From f2c09dc2dc2528c75fcf5b80aa4b530a0b5eef08 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Thu, 27 Apr 2023 06:33:34 +0300
Subject: auth: Retrieve `system:*` privileges from resource roles

With the assignment of `system:*` privileges to roles, we need to check for
their existence when doing authorisation.

This commit provides a hack for that, seeing as user groups (and the system
itself) are not treated as resources, and therefore the way to fetch the
privileges is not entirely consistent.
---
 gn3/auth/authorisation/checks.py | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/gn3/auth/authorisation/checks.py b/gn3/auth/authorisation/checks.py
index 9b0af5f..0825c84 100644
--- a/gn3/auth/authorisation/checks.py
+++ b/gn3/auth/authorisation/checks.py
@@ -11,6 +11,25 @@ from .errors import AuthorisationError
 
 from ..authentication.oauth2.resource_server import require_oauth
 
+def __system_privileges_in_roles__(conn, user):
+    """
+    This really is a hack since groups are not treated as resources at the
+    moment of writing this.
+
+    We need a way of allowing the user to have the system:group:* privileges.
+    """
+    query = (
+        "SELECT DISTINCT p.* FROM users AS u "
+        "INNER JOIN group_user_roles_on_resources AS guror "
+        "ON u.user_id=guror.user_id "
+        "INNER JOIN roles AS r ON guror.role_id=r.role_id "
+        "INNER JOIN role_privileges AS rp ON r.role_id=rp.role_id "
+        "INNER JOIN privileges AS p ON rp.privilege_id=p.privilege_id "
+        "WHERE u.user_id=? AND p.privilege_id LIKE 'system:%'")
+    with db.cursor(conn) as cursor:
+        cursor.execute(query, (str(user.user_id),))
+        return (row["privilege_id"] for row in cursor.fetchall())
+
 def authorised_p(
         privileges: tuple[str, ...],
         error_description: str = (
@@ -28,7 +47,9 @@ def authorised_p(
                     with db.connection(app.config["AUTH_DB"]) as conn:
                         user_privileges = tuple(
                             priv.privilege_id for priv in
-                            auth_privs.user_privileges(conn, the_user))
+                            auth_privs.user_privileges(conn, the_user)) + tuple(
+                                priv_id for priv_id in
+                                __system_privileges_in_roles__(conn, the_user))
 
                     not_assigned = [
                         priv for priv in privileges if priv not in user_privileges]
-- 
cgit v1.2.3