diff --git a/crates/api_models/src/user_role.rs b/crates/api_models/src/user_role.rs index 735cd240b6..72fca2b2f0 100644 --- a/crates/api_models/src/user_role.rs +++ b/crates/api_models/src/user_role.rs @@ -32,6 +32,8 @@ pub enum Permission { DisputeWrite, MandateRead, MandateWrite, + CustomerRead, + CustomerWrite, FileRead, FileWrite, Analytics, @@ -53,6 +55,7 @@ pub enum PermissionModule { Routing, Analytics, Mandates, + Customer, Disputes, Files, ThreeDsDecisionManager, diff --git a/crates/router/src/routes/customers.rs b/crates/router/src/routes/customers.rs index cfc37cbdbb..2592d8837d 100644 --- a/crates/router/src/routes/customers.rs +++ b/crates/router/src/routes/customers.rs @@ -4,7 +4,7 @@ use router_env::{instrument, tracing, Flow}; use super::app::AppState; use crate::{ core::{api_locking, customers::*}, - services::{api, authentication as auth}, + services::{api, authentication as auth, authorization::permissions::Permission}, types::api::customers, }; @@ -36,7 +36,11 @@ pub async fn customers_create( &req, json_payload.into_inner(), |state, auth, req| create_customer(state, auth.merchant_account, auth.key_store, req), - &auth::ApiKeyAuth, + auth::auth_type( + &auth::ApiKeyAuth, + &auth::JWTAuth(Permission::CustomerWrite), + req.headers(), + ), api_locking::LockAction::NotApplicable, )) .await @@ -68,11 +72,14 @@ pub async fn customers_retrieve( }) .into_inner(); - let auth = + let auth = if auth::is_jwt_auth(req.headers()) { + Box::new(auth::JWTAuth(Permission::CustomerRead)) + } else { match auth::is_ephemeral_auth(req.headers(), &*state.store, &payload.customer_id).await { Ok(auth) => auth, Err(err) => return api::log_and_return_error_response(err), - }; + } + }; api::server_wrap( flow, @@ -110,7 +117,11 @@ pub async fn customers_list(state: web::Data, req: HttpRequest) -> Htt &req, (), |state, auth, _| list_customers(state, auth.merchant_account.merchant_id, auth.key_store), - &auth::ApiKeyAuth, + auth::auth_type( + &auth::ApiKeyAuth, + &auth::JWTAuth(Permission::CustomerRead), + req.headers(), + ), api_locking::LockAction::NotApplicable, ) .await @@ -148,7 +159,11 @@ pub async fn customers_update( &req, json_payload.into_inner(), |state, auth, req| update_customer(state, auth.merchant_account, req, auth.key_store), - &auth::ApiKeyAuth, + auth::auth_type( + &auth::ApiKeyAuth, + &auth::JWTAuth(Permission::CustomerWrite), + req.headers(), + ), api_locking::LockAction::NotApplicable, )) .await @@ -185,7 +200,11 @@ pub async fn customers_delete( &req, payload, |state, auth, req| delete_customer(state, auth.merchant_account, req, auth.key_store), - &auth::ApiKeyAuth, + auth::auth_type( + &auth::ApiKeyAuth, + &auth::JWTAuth(Permission::CustomerWrite), + req.headers(), + ), api_locking::LockAction::NotApplicable, )) .await @@ -209,7 +228,11 @@ pub async fn get_customer_mandates( |state, auth, req| { crate::core::mandate::get_customer_mandates(state, auth.merchant_account, req) }, - &auth::ApiKeyAuth, + auth::auth_type( + &auth::ApiKeyAuth, + &auth::JWTAuth(Permission::MandateRead), + req.headers(), + ), api_locking::LockAction::NotApplicable, ) .await diff --git a/crates/router/src/services/authorization/info.rs b/crates/router/src/services/authorization/info.rs index c6b649f3de..cef93f8273 100644 --- a/crates/router/src/services/authorization/info.rs +++ b/crates/router/src/services/authorization/info.rs @@ -38,6 +38,7 @@ pub enum PermissionModule { Routing, Analytics, Mandates, + Customer, Disputes, Files, ThreeDsDecisionManager, @@ -55,6 +56,7 @@ impl PermissionModule { Self::Forex => "Forex module permissions allow the user to view and query the forex rates", Self::Analytics => "Permission to view and analyse the data relating to payments, refunds, sdk etc.", Self::Mandates => "Everything related to mandates - like creating and viewing mandate related information are within this module", + Self::Customer => "Everything related to customers - like creating and viewing customer related information are within this module", Self::Disputes => "Everything related to disputes - like creating and viewing dispute related information are within this module", Self::Files => "Permissions for uploading, deleting and viewing files for disputes", Self::ThreeDsDecisionManager => "View and configure 3DS decision rules configured for a merchant", @@ -133,6 +135,14 @@ impl ModuleInfo { Permission::MandateWrite, ]), }, + PermissionModule::Customer => Self { + module: module_name, + description, + permissions: PermissionInfo::new(&[ + Permission::CustomerRead, + Permission::CustomerWrite, + ]), + }, PermissionModule::Disputes => Self { module: module_name, description, diff --git a/crates/router/src/services/authorization/permissions.rs b/crates/router/src/services/authorization/permissions.rs index 