refactor: add superadmin check on retrieve domain

Signed-off-by: Felix Gateru <[email protected]>

domains/api/http/endpoint_test.go

@@ -1149,7 +1149,7 @@ func TestSendInvitation(t *testing.T) {
 	for _, tc := range cases {
 		t.Run(tc.desc, func(t *testing.T) {
 			if tc.token == validToken {
-				tc.session = authn.Session{UserID: userID, DomainID: domainID, DomainUserID: domainID + "_" + userID}
+				tc.session = authn.Session{UserID: userID, DomainID: domainID}
 			}
 			authnCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 			repoCall := svc.On("SendInvitation", mock.Anything, tc.session, mock.Anything).Return(tc.svcErr)
@@ -1382,7 +1382,7 @@ func TestViewInvitation(t *testing.T) {
 	for _, tc := range cases {
 		t.Run(tc.desc, func(t *testing.T) {
 			if tc.token == validToken {
-				tc.session = authn.Session{UserID: userID, DomainID: domainID, DomainUserID: domainID + "_" + userID}
+				tc.session = authn.Session{UserID: userID, DomainID: domainID}
 			}
 			authnCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 			repoCall := svc.On("ViewInvitation", mock.Anything, tc.session, tc.userID, tc.domainID).Return(domains.Invitation{}, tc.svcErr)
@@ -1476,7 +1476,7 @@ func TestDeleteInvitation(t *testing.T) {
 	for _, tc := range cases {
 		t.Run(tc.desc, func(t *testing.T) {
 			if tc.token == validToken {
-				tc.session = authn.Session{UserID: userID, DomainID: domainID, DomainUserID: domainID + "_" + userID}
+				tc.session = authn.Session{UserID: userID, DomainID: domainID}
 			}
 			authnCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authnErr)
 			repoCall := svc.On("DeleteInvitation", mock.Anything, tc.session, tc.userID, tc.domainID).Return(tc.svcErr)

domains/middleware/authorization.go

@@ -6,7 +6,6 @@ package middleware
 import (
 	"context"
 
-	"github.com/absmach/supermq/auth"
 	"github.com/absmach/supermq/domains"
 	"github.com/absmach/supermq/pkg/authn"
 	"github.com/absmach/supermq/pkg/authz"
@@ -58,6 +57,16 @@ func (am *authorizationMiddleware) CreateDomain(ctx context.Context, session aut
 }
 
 func (am *authorizationMiddleware) RetrieveDomain(ctx context.Context, session authn.Session, id string) (domains.Domain, error) {
+	if err := am.authz.Authorize(ctx, authz.PolicyReq{
+		Subject:     session.UserID,
+		SubjectType: policies.UserType,
+		Permission:  policies.AdminPermission,
+		ObjectType:  policies.PlatformType,
+		Object:      policies.SuperMQObject,
+	}); err == nil {
+		session.SuperAdmin = true
+		return am.svc.RetrieveDomain(ctx, session, id)
+	}
 	if err := am.authorize(ctx, domains.OpRetrieveDomain, authz.PolicyReq{
 		Subject:     session.UserID,
 		SubjectType: policies.UserType,
@@ -141,8 +150,7 @@ func (am *authorizationMiddleware) ListDomains(ctx context.Context, session auth
 }
 
 func (am *authorizationMiddleware) SendInvitation(ctx context.Context, session authn.Session, invitation domains.Invitation) (err error) {
-	domainUserId := auth.EncodeDomainUserID(invitation.DomainID, invitation.InviteeUserID)
-	if err := am.extAuthorize(ctx, domainUserId, policies.MembershipPermission, policies.DomainType, invitation.DomainID); err == nil {
+	if err := am.extAuthorize(ctx, session.UserID, policies.MembershipPermission, policies.DomainType, invitation.DomainID); err == nil {
 		// return error if the user is already a member of the domain
 		return errors.Wrap(svcerr.ErrConflict, ErrMemberExist)
 	}
@@ -155,7 +163,6 @@ func (am *authorizationMiddleware) SendInvitation(ctx context.Context, session a
 }
 
 func (am *authorizationMiddleware) ViewInvitation(ctx context.Context, session authn.Session, inviteeUserID, domain string) (invitation domains.Invitation, err error) {
-	session.DomainUserID = auth.EncodeDomainUserID(session.DomainID, session.UserID)
 	if session.UserID != inviteeUserID {
 		if err := am.checkAdmin(ctx, session); err != nil {
 			return domains.Invitation{}, err
@@ -166,7 +173,6 @@ func (am *authorizationMiddleware) ViewInvitation(ctx context.Context, session a
 }
 
