Merge pull request #166 from Vicg853/fix/role-update

Fix/role update

.dockerignore

@@ -9,3 +9,4 @@ build
 data.db
 app/node_modules
 app/build
+certs/

.gitignore

@@ -13,4 +13,5 @@ data.db
 *.tar.gz
 .vscode/
 .yalc
-yalc.lock
+yalc.lock
+certs/

server/constants/env.go

@@ -38,6 +38,12 @@ const (
 	EnvKeyDatabasePort = "DATABASE_PORT"
 	// EnvKeyDatabaseHost key for env variable DATABASE_HOST
 	EnvKeyDatabaseHost = "DATABASE_HOST"
+	// EnvKeyDatabaseCert key for env variable DATABASE_CERT
+	EnvKeyDatabaseCert = "DATABASE_CERT"
+	// EnvKeyDatabaseCertKey key for env variable DATABASE_KEY
+	EnvKeyDatabaseCertKey = "DATABASE_CERT_KEY"
+	// EnvKeyDatabaseCACert key for env variable DATABASE_CA_CERT
+	EnvKeyDatabaseCACert = "DATABASE_CA_CERT"
 	// EnvKeySmtpHost key for env variable SMTP_HOST
 	EnvKeySmtpHost = "SMTP_HOST"
 	// EnvKeySmtpPort key for env variable SMTP_PORT

server/db/providers/cassandradb/provider.go

@@ -1,13 +1,17 @@
 package cassandradb
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"log"
 	"strings"
 
 	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/crypto"
 	"github.com/authorizerdev/authorizer/server/db/models"
 	"github.com/authorizerdev/authorizer/server/envstore"
+	"github.com/gocql/gocql"
 	cansandraDriver "github.com/gocql/gocql"
 )
 
@@ -21,6 +25,13 @@ var KeySpace string
 // NewProvider to initialize arangodb connection
 func NewProvider() (*provider, error) {
 	dbURL := envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseURL)
+	if dbURL == "" {
+		dbURL = envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseHost)
+		if envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabasePort) != "" {
+			dbURL = fmt.Sprintf("%s:%s", dbURL, envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabasePort))
+		}
+	}
+
 	KeySpace = envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseName)
 	clusterURL := []string{}
 	if strings.Contains(dbURL, ",") {
@@ -36,10 +47,44 @@ func NewProvider() (*provider, error) {
 		}
 	}
 
+	if envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseCert) != "" && envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseCACert) != "" && envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseCertKey) != "" {
+		certString, err := crypto.DecryptB64(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseCert))
+		if err != nil {
+			return nil, err
+		}
+
+		keyString, err := crypto.DecryptB64(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseCertKey))
+		if err != nil {
+			return nil, err
+		}
+
+		caString, err := crypto.DecryptB64(envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyDatabaseCACert))
+		if err != nil {
+			return nil, err
+		}
+
+		cert, err := tls.X509KeyPair([]byte(certString), []byte(keyString))
+		if err != nil {
+			return nil, err
+		}
+
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM([]byte(caString))
+
+		cassandraClient.SslOpts = &cansandraDriver.SslOptions{
+			Config: &tls.Config{
+				Certificates:       []tls.Certificate{cert},
+				RootCAs:            caCertPool,
+				InsecureSkipVerify: true,
+			},
+			EnableHostVerification: false,
+		}
+	}
+
 	cassandraClient.RetryPolicy = &cansandraDriver.SimpleRetryPolicy{
 		NumRetries: 3,
 	}
-	cassandraClient.Consistency = cansandraDriver.Quorum
+	cassandraClient.Consistency = gocql.LocalQuorum
 
 	session, err := cassandraClient.CreateSession()
 	if err != nil {
@@ -47,12 +92,31 @@ func NewProvider() (*provider, error) {
 		return nil, err
 	}
 
