absmach · felixgateru · Feb 7, 2025 · Feb 10, 2025 · Feb 12, 2025
@@ -8,7 +8,6 @@ import (
 	"net/http"
 
 	apiutil "github.com/absmach/supermq/api/http/util"
-	"github.com/absmach/supermq/auth"
 	smqauthn "github.com/absmach/supermq/pkg/authn"
 	"github.com/go-chi/chi/v5"
 )
@@ -38,7 +37,6 @@ func AuthenticateMiddleware(authn smqauthn.Authentication, domainCheck bool) fun
 					return
 				}
 				resp.DomainID = domain
-				resp.DomainUserID = auth.EncodeDomainUserID(domain, resp.UserID)
 			}
 
 			ctx := context.WithValue(r.Context(), SessionKey, resp)

@@ -356,18 +356,17 @@ func (svc service) checkUserDomain(ctx context.Context, key Key) (subject string
 		}); err == nil {
 			return key.User, nil
 		}
-		// Check user is domain member.
-		domainUserSubject := EncodeDomainUserID(key.Domain, key.User)
+
 		if err = svc.Authorize(ctx, policies.Policy{
-			Subject:     domainUserSubject,
+			Subject:     key.User,
 			SubjectType: policies.UserType,
 			Permission:  policies.MembershipPermission,
 			Object:      key.Domain,
 			ObjectType:  policies.DomainType,
 		}); err != nil {
 			return "", err
 		}
-		return domainUserSubject, nil
+		return key.User, nil
 	}
 	return "", nil
 }
@@ -432,31 +431,6 @@ func SwitchToPermission(relation string) string {
 	}
 }
 
-func EncodeDomainUserID(domainID, userID string) string {
-	if domainID == "" || userID == "" {
-		return ""
-	}
-	return domainID + "_" + userID
-}
-
-func DecodeDomainUserID(domainUserID string) (string, string) {
-	if domainUserID == "" {
-		return domainUserID, domainUserID
-	}
-	duid := strings.Split(domainUserID, "_")
-
-	switch {
-	case len(duid) == 2:
-		return duid[0], duid[1]
-	case len(duid) == 1:
-		return duid[0], ""
-	case len(duid) == 0 || len(duid) > 2:
-		fallthrough
-	default:
-		return "", ""
-	}
-}
-
 func (svc service) CreatePAT(ctx context.Context, token, name, description string, duration time.Duration, scope Scope) (PAT, error) {
 	key, err := svc.Identify(ctx, token)
 	if err != nil {

@@ -421,14 +421,14 @@ func TestIssue(t *testing.T) {
 				ObjectType:  policies.PlatformType,
 			},
 			checkDomainMemberReq: policies.Policy{
-				Subject:     auth.EncodeDomainUserID(domainID, userID),
+				Subject:     userID,
 				SubjectType: policies.UserType,
 				Permission:  policies.MembershipPermission,
 				Object:      domainID,
 				ObjectType:  policies.DomainType,
 			},
 			checkDomainMemberReq1: policies.Policy{
-				Subject:     auth.EncodeDomainUserID(domainID, userID),
+				Subject:     userID,
 				SubjectType: policies.UserType,
 				Permission:  policies.MembershipPermission,
 				Object:      domainID,
@@ -455,7 +455,7 @@ func TestIssue(t *testing.T) {
 				ObjectType:  policies.PlatformType,
 			},
 			checkDomainMemberReq: policies.Policy{
-				Subject:     auth.EncodeDomainUserID(domainID, userID),
+				Subject:     userID,
 				SubjectType: policies.UserType,
 				Permission:  policies.MembershipPermission,
 				Object:      domainID,
@@ -552,14 +552,14 @@ func TestIssue(t *testing.T) {
 				ObjectType:  policies.PlatformType,
 			},
 			checkDomainMemberReq: policies.Policy{
-				Subject:     auth.EncodeDomainUserID(domainID, userID),
+				Subject:     userID,
 				SubjectType: policies.UserType,
 				Permission:  policies.MembershipPermission,
 				Object:      domainID,
 				ObjectType:  policies.DomainType,
 			},
 			checkDomainMemberReq1: policies.Policy{
-				Subject:     auth.EncodeDomainUserID(domainID, userID),
+				Subject:     userID,
 				SubjectType: policies.UserType,
 				Permission:  policies.MembershipPermission,
 				Object:      domainID,
@@ -586,14 +586,14 @@ func TestIssue(t *testing.T) {
 				ObjectType:  policies.PlatformType,
 			},
 			checkDomainMemberReq: policies.Policy{
