Skip to content

Commit

Permalink
feat(user): implement entity level authorization (#5819)
Browse files Browse the repository at this point in the history
  • Loading branch information
@racnan
racnan authored Sep 5, 2024
1 parent 9dd1511 commit e15ea18
Show file tree
Hide file tree
Showing 25 changed files with 806 additions and 246 deletions.
246 changes: 197 additions & 49 deletions crates/router/src/analytics.rs
View file

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion crates/router/src/consts.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -90,7 +90,7 @@ pub const EMAIL_TOKEN_TIME_IN_SECS: u64 = 60 * 60 * 24; // 1 day
#[cfg(feature = "email")]
pub const EMAIL_TOKEN_BLACKLIST_PREFIX: &str = "BET_";

pub const ROLE_CACHE_PREFIX: &str = "CR_";
pub const ROLE_INFO_CACHE_PREFIX: &str = "CR_INFO_";

#[cfg(feature = "olap")]
pub const VERIFY_CONNECTOR_ID_PREFIX: &str = "conn_verify";
Expand Down
1 change: 1 addition & 0 deletions crates/router/src/consts/user_role.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,5 +5,6 @@ pub const ROLE_ID_MERCHANT_IAM_ADMIN: &str = "merchant_iam_admin";
pub const ROLE_ID_MERCHANT_DEVELOPER: &str = "merchant_developer";
pub const ROLE_ID_MERCHANT_OPERATOR: &str = "merchant_operator";
pub const ROLE_ID_MERCHANT_CUSTOMER_SUPPORT: &str = "merchant_customer_support";
pub const ROLE_ID_PROFILE_CUSTOMER_SUPPORT: &str = "profile_customer_support";
pub const INTERNAL_USER_MERCHANT_ID: &str = "juspay000";
pub const MAX_ROLE_NAME_LENGTH: usize = 64;
26 changes: 25 additions & 1 deletion crates/router/src/routes/admin.rs
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
use actix_web::{web, HttpRequest, HttpResponse};
use common_enums::EntityType;
use router_env::{instrument, tracing, Flow};

