From 8a0d777866afabc9527c87f51ae1a9b8268955ea Mon Sep 17 00:00:00 2001 From: Yash Mehrotra Date: Wed, 23 Aug 2023 15:08:46 +0530 Subject: [PATCH] feat: assign clerk users role on creation --- api/global.go | 4 ++++ auth/clerk_client.go | 23 +++++++++++++++++++---- auth/controllers.go | 2 +- auth/middleware.go | 4 ++-- rbac/middleware.go | 4 ++-- 5 files changed, 28 insertions(+), 9 deletions(-) diff --git a/api/global.go b/api/global.go index d429ed6fb..8002c5e16 100644 --- a/api/global.go +++ b/api/global.go @@ -15,6 +15,10 @@ import ( "k8s.io/client-go/kubernetes" ) +const ( + UserIDHeaderKey = "X-User-ID" +) + var SystemUserID *uuid.UUID var CanaryCheckerPath string var ApmHubPath string diff --git a/auth/clerk_client.go b/auth/clerk_client.go index bd88b431d..4f0b29c0e 100644 --- a/auth/clerk_client.go +++ b/auth/clerk_client.go @@ -9,6 +9,7 @@ import ( "github.com/flanksource/commons/logger" "github.com/flanksource/incident-commander/api" "github.com/flanksource/incident-commander/db" + "github.com/flanksource/incident-commander/rbac" "github.com/golang-jwt/jwt/v4" "github.com/labstack/echo/v4" "github.com/patrickmn/go-cache" @@ -83,7 +84,7 @@ func (h ClerkHandler) Session(next echo.HandlerFunc) echo.HandlerFunc { } c.Request().Header.Set(echo.HeaderAuthorization, fmt.Sprintf("Bearer %s", token)) - c.Request().Header.Set(UserIDHeaderKey, user.ID.String()) + c.Request().Header.Set(api.UserIDHeaderKey, user.ID.String()) return next(c) } } @@ -109,7 +110,7 @@ func (h *ClerkHandler) getUser(ctx *api.Context, sessionToken string) (*api.Pers Avatar: fmt.Sprint(claims["image_url"]), ExternalID: fmt.Sprint(claims["user_id"]), } - dbUser, err := h.createDBUserIfNotExists(ctx, user) + dbUser, err := h.createDBUserIfNotExists(ctx, user, fmt.Sprint(claims["role"])) if err != nil { return nil, "", err } 
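Review bot: In the getUser hunk the role claim is read as `fmt.Sprint(claims["role"])`, so a token without that claim yields the literal string "<nil>" rather than an empty string, and any non-string value is stringified and handed on as if it were a role name. A type assertion keeps the intent explicit and makes the missing-claim case obvious: `role, _ := claims["role"].(string)` followed by `dbUser, err := h.createDBUserIfNotExists(ctx, user, role)`. Whether these claims come from a signature-verified session token is decided earlier in getUser, outside this hunk, and is what actually makes the grant safe, since a `role: "admin"` claim maps straight to rbac.RoleAdmin in createDBUserIfNotExists; worth confirming that the verification path and the Clerk-side configuration of that claim are both locked down.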
@@ -117,7 +118,7 @@ func (h *ClerkHandler) getUser(ctx *api.Context, sessionToken string) (*api.Pers return &dbUser, sessionID, nil } -func (h *ClerkHandler) createDBUserIfNotExists(ctx *api.Context, user api.Person) (api.Person, error) { +func (h *ClerkHandler) createDBUserIfNotExists(ctx *api.Context, user api.Person, role string) (api.Person, error) { existingUser, err := db.GetUserByExternalID(ctx, user.ExternalID) if err == nil { // User with the given external ID exists @@ -129,5 +130,19 @@ func (h *ClerkHandler) createDBUserIfNotExists(ctx *api.Context, user api.Person return api.Person{}, err } - return db.CreateUser(ctx, user) + dbUser, err := db.CreateUser(ctx, user) + if err != nil { + return api.Person{}, err + } + + roleToAdd := rbac.RoleEditor + if role == "admin" { + roleToAdd = rbac.RoleAdmin + } + + if _, err := rbac.Enforcer.AddRoleForUser(dbUser.ID.String(), roleToAdd); err != nil { + return api.Person{}, err + } + + return dbUser, nil } diff --git a/auth/controllers.go b/auth/controllers.go index afba73849..f0a485bcf 100644 --- a/auth/controllers.go +++ b/auth/controllers.go @@ -118,7 +118,7 @@ func UpdateAccountProperties(c echo.Context) error { func WhoAmI(c echo.Context) error { ctx := c.(*api.Context) - userID := c.Request().Header.Get(UserIDHeaderKey) + userID := c.Request().Header.Get(api.UserIDHeaderKey) user, err := db.GetUserByID(ctx, userID) if err != nil { return c.JSON(http.StatusInternalServerError, api.HTTPError{ diff --git a/auth/middleware.go b/auth/middleware.go index c05db17e1..cc70bb4de 100644 --- a/auth/middleware.go +++ b/auth/middleware.go @@ -16,6 +16,7 @@ import ( "github.com/flanksource/commons/rand" "github.com/flanksource/commons/utils" "github.com/flanksource/duty/models" + "github.com/flanksource/incident-commander/api" "github.com/google/uuid" "github.com/labstack/echo/v4" client "github.com/ory/client-go" 
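Review bot: In createDBUserIfNotExists the role is granted only on the path that creates the row, so if `rbac.Enforcer.AddRoleForUser` fails after `db.CreateUser` has succeeded the person row exists with no role, and every later request takes the existing-user branch (its body sits between the hunks, outside view) and never retries the grant. The same shape means a role changed in Clerk after first sign-in, including revoking admin, is never reflected here, and users that pre-date this commit get no role at all; if rbac.Enforcer is a casbin enforcer, `AddRoleForUser` is idempotent, so the mapping can safely run on every sign-in rather than once. Note also that every claim other than "admin", including a missing one, defaults to rbac.RoleEditor, which gives every account able to sign in to the Clerk instance write access — confirm that is intended rather than a read-only default. I would pull the mapping into a helper that both the new-user and existing-user paths call, and wrap the error so a failure is attributable to role assignment:

```go
	// … unchanged: db.CreateUser call and its error check …

	// The person row now exists; a failure here must surface, because the
	// existing-user path above would otherwise never retry the role grant.
	if err := syncRoleFromClaim(dbUser.ID.String(), role); err != nil {
		return api.Person{}, fmt.Errorf("assigning role to user %s: %w", dbUser.ID, err)
	}

	return dbUser, nil
}

// syncRoleFromClaim maps the Clerk "role" claim to an RBAC role and grants it.
// Meant to run on every sign-in (existing users too), so it must stay idempotent;
// dropping a previously held role on demotion still needs a remove-roles call
// before the grant, if the enforcer offers one (casbin's DeleteRolesForUser).
func syncRoleFromClaim(userID, claimRole string) error {
	roleToAdd := rbac.RoleEditor
	if claimRole == "admin" {
		roleToAdd = rbac.RoleAdmin
	}
	_, err := rbac.Enforcer.AddRoleForUser(userID, roleToAdd)
	return err
}
```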
@@ -26,7 +27,6 @@ import ( const ( DefaultPostgrestRole = "postgrest_api" - UserIDHeaderKey = "X-User-ID" ) var ( @@ -93,7 +93,7 @@ func (k *kratosMiddleware) Session(next echo.HandlerFunc) echo.HandlerFunc { return c.String(http.StatusUnauthorized, "Unauthorized") } c.Request().Header.Set("Authorization", fmt.Sprintf("Bearer %s", token)) - c.Request().Header.Set(UserIDHeaderKey, session.Identity.GetId()) + c.Request().Header.Set(api.UserIDHeaderKey, session.Identity.GetId()) return next(c) } diff --git a/rbac/middleware.go b/rbac/middleware.go index bcdfb3c32..d85f8735b 100644 --- a/rbac/middleware.go +++ b/rbac/middleware.go @@ -6,7 +6,7 @@ import ( "github.com/flanksource/commons/collections" "github.com/flanksource/commons/logger" - "github.com/flanksource/incident-commander/auth" + "github.com/flanksource/incident-commander/api" "github.com/labstack/echo/v4" ) @@ -24,7 +24,7 @@ func Authorization(object, action string) func(echo.HandlerFunc) echo.HandlerFun return next(c) } - userID := c.Request().Header.Get(auth.UserIDHeaderKey) + userID := c.Request().Header.Get(api.UserIDHeaderKey) if userID == "" { return c.String(http.StatusUnauthorized, errNoUserID) }
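Review bot: The Authorization middleware decides access from `c.Request().Header.Get(api.UserIDHeaderKey)`, an inbound request header a client can also send, so the check is only as strong as the guarantee that a session middleware ran first and overwrote it with `Header.Set`; the function begins outside this hunk, and the `return next(c)` just above the changed line is a bypass whose condition I cannot see. If any route can reach this middleware without the Clerk or Kratos Session middleware in front of it, a caller can supply its own `X-User-ID` and choose the identity it is authorized as. Carrying the authenticated ID in the echo context instead of the request header removes that dependency, e.g. `c.Set(api.UserIDHeaderKey, user.ID.String())` in the session middlewares and `userID, _ := c.Get(api.UserIDHeaderKey).(string)` here; if the header must remain because it is forwarded downstream, strip the inbound one at the edge before authentication runs.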