-				Subject:     auth.EncodeDomainUserID(domainID, userID),
+				Subject:     userID,
 				SubjectType: policies.UserType,
 				Permission:  policies.MembershipPermission,
 				Object:      domainID,
 				ObjectType:  policies.DomainType,
 			},
 			checkDomainMemberReq1: policies.Policy{
-				Subject:     auth.EncodeDomainUserID(domainID, userID),
+				Subject:     userID,
 				SubjectType: policies.UserType,
 				Permission:  policies.MembershipPermission,
 				Object:      domainID,
@@ -1163,82 +1163,3 @@ func TestSwitchToPermission(t *testing.T) {
 		assert.Equal(t, tc.result, result, fmt.Sprintf("switching to permission expected to succeed: %s", result))
 	}
 }
-
-func TestEncodeDomainUserID(t *testing.T) {
-	cases := []struct {
-		desc     string
-		domainID string
-		userID   string
-		response string
-	}{
-		{
-			desc:     "encode domain user id successfully",
-			domainID: validID,
-			userID:   validID,
-			response: validID + "_" + validID,
-		},
-		{
-			desc:     "encode domain user id with empty userID",
-			domainID: validID,
-			userID:   "",
-			response: "",
-		},
-		{
-			desc:     "encode domain user id with empty domain ID",
-			domainID: "",
-			userID:   validID,
-			response: "",
-		},
-		{
-			desc:     "encode domain user id with empty domain ID and userID",
-			domainID: "",
-			userID:   "",
-			response: "",
-		},
-	}
-
-	for _, tc := range cases {
-		ar := auth.EncodeDomainUserID(tc.domainID, tc.userID)
-		assert.Equal(t, tc.response, ar, fmt.Sprintf("%s expected %s got %s\n", tc.desc, tc.response, ar))
-	}
-}
-
-func TestDecodeDomainUserID(t *testing.T) {
-	cases := []struct {
-		desc         string
-		domainUserID string
-		respDomainID string
-		respUserID   string
-	}{
-		{
-			desc:         "decode domain user id successfully",
-			domainUserID: validID + "_" + validID,
-			respDomainID: validID,
-			respUserID:   validID,
-		},
-		{
-			desc:         "decode domain user id with empty domainUserID",
-			domainUserID: "",
-			respDomainID: "",
-			respUserID:   "",
-		},
-		{
-			desc:         "decode domain user id with empty UserID",
-			domainUserID: validID,
-			respDomainID: validID,
-			respUserID:   "",
-		},
-		{
-			desc:         "decode domain user id with invalid domainuserId",
-			domainUserID: validID + "_" + validID + "_" + validID + "_" + validID,
-			respDomainID: "",
-			respUserID:   "",
-		},
-	}
-
-	for _, tc := range cases {
-		ar, er := auth.DecodeDomainUserID(tc.domainUserID)
-		assert.Equal(t, tc.respUserID, er, fmt.Sprintf("%s expected %s got %s\n", tc.desc, tc.respUserID, er))
-		assert.Equal(t, tc.respDomainID, ar, fmt.Sprintf("%s expected %s got %s\n", tc.desc, tc.respDomainID, ar))
-	}
-}
@@ -224,7 +224,7 @@ func TestIssueCert(t *testing.T) {
 				body:        strings.NewReader(tc.request),
 			}
 			if tc.token == valid {
-				tc.session = smqauthn.Session{DomainUserID: validID, UserID: validID, DomainID: validID}
+				tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 			}
 			authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 			svcCall := svc.On("IssueCert", mock.Anything, tc.domainID, tc.token, tc.clientID, tc.ttl).Return(tc.svcRes, tc.svcErr)
@@ -310,7 +310,7 @@ func TestViewCert(t *testing.T) {
 				token:  tc.token,
 			}
 			if tc.token == valid {
-				tc.session = smqauthn.Session{DomainUserID: validID, UserID: validID, DomainID: validID}
+				tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 			}
 			authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 			svcCall := svc.On("ViewCert", mock.Anything, tc.serialID).Return(tc.svcRes, tc.svcErr)
@@ -403,7 +403,7 @@ func TestRevokeCert(t *testing.T) {
 				token:  tc.token,
 			}
 			if tc.token == valid {
