raystack · rsbh · Apr 4, 2022 · Mar 31, 2022 · Apr 4, 2022 · Apr 4, 2022
diff --git a/api/handler/v1beta1/resource.go b/api/handler/v1beta1/resource.go
@@ -181,7 +181,8 @@ func transformResourceToPB(from model.Resource) (shieldv1beta1.Resource, error)
 	}
 
 	return shieldv1beta1.Resource{
-		Id:           from.Id,
+		Id:           from.Idxa,
+		Urn:          from.Urn,
 		Name:         from.Name,
 		Namespace:    &namespace,
 		Organization: &org,

diff --git a/buf.gen.yaml b/buf.gen.yaml
@@ -1,4 +1,4 @@
-#!/usr/bin/env -S buf generate buf.build/odpf/proton:50f3663dc011ea70cf65886bfebd28774ceb740a --path odpf/shield --template
+#!/usr/bin/env -S buf generate buf.build/odpf/proton:6e1e1020ca1ea2cd440d5e1417470af31c91c76a --path odpf/shield --template
 ---
 version: "v1"
 plugins:

diff --git a/cmd/serve.go b/cmd/serve.go
@@ -94,7 +94,7 @@ func serve(logger log.Logger, appConfig *config.Shield) error {
 		Store:               serviceStore,
 		IdentityProxyHeader: appConfig.App.IdentityProxyHeader,
 		ResourcesRepository: resourceConfig,
-	})
+	}, serviceStore)
 
 	cleanUpFunc, cleanUpProxies, err = startProxy(logger, appConfig, ctx, deps, cleanUpFunc, cleanUpProxies, AuthzCheckService)
 	if err != nil {
@@ -315,7 +315,7 @@ func apiDependencies(ctx context.Context, db *sql.SQL, appConfig *config.Shield,
 			ActionService:          schemaService,
 			NamespaceService:       schemaService,
 			IdentityProxyHeader:    appConfig.App.IdentityProxyHeader,
-			PermissionCheckService: permission.NewCheckService(permissions),
+			PermissionCheckService: permission.NewCheckService(permissions, serviceStore),
 		},
 	}
 	return dependencies, nil

diff --git a/hook/authz/authz.go b/hook/authz/authz.go
@@ -179,7 +179,7 @@ func (a Authz) ServeHook(res *http.Response, err error) (*http.Response, error)
 			a.log.Error(err.Error())
 			return a.escape.ServeHook(res, fmt.Errorf(err.Error()))
 		}
-		a.log.Info(fmt.Sprintf("Resource %s created", newResource.Id))
+		a.log.Info(fmt.Sprintf("Resource %s created with ID %s", newResource.Urn, newResource.Idxa))
 	}
 
 	return a.next.ServeHook(res, nil)

diff --git a/internal/group/groups.go b/internal/group/groups.go
@@ -95,7 +95,7 @@ func (s Service) AddUsersToGroup(ctx context.Context, groupId string, userIds []
 	}
 
 	isAuthorized, err := s.Permissions.CheckPermission(ctx, currentUser, model.Resource{
-		Id:        groupId,
+		Idxa:      groupId,
 		Namespace: definition.TeamNamespace,
 	},
 		definition.ManageTeamAction,
@@ -137,7 +137,7 @@ func (s Service) RemoveUserFromGroup(ctx context.Context, groupId string, userId
 	}
 
 	isAuthorized, err := s.Permissions.CheckPermission(ctx, currentUser, model.Resource{
-		Id:        groupId,
+		Idxa:      groupId,
 		Namespace: definition.TeamNamespace,
 	},
 		definition.ManageTeamAction,
@@ -194,7 +194,7 @@ func (s Service) AddAdminsToGroup(ctx context.Context, groupId string, userIds [
 	}
 
 	isAuthorized, err := s.Permissions.CheckPermission(ctx, currentUser, model.Resource{
-		Id:        groupId,
+		Idxa:      groupId,
 		Namespace: definition.TeamNamespace,
 	},
 		definition.ManageTeamAction,
@@ -241,7 +241,7 @@ func (s Service) RemoveAdminFromGroup(ctx context.Context, groupId string, userI
 	}
 
 	isAuthorized, err := s.Permissions.CheckPermission(ctx, currentUser, model.Resource{
-		Id:        groupId,
+		Idxa:      groupId,
 		Namespace: definition.TeamNamespace,
 	},
 		definition.ManageTeamAction,

diff --git a/internal/org/org.go b/internal/org/org.go
@@ -82,7 +82,7 @@ func (s Service) AddAdmin(ctx context.Context, id string, userIds []string) ([]m
 	}
 
 	isAuthorized, err := s.Permissions.CheckPermission(ctx, currentUser, model.Resource{
-		Id:        id,
+		Idxa:      id,
 		Namespace: definition.OrgNamespace,
 	},
 		definition.ManageOrganizationAction,
@@ -128,7 +128,7 @@ func (s Service) RemoveAdmin(ctx context.Context, id string, userId string) ([]m
 	}
 
 	isAuthorized, err := s.Permissions.CheckPermission(ctx, currentUser, model.Resource{
-		Id:        id,
+		Idxa:      id,
 		Namespace: definition.OrgNamespace,
 	},
 		definition.ManageOrganizationAction,

diff --git a/internal/permission/check.go b/internal/permission/check.go
@@ -9,10 +9,15 @@ import (
 
 type CheckService struct {
 	PermissionsService Permissions
+	ResourceStore      ResourceStore
 }
 