-	keyspaceQuery := fmt.Sprintf("CREATE KEYSPACE IF NOT EXISTS %s WITH REPLICATION = {'class': 'SimpleStrategy', 'replication_factor':1}",
+	// Note for astra keyspaces can only be created from there console
-		KeySpace)
+	// https://docs.datastax.com/en/astra/docs/datastax-astra-faq.html#_i_am_trying_to_create_a_keyspace_in_the_cql_shell_and_i_am_running_into_an_error_how_do_i_fix_this
-	err = session.Query(keyspaceQuery).Exec()
+	getKeyspaceQuery := fmt.Sprintf("SELECT keyspace_name FROM system_schema.keyspaces;")
-	if err != nil {
+	scanner := session.Query(getKeyspaceQuery).Iter().Scanner()
-		log.Println("Unable to create keyspace:", err)
+	hasAuthorizerKeySpace := false
-		return nil, err
+	for scanner.Next() {
+		var keySpace string
+		err := scanner.Scan(&keySpace)
+		if err != nil {
+			log.Println("Error while getting keyspace information", err)
+			return nil, err
+		}
+		if keySpace == KeySpace {
+			hasAuthorizerKeySpace = true
+			break
+		}
+	}
+
+	if !hasAuthorizerKeySpace {
+		createKeySpaceQuery := fmt.Sprintf("CREATE KEYSPACE %s WITH REPLICATION = {'class': 'SimpleStrategy', 'replication_factor': 1};", KeySpace)
+		err = session.Query(createKeySpaceQuery).Exec()
+		if err != nil {
+			log.Println("Error while creating keyspace", err)
+			return nil, err
+		}
 	}
 
 	// make sure collections are present

server/env/env.go

@@ -42,6 +42,9 @@ func InitRequiredEnv() error {
 	dbHost := os.Getenv(constants.EnvKeyDatabaseHost)
 	dbUsername := os.Getenv(constants.EnvKeyDatabaseUsername)
 	dbPassword := os.Getenv(constants.EnvKeyDatabasePassword)
+	dbCert := os.Getenv(constants.EnvKeyDatabaseCert)
+	dbCertKey := os.Getenv(constants.EnvKeyDatabaseCertKey)
+	dbCACert := os.Getenv(constants.EnvKeyDatabaseCACert)
 
 	if strings.TrimSpace(dbType) == "" {
 		if envstore.ARG_DB_TYPE != nil && *envstore.ARG_DB_TYPE != "" {
@@ -77,6 +80,10 @@ func InitRequiredEnv() error {
 	envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyDatabasePort, dbPort)
 	envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyDatabaseUsername, dbUsername)
 	envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyDatabasePassword, dbPassword)
+	envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyDatabaseCert, dbCert)
+	envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyDatabaseCertKey, dbCertKey)
+	envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyDatabaseCACert, dbCACert)
+
 	return nil
 }
 

server/handlers/oauth_callback.go

@@ -174,7 +174,11 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 			sessionstore.SetState(authToken.RefreshToken.Token, authToken.FingerPrint+"@"+user.ID)
 		}
 
-		go utils.SaveSessionInDB(c, user.ID)
+		go db.Provider.AddSession(models.Session{
+			UserID:    user.ID,
+			UserAgent: utils.GetUserAgent(c.Request),
+			IP:        utils.GetIP(c.Request),
+		})
 		if strings.Contains(redirectURL, "?") {
 			redirectURL = redirectURL + "&" + params
 		} else {

server/handlers/oauth_login.go

@@ -52,7 +52,7 @@ func OAuthLoginHandler() gin.HandlerFunc {
 
 			// use protected roles verification for admin login only.
 			// though if not associated with user, it will be rejected from oauth_callback
-			if !utils.IsValidRoles(append([]string{}, append(envstore.EnvStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyRoles), envstore.EnvStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyProtectedRoles)...)...), rolesSplit) {
+			if !utils.IsValidRoles(rolesSplit, append([]string{}, append(envstore.EnvStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyRoles), envstore.EnvStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyProtectedRoles)...)...)) {
 				c.JSON(400, gin.H{
 					"error": "invalid role",
 				})

server/handlers/verify_email.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/db"
+	"github.com/authorizerdev/authorizer/server/db/models"
 	"github.com/authorizerdev/authorizer/server/sessionstore"
 	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
@@ -109,7 +110,11 @@ func VerifyEmailHandler() gin.HandlerFunc {
 			redirectURL = redirectURL + "?" + params
 		}
 