use super::app::AppState;
Expand Down Expand Up @@ -118,6 +119,7 @@ pub async fn retrieve_merchant_account(
&auth::JWTAuthMerchantFromRoute {
merchant_id,
required_permission: Permission::MerchantAccountRead,
minimum_entity_level: EntityType::Profile,
},
req.headers(),
),
Expand Down Expand Up @@ -170,6 +172,7 @@ pub async fn update_merchant_account(
&auth::JWTAuthMerchantFromRoute {
merchant_id: merchant_id.clone(),
required_permission: Permission::MerchantAccountWrite,
minimum_entity_level: EntityType::Merchant,
},
req.headers(),
),
Expand Down Expand Up @@ -230,6 +233,7 @@ pub async fn connector_create(
&auth::JWTAuthMerchantFromRoute {
merchant_id: merchant_id.clone(),
required_permission: Permission::MerchantConnectorAccountWrite,
minimum_entity_level: EntityType::Merchant,
},
req.headers(),
),
Expand Down Expand Up @@ -261,6 +265,7 @@ pub async fn connector_create(
&auth::AdminApiAuthWithMerchantIdFromHeader,
&auth::JWTAuthMerchantFromHeader {
required_permission: Permission::MerchantConnectorAccountWrite,
minimum_entity_level: EntityType::Merchant,
},
req.headers(),
),
Expand Down Expand Up @@ -323,6 +328,7 @@ pub async fn connector_retrieve(
&auth::JWTAuthMerchantFromRoute {
merchant_id,
required_permission: Permission::MerchantConnectorAccountRead,
minimum_entity_level: EntityType::Profile,
},
req.headers(),
),
Expand Down Expand Up @@ -361,6 +367,7 @@ pub async fn connector_retrieve(
&auth::AdminApiAuthWithMerchantIdFromHeader,
&auth::JWTAuthMerchantFromHeader {
required_permission: Permission::MerchantConnectorAccountRead,
minimum_entity_level: EntityType::Merchant,
},
req.headers(),
),
Expand Down Expand Up @@ -406,6 +413,7 @@ pub async fn payment_connector_list(
&auth::JWTAuthMerchantFromRoute {
merchant_id,
required_permission: Permission::MerchantConnectorAccountRead,
minimum_entity_level: EntityType::Merchant,
},
req.headers(),
),
Expand Down Expand Up @@ -457,6 +465,7 @@ pub async fn payment_connector_list_profile(
&auth::JWTAuthMerchantFromRoute {
merchant_id,
required_permission: Permission::MerchantConnectorAccountRead,
minimum_entity_level: EntityType::Profile,
},
req.headers(),
),
Expand Down Expand Up @@ -517,6 +526,7 @@ pub async fn connector_update(
&auth::JWTAuthMerchantFromRoute {
merchant_id: merchant_id.clone(),
required_permission: Permission::MerchantConnectorAccountWrite,
minimum_entity_level: EntityType::Merchant,
},
req.headers(),
),
Expand Down Expand Up @@ -568,6 +578,7 @@ pub async fn connector_update(
&auth::JWTAuthMerchantFromRoute {
merchant_id: merchant_id.clone(),
required_permission: Permission::MerchantConnectorAccountWrite,
minimum_entity_level: EntityType::Merchant,
},
req.headers(),
),
Expand Down Expand Up @@ -623,6 +634,7 @@ pub async fn connector_delete(
&auth::JWTAuthMerchantFromRoute {
merchant_id,
required_permission: Permission::MerchantConnectorAccountWrite,
minimum_entity_level: EntityType::Merchant,
},
req.headers(),
),
Expand Down Expand Up @@ -661,6 +673,7 @@ pub async fn connector_delete(
&auth::AdminApiAuthWithMerchantIdFromHeader,
&auth::JWTAuthMerchantFromHeader {
required_permission: Permission::MerchantConnectorAccountWrite,
minimum_entity_level: EntityType::Merchant,
},
req.headers(),
),
Expand Down Expand Up @@ -743,6 +756,7 @@ pub async fn business_profile_create(
&auth::JWTAuthMerchantFromRoute {
merchant_id,
required_permission: Permission::MerchantAccountWrite,
minimum_entity_level: EntityType::Merchant,
},
req.headers(),
),
Expand Down Expand Up @@ -773,6 +787,7 @@ pub async fn business_profile_create(
&auth::AdminApiAuthWithMerchantIdFromHeader,
&auth::JWTAuthMerchantFromHeader {
required_permission: Permission::MerchantAccountWrite,
minimum_entity_level: EntityType::Merchant,
},
req.headers(),
),
Expand Down Expand Up @@ -807,6 +822,7 @@ pub async fn business_profile_retrieve(
&auth::JWTAuthMerchantFromRoute {
merchant_id: merchant_id.clone(),
required_permission: Permission::MerchantAccountRead,
minimum_entity_level: EntityType::Profile,
},
req.headers(),
),
Expand Down Expand Up @@ -837,6 +853,7 @@ pub async fn business_profile_retrieve(
&auth::AdminApiAuthWithMerchantIdFromHeader,
&auth::JWTAuthMerchantFromHeader {
required_permission: Permission::MerchantAccountRead,
minimum_entity_level: EntityType::Merchant,
},
req.headers(),
),
Expand Down Expand Up @@ -872,6 +889,7 @@ pub async fn business_profile_update(
&auth::JWTAuthMerchantAndProfileFromRoute {
merchant_id: merchant_id.clone(),
profile_id: profile_id.clone(),
minimum_entity_level: EntityType::Merchant,
required_permission: Permission::MerchantAccountWrite,
},
req.headers(),
Expand Down Expand Up @@ -904,6 +922,7 @@ pub async fn business_profile_update(
&auth::AdminApiAuthWithMerchantIdFromHeader,
&auth::JWTAuthMerchantFromHeader {
required_permission: Permission::MerchantAccountWrite,
minimum_entity_level: EntityType::Merchant,
},
req.headers(),
),
Expand Down Expand Up @@ -955,6 +974,7 @@ pub async fn business_profiles_list(
&auth::JWTAuthMerchantFromRoute {
merchant_id,
required_permission: Permission::MerchantAccountRead,
minimum_entity_level: EntityType::Merchant,
},
req.headers(),
),
Expand Down Expand Up @@ -989,6 +1009,7 @@ pub async fn business_profiles_list_at_profile_level(
&auth::JWTAuthMerchantFromRoute {
merchant_id,
required_permission: Permission::MerchantAccountRead,
minimum_entity_level: EntityType::Profile,
},
req.headers(),
),
Expand Down Expand Up @@ -1018,7 +1039,10 @@ pub async fn toggle_connector_agnostic_mit(
|state, _, req, _| connector_agnostic_mit_toggle(state, &merchant_id, &profile_id, req),
auth::auth_type(
&auth::HeaderAuth(auth::ApiKeyAuth),
&auth::JWTAuth(Permission::RoutingWrite),
&auth::JWTAuth {
permission: Permission::RoutingWrite,
minimum_entity_level: EntityType::Merchant,
},
req.headers(),
),
api_locking::LockAction::NotApplicable,
Expand Down
10 changes: 10 additions & 0 deletions crates/router/src/routes/api_keys.rs
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
use actix_web::{web, HttpRequest, Responder};
use common_enums::EntityType;
use router_env::{instrument, tracing, Flow};