-				tc.session = smqauthn.Session{DomainUserID: validID, UserID: validID, DomainID: validID}
+				tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 			}
 			authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 			svcCall := svc.On("RevokeCert", mock.Anything, tc.domainID, tc.token, tc.serialID).Return(tc.svcRes, tc.svcErr)
@@ -646,7 +646,7 @@ func TestListSerials(t *testing.T) {
 				token:  tc.token,
 			}
 			if tc.token == valid {
-				tc.session = smqauthn.Session{DomainUserID: validID, UserID: validID, DomainID: validID}
+				tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 			}
 			authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 			svcCall := svc.On("ListSerials", mock.Anything, tc.clientID, certs.PageMetadata{Revoked: tc.revoked, Offset: tc.offset, Limit: tc.limit}).Return(tc.svcRes, tc.svcErr)

@@ -174,7 +174,7 @@ func TestCreateChannelEndpoint(t *testing.T) {
 				body:        strings.NewReader(data),
 			}
 			if tc.token == validToken {
-				tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+				tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 			}
 			authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 			svcCall := svc.On("CreateChannels", mock.Anything, tc.session, tc.req).Return(tc.svcResp, []roles.RoleProvision{}, tc.svcErr)
@@ -310,7 +310,7 @@ func TestCreateChannelsEndpoint(t *testing.T) {
 				body:        strings.NewReader(data),
 			}
 			if tc.token == validToken {
-				tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+				tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 			}
 			authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 			svcCall := svc.On("CreateChannels", mock.Anything, tc.session, tc.req[0]).Return(tc.svcResp, []roles.RoleProvision{}, tc.svcErr)
@@ -407,7 +407,7 @@ func TestViewChannelEndpoint(t *testing.T) {
 				token:  tc.token,
 			}
 			if tc.token == validToken {
-				tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+				tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 			}
 			authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 			svcCall := svc.On("ViewChannel", mock.Anything, tc.session, tc.id).Return(tc.svcResp, tc.svcErr)
@@ -714,7 +714,7 @@ func TestListChannels(t *testing.T) {
 				token:       tc.token,
 			}
 			if tc.token == validToken {
-				tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+				tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 			}
 			authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 			svcCall := svc.On("ListChannels", mock.Anything, tc.session, mock.Anything).Return(tc.listChannelsResponse, tc.err)
@@ -857,7 +857,7 @@ func TestUpdateChannelEndpoint(t *testing.T) {
 				body:        strings.NewReader(data),
 			}
 			if tc.token == validToken {
-				tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+				tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 			}
 			authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 			svcCall := svc.On("UpdateChannel", mock.Anything, tc.session, tc.updateReq).Return(tc.svcResp, tc.svcErr)
@@ -997,7 +997,7 @@ func TestUpdateChannelTagsEndpoint(t *testing.T) {
 				body:        strings.NewReader(tc.data),
 			}
 			if tc.token == validToken {
-				tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+				tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 			}
 			authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 			svcCall := svc.On("UpdateChannelTags", mock.Anything, tc.session, channels.Channel{ID: tc.id, Tags: []string{newTag}}).Return(tc.svcResp, tc.svcErr)
@@ -1139,7 +1139,7 @@ func TestSetChannelParentGroupEndpoint(t *testing.T) {
 				body:        strings.NewReader(tc.data),
 			}
 			if tc.token == validToken {
-				tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+				tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 			}
