[WIP] Concept for whoami server and improved admin check

actions/fetch.go

@@ -268,12 +268,24 @@ func fetchCheckFeed(ctx context.Context, feedId string) (*model.Feed, error) {
 	feed := feeds[0]
 
 	// Check feed permissions
+	if whoami := cfg.Whoami; whoami == nil {
+		// Not ok
+	} else if me, err := whoami.Me(ctx, &authz.MeRequest{}); err != nil {
+		// Not ok
+	} else if me.IsGlobalAdmin {
+		// OK
+		return feed, nil
+	}
+
 	if checker := cfg.Checker; checker == nil {
-		// pass
+		// Not ok
 	} else if check, err := checker.FeedPermissions(ctx, &authz.FeedRequest{Id: int64(feed.ID)}); err != nil {
-		return nil, err
-	} else if !check.Actions.CanCreateFeedVersion {
-		return nil, errors.New("unauthorized")
+		// Not ok
+	} else if check.Actions.CanCreateFeedVersion {
+		// OK
+		return feed, nil
 	}
-	return feed, nil
+
+	// Failed
+	return nil, authz.ErrUnauthorized
 }

actions/fetch_test.go

@@ -111,7 +111,6 @@ func TestStaticFetchWorker(t *testing.T) {
 			// Setup job
 			feedUrl := ts.URL + "/" + tc.serveFile
 			testconfig.ConfigTxRollback(t, testconfig.Options{}, func(cfg model.Config) {
-				cfg.Checker = nil // disable checker for this test
 				ctx := model.WithConfig(context.Background(), cfg)
 				// Run job
 				if result, err := StaticFetch(ctx, tc.feedId, nil, feedUrl); err != nil && !tc.expectError {

cmd/tlserver/server_cmd.go

@@ -21,6 +21,7 @@ import (
 	"github.com/interline-io/transitland-lib/tldb"
 	"github.com/interline-io/transitland-mw/auth/ancheck"
 	"github.com/interline-io/transitland-mw/auth/authn"
+	"github.com/interline-io/transitland-mw/auth/azcheck"
 	"github.com/interline-io/transitland-server/finders/dbfinder"
 	"github.com/interline-io/transitland-server/finders/gbfsfinder"
 	"github.com/interline-io/transitland-server/finders/rtfinder"
@@ -127,11 +128,15 @@ func (cmd *Command) Run() error {
 		gbfsFinder = gbfsfinder.NewFinder(nil)
 	}
 
+	// Create default Whoami checker
+	whoami := &azcheck.Whoami{}
+
 	// Setup config
 	cfg := model.Config{
 		Finder:             dbFinder,
 		RTFinder:           rtFinder,
 		GbfsFinder:         gbfsFinder,
+		Whoami:             whoami,
 		Secrets:            cmd.secrets,
 		Storage:            cmd.Storage,
 		RTStorage:          cmd.RTStorage,
@@ -152,7 +157,7 @@ func (cmd *Command) Run() error {
 	root.Use(model.AddConfig(cfg))
 
 	// This server only supports admin access
-	root.Use(ancheck.AdminDefaultMiddleware("admin"))
+	root.Use(ancheck.AdminDefaultMiddleware(azcheck.GLOBALADMIN_ROLE))
 
 	// Add logging middleware - must be after auth
 	root.Use(log.LoggingMiddleware(cmd.LongQueryDuration, func(ctx context.Context) string {

finders/dbfinder/agency_select.go

@@ -122,6 +122,7 @@ func AgencySelect(limit *int, after *model.Cursor, ids []int, active bool, permF
 		Join("feed_states fsp on fsp.feed_id = current_feeds.id").
 		Where(sq.Or{
 			sq.Expr("fsp.public = true"),
+			sq.Eq{"true": permFilter.IsGlobalAdmin()},
 			sq.Eq{"fsp.feed_id": permFilter.GetAllowedFeeds()},
 			sq.Eq{"feed_versions.id": permFilter.GetAllowedFeedVersions()},
 		})

finders/dbfinder/entity_mutations.go

@@ -327,12 +327,26 @@ func checkFeedEdit(ctx context.Context, fvid int) error {
 		return errors.New("invalid feed version id")
 	}
 	cfg := model.ForContext(ctx)
-	if checker := cfg.Checker; checker == nil {
+
+	// Check feed permissions
+	if whoami := cfg.Whoami; whoami == nil {
+		// Not ok
+	} else if me, err := whoami.Me(ctx, &authz.MeRequest{}); err != nil {
+		// Not ok
+	} else if me.IsGlobalAdmin {
+		// OK
 		return nil
+	}
+
+	if checker := cfg.Checker; checker == nil {
+		// Not ok
 	} else if check, err := checker.FeedVersionPermissions(ctx, &authz.FeedVersionRequest{Id: int64(fvid)}); err != nil {
-		return err
-	} else if !check.Actions.CanEdit {
-		return authz.ErrUnauthorized
+		// Not ok
+	} else if check.Actions.CanEdit {
+		// OK
+		return nil
 	}
-	return nil
+
+	// Failed
+	return authz.ErrUnauthorized
 }

