raystack
diff --git a/‎api/handler/v1beta1/resource.go‎
Lines changed: 2 additions & 1 deletion b/‎api/handler/v1beta1/resource.go‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎buf.gen.yaml‎
Lines changed: 1 addition & 1 deletion b/‎buf.gen.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎cmd/serve.go‎
Lines changed: 2 additions & 2 deletions b/‎cmd/serve.go‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎hook/authz/authz.go‎
Lines changed: 1 addition & 1 deletion b/‎hook/authz/authz.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎internal/group/groups.go‎
Lines changed: 4 additions & 4 deletions b/‎internal/group/groups.go‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎internal/org/org.go‎
Lines changed: 2 additions & 2 deletions b/‎internal/org/org.go‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎internal/permission/check.go‎
Lines changed: 14 additions & 4 deletions b/‎internal/permission/check.go‎
Lines changed: 14 additions & 4 deletions
diff --git a/‎internal/permission/relation.go‎
Lines changed: 5 additions & 5 deletions b/‎internal/permission/relation.go‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎internal/project/project.go‎
Lines changed: 2 additions & 2 deletions b/‎internal/project/project.go‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎internal/resource/resource.go‎
Lines changed: 2 additions & 2 deletions b/‎internal/resource/resource.go‎
Lines changed: 2 additions & 2 deletions
@@ -181,7 +181,8 @@ func transformResourceToPB(from model.Resource) (shieldv1beta1.Resource, error)
 	}
 
 	return shieldv1beta1.Resource{
-		Id:           from.Id,
+		Id:           from.Idxa,
+		Urn:          from.Urn,
 		Name:         from.Name,
 		Namespace:    &namespace,
 		Organization: &org,
 
@@ -1,4 +1,4 @@
-#!/usr/bin/env -S buf generate buf.build/odpf/proton:50f3663dc011ea70cf65886bfebd28774ceb740a --path odpf/shield --template
+#!/usr/bin/env -S buf generate buf.build/odpf/proton:6e1e1020ca1ea2cd440d5e1417470af31c91c76a --path odpf/shield --template
 ---
 version: "v1"
 plugins:
 
@@ -94,7 +94,7 @@ func serve(logger log.Logger, appConfig *config.Shield) error {
 		Store:               serviceStore,
 		IdentityProxyHeader: appConfig.App.IdentityProxyHeader,
 		ResourcesRepository: resourceConfig,
-	})
+	}, serviceStore)
 
 	cleanUpFunc, cleanUpProxies, err = startProxy(logger, appConfig, ctx, deps, cleanUpFunc, cleanUpProxies, AuthzCheckService)
 	if err != nil {
@@ -315,7 +315,7 @@ func apiDependencies(ctx context.Context, db *sql.SQL, appConfig *config.Shield,
 			ActionService:          schemaService,
 			NamespaceService:       schemaService,
 			IdentityProxyHeader:    appConfig.App.IdentityProxyHeader,
-			PermissionCheckService: permission.NewCheckService(permissions),
+			PermissionCheckService: permission.NewCheckService(permissions, serviceStore),
 		},
 	}
 	return dependencies, nil
 
@@ -179,7 +179,7 @@ func (a Authz) ServeHook(res *http.Response, err error) (*http.Response, error)
 			a.log.Error(err.Error())
 			return a.escape.ServeHook(res, fmt.Errorf(err.Error()))
 		}
-		a.log.Info(fmt.Sprintf("Resource %s created", newResource.Id))
+		a.log.Info(fmt.Sprintf("Resource %s created with ID %s", newResource.Urn, newResource.Idxa))
 	}
 
 	return a.next.ServeHook(res, nil)
 
@@ -95,7 +95,7 @@ func (s Service) AddUsersToGroup(ctx context.Context, groupId string, userIds []
 	}
 
 	isAuthorized, err := s.Permissions.CheckPermission(ctx, currentUser, model.Resource{
-		Id:        groupId,
+		Idxa:      groupId,
 		Namespace: definition.TeamNamespace,
 	},
 		definition.ManageTeamAction,
@@ -137,7 +137,7 @@ func (s Service) RemoveUserFromGroup(ctx context.Context, groupId string, userId
 	}
 
 	isAuthorized, err := s.Permissions.CheckPermission(ctx, currentUser, model.Resource{
-		Id:        groupId,
+		Idxa:      groupId,
 		Namespace: definition.TeamNamespace,
 	},
 		definition.ManageTeamAction,
@@ -194,7 +194,7 @@ func (s Service) AddAdminsToGroup(ctx context.Context, groupId string, userIds [
 	}
 
 	isAuthorized, err := s.Permissions.CheckPermission(ctx, currentUser, model.Resource{
-		Id:        groupId,
+		Idxa:      groupId,
 		Namespace: definition.TeamNamespace,
 	},
 		definition.ManageTeamAction,
@@ -241,7 +241,7 @@ func (s Service) RemoveAdminFromGroup(ctx context.Context, groupId string, userI
 	}
 
 	isAuthorized, err := s.Permissions.CheckPermission(ctx, currentUser, model.Resource{
-		Id:        groupId,
+		Idxa:      groupId,
 		Namespace: definition.TeamNamespace,
 	},
 		definition.ManageTeamAction,
 
