feat: assign clerk users role on creation

flanksource · Aug 23, 2023 · 5cf9ff6 · 5cf9ff6
1 parent 19cdb23
commit 5cf9ff6
Show file tree

Hide file tree

Showing 6 changed files with 30 additions and 11 deletions.
diff --git a/api/global.go b/api/global.go
@@ -15,6 +15,10 @@ import (
 	"k8s.io/client-go/kubernetes"
 )
 
+const (
+	UserIDHeaderKey = "X-User-ID"
+)
+
 var SystemUserID *uuid.UUID
 var CanaryCheckerPath string
 var ApmHubPath string

diff --git a/auth/clerk_client.go b/auth/clerk_client.go
@@ -9,6 +9,7 @@ import (
 	"github.com/flanksource/commons/logger"
 	"github.com/flanksource/incident-commander/api"
 	"github.com/flanksource/incident-commander/db"
+	"github.com/flanksource/incident-commander/rbac"
 	"github.com/golang-jwt/jwt/v4"
 	"github.com/labstack/echo/v4"
 	"github.com/patrickmn/go-cache"
@@ -83,7 +84,7 @@ func (h ClerkHandler) Session(next echo.HandlerFunc) echo.HandlerFunc {
 		}
 
 		c.Request().Header.Set(echo.HeaderAuthorization, fmt.Sprintf("Bearer %s", token))
-		c.Request().Header.Set(UserIDHeaderKey, user.ID.String())
+		c.Request().Header.Set(api.UserIDHeaderKey, user.ID.String())
 		return next(c)
 	}
 }
@@ -109,15 +110,15 @@ func (h *ClerkHandler) getUser(ctx *api.Context, sessionToken string) (*api.Pers
 		Avatar:     fmt.Sprint(claims["image_url"]),
 		ExternalID: fmt.Sprint(claims["user_id"]),
 	}
-	dbUser, err := h.createDBUserIfNotExists(ctx, user)
+	dbUser, err := h.createDBUserIfNotExists(ctx, user, fmt.Sprint(claims["role"]))
 	if err != nil {
 		return nil, "", err
 	}
 	h.userCache.SetDefault(sessionID, &dbUser)
 	return &dbUser, sessionID, nil
 }
 
-func (h *ClerkHandler) createDBUserIfNotExists(ctx *api.Context, user api.Person) (api.Person, error) {
+func (h *ClerkHandler) createDBUserIfNotExists(ctx *api.Context, user api.Person, role string) (api.Person, error) {
 	existingUser, err := db.GetUserByExternalID(ctx, user.ExternalID)
 	if err == nil {
 		// User with the given external ID exists
@@ -129,5 +130,19 @@ func (h *ClerkHandler) createDBUserIfNotExists(ctx *api.Context, user api.Person
 		return api.Person{}, err
 	}
 
-	return db.CreateUser(ctx, user)
+	dbUser, err := db.CreateUser(ctx, user)
+	if err != nil {
+		return api.Person{}, err
+	}
+
+	roleToAdd := rbac.RoleEditor
+	if role == "admin" {
+		roleToAdd = rbac.RoleAdmin
+	}
+
+	if _, err := rbac.Enforcer.AddRoleForUser(dbUser.ID.String(), roleToAdd); err != nil {
+		return api.Person{}, err
+	}
+
+	return dbUser, nil
 }
diff --git a/auth/controllers.go b/auth/controllers.go
@@ -118,7 +118,7 @@ func UpdateAccountProperties(c echo.Context) error {
 
 func WhoAmI(c echo.Context) error {
 	ctx := c.(*api.Context)
-	userID := c.Request().Header.Get(UserIDHeaderKey)
+	userID := c.Request().Header.Get(api.UserIDHeaderKey)
 	user, err := db.GetUserByID(ctx, userID)
 	if err != nil {
 		return c.JSON(http.StatusInternalServerError, api.HTTPError{

diff --git a/auth/middleware.go b/auth/middleware.go
@@ -16,6 +16,7 @@ import (
 	"github.com/flanksource/commons/rand"
 	"github.com/flanksource/commons/utils"
 	"github.com/flanksource/duty/models"
+	"github.com/flanksource/incident-commander/api"
 	"github.com/google/uuid"
 	"github.com/labstack/echo/v4"
 	client "github.com/ory/client-go"
@@ -26,7 +27,6 @@ import (
 
 const (
 	DefaultPostgrestRole = "postgrest_api"
-	UserIDHeaderKey      = "X-User-ID"
 )
 
 var (
@@ -93,7 +93,7 @@ func (k *kratosMiddleware) Session(next echo.HandlerFunc) echo.HandlerFunc {
 			return c.String(http.StatusUnauthorized, "Unauthorized")
 		}
 		c.Request().Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
-		c.Request().Header.Set(UserIDHeaderKey, session.Identity.GetId())
+		c.Request().Header.Set(api.UserIDHeaderKey, session.Identity.GetId())
 
 		return next(c)
 	}

diff --git a/rbac/middleware.go b/rbac/middleware.go
@@ -6,7 +6,7 @@ import (
 
 	"github.com/flanksource/commons/collections"
 	"github.com/flanksource/commons/logger"
-	"github.com/flanksource/incident-commander/auth"
+	"github.com/flanksource/incident-commander/api"
 	"github.com/labstack/echo/v4"
 )
 
@@ -24,7 +24,7 @@ func Authorization(object, action string) func(echo.HandlerFunc) echo.HandlerFun
 				return next(c)
 			}
 
-			userID := c.Request().Header.Get(auth.UserIDHeaderKey)
+			userID := c.Request().Header.Get(api.UserIDHeaderKey)
 			if userID == "" {
 				return c.String(http.StatusUnauthorized, errNoUserID)
 			}

diff --git a/rbac/middleware_test.go b/rbac/middleware_test.go
@@ -8,7 +8,7 @@ import (
 	embeddedPG "github.com/fergusstrange/embedded-postgres"
 	"github.com/flanksource/commons/logger"
 	"github.com/flanksource/duty/testutils"
-	"github.com/flanksource/incident-commander/auth"
+	"github.com/flanksource/incident-commander/api"
 	"github.com/flanksource/incident-commander/db"
 	"github.com/labstack/echo/v4"
 )
@@ -90,7 +90,7 @@ func TestAuthorization(t *testing.T) {
 
 	for _, tc := range tests {
 		req := httptest.NewRequest(tc.method, tc.path, nil)
-		req.Header.Set(auth.UserIDHeaderKey, tc.user)
+		req.Header.Set(api.UserIDHeaderKey, tc.user)
 		rec := httptest.NewRecorder()
 
 		// Call endpoint