start refactoring auth types and identity providers into app orgs (co…

…ntains errors) [#581]
rokwire · Aug 29, 2022 · e91465f · e91465f
1 parent 082fbd0
commit e91465f
Show file tree

Hide file tree

Showing 33 changed files with 249 additions and 1,292 deletions.
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -115,7 +115,7 @@
         "filename": "core/apis.go",
         "hashed_secret": "f776bc8b6836b3498c27139f23f5d64e4041af0f",
         "is_verified": false,
-        "line_number": 169
+        "line_number": 150
       }
     ],
     "core/auth/apis.go": [
@@ -124,7 +124,7 @@
         "filename": "core/auth/apis.go",
         "hashed_secret": "4d55af37dbbb6a42088d917caa1ca25428ec42c9",
         "is_verified": false,
-        "line_number": 1938
+        "line_number": 1940
       }
     ],
     "core/auth/auth.go": [
@@ -133,7 +133,7 @@
         "filename": "core/auth/auth.go",
         "hashed_secret": "4d55af37dbbb6a42088d917caa1ca25428ec42c9",
         "is_verified": false,
-        "line_number": 2388
+        "line_number": 2295
       }
     ],
     "core/auth/auth_type_email.go": [
@@ -193,7 +193,7 @@
         "filename": "core/auth/auth_type_oidc.go",
         "hashed_secret": "0ade4f3edccc8888bef404fe6b3c92c13cdfad6b",
         "is_verified": false,
-        "line_number": 377
+        "line_number": 368
       }
     ],
     "driven/emailer/adapter.go": [
@@ -279,5 +279,5 @@
       }
     ]
   },
-  "generated_at": "2022-08-09T22:15:53Z"
+  "generated_at": "2022-08-29T22:01:22Z"
 }
diff --git a/core/apis.go b/core/apis.go
@@ -75,22 +75,7 @@ func (c *APIs) storeSystemData() error {
 	transaction := func(context storage.TransactionContext) error {
 		createAccount := false
 
-		//1. insert email auth type if does not exist
-		emailAuthType, err := c.app.storage.FindAuthType(auth.AuthTypeEmail)
-		if err != nil {
-			return errors.WrapErrorAction(logutils.ActionFind, model.TypeAuthType, nil, err)
-		}
-		if emailAuthType == nil {
-			newDocuments["auth_type"] = uuid.NewString()
-			emailAuthType = &model.AuthType{ID: newDocuments["auth_type"], Code: auth.AuthTypeEmail, Description: "Authentication type relying on email and password",
-				IsExternal: false, IsAnonymous: false, UseCredentials: true, IgnoreMFA: false}
-			_, err = c.app.storage.InsertAuthType(context, *emailAuthType)
-			if err != nil {
-				return errors.WrapErrorAction(logutils.ActionInsert, model.TypeAuthType, nil, err)
-			}
-		}
-
-		//2. insert system org if does not exist
+		//1. insert system org if does not exist
 		systemOrg, err := c.app.storage.FindSystemOrganization()
 		if err != nil {
 			return errors.WrapErrorAction(logutils.ActionFind, model.TypeOrganization, nil, err)
@@ -108,7 +93,8 @@ func (c *APIs) storeSystemData() error {
 			createAccount = true
 		}
 
-		//3. insert system app and appOrg if they do not exist
+		//2. insert system app and appOrg if they do not exist
+		var systemAppOrg model.ApplicationOrganization
 		systemAdminAppOrgs, err := c.app.storage.FindApplicationsOrganizationsByOrgID(systemOrg.ID)
 		if err != nil {
 			return errors.WrapErrorAction(logutils.ActionFind, model.TypeApplicationOrganization, nil, err)
@@ -130,32 +116,27 @@ func (c *APIs) storeSystemData() error {
 			systemAdminApp := &newSystemAdminApp
 
