From 8d6c10a04cea6ffd35eae6cebc9a7a4eb24b48ea Mon Sep 17 00:00:00 2001
From: Dmitry Ponomarev <demdxx@gmail.com>
Date: Fri, 29 Mar 2024 20:42:35 +0100
Subject: [PATCH] Up migrations

---
 auth/jwt/provider.go                     | 14 +++-----------
 auth/tokenextractor/default.go           | 18 ++++++++++++++++++
 middleware/auth.go                       | 15 ++++++---------
 migrations/initial/005_auth_roles.up.sql | 18 +++++++++---------
 4 files changed, 36 insertions(+), 29 deletions(-)
 create mode 100644 auth/tokenextractor/default.go

diff --git a/auth/jwt/provider.go b/auth/jwt/provider.go
index 80aed31..e74b07d 100644
--- a/auth/jwt/provider.go
+++ b/auth/jwt/provider.go
@@ -9,9 +9,8 @@ import (
 	jwtmiddleware "github.com/auth0/go-jwt-middleware"
 	"github.com/demdxx/gocast/v2"
 	"github.com/form3tech-oss/jwt-go"
-	"github.com/ory/fosite"
 
-	"github.com/geniusrabbit/blaze-api/auth/elogin/utils"
+	"github.com/geniusrabbit/blaze-api/auth/tokenextractor"
 )
 
 var (
@@ -64,15 +63,8 @@ func NewDefaultProvider(secret string, tokenLifetime time.Duration, isDebug bool
 		TokenLifetime: tokenLifetime,
 		Secret:        secret,
 		MiddlewareOpts: &jwtmiddleware.Options{
-			Debug: isDebug,
-			Extractor: func(r *http.Request) (string, error) {
-				token := fosite.AccessTokenFromRequest(r)
-				if token == "" {
-					state := utils.DecodeState(r.URL.Query().Get("state"))
-					token = state.Get(`access_token`)
-				}
-				return token, nil
-			},
+			Debug:     isDebug,
+			Extractor: tokenextractor.DefaultExtractor,
 		},
 	}
 }
diff --git a/auth/tokenextractor/default.go b/auth/tokenextractor/default.go
new file mode 100644
index 0000000..ccf97c2
--- /dev/null
+++ b/auth/tokenextractor/default.go
@@ -0,0 +1,18 @@
+package tokenextractor
+
+import (
+	"net/http"
+
+	"github.com/ory/fosite"
+
+	"github.com/geniusrabbit/blaze-api/auth/elogin/utils"
+)
+
+func DefaultExtractor(r *http.Request) (string, error) {
+	token := fosite.AccessTokenFromRequest(r)
+	if token == "" {
+		state := utils.DecodeState(r.URL.Query().Get("state"))
+		token = state.Get(`access_token`)
+	}
+	return token, nil
+}
diff --git a/middleware/auth.go b/middleware/auth.go
index 6a54524..2850560 100644
--- a/middleware/auth.go
+++ b/middleware/auth.go
@@ -15,9 +15,9 @@ import (
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promauto"
 
