Add granting user for OnBoardUser command

Author: pdt256

cmd/goauth2/main.go

@@ -123,32 +123,40 @@ func initDB(goauth2App *goauth2.App, store rangedb.Store, goAuth2Host string) er
 		clientSecret = "c1e847aef925467290b4302e64f3de4e"
 	)
 
-	goauth2App.Dispatch(goauth2.OnBoardUser{
-		UserID:   userID,
-		Username: email,
-		Password: password,
-	})
-
-	goauth2App.Dispatch(goauth2.OnBoardUser{
-		UserID:   userID2,
-		Username: email2,
-		Password: password2,
-	})
-
 	ctx := context.Background()
-	_, err := store.Save(ctx, &rangedb.EventRecord{
-		Event: goauth2.UserWasGrantedAdministratorRole{
-			UserID:         userID,
-			GrantingUserID: userID,
+	_, err := store.Save(ctx,
+		&rangedb.EventRecord{
+			Event: goauth2.UserWasOnBoarded{
+				UserID:         userID,
+				Username:       email,
+				PasswordHash:   goauth2.GeneratePasswordHash(password),
+				GrantingUserID: userID,
+			},
+			Metadata: map[string]string{
+				"message": "epoch event",
+			},
 		},
-		Metadata: map[string]string{
-			"message": "epoch event",
+		&rangedb.EventRecord{
+			Event: goauth2.UserWasGrantedAdministratorRole{
+				UserID:         userID,
+				GrantingUserID: userID,
+			},
+			Metadata: map[string]string{
+				"message": "epoch event",
+			},
 		},
-	})
+	)
 	if err != nil {
 		return err
 	}
 
+	goauth2App.Dispatch(goauth2.OnBoardUser{
+		UserID:         userID2,
+		Username:       email2,
+		Password:       password2,
+		GrantingUserID: userID,
+	})
+
 	goauth2App.Dispatch(goauth2.AuthorizeUserToOnBoardClientApplications{
 		UserID:            userID,
 		AuthorizingUserID: userID,

go.mod

@@ -22,5 +22,6 @@ require (
 
 require (
 	github.com/dustin/go-humanize v1.0.0 // indirect
+	github.com/fatih/structtag v1.2.0 // indirect
 	github.com/gorilla/websocket v1.4.2 // indirect
 )

go.sum

@@ -13,6 +13,7 @@ github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymF
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/fatih/structtag v1.2.0 h1:/OdNE99OxoI/PqaW/SuSK9uxxT3f/tcSZgon/ssNSx4=
 github.com/fatih/structtag v1.2.0/go.mod h1:mBJUNpUnHmRKrKlQQlmCrh5PuhftFbNv8Ys4/aAZl94=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=

goauth2_test.go

@@ -27,8 +27,11 @@ const (
 	invalidRedirectURI  = "://invalid-uri"
 	insecureRedirectURI = "http://example.com/oauth2/callback"
 	userID              = "d904f8dbd4684a6591a24c8e67ea4a77"
+	userID2             = "e9de5c5ca4364fcb84ac2efc26382dbf"
 	adminUserID         = "7dd7157576e5426ebf44e387d80f0538"
+	notFoundUserID      = "92338d7f50df48f9b3d0ba4250b12e7a"
 	email               = "[email protected]"
+	email2              = "[email protected]"
 	adminEmail          = "[email protected]"
 	passwordHash        = "$2a$10$U6ej0p2d9Y8OO2635R7l/O4oEBvxgc9o6gCaQ1wjMZ77dr4qGl8nu"
 	password            = "Pass123!"
@@ -48,44 +51,124 @@ var (
 
 func Test_OnBoardUser(t *testing.T) {
 	t.Run("on-boards user", goauth2TestCase().
-		Given().
+		Given(
+			goauth2.UserWasOnBoarded{
+				UserID:         adminUserID,
+				Username:       email,
+				PasswordHash:   passwordHash,
+				GrantingUserID: adminUserID,
+			},
+			goauth2.UserWasGrantedAdministratorRole{
+				UserID:         adminUserID,
+				GrantingUserID: adminUserID,
+			},
+		).
 		When(goauth2.OnBoardUser{
-			UserID:   userID,
-			Username: email,
-			Password: password,
+			UserID:         userID,
+			Username:       email,
+			Password:       password,
+			GrantingUserID: adminUserID,
 		}).
 		ThenInspectEvents(func(t *testing.T, events []rangedb.Event) {
 			require.Equal(t, 1, len(events))
 			event := events[0].(goauth2.UserWasOnBoarded)
 			assert.Equal(t, userID, event.UserID)
 			assert.Equal(t, email, event.Username)
+			assert.Equal(t, adminUserID, event.GrantingUserID)
 			assert.True(t, goauth2.VerifyPassword(event.PasswordHash, password))
 		}))
 
