Allow users to be resolved by ID (#39)

directory/identity.go

@@ -2,20 +2,19 @@ package directory
 
 import (
 	"context"
+	"errors"
 
+	cerr "github.com/aserto-dev/errors"
 	"github.com/aserto-dev/go-authorizer/pkg/aerr"
 	v2 "github.com/aserto-dev/go-directory/aserto/directory/common/v2"
 	ds2 "github.com/aserto-dev/go-directory/aserto/directory/reader/v2"
-	"github.com/google/uuid"
+	"github.com/aserto-dev/go-directory/pkg/derr"
 )
 
 func GetIdentityV2(client ds2.ReaderClient, ctx context.Context, identity string) (*v2.Object, error) {
 	identityString := "identity"
 	obj := v2.ObjectIdentifier{Type: &identityString, Key: &identity}
-	_, err := uuid.Parse(identity)
-	if err == nil {
-		obj = v2.ObjectIdentifier{Id: &identity}
-	}
+
 	relationString := "identifier"
 	subjectType := "user"
 	withObjects := true
@@ -28,15 +27,16 @@ func GetIdentityV2(client ds2.ReaderClient, ctx context.Context, identity string
 		},
 		WithObjects: &withObjects,
 	})
-	if err != nil {
+	switch {
+	case err != nil && errors.Is(cerr.UnwrapAsertoError(err), derr.ErrNotFound):
+		return nil, aerr.ErrDirectoryObjectNotFound
+	case err != nil:
 		return nil, err
-	}
 
-	if relResp.Results == nil {
+	case relResp.Results == nil:
 		return nil, aerr.ErrDirectoryObjectNotFound
-	}
 
-	if len(relResp.Objects) == 0 {
+	case len(relResp.Objects) == 0:
 		return nil, aerr.ErrDirectoryObjectNotFound.Msg("no objects found in relation")
 	}
 

pkg/app/impl/jwt.go

@@ -12,6 +12,7 @@ import (
 	"github.com/aserto-dev/go-authorizer/aserto/authorizer/v2/api"
 	"github.com/aserto-dev/go-authorizer/pkg/aerr"
 	v2 "github.com/aserto-dev/go-directory/aserto/directory/common/v2"
+	ds2 "github.com/aserto-dev/go-directory/aserto/directory/reader/v2"
 	"github.com/aserto-dev/topaz/builtins/edge/ds"
 	"github.com/lestrrat-go/jwx/jwk"
 	"github.com/lestrrat-go/jwx/jwt"
@@ -187,5 +188,25 @@ func (s *AuthorizerServer) getUserFromIdentity(ctx context.Context, identity str
 	default:
 	}
 
+	if user == nil {
+		return s.getObject(ctx, identity)
+	}
+
 	return user, nil
 }
+
+func (s *AuthorizerServer) getObject(ctx context.Context, id string) (proto.Message, error) {
+	client, err := s.resolver.GetDirectoryResolver().GetDS(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	objResp, err := client.GetObject(ctx, &ds2.GetObjectRequest{
+		Param: &v2.ObjectIdentifier{Id: &id},
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return objResp.Result, nil
+}

pkg/app/tests/authz_test.go

@@ -32,6 +32,7 @@ func TestWithMissingIdentity(t *testing.T) {
 		test func(*testing.T)
 	}{
 		{"TestDecisionTreeWithMissingIdentity", DecisionTreeWithMissingIdentity(ctx, client)},
+		{"TestDecisionTreeWithUserID", DecisionTreeWithUserID(ctx, client)},
 		{"TestIsWithMissingIdentity", IsWithMissingIdentity(ctx, client)},
 		{"TestQueryWithMissingIdentity", QueryWithMissingIdentity(ctx, client)},
 	}
@@ -69,6 +70,34 @@ func DecisionTreeWithMissingIdentity(ctx context.Context, client authz2.Authoriz
 	}
 }
 
+func DecisionTreeWithUserID(ctx context.Context, client authz2.AuthorizerClient) func(*testing.T) {
+	return func(t *testing.T) {
+		respX, errX := client.DecisionTree(ctx, &authz2.DecisionTreeRequest{
+			PolicyContext: &authz_api_v2.PolicyContext{
+				Path:      "peoplefinder.GET",
+				Decisions: []string{"allowed"},
+			},
+			IdentityContext: &authz_api_v2.IdentityContext{
+				Identity: "2bfaa552-d9a5-41e9-a6c3-5be62b4433c8", // April Stewart
+				Type:     authz_api_v2.IdentityType_IDENTITY_TYPE_SUB,
+			},
+			Options:         &authz2.DecisionTreeOptions{},
+			ResourceContext: &structpb.Struct{},
+		})
+
+		if errX != nil {
+			t.Logf("ERR >>> %s\n", errX)
+		}
+
+		assert.NoError(t, errX)
+		assert.NotNil(t, respX, "response object should not be nil")
+		assert.Equal(t, "peoplefinder.GET", respX.PathRoot)
+
+		path := respX.Path.AsMap()
+		assert.Len(t, path, 2)
+	}
+}
+
 func IsWithMissingIdentity(ctx context.Context, client authz2.AuthorizerClient) func(*testing.T) {
 	return func(t *testing.T) {
 		respX, errX := client.Is(ctx, &authz2.IsRequest{