-	"github.com/geniusrabbit/blaze-api/auth/elogin/utils"
 	"github.com/geniusrabbit/blaze-api/auth/jwt"
 	"github.com/geniusrabbit/blaze-api/auth/oauth2/serverprovider"
+	"github.com/geniusrabbit/blaze-api/auth/tokenextractor"
 	"github.com/geniusrabbit/blaze-api/context/ctxlogger"
 	"github.com/geniusrabbit/blaze-api/context/session"
 	"github.com/geniusrabbit/blaze-api/model"
@@ -68,16 +68,13 @@ func AuthHTTP(metricsPrefix string, next http.Handler, oauth2provider fosite.OAu
 	authWr := newAuthWrapper(metricsPrefix)
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		var (
-			err          error
-			ctx          = r.Context()
-			isJWTSession = false
-			token        = fosite.AccessTokenFromRequest(r)
 			authorized   = false
+			isJWTSession = false
+			ctx          = r.Context()
+			token, err   = tokenextractor.DefaultExtractor(r)
 		)
-		// If authroization by social network then all parameters will be passed in the state
-		if token == "" && r.URL.Query().Get("state") != "" {
-			state := utils.DecodeState(r.URL.Query().Get("state"))
-			token = state.Get("access_token")
+		if err != nil {
+			ctxlogger.Get(r.Context()).Error("token extraction", zap.Error(err))
 		}
 		// If token is empty then it's anonymous user
 		if token == "" {
diff --git a/migrations/initial/005_auth_roles.up.sql b/migrations/initial/005_auth_roles.up.sql
index a105952..e307369 100644
--- a/migrations/initial/005_auth_roles.up.sql
+++ b/migrations/initial/005_auth_roles.up.sql
@@ -3,16 +3,16 @@ INSERT INTO rbac_role
   (name, title, context, permissions) VALUES
   -- System roles
   ('system:admin',       'System admins',      NULL, '{"*"}'),
-  ('system:manager',     'System manager',     NULL, '{"*.{view|list|count|create|update|delete|restore|approve|reject|reset}.*", "role.**", "user.password.reset", "account.member.**"}'),
-  ('system:analyst',     'System analyst',     NULL, '{"*.{view|list|count}.*", "*.*.{view|list|count}.*", "role.check", "user.password.reset"}'),
-  ('system:viewer',      'System viewer',      NULL, '{"*.{view|list|count}.*", "role.check", "user.password.reset"}'),
-  ('system:compliance',  'System compliance',  NULL, '{"*.{view|list|count|approve|reject}.*", "*.*.{view|list|count|approve|reject}.*", "role.check", "user.password.reset"}'),
+  ('system:manager',     'System manager',     NULL, '{"*.{view|list|count|create|update|delete|restore|approve|reject|reset}.*", "role.**", "user.password.reset", "account.member.**", "permission.**"}'),
+  ('system:analyst',     'System analyst',     NULL, '{"*.{view|list|count}.*", "*.*.{view|list|count}.*", "role.check", "user.password.reset", "permission.list"}'),
+  ('system:viewer',      'System viewer',      NULL, '{"*.{view|list|count}.*", "role.check", "user.password.reset", "permission.list"}'),
+  ('system:compliance',  'System compliance',  NULL, '{"*.{view|list|count|approve|reject}.*", "*.*.{view|list|count|approve|reject}.*", "role.check", "user.password.reset", "permission.list"}'),
   -- Account roles'
-  ('account:admin',      'Account admins',     NULL, '{"*.*.{account|owner}", "*.*.*.{account|owner}", "role.check", "user.password.reset"}'),
-  ('account:writer',     'Account writer',     NULL, '{"*.{view|list|restore}.{account|owner}", "*.*.{view|list|restore}.{account|owner}", "role.check", "user.password.reset"}'),
-  ('account:analyst',    'Account analyst',    NULL, '{"*.{view|list}.{account|owner}", "*.*.{view|list}.{account|owner}", "role.check", "user.password.reset"}'),
-  ('account:viewer',     'Account viewer',     NULL, '{"*.{view|list}.{account|owner}", "*.*.{view|list}.{account|owner}", "role.check", "user.password.reset"}'),
-  ('account:compliance', 'Account compliance', NULL, '{"*.{view|list|approve|reject}.{account|owner}", "*.*.{view|list|approve|reject}.{account|owner}", "role.check", "user.password.reset"}');
+  ('account:admin',      'Account admins',     NULL, '{"*.*.{account|owner}", "*.*.*.{account|owner}", "role.check", "user.password.reset", "permission.list"}'),
+  ('account:writer',     'Account writer',     NULL, '{"*.{view|list|restore}.{account|owner}", "*.*.{view|list|restore}.{account|owner}", "role.check", "user.password.reset", "permission.list"}'),
+  ('account:analyst',    'Account analyst',    NULL, '{"*.{view|list}.{account|owner}", "*.*.{view|list}.{account|owner}", "role.check", "user.password.reset", "permission.list"}'),
+  ('account:viewer',     'Account viewer',     NULL, '{"*.{view|list}.{account|owner}", "*.*.{view|list}.{account|owner}", "role.check", "user.password.reset", "permission.list"}'),
+  ('account:compliance', 'Account compliance', NULL, '{"*.{view|list|approve|reject}.{account|owner}", "*.*.{view|list|approve|reject}.{account|owner}", "role.check", "user.password.reset", "permission.list"}');
 
 INSERT INTO m2m_account_member_role(member_id, role_id)
   SELECT m.id as member_id, (SELECT id FROM rbac_role WHERE name = 'system:admin') AS role_id