updates users, transformers services

backend/internal/cmds/mgmt/serve/connect/cmd.go

@@ -548,10 +548,9 @@ func serve(ctx context.Context) error {
 		db,
 		tfwfmgr,
 		connectionService,
-		useraccountService,
 		sqlmanager,
 		jobhookService,
-		rbacclient,
+		userdataclient,
 	)
 	api.Handle(
 		mgmtv1alpha1connect.NewJobServiceHandler(
@@ -605,7 +604,7 @@ func serve(ctx context.Context) error {
 		PresidioDefaultLanguage: getPresidioDefaultLanguage(),
 		IsAuthEnabled:           isAuthEnabled,
 		IsNeosyncCloud:          ncloudlicense.IsValid(),
-	}, anonymizerMeter, useraccountService, presAnalyzeClient, presAnonClient, db)
+	}, anonymizerMeter, userdataclient, useraccountService, presAnalyzeClient, presAnonClient, db)
 	api.Handle(
 		mgmtv1alpha1connect.NewAnonymizationServiceHandler(
 			anonymizationService,

backend/internal/ee/rbac/actions.go

@@ -13,6 +13,18 @@ func (a AccountAction) String() string {
 	return string(a)
 }
 
+type AccountMemberAction string
+
+const (
+	AccountMemberAction_Invite AccountMemberAction = "invite"
+	AccountMemberAction_Delete AccountMemberAction = "delete"
+	AccountMemberAction_View   AccountMemberAction = "view"
+)
+
+func (a AccountMemberAction) String() string {
+	return string(a)
+}
+
 type ConnectionAction string
 
 const (

backend/internal/ee/rbac/policy.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/casbin/casbin/v2"
 	mgmtv1alpha1 "github.com/nucleuscloud/neosync/backend/gen/go/protos/mgmt/v1alpha1"
+	nucleuserrors "github.com/nucleuscloud/neosync/backend/internal/errors"
 )
 
 type Rbac struct {
@@ -26,8 +27,11 @@ type Db interface {
 
 type EntityEnforcer interface {
 	Job(ctx context.Context, user EntityString, account EntityString, job EntityString, action JobAction) (bool, error)
+	EnforceJob(ctx context.Context, user EntityString, account EntityString, job EntityString, action JobAction) error
 	Connection(ctx context.Context, user EntityString, account EntityString, connection EntityString, action ConnectionAction) (bool, error)
+	EnforceConnection(ctx context.Context, user EntityString, account EntityString, connection EntityString, action ConnectionAction) error
 	Account(ctx context.Context, user EntityString, account EntityString, action AccountAction) (bool, error)
+	EnforceAccount(ctx context.Context, user EntityString, account EntityString, action AccountAction) error
 }
 
 // Initialize default policies for existing accounts at startup
@@ -145,6 +149,23 @@ func (r *Rbac) Job(
 	return r.e.Enforce(user.String(), account.String(), job.String(), action.String())
 }
 
+func (r *Rbac) EnforceJob(
+	ctx context.Context,
+	user EntityString,
+	account EntityString,
+	job EntityString,
+	action JobAction,
+) error {
+	ok, err := r.Job(ctx, user, account, job, action)
+	if err != nil {
+		return err
+	}
+	if !ok {
+		return nucleuserrors.NewForbidden(fmt.Sprintf("user does not have permission to %s job", action))
+	}
+	return nil
+}
+
 func (r *Rbac) Connection(
 	ctx context.Context,
 	user EntityString,
@@ -155,6 +176,23 @@ func (r *Rbac) Connection(
 	return r.e.Enforce(user.String(), account.String(), connection.String(), action.String())
 }
 
+func (r *Rbac) EnforceConnection(
+	ctx context.Context,
+	user EntityString,
+	account EntityString,
+	connection EntityString,
+	action ConnectionAction,
+) error {
+	ok, err := r.Connection(ctx, user, account, connection, action)
+	if err != nil {
+		return err
+	}
+	if !ok {
+		return nucleuserrors.NewForbidden(fmt.Sprintf("user does not have permission to %s connection", action))
+	}
+	return nil
+}
+
 func (r *Rbac) Account(
 	ctx context.Context,
 	user EntityString,
@@ -164,6 +202,22 @@ func (r *Rbac) Account(
 	return r.e.Enforce(user.String(), account.String(), account.String(), action.String())
 }
 
