tc.svcRes, tc.svcErr)
@@ -646,7 +646,7 @@ func TestListSerials(t *testing.T) {
 token: tc.token,
 }
 if tc.token == valid {
- tc.session = smqauthn.Session{DomainUserID: validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := svc.On("ListSerials", mock.Anything, tc.clientID, certs.PageMetadata{Revoked: tc.revoked, Offset: tc.offset, Limit: tc.limit}).Return(tc.svcRes, tc.svcErr)
diff --git a/channels/api/http/endpoint_test.go b/channels/api/http/endpoint_test.go
index d5c4243781..10def5adaa 100644
--- a/channels/api/http/endpoint_test.go
+++ b/channels/api/http/endpoint_test.go
@@ -174,7 +174,7 @@ func TestCreateChannelEndpoint(t *testing.T) {
 body: strings.NewReader(data),
 }
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 svcCall := svc.On("CreateChannels", mock.Anything, tc.session, tc.req).Return(tc.svcResp, []roles.RoleProvision{}, tc.svcErr)
@@ -310,7 +310,7 @@ func TestCreateChannelsEndpoint(t *testing.T) {
 body: strings.NewReader(data),
 }
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 svcCall := svc.On("CreateChannels", mock.Anything, tc.session, tc.req[0]).Return(tc.svcResp, []roles.RoleProvision{}, tc.svcErr)
@@ -407,7 +407,7 @@ func TestViewChannelEndpoint(t *testing.T) {
 token: tc.token,
 }
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 svcCall := svc.On("ViewChannel", mock.Anything, tc.session, tc.id).Return(tc.svcResp, tc.svcErr)
@@ -714,7 +714,7 @@ func TestListChannels(t *testing.T) {
 token: tc.token,
 }
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 svcCall := svc.On("ListChannels", mock.Anything, tc.session, mock.Anything).Return(tc.listChannelsResponse, tc.err)
@@ -857,7 +857,7 @@ func TestUpdateChannelEndpoint(t *testing.T) {
 body: strings.NewReader(data),
 }
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 svcCall := svc.On("UpdateChannel", mock.Anything, tc.session, tc.updateReq).Return(tc.svcResp, tc.svcErr)
@@ -997,7 +997,7 @@ func TestUpdateChannelTagsEndpoint(t *testing.T) {
 body: strings.NewReader(tc.data),
 }
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 svcCall := svc.On("UpdateChannelTags", mock.Anything, tc.session, channels.Channel{ID: tc.id, Tags: []string{newTag}}).Return(tc.svcResp, tc.svcErr)
@@ -1139,7 +1139,7 @@ func TestSetChannelParentGroupEndpoint(t *testing.T) {
 body: strings.NewReader(tc.data),
 }
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 svcCall := svc.On("SetParentGroup", mock.Anything, tc.session, validID, tc.id).Return(tc.svcErr)
@@ -1227,7 +1227,7 @@ func TestRemoveChannelParentGroupEndpoint(t *testing.T) {
 token: tc.token,
 }
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 svcCall := svc.On("RemoveParentGroup", mock.Anything, tc.session, tc.id).Return(tc.svcErr)
@@ -1323,7 +1323,7 @@ func TestEnableChannelEndpoint(t *testing.T) {
 token: tc.token,
 }
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 svcCall := svc.On("EnableChannel", mock.Anything, tc.session, tc.id).Return(tc.svcResp, tc.svcErr)
@@ -1426,7 +1426,7 @@ func TestDisableChannelEndpoint(t *testing.T) {
 token: tc.token,
 }
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 svcCall := svc.On("DisableChannel", mock.Anything, tc.session, tc.id).Return(tc.svcResp, tc.svcErr)
@@ -1535,7 +1535,7 @@ func TestConnectChannelClientEndpoint(t *testing.T) {
 body: strings.NewReader(tc.data),
 }
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 svcCall := svc.On("Connect", mock.Anything, tc.session, []string{tc.id}, []string{validID}, []connections.ConnType{1}).Return(tc.svcErr)
@@ -1637,7 +1637,7 @@ func TestDisconnectChannelClientEndpoint(t *testing.T) {
 body: strings.NewReader(tc.data),
 }
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 svcCall := svc.On("Disconnect", mock.Anything, tc.session, []string{tc.id}, []string{validID}, []connections.ConnType{1}).Return(tc.svcErr)
@@ -1767,7 +1767,7 @@ func TestConnectEndpoint(t *testing.T) {
 })),
 }
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 svcCall := svc.On("Connect", mock.Anything, tc.session, tc.channelIDs, tc.clientIDs, tc.types).Return(tc.svcErr)
@@ -1897,7 +1897,7 @@ func TestDisconnectEndpoint(t *testing.T) {
 })),
 }
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 svcCall := svc.On("Disconnect", mock.Anything, tc.session, tc.channelIDs, tc.clientIDs, tc.types).Return(tc.svcErr)
@@ -1980,7 +1980,7 @@ func TestDeleteChannelEndpoint(t *testing.T) {
 token: tc.token,
 }
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 svcCall := svc.On("RemoveChannel", mock.Anything, tc.session, tc.id).Return(tc.svcErr)
diff --git a/channels/middleware/authorization.go b/channels/middleware/authorization.go
index ebf0ff19ec..584f048422 100644
--- a/channels/middleware/authorization.go
+++ b/channels/middleware/authorization.go
@@ -100,7 +100,7 @@ func (am *authorizationMiddleware) CreateChannels(ctx context.Context, session a
 if err := am.extAuthorize(ctx, channels.DomainOpCreateChannel, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 ObjectType: policies.DomainType,
 Object: session.DomainID,
 }); err != nil {
@@ -112,7 +112,7 @@ func (am *authorizationMiddleware) CreateChannels(ctx context.Context, session a
 if err := am.extAuthorize(ctx, channels.GroupOpSetChildChannel, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 ObjectType: policies.GroupType,
 Object: ch.ParentGroup,
 }); err != nil {
@@ -141,7 +141,7 @@ func (am *authorizationMiddleware) ViewChannel(ctx context.Context, session auth
 if err := am.authorize(ctx, channels.OpViewChannel, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 ObjectType: policies.ChannelType,
 Object: id,
 }); err != nil {
@@ -209,7 +209,7 @@ func (am *authorizationMiddleware) UpdateChannel(ctx context.Context, session au
 if err := am.authorize(ctx, channels.OpUpdateChannel, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 ObjectType: policies.ChannelType,
 Object: channel.ID,
 }); err != nil {
@@ -236,7 +236,7 @@ func (am *authorizationMiddleware) UpdateChannelTags(ctx context.Context, sessio
 if err := am.authorize(ctx, channels.OpUpdateChannelTags, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 ObjectType: policies.ChannelType,
 Object: channel.ID,
 }); err != nil {
@@ -263,7 +263,7 @@ func (am *authorizationMiddleware) EnableChannel(ctx context.Context, session au
 if err := am.authorize(ctx, channels.OpEnableChannel, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 ObjectType: policies.ChannelType,
 Object: id,
 }); err != nil {
@@ -290,7 +290,7 @@ func (am *authorizationMiddleware) DisableChannel(ctx context.Context, session a
 if err := am.authorize(ctx, channels.OpDisableChannel, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 ObjectType: policies.ChannelType,
 Object: id,
 }); err != nil {
@@ -317,7 +317,7 @@ func (am *authorizationMiddleware) RemoveChannel(ctx context.Context, session au
 if err := am.authorize(ctx, channels.OpDeleteChannel, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 ObjectType: policies.ChannelType,
 Object: id,
 }); err != nil {
@@ -356,7 +356,7 @@ func (am *authorizationMiddleware) Connect(ctx context.Context, session authn.Se
 if err := am.authorize(ctx, channels.OpConnectClient, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 ObjectType: policies.ChannelType,
 Object: chID,
 }); err != nil {
@@ -368,7 +368,7 @@ func (am *authorizationMiddleware) Connect(ctx context.Context, session authn.Se
 if err := am.extAuthorize(ctx, channels.ClientsOpConnectChannel, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 ObjectType: policies.ClientType,
 Object: thID,
 }); err != nil {
@@ -409,7 +409,7 @@ func (am *authorizationMiddleware) Disconnect(ctx context.Context, session authn
 if err := am.authorize(ctx, channels.OpDisconnectClient, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 ObjectType: policies.ChannelType,
 Object: chID,
 }); err != nil {
@@ -421,7 +421,7 @@ func (am *authorizationMiddleware) Disconnect(ctx context.Context, session authn
 if err := am.extAuthorize(ctx, channels.ClientsOpDisconnectChannel, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 ObjectType: policies.ClientType,
 Object: thID,
 }); err != nil {
@@ -449,7 +449,7 @@ func (am *authorizationMiddleware) SetParentGroup(ctx context.Context, session a
 if err := am.authorize(ctx, channels.OpSetParentGroup, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 ObjectType: policies.ChannelType,
 Object: id,
 }); err != nil {
@@ -459,7 +459,7 @@ func (am *authorizationMiddleware) SetParentGroup(ctx context.Context, session a
 if err := am.extAuthorize(ctx, channels.GroupOpSetChildChannel, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 ObjectType: policies.GroupType,
 Object: parentGroupID,
 }); err != nil {
@@ -486,7 +486,7 @@ func (am *authorizationMiddleware) RemoveParentGroup(ctx context.Context, sessio
 if err := am.authorize(ctx, channels.OpSetParentGroup, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 ObjectType: policies.ChannelType,
 Object: id,
 }); err != nil {
@@ -501,7 +501,7 @@ func (am *authorizationMiddleware) RemoveParentGroup(ctx context.Context, sessio
 if err := am.extAuthorize(ctx, channels.GroupOpSetChildChannel, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 ObjectType: policies.GroupType,
 Object: ch.ParentGroup,
 }); err != nil {
diff --git a/channels/private/service.go b/channels/private/service.go
index ec06c1c3bf..f569caae89 100644
--- a/channels/private/service.go
+++ b/channels/private/service.go
@@ -6,7 +6,6 @@ package private
 import (
 "context"
 
- "github.com/absmach/supermq/auth"
 "github.com/absmach/supermq/channels"
 "github.com/absmach/supermq/pkg/errors"
 svcerr "github.com/absmach/supermq/pkg/errors/service"
@@ -41,7 +40,7 @@ func (svc service) Authorize(ctx context.Context, req channels.AuthzReq) error {
 return err
 }
 pr := policies.Policy{
- Subject: auth.EncodeDomainUserID(req.DomainID, req.ClientID),
+ Subject: req.ClientID,
 SubjectType: policies.UserType,
 Object: req.ChannelID,
 Permission: permission,
diff --git a/channels/service.go b/channels/service.go
index c2d614c401..26771fe00f 100644
--- a/channels/service.go
+++ b/channels/service.go
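Review bot: In the private-service Authorize hunk, `Subject: req.ClientID` drops `req.DomainID` from the policy check, and none of the `policies.Policy` fields visible in the hunk carry the domain, so the user's permission on `req.ChannelID` is now evaluated without any tie to the domain the request was made in; before, a `domain_user` subject could only match tuples written for that domain. The channels middleware in this same diff passes `Domain: session.DomainID` on every `smqauthz.PolicyReq`, and this call should scope itself the same way, either through whatever domain field `policies.Policy` offers or by checking `req.DomainID` against the channel's domain before building `pr`. The remainder of the literal and the function's return are outside the hunk, so this may already be handled there; if it is, a one-line comment on `pr` saying where the domain is enforced would save the next reader the same question.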
@@ -253,7 +253,7 @@ func (svc service) RemoveChannel(ctx context.Context, session authn.Session, id
 },
 }
 
- if err := svc.RemoveEntitiesRoles(ctx, session.DomainID, session.DomainUserID, []string{id}, filterDeletePolicies, deletePolicies); err != nil {
+ if err := svc.RemoveEntitiesRoles(ctx, session.DomainID, session.UserID, []string{id}, filterDeletePolicies, deletePolicies); err != nil {
 return errors.Wrap(svcerr.ErrDeletePolicies, err)
 }
 
diff --git a/channels/service_test.go b/channels/service_test.go
index 3353946827..e0fe2723a7 100644
--- a/channels/service_test.go
+++ b/channels/service_test.go
@@ -49,7 +49,7 @@ var (
 }
 parentGroupID = testsutil.GenerateUUID(&testing.T{})
 validID = testsutil.GenerateUUID(&testing.T{})
- validSession = authn.Session{UserID: validID, DomainID: validID, DomainUserID: validID}
+ validSession = authn.Session{UserID: validID, DomainID: validID}
 errRollbackRoles = errors.New("failed to rollback roles")
 )
 
diff --git a/clients/api/http/endpoints_test.go b/clients/api/http/endpoints_test.go
index 8104737cc3..80fe600dc2 100644
--- a/clients/api/http/endpoints_test.go
+++ b/clients/api/http/endpoints_test.go
@@ -119,7 +119,7 @@ func TestCreateClient(t *testing.T) {
 client: client,
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID},
 contentType: contentType,
 status: http.StatusCreated,
 err: nil,
@@ -129,7 +129,7 @@ func TestCreateClient(t *testing.T) {
 client: client,
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID},
 contentType: contentType,
 status: http.StatusConflict,
 err: svcerr.ErrConflict,
@@ -155,7 +155,7 @@ func TestCreateClient(t *testing.T) {
 },
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID},
 contentType: contentType,
 status: http.StatusBadRequest,
 err: apiutil.ErrValidation,
@@ -173,7 +173,7 @@ func TestCreateClient(t *testing.T) {
 },
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID},
 contentType: contentType,
 status: http.StatusBadRequest,
 err: errors.ErrMalformedEntity,
@@ -190,7 +190,7 @@ func TestCreateClient(t *testing.T) {
 },
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID},
 contentType: contentType,
 status: http.StatusBadRequest,
 err: svcerr.ErrInvalidStatus,
@@ -206,7 +206,7 @@ func TestCreateClient(t *testing.T) {
 },
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID},
 contentType: "application/xml",
 status: http.StatusUnsupportedMediaType,
 err: apiutil.ErrValidation,
@@ -280,7 +280,7 @@ func TestCreateClients(t *testing.T) {
 client: items,
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID},
 contentType: contentType,
 status: http.StatusOK,
 err: nil,
@@ -310,7 +310,7 @@ func TestCreateClients(t *testing.T) {
 client: []clients.Client{},
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID},
 contentType: contentType,
 status: http.StatusBadRequest,
 err: apiutil.ErrValidation,
@@ -331,7 +331,7 @@ func TestCreateClients(t *testing.T) {
 },
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID},
 contentType: contentType,
 status: http.StatusBadRequest,
 err: apiutil.ErrValidation,
@@ -345,7 +345,7 @@ func TestCreateClients(t *testing.T) {
 },
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID},
 contentType: "application/xml",
 status: http.StatusUnsupportedMediaType,
 err: apiutil.ErrValidation,
@@ -367,7 +367,7 @@ func TestCreateClients(t *testing.T) {
 contentType: contentType,
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID},
 status: http.StatusBadRequest,
 err: errors.ErrMalformedEntity,
 },
@@ -377,7 +377,7 @@ func TestCreateClients(t *testing.T) {
 contentType: contentType,
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID},
 status: http.StatusUnprocessableEntity,
 err: svcerr.ErrCreateEntity,
 },
@@ -434,7 +434,7 @@ func TestListClients(t *testing.T) {
 desc: "list clients as admin with valid token",
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, DomainUserID: domainID + "_" + validID, SuperAdmin: false},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, SuperAdmin: false},
 status: http.StatusOK,
 listClientsResponse: clients.ClientsPage{
 Page: clients.Page{
@@ -448,7 +448,7 @@ func TestListClients(t *testing.T) {
 desc: "list clients as non admin with valid token",
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, DomainUserID: domainID + "_" + validID, SuperAdmin: false},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, SuperAdmin: false},
 status: http.StatusOK,
 listClientsResponse: clients.ClientsPage{
 Page: clients.Page{
@@ -477,7 +477,7 @@ func TestListClients(t *testing.T) {
 desc: "list clients with offset",
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, DomainUserID: domainID + "_" + validID, SuperAdmin: false},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, SuperAdmin: false},
 listClientsResponse: clients.ClientsPage{
 Page: clients.Page{
 Offset: 1,
@@ -493,7 +493,7 @@ func TestListClients(t *testing.T) {
 desc: "list clients with invalid offset",
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, DomainUserID: domainID + "_" + validID, SuperAdmin: false},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, SuperAdmin: false},
 query: "offset=invalid",
 status: http.StatusBadRequest,
 err: apiutil.ErrValidation,
@@ -502,7 +502,7 @@ func TestListClients(t *testing.T) {
 desc: "list clients with limit",
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, DomainUserID: domainID + "_" + validID, SuperAdmin: false},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, SuperAdmin: false},
 listClientsResponse: clients.ClientsPage{
 Page: clients.Page{
 Limit: 1,
@@ -518,7 +518,7 @@ func TestListClients(t *testing.T) {
 desc: "list clients with invalid limit",
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, DomainUserID: domainID + "_" + validID, SuperAdmin: false},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, SuperAdmin: false},
 query: "limit=invalid",
 status: http.StatusBadRequest,
 err: apiutil.ErrValidation,
@@ -527,7 +527,7 @@ func TestListClients(t *testing.T) {
 desc: "list clients with limit greater than max",
 token: validToken,
 domainID: domainID,
- authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, DomainUserID: domainID + "_" + validID, SuperAdmin: false},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, SuperAdmin: false},
 query: fmt.Sprintf("limit=%d", api.MaxLimitSize+1),
 status: http.StatusBadRequest,
 err: apiutil.ErrValidation,
@@ -536,7 +536,7 @@ func TestListClients(t *testing.T) {
 desc: "list clients with name",
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, DomainUserID: domainID + "_" + validID, SuperAdmin: false},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, SuperAdmin: false},
 listClientsResponse: clients.ClientsPage{
 Page: clients.Page{
 Total: 1,
@@ -551,7 +551,7 @@ func TestListClients(t *testing.T) {
 desc: "list clients with invalid name",
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, DomainUserID: domainID + "_" + validID, SuperAdmin: false},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, SuperAdmin: false},
 query: "name=invalid",
 status: http.StatusBadRequest,
 err: apiutil.ErrValidation,
@@ -560,7 +560,7 @@ func TestListClients(t *testing.T) {
 desc: "list clients with duplicate name",
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, DomainUserID: domainID + "_" + validID, SuperAdmin: false},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, SuperAdmin: false},
 query: "name=1&name=2",
 status: http.StatusBadRequest,
 err: apiutil.ErrInvalidQueryParams,
@@ -569,7 +569,7 @@ func TestListClients(t *testing.T) {
 desc: "list clients with status",
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, DomainUserID: domainID + "_" + validID, SuperAdmin: false},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, SuperAdmin: false},
 listClientsResponse: clients.ClientsPage{
 Page: clients.Page{
 Total: 1,
@@ -584,7 +584,7 @@ func TestListClients(t *testing.T) {
 desc: "list clients with invalid status",
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, DomainUserID: domainID + "_" + validID, SuperAdmin: false},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, SuperAdmin: false},
 query: "status=invalid",
 status: http.StatusBadRequest,
 err: apiutil.ErrValidation,
@@ -593,7 +593,7 @@ func TestListClients(t *testing.T) {
 desc: "list clients with duplicate status",
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, DomainUserID: domainID + "_" + validID, SuperAdmin: false},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, SuperAdmin: false},
 query: "status=enabled&status=disabled",
 status: http.StatusBadRequest,
 err: apiutil.ErrInvalidQueryParams,
@@ -602,7 +602,7 @@ func TestListClients(t *testing.T) {
 desc: "list clients with tags",
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, DomainUserID: domainID + "_" + validID, SuperAdmin: false},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, SuperAdmin: false},
 listClientsResponse: clients.ClientsPage{
 Page: clients.Page{
 Total: 1,
@@ -617,7 +617,7 @@ func TestListClients(t *testing.T) {
 desc: "list clients with invalid tags",
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, DomainUserID: domainID + "_" + validID, SuperAdmin: false},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, SuperAdmin: false},
 query: "tag=invalid",
 status: http.StatusBadRequest,
 err: apiutil.ErrValidation,
@@ -626,7 +626,7 @@ func TestListClients(t *testing.T) {
 desc: "list clients with duplicate tags",
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, DomainUserID: domainID + "_" + validID, SuperAdmin: false},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, SuperAdmin: false},
 query: "tag=tag1&tag=tag2",
 status: http.StatusBadRequest,
 err: apiutil.ErrInvalidQueryParams,
@@ -635,7 +635,7 @@ func TestListClients(t *testing.T) {
 desc: "list clients with metadata",
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, DomainUserID: domainID + "_" + validID, SuperAdmin: false},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, SuperAdmin: false},
 listClientsResponse: clients.ClientsPage{
 Page: clients.Page{
 Total: 1,
@@ -650,7 +650,7 @@ func TestListClients(t *testing.T) {
 desc: "list clients with invalid metadata",
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, DomainUserID: domainID + "_" + validID, SuperAdmin: false},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, SuperAdmin: false},
 query: "metadata=invalid",
 status: http.StatusBadRequest,
 err: apiutil.ErrValidation,
@@ -659,7 +659,7 @@ func TestListClients(t *testing.T) {
 desc: "list clients with duplicate metadata",
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, DomainUserID: domainID + "_" + validID, SuperAdmin: false},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, SuperAdmin: false},
 query: "metadata=%7B%22domain%22%3A%20%22example.com%22%7D&metadata=%7B%22domain%22%3A%20%22example.com%22%7D",
 status: http.StatusBadRequest,
 err: apiutil.ErrInvalidQueryParams,
@@ -668,7 +668,7 @@ func TestListClients(t *testing.T) {
 desc: "list clients with permissions",
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, DomainUserID: domainID + "_" + validID, SuperAdmin: false},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, SuperAdmin: false},
 listClientsResponse: clients.ClientsPage{
 Page: clients.Page{
 Total: 1,
@@ -683,7 +683,7 @@ func TestListClients(t *testing.T) {
 desc: "list clients with invalid permissions",
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, DomainUserID: domainID + "_" + validID, SuperAdmin: false},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, SuperAdmin: false},
 query: "permission=invalid",
 status: http.StatusBadRequest,
 err: apiutil.ErrValidation,
@@ -692,7 +692,7 @@ func TestListClients(t *testing.T) {
 desc: "list clients with duplicate permissions",
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, DomainUserID: domainID + "_" + validID, SuperAdmin: false},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, SuperAdmin: false},
 query: "permission=view&permission=view",
 status: http.StatusBadRequest,
 err: apiutil.ErrInvalidQueryParams,
@@ -701,7 +701,7 @@ func TestListClients(t *testing.T) {
 desc: "list clients with list perms",
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, DomainUserID: domainID + "_" + validID, SuperAdmin: false},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, SuperAdmin: false},
 listClientsResponse: clients.ClientsPage{
 Page: clients.Page{
 Total: 1,
@@ -716,7 +716,7 @@ func TestListClients(t *testing.T) {
 desc: "list clients with invalid list perms",
 domainID: domainID,
 token: validToken,
- authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, DomainUserID: domainID + "_" + validID, SuperAdmin: false},
+ authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, SuperAdmin: false},
 query: "list_perms=invalid",
 status: http.StatusBadRequest,
 err: apiutil.ErrValidation,
@@ -725,7 +725,7 @@ func TestListClients(t *testing.T) { desc: "list clients with duplicate list perms", domainID: domainID, token: validToken, - authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, DomainUserID: domainID + "_" + validID, SuperAdmin: false}, + authnRes: smqauthn.Session{UserID: validID, DomainID: domainID, SuperAdmin: false}, query: "list_perms=true&listPerms=true", status: http.StatusBadRequest, err: apiutil.ErrInvalidQueryParams, @@ -779,7 +779,7 @@ func TestViewClient(t *testing.T) { desc: "view client with valid token", domainID: domainID, token: validToken, - authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}, + authnRes: smqauthn.Session{UserID: validID, DomainID: domainID}, id: client.ID, status: http.StatusOK, @@ -806,7 +806,7 @@ func TestViewClient(t *testing.T) { desc: "view client with invalid id", domainID: domainID, token: validToken, - authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}, + authnRes: smqauthn.Session{UserID: validID, DomainID: domainID}, id: inValid, status: http.StatusForbidden, @@ -866,7 +866,7 @@ func TestUpdateClient(t *testing.T) { desc: "update client with valid token", domainID: domainID, id: client.ID, - authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}, + authnRes: smqauthn.Session{UserID: validID, DomainID: domainID}, data: fmt.Sprintf(`{"name":"%s","tags":["%s"],"metadata":%s}`, newName, newTag, toJSON(newMetadata)), token: validToken, contentType: contentType, 
@@ -907,7 +907,7 @@ func TestUpdateClient(t *testing.T) { data: fmt.Sprintf(`{"name":"%s","tags":["%s"],"metadata":%s}`, newName, newTag, toJSON(newMetadata)), domainID: domainID, token: validToken, - authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}, + authnRes: smqauthn.Session{UserID: validID, DomainID: domainID}, contentType: "application/xml", status: http.StatusUnsupportedMediaType, @@ -919,7 +919,7 @@ func TestUpdateClient(t *testing.T) { data: fmt.Sprintf(`{"name":%s}`, "invalid"), domainID: domainID, token: validToken, - authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}, + authnRes: smqauthn.Session{UserID: validID, DomainID: domainID}, contentType: contentType, status: http.StatusBadRequest, @@ -931,7 +931,7 @@ func TestUpdateClient(t *testing.T) { data: fmt.Sprintf(`{"name":"%s","tags":["%s"],"metadata":%s}`, newName, newTag, toJSON(newMetadata)), domainID: domainID, token: validToken, - authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}, + authnRes: smqauthn.Session{UserID: validID, DomainID: domainID}, contentType: contentType, status: http.StatusBadRequest, @@ -940,7 +940,7 @@ func TestUpdateClient(t *testing.T) { { desc: "update client with name that is too long", id: client.ID, - authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}, + authnRes: smqauthn.Session{UserID: validID, DomainID: domainID}, data: fmt.Sprintf(`{"name":"%s","tags":["%s"],"metadata":%s}`, strings.Repeat("a", api.MaxNameSize+1), newTag, toJSON(newMetadata)), domainID: domainID, token: validToken, 
@@ -1015,7 +1015,7 @@ func TestUpdateClientsTags(t *testing.T) { }, domainID: domainID, token: validToken, - authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}, + authnRes: smqauthn.Session{UserID: validID, DomainID: domainID}, status: http.StatusOK, err: nil, @@ -1048,7 +1048,7 @@ func TestUpdateClientsTags(t *testing.T) { contentType: contentType, domainID: domainID, token: validToken, - authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}, + authnRes: smqauthn.Session{UserID: validID, DomainID: domainID}, status: http.StatusForbidden, err: svcerr.ErrAuthorization, @@ -1060,7 +1060,7 @@ func TestUpdateClientsTags(t *testing.T) { contentType: "application/xml", domainID: domainID, token: validToken, - authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}, + authnRes: smqauthn.Session{UserID: validID, DomainID: domainID}, status: http.StatusUnsupportedMediaType, err: apiutil.ErrValidation, }, @@ -1071,7 +1071,7 @@ func TestUpdateClientsTags(t *testing.T) { contentType: contentType, domainID: domainID, token: validToken, - authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}, + authnRes: smqauthn.Session{UserID: validID, DomainID: domainID}, status: http.StatusBadRequest, err: apiutil.ErrValidation, @@ -1083,7 +1083,7 @@ func TestUpdateClientsTags(t *testing.T) { contentType: contentType, domainID: domainID, token: validToken, - authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}, + authnRes: smqauthn.Session{UserID: validID, DomainID: domainID}, status: http.StatusBadRequest, err: errors.ErrMalformedEntity, 
@@ -1148,7 +1148,7 @@ func TestUpdateClientSecret(t *testing.T) { contentType: contentType, domainID: domainID, token: validToken, - authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}, + authnRes: smqauthn.Session{UserID: validID, DomainID: domainID}, status: http.StatusOK, err: nil, }, @@ -1198,7 +1198,7 @@ func TestUpdateClientSecret(t *testing.T) { contentType: contentType, domainID: domainID, token: validToken, - authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}, + authnRes: smqauthn.Session{UserID: validID, DomainID: domainID}, status: http.StatusBadRequest, err: apiutil.ErrValidation, }, @@ -1215,7 +1215,7 @@ func TestUpdateClientSecret(t *testing.T) { contentType: contentType, domainID: domainID, token: validToken, - authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}, + authnRes: smqauthn.Session{UserID: validID, DomainID: domainID}, status: http.StatusBadRequest, err: apiutil.ErrValidation, @@ -1233,7 +1233,7 @@ func TestUpdateClientSecret(t *testing.T) { contentType: "application/xml", domainID: domainID, token: validToken, - authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}, + authnRes: smqauthn.Session{UserID: validID, DomainID: domainID}, status: http.StatusUnsupportedMediaType, err: apiutil.ErrValidation, @@ -1251,7 +1251,7 @@ func TestUpdateClientSecret(t *testing.T) { contentType: contentType, domainID: domainID, token: validToken, - authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}, + authnRes: smqauthn.Session{UserID: validID, DomainID: domainID}, status: http.StatusBadRequest, err: apiutil.ErrValidation, 
@@ -1311,7 +1311,7 @@ func TestEnableClient(t *testing.T) { }, domainID: domainID, token: validToken, - authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}, + authnRes: smqauthn.Session{UserID: validID, DomainID: domainID}, status: http.StatusOK, err: nil, @@ -1332,7 +1332,7 @@ func TestEnableClient(t *testing.T) { }, domainID: domainID, token: validToken, - authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}, + authnRes: smqauthn.Session{UserID: validID, DomainID: domainID}, status: http.StatusBadRequest, err: apiutil.ErrValidation, @@ -1396,7 +1396,7 @@ func TestDisableClient(t *testing.T) { }, domainID: domainID, token: validToken, - authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}, + authnRes: smqauthn.Session{UserID: validID, DomainID: domainID}, status: http.StatusOK, err: nil, @@ -1417,7 +1417,7 @@ func TestDisableClient(t *testing.T) { }, domainID: domainID, token: validToken, - authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}, + authnRes: smqauthn.Session{UserID: validID, DomainID: domainID}, status: http.StatusBadRequest, err: apiutil.ErrValidation, @@ -1476,7 +1476,7 @@ func TestDeleteClient(t *testing.T) { id: client.ID, domainID: domainID, token: validToken, - authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}, + authnRes: smqauthn.Session{UserID: validID, DomainID: domainID}, status: http.StatusNoContent, err: nil, @@ -1504,7 +1504,7 @@ func TestDeleteClient(t *testing.T) { id: " ", domainID: domainID, token: validToken, - authnRes: smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}, + authnRes: smqauthn.Session{UserID: validID, DomainID: domainID}, status: http.StatusBadRequest, err: apiutil.ErrMissingID, 
@@ -1653,7 +1653,7 @@ func TestSetClientParentGroupEndpoint(t *testing.T) {
 body: strings.NewReader(tc.data),
 }
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 svcCall := svc.On("SetParentGroup", mock.Anything, tc.session, validID, tc.id).Return(tc.svcErr)
@@ -1741,7 +1741,7 @@ func TestRemoveClientParentGroupEndpoint(t *testing.T) {
 token: tc.token,
 }
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 svcCall := svc.On("RemoveParentGroup", mock.Anything, tc.session, tc.id).Return(tc.svcErr)
diff --git a/clients/middleware/authorization.go b/clients/middleware/authorization.go
index 8a3483b601..1c1ae6c035 100644
--- a/clients/middleware/authorization.go
+++ b/clients/middleware/authorization.go
@@ -92,7 +92,7 @@ func (am *authorizationMiddleware) CreateClients(ctx context.Context, session au
 if err := am.extAuthorize(ctx, clients.DomainOpCreateClient, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 ObjectType: policies.DomainType,
 Object: session.DomainID,
 }); err != nil {
@@ -120,7 +120,7 @@ func (am *authorizationMiddleware) View(ctx context.Context, session authn.Sessi
 if err := am.authorize(ctx, clients.OpViewClient, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 ObjectType: policies.ClientType,
 Object: id,
 }); err != nil {
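Review bot: Switching the policy subject from session.DomainUserID to session.UserID changes the identifier under which every client relationship is looked up, here in CreateClients and View and likewise in the Update/UpdateTags/UpdateSecret/Enable/Disable, Delete/SetParentGroup/RemoveParentGroup hunks that follow and in the RemoveEntitiesRoles call in clients/service.go. Relationship tuples already stored under the old composite subject will no longer match, so unless a data migration lives outside this diff, existing users lose access to their clients; that migration, or a statement that no such tuples exist, belongs with this change. The domain scoping the composite subject used to carry now rests on the `Domain: session.DomainID` field and on whatever am.authorize and am.extAuthorize (both outside the hunk) do with it, which is worth stating on the first PolicyReq: `// Subject is the bare user ID; domain membership is enforced through Domain, not carried in the subject.` Each enclosing method continues outside its hunk.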
@@ -191,7 +191,7 @@ func (am *authorizationMiddleware) Update(ctx context.Context, session authn.Ses
 if err := am.authorize(ctx, clients.OpUpdateClient, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 ObjectType: policies.ClientType,
 Object: client.ID,
 }); err != nil {
@@ -219,7 +219,7 @@ func (am *authorizationMiddleware) UpdateTags(ctx context.Context, session authn
 if err := am.authorize(ctx, clients.OpUpdateClientTags, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 ObjectType: policies.ClientType,
 Object: client.ID,
 }); err != nil {
@@ -247,7 +247,7 @@ func (am *authorizationMiddleware) UpdateSecret(ctx context.Context, session aut
 if err := am.authorize(ctx, clients.OpUpdateClientSecret, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 ObjectType: policies.ClientType,
 Object: id,
 }); err != nil {
@@ -274,7 +274,7 @@ func (am *authorizationMiddleware) Enable(ctx context.Context, session authn.Ses
 if err := am.authorize(ctx, clients.OpEnableClient, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 ObjectType: policies.ClientType,
 Object: id,
 }); err != nil {
@@ -302,7 +302,7 @@ func (am *authorizationMiddleware) Disable(ctx context.Context, session authn.Se
 if err := am.authorize(ctx, clients.OpDisableClient, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 ObjectType: policies.ClientType,
 Object: id,
 }); err != nil {
@@ -328,7 +328,7 @@ func (am *authorizationMiddleware) Delete(ctx context.Context, session authn.Ses
 if err := am.authorize(ctx, clients.OpDeleteClient, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 ObjectType: policies.ClientType,
 Object: id,
 }); err != nil {
@@ -356,7 +356,7 @@ func (am *authorizationMiddleware) SetParentGroup(ctx context.Context, session a
 if err := am.authorize(ctx, clients.OpSetParentGroup, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 ObjectType: policies.ClientType,
 Object: id,
 }); err != nil {
@@ -366,7 +366,7 @@ func (am *authorizationMiddleware) SetParentGroup(ctx context.Context, session a
 if err := am.extAuthorize(ctx, clients.GroupOpSetChildClient, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 ObjectType: policies.GroupType,
 Object: parentGroupID,
 }); err != nil {
@@ -393,7 +393,7 @@ func (am *authorizationMiddleware) RemoveParentGroup(ctx context.Context, sessio
 if err := am.authorize(ctx, clients.OpRemoveParentGroup, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 ObjectType: policies.ClientType,
 Object: id,
 }); err != nil {
@@ -409,7 +409,7 @@ func (am *authorizationMiddleware) RemoveParentGroup(ctx context.Context, sessio
 if err := am.extAuthorize(ctx, clients.GroupOpSetChildClient, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 ObjectType: policies.GroupType,
 Object: th.ParentGroup,
 }); err != nil {
diff --git a/clients/service.go b/clients/service.go
index 5638d91462..af168b48b9 100644
--- a/clients/service.go
+++ b/clients/service.go
@@ -362,7 +362,7 @@ func (svc service) Delete(ctx context.Context, session authn.Session, id string)
 },
 }
 
- if err := svc.RemoveEntitiesRoles(ctx, session.DomainID, session.DomainUserID, []string{id}, filterDeletePolicies, deletePolicies); err != nil {
+ if err := svc.RemoveEntitiesRoles(ctx, session.DomainID, session.UserID, []string{id}, filterDeletePolicies, deletePolicies); err != nil {
 return errors.Wrap(svcerr.ErrDeletePolicies, err)
 }
 
diff --git a/clients/service_test.go b/clients/service_test.go
index 5adbd75143..6d2d59a5b6 100644
--- a/clients/service_test.go
+++ b/clients/service_test.go
@@ -944,7 +944,7 @@ func TestSetParentGroup(t *testing.T) {
 desc: "set parent group successfully",
 clientID: client.ID,
 parentGroupID: testsutil.GenerateUUID(t),
- session: smqauthn.Session{UserID: validID, DomainID: validID, DomainUserID: validID + "_" + validID},
+ session: smqauthn.Session{UserID: validID, DomainID: validID},
 retrieveByIDResp: client,
 retrieveEntityResp: &grpcCommonV1.RetrieveEntityRes{
 Entity: &grpcCommonV1.EntityBasic{
@@ -959,7 +959,7 @@ func TestSetParentGroup(t *testing.T) {
 desc: "set parent group with failed to retrieve client",
 clientID: client.ID,
 parentGroupID: testsutil.GenerateUUID(t),
- session: smqauthn.Session{UserID: validID, DomainID: validID, DomainUserID: validID + "_" + validID},
+ session: smqauthn.Session{UserID: validID, DomainID: validID},
 retrieveByIDResp: clients.Client{},
 retrieveByIDErr: svcerr.ErrNotFound,
 err: svcerr.ErrUpdateEntity,
@@ -968,7 +968,7 @@ func TestSetParentGroup(t *testing.T) {
 desc: "set parent group with parent already set",
 clientID: parentedClient.ID,
 parentGroupID: validID,
- session: smqauthn.Session{UserID: validID, DomainID: validID, DomainUserID: validID + "_" + validID},
+ session: smqauthn.Session{UserID: validID, DomainID: validID},
 retrieveByIDResp: parentedClient,
 err: nil,
 },
@@ -976,7 +976,7 @@ func TestSetParentGroup(t *testing.T) {
 desc: "set parent group of client with existing parent group",
 clientID: cparentedClient.ID,
 parentGroupID: testsutil.GenerateUUID(t),
- session: smqauthn.Session{UserID: validID, DomainID: validID, DomainUserID: validID + "_" + validID},
+ session: smqauthn.Session{UserID: validID, DomainID: validID},
 retrieveByIDResp: cparentedClient,
 err: svcerr.ErrConflict,
 },
@@ -984,7 +984,7 @@ func TestSetParentGroup(t *testing.T) {
 desc: "set parent group with failed to retrieve entity",
 clientID: client.ID,
 parentGroupID: testsutil.GenerateUUID(t),
- session: smqauthn.Session{UserID: validID, DomainID: validID, DomainUserID: validID + "_" + validID},
+ session: smqauthn.Session{UserID: validID, DomainID: validID},
 retrieveByIDResp: client,
 retrieveEntityErr: svcerr.ErrAuthorization,
 err: svcerr.ErrUpdateEntity,
@@ -993,7 +993,7 @@ func TestSetParentGroup(t *testing.T) {
 desc: "set parent group with parent group from different domain",
 clientID: client.ID,
 parentGroupID: testsutil.GenerateUUID(t),
- session: smqauthn.Session{UserID: validID, DomainID: validID, DomainUserID: validID + "_" + validID},
+ session: smqauthn.Session{UserID: validID, DomainID: validID},
 retrieveByIDResp: client,
 retrieveEntityResp: &grpcCommonV1.RetrieveEntityRes{
 Entity: &grpcCommonV1.EntityBasic{
@@ -1008,7 +1008,7 @@ func TestSetParentGroup(t *testing.T) {
 desc: "set parent group with disabled parent group",
 clientID: client.ID,
 parentGroupID: testsutil.GenerateUUID(t),
- session: smqauthn.Session{UserID: validID, DomainID: validID, DomainUserID: validID + "_" + validID},
+ session: smqauthn.Session{UserID: validID, DomainID: validID},
 retrieveByIDResp: client,
 retrieveEntityResp: &grpcCommonV1.RetrieveEntityRes{
 Entity: &grpcCommonV1.EntityBasic{
@@ -1023,7 +1023,7 @@ func TestSetParentGroup(t *testing.T) {
 desc: "set parent group with failed to add policies",
 clientID: client.ID,
 parentGroupID: testsutil.GenerateUUID(t),
- session: smqauthn.Session{UserID: validID, DomainID: validID, DomainUserID: validID + "_" + validID},
+ session: smqauthn.Session{UserID: validID, DomainID: validID},
 retrieveByIDResp: client,
 retrieveEntityResp: &grpcCommonV1.RetrieveEntityRes{
 Entity: &grpcCommonV1.EntityBasic{
@@ -1039,7 +1039,7 @@ func TestSetParentGroup(t *testing.T) {
 desc: "set parent group with failed to set parent group",
 clientID: client.ID,
 parentGroupID: testsutil.GenerateUUID(t),
- session: smqauthn.Session{UserID: validID, DomainID: validID, DomainUserID: validID + "_" + validID},
+ session: smqauthn.Session{UserID: validID, DomainID: validID},
 retrieveByIDResp: client,
 retrieveEntityResp: &grpcCommonV1.RetrieveEntityRes{
 Entity: &grpcCommonV1.EntityBasic{
@@ -1055,7 +1055,7 @@ func TestSetParentGroup(t *testing.T) {
 desc: "set parent group with failed to set parent group and failed rollback",
 clientID: client.ID,
 parentGroupID: testsutil.GenerateUUID(t),
- session: smqauthn.Session{UserID: validID, DomainID: validID, DomainUserID: validID + "_" + validID},
+ session: smqauthn.Session{UserID: validID, DomainID: validID},
 retrieveByIDResp: client,
 retrieveEntityResp: &grpcCommonV1.RetrieveEntityRes{
 Entity: &grpcCommonV1.EntityBasic{
@@ -1116,14 +1116,14 @@ func TestRemoveParentGroup(t *testing.T) {
 {
 desc: "remove parent group successfully",
 clientID: parentedGroup.ID,
- session: smqauthn.Session{UserID: validID, DomainID: validID, DomainUserID: validID + "_" + validID},
+ session: smqauthn.Session{UserID: validID, DomainID: validID},
 retrieveByIDResp: parentedGroup,
 err: nil,
 },
 {
 desc: "remove parent group with failed to retrieve client",
 clientID: parentedGroup.ID,
- session: smqauthn.Session{UserID: validID, DomainID: validID, DomainUserID: validID + "_" + validID},
+ session: smqauthn.Session{UserID: validID, DomainID: validID},
 retrieveByIDResp: clients.Client{},
 retrieveByIDErr: svcerr.ErrNotFound,
 err: svcerr.ErrViewEntity,
@@ -1131,7 +1131,7 @@ func TestRemoveParentGroup(t *testing.T) {
 {
 desc: "remove parent group with failed to delete policies",
 clientID: parentedGroup.ID,
- session: smqauthn.Session{UserID: validID, DomainID: validID, DomainUserID: validID + "_" + validID},
+ session: smqauthn.Session{UserID: validID, DomainID: validID},
 retrieveByIDResp: parentedGroup,
 deletePoliciesErr: svcerr.ErrAuthorization,
 err: svcerr.ErrDeletePolicies,
@@ -1139,7 +1139,7 @@ func TestRemoveParentGroup(t *testing.T) {
 {
 desc: "remove parent group with failed to remove parent group",
 clientID: parentedGroup.ID,
- session: smqauthn.Session{UserID: validID, DomainID: validID, DomainUserID: validID + "_" + validID},
+ session: smqauthn.Session{UserID: validID, DomainID: validID},
 retrieveByIDResp: parentedGroup,
 removeParentGroupErr: svcerr.ErrUpdateEntity,
 err: svcerr.ErrUpdateEntity,
@@ -1147,7 +1147,7 @@ func TestRemoveParentGroup(t *testing.T) { { desc: "remove parent group with failed to remove parent group and failed to add policies", clientID: parentedGroup.ID, - session: smqauthn.Session{UserID: validID, DomainID: validID, DomainUserID: validID + "_" + validID}, + session: smqauthn.Session{UserID: validID, DomainID: validID}, retrieveByIDResp: parentedGroup, removeParentGroupErr: svcerr.ErrUpdateEntity, addPoliciesErr: svcerr.ErrUpdateEntity, diff --git a/docker/spicedb/schema.zed b/docker/spicedb/schema.zed index cb63ecba75..e0af424a4f 100644 --- a/docker/spicedb/schema.zed +++ b/docker/spicedb/schema.zed @@ -318,9 +318,9 @@ definition domain { channel_update + channel_read + channel_delete + channel_set_parent_group + channel_connect_to_client + channel_publish + channel_subscribe + channel_manage_role + channel_add_role_users + channel_remove_role_users + channel_view_role_users + group_update + group_membership + group_read + group_delete + group_set_child + group_set_parent + - group_manage_role + group_add_role_users + group_remove_role_users + group_view_role_users + group_manage_role + group_add_role_users + group_remove_role_users + group_view_role_users + organization->admin - permission admin = read & update & enable & disable & delete & manage_role & add_role_users & remove_role_users & view_role_users + permission admin = (read & update & enable & disable & delete & manage_role & add_role_users & remove_role_users & view_role_users) + organization->admin permission client_create_permission = client_create + team->client_create + organization->admin permission channel_create_permission = channel_create + team->channel_create + organization->admin diff --git a/domains/api/http/endpoint_test.go b/domains/api/http/endpoint_test.go index d5bfdc10c6..934b826e60 100644 --- a/domains/api/http/endpoint_test.go +++ b/domains/api/http/endpoint_test.go 
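Review bot: Appending `+ organization->admin` to both permissions in the schema.zed hunk widens who holds domain-level authority: every admin of the linked organization now satisfies `admin` and also the permission whose definition starts above the hunk, and nothing else in this diff exercises that grant, so a schema-level test or a note on how it was validated would help. The parentheses around the `&` chain are what make the new term apply to the whole conjunction rather than only to its last operand, and a comment stating that intent, e.g. `// organization admins inherit full domain admin; keep the & chain parenthesized so + applies to all of it`, would keep a later edit from dropping them. Whether `organization` is an optional relation on `domain` is not visible here; if it can be absent, the arrow contributes nothing for unlinked domains, which is presumably what is wanted and worth confirming.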
@@ -666,7 +666,7 @@ func TestViewDomain(t *testing.T) { token: tc.token, } if tc.token == validToken { - tc.session = authn.Session{UserID: userID, DomainID: tc.domainID, DomainUserID: tc.domainID + "_" + userID} + tc.session = authn.Session{UserID: userID, DomainID: tc.domainID} } authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr) svcCall := svc.On("RetrieveDomain", mock.Anything, tc.session, tc.domainID).Return(tc.svcRes, tc.svcErr) @@ -820,7 +820,7 @@ func TestUpdateDomain(t *testing.T) { } if tc.token == validToken { - tc.session = authn.Session{UserID: userID, DomainID: tc.domainID, DomainUserID: tc.domainID + "_" + userID} + tc.session = authn.Session{UserID: userID, DomainID: tc.domainID} } authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr) svcCall := svc.On("UpdateDomain", mock.Anything, tc.session, tc.domainID, tc.updateReq).Return(tc.svcRes, tc.svcErr) @@ -905,7 +905,7 @@ func TestEnableDomain(t *testing.T) { token: tc.token, } if tc.token == validToken { - tc.session = authn.Session{UserID: userID, DomainID: tc.domainID, DomainUserID: tc.domainID + "_" + userID} + tc.session = authn.Session{UserID: userID, DomainID: tc.domainID} } authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr) svcCall := svc.On("EnableDomain", mock.Anything, tc.session, tc.domainID).Return(tc.svcRes, tc.svcErr) @@ -983,7 +983,7 @@ func TestDisableDomain(t *testing.T) { token: tc.token, } if tc.token == validToken { - tc.session = authn.Session{UserID: userID, DomainID: tc.domainID, DomainUserID: tc.domainID + "_" + userID} + tc.session = authn.Session{UserID: userID, DomainID: tc.domainID} } authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr) svcCall := svc.On("DisableDomain", mock.Anything, tc.session, tc.domainID).Return(tc.svcRes, tc.svcErr) 
@@ -1061,7 +1061,7 @@ func TestFreezeDomain(t *testing.T) {
 token: tc.token,
 }
 if tc.token == validToken {
- tc.session = authn.Session{UserID: userID, DomainID: tc.domainID, DomainUserID: tc.domainID + "_" + userID}
+ tc.session = authn.Session{UserID: userID, DomainID: tc.domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 svcCall := svc.On("FreezeDomain", mock.Anything, tc.session, tc.domainID).Return(tc.svcRes, tc.svcErr)
@@ -1147,7 +1147,7 @@ func TestSendInvitation(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = authn.Session{UserID: userID, DomainID: domainID, DomainUserID: domainID + "_" + userID}
+ tc.session = authn.Session{UserID: userID, DomainID: domainID}
 }
 authnCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 repoCall := svc.On("SendInvitation", mock.Anything, tc.session, mock.Anything).Return(tc.svcErr)
@@ -1380,7 +1380,7 @@ func TestViewInvitation(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = authn.Session{UserID: userID, DomainID: domainID, DomainUserID: domainID + "_" + userID}
+ tc.session = authn.Session{UserID: userID, DomainID: domainID}
 }
 authnCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 repoCall := svc.On("ViewInvitation", mock.Anything, tc.session, tc.userID, tc.domainID).Return(domains.Invitation{}, tc.svcErr)
@@ -1474,7 +1474,7 @@ func TestDeleteInvitation(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = authn.Session{UserID: userID, DomainID: domainID, DomainUserID: domainID + "_" + userID}
+ tc.session = authn.Session{UserID: userID, DomainID: domainID}
 }
 authnCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 repoCall := svc.On("DeleteInvitation", mock.Anything, tc.session, tc.userID, tc.domainID).Return(tc.svcErr)
diff --git a/domains/middleware/authorization.go b/domains/middleware/authorization.go
index f043e76248..3e351236c7 100644
--- a/domains/middleware/authorization.go
+++ b/domains/middleware/authorization.go
@@ -6,7 +6,6 @@ package middleware
 import (
 "context"
- "github.com/absmach/supermq/auth"
 "github.com/absmach/supermq/domains"
 "github.com/absmach/supermq/pkg/authn"
 "github.com/absmach/supermq/pkg/authz"
@@ -58,8 +57,18 @@ func (am *authorizationMiddleware) CreateDomain(ctx context.Context, session aut
 }
 func (am *authorizationMiddleware) RetrieveDomain(ctx context.Context, session authn.Session, id string) (domains.Domain, error) {
+ if err := am.authz.Authorize(ctx, authz.PolicyReq{
+ Subject: session.UserID,
+ SubjectType: policies.UserType,
+ Permission: policies.AdminPermission,
+ ObjectType: policies.PlatformType,
+ Object: policies.SuperMQObject,
+ }); err == nil {
+ session.SuperAdmin = true
+ return am.svc.RetrieveDomain(ctx, session, id)
+ }
 if err := am.authorize(ctx, domains.OpRetrieveDomain, authz.PolicyReq{
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 SubjectType: policies.UserType,
 SubjectKind: policies.UsersKind,
 Object: id,
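Review bot: The new super-admin short-circuit in `RetrieveDomain` hand-builds a platform-admin `authz.PolicyReq` and calls `am.authz.Authorize` directly, while `ListInvitations` in the same file expresses the identical check as `am.extAuthorize(ctx, session.UserID, policies.AdminPermission, policies.PlatformType, policies.SuperMQObject)`. Using the helper here keeps the two platform-admin checks from drifting apart: `if err := am.extAuthorize(ctx, session.UserID, policies.AdminPermission, policies.PlatformType, policies.SuperMQObject); err == nil { session.SuperAdmin = true; return am.svc.RetrieveDomain(ctx, session, id) }`. Any authorizer error, not only a denial, falls through to the domain-scoped check, which is the safe direction but deserves a one-line comment such as `// only a clean nil from the authorizer grants super-admin; any error falls back to the domain check`. The rest of `RetrieveDomain` continues below the hunk.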
@@ -72,7 +81,7 @@ func (am *authorizationMiddleware) RetrieveDomain(ctx context.Context, session a
 func (am *authorizationMiddleware) UpdateDomain(ctx context.Context, session authn.Session, id string, d domains.DomainReq) (domains.Domain, error) {
 if err := am.authorize(ctx, domains.OpUpdateDomain, authz.PolicyReq{
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 SubjectType: policies.UserType,
 SubjectKind: policies.UsersKind,
 Object: id,
@@ -85,7 +94,7 @@ func (am *authorizationMiddleware) UpdateDomain(ctx context.Context, session aut
 func (am *authorizationMiddleware) EnableDomain(ctx context.Context, session authn.Session, id string) (domains.Domain, error) {
 if err := am.authorize(ctx, domains.OpEnableDomain, authz.PolicyReq{
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 SubjectType: policies.UserType,
 SubjectKind: policies.UsersKind,
 Object: id,
@@ -99,7 +108,7 @@ func (am *authorizationMiddleware) EnableDomain(ctx context.Context, session aut
 func (am *authorizationMiddleware) DisableDomain(ctx context.Context, session authn.Session, id string) (domains.Domain, error) {
 if err := am.authorize(ctx, domains.OpDisableDomain, authz.PolicyReq{
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 SubjectType: policies.UserType,
 SubjectKind: policies.UsersKind,
 Object: id,
@@ -141,8 +150,7 @@ func (am *authorizationMiddleware) ListDomains(ctx context.Context, session auth
 }
 func (am *authorizationMiddleware) SendInvitation(ctx context.Context, session authn.Session, invitation domains.Invitation) (err error) {
- domainUserId := auth.EncodeDomainUserID(invitation.DomainID, invitation.InviteeUserID)
- if err := am.extAuthorize(ctx, domainUserId, policies.MembershipPermission, policies.DomainType, invitation.DomainID); err == nil {
+ if err := am.extAuthorize(ctx, session.UserID, policies.MembershipPermission, policies.DomainType, invitation.DomainID); err == nil {
 // return error if the user is already a member of the domain
 return errors.Wrap(svcerr.ErrConflict, ErrMemberExist)
 }
@@ -155,7 +163,6 @@ func (am *authorizationMiddleware) SendInvitation(ctx context.Context, session a
 }
 func (am *authorizationMiddleware) ViewInvitation(ctx context.Context, session authn.Session, inviteeUserID, domain string) (invitation domains.Invitation, err error) {
- session.DomainUserID = auth.EncodeDomainUserID(session.DomainID, session.UserID)
 if session.UserID != inviteeUserID {
 if err := am.checkAdmin(ctx, session); err != nil {
 return domains.Invitation{}, err
@@ -166,7 +173,6 @@ func (am *authorizationMiddleware) ViewInvitation(ctx context.Context, session a
 }
 func (am *authorizationMiddleware) ListInvitations(ctx context.Context, session authn.Session, page domains.InvitationPageMeta) (invs domains.InvitationPage, err error) {
- session.DomainUserID = auth.EncodeDomainUserID(session.DomainID, session.UserID)
 if err := am.extAuthorize(ctx, session.UserID, policies.AdminPermission, policies.PlatformType, policies.SuperMQObject); err == nil {
 session.SuperAdmin = true
 page.DomainID = ""
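Review bot: The membership pre-check in `SendInvitation` now tests `session.UserID`, the inviter, whereas the removed line built its subject from `invitation.InviteeUserID`, and the comment on the next line still says the error is for a user who is already a member of the domain. With the inviter as subject, an inviter who already holds membership in `invitation.DomainID` (as a domain admin presumably does) trips `ErrMemberExist` on every invitation, while an invitee who is already a member is no longer caught. The subject should follow the invitee: `if err := am.extAuthorize(ctx, invitation.InviteeUserID, policies.MembershipPermission, policies.DomainType, invitation.DomainID); err == nil {`. The remainder of `SendInvitation` is outside the hunk.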
@@ -175,7 +181,7 @@ func (am *authorizationMiddleware) ListInvitations(ctx context.Context, session
 if !session.SuperAdmin {
 switch {
 case page.DomainID != "":
- if err := am.extAuthorize(ctx, session.DomainUserID, policies.AdminPermission, policies.DomainType, page.DomainID); err != nil {
+ if err := am.extAuthorize(ctx, session.UserID, policies.AdminPermission, policies.DomainType, page.DomainID); err != nil {
 return domains.InvitationPage{}, err
 }
 default:
@@ -195,7 +201,6 @@ func (am *authorizationMiddleware) RejectInvitation(ctx context.Context, session
 }
 func (am *authorizationMiddleware) DeleteInvitation(ctx context.Context, session authn.Session, inviteeUserID, domainID string) (err error) {
- session.DomainUserID = auth.EncodeDomainUserID(session.DomainID, session.UserID)
 if err := am.checkAdmin(ctx, session); err != nil {
 return err
 }
@@ -222,7 +227,7 @@ func (am *authorizationMiddleware) checkAdmin(ctx context.Context, session authn
 req := smqauthz.PolicyReq{
 SubjectType: policies.UserType,
 SubjectKind: policies.UsersKind,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 Permission: policies.AdminPermission,
 ObjectType: policies.DomainType,
 Object: session.DomainID,
diff --git a/groups/api/http/endpoint_test.go b/groups/api/http/endpoint_test.go
index c8d762e46d..6122378b2a 100644
--- a/groups/api/http/endpoint_test.go
+++ b/groups/api/http/endpoint_test.go
@@ -205,7 +205,7 @@ func TestCreateGroupEndpoint(t *testing.T) {
 body: strings.NewReader(data),
 }
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 svcCall := svc.On("CreateGroup", mock.Anything, tc.session, tc.req.Group).Return(tc.svcResp, []roles.RoleProvision{}, tc.svcErr)
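Review bot: `DeleteInvitation` receives a `domainID` argument but, after the dropped line, authorizes solely through `checkAdmin`, whose request further down in this hunk uses `Object: session.DomainID`; the `domainID` parameter is never compared with it. If the two can ever differ — the session's domain is set by the HTTP authn middleware, the argument presumably comes from the request — an admin of one domain could act on an invitation addressed to another. A guard before the call, `if domainID != session.DomainID { return errDomainMismatch /* placeholder: the project's authorization error */ }`, closes that cheaply; if they are guaranteed equal upstream, a comment at the call site stating that invariant is enough. The admin check in `ViewInvitation` in the previous hunk is likewise keyed to `session.DomainID` rather than its `domain` argument, and both functions continue outside their hunks.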
@@ -302,7 +302,7 @@ func TestViewGroupEndpoint(t *testing.T) {
 token: tc.token,
 }
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 svcCall := svc.On("ViewGroup", mock.Anything, tc.session, tc.id).Return(tc.svcResp, tc.svcErr)
@@ -447,7 +447,7 @@ func TestUpdateGroupEndpoint(t *testing.T) {
 body: strings.NewReader(data),
 }
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 svcCall := svc.On("UpdateGroup", mock.Anything, tc.session, tc.updateReq).Return(tc.svcResp, tc.svcErr)
@@ -550,7 +550,7 @@ func TestEnableGroupEndpoint(t *testing.T) {
 token: tc.token,
 }
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 svcCall := svc.On("EnableGroup", mock.Anything, tc.session, tc.id).Return(tc.svcResp, tc.svcErr)
@@ -653,7 +653,7 @@ func TestDisableGroupEndpoint(t *testing.T) {
 token: tc.token,
 }
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 svcCall := svc.On("DisableGroup", mock.Anything, tc.session, tc.id).Return(tc.svcResp, tc.svcErr)
@@ -960,7 +960,7 @@ func TestListGroups(t *testing.T) {
 token: tc.token,
 }
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 svcCall := svc.On("ListGroups", mock.Anything, tc.session, mock.Anything).Return(tc.listGroupsResponse, tc.err)
@@ -1050,7 +1050,7 @@ func TestDeleteGroupEndpoint(t *testing.T) {
 token: tc.token,
 }
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 svcCall := svc.On("DeleteGroup", mock.Anything, tc.session, tc.id).Return(tc.svcErr)
@@ -1219,7 +1219,7 @@ func TestRetrieveGroupHierarchyEndpoint(t *testing.T) {
 token: tc.token,
 }
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 svcCall := svc.On("RetrieveGroupHierarchy", mock.Anything, tc.session, tc.groupID, tc.pageMeta).Return(tc.svcRes, tc.svcErr)
@@ -1368,7 +1368,7 @@ func TestAddParentGroupEndpoint(t *testing.T) {
 body: strings.NewReader(data),
 }
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 svcCall := svc.On("AddParentGroup", mock.Anything, tc.session, tc.id, tc.parentID).Return(tc.svcErr)
@@ -1459,7 +1459,7 @@ func TestRemoveParentGroupEndpoint(t *testing.T) {
 token: tc.token,
 }
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 svcCall := svc.On("RemoveParentGroup", mock.Anything, tc.session, tc.id).Return(tc.svcErr)
@@ -1611,7 +1611,7 @@ func TestAddChildrenGroupsEndpoint(t *testing.T) {
 body: strings.NewReader(data),
 }
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 svcCall := svc.On("AddChildrenGroups", mock.Anything, tc.session, tc.id, tc.childrenIDs).Return(tc.svcErr)
@@ -1753,7 +1753,7 @@ func TestRemoveChildrenGroupsEndpoint(t *testing.T) {
 body: strings.NewReader(data),
 }
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 svcCall := svc.On("RemoveChildrenGroups", mock.Anything, tc.session, tc.id, tc.childrenIDs).Return(tc.svcErr)
@@ -1844,7 +1844,7 @@ func TestRemoveAllChildrenGroupsEndpoint(t *testing.T) {
 token: tc.token,
 }
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 svcCall := svc.On("RemoveAllChildrenGroups", mock.Anything, tc.session, tc.id).Return(tc.svcErr)
@@ -1988,7 +1988,7 @@ func TestListChildrenGroupsEndpoint(t *testing.T) {
 token: tc.token,
 }
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 svcCall := svc.On("ListChildrenGroups", mock.Anything, tc.session, tc.id, int64(1), int64(0), tc.pageMeta).Return(tc.svcRes, tc.svcErr)
diff --git a/groups/middleware/authorization.go b/groups/middleware/authorization.go
index 668baa01e6..f1927c2907 100644
--- a/groups/middleware/authorization.go
+++ b/groups/middleware/authorization.go
@@ -99,7 +99,7 @@ func (am *authorizationMiddleware) CreateGroup(ctx context.Context, session auth
 Domain: session.DomainID,
 SubjectType: policies.UserType,
 SubjectKind: policies.UsersKind,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 Object: session.DomainID,
 ObjectType: policies.DomainType,
 }); err != nil {
@@ -111,7 +111,7 @@ func (am *authorizationMiddleware) CreateGroup(ctx context.Context, session auth
 Domain: session.DomainID,
 SubjectType: policies.UserType,
 SubjectKind: policies.UsersKind,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 Object: g.Parent,
 ObjectType: policies.GroupType,
 }); err != nil {
@@ -141,7 +141,7 @@ func (am *authorizationMiddleware) UpdateGroup(ctx context.Context, session auth
 Domain: session.DomainID,
 SubjectType: policies.UserType,
 SubjectKind: policies.UsersKind,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 Object: g.ID,
 ObjectType: policies.GroupType,
 }); err != nil {
@@ -170,7 +170,7 @@ func (am *authorizationMiddleware) ViewGroup(ctx context.Context, session authn.
 Domain: session.DomainID,
 SubjectType: policies.UserType,
 SubjectKind: policies.UsersKind,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 Object: id,
 ObjectType: policies.GroupType,
 }); err != nil {
@@ -204,7 +204,7 @@ func (am *authorizationMiddleware) ListGroups(ctx context.Context, session authn
 Domain: session.DomainID,
 SubjectType: policies.UserType,
 SubjectKind: policies.UsersKind,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 Object: session.DomainID,
 ObjectType: policies.DomainType,
 }); err != nil {
@@ -223,7 +223,7 @@ func (am *authorizationMiddleware) ListUserGroups(ctx context.Context, session a
 Domain: session.DomainID,
 SubjectType: policies.UserType,
 SubjectKind: policies.UsersKind,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 Object: session.DomainID,
 ObjectType: policies.DomainType,
 }); err != nil {
@@ -250,7 +250,7 @@ func (am *authorizationMiddleware) EnableGroup(ctx context.Context, session auth
 if err := am.authorize(ctx, groups.OpEnableGroup, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 Object: id,
 ObjectType: policies.GroupType,
 }); err != nil {
@@ -278,7 +278,7 @@ func (am *authorizationMiddleware) DisableGroup(ctx context.Context, session aut
 if err := am.authorize(ctx, groups.OpDisableGroup, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 Object: id,
 ObjectType: policies.GroupType,
 }); err != nil {
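Review bot: From `EnableGroup` onward the `smqauthz.PolicyReq` in this file carries `Domain`, `SubjectType`, `Subject`, `Object` and `ObjectType` but no `SubjectKind`, while `CreateGroup`, `UpdateGroup`, `ViewGroup`, `ListGroups` and `ListUserGroups` set `SubjectKind: policies.UsersKind`; since the commit rewrites the subject in every one of these requests, it is the natural place to make them uniform. Whether the authorizer treats an empty kind the same as `UsersKind` is not visible here, so either add `SubjectKind: policies.UsersKind,` to `EnableGroup`, `DisableGroup`, `DeleteGroup`, `RetrieveGroupHierarchy`, `AddParentGroup`, `RemoveParentGroup`, `AddChildrenGroups`, `RemoveChildrenGroups`, `RemoveAllChildrenGroups` and `ListChildrenGroups`, or drop it from the first five so one request shape is used throughout. Each of these functions continues outside its hunk.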
@@ -306,7 +306,7 @@ func (am *authorizationMiddleware) DeleteGroup(ctx context.Context, session auth
 if err := am.authorize(ctx, groups.OpDeleteGroup, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 Object: id,
 ObjectType: policies.GroupType,
 }); err != nil {
@@ -334,7 +334,7 @@ func (am *authorizationMiddleware) RetrieveGroupHierarchy(ctx context.Context, s
 if err := am.authorize(ctx, groups.OpRetrieveGroupHierarchy, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 Object: id,
 ObjectType: policies.GroupType,
 }); err != nil {
@@ -361,7 +361,7 @@ func (am *authorizationMiddleware) AddParentGroup(ctx context.Context, session a
 if err := am.authorize(ctx, groups.OpAddParentGroup, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 Object: id,
 ObjectType: policies.GroupType,
 }); err != nil {
@@ -371,7 +371,7 @@ func (am *authorizationMiddleware) AddParentGroup(ctx context.Context, session a
 if err := am.authorize(ctx, groups.OpAddChildrenGroups, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 Object: parentID,
 ObjectType: policies.GroupType,
 }); err != nil {
@@ -398,7 +398,7 @@ func (am *authorizationMiddleware) RemoveParentGroup(ctx context.Context, sessio
 if err := am.authorize(ctx, groups.OpRemoveParentGroup, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 Object: id,
 ObjectType: policies.GroupType,
 }); err != nil {
@@ -414,7 +414,7 @@ func (am *authorizationMiddleware) RemoveParentGroup(ctx context.Context, sessio
 if err := am.authorize(ctx, groups.OpRemoveParentGroup, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 Object: group.Parent,
 ObjectType: policies.GroupType,
 }); err != nil {
@@ -442,7 +442,7 @@ func (am *authorizationMiddleware) AddChildrenGroups(ctx context.Context, sessio
 if err := am.authorize(ctx, groups.OpAddChildrenGroups, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 Object: id,
 ObjectType: policies.GroupType,
 }); err != nil {
@@ -453,7 +453,7 @@ func (am *authorizationMiddleware) AddChildrenGroups(ctx context.Context, sessio
 if err := am.authorize(ctx, groups.OpAddParentGroup, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 Object: childID,
 ObjectType: policies.GroupType,
 }); err != nil {
@@ -482,7 +482,7 @@ func (am *authorizationMiddleware) RemoveChildrenGroups(ctx context.Context, ses
 if err := am.authorize(ctx, groups.OpRemoveChildrenGroups, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 Object: id,
 ObjectType: policies.GroupType,
 }); err != nil {
@@ -510,7 +510,7 @@ func (am *authorizationMiddleware) RemoveAllChildrenGroups(ctx context.Context,
 if err := am.authorize(ctx, groups.OpRemoveAllChildrenGroups, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 Object: id,
 ObjectType: policies.GroupType,
 }); err != nil {
@@ -538,7 +538,7 @@ func (am *authorizationMiddleware) ListChildrenGroups(ctx context.Context, sessi
 if err := am.authorize(ctx, groups.OpListChildrenGroups, smqauthz.PolicyReq{
 Domain: session.DomainID,
 SubjectType: policies.UserType,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 Object: id,
 ObjectType: policies.GroupType,
 }); err != nil {
diff --git a/groups/service.go b/groups/service.go
index b8755d8b9a..6ada2de4ce 100644
--- a/groups/service.go
+++ b/groups/service.go
@@ -183,7 +183,7 @@ func (svc service) RetrieveGroupHierarchy(ctx context.Context, session smqauthn.
 return HierarchyPage{}, errors.Wrap(svcerr.ErrViewEntity, err)
 }
 hids := svc.getGroupIDs(hp.Groups)
- ids, err := svc.filterAllowedGroupIDsOfUserID(ctx, session.DomainUserID, "read_permission", hids)
+ ids, err := svc.filterAllowedGroupIDsOfUserID(ctx, session.UserID, "read_permission", hids)
 if err != nil {
 return HierarchyPage{}, errors.Wrap(svcerr.ErrViewEntity, err)
 }
@@ -454,7 +454,7 @@ func (svc service) DeleteGroup(ctx context.Context, session smqauthn.Session, id
 Object: id,
 })
 }
- if err := svc.RemoveEntitiesRoles(ctx, session.DomainID, session.DomainUserID, []string{id}, filterDeletePolicies, deletePolicies); err != nil {
+ if err := svc.RemoveEntitiesRoles(ctx, session.DomainID, session.UserID, []string{id}, filterDeletePolicies, deletePolicies); err != nil {
 return errors.Wrap(svcerr.ErrDeletePolicies, err)
 }
diff --git a/groups/service_test.go b/groups/service_test.go
index a02d85a30d..432bdc1d16 100644
--- a/groups/service_test.go
+++ b/groups/service_test.go
@@ -68,7 +68,7 @@ var (
 }
 validID = testsutil.GenerateUUID(&testing.T{})
 errRollbackRoles = errors.New("failed to rollback roles")
- validSession = authn.Session{UserID: validID, DomainID: validID, DomainUserID: validID}
+ validSession = authn.Session{UserID: validID, DomainID: validID}
 )
 var (
@@ -431,7 +431,7 @@ func TestListGroups(t *testing.T) {
 }{
 {
 desc: "list groups as super admin successfully",
- session: smqauthn.Session{UserID: validID, DomainID: validID, DomainUserID: validID, SuperAdmin: true},
+ session: smqauthn.Session{UserID: validID, DomainID: validID, SuperAdmin: true},
 pageMeta: groups.PageMeta{
 Limit: 10,
 Offset: 0,
@@ -453,7 +453,7 @@ func TestListGroups(t *testing.T) {
 },
 {
 desc: "list groups as super admin with failed to retrieve",
- session: smqauthn.Session{UserID: validID, DomainID: validID, DomainUserID: validID, SuperAdmin: true},
+ session: smqauthn.Session{UserID: validID, DomainID: validID, SuperAdmin: true},
 pageMeta: groups.PageMeta{
 Limit: 10,
 Offset: 0,
diff --git a/http/handler.go b/http/handler.go
index 9961035577..1a8af25d78 100644
--- a/http/handler.go
+++ b/http/handler.go
@@ -148,7 +148,7 @@ func (h *handler) Publish(ctx context.Context, topic *string, payload *[]byte) e
 return mgate.NewHTTPProxyError(http.StatusUnauthorized, svcerr.ErrAuthentication)
 }
 clientType = policies.UserType
- clientID = authnSession.DomainUserID
+ clientID = authnSession.UserID
 default:
 return mgate.NewHTTPProxyError(http.StatusUnauthorized, svcerr.ErrAuthentication)
 }
diff --git a/http/handler_test.go b/http/handler_test.go
index 81095728b2..2a97cdbd05 100644
--- a/http/handler_test.go
+++ b/http/handler_test.go
@@ -179,7 +179,7 @@ func TestPublish(t *testing.T) {
 password: validToken,
 session: &tokenSession,
 channelID: chanID,
- authNRes1: smqauthn.Session{DomainUserID: validID, UserID: validID, DomainID: validID},
+ authNRes1: smqauthn.Session{UserID: validID, DomainID: validID},
 authNErr: nil,
 authZRes: &grpcChannelsV1.AuthzRes{Authorized: true},
 authZErr: nil,
@@ -279,7 +279,7 @@ func TestPublish(t *testing.T) {
 session: &tokenSession,
 channelID: chanID,
 status: http.StatusUnauthorized,
- authNRes1: smqauthn.Session{DomainUserID: validID, UserID: validID, DomainID: validID},
+ authNRes1: smqauthn.Session{UserID: validID, DomainID: validID},
 authNErr: svcerr.ErrAuthentication,
 err: svcerr.ErrAuthentication,
 },
diff --git a/journal/api/endpoint_test.go b/journal/api/endpoint_test.go
index 38e944f9a4..f15f52d7e4 100644
--- a/journal/api/endpoint_test.go
+++ b/journal/api/endpoint_test.go
@@ -379,11 +379,7 @@ func TestListEntityJournalsEndpoint(t *testing.T) {
 for _, c := range cases {
 t.Run(c.desc, func(t *testing.T) {
 if c.token == validToken {
- c.session = smqauthn.Session{
- UserID: userID,
- DomainID: domainID,
- DomainUserID: domainID + "_" + userID,
- }
+ c.session = smqauthn.Session{UserID: userID, DomainID: domainID}
 }
 authCall := authn.On("Authenticate", mock.Anything, c.token).Return(c.session, c.authnErr)
 svcCall := svc.On("RetrieveAll", mock.Anything, c.session, mock.Anything).Return(journal.JournalsPage{}, c.svcErr)
@@ -462,11 +458,7 @@ func TestRetrieveClientTelemetryEndpoint(t *testing.T) {
 for _, c := range cases {
 t.Run(c.desc, func(t *testing.T) {
 if c.token == validToken {
- c.session = smqauthn.Session{
- UserID: userID,
- DomainID: c.domainID,
- DomainUserID: c.domainID + "_" + userID,
- }
+ c.session = smqauthn.Session{UserID: userID, DomainID: c.domainID}
 }
 authCall := authn.On("Authenticate", mock.Anything, c.token).Return(c.session, c.authnErr)
 svcCall := svc.On("RetrieveClientTelemetry", mock.Anything, c.session, c.clientID).Return(journal.ClientTelemetry{}, c.svcErr)
diff --git a/journal/middleware/authorization.go b/journal/middleware/authorization.go
index e819835868..9842b8753d 100644
--- a/journal/middleware/authorization.go
+++ b/journal/middleware/authorization.go
@@ -39,7 +39,7 @@ func (am *authorizationMiddleware) RetrieveAll(ctx context.Context, session smqa
 permission := readPermission
 objectType := page.EntityType.String()
 object := page.EntityID
- subject := session.DomainUserID
+ subject := session.UserID
 // If the entity is a user, we need to check if the user is an admin
 if page.EntityType.String() == policies.UserType {
@@ -70,7 +70,7 @@ func (am *authorizationMiddleware) RetrieveClientTelemetry(ctx context.Context,
 Domain: session.DomainID,
 SubjectType: policies.UserType,
 SubjectKind: policies.UsersKind,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 Permission: readPermission,
 ObjectType: policies.ClientType,
 Object: clientID,
diff --git a/journal/service_test.go b/journal/service_test.go
index bec590add6..b43f183549 100644
--- a/journal/service_test.go
+++ b/journal/service_test.go
@@ -73,7 +73,7 @@ func TestReadAll(t *testing.T) {
 repo := new(mocks.Repository)
 svc := journal.NewService(idProvider, repo)
- validSession := smqauthn.Session{DomainUserID: testsutil.GenerateUUID(t), UserID: testsutil.GenerateUUID(t), DomainID: testsutil.GenerateUUID(t)}
+ validSession := smqauthn.Session{UserID: testsutil.GenerateUUID(t), DomainID: testsutil.GenerateUUID(t)}
 validPage := journal.Page{
 Offset: 0,
 Limit: 10,
diff --git a/pkg/authn/authn.go b/pkg/authn/authn.go
index 6a61cc8c58..6893c6fcdc 100644
--- a/pkg/authn/authn.go
+++ b/pkg/authn/authn.go
@@ -28,12 +28,11 @@ func (t TokenType) String() string {
 }
 type Session struct {
- Type TokenType
- PatID string
- DomainUserID string
- UserID string
- DomainID string
- SuperAdmin bool
+ Type TokenType
+ PatID string
+ UserID string
+ DomainID string
+ SuperAdmin bool
 }
 // Authn is supermq authentication library.
diff --git a/pkg/authn/authsvc/authn.go b/pkg/authn/authsvc/authn.go
index 2acb88ac12..486d825342 100644
--- a/pkg/authn/authsvc/authn.go
+++ b/pkg/authn/authsvc/authn.go
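Review bot: `Session` is exported and has just been reshaped, yet it still carries no doc comment, so the meaning of the remaining fields has to be inferred from the middleware that fills them. Suggest a comment above the type: `// Session is the caller identity derived from a token: UserID identifies the authenticated user, DomainID is the domain the request is scoped to as set by the authn middleware, and SuperAdmin is set by authorization middleware once the platform-admin check has passed.` `Type` and `PatID` are not touched by the visible code, so their one-line descriptions should come from wherever they are populated. The `String()` method above the struct is cut by the hunk.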
@@ -54,5 +54,5 @@ func (a authentication) Authenticate(ctx context.Context, token string) (authn.S
 return authn.Session{}, errors.Wrap(errors.ErrAuthentication, err)
 }
- return authn.Session{Type: authn.AccessToken, DomainUserID: res.GetId(), UserID: res.GetUserId(), DomainID: res.GetDomainId()}, nil
+ return authn.Session{Type: authn.AccessToken, UserID: res.GetUserId(), DomainID: res.GetDomainId()}, nil
 }
diff --git a/pkg/policies/service.go b/pkg/policies/service.go
index 6a7c625576..dd8e4e4ec4 100644
--- a/pkg/policies/service.go
+++ b/pkg/policies/service.go
@@ -105,10 +105,3 @@ type Service interface {
 // ListPermissions lists permission betweeen given subject and object .
 ListPermissions(ctx context.Context, pr Policy, permissionsFilter []string) (Permissions, error)
 }
-
-func EncodeDomainUserID(domainID, userID string) string {
- if domainID == "" || userID == "" {
- return ""
- }
- return domainID + "_" + userID
-}
diff --git a/pkg/roles/provisionmanage.go b/pkg/roles/provisionmanage.go
index 381dbd2489..5db671716f 100644
--- a/pkg/roles/provisionmanage.go
+++ b/pkg/roles/provisionmanage.go
@@ -111,7 +111,7 @@ func (r ProvisionManageService) RemoveEntitiesRoles(ctx context.Context, domainI
 }
 for _, emr := range emrs {
 deletePolicies = append(deletePolicies, policies.Policy{
- Subject: policies.EncodeDomainUserID(domainID, emr.MemberID),
+ Subject: emr.MemberID,
 SubjectType: policies.UserType,
 Relation: policies.MemberRelation,
 ObjectType: policies.RoleType,
@@ -187,7 +187,7 @@ func (r ProvisionManageService) AddNewEntitiesRoles(ctx context.Context, domainI
 for _, member := range members {
 prs = append(prs, policies.Policy{
 SubjectType: policies.UserType,
- Subject: policies.EncodeDomainUserID(domainID, member),
+ Subject: member,
 Relation: policies.MemberRelation,
 Object: id,
 ObjectType: policies.RoleType,
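Review bot: The role-membership tuples written in `RemoveEntitiesRoles` and `AddNewEntitiesRoles` now use the bare member ID as subject, so the `domainID` parameter no longer contributes to the subject and domain isolation of a membership rests entirely on the role object (`Object: id`, `ObjectType: policies.RoleType`); the same holds for `AddRole`, `RoleAddMembers` and `RoleRemoveMembers` in the following hunks, which previously folded `session.DomainID` into the subject. That is a deliberate model change but it is invisible at the call sites, so a comment on the first loop such as `// membership is keyed by the global user ID; the role (object) side carries the domain scope` would record it for whoever next audits cross-domain access. If `domainID` is not read anywhere else in these two functions it is now a dead parameter, which is worth either noting or removing. Both functions continue outside their hunks.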
@@ -259,7 +259,7 @@ func (r ProvisionManageService) AddRole(ctx context.Context, session authn.Sessi
 for _, member := range optionalMembers {
 prs = append(prs, policies.Policy{
 SubjectType: policies.UserType,
- Subject: policies.EncodeDomainUserID(session.DomainID, member),
+ Subject: member,
 Relation: policies.MemberRelation,
 Object: id,
 ObjectType: policies.RoleType,
@@ -498,7 +498,7 @@ func (r ProvisionManageService) RoleAddMembers(ctx context.Context, session auth
 for _, mem := range members {
 prs = append(prs, policies.Policy{
 SubjectType: policies.UserType,
- Subject: policies.EncodeDomainUserID(session.DomainID, mem),
+ Subject: mem,
 Relation: policies.MemberRelation,
 Object: ro.ID,
 ObjectType: policies.RoleType,
@@ -567,7 +567,7 @@ func (r ProvisionManageService) RoleRemoveMembers(ctx context.Context, session a
 for _, mem := range members {
 prs = append(prs, policies.Policy{
 SubjectType: policies.UserType,
- Subject: policies.EncodeDomainUserID(session.DomainID, mem),
+ Subject: mem,
 Relation: policies.MemberRelation,
 Object: ro.ID,
 ObjectType: policies.RoleType,
diff --git a/pkg/roles/rolemanager/middleware/authoirzation.go b/pkg/roles/rolemanager/middleware/authoirzation.go
index 02df36d3a4..2364dddacb 100644
--- a/pkg/roles/rolemanager/middleware/authoirzation.go
+++ b/pkg/roles/rolemanager/middleware/authoirzation.go
@@ -55,7 +55,7 @@ func (ram RoleManagerAuthorizationMiddleware) validate() error {
 func (ram RoleManagerAuthorizationMiddleware) AddRole(ctx context.Context, session authn.Session, entityID, roleName string, optionalActions []string, optionalMembers []string) (roles.RoleProvision, error) {
 if err := ram.authorize(ctx, roles.OpAddRole, smqauthz.PolicyReq{
 Domain: session.DomainID,
- Subject: session.DomainUserID,
+ Subject: session.UserID,
 SubjectType: policies.UserType,
 SubjectKind: policies.UsersKind,
 Object: entityID,
@@ -69,7 +69,7 @@ func (ram RoleManagerAuthorizationMiddleware) AddRole(ctx context.Context, sessi func (ram RoleManagerAuthorizationMiddleware) RemoveRole(ctx context.Context, session authn.Session, entityID, roleID string) error { if err := ram.authorize(ctx, roles.OpRemoveRole, smqauthz.PolicyReq{ Domain: session.DomainID, - Subject: session.DomainUserID, + Subject: session.UserID, SubjectType: policies.UserType, SubjectKind: policies.UsersKind, Object: entityID, @@ -83,7 +83,7 @@ func (ram RoleManagerAuthorizationMiddleware) RemoveRole(ctx context.Context, se func (ram RoleManagerAuthorizationMiddleware) UpdateRoleName(ctx context.Context, session authn.Session, entityID, roleID, newRoleName string) (roles.Role, error) { if err := ram.authorize(ctx, roles.OpUpdateRoleName, smqauthz.PolicyReq{ Domain: session.DomainID, - Subject: session.DomainUserID, + Subject: session.UserID, SubjectType: policies.UserType, SubjectKind: policies.UsersKind, Object: entityID, @@ -97,7 +97,7 @@ func (ram RoleManagerAuthorizationMiddleware) UpdateRoleName(ctx context.Context func (ram RoleManagerAuthorizationMiddleware) RetrieveRole(ctx context.Context, session authn.Session, entityID, roleID string) (roles.Role, error) { if err := ram.authorize(ctx, roles.OpRetrieveRole, smqauthz.PolicyReq{ Domain: session.DomainID, - Subject: session.DomainUserID, + Subject: session.UserID, SubjectType: policies.UserType, SubjectKind: policies.UsersKind, Object: entityID, @@ -111,7 +111,7 @@ func (ram RoleManagerAuthorizationMiddleware) RetrieveRole(ctx context.Context, func (ram RoleManagerAuthorizationMiddleware) RetrieveAllRoles(ctx context.Context, session authn.Session, entityID string, limit, offset uint64) (roles.RolePage, error) { if err := ram.authorize(ctx, roles.OpRetrieveAllRoles, smqauthz.PolicyReq{ Domain: session.DomainID, - Subject: session.DomainUserID, + Subject: session.UserID, SubjectType: policies.UserType, SubjectKind: policies.UsersKind, Object: entityID, 
@@ -129,7 +129,7 @@ func (ram RoleManagerAuthorizationMiddleware) ListAvailableActions(ctx context.C func (ram RoleManagerAuthorizationMiddleware) RoleAddActions(ctx context.Context, session authn.Session, entityID, roleID string, actions []string) (ops []string, err error) { if err := ram.authorize(ctx, roles.OpRoleAddActions, smqauthz.PolicyReq{ Domain: session.DomainID, - Subject: session.DomainUserID, + Subject: session.UserID, SubjectType: policies.UserType, SubjectKind: policies.UsersKind, Object: entityID, @@ -144,7 +144,7 @@ func (ram RoleManagerAuthorizationMiddleware) RoleAddActions(ctx context.Context func (ram RoleManagerAuthorizationMiddleware) RoleListActions(ctx context.Context, session authn.Session, entityID, roleID string) ([]string, error) { if err := ram.authorize(ctx, roles.OpRoleListActions, smqauthz.PolicyReq{ Domain: session.DomainID, - Subject: session.DomainUserID, + Subject: session.UserID, SubjectType: policies.UserType, SubjectKind: policies.UsersKind, Object: entityID, @@ -159,7 +159,7 @@ func (ram RoleManagerAuthorizationMiddleware) RoleListActions(ctx context.Contex func (ram RoleManagerAuthorizationMiddleware) RoleCheckActionsExists(ctx context.Context, session authn.Session, entityID, roleID string, actions []string) (bool, error) { if err := ram.authorize(ctx, roles.OpRoleCheckActionsExists, smqauthz.PolicyReq{ Domain: session.DomainID, - Subject: session.DomainUserID, + Subject: session.UserID, SubjectType: policies.UserType, SubjectKind: policies.UsersKind, Object: entityID, 
@@ -173,7 +173,7 @@ func (ram RoleManagerAuthorizationMiddleware) RoleCheckActionsExists(ctx context func (ram RoleManagerAuthorizationMiddleware) RoleRemoveActions(ctx context.Context, session authn.Session, entityID, roleID string, actions []string) (err error) { if err := ram.authorize(ctx, roles.OpRoleRemoveActions, smqauthz.PolicyReq{ Domain: session.DomainID, - Subject: session.DomainUserID, + Subject: session.UserID, SubjectType: policies.UserType, SubjectKind: policies.UsersKind, Object: entityID, @@ -187,7 +187,7 @@ func (ram RoleManagerAuthorizationMiddleware) RoleRemoveActions(ctx context.Cont func (ram RoleManagerAuthorizationMiddleware) RoleRemoveAllActions(ctx context.Context, session authn.Session, entityID, roleID string) error { if err := ram.authorize(ctx, roles.OpRoleRemoveAllActions, smqauthz.PolicyReq{ Domain: session.DomainID, - Subject: session.DomainUserID, + Subject: session.UserID, SubjectType: policies.UserType, SubjectKind: policies.UsersKind, Object: entityID, @@ -201,7 +201,7 @@ func (ram RoleManagerAuthorizationMiddleware) RoleRemoveAllActions(ctx context.C func (ram RoleManagerAuthorizationMiddleware) RoleAddMembers(ctx context.Context, session authn.Session, entityID, roleID string, members []string) ([]string, error) { if err := ram.authorize(ctx, roles.OpRoleAddMembers, smqauthz.PolicyReq{ Domain: session.DomainID, - Subject: session.DomainUserID, + Subject: session.UserID, SubjectType: policies.UserType, SubjectKind: policies.UsersKind, Object: entityID, 
@@ -215,7 +215,7 @@ func (ram RoleManagerAuthorizationMiddleware) RoleAddMembers(ctx context.Context func (ram RoleManagerAuthorizationMiddleware) RoleListMembers(ctx context.Context, session authn.Session, entityID, roleID string, limit, offset uint64) (roles.MembersPage, error) { if err := ram.authorize(ctx, roles.OpRoleListMembers, smqauthz.PolicyReq{ Domain: session.DomainID, - Subject: session.DomainUserID, + Subject: session.UserID, SubjectType: policies.UserType, SubjectKind: policies.UsersKind, Object: entityID, @@ -229,7 +229,7 @@ func (ram RoleManagerAuthorizationMiddleware) RoleListMembers(ctx context.Contex func (ram RoleManagerAuthorizationMiddleware) RoleCheckMembersExists(ctx context.Context, session authn.Session, entityID, roleID string, members []string) (bool, error) { if err := ram.authorize(ctx, roles.OpRoleCheckMembersExists, smqauthz.PolicyReq{ Domain: session.DomainID, - Subject: session.DomainUserID, + Subject: session.UserID, SubjectType: policies.UserType, SubjectKind: policies.UsersKind, Object: entityID, @@ -243,7 +243,7 @@ func (ram RoleManagerAuthorizationMiddleware) RoleCheckMembersExists(ctx context func (ram RoleManagerAuthorizationMiddleware) RoleRemoveAllMembers(ctx context.Context, session authn.Session, entityID, roleID string) (err error) { if err := ram.authorize(ctx, roles.OpRoleRemoveAllMembers, smqauthz.PolicyReq{ Domain: session.DomainID, - Subject: session.DomainUserID, + Subject: session.UserID, SubjectType: policies.UserType, SubjectKind: policies.UsersKind, Object: entityID, 
@@ -257,7 +257,7 @@ func (ram RoleManagerAuthorizationMiddleware) RoleRemoveAllMembers(ctx context.C func (ram RoleManagerAuthorizationMiddleware) ListEntityMembers(ctx context.Context, session authn.Session, entityID string, pageQuery roles.MembersRolePageQuery) (roles.MembersRolePage, error) { if err := ram.authorize(ctx, roles.OpRoleListMembers, smqauthz.PolicyReq{ Domain: session.DomainID, - Subject: session.DomainUserID, + Subject: session.UserID, SubjectType: policies.UserType, SubjectKind: policies.UsersKind, Object: entityID, @@ -271,7 +271,7 @@ func (ram RoleManagerAuthorizationMiddleware) ListEntityMembers(ctx context.Cont func (ram RoleManagerAuthorizationMiddleware) RemoveEntityMembers(ctx context.Context, session authn.Session, entityID string, members []string) error { if err := ram.authorize(ctx, roles.OpRoleRemoveAllMembers, smqauthz.PolicyReq{ Domain: session.DomainID, - Subject: session.DomainUserID, + Subject: session.UserID, SubjectType: policies.UserType, SubjectKind: policies.UsersKind, Object: entityID, @@ -285,7 +285,7 @@ func (ram RoleManagerAuthorizationMiddleware) RemoveEntityMembers(ctx context.Co func (ram RoleManagerAuthorizationMiddleware) RoleRemoveMembers(ctx context.Context, session authn.Session, entityID, roleID string, members []string) (err error) { if err := ram.authorize(ctx, roles.OpRoleRemoveMembers, smqauthz.PolicyReq{ Domain: session.DomainID, - Subject: session.DomainUserID, + Subject: session.UserID, SubjectType: policies.UserType, SubjectKind: policies.UsersKind, Object: entityID, diff --git a/pkg/sdk/certs_test.go b/pkg/sdk/certs_test.go index 8b1cde5fd7..87bad3f0b1 100644 --- a/pkg/sdk/certs_test.go +++ b/pkg/sdk/certs_test.go 
@@ -178,7 +178,7 @@ func TestIssueCert(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == valid { - tc.session = smqauthn.Session{DomainUserID: validID, UserID: validID, DomainID: validID} + tc.session = smqauthn.Session{UserID: validID, DomainID: validID} } authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr) svcCall := svc.On("IssueCert", mock.Anything, tc.domainID, tc.token, tc.clientID, tc.duration).Return(tc.svcRes, tc.svcErr) @@ -262,7 +262,7 @@ func TestViewCert(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == valid { - tc.session = smqauthn.Session{DomainUserID: validID, UserID: validID, DomainID: validID} + tc.session = smqauthn.Session{UserID: validID, DomainID: validID} } authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr) svcCall := svc.On("ViewCert", mock.Anything, tc.certID).Return(tc.svcRes, tc.svcErr) @@ -356,7 +356,7 @@ func TestViewCertByClient(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == valid { - tc.session = smqauthn.Session{DomainUserID: validID, UserID: validID, DomainID: validID} + tc.session = smqauthn.Session{UserID: validID, DomainID: validID} } authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr) svcCall := svc.On("ListSerials", mock.Anything, tc.clientID, certs.PageMetadata{Revoked: defRevoke, Offset: defOffset, Limit: defLimit}).Return(tc.svcRes, tc.svcErr) 
@@ -445,7 +445,7 @@ func TestRevokeCert(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == valid { - tc.session = smqauthn.Session{DomainUserID: validID, UserID: validID, DomainID: validID} + tc.session = smqauthn.Session{UserID: validID, DomainID: validID} } authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr) svcCall := svc.On("RevokeCert", mock.Anything, tc.domainID, tc.token, tc.clientID).Return(tc.svcResp, tc.svcErr) diff --git a/pkg/sdk/channels_test.go b/pkg/sdk/channels_test.go index a30fd97f17..fcf3cb7342 100644 --- a/pkg/sdk/channels_test.go +++ b/pkg/sdk/channels_test.go @@ -208,7 +208,7 @@ func TestCreateChannel(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr) svcCall := gsvc.On("CreateChannels", mock.Anything, tc.session, tc.createChannelReq).Return(tc.svcRes, []roles.RoleProvision{}, tc.svcErr) @@ -332,7 +332,7 @@ func TestCreateChannels(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr) svcCall := gsvc.On("CreateChannels", mock.Anything, tc.session, tc.createChannelsReq[0], tc.createChannelsReq[1], tc.createChannelsReq[2]).Return(tc.svcRes, []roles.RoleProvision{}, tc.svcErr) 
@@ -607,7 +607,7 @@ func TestListChannels(t *testing.T) { Metadata: tc.metadata, } if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr) svcCall := gsvc.On("ListChannels", mock.Anything, tc.session, tc.channelsPageMeta).Return(tc.svcRes, tc.svcErr) @@ -716,7 +716,7 @@ func TestViewChannel(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr) svcCall := gsvc.On("ViewChannel", mock.Anything, tc.session, tc.channelID).Return(tc.svcRes, tc.svcErr) @@ -987,7 +987,7 @@ func TestUpdateChannel(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr) svcCall := gsvc.On("UpdateChannel", mock.Anything, tc.session, tc.updateChannelReq).Return(tc.svcRes, tc.svcErr) 
@@ -1138,7 +1138,7 @@ func TestUpdateChannelTags(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, mock.Anything).Return(tc.session, tc.authenticateErr) svcCall := tsvc.On("UpdateChannelTags", mock.Anything, tc.session, tc.svcReq).Return(tc.svcRes, tc.svcErr) @@ -1245,7 +1245,7 @@ func TestEnableChannel(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr) svcCall := gsvc.On("EnableChannel", mock.Anything, tc.session, tc.channelID).Return(tc.svcRes, tc.svcErr) @@ -1355,7 +1355,7 @@ func TestDisableChannel(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr) svcCall := gsvc.On("DisableChannel", mock.Anything, tc.session, tc.channelID).Return(tc.svcRes, tc.svcErr) 
@@ -1435,7 +1435,7 @@ func TestDeleteChannel(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr) svcCall := gsvc.On("RemoveChannel", mock.Anything, tc.session, tc.channelID).Return(tc.svcErr) @@ -1548,7 +1548,7 @@ func TestConnect(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } connTypes := []connections.ConnType{} for _, ct := range tc.connection.Types { @@ -1667,7 +1667,7 @@ func TestDisconnect(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } connTypes := []connections.ConnType{} for _, ct := range tc.disconnect.Types { @@ -1776,7 +1776,7 @@ func TestConnectClients(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } connType, err := connections.ParseConnType(tc.connType) assert.Nil(t, err, fmt.Sprintf("error parsing connection type %s", tc.connType)) 
@@ -1879,7 +1879,7 @@ func TestDisconnectClients(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } connType, err := connections.ParseConnType(tc.connType) assert.Nil(t, err, fmt.Sprintf("error parsing connection type %s", tc.connType)) @@ -1976,7 +1976,7 @@ func TestSetChannelParent(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr) svcCall := gsvc.On("SetParentGroup", mock.Anything, tc.session, tc.parentID, tc.channelID).Return(tc.svcErr) @@ -2062,7 +2062,7 @@ func TestRemoveChannelParent(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr) svcCall := gsvc.On("RemoveParentGroup", mock.Anything, tc.session, tc.channelID).Return(tc.svcErr) diff --git a/pkg/sdk/clients_test.go b/pkg/sdk/clients_test.go index e702444222..48adce7645 100644 --- a/pkg/sdk/clients_test.go +++ b/pkg/sdk/clients_test.go 
@@ -188,7 +188,7 @@ func TestCreateClient(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, mock.Anything).Return(tc.session, tc.authenticateErr) svcCall := tsvc.On("CreateClients", mock.Anything, tc.session, tc.svcReq).Return(tc.svcRes, []roles.RoleProvision{}, tc.svcErr) @@ -299,7 +299,7 @@ func TestCreateClients(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, mock.Anything).Return(tc.session, tc.authenticateErr) svcCall := tsvc.On("CreateClients", mock.Anything, tc.session, tc.svcReq[0], tc.svcReq[1], tc.svcReq[2]).Return(tc.svcRes, []roles.RoleProvision{}, tc.svcErr) @@ -566,7 +566,7 @@ func TestListClients(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, mock.Anything).Return(tc.session, tc.authenticateErr) svcCall := tsvc.On("ListClients", mock.Anything, tc.session, tc.svcReq).Return(tc.svcRes, tc.svcErr) 
@@ -676,7 +676,7 @@ func TestViewClient(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, mock.Anything).Return(tc.session, tc.authenticateErr) svcCall := tsvc.On("View", mock.Anything, tc.session, tc.clientID).Return(tc.svcRes, tc.svcErr) @@ -834,7 +834,7 @@ func TestUpdateClient(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, mock.Anything).Return(tc.session, tc.authenticateErr) svcCall := tsvc.On("Update", mock.Anything, tc.session, tc.svcReq).Return(tc.svcRes, tc.svcErr) @@ -986,7 +986,7 @@ func TestUpdateClientTags(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, mock.Anything).Return(tc.session, tc.authenticateErr) svcCall := tsvc.On("UpdateTags", mock.Anything, tc.session, tc.svcReq).Return(tc.svcRes, tc.svcErr) 
@@ -1118,7 +1118,7 @@ func TestUpdateClientSecret(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, mock.Anything).Return(tc.session, tc.authenticateErr) svcCall := tsvc.On("UpdateSecret", mock.Anything, tc.session, tc.clientID, tc.newSecret).Return(tc.svcRes, tc.svcErr) @@ -1221,7 +1221,7 @@ func TestEnableClient(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, mock.Anything).Return(tc.session, tc.authenticateErr) svcCall := tsvc.On("Enable", mock.Anything, tc.session, tc.clientID).Return(tc.svcRes, tc.svcErr) @@ -1324,7 +1324,7 @@ func TestDisableClient(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, mock.Anything).Return(tc.session, tc.authenticateErr) svcCall := tsvc.On("Disable", mock.Anything, tc.session, tc.clientID).Return(tc.svcRes, tc.svcErr) 
@@ -1406,7 +1406,7 @@ func TestDeleteClient(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, mock.Anything).Return(tc.session, tc.authenticateErr) svcCall := tsvc.On("Delete", mock.Anything, tc.session, tc.clientID).Return(tc.svcErr) @@ -1501,7 +1501,7 @@ func TestSetClientParent(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr) svcCall := csvc.On("SetParentGroup", mock.Anything, tc.session, tc.parentID, tc.clientID).Return(tc.svcErr) @@ -1587,7 +1587,7 @@ func TestRemoveClientParent(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr) svcCall := csvc.On("RemoveParentGroup", mock.Anything, tc.session, tc.clientID).Return(tc.svcErr) 
@@ -1721,7 +1721,7 @@ func TestCreateClientRole(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr) svcCall := csvc.On("AddRole", mock.Anything, tc.session, tc.clientID, tc.roleReq.RoleName, tc.roleReq.OptionalActions, tc.roleReq.OptionalMembers).Return(tc.svcRes, tc.svcErr) @@ -1852,7 +1852,7 @@ func TestListClientRoles(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr) svcCall := csvc.On("RetrieveAllRoles", mock.Anything, tc.session, tc.clientID, tc.pageMeta.Limit, tc.pageMeta.Offset).Return(tc.svcRes, tc.svcErr) @@ -1969,7 +1969,7 @@ func TestViewClientRole(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr) svcCall := csvc.On("RetrieveRole", mock.Anything, tc.session, tc.clientID, tc.roleID).Return(tc.svcRes, tc.svcErr) 
@@ -2087,7 +2087,7 @@ func TestUpdateClientRole(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr) svcCall := csvc.On("UpdateRoleName", mock.Anything, tc.session, tc.clientID, tc.roleID, tc.newRoleName).Return(tc.svcRes, tc.svcErr) @@ -2183,7 +2183,7 @@ func TestDeleteClientRole(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr) svcCall := csvc.On("RemoveRole", mock.Anything, tc.session, tc.clientID, tc.roleID).Return(tc.svcErr) @@ -2306,7 +2306,7 @@ func TestAddClientRoleActions(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr) svcCall := csvc.On("RoleAddActions", mock.Anything, tc.session, tc.clientID, tc.roleID, tc.actions).Return(tc.svcRes, tc.svcErr) 
@@ -2416,7 +2416,7 @@ func TestListClientRoleActions(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr) svcCall := csvc.On("RoleListActions", mock.Anything, tc.session, tc.clientID, tc.roleID).Return(tc.svcRes, tc.svcErr) @@ -2530,7 +2530,7 @@ func TestRemoveClientRoleActions(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr) svcCall := csvc.On("RoleRemoveActions", mock.Anything, tc.session, tc.clientID, tc.roleID, tc.actions).Return(tc.svcErr) @@ -2634,7 +2634,7 @@ func TestRemoveAllClientRoleActions(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr) svcCall := csvc.On("RoleRemoveAllActions", mock.Anything, tc.session, tc.clientID, tc.roleID).Return(tc.svcErr) 
@@ -2757,7 +2757,7 @@ func TestAddClientRoleMembers(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr) svcCall := csvc.On("RoleAddMembers", mock.Anything, tc.session, tc.clientID, tc.roleID, tc.members).Return(tc.svcRes, tc.svcErr) @@ -2906,7 +2906,7 @@ func TestListClientRoleMembers(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr) svcCall := csvc.On("RoleListMembers", mock.Anything, tc.session, tc.clientID, tc.roleID, tc.pageMeta.Limit, tc.pageMeta.Offset).Return(tc.svcRes, tc.svcErr) @@ -3020,7 +3020,7 @@ func TestRemoveClientRoleMembers(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr) svcCall := csvc.On("RoleRemoveMembers", mock.Anything, tc.session, tc.clientID, tc.roleID, tc.members).Return(tc.svcErr) 
@@ -3124,7 +3124,7 @@ func TestRemoveAllClientRoleMembers(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr) svcCall := csvc.On("RoleRemoveAllMembers", mock.Anything, tc.session, tc.clientID, tc.roleID).Return(tc.svcErr) @@ -3194,7 +3194,7 @@ func TestListAvailableClientRoleActions(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr) svcCall := csvc.On("ListAvailableActions", mock.Anything, tc.session).Return(tc.svcRes, tc.svcErr) diff --git a/pkg/sdk/domains_test.go b/pkg/sdk/domains_test.go index b032fd590a..c2419aa483 100644 --- a/pkg/sdk/domains_test.go +++ b/pkg/sdk/domains_test.go @@ -158,7 +158,7 @@ func TestCreateDomain(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { if tc.token == validToken { - tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID} + tc.session = smqauthn.Session{UserID: validID, DomainID: domainID} } authCall := auth.On("Authenticate", mock.Anything, mock.Anything).Return(tc.session, tc.authnErr) svcCall := svc.On("CreateDomain", mock.Anything, tc.session, tc.svcReq).Return(tc.svcRes, []roles.RoleProvision{}, tc.svcErr) 
@@ -306,7 +306,7 @@ func TestUpdateDomain(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: tc.domainID + "_" + validID, UserID: validID, DomainID: tc.domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: tc.domainID}
 }
 authCall := authn.On("Authenticate", mock.Anything, mock.Anything).Return(tc.session, tc.authnErr)
 svcCall := svc.On("UpdateDomain", mock.Anything, tc.session, tc.domainID, mock.Anything).Return(tc.svcRes, tc.svcErr)
@@ -409,7 +409,7 @@ func TestViewDomain(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: tc.domainID + "_" + validID, UserID: validID, DomainID: tc.domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: tc.domainID}
 }
 authCall := authn.On("Authenticate", mock.Anything, mock.Anything).Return(tc.session, tc.authnErr)
 svcCall := svc.On("RetrieveDomain", mock.Anything, tc.session, tc.domainID).Return(tc.svcRes, tc.svcErr)
@@ -550,7 +550,7 @@ func TestListDomians(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := authn.On("Authenticate", mock.Anything, mock.Anything).Return(tc.session, tc.authnErr)
 svcCall := svc.On("ListDomains", mock.Anything, tc.session, tc.svcReq).Return(tc.svcRes, tc.svcErr)
@@ -624,7 +624,7 @@ func TestEnableDomain(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: tc.domainID + "_" + validID, UserID: validID, DomainID: tc.domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: tc.domainID}
 }
 authCall := authn.On("Authenticate", mock.Anything, mock.Anything).Return(tc.session, tc.authnErr)
 svcCall := svc.On("EnableDomain", mock.Anything, tc.session, tc.domainID).Return(tc.svcRes, tc.svcErr)
@@ -697,7 +697,7 @@ func TestDisableDomain(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: tc.domainID + "_" + validID, UserID: validID, DomainID: tc.domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: tc.domainID}
 }
 authCall := authn.On("Authenticate", mock.Anything, mock.Anything).Return(tc.session, tc.authnErr)
 svcCall := svc.On("DisableDomain", mock.Anything, tc.session, tc.domainID).Return(tc.svcRes, tc.svcErr)
@@ -770,7 +770,7 @@ func TestFreezeDomain(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: tc.domainID + "_" + validID, UserID: validID, DomainID: tc.domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: tc.domainID}
 }
 authCall := authn.On("Authenticate", mock.Anything, mock.Anything).Return(tc.session, tc.authnErr)
 svcCall := svc.On("FreezeDomain", mock.Anything, tc.session, tc.domainID).Return(tc.svcRes, tc.svcErr)
@@ -897,7 +897,7 @@ func TestCreateDomainRole(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: tc.domainID + "_" + validID, UserID: validID, DomainID: tc.domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: tc.domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := csvc.On("AddRole", mock.Anything, tc.session, tc.domainID, tc.roleReq.RoleName, tc.roleReq.OptionalActions, tc.roleReq.OptionalMembers).Return(tc.svcRes, tc.svcErr)
@@ -1022,7 +1022,7 @@ func TestListDomainRoles(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: tc.domainID + "_" + validID, UserID: validID, DomainID: tc.domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: tc.domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := csvc.On("RetrieveAllRoles", mock.Anything, tc.session, tc.domainID, tc.pageMeta.Limit, tc.pageMeta.Offset).Return(tc.svcRes, tc.svcErr)
@@ -1131,7 +1131,7 @@ func TestViewClietRole(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: tc.domainID + "_" + validID, UserID: validID, DomainID: tc.domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: tc.domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := csvc.On("RetrieveRole", mock.Anything, tc.session, tc.domainID, tc.roleID).Return(tc.svcRes, tc.svcErr)
@@ -1243,7 +1243,7 @@ func TestUpdateDomainRole(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: tc.domainID + "_" + validID, UserID: validID, DomainID: tc.domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: tc.domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := csvc.On("UpdateRoleName", mock.Anything, tc.session, tc.domainID, tc.roleID, tc.newRoleName).Return(tc.svcRes, tc.svcErr)
@@ -1331,7 +1331,7 @@ func TestDeleteDomainRole(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: tc.domainID + "_" + validID, UserID: validID, DomainID: tc.domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: tc.domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := csvc.On("RemoveRole", mock.Anything, tc.session, tc.domainID, tc.roleID).Return(tc.svcErr)
@@ -1446,7 +1446,7 @@ func TestAddDomainRoleActions(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: tc.domainID + "_" + validID, UserID: validID, DomainID: tc.domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: tc.domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := csvc.On("RoleAddActions", mock.Anything, tc.session, tc.domainID, tc.roleID, tc.actions).Return(tc.svcRes, tc.svcErr)
@@ -1548,7 +1548,7 @@ func TestListDomainRoleActions(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: tc.domainID + "_" + validID, UserID: validID, DomainID: tc.domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: tc.domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := csvc.On("RoleListActions", mock.Anything, tc.session, tc.domainID, tc.roleID).Return(tc.svcRes, tc.svcErr)
@@ -1654,7 +1654,7 @@ func TestRemoveDomainRoleActions(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: tc.domainID + "_" + validID, UserID: validID, DomainID: tc.domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: tc.domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := csvc.On("RoleRemoveActions", mock.Anything, tc.session, tc.domainID, tc.roleID, tc.actions).Return(tc.svcErr)
@@ -1750,7 +1750,7 @@ func TestRemoveAllDomainRoleActions(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: tc.domainID + "_" + validID, UserID: validID, DomainID: tc.domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: tc.domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := csvc.On("RoleRemoveAllActions", mock.Anything, tc.session, tc.domainID, tc.roleID).Return(tc.svcErr)
@@ -1865,7 +1865,7 @@ func TestAddDomainRoleMembers(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: tc.domainID + "_" + validID, UserID: validID, DomainID: tc.domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: tc.domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := csvc.On("RoleAddMembers", mock.Anything, tc.session, tc.domainID, tc.roleID, tc.members).Return(tc.svcRes, tc.svcErr)
@@ -2006,7 +2006,7 @@ func TestListDomainRoleMembers(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: tc.domainID + "_" + validID, UserID: validID, DomainID: tc.domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: tc.domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := csvc.On("RoleListMembers", mock.Anything, tc.session, tc.domainID, tc.roleID, tc.pageMeta.Limit, tc.pageMeta.Offset).Return(tc.svcRes, tc.svcErr)
@@ -2112,7 +2112,7 @@ func TestRemoveDomainRoleMembers(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: tc.domainID + "_" + validID, UserID: validID, DomainID: tc.domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: tc.domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := csvc.On("RoleRemoveMembers", mock.Anything, tc.session, tc.domainID, tc.roleID, tc.members).Return(tc.svcErr)
@@ -2208,7 +2208,7 @@ func TestRemoveAllDomainRoleMembers(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: tc.domainID + "_" + validID, UserID: validID, DomainID: tc.domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: tc.domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := csvc.On("RoleRemoveAllMembers", mock.Anything, tc.session, tc.domainID, tc.roleID).Return(tc.svcErr)
@@ -2269,7 +2269,7 @@ func TestListAvailableDomainRoleActions(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := csvc.On("ListAvailableActions", mock.Anything, tc.session).Return(tc.svcRes, tc.svcErr)
diff --git a/pkg/sdk/groups_test.go b/pkg/sdk/groups_test.go
index d42cdf95d9..82185dbcb4 100644
--- a/pkg/sdk/groups_test.go
+++ b/pkg/sdk/groups_test.go
@@ -260,7 +260,7 @@ func TestCreateGroup(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := gsvc.On("CreateGroup", mock.Anything, tc.session, tc.svcReq).Return(tc.svcRes, []roles.RoleProvision{}, tc.svcErr)
@@ -495,7 +495,7 @@ func TestListGroups(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := gsvc.On("ListGroups", mock.Anything, tc.session, tc.svcReq).Return(tc.svcRes, tc.svcErr)
@@ -604,7 +604,7 @@ func TestViewGroup(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := gsvc.On("ViewGroup", mock.Anything, tc.session, tc.groupID).Return(tc.svcRes, tc.svcErr)
@@ -793,7 +793,7 @@ func TestUpdateGroup(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := gsvc.On("UpdateGroup", mock.Anything, tc.session, tc.svcReq).Return(tc.svcRes, tc.svcErr)
@@ -904,7 +904,7 @@ func TestEnableGroup(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := gsvc.On("EnableGroup", mock.Anything, tc.session, tc.groupID).Return(tc.svcRes, tc.svcErr)
@@ -1015,7 +1015,7 @@ func TestDisableGroup(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := gsvc.On("DisableGroup", mock.Anything, tc.session, tc.groupID).Return(tc.svcRes, tc.svcErr)
@@ -1095,7 +1095,7 @@ func TestDeleteGroup(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := gsvc.On("DeleteGroup", mock.Anything, tc.session, tc.groupID).Return(tc.svcErr)
@@ -1191,7 +1191,7 @@ func TestSetGroupParent(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := csvc.On("AddParentGroup", mock.Anything, tc.session, tc.groupID, tc.parentID).Return(tc.svcErr)
@@ -1278,7 +1278,7 @@ func TestRemoveGroupParent(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := csvc.On("RemoveParentGroup", mock.Anything, tc.session, tc.groupID).Return(tc.svcErr)
@@ -1374,7 +1374,7 @@ func TestAddChildrenGroups(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := csvc.On("AddChildrenGroups", mock.Anything, tc.session, tc.groupID, tc.childrenIDs).Return(tc.svcErr)
@@ -1470,7 +1470,7 @@ func TestRemoveChildrenGroups(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := csvc.On("RemoveChildrenGroups", mock.Anything, tc.session, tc.groupID, tc.childrenIDs).Return(tc.svcErr)
@@ -1550,7 +1550,7 @@ func TestRemoveAllChildrenGroups(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := csvc.On("RemoveAllChildrenGroups", mock.Anything, tc.session, tc.groupID).Return(tc.svcErr)
@@ -1803,7 +1803,7 @@ func TestListChildrenGroups(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := gsvc.On("ListChildrenGroups", mock.Anything, tc.session, tc.childID, int64(1), int64(0), mock.Anything).Return(tc.svcRes, tc.svcErr)
@@ -1979,7 +1979,7 @@ func TestHierarchy(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := gsvc.On("RetrieveGroupHierarchy", mock.Anything, tc.session, tc.groupID, tc.svcReq).Return(tc.svcRes, tc.svcErr)
@@ -2115,7 +2115,7 @@ func TestCreateGroupRole(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := csvc.On("AddRole", mock.Anything, tc.session, tc.groupID, tc.roleReq.RoleName, tc.roleReq.OptionalActions, tc.roleReq.OptionalMembers).Return(tc.svcRes, tc.svcErr)
@@ -2247,7 +2247,7 @@ func TestListGroupRoles(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := csvc.On("RetrieveAllRoles", mock.Anything, tc.session, tc.groupID, tc.pageMeta.Limit, tc.pageMeta.Offset).Return(tc.svcRes, tc.svcErr)
@@ -2364,7 +2364,7 @@ func TestViewGroupRole(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := csvc.On("RetrieveRole", mock.Anything, tc.session, tc.groupID, tc.roleID).Return(tc.svcRes, tc.svcErr)
@@ -2483,7 +2483,7 @@ func TestUpdateGroupRole(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := csvc.On("UpdateRoleName", mock.Anything, tc.session, tc.groupID, tc.roleID, tc.newRoleName).Return(tc.svcRes, tc.svcErr)
@@ -2580,7 +2580,7 @@ func TestDeleteGroupRole(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := csvc.On("RemoveRole", mock.Anything, tc.session, tc.groupID, tc.roleID).Return(tc.svcErr)
@@ -2704,7 +2704,7 @@ func TestAddGroupRoleActions(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := csvc.On("RoleAddActions", mock.Anything, tc.session, tc.groupID, tc.roleID, tc.actions).Return(tc.svcRes, tc.svcErr)
@@ -2815,7 +2815,7 @@ func TestListGroupRoleActions(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := csvc.On("RoleListActions", mock.Anything, tc.session, tc.groupID, tc.roleID).Return(tc.svcRes, tc.svcErr)
@@ -2930,7 +2930,7 @@ func TestRemoveGroupRoleActions(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := csvc.On("RoleRemoveActions", mock.Anything, tc.session, tc.groupID, tc.roleID, tc.actions).Return(tc.svcErr)
@@ -3035,7 +3035,7 @@ func TestRemoveAllGroupRoleActions(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := csvc.On("RoleRemoveAllActions", mock.Anything, tc.session, tc.groupID, tc.roleID).Return(tc.svcErr)
@@ -3159,7 +3159,7 @@ func TestAddGroupRoleMembers(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := csvc.On("RoleAddMembers", mock.Anything, tc.session, tc.groupID, tc.roleID, tc.members).Return(tc.svcRes, tc.svcErr)
@@ -3309,7 +3309,7 @@ func TestListGroupRoleMembers(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := csvc.On("RoleListMembers", mock.Anything, tc.session, tc.groupID, tc.roleID, tc.pageMeta.Limit, tc.pageMeta.Offset).Return(tc.svcRes, tc.svcErr)
@@ -3424,7 +3424,7 @@ func TestRemoveGroupRoleMembers(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := csvc.On("RoleRemoveMembers", mock.Anything, tc.session, tc.groupID, tc.roleID, tc.members).Return(tc.svcErr)
@@ -3529,7 +3529,7 @@ func TestRemoveAllGroupRoleMembers(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := csvc.On("RoleRemoveAllMembers", mock.Anything, tc.session, tc.groupID, tc.roleID).Return(tc.svcErr)
@@ -3599,7 +3599,7 @@ func TestListAvailableGroupRoleActions(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := csvc.On("ListAvailableActions", mock.Anything, tc.session).Return(tc.svcRes, tc.svcErr)
diff --git a/pkg/sdk/invitations_test.go b/pkg/sdk/invitations_test.go
index 4e77f5674a..c9de0323ad 100644
--- a/pkg/sdk/invitations_test.go
+++ b/pkg/sdk/invitations_test.go
@@ -118,11 +118,7 @@ func TestSendInvitation(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == valid {
- tc.session = smqauthn.Session{
- UserID: tc.sendInvitationReq.InviteeUserID,
- DomainID: tc.sendInvitationReq.DomainID,
- DomainUserID: tc.sendInvitationReq.DomainID + "_" + tc.sendInvitationReq.InviteeUserID,
- }
+ tc.session = smqauthn.Session{UserID: tc.sendInvitationReq.InviteeUserID, DomainID: tc.sendInvitationReq.DomainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := svc.On("SendInvitation", mock.Anything, tc.session, tc.svcReq).Return(tc.svcErr)
@@ -213,7 +209,7 @@ func TestViewInvitation(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == valid {
- tc.session = smqauthn.Session{UserID: tc.userID, DomainID: tc.domainID, DomainUserID: tc.domainID + "_" + tc.userID}
+ tc.session = smqauthn.Session{UserID: tc.userID, DomainID: tc.domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := svc.On("ViewInvitation", mock.Anything, tc.session, tc.userID, tc.domainID).Return(tc.svcRes, tc.svcErr)
@@ -315,7 +311,7 @@ func TestListInvitation(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == valid {
- tc.session = smqauthn.Session{DomainUserID: validID, UserID: validID}
+ tc.session = smqauthn.Session{UserID: validID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := svc.On("ListInvitations", mock.Anything, tc.session, tc.svcReq).Return(tc.svcRes, tc.svcErr)
@@ -382,7 +378,7 @@ func TestAcceptInvitation(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == valid {
- tc.session = smqauthn.Session{DomainUserID: validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := svc.On("AcceptInvitation", mock.Anything, tc.session, tc.domainID).Return(tc.svcErr)
@@ -448,7 +444,7 @@ func TestRejectInvitation(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == valid {
- tc.session = smqauthn.Session{DomainUserID: validID, UserID: validID, DomainID: validID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := svc.On("RejectInvitation", mock.Anything, tc.session, tc.domainID).Return(tc.svcErr)
@@ -527,7 +523,7 @@ func TestDeleteInvitation(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == valid {
- tc.session = smqauthn.Session{UserID: tc.inviteeUserID, DomainID: tc.domainID, DomainUserID: tc.domainID + "_" + tc.inviteeUserID}
+ tc.session = smqauthn.Session{UserID: tc.inviteeUserID, DomainID: tc.domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := svc.On("DeleteInvitation", mock.Anything, tc.session, tc.inviteeUserID, tc.domainID).Return(tc.svcErr)
diff --git a/pkg/sdk/journal_test.go b/pkg/sdk/journal_test.go
index 8a91e6479e..e09855e7c3 100644
--- a/pkg/sdk/journal_test.go
+++ b/pkg/sdk/journal_test.go
@@ -329,7 +329,7 @@ func TestRetrieveJournal(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: domainID + "_" + validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := authn.On("Authenticate", mock.Anything, mock.Anything).Return(tc.session, tc.authnErr)
 svcCall := svc.On("RetrieveAll", mock.Anything, tc.session, tc.svcReq).Return(tc.svcRes, tc.svcErr)
diff --git a/pkg/sdk/tokens_test.go b/pkg/sdk/tokens_test.go
index 25c743a951..ddb1fd251b 100644
--- a/pkg/sdk/tokens_test.go
+++ b/pkg/sdk/tokens_test.go
@@ -161,13 +161,13 @@ func TestRefreshToken(t *testing.T) {
 }
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
- authCall := auth.On("Authenticate", mock.Anything, mock.Anything).Return(smqauthn.Session{DomainUserID: validID, UserID: validID, DomainID: validID}, tc.identifyErr)
- svcCall := svc.On("RefreshToken", mock.Anything, smqauthn.Session{DomainUserID: validID, UserID: validID, DomainID: validID}, tc.token).Return(tc.svcRes, tc.svcErr)
+ authCall := auth.On("Authenticate", mock.Anything, mock.Anything).Return(smqauthn.Session{UserID: validID, DomainID: validID}, tc.identifyErr)
+ svcCall := svc.On("RefreshToken", mock.Anything, smqauthn.Session{UserID: validID, DomainID: validID}, tc.token).Return(tc.svcRes, tc.svcErr)
 resp, err := mgsdk.RefreshToken(tc.token)
 assert.Equal(t, tc.err, err)
 assert.Equal(t, tc.response, resp)
 if tc.err == nil {
- ok := svcCall.Parent.AssertCalled(t, "RefreshToken", mock.Anything, smqauthn.Session{DomainUserID: validID, UserID: validID, DomainID: validID}, tc.token)
+ ok := svcCall.Parent.AssertCalled(t, "RefreshToken", mock.Anything, smqauthn.Session{UserID: validID, DomainID: validID}, tc.token)
 assert.True(t, ok)
 }
 svcCall.Unset()
diff --git a/pkg/sdk/users_test.go b/pkg/sdk/users_test.go
index 4bb6267728..5ba103cd34 100644
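Review bot: The literal `smqauthn.Session{UserID: validID, DomainID: validID}` is now written out three times inside TestRefreshToken's loop body (the Return, the On and the AssertCalled), which is the kind of repetition that drifts when the next field is added or removed. Hoisting it once above the `for`, `session := smqauthn.Session{UserID: validID, DomainID: validID}`, and passing `session` at all three sites keeps the expectation and the assertion guaranteed equal. The enclosing loop body continues outside the hunk.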
--- a/pkg/sdk/users_test.go
+++ b/pkg/sdk/users_test.go
@@ -557,7 +557,7 @@ func TestListUsers(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := svc.On("ListUsers", mock.Anything, tc.session, tc.svcReq).Return(tc.svcRes, tc.svcErr)
@@ -690,7 +690,7 @@ func TestSearchUsers(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
- authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(smqauthn.Session{DomainUserID: validID, UserID: validID, DomainID: domainID}, tc.authenticateErr)
+ authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(smqauthn.Session{UserID: validID, DomainID: domainID}, tc.authenticateErr)
 svcCall := svc.On("SearchUsers", mock.Anything, mock.Anything).Return(tc.searchreturn, tc.err)
 page, err := mgsdk.SearchUsers(tc.page, tc.token)
 assert.Equal(t, tc.err, err, fmt.Sprintf("%s: expected error %v, got %v", tc.desc, tc.err, err))
@@ -787,7 +787,7 @@ func TestViewUser(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := svc.On("View", mock.Anything, tc.session, tc.userID).Return(tc.svcRes, tc.svcErr)
@@ -866,7 +866,7 @@ func TestUserProfile(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := svc.On("ViewProfile", mock.Anything, tc.session).Return(tc.svcRes, tc.svcErr)
@@ -1030,7 +1030,7 @@ func TestUpdateUser(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := svc.On("Update", mock.Anything, tc.session, tc.svcReq).Return(tc.svcRes, tc.svcErr)
@@ -1188,7 +1188,7 @@ func TestUpdateUserTags(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := svc.On("UpdateTags", mock.Anything, tc.session, tc.svcReq).Return(tc.svcRes, tc.svcErr)
@@ -1336,7 +1336,7 @@ func TestUpdateUserEmail(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := svc.On("UpdateEmail", mock.Anything, tc.session, tc.updateUserReq.ID, tc.svcReq).Return(tc.svcRes, tc.svcErr)
@@ -1634,7 +1634,7 @@ func TestUpdatePassword(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := svc.On("UpdateSecret", mock.Anything, tc.session, tc.oldPassword, tc.newPassword).Return(tc.svcRes, tc.svcErr)
@@ -1792,7 +1792,7 @@ func TestUpdateUserRole(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := svc.On("UpdateRole", mock.Anything, tc.session, tc.svcReq).Return(tc.svcRes, tc.svcErr)
@@ -1956,7 +1956,7 @@ func TestUpdateUsername(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := svc.On("UpdateUsername", mock.Anything, tc.session, tc.svcReq.ID, tc.svcReq.Credentials.Username).Return(tc.svcRes, tc.svcErr)
@@ -2118,7 +2118,7 @@ func TestUpdateProfilePicture(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := svc.On("UpdateProfilePicture", mock.Anything, tc.session, tc.svcReq).Return(tc.svcRes, tc.svcErr)
@@ -2190,7 +2190,7 @@ func TestEnableUser(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := svc.On("Enable", mock.Anything, tc.session, tc.userID).Return(tc.svcRes, tc.svcErr)
@@ -2296,7 +2296,7 @@ func TestDisableUser(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := svc.On("Disable", mock.Anything, tc.session, tc.userID).Return(tc.svcRes, tc.svcErr)
@@ -2370,7 +2370,7 @@ func TestDeleteUser(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.desc, func(t *testing.T) {
 if tc.token == validToken {
- tc.session = smqauthn.Session{DomainUserID: validID, UserID: validID, DomainID: domainID}
+ tc.session = smqauthn.Session{UserID: validID, DomainID: domainID}
 }
 authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 svcCall := svc.On("Delete", mock.Anything, tc.session, tc.userID).Return(tc.svcErr)
diff --git a/users/service_test.go b/users/service_test.go
index fee974fd1a..7e9f35432b 100644
--- a/users/service_test.go
+++ b/users/service_test.go
@@ -940,7 +940,7 @@ func TestUpdateEmail(t *testing.T) {
 for _, tc := range cases {
 repoCall := cRepo.On("CheckSuperAdmin", context.Background(), mock.Anything).Return(tc.checkSuperAdminErr)
 repoCall1 := cRepo.On("Update", context.Background(), mock.Anything).Return(tc.updateEmailResponse, tc.updateEmailErr)
- updatedUser, err := svc.UpdateEmail(context.Background(), authn.Session{DomainUserID: tc.reqUserID, UserID: validID, DomainID: validID}, tc.id, tc.email)
+ updatedUser, err := svc.UpdateEmail(context.Background(), authn.Session{UserID: validID, DomainID: validID}, tc.id, tc.email)
 assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
 assert.Equal(t, tc.updateEmailResponse, updatedUser, fmt.Sprintf("%s: expected %v got %v\n", tc.desc, tc.updateEmailResponse, updatedUser))
 if tc.err == nil {
@@ -1428,7 +1428,7 @@ func TestRefreshToken(t *testing.T) {
 }{
 {
 desc: "refresh token with refresh token for an existing user",
- session: authn.Session{DomainUserID: validID, UserID: validID, DomainID: validID},
+ session: authn.Session{UserID: validID, DomainID: validID},
 refreshResp: &grpcTokenV1.Token{AccessToken: validToken, RefreshToken: &validToken, AccessType: "3"},
 repoResp: rUser,
 err: nil,
@@ -1442,7 +1442,7 @@ func TestRefreshToken(t *testing.T) {
 },
 {
 desc: "refresh token with access token for an existing user",
- session: authn.Session{DomainUserID: validID, UserID: validID, DomainID: validID},
+ session: authn.Session{UserID: validID, DomainID: validID},
 refreshResp: &grpcTokenV1.Token{},
 refresErr: svcerr.ErrAuthentication,
 repoResp: rUser,
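Review bot: The rewritten UpdateEmail call in TestUpdateEmail no longer feeds `tc.reqUserID` into the session, so every case now runs with the requester fixed to validID; the old line used reqUserID as the domain-user subject, which suggests the cases table varied the requester to exercise the non-owner / non-admin path through CheckSuperAdmin. Unless reqUserID is consumed elsewhere in the loop, `authn.Session{UserID: tc.reqUserID, DomainID: validID}` preserves that per-case distinction, and if the field is now unused it should be dropped from the cases table so the intent is not misread. The loop body continues outside the hunk.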
@@ -1450,19 +1450,19 @@ func TestRefreshToken(t *testing.T) {
 },
 {
 desc: "refresh token with refresh token for a non-existing client",
- session: authn.Session{DomainUserID: validID, UserID: validID, DomainID: validID},
+ session: authn.Session{UserID: validID, DomainID: validID},
 repoErr: repoerr.ErrNotFound,
 err: repoerr.ErrNotFound,
 },
 {
 desc: "refresh token with refresh token for a disable user",
- session: authn.Session{DomainUserID: validID, UserID: validID, DomainID: validID},
+ session: authn.Session{UserID: validID, DomainID: validID},
 repoResp: users.User{Status: users.DisabledStatus},
 err: svcerr.ErrAuthentication,
 },
 {
 desc: "refresh token with empty domain id",
- session: authn.Session{DomainUserID: validID, UserID: validID, DomainID: validID},
+ session: authn.Session{UserID: validID, DomainID: validID},
 refreshResp: &grpcTokenV1.Token{},
 refresErr: svcerr.ErrAuthentication,
 repoResp: rUser,
diff --git a/ws/handler.go b/ws/handler.go
index 238011b28d..f0a241c478 100644
--- a/ws/handler.go
+++ b/ws/handler.go
@@ -180,7 +180,7 @@ func (h *handler) Publish(ctx context.Context, topic *string, payload *[]byte) e
 return err
 }
 clientType = policies.UserType
- clientID = authnSession.DomainUserID
+ clientID = authnSession.UserID
 }
 ar := &grpcChannelsV1.AuthzReq{
@@ -262,7 +262,7 @@ func (h *handler) authAccess(ctx context.Context, token, topic string, msgType c
 return err
 }
 clientType = policies.UserType
- clientID = authnSession.DomainUserID
+ clientID = authnSession.UserID
 }
 // Topics are in the format:
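Review bot: In Publish the authorization subject is now the bare `authnSession.UserID`, whereas the removed line carried a domain-qualified identity, so the domain scope of the check has to come from somewhere else; the `grpcChannelsV1.AuthzReq` literal that starts right after the hunk is where that must happen (the channel's domain, or `authnSession.DomainID`), and if the channels authorizer still keys user membership on the old combined subject, a membership held in one domain could satisfy a publish check for a channel in another. The same assignment changes in authAccess at the second hunk of this file, so both sites need the same confirmation and the policy data that stored the old `domainID + "_" + userID` subjects needs a migration. Both function bodies continue outside the hunk, so this is inferred rather than visible here; a one-line comment at the assignment would make the contract explicit, e.g. `// clientID is the plain user ID; domain scoping must be supplied by AuthzReq, not by the subject.`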