use super::app::AppState;
Expand Down Expand Up @@ -37,6 +38,7 @@ pub async fn api_key_create(
&auth::JWTAuthMerchantFromRoute {
merchant_id: merchant_id.clone(),
required_permission: Permission::ApiKeyWrite,
minimum_entity_level: EntityType::Merchant,
},
req.headers(),
),
Expand Down Expand Up @@ -67,6 +69,7 @@ pub async fn api_key_create(
&auth::AdminApiAuthWithMerchantIdFromHeader,
&auth::JWTAuthMerchantFromHeader {
required_permission: Permission::ApiKeyWrite,
minimum_entity_level: EntityType::Merchant,
},
req.headers(),
),
Expand Down Expand Up @@ -104,6 +107,7 @@ pub async fn api_key_retrieve(
&auth::AdminApiAuthWithMerchantIdFromHeader,
&auth::JWTAuthMerchantFromHeader {
required_permission: Permission::ApiKeyRead,
minimum_entity_level: EntityType::Merchant,
},
req.headers(),
),
Expand Down Expand Up @@ -136,6 +140,7 @@ pub async fn api_key_retrieve(
&auth::JWTAuthMerchantFromRoute {
merchant_id: merchant_id.clone(),
required_permission: Permission::ApiKeyRead,
minimum_entity_level: EntityType::Merchant,
},
req.headers(),
),
Expand Down Expand Up @@ -172,6 +177,7 @@ pub async fn api_key_update(
&auth::JWTAuthMerchantFromRoute {
merchant_id,
required_permission: Permission::ApiKeyWrite,
minimum_entity_level: EntityType::Merchant,
},
req.headers(),
),
Expand Down Expand Up @@ -204,6 +210,7 @@ pub async fn api_key_update(
&auth::JWTAuthMerchantFromRoute {
merchant_id,
required_permission: Permission::ApiKeyWrite,
minimum_entity_level: EntityType::Merchant,
},
req.headers(),
),
Expand Down Expand Up @@ -237,6 +244,7 @@ pub async fn api_key_revoke(
&auth::JWTAuthMerchantFromRoute {
merchant_id: merchant_id.clone(),
required_permission: Permission::ApiKeyWrite,
minimum_entity_level: EntityType::Merchant,
},
req.headers(),
),
Expand Down Expand Up @@ -266,6 +274,7 @@ pub async fn api_key_revoke(
&auth::JWTAuthMerchantFromRoute {
merchant_id: merchant_id.clone(),
required_permission: Permission::ApiKeyWrite,
minimum_entity_level: EntityType::Merchant,
},
req.headers(),
),
Expand Down Expand Up @@ -318,6 +327,7 @@ pub async fn api_key_list(
&auth::JWTAuthMerchantFromRoute {
merchant_id,
required_permission: Permission::ApiKeyRead,
minimum_entity_level: EntityType::Merchant,
},
req.headers(),
),
Expand Down
21 changes: 17 additions & 4 deletions crates/router/src/routes/blocklist.rs
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
use actix_web::{web, HttpRequest, HttpResponse};
use api_models::blocklist as api_blocklist;
use common_enums::EntityType;
use router_env::Flow;