 func (am *authorizationMiddleware) ListInvitations(ctx context.Context, session authn.Session, page domains.InvitationPageMeta) (invs domains.InvitationPage, err error) {
-	session.DomainUserID = auth.EncodeDomainUserID(session.DomainID, session.UserID)
 	if err := am.extAuthorize(ctx, session.UserID, policies.AdminPermission, policies.PlatformType, policies.SuperMQObject); err == nil {
 		session.SuperAdmin = true
 		page.DomainID = ""
@@ -175,7 +181,7 @@ func (am *authorizationMiddleware) ListInvitations(ctx context.Context, session
 	if !session.SuperAdmin {
 		switch {
 		case page.DomainID != "":
-			if err := am.extAuthorize(ctx, session.DomainUserID, policies.AdminPermission, policies.DomainType, page.DomainID); err != nil {
+			if err := am.extAuthorize(ctx, session.UserID, policies.AdminPermission, policies.DomainType, page.DomainID); err != nil {
 				return domains.InvitationPage{}, err
 			}
 		default:
@@ -195,7 +201,6 @@ func (am *authorizationMiddleware) RejectInvitation(ctx context.Context, session
 }
 
 func (am *authorizationMiddleware) DeleteInvitation(ctx context.Context, session authn.Session, inviteeUserID, domainID string) (err error) {
-	session.DomainUserID = auth.EncodeDomainUserID(session.DomainID, session.UserID)
 	if err := am.checkAdmin(ctx, session); err != nil {
 		return err
 	}
@@ -222,7 +227,7 @@ func (am *authorizationMiddleware) checkAdmin(ctx context.Context, session authn
 	req := smqauthz.PolicyReq{
 		SubjectType: policies.UserType,
 		SubjectKind: policies.UsersKind,
-		Subject:     session.DomainUserID,
+		Subject:     session.UserID,
 		Permission:  policies.AdminPermission,
 		ObjectType:  policies.DomainType,
 		Object:      session.DomainID,

pkg/sdk/invitations_test.go

@@ -118,11 +118,7 @@ func TestSendInvitation(t *testing.T) {
 	for _, tc := range cases {
 		t.Run(tc.desc, func(t *testing.T) {
 			if tc.token == valid {
-				tc.session = smqauthn.Session{
-					UserID:       tc.sendInvitationReq.InviteeUserID,
-					DomainID:     tc.sendInvitationReq.DomainID,
-					DomainUserID: tc.sendInvitationReq.DomainID + "_" + tc.sendInvitationReq.InviteeUserID,
-				}
+				tc.session = smqauthn.Session{UserID: tc.sendInvitationReq.InviteeUserID, DomainID: tc.sendInvitationReq.DomainID}
 			}
 			authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 			svcCall := svc.On("SendInvitation", mock.Anything, tc.session, tc.svcReq).Return(tc.svcErr)
@@ -213,7 +209,7 @@ func TestViewInvitation(t *testing.T) {
 	for _, tc := range cases {
 		t.Run(tc.desc, func(t *testing.T) {
 			if tc.token == valid {
-				tc.session = smqauthn.Session{UserID: tc.userID, DomainID: tc.domainID, DomainUserID: tc.domainID + "_" + tc.userID}
+				tc.session = smqauthn.Session{UserID: tc.userID, DomainID: tc.domainID}
 			}
 			authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 			svcCall := svc.On("ViewInvitation", mock.Anything, tc.session, tc.userID, tc.domainID).Return(tc.svcRes, tc.svcErr)
@@ -527,7 +523,7 @@ func TestDeleteInvitation(t *testing.T) {
 	for _, tc := range cases {
 		t.Run(tc.desc, func(t *testing.T) {
 			if tc.token == valid {
-				tc.session = smqauthn.Session{UserID: tc.inviteeUserID, DomainID: tc.domainID, DomainUserID: tc.domainID + "_" + tc.inviteeUserID}
+				tc.session = smqauthn.Session{UserID: tc.inviteeUserID, DomainID: tc.domainID}
 			}
 			authCall := auth.On("Authenticate", mock.Anything, tc.token).Return(tc.session, tc.authenticateErr)
 			svcCall := svc.On("DeleteInvitation", mock.Anything, tc.session, tc.inviteeUserID, tc.domainID).Return(tc.svcErr)