feat: remove orgId dependency in authz

.golangci.yml

@@ -9,9 +9,7 @@ linters:
     - vet
     - goimports
     - thelper
-    - tparallel
     - unconvert
-    - wastedassign
     - revive
     - unused
     - gofmt

cmd/serve.go

@@ -105,7 +105,7 @@ func serve(logger log.Logger, cfg *config.Shield) error {
 	}
 
 	// serving proxies
-	cbs, cps, err := serveProxies(ctx, logger, cfg.App.IdentityProxyHeader, cfg.App.UserIDHeader, cfg.Proxy, deps.ResourceService, deps.UserService)
+	cbs, cps, err := serveProxies(ctx, logger, cfg.App.IdentityProxyHeader, cfg.App.UserIDHeader, cfg.Proxy, deps.ResourceService, deps.UserService, deps.ProjectService)
 	if err != nil {
 		return err
 	}

cmd/serve_proxy.go

@@ -6,6 +6,7 @@ import (
 	"net/http"
 
 	"github.com/odpf/salt/log"
+	"github.com/odpf/shield/core/project"
 	"github.com/odpf/shield/core/resource"
 	"github.com/odpf/shield/core/rule"
 	"github.com/odpf/shield/core/user"
@@ -23,16 +24,18 @@ import (
 func serveProxies(
 	ctx context.Context,
 	logger log.Logger,
-	identityProxyHeaderKey, userIDHeaderKey string,
+	identityProxyHeaderKey,
+	userIDHeaderKey string,
 	cfg proxy.ServicesConfig,
 	resourceService *resource.Service,
 	userService *user.Service,
+	projectService *project.Service,
 ) ([]func() error, []func(ctx context.Context) error, error) {
 	var cleanUpBlobs []func() error
 	var cleanUpProxies []func(ctx context.Context) error
 
 	for _, svcConfig := range cfg.Services {
-		hookPipeline := buildHookPipeline(logger, identityProxyHeaderKey, resourceService)
+		hookPipeline := buildHookPipeline(logger, identityProxyHeaderKey, resourceService, projectService)
 
 		h2cProxy := proxy.NewH2c(
 			proxy.NewH2cRoundTripper(logger, hookPipeline),
@@ -67,9 +70,9 @@ func serveProxies(
 	return cleanUpBlobs, cleanUpProxies, nil
 }
 
-func buildHookPipeline(log log.Logger, identityProxyHeaderKey string, resourceService v1beta1.ResourceService) hook.Service {
+func buildHookPipeline(log log.Logger, identityProxyHeaderKey string, resourceService v1beta1.ResourceService, projectService v1beta1.ProjectService) hook.Service {
 	rootHook := hook.New()
-	return authz_hook.New(log, rootHook, rootHook, identityProxyHeaderKey, resourceService)
+	return authz_hook.New(log, rootHook, rootHook, identityProxyHeaderKey, resourceService, projectService)
 }
 
 // buildPipeline builds middleware sequence

internal/proxy/hook/authz/authz.go

@@ -6,15 +6,16 @@ import (
 	"net/http"
 	"strings"
 
+	"github.com/mitchellh/mapstructure"
+
+	"github.com/odpf/salt/log"
 	"github.com/odpf/shield/core/namespace"
+	"github.com/odpf/shield/core/project"
 	"github.com/odpf/shield/core/resource"
 	"github.com/odpf/shield/core/user"
 	"github.com/odpf/shield/internal/proxy/hook"
 	"github.com/odpf/shield/internal/proxy/middleware"
 	"github.com/odpf/shield/pkg/body_extractor"
-
-	"github.com/mitchellh/mapstructure"
-	"github.com/odpf/salt/log"
 )
 
 type ResourceService interface {
@@ -30,18 +31,26 @@ type Authz struct {
 	// To skip all the next hooks and just respond back
 	escape hook.Service
 
+	projectService ProjectService
+
+	// TODO need to figure out what best to pass this
 	identityProxyHeaderKey string
 
 	resourceService ResourceService
 }
 
-func New(log log.Logger, next, escape hook.Service, identityProxyHeaderKey string, resourceService ResourceService) Authz {
+type ProjectService interface {
+	Get(ctx context.Context, id string) (project.Project, error)
+}
+
+func New(log log.Logger, next, escape hook.Service, identityProxyHeaderKey string, resourceService ResourceService, projectService ProjectService) Authz {
 	return Authz{
 		log:                    log,
 		next:                   next,
 		escape:                 escape,
 		identityProxyHeaderKey: identityProxyHeaderKey,
 		resourceService:        resourceService,
+		projectService:         projectService,
 	}
 }
 
@@ -177,7 +186,7 @@ func (a Authz) ServeHook(res *http.Response, err error) (*http.Response, error)
 		attributes[key] = value
 	}
 
-	resources, err := createResources(attributes)
+	resources, err := a.createResources(res.Request.Context(), attributes)
 	if err != nil {
 		a.log.Error(err.Error())
 		return a.escape.ServeHook(res, fmt.Errorf(err.Error()))
@@ -194,16 +203,25 @@ func (a Authz) ServeHook(res *http.Response, err error) (*http.Response, error)
 	return a.next.ServeHook(res, nil)
 }
 
-func createResources(permissionAttributes map[string]interface{}) ([]resource.Resource, error) {
+func (a Authz) createResources(ctx context.Context, permissionAttributes map[string]interface{}) ([]resource.Resource, error) {
 	var resources []resource.Resource
 	projects, err := getAttributesValues(permissionAttributes["project"])
 	if err != nil {
 		return nil, err
 	}
+	var organizationIds []string
+	var projectIds []string
+	for _, proj := range projects {
+		project, err := a.projectService.Get(ctx, proj)
+		if err != nil {
+			return nil, err
+		}
 
-	orgs, err := getAttributesValues(permissionAttributes["organization"])
-	if err != nil {
-		return nil, err
+		organizationId := project.Organization.ID
+		organizationIds = append(organizationIds, organizationId)
+
+		projectId := project.ID
+		projectIds = append(projectIds, projectId)
 	}
 
 	teams, err := getAttributesValues(permissionAttributes["team"])
@@ -226,12 +244,12 @@ func createResources(permissionAttributes map[string]interface{}) ([]resource.Re
 		return nil, err
 	}
 
-	if len(projects) < 1 || len(orgs) < 1 || len(resourceList) < 1 || (backendNamespace[0] == "") || (resourceType[0] == "") {
-		return nil, fmt.Errorf("namespace, resource type, projects, organizations, resource, and team are required")
+	if len(projects) < 1 || len(organizationIds) < 1 || len(resourceList) < 1 || (backendNamespace[0] == "") || (resourceType[0] == "") {
+		return nil, fmt.Errorf("namespace, resource type, projects, resource, and team are required")
 	}
 
-	for _, org := range orgs {
-		for _, project := range projects {
+	for _, org := range organizationIds {
+		for _, project := range projectIds {
 			for _, res := range resourceList {
 				if len(teams) > 0 {
 					for _, team := range teams {