use crate::{
Expand Down Expand Up @@ -36,7 +37,10 @@ pub async fn add_entry_to_blocklist(
},
auth::auth_type(
&auth::HeaderAuth(auth::ApiKeyAuth),
&auth::JWTAuth(Permission::MerchantAccountWrite),
&auth::JWTAuth {
permission: Permission::MerchantAccountWrite,
minimum_entity_level: EntityType::Merchant,
},
req.headers(),
),
api_locking::LockAction::NotApplicable,
Expand Down Expand Up @@ -72,7 +76,10 @@ pub async fn remove_entry_from_blocklist(
},
auth::auth_type(
&auth::HeaderAuth(auth::ApiKeyAuth),
&auth::JWTAuth(Permission::MerchantAccountWrite),
&auth::JWTAuth {
permission: Permission::MerchantAccountWrite,
minimum_entity_level: EntityType::Merchant,
},
req.headers(),
),
api_locking::LockAction::NotApplicable,
Expand Down Expand Up @@ -110,7 +117,10 @@ pub async fn list_blocked_payment_methods(
},
auth::auth_type(
&auth::HeaderAuth(auth::ApiKeyAuth),
&auth::JWTAuth(Permission::MerchantAccountRead),
&auth::JWTAuth {
permission: Permission::MerchantAccountRead,
minimum_entity_level: EntityType::Merchant,
},
req.headers(),
),
api_locking::LockAction::NotApplicable,
Expand Down Expand Up @@ -148,7 +158,10 @@ pub async fn toggle_blocklist_guard(
},
auth::auth_type(
&auth::HeaderAuth(auth::ApiKeyAuth),
&auth::JWTAuth(Permission::MerchantAccountWrite),
&auth::JWTAuth {
permission: Permission::MerchantAccountWrite,
minimum_entity_level: EntityType::Merchant,
},
req.headers(),
),
api_locking::LockAction::NotApplicable,
Expand Down
16 changes: 13 additions & 3 deletions crates/router/src/routes/connector_onboarding.rs
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
use actix_web::{web, HttpRequest, HttpResponse};
use api_models::connector_onboarding as api_types;
use common_enums::EntityType;
use router_env::Flow;

use super::AppState;
Expand All @@ -21,7 +22,10 @@ pub async fn get_action_url(
&http_req,
req_payload.clone(),
core::get_action_url,
&auth::JWTAuth(Permission::MerchantAccountWrite),
&auth::JWTAuth {
permission: Permission::MerchantAccountWrite,
minimum_entity_level: EntityType::Merchant,
},
api_locking::LockAction::NotApplicable,
))
.await
Expand All @@ -40,7 +44,10 @@ pub async fn sync_onboarding_status(
&http_req,
req_payload.clone(),
core::sync_onboarding_status,
&auth::JWTAuth(Permission::MerchantAccountWrite),
&auth::JWTAuth {
permission: Permission::MerchantAccountWrite,
minimum_entity_level: EntityType::Merchant,
},
api_locking::LockAction::NotApplicable,
))
.await
Expand All @@ -59,7 +66,10 @@ pub async fn reset_tracking_id(
&http_req,
req_payload.clone(),
core::reset_tracking_id,
&auth::JWTAuth(Permission::MerchantAccountWrite),
&auth::JWTAuth {
permission: Permission::MerchantAccountWrite,
minimum_entity_level: EntityType::Merchant,
},
api_locking::LockAction::NotApplicable,
))
.await
Expand Down
Loading

0 comments on commit e15ea18

Please sign in to comment.