feat: add public authorization (#64)

lcpojr · web-flow · commit acaf18932a6d · 2021-07-18T11:54:58.000-03:00
* feat: add public authorization

* chore: remove unecessary module

* feat: add public authorization

* chore: remove unused controller

* chore: add more tests
diff --git a/apps/authorizer/lib/authorizer.ex b/apps/authorizer/lib/authorizer.ex
@@ -3,8 +3,11 @@ defmodule Authorizer do
   Application to deal with request's to authorization server.
   """
 
-  alias Authorizer.Rules.Commands.AdminAccess
+  alias Authorizer.Rules.Commands.{AdminAccess, PublicAccess}
 
   @doc "Delegates to #{AdminAccess}.execute/1"
   defdelegate authorize_admin(conn), to: AdminAccess, as: :execute
+
+  @doc "Delegates to #{PublicAccess}.execute/1"
+  defdelegate authorize_public(conn), to: PublicAccess, as: :execute
 end
diff --git a/apps/authorizer/lib/rules/commands/admin_access.ex b/apps/authorizer/lib/rules/commands/admin_access.ex
@@ -2,7 +2,7 @@ defmodule Authorizer.Rules.Commands.AdminAccess do
   @moduledoc """
   Rule for authorizing a subject to do any action on admin endpoints.
 
-  In order to authorize we have to execute verify if the subject matches some
+  In order to authorize we have to execute an verification if the subject matches some
   requirements as:
     - It has admin flag enabled;
     - It is status is active;
diff --git a/apps/authorizer/lib/rules/commands/public_access.ex b/apps/authorizer/lib/rules/commands/public_access.ex
@@ -0,0 +1,44 @@
+defmodule Authorizer.Rules.Commands.PublicAccess do
+  @moduledoc """
+  Rule for authorizing a subject to do any action on public endpoints.
+
+  In order to authorize we have to execute an verification if the subject matches some
+  requirements as:
+    - It is status is active;
+  """
+
+  require Logger
+
+  alias Authorizer.Policies.SubjectActive
+  alias Plug.Conn
+
+  @steps [SubjectActive]
+
+  @doc """
+  Run the authorization flow in order to verify if the subject matches all requirements.
+  This will call the following policies:
+    - #{SubjectActive};
+  """
+  @spec execute(conn :: Conn.t()) :: :ok | {:error, :unauthorized}
+  def execute(%Conn{} = conn) do
+    @steps
+    |> Enum.reduce_while([], fn policy, opts -> run_policy(policy, conn, opts) end)
+    |> case do
+      {:error, :unauthorized} ->
+        Logger.error("Failed on some of the policies")
+        {:error, :unauthorized}
+
+      _success ->
+        :ok
+    end
+  end
+
+  defp run_policy(policy, conn, opts) do
+    with {:ok, context} <- policy.validate(conn),
+         {:ok, shared_context} <- policy.execute(context, opts) do
+      {:cont, shared_context}
+    else
+      error -> {:halt, error}
+    end
+  end
+end
diff --git a/apps/authorizer/test/rules/commands/public_access_test.exs b/apps/authorizer/test/rules/commands/public_access_test.exs
@@ -0,0 +1,53 @@
+defmodule Authorizer.Rules.Commands.PublicAccessTest do
+  use Authorizer.DataCase, async: true
+
+  alias Authorizer.Ports.ResourceManagerMock
+  alias Authorizer.Rules.Commands.PublicAccess
+
+  setup do
+    conn = %Plug.Conn{
+      private: %{
+        session: %{
+          id: Ecto.UUID.generate(),
+          jti: Ecto.UUID.generate(),
+          subject_id: Ecto.UUID.generate(),
+          subject_type: "user",
+          expires_at: NaiveDateTime.add(NaiveDateTime.utc_now(), 10_000),
+          scopes: ["admin:read", "admin.write"],
+          azp: "Watcher Ex"
+        }
+      }
+    }
+
+    {:ok, conn: conn}
+  end
+
+  describe "#{PublicAccess}.execute/1" do
+    test "succeeds if subject is active and is an admin", %{conn: conn} do
+      expect(ResourceManagerMock, :get_identity, fn %{id: user_id} ->
+        assert conn.private.session.subject_id == user_id
+        {:ok, %{status: "active", is_admin: true}}
+      end)
+
+      assert :ok == PublicAccess.execute(conn)
+    end
+
+    test "fails if identity is not active", %{conn: conn} do
+      expect(ResourceManagerMock, :get_identity, fn %{id: user_id} ->
+        assert conn.private.session.subject_id == user_id
+        {:ok, %{status: "blocked", is_admin: true}}
+      end)
+
+      assert {:error, :unauthorized} == PublicAccess.execute(conn)
+    end
+
+    test "fails if identity was not found", %{conn: conn} do
+      expect(ResourceManagerMock, :get_identity, fn %{id: user_id} ->
+        assert conn.private.session.subject_id == user_id
+        {:error, :not_found}
+      end)
+
+      assert {:error, :unauthorized} == PublicAccess.execute(conn)
+    end
+  end
+end
diff --git a/apps/rest_api/lib/controllers/public/auth.ex b/apps/rest_api/lib/controllers/public/auth.ex
@@ -11,7 +11,7 @@ defmodule RestAPI.Controllers.Public.Auth do
   }
 
   alias RestAPI.Ports.Authenticator, as: Commands
-  alias RestAPI.Views.Public.SignIn
+  alias RestAPI.Views.Public.Auth
 
