diff --git a/controller/northbound/server/auth_interceptor.go b/controller/northbound/server/auth_interceptor.go
index cc127da9bbf47e3e7670ab25948331b642a8d7ca..96b11971ec603ed40b898522a52562e97b994ade 100644
--- a/controller/northbound/server/auth_interceptor.go
+++ b/controller/northbound/server/auth_interceptor.go
@@ -35,6 +35,11 @@ func (auth AuthInterceptor) Unary() grpc.UnaryServerInterceptor {
 case *apb.CreateUsersRequest:
 if len(r.User) < 2 {
 return handler(ctx, req)
+ } else {
+ err := auth.authorize(ctx, info.FullMethod)
+ if err != nil {
+ return nil, err
+ }
 }
 default:
 err := auth.authorize(ctx, info.FullMethod)
@@ -80,7 +85,16 @@ func (auth AuthInterceptor) authorize(ctx context.Context, method string) error
 return err
 }
 
- err = verifyPermisisonForRequestedCall(claims, method)
+ user, err := userc.Get(store.Query{Name: claims.Username})
+ if err != nil {
+ return err
+ }
+
+ if user.GetToken() != token {
+ return status.Errorf(codes.PermissionDenied, "invalid token")
+ }
+
+ err = verifyPermisisonForRequestedCall(user.GetRoles(), method)
 if err != nil {
 return err
 }
@@ -91,13 +105,8 @@ func (auth AuthInterceptor) authorize(ctx context.Context, method string) error
 return nil
 }
 
-func verifyPermisisonForRequestedCall(claims *rbac.UserClaims, requestedMethod string) error {
- user, err := userc.Get(store.Query{Name: claims.Username})
- if err != nil {
- return err
- }
-
- roles, err := rolec.GetAll()
+func verifyPermisisonForRequestedCall(userRoles map[string]string, requestedMethod string) error {
+ storedRoles, err := rolec.GetAll()
 if err != nil {
 return err
 }
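Review bot: The new `else` block in the CreateUsersRequest arm sits after a terminating `return` and repeats the `default` arm line for line; dropping the `else` keeps the happy path flat: `if len(r.User) < 2 { return handler(ctx, req) }` followed by `if err := auth.authorize(ctx, info.FullMethod); err != nil { return nil, err }`. The single-user CreateUsersRequest path on the context line above still reaches the handler without any call to `auth.authorize` — presumably an initial-user bootstrap, but the interceptor should state that in a comment such as `// a request creating a single user skips authorization; the handler is expected to enforce the bootstrap condition` so the invariant the handler must uphold is not lost. Unary's body starts and ends outside the hunk.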
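Review bot: The new check `if user.GetToken() != token` compares a credential with a plain string comparison and reports the mismatch as `codes.PermissionDenied`, whereas gRPC reserves `codes.Unauthenticated` for missing or invalid credentials and a constant-time compare is the usual form for secret comparison: `if subtle.ConstantTimeCompare([]byte(user.GetToken()), []byte(token)) != 1 { return status.Error(codes.Unauthenticated, "invalid token") }` (needs `crypto/subtle`). The error from `userc.Get` is also returned unwrapped, so a raw store error reaches the gRPC client; mapping it to a `status` error keeps internal detail out of responses and gives a lookup failure the same deny semantics as a bad token. `token` and `claims` are defined earlier in authorize, outside the hunk, and the function ends outside it as well.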
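Review bot: verifyPermisisonForRequestedCall now takes `userRoles map[string]string` but carries no doc comment saying what the keys and values are, and the only use visible (the ranged values are matched against `storedRole.Name()` in the next hunk) suggests the values are role names while the keys are ignored — that contract should be written down, e.g. `// verifyPermisisonForRequestedCall returns nil when one of the caller's roles (the values of userRoles, matched by name against rolec.GetAll()) lists requestedMethod among its permissions; any other outcome is an error.` The misspelling in the name predates this change, but since the signature is being rewritten this is the moment to correct it (verifyPermissionForRequestedCall). The function's body continues past the hunk.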
@@ -106,10 +115,10 @@ func verifyPermisisonForRequestedCall(claims *rbac.UserClaims, requestedMethod s
 // first loop through map with roles associated to user
 // second loop check if name of user role exists in roles
 // third loop check if role associated to current user has permission for call
- for _, userRole := range user.GetRoles() {
- for _, role := range roles {
- if userRole == role.Name() {
- for _, permission := range role.GetPermissions() {
+ for _, userRole := range userRoles {
+ for _, storedRole := range storedRoles {
+ if userRole == storedRole.Name() {
+ for _, permission := range storedRole.GetPermissions() {
 if permission == requestedMethod {
 return nil
 }
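Review bot: The renamed triple loop still scans every stored role once per user role, and the three comment lines above it describe the loops rather than the decision being made; collecting the caller's role names into a set first lets a single pass over `storedRoles` do the same work and reads as "is this method granted by any of the caller's roles". Behaviour is unchanged: a match returns nil exactly as before, and the no-match path after the hunk (outside SOURCE) is untouched. The existing comment block can then collapse to `// allow when a stored role named in userRoles lists requestedMethod`.
```go
	// allow when a stored role named in userRoles lists requestedMethod
	wanted := make(map[string]struct{}, len(userRoles))
	for _, userRole := range userRoles {
		wanted[userRole] = struct{}{}
	}
	for _, storedRole := range storedRoles {
		if _, ok := wanted[storedRole.Name()]; !ok {
			continue
		}
		for _, permission := range storedRole.GetPermissions() {
			if permission == requestedMethod {
				return nil
			}
	// … unchanged: closing braces and the deny path after the loop …
```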