Merge pull request #245 from factly/fix/space-conflicts

fix/space-conflicts

.gitignore

@@ -37,6 +37,7 @@ bower_components
 psd
 thumb
 sketch
+cockroach-data
 
 ### Code ###
 .vscode/*

config.env.example

@@ -5,11 +5,26 @@ DATABASE_NAME=kavach
 DATABASE_PORT=5432 
 DATABASE_SSL_MODE=disable
 KETO_URL=http://keto:4466
+KETO_WRITE_API_URL=http://keto:4467
+KETO_READ_API_URL=http://keto:4466
 KRATOS_ADMIN_URL=http://kratos:4434
+KRATOS_PUBLIC_URL=http://kratos:4433  
 MODE=development
 IMAGEPROXY_URL=http://127.0.0.1:7001
-USE_SQLITE=true
+USE_SQLITE=false
 SQLITE_DB_PATH=kavach.db
 SENDGRID_API_KEY=API-KEY
 DOMAIN_NAME=http://127.0.0.1:4455/.factly/kavach/web # development mode
-# DOMAIN_NAME=https://kavach.factly.org - production mode
+DYNAMIC_FROM_EMAIL='kavach'
+MANDE_HOST=http://mande.factly.in
+DYNAMIC_MANDE_TEMPLATE_ID=1
+DYNAMIC_SENDGRID_API_KEY=API-KEY
+ENABLE_MULTITENANCY=true
+DISABLE_REGISTRATION=false
+[email protected]
+APPLICATION_NAME=Kavach
+DEFAULT_USER_EMAIL=default-email
+DEFAULT_USER_PASSWORD=default-password
+DEFAULT_ORGANISATION_NAME=FACTLYADMIN
+
+

docker-compose.yml

@@ -2,7 +2,7 @@ version: "3.7"
 
 services:
   ###########################################################################
-  #######             DB SERVICES                                     #######
+  #######                  DB SERVICES                                #######
   ###########################################################################
   postgres:
     image: postgres:11.7-alpine
@@ -18,9 +18,9 @@ services:
     networks:
       - kavach
 
-  ##########################################################################
-  ######                         IMGPROXY                            #######
-  ##########################################################################
+  #########################################################################
+  #####                         IMGPROXY                            #######
+  #########################################################################
   imgproxy:
     image: darthsim/imgproxy:v2.15.0
     ports:
@@ -137,24 +137,37 @@ services:
       - kavach
 
   keto-migrate:
-    image: oryd/keto:v0.5.7
+    image: oryd/keto:v0.9.0-alpha.0
     environment:
+      - DSN=postgres://postgres:postgres@postgres:5432/keto?sslmode=disable
       - LOG_LEVEL=debug
     depends_on:
       - postgres
-    command: migrate sql postgres://postgres:postgres@postgres:5432/keto?sslmode=disable
+    volumes:
+      - type: bind
+        source: ./keto
+        target: /etc/config/keto
+    # command: namespace migrate legacy -c "/etc/config/keto/keto.yml" --yes
+    command: migrate up -c "/etc/config/keto/keto.yml" --yes
     restart: on-failure
     networks:
       - kavach
 
   keto:
-    image: oryd/keto:v0.5.7
-    ports:
-      - "4466:4466"
     depends_on:
       - keto-migrate
+    image: oryd/keto:v0.9.0-alpha.0
+    ports:
+      - "4466:4466" # read
+      - "4467:4467" # write 
+      - "4468:4468" # metric
     environment:
-      - DSN=postgres://postgres:postgres@postgres:5432/keto?sslmode=disable
+      - LOG_LEVEL=debug
+    volumes:
+      - type: bind
+        source: ./keto
+        target: /etc/config/keto
+    command: serve -c "/etc/config/keto/keto.yml" 
     networks:
       - kavach
 
@@ -275,6 +288,6 @@ services:
     restart: unless-stopped
     networks:
       - kavach
-
+  
 networks:
   kavach:

keto/keto.yml

@@ -0,0 +1,12 @@
+dsn: postgres://postgres:postgres@postgres:5432/keto?sslmode=disable
+version: v0.9.0-alpha.0
+namespaces:
+  - id: 0
+    name: organisations
+  - id: 1
+    name: applications
+  - id: 2
+    name: spaces
+  - id: 3
+    name: superorganisation
+

kratos/config/kratos.yml

@@ -11,7 +11,7 @@ serve:
     base_url: http://kratos:4434/
 
 selfservice:
-  default_browser_return_url: http://127.0.0.1:4455/.factly/kavach/web/organisation
+  default_browser_return_url: http://127.0.0.1:4455/.factly/kavach/web/
   whitelisted_return_urls:
     - http://127.0.0.1:4455
     - http://127.0.0.1:4455/.factly/dega/studio/
@@ -23,6 +23,27 @@ selfservice:
     password:
       enabled: true
 
+    oidc:
+      enabled: true
+      config:
+        providers:
+          - id: github
+            provider: github 
+            client_id: 123abc
+            client_secret: 123abc
+            mapper_url: file:///etc/config/kratos/oidc.github.jsonnet
+            scope:
+              - user:email
+
+          - id: google 
+            provider: google
+            client_id: 123abc
+            client_secret: 123abc
+            mapper_url: file:///etc/config/kratos/oidc.google.jsonnet
+            scope:
+              - email
+              - profile
+
     link: 
       enabled: true
       config:
@@ -39,7 +60,7 @@ selfservice:
 
     settings:
       ui_url: http://127.0.0.1:4455/.factly/kavach/web/password
-      privileged_session_max_age: 15m
+      privileged_session_max_age: 1m
       required_aal: highest_available
 
     logout:
@@ -54,14 +75,14 @@ selfservice:
           hooks:
             - hook: require_verified_address
 