 			//insert system admin apporg
-			emailSupport := []struct {
-				AuthTypeID string                 `bson:"auth_type_id"`
-				Params     map[string]interface{} `bson:"params"`
-			}{
-				{emailAuthType.ID, nil},
-			}
-			supportedAuthTypes := make([]model.AuthTypesSupport, len(systemAdminApp.Types))
-			for i, appType := range systemAdminApp.Types {
-				supportedAuthTypes[i] = model.AuthTypesSupport{AppTypeID: appType.ID, SupportedAuthTypes: emailSupport}
-			}
-
 			newDocuments["application_organization"] = uuid.NewString()
 			newSystemAdminAppOrg := model.ApplicationOrganization{ID: newDocuments["application_organization"], Application: *systemAdminApp, Organization: *systemOrg,
-				SupportedAuthTypes: supportedAuthTypes, DateCreated: time.Now().UTC()}
-			_, err = c.app.storage.InsertApplicationOrganization(context, newSystemAdminAppOrg)
+				AuthTypes: map[string]model.SupportedAuthType{auth.AuthTypeEmail: {}}, DateCreated: time.Now().UTC()}
+			err = c.app.storage.InsertApplicationOrganization(context, newSystemAdminAppOrg)
 			if err != nil {
 				return errors.WrapErrorAction(logutils.ActionSave, model.TypeApplicationOrganization, nil, err)
 			}
 
-			systemAdminAppOrgs = append(systemAdminAppOrgs, newSystemAdminAppOrg)
+			systemAppOrg = newSystemAdminAppOrg
 			createAccount = true
+		} else if !systemAdminAppOrgs[0].IsAuthTypeSupported(auth.AuthTypeEmail) {
+			//insert email auth type if does not exist
+			systemAppOrg = systemAdminAppOrgs[0]
+			systemAppOrg.AuthTypes[auth.AuthTypeEmail] = model.SupportedAuthType{}
+			err = c.app.storage.UpdateApplicationOrganization(context, systemAppOrg)
+			if err != nil {
+				return errors.WrapErrorAction(logutils.ActionUpdate, model.TypeApplicationOrganization, nil, err)
+			}
 		}
 
-		systemAppOrg := systemAdminAppOrgs[0]
-
-		//4. insert api key if does not exist
+		//3. insert api key if does not exist
 		apiKeys, err := c.Auth.GetApplicationAPIKeys(systemAppOrg.Application.ID)
 		if err != nil {
 			return errors.WrapErrorAction(logutils.ActionFind, model.TypeAPIKey, nil, err)
@@ -173,7 +154,7 @@ func (c *APIs) storeSystemData() error {
 			}
 		}
 
-		//5. insert all_system_core permission and grant_all_permissions permission if they do not exist
+		//4. insert all_system_core permission and grant_all_permissions permission if they do not exist
 		requiredPermissions := map[string]string{
 			model.PermissionAllSystemCore:       "Gives access to all admin and system APIs",
 			model.PermissionGrantAllPermissions: "Gives the ability to grant any permission",
@@ -223,7 +204,7 @@ func (c *APIs) storeSystemData() error {
 			if c.systemAccountEmail == "" || c.systemAccountPassword == "" {
 				return errors.ErrorData(logutils.StatusMissing, "initial system account email or password", nil)
 			}
-			newDocuments["account"], err = c.Auth.InitializeSystemAccount(context, *emailAuthType, systemAppOrg, model.PermissionAllSystemCore, c.systemAccountEmail, c.systemAccountPassword, c.logger.NewRequestLog(nil))
+			newDocuments["account"], err = c.Auth.InitializeSystemAccount(context, systemAppOrg, model.PermissionAllSystemCore, c.systemAccountEmail, c.systemAccountPassword, c.logger.NewRequestLog(nil))
 			if err != nil {
 				return errors.WrapErrorAction(logutils.ActionInitialize, "system account", nil, err)
 			}
@@ -529,16 +510,4 @@ func (s *systemImpl) SysDeleteAppConfig(id string) error {
 	return s.app.sysDeleteAppConfig(id)
 }
 
