[#346] Fix configs to support multi-tenancy

.github/workflows/detect-secrets.yaml

@@ -8,12 +8,14 @@ jobs:
     container: python:latest
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
+
+    - run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
 
     - name: Install Yelp's detect secrets
       run: |
         apt-get update && apt-get install -y jq
         pip install yq
         pip install detect-secrets==$(yq -r .repos[0].rev .pre-commit-config.yaml)
     - name: Detect potential secrets
-      run: find -type f -not -path './.git/*' -printf '%P\n' | xargs detect-secrets-hook --baseline .secrets.baseline
+      run: git ls-files -z | xargs -0 detect-secrets-hook --baseline .secrets.baseline

.secrets.baseline

@@ -75,10 +75,6 @@
     {
       "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
     },
-    {
-      "path": "detect_secrets.filters.common.is_baseline_file",
-      "filename": ".secrets.baseline"
-    },
     {
       "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
       "min_level": 2
@@ -109,12 +105,6 @@
     },
     {
       "path": "detect_secrets.filters.heuristic.is_templated_secret"
-    },
-    {
-      "path": "detect_secrets.filters.regex.should_exclude_file",
-      "pattern": [
-        "go.sum"
-      ]
     }
   ],
   "results": {
@@ -124,8 +114,7 @@
         "filename": "README.md",
         "hashed_secret": "112bb791304791ddcf692e29fd5cf149b35fea37",
         "is_verified": false,
-        "line_number": 23,
-        "is_secret": false
+        "line_number": 23
       }
     ],
     "driven/authman/adapter.go": [
@@ -134,8 +123,7 @@
         "filename": "driven/authman/adapter.go",
         "hashed_secret": "941b2c7dc20fdba5a806569a85d022d4fc919525",
         "is_verified": false,
-        "line_number": 39,
-        "is_secret": false
+        "line_number": 39
       }
     ],
     "driven/rewards/adapter.go": [
@@ -144,8 +132,7 @@
         "filename": "driven/rewards/adapter.go",
         "hashed_secret": "d8e8bbab2645e80215848443c09ca41ac5caa4e1",
         "is_verified": false,
-        "line_number": 46,
-        "is_secret": false
+        "line_number": 46
       }
     ],
     "driven/smtp/adapter.go": [
@@ -154,8 +141,7 @@
         "filename": "driven/smtp/adapter.go",
         "hashed_secret": "d8e8bbab2645e80215848443c09ca41ac5caa4e1",
         "is_verified": false,
-        "line_number": 30,
-        "is_secret": false
+        "line_number": 30
       }
     ],
     "driver/web/auth.go": [
@@ -164,50 +150,44 @@
         "filename": "driver/web/auth.go",
         "hashed_secret": "47ba63d38f624336f93ea4e976b53a00d6f0337c",
         "is_verified": false,
-        "line_number": 131,
-        "is_secret": false
+        "line_number": 86
       },
       {
         "type": "Secret Keyword",
         "filename": "driver/web/auth.go",
-        "hashed_secret": "bfd9e18ca4489720cec5bb4b3b28e4edad02c45a",
+        "hashed_secret": "2720e4984f69fc9c7e31373ea616b07b5c7e72dd",
         "is_verified": false,
-        "line_number": 209,
-        "is_secret": false
+        "line_number": 161
       },
       {
         "type": "Secret Keyword",
         "filename": "driver/web/auth.go",
         "hashed_secret": "d3f775338d6d042e1b687982d84e392d041f3b0b",
         "is_verified": false,
-        "line_number": 224,
-        "is_secret": false
+        "line_number": 176
       },
       {
         "type": "Secret Keyword",
         "filename": "driver/web/auth.go",
         "hashed_secret": "2ae54691ede74558dc887d397903a79031def7f8",
         "is_verified": false,
-        "line_number": 281,
-        "is_secret": false
+        "line_number": 233
       },
       {
         "type": "Secret Keyword",
         "filename": "driver/web/auth.go",
         "hashed_secret": "32af2ceba9eb2748e8bd9f6ebd4450a6b0271a5e",
         "is_verified": false,
-        "line_number": 285,
-        "is_secret": false
+        "line_number": 237
       },
       {
         "type": "Secret Keyword",
         "filename": "driver/web/auth.go",
         "hashed_secret": "a23be006fadbd85ce60d87580e3f127c58a824ce",
         "is_verified": false,
-        "line_number": 295,
-        "is_secret": false
+        "line_number": 247
       }
     ]
   },
-  "generated_at": "2022-12-01T17:05:51Z"
+  "generated_at": "2023-02-18T00:34:00Z"
 }

