feat: added auth checking for bus grpc

ShatteredRealms · Dec 11, 2024 · 4296bfb · 4296bfb
1 parent 51cc6f8
commit 4296bfb
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 2 deletions.
diff --git a/pkg/srv/bus.go b/pkg/srv/bus.go
@@ -38,6 +38,11 @@ var (
 
 // ResetReaderBus implements pb.BusServiceServer.
 func (b *busService) ResetReaderBus(ctx context.Context, request *pb.BusTarget) (*pb.ResetBusResponse, error) {
+	err := b.ctx.ValidateRoles(ctx, RoleBusReset)
+	if err != nil {
+		return nil, err
+	}
+
 	if request.GetType() == "" {
 		// Reset all buses
 		var err error
@@ -63,7 +68,7 @@ func (b *busService) ResetReaderBus(ctx context.Context, request *pb.BusTarget)
 		return nil, status.Errorf(codes.NotFound, ErrBusNotFound.Error())
 	}
 
-	err := bus.Reset(ctx)
+	err = bus.Reset(ctx)
 	if err != nil {
 		return nil, status.Errorf(codes.Internal, fmt.Errorf("%w: %w", ErrBusReset, err).Error())
 	}
@@ -75,6 +80,11 @@ func (b *busService) ResetReaderBus(ctx context.Context, request *pb.BusTarget)
 
 // ResetWriterBus implements pb.BusServiceServer.
 func (b *busService) ResetWriterBus(ctx context.Context, request *pb.BusTarget) (*pb.ResetBusResponse, error) {
+	err := b.ctx.ValidateRoles(ctx, RoleBusReset)
+	if err != nil {
+		return nil, err
+	}
+
 	if request.GetType() == "" {
 		var err error
 		builder := strings.Builder{}
@@ -98,7 +108,7 @@ func (b *busService) ResetWriterBus(ctx context.Context, request *pb.BusTarget)
 		return nil, status.Errorf(codes.NotFound, ErrBusNotFound.Error())
 	}
 
-	err := busCallback()
+	err = busCallback()
 	if err != nil {
 		return nil, status.Errorf(codes.Internal, fmt.Errorf("%w: %w", ErrBusReset, err).Error())
 	}

diff --git a/pkg/srv/context.go b/pkg/srv/context.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"time"
 
+	"github.com/ShatteredRealms/go-common-service/pkg/auth"
 	"github.com/ShatteredRealms/go-common-service/pkg/config"
 	"github.com/ShatteredRealms/go-common-service/pkg/log"
 	"github.com/WilSimpson/gocloak/v13"
@@ -107,6 +108,17 @@ func (srvCtx *Context) CreateRoles(ctx context.Context, roles *[]*gocloak.Role)
 	return errs
 }
 
+func (srvCtx *Context) ValidateRoles(ctx context.Context, role *gocloak.Role) error {
+	claims, ok := auth.RetrieveClaims(ctx)
+	if !ok {
+		return ErrPermissionDenied
+	}
+	if !claims.HasResourceRole(role, srvCtx.Config.Keycloak.ClientId) {
+		return ErrPermissionDenied
+	}
+	return nil
+}
+
 // // ValidateUserExists checks if a user exists in Keycloak. If the user does not exist it returns
 // // auth.ErrDoesNotExist. Otherwise, it returns nil. Other errors are possible.
 // func (srvCtx *Context) ValidateUserExists(