-func (s *systemImpl) SysCreateAuthTypes(code string, description string, isExternal bool, isAnonymous bool, useCredentials bool, ignoreMFA bool, params map[string]interface{}) (*model.AuthType, error) {
-	return s.app.sysCreateAuthTypes(code, description, isExternal, isAnonymous, useCredentials, ignoreMFA, params)
-}
-
-func (s *systemImpl) SysGetAuthTypes() ([]model.AuthType, error) {
-	return s.app.sysGetAuthTypes()
-}
-
-func (s *systemImpl) SysUpdateAuthTypes(ID string, code string, description string, isExternal bool, isAnonymous bool, useCredentials bool, ignoreMFA bool, params map[string]interface{}) error {
-	return s.app.SysUpdateAuthTypes(ID, code, description, isExternal, isAnonymous, useCredentials, ignoreMFA, params)
-}
-
 ///
diff --git a/core/app_system.go b/core/app_system.go
@@ -333,37 +333,3 @@ func (app *application) sysDeleteAppConfig(id string) error {
 
 	return nil
 }
-
-func (app *application) sysCreateAuthTypes(code string, description string, isExternal bool,
-	isAnonymous bool, useCredentials bool, ignoreMFA bool, params map[string]interface{}) (*model.AuthType, error) {
-
-	authTypeID, _ := uuid.NewUUID()
-	authType := model.AuthType{ID: authTypeID.String(), Code: code, Description: description,
-		IsExternal: isExternal, IsAnonymous: isAnonymous, UseCredentials: useCredentials,
-		IgnoreMFA: ignoreMFA, Params: params}
-
-	insertedAuthType, err := app.storage.InsertAuthType(nil, authType)
-	if err != nil {
-		return nil, errors.WrapErrorAction(logutils.ActionFind, model.TypeAuthType, nil, err)
-	}
-	return insertedAuthType, nil
-}
-
-func (app *application) sysGetAuthTypes() ([]model.AuthType, error) {
-	getAuthTypes, err := app.storage.FindAuthTypes()
-	if err != nil {
-		return nil, errors.WrapErrorAction(logutils.ActionGet, model.TypeAuthType, nil, err)
-	}
-
-	return getAuthTypes, nil
-}
-
-func (app *application) SysUpdateAuthTypes(ID string, code string, description string, isExternal bool, isAnonymous bool, useCredentials bool, ignoreMFA bool, params map[string]interface{}) error {
-	err := app.storage.UpdateAuthTypes(ID, code, description, isExternal, isAnonymous, useCredentials, ignoreMFA, params)
-	if err != nil {
-		return errors.WrapErrorAction(logutils.ActionUpdate, model.TypeAuthType, nil, err)
-	}
-
-	return err
-
-}
diff --git a/core/auth/apis.go b/core/auth/apis.go
@@ -78,7 +78,7 @@ func (a *Auth) Login(ipAddress string, deviceType string, deviceOS *string, devi
 	//TODO - analyse what should go in one transaction
 
 	//validate if the provided auth type is supported by the provided application and organization
-	authType, appType, appOrg, err := a.validateAuthType(authenticationType, appTypeIdentifier, orgID)
+	appType, appOrg, err := a.validateAuthType(authenticationType, appTypeIdentifier, orgID)
 	if err != nil {
 		return nil, nil, nil, errors.WrapErrorAction(logutils.ActionValidate, typeAuthType, nil, err)
 	}
@@ -107,26 +107,26 @@ func (a *Auth) Login(ipAddress string, deviceType string, deviceOS *string, devi
 	var state string
 