 			authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 			svcCall := svc.On("SetParentGroup", mock.Anything, tc.session, validID, tc.id).Return(tc.svcErr)
@@ -1227,7 +1227,7 @@ func TestRemoveChannelParentGroupEndpoint(t *testing.T) {
 				token:  tc.token,
 			}
 			if tc.token == validToken {
-				tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+				tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 			}
 			authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 			svcCall := svc.On("RemoveParentGroup", mock.Anything, tc.session, tc.id).Return(tc.svcErr)
@@ -1323,7 +1323,7 @@ func TestEnableChannelEndpoint(t *testing.T) {
 				token:  tc.token,
 			}
 			if tc.token == validToken {
-				tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+				tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 			}
 			authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 			svcCall := svc.On("EnableChannel", mock.Anything, tc.session, tc.id).Return(tc.svcResp, tc.svcErr)
@@ -1426,7 +1426,7 @@ func TestDisableChannelEndpoint(t *testing.T) {
 				token:  tc.token,
 			}
 			if tc.token == validToken {
-				tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+				tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 			}
 			authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 			svcCall := svc.On("DisableChannel", mock.Anything, tc.session, tc.id).Return(tc.svcResp, tc.svcErr)
@@ -1535,7 +1535,7 @@ func TestConnectChannelClientEndpoint(t *testing.T) {
 				body:        strings.NewReader(tc.data),
 			}
 			if tc.token == validToken {
-				tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+				tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 			}
 			authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 			svcCall := svc.On("Connect", mock.Anything, tc.session, []string{tc.id}, []string{validID}, []connections.ConnType{1}).Return(tc.svcErr)
@@ -1637,7 +1637,7 @@ func TestDisconnectChannelClientEndpoint(t *testing.T) {
 				body:        strings.NewReader(tc.data),
 			}
 			if tc.token == validToken {
-				tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+				tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 			}
 			authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 			svcCall := svc.On("Disconnect", mock.Anything, tc.session, []string{tc.id}, []string{validID}, []connections.ConnType{1}).Return(tc.svcErr)
@@ -1767,7 +1767,7 @@ func TestConnectEndpoint(t *testing.T) {
 				})),
 			}
 			if tc.token == validToken {
-				tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+				tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 			}
 			authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 			svcCall := svc.On("Connect", mock.Anything, tc.session, tc.channelIDs, tc.clientIDs, tc.types).Return(tc.svcErr)
@@ -1897,7 +1897,7 @@ func TestDisconnectEndpoint(t *testing.T) {
 				})),
 			}
 			if tc.token == validToken {
-				tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+				tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 			}
 			authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 			svcCall := svc.On("Disconnect", mock.Anything, tc.session, tc.channelIDs, tc.clientIDs, tc.types).Return(tc.svcErr)
@@ -1980,7 +1980,7 @@ func TestDeleteChannelEndpoint(t *testing.T) {
 				token:  tc.token,
 			}
 			if tc.token == validToken {
-				tc.session = smqauthn.Session{DomainUserID: validID + "_" + validID, UserID: validID, DomainID: validID}
+				tc.session = smqauthn.Session{UserID: validID, DomainID: validID}
 			}
 			authCall := authn.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 			svcCall := svc.On("RemoveChannel", mock.Anything, tc.session, tc.id).Return(tc.svcErr)