CHANGELOG.md

@@ -5,6 +5,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## Unreleased
+### Fixed
+- Fix configs to support multi-tenancy [#346](https://github.com/rokwire/groups-building-block/issues/346)
+- Fix multi-tenancy [#224](https://github.com/rokwire/groups-building-block/issues/224)
 
 ## [1.16.1] - 2023-02-14
 ### Fixed

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.19-bullseye as builder
+FROM golang:1.20-bullseye as builder
 
 ENV CGO_ENABLED=0
 
@@ -19,8 +19,8 @@ COPY --from=builder /groups-app/driver/web/authorization_policy.csv /driver/web/
 COPY --from=builder /groups-app/driver/web/permissions_authorization_policy.csv /driver/web/permissions_authorization_policy.csv
 COPY --from=builder /groups-app/driver/web/scope_authorization_policy.csv /driver/web/scope_authorization_policy.csv
 
-COPY --from=builder /groups-app/vendor/github.com/rokwire/core-auth-library-go/v2/authorization/authorization_model_scope.conf /groups-app/vendor/github.com/rokwire/core-auth-library-go/v2/authorization/authorization_model_scope.conf
-COPY --from=builder /groups-app/vendor/github.com/rokwire/core-auth-library-go/v2/authorization/authorization_model_string.conf /groups-app/vendor/github.com/rokwire/core-auth-library-go/v2/authorization/authorization_model_string.conf
+COPY --from=builder /groups-app/vendor/github.com/rokwire/core-auth-library-go/v3/authorization/authorization_model_scope.conf /groups-app/vendor/github.com/rokwire/core-auth-library-go/v3/authorization/authorization_model_scope.conf
+COPY --from=builder /groups-app/vendor/github.com/rokwire/core-auth-library-go/v3/authorization/authorization_model_string.conf /groups-app/vendor/github.com/rokwire/core-auth-library-go/v3/authorization/authorization_model_string.conf
 
 COPY --from=builder /etc/passwd /etc/passwd
 

README.md

@@ -11,7 +11,7 @@ The API documentation is available here: https://api.rokwire.illinois.edu/gr/doc
 ### Prerequisites
 MongoDB v4.2.2+
 
-Go v1.16+
+Go v1.20+
 
 ### Environment variables
 The following Environment variables are supported. The service will not start unless those marked as Required are supplied.

core/administration.go

@@ -14,17 +14,133 @@
 
 package core
 
-import "groups/core/model"
+import (
+	"groups/core/model"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/rokwire/core-auth-library-go/v3/authutils"
+	"github.com/rokwire/core-auth-library-go/v3/tokenauth"
+	"github.com/rokwire/logging-library-go/v2/errors"
+	"github.com/rokwire/logging-library-go/v2/logutils"
+)
 
 func (app *Application) getTODO() error {
 	return nil
 }
 
-func (app *Application) getGroupsUnprotected(clientID string, filter model.GroupsFilter) ([]model.Group, error) {
-	groups, err := app.storage.FindGroups(clientID, nil, filter)
+func (app *Application) getGroupsUnprotected(filter model.GroupsFilter) ([]model.Group, error) {
+	groups, err := app.storage.FindGroups(nil, filter)
 	if err != nil {
 		return nil, err
 	}
 