-	t.Run("rejected due to existing user", goauth2TestCase().
-		Given(goauth2.UserWasOnBoarded{
-			UserID:       userID,
-			Username:     email,
-			PasswordHash: passwordHash,
+	t.Run("rejected due to not found administrator", goauth2TestCase().
+		Given().
+		When(goauth2.OnBoardUser{
+			UserID:         userID,
+			Username:       email,
+			Password:       password,
+			GrantingUserID: notFoundUserID,
 		}).
+		Then(goauth2.OnBoardUserWasRejectedDueToNonAdministrator{
+			UserID:         userID,
+			GrantingUserID: notFoundUserID,
+		}))
+
+	t.Run("rejected due to non-administrator", goauth2TestCase().
+		Given(
+			goauth2.UserWasOnBoarded{
+				UserID:         userID,
+				Username:       email,
+				PasswordHash:   passwordHash,
+				GrantingUserID: adminUserID,
+			},
+			goauth2.UserWasOnBoarded{
+				UserID:         userID2,
+				Username:       email2,
+				PasswordHash:   passwordHash,
+				GrantingUserID: adminUserID,
+			},
+		).
 		When(goauth2.OnBoardUser{
-			UserID:   userID,
-			Username: email,
-			Password: password,
+			UserID:         userID,
+			Username:       email,
+			Password:       password,
+			GrantingUserID: userID2,
+		}).
+		Then(goauth2.OnBoardUserWasRejectedDueToNonAdministrator{
+			UserID:         userID,
+			GrantingUserID: userID2,
+		}))
+
+	t.Run("rejected due to existing user", goauth2TestCase().
+		Given(
+			goauth2.UserWasOnBoarded{
+				UserID:         adminUserID,
+				Username:       email,
+				PasswordHash:   passwordHash,
+				GrantingUserID: adminUserID,
+			},
+			goauth2.UserWasGrantedAdministratorRole{
+				UserID:         adminUserID,
+				GrantingUserID: adminUserID,
+			},
+			goauth2.UserWasOnBoarded{
+				UserID:         userID,
+				Username:       email,
+				PasswordHash:   passwordHash,
+				GrantingUserID: adminUserID,
+			},
+		).
+		When(goauth2.OnBoardUser{
+			UserID:         userID,
+			Username:       email,
+			Password:       password,
+			GrantingUserID: adminUserID,
 		}).
 		Then(goauth2.OnBoardUserWasRejectedDueToExistingUser{
-			UserID: userID,
+			UserID:         userID,
+			GrantingUserID: adminUserID,
 		}))
 
 	t.Run("rejected due to insecure password", goauth2TestCase().
-		Given().
+		Given(
+			goauth2.UserWasOnBoarded{
+				UserID:         adminUserID,
+				Username:       email,
+				PasswordHash:   passwordHash,
+				GrantingUserID: adminUserID,
+			},
+			goauth2.UserWasGrantedAdministratorRole{
+				UserID:         adminUserID,
+				GrantingUserID: adminUserID,
+			},
+		).
 		When(goauth2.OnBoardUser{
-			UserID:   userID,
-			Username: email,
-			Password: "password",
+			UserID:         userID,
+			Username:       email,
+			Password:       "password",
+			GrantingUserID: adminUserID,
 		}).
 		Then(goauth2.OnBoardUserWasRejectedDueToInsecurePassword{
-			UserID: userID,
+			UserID:         userID,
+			GrantingUserID: adminUserID,
 		}))
 
 	var logBuffer bytes.Buffer
@@ -94,11 +177,23 @@ func Test_OnBoardUser(t *testing.T) {
 		goauth2.WithStore(rangedbtest.NewFailingEventStore()),
 		goauth2.WithLogger(logger),
 	).
-		Given().
+		Given(
+			goauth2.UserWasOnBoarded{
+				UserID:         adminUserID,
+				Username:       email,
+				PasswordHash:   passwordHash,
+				GrantingUserID: adminUserID,
+			},
+			goauth2.UserWasGrantedAdministratorRole{
+				UserID:         adminUserID,
+				GrantingUserID: adminUserID,
+			},
+		).
 		When(goauth2.OnBoardUser{
-			UserID:   userID,
-			Username: email,
-			Password: password,
+			UserID:         userID,
+			Username:       email,
+			Password:       password,
+			GrantingUserID: adminUserID,
 		}).
 		ThenInspectEvents(func(t *testing.T, events []rangedb.Event) {
 			require.Equal(t, 0, len(events))