-		go utils.SaveSessionInDB(c, user.ID)
+		go db.Provider.AddSession(models.Session{
+			UserID:    user.ID,
+			UserAgent: utils.GetUserAgent(c.Request),
+			IP:        utils.GetIP(c.Request),
+		})
 
 		c.Redirect(http.StatusTemporaryRedirect, redirectURL)
 	}

server/resolvers/login.go

@@ -10,6 +10,7 @@ import (
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/db"
+	"github.com/authorizerdev/authorizer/server/db/models"
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/sessionstore"
@@ -57,7 +58,7 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes
 	roles := envstore.EnvStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyDefaultRoles)
 	currentRoles := strings.Split(user.Roles, ",")
 	if len(params.Roles) > 0 {
-		if !utils.IsValidRoles(currentRoles, params.Roles) {
+		if !utils.IsValidRoles(params.Roles, currentRoles) {
 			return res, fmt.Errorf(`invalid roles`)
 		}
 
@@ -96,7 +97,11 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes
 		sessionstore.SetState(authToken.RefreshToken.Token, authToken.FingerPrint+"@"+user.ID)
 	}
 
-	go utils.SaveSessionInDB(gc, user.ID)
+	go db.Provider.AddSession(models.Session{
+		UserID:    user.ID,
+		UserAgent: utils.GetUserAgent(gc.Request),
+		IP:        utils.GetIP(gc.Request),
+	})
 
 	return res, nil
 }

server/resolvers/magic_link_login.go

@@ -52,7 +52,7 @@ func MagicLinkLoginResolver(ctx context.Context, params model.MagicLinkLoginInpu
 		// define roles for new user
 		if len(params.Roles) > 0 {
 			// check if roles exists
-			if !utils.IsValidRoles(envstore.EnvStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyRoles), params.Roles) {
+			if !utils.IsValidRoles(params.Roles, envstore.EnvStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyRoles)) {
 				return res, fmt.Errorf(`invalid roles`)
 			} else {
 				inputRoles = params.Roles

server/resolvers/signup.go

@@ -174,7 +174,11 @@ func SignupResolver(ctx context.Context, params model.SignUpInput) (*model.AuthR
 
 		sessionstore.SetState(authToken.FingerPrintHash, authToken.FingerPrint+"@"+user.ID)
 		cookie.SetSession(gc, authToken.FingerPrintHash)
-		go utils.SaveSessionInDB(gc, user.ID)
+		go db.Provider.AddSession(models.Session{
+			UserID:    user.ID,
+			UserAgent: utils.GetUserAgent(gc.Request),
+			IP:        utils.GetIP(gc.Request),
+		})
 
 		expiresIn := authToken.AccessToken.ExpiresAt - time.Now().Unix()
 		if expiresIn <= 0 {

server/resolvers/verify_email.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/db"
+	"github.com/authorizerdev/authorizer/server/db/models"
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/sessionstore"
 	"github.com/authorizerdev/authorizer/server/token"
@@ -62,7 +63,11 @@ func VerifyEmailResolver(ctx context.Context, params model.VerifyEmailInput) (*m
 	sessionstore.SetState(authToken.FingerPrintHash, authToken.FingerPrint+"@"+user.ID)
 	sessionstore.SetState(authToken.AccessToken.Token, authToken.FingerPrint+"@"+user.ID)
 	cookie.SetSession(gc, authToken.FingerPrintHash)
-	go utils.SaveSessionInDB(gc, user.ID)
+	go db.Provider.AddSession(models.Session{
+		UserID:    user.ID,
+		UserAgent: utils.GetUserAgent(gc.Request),
+		IP:        utils.GetIP(gc.Request),
+	})
 