 	return groups, nil
 }
+
+func (app *Application) getConfig(id string, claims *tokenauth.Claims) (*model.Config, error) {
+	config, err := app.storage.FindConfigByID(id)
+	if err != nil {
+		return nil, errors.WrapErrorAction(logutils.ActionFind, model.TypeConfig, nil, err)
+	}
+	if config == nil {
+		return nil, errors.ErrorData(logutils.StatusMissing, model.TypeConfig, &logutils.FieldArgs{"id": id})
+	}
+
+	err = claims.CanAccess(config.AppID, config.OrgID, config.System)
+	if err != nil {
+		return nil, errors.WrapErrorAction(logutils.ActionValidate, "config access", nil, err)
+	}
+
+	return config, nil
+}
+
+func (app *Application) getConfigs(configType *string, claims *tokenauth.Claims) ([]model.Config, error) {
+	configs, err := app.storage.FindConfigs(configType)
+	if err != nil {
+		return nil, errors.WrapErrorAction(logutils.ActionFind, model.TypeConfig, nil, err)
+	}
+
+	allowedConfigs := make([]model.Config, 0)
+	for _, config := range configs {
+		if err := claims.CanAccess(config.AppID, config.OrgID, config.System); err == nil {
+			allowedConfigs = append(allowedConfigs, config)
+		}
+	}
+	return allowedConfigs, nil
+}
+
+func (app *Application) createConfig(config model.Config, claims *tokenauth.Claims) (*model.Config, error) {
+	// must be a system config if applying to all orgs
+	if config.OrgID == authutils.AllOrgs && !config.System {
+		return nil, errors.ErrorData(logutils.StatusInvalid, "config system status", &logutils.FieldArgs{"config.org_id": authutils.AllOrgs})
+	}
+
+	err := claims.CanAccess(config.AppID, config.OrgID, config.System)
+	if err != nil {
+		return nil, errors.WrapErrorAction(logutils.ActionValidate, "config access", nil, err)
+	}
+
+	config.ID = uuid.NewString()
+	config.DateCreated = time.Now().UTC()
+	err = app.storage.InsertConfig(config)
+	if err != nil {
+		return nil, errors.WrapErrorAction(logutils.ActionInsert, model.TypeConfig, nil, err)
+	}
+	return &config, nil
+}
+
+func (app *Application) updateConfig(config model.Config, claims *tokenauth.Claims) error {
+	// must be a system config if applying to all orgs
+	if config.OrgID == authutils.AllOrgs && !config.System {
+		return errors.ErrorData(logutils.StatusInvalid, "config system status", &logutils.FieldArgs{"config.org_id": authutils.AllOrgs})
+	}
+
+	oldConfig, err := app.storage.FindConfig(config.Type, config.AppID, config.OrgID)
+	if err != nil {
+		return errors.WrapErrorAction(logutils.ActionFind, model.TypeConfig, nil, err)
+	}
+	if oldConfig == nil {
+		return errors.ErrorData(logutils.StatusMissing, model.TypeConfig, &logutils.FieldArgs{"type": config.Type, "app_id": config.AppID, "org_id": config.OrgID})
+	}
+
+	// cannot update a system config if not a system admin
+	if !claims.System && oldConfig.System {
+		return errors.ErrorData(logutils.StatusInvalid, "system claim", nil)
+	}
+	err = claims.CanAccess(config.AppID, config.OrgID, config.System)
+	if err != nil {
+		return errors.WrapErrorAction(logutils.ActionValidate, "config access", nil, err)
+	}
+
+	now := time.Now().UTC()
+	config.ID = oldConfig.ID
+	config.DateUpdated = &now
+
+	err = app.storage.UpdateConfig(config)
+	if err != nil {
+		return errors.WrapErrorAction(logutils.ActionUpdate, model.TypeConfig, nil, err)
+	}
+	return nil
+}
+
+func (app *Application) deleteConfig(id string, claims *tokenauth.Claims) error {
+	config, err := app.storage.FindConfigByID(id)
+	if err != nil {
+		return errors.WrapErrorAction(logutils.ActionFind, model.TypeConfig, nil, err)
+	}
+	if config == nil {
+		return errors.ErrorData(logutils.StatusMissing, model.TypeConfig, &logutils.FieldArgs{"id": id})
+	}
+
+	err = claims.CanAccess(config.AppID, config.OrgID, config.System)
+	if err != nil {
+		return errors.WrapErrorAction(logutils.ActionValidate, "config access", nil, err)
+	}
+
+	err = app.storage.DeleteConfig(id)
+	if err != nil {
+		return errors.WrapErrorAction(logutils.ActionDelete, model.TypeConfig, nil, err)
+	}
+	return nil
+}