finders/dbfinder/feed_select.go

@@ -138,6 +138,7 @@ func FeedSelect(limit *int, after *model.Cursor, ids []int, permFilter *model.Pe
 		Join("feed_states fsp on fsp.feed_id = current_feeds.id").
 		Where(sq.Or{
 			sq.Expr("fsp.public = true"),
+			sq.Eq{"true": permFilter.IsGlobalAdmin()},
 			sq.Eq{"fsp.feed_id": permFilter.GetAllowedFeeds()},
 		})
 

finders/dbfinder/feed_version_select.go

@@ -149,6 +149,7 @@ func FeedVersionSelect(limit *int, after *model.Cursor, ids []int, permFilter *m
 		Join("feed_states fsp on fsp.feed_id = current_feeds.id").
 		Where(sq.Or{
 			sq.Expr("fsp.public = true"),
+			sq.Eq{"true": permFilter.IsGlobalAdmin()},
 			sq.Eq{"fsp.feed_id": permFilter.GetAllowedFeeds()},
 			sq.Eq{"feed_versions.id": permFilter.GetAllowedFeedVersions()},
 		})

finders/dbfinder/finder.go

@@ -45,7 +45,10 @@ func (f *Finder) LoadAdmins() error {
 }
 
 func (f *Finder) PermFilter(ctx context.Context) *model.PermFilter {
-	permFilter, _ := checkActive(ctx)
+	permFilter, err := checkActive(ctx)
+	if err != nil {
+		log.Error().Err(err).Msg("failed to get permissions filter for context")
+	}
 	return permFilter
 }
 
@@ -1843,36 +1846,35 @@ func convertEnts[A any, B any](vals [][]A, fn func(a A) B) [][]B {
 	return ret
 }
 
-type canCheckGlobalAdmin interface {
-	CheckGlobalAdmin(context.Context) (bool, error)
-}
-
 func checkActive(ctx context.Context) (*model.PermFilter, error) {
-	checker := model.ForContext(ctx).Checker
 	active := &model.PermFilter{}
-	if checker == nil {
+
+	// Check if we are a global admin
+	whoami := model.ForContext(ctx).Whoami
+	if whoami == nil {
 		return active, nil
 	}
-
-	// TODO: Make this part of actual checker interface
-	if c, ok := checker.(canCheckGlobalAdmin); ok {
-		if a, err := c.CheckGlobalAdmin(ctx); err != nil {
-			return nil, err
-		} else if a {
-			return nil, nil
-		}
+	me, err := whoami.Me(ctx, &authz.MeRequest{})
+	if err != nil {
+		return active, err
 	}
+	active.GlobalAdmin = me.IsGlobalAdmin
 
+	// Check for additional permissions
+	checker := model.ForContext(ctx).Checker
+	if checker == nil {
+		return active, nil
+	}
 	okFeeds, err := checker.FeedList(ctx, &authz.FeedListRequest{})
 	if err != nil {
-		return nil, err
+		return active, err
 	}
 	for _, feed := range okFeeds.Feeds {
 		active.AllowedFeeds = append(active.AllowedFeeds, int(feed.Id))
 	}
 	okFvids, err := checker.FeedVersionList(ctx, &authz.FeedVersionListRequest{})
 	if err != nil {
-		return nil, err
+		return active, err
 	}
 	for _, fv := range okFvids.FeedVersions {
 		active.AllowedFeedVersions = append(active.AllowedFeedVersions, int(fv.Id))

finders/dbfinder/operator_select.go

@@ -135,6 +135,7 @@ func OperatorSelect(limit *int, after *model.Cursor, ids []int, permFilter *mode
 		Join("feed_states fsp on fsp.feed_id = coif.feed_id").
 		Where(sq.Or{
 			sq.Expr("fsp.public = true"),
+			sq.Eq{"true": permFilter.IsGlobalAdmin()},
 			sq.Eq{"fsp.feed_id": permFilter.GetAllowedFeeds()},
 		})
 

finders/dbfinder/pathway_select.go

@@ -46,6 +46,7 @@ func PathwaySelect(limit *int, after *model.Cursor, ids []int, permFilter *model
 		Join("feed_states fsp on fsp.feed_id = current_feeds.id").
 		Where(sq.Or{
 			sq.Expr("fsp.public = true"),
+			sq.Eq{"true": permFilter.IsGlobalAdmin()},
 			sq.Eq{"fsp.feed_id": permFilter.GetAllowedFeeds()},
 			sq.Eq{"feed_versions.id": permFilter.GetAllowedFeedVersions()},
 		})