   action_fallback RestAPI.Controllers.Fallback
 
@@ -30,7 +30,7 @@ defmodule RestAPI.Controllers.Public.Auth do
     with {:ok, input} <- ResourceOwner.cast_and_apply(params),
          {:ok, response} <- Commands.sign_in_resource_owner(input) do
       conn
-      |> put_view(SignIn)
+      |> put_view(Auth)
       |> put_status(200)
       |> render("token.json", response: response)
     end
@@ -42,7 +42,7 @@ defmodule RestAPI.Controllers.Public.Auth do
     with {:ok, input} <- RefreshToken.cast_and_apply(params),
          {:ok, response} <- Commands.sign_in_refresh_token(input) do
       conn
-      |> put_view(SignIn)
+      |> put_view(Auth)
       |> put_status(200)
       |> render("token.json", response: response)
     end
@@ -54,7 +54,7 @@ defmodule RestAPI.Controllers.Public.Auth do
     with {:ok, input} <- ClientCredentials.cast_and_apply(params),
          {:ok, response} <- Commands.sign_in_client_credentials(input) do
       conn
-      |> put_view(SignIn)
+      |> put_view(Auth)
       |> put_status(200)
       |> render("token.json", response: response)
     end
@@ -66,7 +66,7 @@ defmodule RestAPI.Controllers.Public.Auth do
     with {:ok, input} <- AuthorizationCode.cast_and_apply(params),
          {:ok, response} <- Commands.sign_in_authorization_code(input) do
       conn
-      |> put_view(SignIn)
+      |> put_view(Auth)
       |> put_status(200)
       |> render("token.json", response: response)
     end
diff --git a/apps/rest_api/lib/plugs/authorization.ex b/apps/rest_api/lib/plugs/authorization.ex
@@ -41,6 +41,15 @@ defmodule RestAPI.Plugs.Authorization do
     end
   end
 
+  defp authorized?(conn, "public") do
+    conn
+    |> Authorizer.authorize_public()
+    |> case do
+      :ok -> true
+      {:error, :unauthorized} -> false
+    end
+  end
+
   # We will start to authorize public endpoint on a next PR
   defp authorized?(_conn, _type), do: true
 end
diff --git a/apps/rest_api/lib/ports/authorizer.ex b/apps/rest_api/lib/ports/authorizer.ex
@@ -11,10 +11,17 @@ defmodule RestAPI.Ports.Authorizer do
   @doc "Delegates to Authorizer.authorize_admin/1"
   @callback authorize_admin(conn :: Conn.t()) :: possible_authorize_response()
 
+  @doc "Delegates to Authorizer.authorize_public/1"
+  @callback authorize_public(conn :: Conn.t()) :: possible_authorize_response()
+
   @doc "Authorizes the subject using admin rule"
   @spec authorize_admin(conn :: Conn.t()) :: possible_authorize_response()
   def authorize_admin(conn), do: implementation().authorize_admin(conn)
 
+  @doc "Authorizes the subject using public rule"
+  @spec authorize_public(conn :: Conn.t()) :: possible_authorize_response()
+  def authorize_public(conn), do: implementation().authorize_public(conn)
+
   defp implementation do
     :rest_api
     |> Application.get_env(__MODULE__)
diff --git a/apps/rest_api/lib/routers/admin.ex b/apps/rest_api/lib/routers/admin.ex
@@ -10,14 +10,18 @@ defmodule RestAPI.Routers.Admin do
     plug Tracker
   end
 
-  pipeline :authorized_by_admin do
+  pipeline :authorized_as_user do
+    plug Authorization, type: "public"
+  end
+
+  pipeline :authorized_as_admin do
     plug Authorization, type: "admin"
   end
 
   scope "/v1", RestAPI.Controller.Admin do
     pipe_through :authenticated
-    pipe_through :authorized_by_admin
+    pipe_through :authorized_as_admin
 
-    resources("/users", User, except: [:new])
+    resources "/users", User, except: [:new]
   end
 end
diff --git a/apps/rest_api/lib/views/public/auth.ex b/apps/rest_api/lib/views/public/auth.ex
@@ -1,4 +1,4 @@
-defmodule RestAPI.Views.Public.SignIn do
+defmodule RestAPI.Views.Public.Auth do
   @moduledoc false
 
   use RestAPI.View
diff --git a/apps/rest_api/test/plugs/authorization_test.exs b/apps/rest_api/test/plugs/authorization_test.exs
@@ -18,6 +18,9 @@ defmodule RestAPI.Plugs.AuthorizationTest do
 
     test "succeeds and authorizer the subject in public endpoint", ctx do
       conn = %{ctx.conn | private: %{session: ctx.session}}
+
+      expect(AuthorizerMock, :authorize_public, fn _conn -> :ok end)
+
       assert %Plug.Conn{private: %{session: _}} = Authorization.call(conn, type: "public")
     end
 
@@ -42,8 +45,10 @@ defmodule RestAPI.Plugs.AuthorizationTest do
       conn = %{ctx.conn | private: %{session: ctx.session}}
 
       expect(AuthorizerMock, :authorize_admin, fn _conn -> {:error, :unauthorized} end)
+      expect(AuthorizerMock, :authorize_public, fn _conn -> {:error, :unauthorized} end)
 
       assert %Plug.Conn{status: 401} = Authorization.call(conn, type: "admin")
+      assert %Plug.Conn{status: 401} = Authorization.call(conn, type: "public")
     end
   end
 

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-defmodule RestAPI.Views.Public.SignIn do`
	`1`	`+defmodule RestAPI.Views.Public.Auth do`
`2`	`2`	`@moduledoc false`
`3`	`3`
`4`	`4`	`use RestAPI.View`