-    # verification:
-    #   enabled: true
-    #   ui_url: http://127.0.0.1:4455/.factly/kavach/web/auth/verification
+    verification:
+      enabled: true
+      ui_url: http://127.0.0.1:4455/.factly/kavach/web/auth/verification
 
 
     registration:
       after:
-        default_browser_return_url: http://127.0.0.1:4455/.factly/kavach/web/auth/login
+        default_browser_return_url: http://127.0.0.1:4455/.factly/kavach/web/verification
       lifespan: 10m
       ui_url: http://127.0.0.1:4455/.factly/kavach/web/auth/registration
 

oathkeeper/access-rules/kavach-web.json

@@ -6,7 +6,7 @@
       "url": "http://kavach-web:3000"
     },
     "match": {
-      "url": "http://127.0.0.1:4455/.factly/kavach/web/<(auth/login|auth/registration|auth/recovery|verification|error|auth/verification|manifest.json|static/.*|config.js)(|/)>",
+      "url": "http://127.0.0.1:4455/.factly/kavach/web/<(auth/login|auth/registration|auth/recovery|verification|tokens|error|auth/verification|manifest.json|static/.*|config.js)(|/)>",
       "methods": [
         "GET"
       ]
@@ -32,7 +32,7 @@
       "url": "http://kavach-web:3000"
     },
     "match": {
-      "url": "http://127.0.0.1:4455/.factly/kavach/web<(/(organisation|settings|password|profile|profile/invite|users(/new)|applications(/(create|\\d+/edit|\\d+/detail))?))?/?>",
+      "url": "http://127.0.0.1:4455/.factly/kavach/web<(/(organisation|organisation/edit|organisation(/(\\d+/settings(/(tokens|tokens/create|roles|roles(/(\\d+/users|\\d+/create|\\d+/edit))|policies|users|users/new))))|settings|password|profile|profile/invite|users|users(/new)|applications(/(create|type|\\d+/edit|\\d+/detail|\\d+/settings|\\d+/settings(/(users|tokens|tokens/create|roles|roles/create|policies|policies/create|spaces|spaces(/(create|\\d+/settings|\\d+/settings(/(tokens|roles|policies|users))))))))?))?/?>",
       "methods": [
         "GET"
       ]

server/Dockerfile.migrate

@@ -11,4 +11,4 @@ RUN go mod download
 ADD https://github.com/ufoscout/docker-compose-wait/releases/download/2.7.3/wait /wait
 RUN chmod +x /wait
 
-ENTRYPOINT /wait && go build main.go && ./main migrate
+ENTRYPOINT /wait && go build main.go && ./main migrate  && ./main create-super-org

server/action/organisation/application/access.go

@@ -1,10 +1,12 @@
 package application
 
 import (
+	"fmt"
 	"net/http"
 	"strconv"
 
 	"github.com/factly/kavach-server/model"
+	"github.com/factly/kavach-server/util/user"
 	"github.com/factly/x/errorx"
 	"github.com/factly/x/loggerx"
 	"github.com/factly/x/renderx"
@@ -31,44 +33,47 @@ func access(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	uID, err := strconv.Atoi(r.Header.Get("X-User"))
+	organisationID := chi.URLParam(r, "organisation_id")
+	orgID, err := strconv.Atoi(organisationID)
+
 	if err != nil {
 		loggerx.Error(err)
 		errorx.Render(w, errorx.Parser(errorx.InvalidID()))
 		return
 	}
 
-	organisationUser := make([]model.OrganisationUser, 0)
-
-	model.DB.Model(&model.OrganisationUser{}).Where(&model.OrganisationUser{
-		UserID: uint(uID),
-	}).Preload("Organisation").Find(&organisationUser)
-
-	orgIDs := make([]uint, 0)
-	for _, ou := range organisationUser {
-		orgIDs = append(orgIDs, ou.OrganisationID)
+	uID, err := strconv.Atoi(r.Header.Get("X-User"))
+	if err != nil {
+		loggerx.Error(err)
+		errorx.Render(w, errorx.Parser(errorx.InvalidID()))
+		return
 	}
 
-	applicationList := make([]model.Application, 0)
-	err = model.DB.Model(&model.Application{}).Where("organisation_id IN (?)", orgIDs).Where(&model.Application{
+	app := new(model.Application)
+	err = model.DB.Model(&model.Application{}).Where(&model.Application{
 		Slug: appSlug,
-	}).Preload("Users").Find(&applicationList).Error
-
+	}).First(app).Error
 	if err != nil {
 		loggerx.Error(err)
-		errorx.Render(w, errorx.Parser(errorx.RecordNotFound()))
+		errorx.Render(w, errorx.Parser(errorx.DBError()))
 		return
 	}
 
-	for _, app := range applicationList {
-		for _, usr := range app.Users {
-			if usr.ID == uint(uID) {
-				renderx.JSON(w, http.StatusOK, nil)
-				return
-			}
-		}
-
+	// VERIFY WHETHER THE USER IS PART OF Application OR NOT
+	isAuthorised, err := user.IsUserAuthorised(
+		namespace,
+		fmt.Sprintf("org:%d:app:%d", orgID, app.ID),
+		fmt.Sprintf("%d", uID),
+	)
+	if err != nil {
+		loggerx.Error(err)
+		errorx.Render(w, errorx.Parser(errorx.DecodeError()))
+		return
 	}
-
-	renderx.JSON(w, http.StatusUnauthorized, nil)
+	if !isAuthorised {
+		loggerx.Warning("user is not part of the application")
+		errorx.Render(w, errorx.Parser(errorx.Unauthorized()))
+		return
+	}
+	renderx.JSON(w, http.StatusOK, nil)
 }