-func NewCheckService(permissionService Permissions) CheckService {
-	return CheckService{PermissionsService: permissionService}
+type ResourceStore interface {
+	GetResourceByURN(ctx context.Context, urn string) (model.Resource, error)
+}
+
+func NewCheckService(permissionService Permissions, resourceStore ResourceStore) CheckService {
+	return CheckService{PermissionsService: permissionService, ResourceStore: resourceStore}
 }
 
 func (c CheckService) CheckAuthz(ctx context.Context, resource model.Resource, action model.Action) (bool, error) {
@@ -21,6 +26,11 @@ func (c CheckService) CheckAuthz(ctx context.Context, resource model.Resource, a
 		return false, err
 	}
 
-	resource.Id = utils.CreateResourceId(resource)
-	return c.PermissionsService.CheckPermission(ctx, user, resource, action)
+	resource.Urn = utils.CreateResourceURN(resource)
+	fetchedResource, err := c.ResourceStore.GetResourceByURN(ctx, resource.Urn)
+	if err != nil {
+		return false, err
+	}
+
+	return c.PermissionsService.CheckPermission(ctx, user, fetchedResource, action)
 }
diff --git a/internal/permission/relation.go b/internal/permission/relation.go
@@ -222,7 +222,7 @@ func (s Service) AddProjectToResource(ctx context.Context, project model.Project
 
 	rel := model.Relation{
 		ObjectNamespace:  resourceNS,
-		ObjectId:         resource.Id,
+		ObjectId:         resource.Idxa,
 		SubjectId:        project.Id,
 		SubjectNamespace: definition.ProjectNamespace,
 		Role: model.Role{
@@ -241,7 +241,7 @@ func (s Service) AddOrgToResource(ctx context.Context, org model.Organization, r
 
 	rel := model.Relation{
 		ObjectNamespace:  resourceNS,
-		ObjectId:         resource.Id,
+		ObjectId:         resource.Idxa,
 		SubjectId:        org.Id,
 		SubjectNamespace: definition.OrgNamespace,
 		Role: model.Role{
@@ -260,7 +260,7 @@ func (s Service) AddTeamToResource(ctx context.Context, team model.Group, resour
 
 	rel := model.Relation{
 		ObjectNamespace:  resourceNS,
-		ObjectId:         resource.Id,
+		ObjectId:         resource.Idxa,
 		SubjectId:        team.Id,
 		SubjectNamespace: definition.TeamNamespace,
 		Role: model.Role{
@@ -279,7 +279,7 @@ func (s Service) CheckPermission(ctx context.Context, user model.User, resource
 
 	rel := model.Relation{
 		ObjectNamespace:  resourceNS,
-		ObjectId:         resource.Id,
+		ObjectId:         resource.Idxa,
 		SubjectId:        user.Id,
 		SubjectNamespace: definition.UserNamespace,
 	}
@@ -307,7 +307,7 @@ func (s Service) AddOwnerToResource(ctx context.Context, user model.User, resour
 
 	rel := model.Relation{
 		ObjectNamespace:  resourceNS,
-		ObjectId:         resource.Id,
+		ObjectId:         resource.Idxa,
 		SubjectId:        user.Id,
 		SubjectNamespace: definition.UserNamespace,
 		Role:             role,

diff --git a/internal/project/project.go b/internal/project/project.go
@@ -90,7 +90,7 @@ func (s Service) AddAdmin(ctx context.Context, id string, userIds []string) ([]m
 	}
 
 	isAuthorized, err := s.Permissions.CheckPermission(ctx, currentUser, model.Resource{
-		Id:        id,
+		Idxa:      id,
 		Namespace: definition.ProjectNamespace,
 	},
 		definition.ManageProjectAction,
@@ -136,7 +136,7 @@ func (s Service) RemoveAdmin(ctx context.Context, id string, userId string) ([]m
 	}
 
 	isAuthorized, err := s.Permissions.CheckPermission(ctx, currentUser, model.Resource{
-		Id:        id,
+		Idxa:      id,
 		Namespace: definition.ProjectNamespace,
 	},
 		definition.ManageProjectAction,

diff --git a/internal/resource/resource.go b/internal/resource/resource.go
@@ -31,7 +31,7 @@ func (s Service) Get(ctx context.Context, id string) (model.Resource, error) {
 }
 
 func (s Service) Create(ctx context.Context, resource model.Resource) (model.Resource, error) {
-	id := utils.CreateResourceId(resource)
+	urn := utils.CreateResourceURN(resource)
 
 	user, err := s.Permissions.FetchCurrentUser(ctx)
 
@@ -46,7 +46,7 @@ func (s Service) Create(ctx context.Context, resource model.Resource) (model.Res
 	}
 
 	newResource, err := s.Store.CreateResource(ctx, model.Resource{
-		Id:             id,
+		Urn:            urn,
 		Name:           resource.Name,
 		OrganizationId: resource.OrganizationId,
 		ProjectId:      resource.ProjectId,

diff --git a/model/model.go b/model/model.go
@@ -99,7 +99,8 @@ type Relation struct {
 }
 
 type Resource struct {
-	Id             string
+	Idxa           string
+	Urn            string
 	Name           string
 	ProjectId      string `json:"project_id"`
 	Project        Project

diff --git a/proto/apidocs.swagger.json b/proto/apidocs.swagger.json
@@ -2646,6 +2646,9 @@
         },
         "user": {
           "$ref": "#/definitions/v1beta1User"
+        },
+        "urn": {
+          "type": "string"
         }
       }
     },