708da97e1e..426b048e88 100644 --- a/crates/router/src/services/authorization/permissions.rs +++ b/crates/router/src/services/authorization/permissions.rs @@ -19,6 +19,8 @@ pub enum Permission { DisputeWrite, MandateRead, MandateWrite, + CustomerRead, + CustomerWrite, FileRead, FileWrite, Analytics, @@ -55,6 +57,8 @@ impl Permission { Self::DisputeWrite => Some("Create and update disputes"), Self::MandateRead => Some("View mandates"), Self::MandateWrite => Some("Create and update mandates"), + Self::CustomerRead => Some("View customers"), + Self::CustomerWrite => Some("Create, update and delete customers"), Self::FileRead => Some("View files"), Self::FileWrite => Some("Create, update and delete files"), Self::Analytics => Some("Access to analytics module"), diff --git a/crates/router/src/services/authorization/predefined_permissions.rs b/crates/router/src/services/authorization/predefined_permissions.rs index a9f2b864d0..c489f1fc96 100644 --- a/crates/router/src/services/authorization/predefined_permissions.rs +++ b/crates/router/src/services/authorization/predefined_permissions.rs @@ -52,6 +52,8 @@ pub static PREDEFINED_PERMISSIONS: Lazy> = Lazy: Permission::DisputeWrite, Permission::MandateRead, Permission::MandateWrite, + Permission::CustomerRead, + Permission::CustomerWrite, Permission::FileRead, Permission::FileWrite, Permission::Analytics, @@ -79,6 +81,7 @@ pub static PREDEFINED_PERMISSIONS: Lazy> = Lazy: Permission::Analytics, Permission::DisputeRead, Permission::MandateRead, + Permission::CustomerRead, Permission::FileRead, Permission::UsersRead, ], @@ -112,6 +115,8 @@ pub static PREDEFINED_PERMISSIONS: Lazy> = Lazy: Permission::DisputeWrite, Permission::MandateRead, Permission::MandateWrite, + Permission::CustomerRead, + Permission::CustomerWrite, Permission::FileRead, Permission::FileWrite, Permission::Analytics, @@ -150,6 +155,8 @@ pub static PREDEFINED_PERMISSIONS: Lazy> = Lazy: Permission::DisputeWrite, Permission::MandateRead, Permission::MandateWrite, + Permission::CustomerRead, + Permission::CustomerWrite, Permission::FileRead, Permission::FileWrite, Permission::Analytics, @@ -175,6 +182,7 @@ pub static PREDEFINED_PERMISSIONS: Lazy> = Lazy: Permission::SurchargeDecisionManagerRead, Permission::DisputeRead, Permission::MandateRead, + Permission::CustomerRead, Permission::FileRead, Permission::Analytics, Permission::UsersRead, @@ -198,6 +206,7 @@ pub static PREDEFINED_PERMISSIONS: Lazy> = Lazy: Permission::SurchargeDecisionManagerRead, Permission::DisputeRead, Permission::MandateRead, + Permission::CustomerRead, Permission::FileRead, Permission::Analytics, Permission::UsersRead, @@ -223,6 +232,7 @@ pub static PREDEFINED_PERMISSIONS: Lazy> = Lazy: Permission::SurchargeDecisionManagerRead, Permission::DisputeRead, Permission::MandateRead, + Permission::CustomerRead, Permission::FileRead, Permission::Analytics, Permission::UsersRead, @@ -252,6 +262,7 @@ pub static PREDEFINED_PERMISSIONS: Lazy> = Lazy: Permission::SurchargeDecisionManagerWrite, Permission::DisputeRead, Permission::MandateRead, + Permission::CustomerRead, Permission::FileRead, Permission::Analytics, Permission::UsersRead, @@ -273,6 +284,7 @@ pub static PREDEFINED_PERMISSIONS: Lazy> = Lazy: Permission::MerchantAccountRead, Permission::MerchantConnectorAccountRead, Permission::MandateRead, + Permission::CustomerRead, Permission::FileRead, Permission::FileWrite, Permission::Analytics, diff --git a/crates/router/src/types/domain/user.rs b/crates/router/src/types/domain/user.rs index a595afa4a2..ce8350bd9e 100644 --- a/crates/router/src/types/domain/user.rs +++ b/crates/router/src/types/domain/user.rs @@ -788,6 +788,7 @@ impl From for user_role_api::PermissionModule { info::PermissionModule::Routing => Self::Routing, info::PermissionModule::Analytics => Self::Analytics, info::PermissionModule::Mandates => Self::Mandates, + info::PermissionModule::Customer => Self::Customer, info::PermissionModule::Disputes => Self::Disputes, info::PermissionModule::Files => Self::Files, info::PermissionModule::ThreeDsDecisionManager => Self::ThreeDsDecisionManager, diff --git a/crates/router/src/utils/user_role.rs b/crates/router/src/utils/user_role.rs index 0026984fdb..4449338402 100644 --- a/crates/router/src/utils/user_role.rs +++ b/crates/router/src/utils/user_role.rs @@ -74,6 +74,8 @@ impl TryFrom<&Permission> for user_role_api::Permission { Permission::DisputeWrite => Ok(Self::DisputeWrite), Permission::MandateRead => Ok(Self::MandateRead), Permission::MandateWrite => Ok(Self::MandateWrite), + Permission::CustomerRead => Ok(Self::CustomerRead), + Permission::CustomerWrite => Ok(Self::CustomerWrite), Permission::FileRead => Ok(Self::FileRead), Permission::FileWrite => Ok(Self::FileWrite), Permission::Analytics => Ok(Self::Analytics),