+func (r *Rbac) EnforceAccount(
+	ctx context.Context,
+	user EntityString,
+	account EntityString,
+	action AccountAction,
+) error {
+	ok, err := r.Account(ctx, user, account, action)
+	if err != nil {
+		return err
+	}
+	if !ok {
+		return nucleuserrors.NewForbidden(fmt.Sprintf("user does not have permission to %s account", action))
+	}
+	return nil
+}
+
 func toRoleName(role mgmtv1alpha1.AccountRole) (string, error) {
 	switch role {
 	case mgmtv1alpha1.AccountRole_ACCOUNT_ROLE_ADMIN:

backend/internal/userdata/user.go

@@ -89,7 +89,7 @@ type UserEntityEnforcer struct {
 }
 
 type DomainEntity interface {
-	GetId() string
+	Identifier
 	GetAccountId() string
 }
 type DomainEntityImpl struct {
@@ -98,6 +98,10 @@ type DomainEntityImpl struct {
 	isWild    bool
 }
 
+type Identifier interface {
+	GetId() string
+}
+
 func (j *DomainEntityImpl) GetId() string {
 	return j.id
 }
@@ -127,51 +131,37 @@ func NewDbDomainEntity(accountId, id pgtype.UUID) DomainEntity {
 	}
 }
 
-func (u *UserEntityEnforcer) Job(ctx context.Context, job DomainEntity, action rbac.JobAction) (bool, error) {
-	if err := u.enforceAccountAccess(ctx, job.GetAccountId()); err != nil {
-		return false, err
+type IdentifierImpl struct {
+	id string
+}
+
+func NewIdentifier(id string) Identifier {
+	return &IdentifierImpl{
+		id: id,
 	}
-	return u.enforcer.Job(ctx, u.user, rbac.NewAccountIdEntity(job.GetAccountId()), rbac.NewJobIdEntity(job.GetId()), action)
 }
+
+func (i *IdentifierImpl) GetId() string {
+	return i.id
+}
+
 func (u *UserEntityEnforcer) EnforceJob(ctx context.Context, job DomainEntity, action rbac.JobAction) error {
-	ok, err := u.Job(ctx, job, action)
-	if err != nil {
+	if err := u.enforceAccountAccess(ctx, job.GetAccountId()); err != nil {
 		return err
 	}
-	if !ok {
-		return nucleuserrors.NewForbidden(fmt.Sprintf("user does not have permission to %s job", action))
-	}
-	return nil
-}
-func (u *UserEntityEnforcer) Connection(ctx context.Context, connection DomainEntity, action rbac.ConnectionAction) (bool, error) {
-	if err := u.enforceAccountAccess(ctx, connection.GetAccountId()); err != nil {
-		return false, err
-	}
-	return u.enforcer.Connection(ctx, u.user, rbac.NewAccountIdEntity(connection.GetAccountId()), rbac.NewConnectionIdEntity(connection.GetId()), action)
+	return u.enforcer.EnforceJob(ctx, u.user, rbac.NewAccountIdEntity(job.GetAccountId()), rbac.NewJobIdEntity(job.GetId()), action)
 }
+
 func (u *UserEntityEnforcer) EnforceConnection(ctx context.Context, connection DomainEntity, action rbac.ConnectionAction) error {
-	ok, err := u.Connection(ctx, connection, action)
-	if err != nil {
+	if err := u.enforceAccountAccess(ctx, connection.GetAccountId()); err != nil {
 		return err
 	}
-	if !ok {
-		return nucleuserrors.NewForbidden(fmt.Sprintf("user does not have permission to %s connection", action))
-	}
-	return nil
+	return u.enforcer.EnforceConnection(ctx, u.user, rbac.NewAccountIdEntity(connection.GetAccountId()), rbac.NewConnectionIdEntity(connection.GetId()), action)
 }
-func (u *UserEntityEnforcer) Account(ctx context.Context, account *mgmtv1alpha1.UserAccount, action rbac.AccountAction) (bool, error) {
+
+func (u *UserEntityEnforcer) EnforceAccount(ctx context.Context, account Identifier, action rbac.AccountAction) error {
 	if err := u.enforceAccountAccess(ctx, account.GetId()); err != nil {
-		return false, err
-	}
-	return u.enforcer.Account(ctx, u.user, rbac.NewAccountIdEntity(account.GetId()), action)
-}
-func (u *UserEntityEnforcer) EnforceAccount(ctx context.Context, account *mgmtv1alpha1.UserAccount, action rbac.AccountAction) error {
-	ok, err := u.Account(ctx, account, action)
-	if err != nil {
 		return err
 	}
-	if !ok {
-		return nucleuserrors.NewForbidden(fmt.Sprintf("user does not have permission to %s account", action))
-	}
-	return nil
+	return u.enforcer.EnforceAccount(ctx, u.user, rbac.NewAccountIdEntity(account.GetId()), action)
 }