@@ -82,7 +82,7 @@ func (s Service) AddAdmin(ctx context.Context, id string, userIds []string) ([]m
 	}
 
 	isAuthorized, err := s.Permissions.CheckPermission(ctx, currentUser, model.Resource{
-		Id:        id,
+		Idxa:      id,
 		Namespace: definition.OrgNamespace,
 	},
 		definition.ManageOrganizationAction,
@@ -128,7 +128,7 @@ func (s Service) RemoveAdmin(ctx context.Context, id string, userId string) ([]m
 	}
 
 	isAuthorized, err := s.Permissions.CheckPermission(ctx, currentUser, model.Resource{
-		Id:        id,
+		Idxa:      id,
 		Namespace: definition.OrgNamespace,
 	},
 		definition.ManageOrganizationAction,
 
@@ -9,10 +9,15 @@ import (
 
 type CheckService struct {
 	PermissionsService Permissions
+	ResourceStore      ResourceStore
 }
 
-func NewCheckService(permissionService Permissions) CheckService {
-	return CheckService{PermissionsService: permissionService}
+type ResourceStore interface {
+	GetResourceByURN(ctx context.Context, urn string) (model.Resource, error)
+}
+
+func NewCheckService(permissionService Permissions, resourceStore ResourceStore) CheckService {
+	return CheckService{PermissionsService: permissionService, ResourceStore: resourceStore}
 }
 
 func (c CheckService) CheckAuthz(ctx context.Context, resource model.Resource, action model.Action) (bool, error) {
@@ -21,6 +26,11 @@ func (c CheckService) CheckAuthz(ctx context.Context, resource model.Resource, a
 		return false, err
 	}
 
-	resource.Id = utils.CreateResourceId(resource)
-	return c.PermissionsService.CheckPermission(ctx, user, resource, action)
+	resource.Urn = utils.CreateResourceURN(resource)
+	fetchedResource, err := c.ResourceStore.GetResourceByURN(ctx, resource.Urn)
+	if err != nil {
+		return false, err
+	}
+
+	return c.PermissionsService.CheckPermission(ctx, user, fetchedResource, action)
 }
@@ -222,7 +222,7 @@ func (s Service) AddProjectToResource(ctx context.Context, project model.Project
 
 	rel := model.Relation{
 		ObjectNamespace:  resourceNS,
-		ObjectId:         resource.Id,
+		ObjectId:         resource.Idxa,
 		SubjectId:        project.Id,
 		SubjectNamespace: definition.ProjectNamespace,
 		Role: model.Role{
@@ -241,7 +241,7 @@ func (s Service) AddOrgToResource(ctx context.Context, org model.Organization, r
 
 	rel := model.Relation{
 		ObjectNamespace:  resourceNS,
-		ObjectId:         resource.Id,
+		ObjectId:         resource.Idxa,
 		SubjectId:        org.Id,
 		SubjectNamespace: definition.OrgNamespace,
 		Role: model.Role{
@@ -260,7 +260,7 @@ func (s Service) AddTeamToResource(ctx context.Context, team model.Group, resour
 
 	rel := model.Relation{
 		ObjectNamespace:  resourceNS,
-		ObjectId:         resource.Id,
+		ObjectId:         resource.Idxa,
 		SubjectId:        team.Id,
 		SubjectNamespace: definition.TeamNamespace,
 		Role: model.Role{
@@ -279,7 +279,7 @@ func (s Service) CheckPermission(ctx context.Context, user model.User, resource
 
 	rel := model.Relation{
 		ObjectNamespace:  resourceNS,
-		ObjectId:         resource.Id,
+		ObjectId:         resource.Idxa,
 		SubjectId:        user.Id,
 		SubjectNamespace: definition.UserNamespace,
 	}
@@ -307,7 +307,7 @@ func (s Service) AddOwnerToResource(ctx context.Context, user model.User, resour
 
 	rel := model.Relation{
 		ObjectNamespace:  resourceNS,
-		ObjectId:         resource.Id,
+		ObjectId:         resource.Idxa,
 		SubjectId:        user.Id,
 		SubjectNamespace: definition.UserNamespace,
 		Role:             role,
 
