fixed check for creating more than one user when not logged in, added check to...

fixed check for creating more than one user when not logged in, added check to see if provided token belongs to user

controller/northbound/server/auth_interceptor.go

@@ -35,6 +35,11 @@ func (auth AuthInterceptor) Unary() grpc.UnaryServerInterceptor {
 		case *apb.CreateUsersRequest:
 			if len(r.User) < 2 {
 				return handler(ctx, req)
+			} else {
+				err := auth.authorize(ctx, info.FullMethod)
+				if err != nil {
+					return nil, err
+				}
 			}
 		default:
 			err := auth.authorize(ctx, info.FullMethod)
@@ -80,7 +85,16 @@ func (auth AuthInterceptor) authorize(ctx context.Context, method string) error
 			return err
 		}
 
-		err = verifyPermisisonForRequestedCall(claims, method)
+		user, err := userc.Get(store.Query{Name: claims.Username})
+		if err != nil {
+			return err
+		}
+
+		if user.GetToken() != token {
+			return status.Errorf(codes.PermissionDenied, "invalid token")
+		}
+
+		err = verifyPermisisonForRequestedCall(user.GetRoles(), method)
 		if err != nil {
 			return err
 		}
@@ -91,13 +105,8 @@ func (auth AuthInterceptor) authorize(ctx context.Context, method string) error
 	return nil
 }
 
-func verifyPermisisonForRequestedCall(claims *rbac.UserClaims, requestedMethod string) error {
-	user, err := userc.Get(store.Query{Name: claims.Username})
-	if err != nil {
-		return err
-	}
-
-	roles, err := rolec.GetAll()
+func verifyPermisisonForRequestedCall(userRoles map[string]string, requestedMethod string) error {
+	storedRoles, err := rolec.GetAll()
 	if err != nil {
 		return err
 	}
@@ -106,10 +115,10 @@ func verifyPermisisonForRequestedCall(claims *rbac.UserClaims, requestedMethod s
 	// first loop through map with roles associated to user
 	// second loop check if name of user role exists in roles
 	// third loop check if role associated to current user has permission for call
-	for _, userRole := range user.GetRoles() {
-		for _, role := range roles {
-			if userRole == role.Name() {
-				for _, permission := range role.GetPermissions() {
+	for _, userRole := range userRoles {
+		for _, storedRole := range storedRoles {
+			if userRole == storedRole.Name() {
+				for _, permission := range storedRole.GetPermissions() {
 					if permission == requestedMethod {
 						return nil
 					}