projection/users.go

@@ -12,6 +12,7 @@ import (
 type user struct {
 	UserID                      string
 	Username                    string
+	GrantingUserID              string
 	CreateTimestamp             uint64
 	IsAdmin                     bool
 	CanOnboardAdminApplications bool
@@ -38,14 +39,19 @@ func (a *Users) Accept(record *rangedb.Record) {
 		a.users[event.UserID] = &user{
 			UserID:          event.UserID,
 			Username:        event.Username,
+			GrantingUserID:  event.GrantingUserID,
 			CreateTimestamp: record.InsertTimestamp,
 		}
 
 	case *goauth2.UserWasGrantedAdministratorRole:
-		a.users[event.UserID].IsAdmin = true
+		if a.userExists(event.UserID) {
+			a.users[event.UserID].IsAdmin = true
+		}
 
 	case *goauth2.UserWasAuthorizedToOnBoardClientApplications:
-		a.users[event.UserID].CanOnboardAdminApplications = true
+		if a.userExists(event.UserID) {
+			a.users[event.UserID].CanOnboardAdminApplications = true
+		}
 
 	}
 }
@@ -67,3 +73,8 @@ func (a *Users) GetAll() []*user {
 
 	return users
 }
+
+func (a *Users) userExists(userID string) bool {
+	_, ok := a.users[userID]
+	return ok
+}

resource_owner.go

@@ -100,22 +100,25 @@ func (a *resourceOwner) Handle(command Command) {
 func (a *resourceOwner) OnBoardUser(c OnBoardUser) {
 	if a.IsOnBoarded {
 		a.raise(OnBoardUserWasRejectedDueToExistingUser{
-			UserID: c.UserID,
+			UserID:         c.UserID,
+			GrantingUserID: c.GrantingUserID,
 		})
 		return
 	}
 
 	if securepass.IsInsecure(c.Password) {
 		a.raise(OnBoardUserWasRejectedDueToInsecurePassword{
-			UserID: c.UserID,
+			UserID:         c.UserID,
+			GrantingUserID: c.GrantingUserID,
 		})
 		return
 	}
 
 	a.raise(UserWasOnBoarded{
-		UserID:       c.UserID,
-		Username:     c.Username,
-		PasswordHash: GeneratePasswordHash(c.Password),
+		UserID:         c.UserID,
+		Username:       c.Username,
+		PasswordHash:   GeneratePasswordHash(c.Password),
+		GrantingUserID: c.GrantingUserID,
 	})
 }
 

resource_owner_command_authorization.go

@@ -35,6 +35,7 @@ func (a *resourceOwnerCommandAuthorization) CommandTypes() []string {
 		GrantUserAdministratorRole{}.CommandType(),
 		AuthorizeUserToOnBoardClientApplications{}.CommandType(),
 		OnBoardClientApplication{}.CommandType(),
+		OnBoardUser{}.CommandType(),
 	}
 }
 
@@ -50,6 +51,9 @@ func (a *resourceOwnerCommandAuthorization) Handle(command Command) bool {
 	case OnBoardClientApplication:
 		return a.OnBoardClientApplication(c)
 
+	case OnBoardUser:
+		return a.OnBoardUser(c)
+
 	}
 
 	return true
@@ -121,6 +125,28 @@ func (a *resourceOwnerCommandAuthorization) OnBoardClientApplication(c OnBoardCl
 	return true
 }
 
+func (a *resourceOwnerCommandAuthorization) OnBoardUser(c OnBoardUser) bool {
+	resourceOwner := a.loadResourceOwnerAggregate(c.GrantingUserID)
+
+	if !resourceOwner.IsOnBoarded {
+		a.raise(OnBoardUserWasRejectedDueToNonAdministrator{
+			UserID:         c.UserID,
+			GrantingUserID: c.GrantingUserID,
+		})
+		return false
+	}
+
+	if !resourceOwner.IsAdministrator {
+		a.raise(OnBoardUserWasRejectedDueToNonAdministrator{
+			UserID:         c.UserID,
+			GrantingUserID: c.GrantingUserID,
+		})
+		return false
+	}
+
+	return true
+}
+
 func (a *resourceOwnerCommandAuthorization) raise(events ...rangedb.Event) {
 	a.pendingEvents = append(a.pendingEvents, events...)
 }

resource_owner_commands.go

@@ -3,9 +3,10 @@ package goauth2
 //go:generate go run github.com/inklabs/rangedb/gen/commandgenerator -id UserID -aggregateType resource-owner
 
 type OnBoardUser struct {
-	UserID   string `json:"userID"`
-	Username string `json:"username"`
-	Password string `json:"password"`
+	UserID         string `json:"userID"`
+	Username       string `json:"username"`
+	Password       string `json:"password"`
+	GrantingUserID string `json:"grantingUserID"`
 }
 type GrantUserAdministratorRole struct {
 	UserID         string `json:"userID"`