 	//get the auth type implementation for the auth type
-	if authType.IsAnonymous && !admin {
+	if authImpl, err := a.getAnonymousAuthTypeImpl(authenticationType); err == nil && !admin {
 		anonymous = true
 
 		anonymousID := ""
-		anonymousID, responseParams, err = a.applyAnonymousAuthType(*authType, creds)
+		anonymousID, responseParams, err = a.applyAnonymousAuthType(authImpl, creds)
 		if err != nil {
 			return nil, nil, nil, errors.WrapErrorAction("apply anonymous auth type", "user", nil, err)
 		}
 		sub = anonymousID
 
-	} else if authType.IsExternal {
-		accountAuthType, responseParams, mfaTypes, externalIDs, err = a.applyExternalAuthType(*authType, *appType, *appOrg, creds, params, profile, preferences, admin, l)
+	} else if authImpl, err := a.getExternalAuthTypeImpl(authenticationType); err == nil {
+		accountAuthType, responseParams, mfaTypes, externalIDs, err = a.applyExternalAuthType(authImpl, *appType, *appOrg, creds, params, profile, preferences, admin, l)
 		if err != nil {
 			return nil, nil, nil, errors.WrapErrorAction("apply external auth type", "user", nil, err)
 
 		}
 
 		sub = accountAuthType.Account.ID
-	} else {
-		message, accountAuthType, mfaTypes, externalIDs, err = a.applyAuthType(*authType, *appOrg, creds, params, profile, preferences, admin, l)
+	} else if authImpl, err := a.getAuthTypeImpl(authenticationType); err == nil {
+		message, accountAuthType, mfaTypes, externalIDs, err = a.applyAuthType(authImpl, *appOrg, creds, params, profile, preferences, admin, l)
 		if err != nil {
 			return nil, nil, nil, errors.WrapErrorAction("apply auth type", "user", nil, err)
 		}
@@ -138,6 +138,8 @@ func (a *Auth) Login(ipAddress string, deviceType string, deviceOS *string, devi
 		sub = accountAuthType.Account.ID
 
 		//the credentials are valid
+	} else {
+		return nil, nil, nil, errors.ErrorData(logutils.StatusInvalid, typeAuthType, logutils.StringArgs(authenticationType))
 	}
 
 	//check if account is enrolled in MFA
@@ -239,13 +241,13 @@ func (a *Auth) CanSignIn(authenticationType string, userIdentifier string, apiKe
 //	Returns:
 //		canLink (bool): valid when error is nil
 func (a *Auth) CanLink(authenticationType string, userIdentifier string, apiKey string, appTypeIdentifier string, orgID string) (bool, error) {
-	account, authTypeID, err := a.getAccount(authenticationType, userIdentifier, apiKey, appTypeIdentifier, orgID)
+	account, err := a.getAccount(authenticationType, userIdentifier, apiKey, appTypeIdentifier, orgID)
 	if err != nil {
 		return false, errors.WrapErrorAction(logutils.ActionGet, model.TypeAccount, nil, err)
 	}
 
 	if account != nil {
-		aat := account.GetAccountAuthType(authTypeID, userIdentifier)
+		aat := account.GetAccountAuthType(authenticationType, userIdentifier)
 		return (aat != nil && aat.Unverified), nil
 	}
 
@@ -1614,10 +1616,10 @@ func (a *Auth) DeleteAccount(id string) error {
 }
 
 // InitializeSystemAccount initializes the first system account
-func (a *Auth) InitializeSystemAccount(context storage.TransactionContext, authType model.AuthType, appOrg model.ApplicationOrganization,
-	allSystemPermission string, email string, password string, l *logs.Log) (string, error) {
+func (a *Auth) InitializeSystemAccount(context storage.TransactionContext, appOrg model.ApplicationOrganization, allSystemPermission string,
+	email string, password string, l *logs.Log) (string, error) {
 	//auth type
-	authImpl, err := a.getAuthTypeImpl(authType)
+	authImpl, err := a.getAuthTypeImpl(AuthTypeEmail)
 	if err != nil {
 		return "", errors.WrapErrorAction(logutils.ActionLoadCache, typeAuthType, nil, err)
 	}