 	expiresIn := authToken.AccessToken.ExpiresAt - time.Now().Unix()
 	if expiresIn <= 0 {

server/test/resolvers_test.go

@@ -11,10 +11,10 @@ import (
 
 func TestResolvers(t *testing.T) {
 	databases := map[string]string{
-		// constants.DbTypeSqlite: "../../data.db",
+		constants.DbTypeSqlite: "../../data.db",
 		// constants.DbTypeArangodb: "http://localhost:8529",
 		// constants.DbTypeMongodb:  "mongodb://localhost:27017",
-		constants.DbTypeCassandraDB: "127.0.0.1:9042",
+		// constants.DbTypeCassandraDB: "127.0.0.1:9042",
 	}
 
 	for dbType, dbURL := range databases {

server/test/test.go

@@ -31,31 +31,31 @@ type TestSetup struct {
 }
 
 func cleanData(email string) {
-	// verificationRequest, err := db.Provider.GetVerificationRequestByEmail(email, constants.VerificationTypeBasicAuthSignup)
+	verificationRequest, err := db.Provider.GetVerificationRequestByEmail(email, constants.VerificationTypeBasicAuthSignup)
-	// if err == nil {
+	if err == nil {
-	// 	err = db.Provider.DeleteVerificationRequest(verificationRequest)
+		err = db.Provider.DeleteVerificationRequest(verificationRequest)
-	// }
+	}
 
-	// verificationRequest, err = db.Provider.GetVerificationRequestByEmail(email, constants.VerificationTypeForgotPassword)
+	verificationRequest, err = db.Provider.GetVerificationRequestByEmail(email, constants.VerificationTypeForgotPassword)
-	// if err == nil {
+	if err == nil {
-	// 	err = db.Provider.DeleteVerificationRequest(verificationRequest)
+		err = db.Provider.DeleteVerificationRequest(verificationRequest)
-	// }
+	}
 
-	// verificationRequest, err = db.Provider.GetVerificationRequestByEmail(email, constants.VerificationTypeUpdateEmail)
+	verificationRequest, err = db.Provider.GetVerificationRequestByEmail(email, constants.VerificationTypeUpdateEmail)
-	// if err == nil {
+	if err == nil {
-	// 	err = db.Provider.DeleteVerificationRequest(verificationRequest)
+		err = db.Provider.DeleteVerificationRequest(verificationRequest)
-	// }
+	}
 
-	// verificationRequest, err = db.Provider.GetVerificationRequestByEmail(email, constants.VerificationTypeMagicLinkLogin)
+	verificationRequest, err = db.Provider.GetVerificationRequestByEmail(email, constants.VerificationTypeMagicLinkLogin)
-	// if err == nil {
+	if err == nil {
-	// 	err = db.Provider.DeleteVerificationRequest(verificationRequest)
+		err = db.Provider.DeleteVerificationRequest(verificationRequest)
-	// }
+	}
 
-	// dbUser, err := db.Provider.GetUserByEmail(email)
+	dbUser, err := db.Provider.GetUserByEmail(email)
-	// if err == nil {
+	if err == nil {
-	// 	db.Provider.DeleteUser(dbUser)
+		db.Provider.DeleteUser(dbUser)
-	// 	db.Provider.DeleteSession(dbUser.ID)
+		db.Provider.DeleteSession(dbUser.ID)
-	// }
+	}
 }
 
 func createContext(s TestSetup) (*http.Request, context.Context) {

server/test/update_user_test.go

@@ -24,6 +24,7 @@ func updateUserTest(t *testing.T, s TestSetup) {
 		})
 
