152 lines
4.0 KiB
Go
152 lines
4.0 KiB
Go
package client
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"net/http"
|
|
"reflect"
|
|
)
|
|
|
|
// CompanyPrivileges contains the privileges for a combination of email address and company id
|
|
type CompanyPrivileges struct {
|
|
Admin bool `json:"admin"`
|
|
Company bool `json:"company"`
|
|
Consumer bool `json:"consumer"`
|
|
Time bool `json:"time"`
|
|
Invoicing bool `json:"invoicing"`
|
|
Accounting bool `json:"accounting"`
|
|
Supplier bool `json:"supplier"`
|
|
}
|
|
|
|
// PrivilegeHandler processes PrivilegeAdded-events and fetches the initial set of privileges from an authz-service
|
|
type PrivilegeHandler struct {
|
|
client *http.Client
|
|
baseURL string
|
|
privileges map[string]map[string]*CompanyPrivileges
|
|
}
|
|
|
|
// OptsFunc is used to configure the PrivilegeHandler
|
|
type OptsFunc func(handler *PrivilegeHandler)
|
|
|
|
// WithBaseURL sets the base URL to the authz-service
|
|
func WithBaseURL(url string) OptsFunc {
|
|
return func(handler *PrivilegeHandler) {
|
|
handler.baseURL = url
|
|
}
|
|
}
|
|
|
|
// New creates a new PrivilegeHandler. Pass OptsFuncs to configure.
|
|
func New(opts ...OptsFunc) *PrivilegeHandler {
|
|
handler := &PrivilegeHandler{
|
|
client: &http.Client{},
|
|
baseURL: "http://authz-service",
|
|
privileges: map[string]map[string]*CompanyPrivileges{},
|
|
}
|
|
for _, opt := range opts {
|
|
opt(handler)
|
|
}
|
|
return handler
|
|
}
|
|
|
|
// Fetch the initial set of privileges from an authz-service
|
|
func (h *PrivilegeHandler) Fetch() error {
|
|
resp, err := h.client.Get(fmt.Sprintf("%s/authz", h.baseURL))
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
buff, err := ioutil.ReadAll(resp.Body)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
err = json.Unmarshal(buff, &h.privileges)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// Process privilege-related events and update the internal state
|
|
func (h *PrivilegeHandler) Process(msg interface{}) bool {
|
|
switch ev := msg.(type) {
|
|
case *UserAdded:
|
|
if priv, exists := h.privileges[ev.Email]; exists {
|
|
priv[ev.CompanyID] = &CompanyPrivileges{}
|
|
} else {
|
|
h.privileges[ev.Email] = map[string]*CompanyPrivileges{
|
|
ev.CompanyID: {},
|
|
}
|
|
}
|
|
return true
|
|
case *UserRemoved:
|
|
if priv, exists := h.privileges[ev.Email]; exists {
|
|
delete(priv, ev.CompanyID)
|
|
}
|
|
return true
|
|
case *PrivilegeAdded:
|
|
h.setPrivileges(ev.Email, ev.CompanyID, ev.Privilege, true)
|
|
return true
|
|
case *PrivilegeRemoved:
|
|
h.setPrivileges(ev.Email, ev.CompanyID, ev.Privilege, false)
|
|
return true
|
|
default:
|
|
fmt.Printf("Got unexpected message type (%s): '%+v'\n", reflect.TypeOf(msg).String(), msg)
|
|
return false
|
|
}
|
|
}
|
|
|
|
func (h *PrivilegeHandler) setPrivileges(email, companyId string, privilege Privilege, set bool) {
|
|
if priv, exists := h.privileges[email]; exists {
|
|
if c, exists := priv[companyId]; exists {
|
|
switch privilege {
|
|
case PrivilegeAdmin:
|
|
c.Admin = set
|
|
case PrivilegeCompany:
|
|
c.Company = set
|
|
case PrivilegeConsumer:
|
|
c.Consumer = set
|
|
case PrivilegeTime:
|
|
c.Time = set
|
|
case PrivilegeInvoicing:
|
|
c.Invoicing = set
|
|
case PrivilegeAccounting:
|
|
c.Accounting = set
|
|
case PrivilegeSupplier:
|
|
c.Supplier = set
|
|
}
|
|
} else {
|
|
priv[companyId] = &CompanyPrivileges{}
|
|
h.setPrivileges(email, companyId, privilege, set)
|
|
}
|
|
} else {
|
|
h.privileges[email] = map[string]*CompanyPrivileges{}
|
|
h.setPrivileges(email, companyId, privilege, set)
|
|
}
|
|
}
|
|
|
|
// CompaniesByUser return a slice of company ids matching the provided email and predicate func
|
|
func (h *PrivilegeHandler) CompaniesByUser(email string, predicate func(privileges CompanyPrivileges) bool) []string {
|
|
var result []string
|
|
if p, exists := h.privileges[email]; exists {
|
|
for k, v := range p {
|
|
if predicate(*v) {
|
|
result = append(result, k)
|
|
}
|
|
}
|
|
}
|
|
return result
|
|
}
|
|
|
|
// IsAllowed return true if the provided predicate return true for the privileges matching the provided email and companyID, return false otherwise
|
|
func (h *PrivilegeHandler) IsAllowed(email, companyID string, predicate func(privileges CompanyPrivileges) bool) bool {
|
|
if p, exists := h.privileges[email]; exists {
|
|
if v, exists := p[companyID]; exists {
|
|
return predicate(*v)
|
|
}
|
|
}
|
|
|
|
return false
|
|
}
|