Mainflux.mainflux/users/service.go

473 lines
12 KiB
Go

// Copyright (c) Mainflux
// SPDX-License-Identifier: Apache-2.0
package users
import (
"context"
"regexp"
"time"
"github.com/mainflux/mainflux"
"github.com/mainflux/mainflux/auth"
"github.com/mainflux/mainflux/internal/apiutil"
mfclients "github.com/mainflux/mainflux/pkg/clients"
"github.com/mainflux/mainflux/pkg/errors"
"github.com/mainflux/mainflux/users/postgres"
)
const (
userKind = "users"
tokenKind = "token"
userType = "user"
groupType = "group"
)
var (
// ErrRecoveryToken indicates error in generating password recovery token.
ErrRecoveryToken = errors.New("failed to generate password recovery token")
// ErrPasswordFormat indicates weak password.
ErrPasswordFormat = errors.New("password does not meet the requirements")
)
type service struct {
clients postgres.Repository
idProvider mainflux.IDProvider
auth mainflux.AuthServiceClient
hasher Hasher
email Emailer
passRegex *regexp.Regexp
}
// NewService returns a new Users service implementation.
func NewService(crepo postgres.Repository, auth mainflux.AuthServiceClient, emailer Emailer, hasher Hasher, idp mainflux.IDProvider, pr *regexp.Regexp) Service {
return service{
clients: crepo,
auth: auth,
hasher: hasher,
email: emailer,
idProvider: idp,
passRegex: pr,
}
}
func (svc service) RegisterClient(ctx context.Context, token string, cli mfclients.Client) (mfclients.Client, error) {
// We don't check the error currently since we can register client with empty token
ownerID, _ := svc.Identify(ctx, token)
clientID, err := svc.idProvider.ID()
if err != nil {
return mfclients.Client{}, err
}
if cli.Owner == "" && ownerID != "" {
cli.Owner = ownerID
}
if cli.Credentials.Secret == "" {
return mfclients.Client{}, apiutil.ErrMissingSecret
}
hash, err := svc.hasher.Hash(cli.Credentials.Secret)
if err != nil {
return mfclients.Client{}, errors.Wrap(errors.ErrMalformedEntity, err)
}
cli.Credentials.Secret = hash
if cli.Status != mfclients.DisabledStatus && cli.Status != mfclients.EnabledStatus {
return mfclients.Client{}, apiutil.ErrInvalidStatus
}
if cli.Role != mfclients.UserRole && cli.Role != mfclients.AdminRole {
return mfclients.Client{}, apiutil.ErrInvalidRole
}
cli.ID = clientID
cli.CreatedAt = time.Now()
client, err := svc.clients.Save(ctx, cli)
if err != nil {
return mfclients.Client{}, err
}
return client, nil
}
func (svc service) IssueToken(ctx context.Context, identity, secret string) (*mainflux.Token, error) {
dbUser, err := svc.clients.RetrieveByIdentity(ctx, identity)
if err != nil {
return &mainflux.Token{}, err
}
if err := svc.hasher.Compare(secret, dbUser.Credentials.Secret); err != nil {
return &mainflux.Token{}, errors.Wrap(errors.ErrLogin, err)
}
return svc.auth.Issue(ctx, &mainflux.IssueReq{Id: dbUser.ID, Type: 0})
}
func (svc service) RefreshToken(ctx context.Context, refreshToken string) (*mainflux.Token, error) {
return svc.auth.Refresh(ctx, &mainflux.RefreshReq{Value: refreshToken})
}
func (svc service) ViewClient(ctx context.Context, token string, id string) (mfclients.Client, error) {
tokenUserID, err := svc.Identify(ctx, token)
if err != nil {
return mfclients.Client{}, err
}
if tokenUserID != id {
if err := svc.isOwner(ctx, id, tokenUserID); err != nil {
return mfclients.Client{}, err
}
}
client, err := svc.clients.RetrieveByID(ctx, id)
if err != nil {
return mfclients.Client{}, err
}
client.Credentials.Secret = ""
return client, nil
}
func (svc service) ViewProfile(ctx context.Context, token string) (mfclients.Client, error) {
id, err := svc.Identify(ctx, token)
if err != nil {
return mfclients.Client{}, err
}
client, err := svc.clients.RetrieveByID(ctx, id)
if err != nil {
return mfclients.Client{}, err
}
client.Credentials.Secret = ""
return client, nil
}
func (svc service) ListClients(ctx context.Context, token string, pm mfclients.Page) (mfclients.ClientsPage, error) {
id, err := svc.Identify(ctx, token)
if err != nil {
return mfclients.ClientsPage{}, err
}
// switch err := svc.authorize(ctx, id, clientsObjectKey, listRelationKey); err {
// // If the user is admin, fetch all users from database.