 		user := *signupRes.User
+
 		adminRole := "supplier"
 		userRole := "user"
 		newRoles := []*string{&adminRole, &userRole}
@@ -40,6 +41,15 @@ func updateUserTest(t *testing.T, s TestSetup) {
 			ID:    user.ID,
 			Roles: newRoles,
 		})
+		// supplier is not part of envs
+		assert.Error(t, err)
+		adminRole = "admin"
+		envstore.EnvStoreObj.UpdateEnvVariable(constants.SliceStoreIdentifier, constants.EnvKeyProtectedRoles, []string{adminRole})
+		newRoles = []*string{&adminRole, &userRole}
+		_, err = resolvers.UpdateUserResolver(ctx, model.UpdateUserInput{
+			ID:    user.ID,
+			Roles: newRoles,
+		})
 		assert.Nil(t, err)
 		cleanData(email)
 	})

server/token/auth_token.go

@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"log"
-	"os"
 	"strings"
 	"time"
 
@@ -318,7 +317,7 @@ func CreateIDToken(user models.User, roles []string, hostname, nonce string) (st
 	}
 
 	// check for the extra access token script
-	accessTokenScript := os.Getenv(constants.EnvKeyCustomAccessTokenScript)
+	accessTokenScript := envstore.EnvStoreObj.GetStringStoreEnvVariable(constants.EnvKeyCustomAccessTokenScript)
 	if accessTokenScript != "" {
 		vm := otto.New()
 

server/utils/common.go

@@ -1,12 +1,7 @@
 package utils
 
 import (
-	"log"
 	"reflect"
-
-	"github.com/authorizerdev/authorizer/server/db"
-	"github.com/authorizerdev/authorizer/server/db/models"
-	"github.com/gin-gonic/gin"
 )
 
 // StringSliceContains checks if a string slice contains a particular string
@@ -19,23 +14,6 @@ func StringSliceContains(s []string, e string) bool {
 	return false
 }
 
-// SaveSessionInDB saves sessions generated for a given user with meta information
-// Do not store token here as that could be security breach
-func SaveSessionInDB(c *gin.Context, userId string) {
-	sessionData := models.Session{
-		UserID:    userId,
-		UserAgent: GetUserAgent(c.Request),
-		IP:        GetIP(c.Request),
-	}
-
-	err := db.Provider.AddSession(sessionData)
-	if err != nil {
-		log.Println("=> error saving session in db:", err)
-	} else {
-		log.Println("=> session saved in db:", sessionData)
-	}
-}
-
 // RemoveDuplicateString removes duplicate strings from a string slice
 func RemoveDuplicateString(strSlice []string) []string {
 	allKeys := make(map[string]bool)

server/utils/file.go

@@ -0,0 +1,48 @@
+package utils
+
+import (
+	"errors"
+	"os"
+)
+
+// CreateFolder creates a folder in Current working dir
+func CreateFolder(dir string) (string, error) {
+	pwd, err := os.Getwd()
+	if err != nil {
+		return "", err
+	}
+	path := pwd + "/" + dir
+	err = os.Mkdir(path, 0o755)
+	if err == nil {
+		return path, nil
+	}
+	if os.IsExist(err) {
+		// check that the existing path is a directory
+		info, err := os.Stat(path)
+		if err != nil {
+			return "", err
+		}
+		if !info.IsDir() {
+			return "", errors.New("path exists but is not a directory")
+		}
+		return path, nil
+	}
+	return path, err
+}
+
+// CreateFile creates a file on given path with given content
+func CreateFile(filePath string, content string) error {
+	f, err := os.Create(filePath)
+	if err != nil {
+		return err
+	}
+
+	defer f.Close()
+
+	_, err = f.WriteString(content)
+
+	if err != nil {
+		return err
+	}
+	return nil
+}

server/utils/validator.go

@@ -54,8 +54,8 @@ func IsValidOrigin(url string) bool {
 // IsValidRoles validates roles
 func IsValidRoles(userRoles []string, roles []string) bool {
 	valid := true
-	for _, role := range roles {
+	for _, userRole := range userRoles {
-		if !StringSliceContains(userRoles, role) {
+		if !StringSliceContains(roles, userRole) {
 			valid = false
 			break
 		}