backend/services/mgmt/v1alpha1/transformers-service/entities.go

@@ -8,7 +8,9 @@ import (
 	"connectrpc.com/connect"
 	mgmtv1alpha1 "github.com/nucleuscloud/neosync/backend/gen/go/protos/mgmt/v1alpha1"
 	"github.com/nucleuscloud/neosync/backend/gen/go/protos/mgmt/v1alpha1/mgmtv1alpha1connect"
+	"github.com/nucleuscloud/neosync/backend/internal/ee/rbac"
 	nucleuserrors "github.com/nucleuscloud/neosync/backend/internal/errors"
+	"github.com/nucleuscloud/neosync/backend/internal/userdata"
 	presidioapi "github.com/nucleuscloud/neosync/internal/ee/presidio"
 )
 
@@ -26,7 +28,11 @@ func (s *Service) GetTransformPiiEntities(
 	if s.entityclient == nil {
 		return nil, nucleuserrors.NewInternalError("entity service is enabled but client was nil.")
 	}
-	_, err := s.verifyUserInAccount(ctx, req.Msg.GetAccountId())
+	user, err := s.userdataclient.GetUser(ctx)
+	if err != nil {
+		return nil, err
+	}
+	err = user.EnforceJob(ctx, userdata.NewWildcardDomainEntity(req.Msg.GetAccountId()), rbac.JobAction_View)
 	if err != nil {
 		return nil, err
 	}

backend/services/mgmt/v1alpha1/transformers-service/service.go

@@ -1,16 +1,16 @@
 package v1alpha1_transformersservice
 
 import (
-	"github.com/nucleuscloud/neosync/backend/gen/go/protos/mgmt/v1alpha1/mgmtv1alpha1connect"
 	"github.com/nucleuscloud/neosync/backend/internal/neosyncdb"
+	"github.com/nucleuscloud/neosync/backend/internal/userdata"
 	presidioapi "github.com/nucleuscloud/neosync/internal/ee/presidio"
 )
 
 type Service struct {
-	cfg                *Config
-	db                 *neosyncdb.NeosyncDb
-	useraccountService mgmtv1alpha1connect.UserAccountServiceClient
-	entityclient       presidioapi.EntityInterface
+	cfg            *Config
+	db             *neosyncdb.NeosyncDb
+	entityclient   presidioapi.EntityInterface
+	userdataclient userdata.Client
 }
 
 type Config struct {
@@ -21,13 +21,13 @@ type Config struct {
 func New(
 	cfg *Config,
 	db *neosyncdb.NeosyncDb,
-	useraccountService mgmtv1alpha1connect.UserAccountServiceClient,
 	recognizerclient presidioapi.EntityInterface,
+	userdataclient userdata.Client,
 ) *Service {
 	return &Service{
-		cfg:                cfg,
-		db:                 db,
-		useraccountService: useraccountService,
-		entityclient:       recognizerclient,
+		cfg:            cfg,
+		db:             db,
+		entityclient:   recognizerclient,
+		userdataclient: userdataclient,
 	}
 }