// case nil:
// switch {
// // visibility = all
// case pm.SharedBy == myKey && pm.Owner == myKey:
// pm.SharedBy = ""
// pm.Owner = ""
// // visibility = shared
// case pm.SharedBy == myKey && pm.Owner != myKey:
// pm.SharedBy = id
// pm.Owner = ""
// // visibility = mine
// case pm.Owner == myKey && pm.SharedBy != myKey:
// pm.Owner = id
// pm.SharedBy = ""
// }
// // If the user is not admin, fetch users that they own or are shared with them.
// default:
// switch {
// // visibility = all
// case pm.SharedBy == myKey && pm.Owner == myKey:
// pm.SharedBy = id
// pm.Owner = id
// // visibility = shared
// case pm.SharedBy == myKey && pm.Owner != myKey:
// pm.SharedBy = id
// pm.Owner = ""
// // visibility = mine
// case pm.Owner == myKey && pm.SharedBy != myKey:
// pm.Owner = id
// pm.SharedBy = ""
// default:
// pm.Owner = id
// }
// pm.Action = listRelationKey
// }
pm.Owner = id
clients, err := svc.clients.RetrieveAll(ctx, pm)
if err != nil {
return mfclients.ClientsPage{}, err
}
return clients, nil
}
func (svc service) UpdateClient(ctx context.Context, token string, cli mfclients.Client) (mfclients.Client, error) {
tokenUserID, err := svc.Identify(ctx, token)
if err != nil {
return mfclients.Client{}, err
}
if tokenUserID != cli.ID {
if err := svc.isOwner(ctx, cli.ID, tokenUserID); err != nil {
return mfclients.Client{}, err
}
}
client := mfclients.Client{
ID: cli.ID,
Name: cli.Name,
Metadata: cli.Metadata,
UpdatedAt: time.Now(),
UpdatedBy: tokenUserID,
}
return svc.clients.Update(ctx, client)
}
func (svc service) UpdateClientTags(ctx context.Context, token string, cli mfclients.Client) (mfclients.Client, error) {
tokenUserID, err := svc.Identify(ctx, token)
if err != nil {
return mfclients.Client{}, err
}
if tokenUserID != cli.ID {
if err := svc.isOwner(ctx, cli.ID, tokenUserID); err != nil {
return mfclients.Client{}, err
}
}
client := mfclients.Client{
ID: cli.ID,
Tags: cli.Tags,
UpdatedAt: time.Now(),
UpdatedBy: tokenUserID,
}
return svc.clients.UpdateTags(ctx, client)
}
func (svc service) UpdateClientIdentity(ctx context.Context, token, clientID, identity string) (mfclients.Client, error) {
tokenUserID, err := svc.Identify(ctx, token)
if err != nil {
return mfclients.Client{}, err
}
if tokenUserID != clientID {
if err := svc.isOwner(ctx, clientID, tokenUserID); err != nil {
return mfclients.Client{}, err
}
}
cli := mfclients.Client{
ID: clientID,
Credentials: mfclients.Credentials{
Identity: identity,
},
UpdatedAt: time.Now(),
UpdatedBy: tokenUserID,
}
return svc.clients.UpdateIdentity(ctx, cli)
}
func (svc service) GenerateResetToken(ctx context.Context, email, host string) error {
client, err := svc.clients.RetrieveByIdentity(ctx, email)
if err != nil || client.Credentials.Identity == "" {
return errors.ErrNotFound
}
issueReq := &mainflux.IssueReq{
Id: client.ID,
Type: uint32(auth.RecoveryKey),
}
token, err := svc.auth.Issue(ctx, issueReq)
if err != nil {
return errors.Wrap(ErrRecoveryToken, err)
}
return svc.SendPasswordReset(ctx, host, email, client.Name, token.AccessToken)
}
func (svc service) ResetSecret(ctx context.Context, resetToken, secret string) error {
id, err := svc.Identify(ctx, resetToken)
if err != nil {
return errors.Wrap(errors.ErrAuthentication, err)
}
c, err := svc.clients.RetrieveByID(ctx, id)
if err != nil {
return err
}
if c.Credentials.Identity == "" {
return errors.ErrNotFound
}
if !svc.passRegex.MatchString(secret) {
return ErrPasswordFormat
}
secret, err = svc.hasher.Hash(secret)
if err != nil {
return err
}
c = mfclients.Client{
Credentials: mfclients.Credentials{
Identity: c.Credentials.Identity,
Secret: secret,
},
UpdatedAt: time.Now(),
UpdatedBy: id,
}
if _, err := svc.clients.UpdateSecret(ctx, c); err != nil {
return err
}
return nil
}
func (svc service) UpdateClientSecret(ctx context.Context, token, oldSecret, newSecret string) (mfclients.Client, error) {
id, err := svc.Identify(ctx, token)
if err != nil {
return mfclients.Client{}, err
}
if !svc.passRegex.MatchString(newSecret) {
return mfclients.Client{}, ErrPasswordFormat