@@ -90,7 +90,7 @@ func (s Service) AddAdmin(ctx context.Context, id string, userIds []string) ([]m
 	}
 
 	isAuthorized, err := s.Permissions.CheckPermission(ctx, currentUser, model.Resource{
-		Id:        id,
+		Idxa:      id,
 		Namespace: definition.ProjectNamespace,
 	},
 		definition.ManageProjectAction,
@@ -136,7 +136,7 @@ func (s Service) RemoveAdmin(ctx context.Context, id string, userId string) ([]m
 	}
 
 	isAuthorized, err := s.Permissions.CheckPermission(ctx, currentUser, model.Resource{
-		Id:        id,
+		Idxa:      id,
 		Namespace: definition.ProjectNamespace,
 	},
 		definition.ManageProjectAction,
 
@@ -31,7 +31,7 @@ func (s Service) Get(ctx context.Context, id string) (model.Resource, error) {
 }
 
 func (s Service) Create(ctx context.Context, resource model.Resource) (model.Resource, error) {
-	id := utils.CreateResourceId(resource)
+	urn := utils.CreateResourceURN(resource)
 
 	user, err := s.Permissions.FetchCurrentUser(ctx)
 
@@ -46,7 +46,7 @@ func (s Service) Create(ctx context.Context, resource model.Resource) (model.Res
 	}
 
 	newResource, err := s.Store.CreateResource(ctx, model.Resource{
-		Id:             id,
+		Urn:            urn,
 		Name:           resource.Name,
 		OrganizationId: resource.OrganizationId,
 		ProjectId:      resource.ProjectId,
Original file line number	Diff line number	Diff line change
`@@ -181,7 +181,8 @@ func transformResourceToPB(from model.Resource) (shieldv1beta1.Resource, error)`
`181`	`181`	`}`
`182`	`182`
`183`	`183`	`return shieldv1beta1.Resource{`
`184`		`- Id: from.Id,`
	`184`	`+ Id: from.Idxa,`
	`185`	`+ Urn: from.Urn,`
`185`	`186`	`Name: from.Name,`
`186`	`187`	`Namespace: &namespace,`
`187`	`188`	`Organization: &org,`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-#!/usr/bin/env -S buf generate buf.build/odpf/proton:50f3663dc011ea70cf65886bfebd28774ceb740a --path odpf/shield --template`
	`1`	`+#!/usr/bin/env -S buf generate buf.build/odpf/proton:6e1e1020ca1ea2cd440d5e1417470af31c91c76a --path odpf/shield --template`
`2`	`2`	`---`
`3`	`3`	`version: "v1"`
`4`	`4`	`plugins:`
Original file line number	Diff line number	Diff line change
`@@ -179,7 +179,7 @@ func (a Authz) ServeHook(res http.Response, err error) (http.Response, error)`
`179`	`179`	`a.log.Error(err.Error())`
`180`	`180`	`return a.escape.ServeHook(res, fmt.Errorf(err.Error()))`
`181`	`181`	`}`
`182`		`- a.log.Info(fmt.Sprintf("Resource %s created", newResource.Id))`
	`182`	`+ a.log.Info(fmt.Sprintf("Resource %s created with ID %s", newResource.Urn, newResource.Idxa))`
`183`	`183`	`}`
`184`	`184`
`185`	`185`	`return a.next.ServeHook(res, nil)`
Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ func (s Service) Get(ctx context.Context, id string) (model.Resource, error) {`
`31`	`31`	`}`
`32`	`32`
`33`	`33`	`func (s Service) Create(ctx context.Context, resource model.Resource) (model.Resource, error) {`
`34`		`- id := utils.CreateResourceId(resource)`
	`34`	`+ urn := utils.CreateResourceURN(resource)`
`35`	`35`
`36`	`36`	`user, err := s.Permissions.FetchCurrentUser(ctx)`
`37`	`37`
`@@ -46,7 +46,7 @@ func (s Service) Create(ctx context.Context, resource model.Resource) (model.Res`
`46`	`46`	`}`
`47`	`47`
`48`	`48`	`newResource, err := s.Store.CreateResource(ctx, model.Resource{`
`49`		`- Id: id,`
	`49`	`+ Urn: urn,`
`50`	`50`	`Name: resource.Name,`
`51`	`51`	`OrganizationId: resource.OrganizationId,`
`52`	`52`	`ProjectId: resource.ProjectId,`