}
dbClient, err := svc.clients.RetrieveByID(ctx, id)
if err != nil {
return mfclients.Client{}, err
}
if _, err := svc.IssueToken(ctx, dbClient.Credentials.Identity, oldSecret); err != nil {
return mfclients.Client{}, err
}
newSecret, err = svc.hasher.Hash(newSecret)
if err != nil {
return mfclients.Client{}, err
}
dbClient.Credentials.Secret = newSecret
dbClient.UpdatedAt = time.Now()
dbClient.UpdatedBy = id
return svc.clients.UpdateSecret(ctx, dbClient)
}
func (svc service) SendPasswordReset(_ context.Context, host, email, user, token string) error {
to := []string{email}
return svc.email.SendPasswordReset(to, host, user, token)
}
func (svc service) UpdateClientOwner(ctx context.Context, token string, cli mfclients.Client) (mfclients.Client, error) {
tokenUserID, err := svc.Identify(ctx, token)
if err != nil {
return mfclients.Client{}, err
}
if tokenUserID != cli.ID {
if err := svc.isOwner(ctx, cli.ID, tokenUserID); err != nil {
return mfclients.Client{}, err
}
}
client := mfclients.Client{
ID: cli.ID,
Owner: cli.Owner,
UpdatedAt: time.Now(),
UpdatedBy: tokenUserID,
}
return svc.clients.UpdateOwner(ctx, client)
}
func (svc service) EnableClient(ctx context.Context, token, id string) (mfclients.Client, error) {
client := mfclients.Client{
ID: id,
UpdatedAt: time.Now(),
Status: mfclients.EnabledStatus,
}
client, err := svc.changeClientStatus(ctx, token, client)
if err != nil {
return mfclients.Client{}, errors.Wrap(mfclients.ErrEnableClient, err)
}
return client, nil
}
func (svc service) DisableClient(ctx context.Context, token, id string) (mfclients.Client, error) {
client := mfclients.Client{
ID: id,
UpdatedAt: time.Now(),
Status: mfclients.DisabledStatus,
}
client, err := svc.changeClientStatus(ctx, token, client)
if err != nil {
return mfclients.Client{}, errors.Wrap(mfclients.ErrDisableClient, err)
}
return client, nil
}
func (svc service) changeClientStatus(ctx context.Context, token string, client mfclients.Client) (mfclients.Client, error) {
tokenUserID, err := svc.Identify(ctx, token)
if err != nil {
return mfclients.Client{}, err
}
if tokenUserID != client.ID {
if err := svc.isOwner(ctx, client.ID, tokenUserID); err != nil {
return mfclients.Client{}, err
}
}
dbClient, err := svc.clients.RetrieveByID(ctx, client.ID)
if err != nil {
return mfclients.Client{}, err
}
if dbClient.Status == client.Status {
return mfclients.Client{}, mfclients.ErrStatusAlreadyAssigned
}
client.UpdatedBy = tokenUserID
return svc.clients.ChangeStatus(ctx, client)
}
func (svc service) ListMembers(ctx context.Context, token, groupID string, pm mfclients.Page) (mfclients.MembersPage, error) {
if _, err := svc.authorize(ctx, userType, tokenKind, token, pm.Permission, groupType, groupID); err != nil {
return mfclients.MembersPage{}, err
}
uids, err := svc.auth.ListAllSubjects(ctx, &mainflux.ListSubjectsReq{
SubjectType: userType,
Permission: pm.Permission,
Object: groupID,
ObjectType: groupType,
})
if err != nil {
return mfclients.MembersPage{}, err
}
pm.IDs = uids.Policies
cp, err := svc.clients.RetrieveAll(ctx, pm)
if err != nil {
return mfclients.MembersPage{}, err
}
return mfclients.MembersPage{
Page: cp.Page,
Members: cp.Clients,
}, nil
}
func (svc *service) isOwner(ctx context.Context, clientID, ownerID string) error {
return svc.clients.IsOwner(ctx, clientID, ownerID)
}
func (svc *service) authorize(ctx context.Context, subjType, subjKind, subj, perm, objType, obj string) (string, error) {
req := &mainflux.AuthorizeReq{
SubjectType: subjType,
SubjectKind: subjKind,
Subject: subj,
Permission: perm,
ObjectType: objType,
Object: obj,
}
res, err := svc.auth.Authorize(ctx, req)
if err != nil {
return "", errors.Wrap(errors.ErrAuthorization, err)
}
if !res.GetAuthorized() {
return "", errors.ErrAuthorization
}
return res.GetId(), nil
}
func (svc service) Identify(ctx context.Context, token string) (string, error) {
user, err := svc.auth.Identify(ctx, &mainflux.IdentityReq{Token: token})
if err != nil {
return "", err
}
return user.GetId(), nil
}