finders/dbfinder/place_select.go

@@ -56,6 +56,7 @@ func PlaceSelect(limit *int, after *model.Cursor, ids []int, level *model.PlaceA
 	q = q.
 		Where(sq.Or{
 			sq.Expr("feed_states.public = true"),
+			sq.Eq{"true": permFilter.IsGlobalAdmin()},
 			sq.Eq{"feed_states.feed_id": permFilter.GetAllowedFeeds()},
 			sq.Eq{"feed_states.feed_version_id": permFilter.GetAllowedFeedVersions()},
 		})

finders/dbfinder/route_select.go

@@ -149,6 +149,7 @@ func RouteSelect(limit *int, after *model.Cursor, ids []int, active bool, permFi
 		Join("feed_states fsp on fsp.feed_id = current_feeds.id").
 		Where(sq.Or{
 			sq.Expr("fsp.public = true"),
+			sq.Eq{"true": permFilter.IsGlobalAdmin()},
 			sq.Eq{"fsp.feed_id": permFilter.GetAllowedFeeds()},
 			sq.Eq{"feed_versions.id": permFilter.GetAllowedFeedVersions()},
 		})

finders/dbfinder/stop_select.go

@@ -184,6 +184,7 @@ func StopSelect(limit *int, after *model.Cursor, ids []int, active bool, permFil
 		Join("feed_states fsp on fsp.feed_id = current_feeds.id").
 		Where(sq.Or{
 			sq.Expr("fsp.public = true"),
+			sq.Eq{"true": permFilter.IsGlobalAdmin()},
 			sq.Eq{"fsp.feed_id": permFilter.GetAllowedFeeds()},
 			sq.Eq{"feed_versions.id": permFilter.GetAllowedFeedVersions()},
 		})

finders/dbfinder/trip_select.go

@@ -106,6 +106,7 @@ func TripSelect(limit *int, after *model.Cursor, ids []int, active bool, permFil
 		Join("feed_states fsp on fsp.feed_id = current_feeds.id").
 		Where(sq.Or{
 			sq.Expr("fsp.public = true"),
+			sq.Eq{"true": permFilter.IsGlobalAdmin()},
 			sq.Eq{"fsp.feed_id": permFilter.GetAllowedFeeds()},
 			sq.Eq{"feed_versions.id": permFilter.GetAllowedFeedVersions()},
 		})

go.mod

@@ -121,6 +121,6 @@ require (
 )
 
 // replace github.com/interline-io/transitland-lib => /Users/irees/src/interline-io/transitland-lib
-// replace github.com/interline-io/transitland-mw => /Users/irees/src/interline-io/transitland-mw
+replace github.com/interline-io/transitland-mw => /Users/irees/src/interline-io/transitland-mw
 // replace github.com/interline-io/log => /Users/irees/src/interline-io/log
 // replace github.com/interline-io/transitland-dbutil => /Users/irees/src/interline-io/transitland-dbutil

internal/testconfig/testconfig.go

@@ -92,16 +92,21 @@ func newTestConfig(t testing.TB, db sqlx.Ext, opts Options) model.Config {
 
 	// Setup Checker
 	var checker model.Checker
+	var whoami model.Whoami
 	if opts.FGAEndpoint != "" {
 		checkerCfg := azcheck.CheckerConfig{
 			FGAEndpoint:      opts.FGAEndpoint,
 			FGALoadModelFile: opts.FGAModelFile,
 			FGALoadTestData:  opts.FGAModelTuples,
 		}
-		checker, err = azcheck.NewCheckerFromConfig(checkerCfg, db)
+		ch, err := azcheck.NewCheckerFromConfig(checkerCfg, db)
 		if err != nil {
 			t.Fatal(err)
 		}
+		checker = ch
+		whoami = ch
+	} else {
+		whoami = &azcheck.Whoami{}
 	}
 
 	// Setup DB
@@ -144,6 +149,7 @@ func newTestConfig(t testing.TB, db sqlx.Ext, opts Options) model.Config {
 		Finder:     dbf,
 		RTFinder:   rtf,
 		GbfsFinder: gbf,
+		Whoami:     whoami,
 		Checker:    checker,
 		JobQueue:   jobQueue,
 		Clock:      cl,

model/config.go

@@ -13,6 +13,7 @@ type Config struct {
 	Finder             Finder
 	RTFinder           RTFinder
 	GbfsFinder         GbfsFinder
+	Whoami             Whoami
 	Checker            Checker
 	JobQueue           jobs.JobQueue
 	Clock              clock.Clock

model/cursor.go

@@ -13,6 +13,7 @@ import (
 type PermFilter struct {
 	AllowedFeeds        []int
 	AllowedFeedVersions []int
+	GlobalAdmin         bool
 }
 
 func (pf *PermFilter) GetAllowedFeeds() []int {
@@ -29,6 +30,13 @@ func (pf *PermFilter) GetAllowedFeedVersions() []int {
 	return pf.AllowedFeedVersions
 }
 
+func (pf *PermFilter) IsGlobalAdmin() bool {
+	if pf == nil {
+		return false
+	}
+	return pf.GlobalAdmin
+}
+
 type Cursor struct {
 	FeedVersionID int
 	ID            int

model/finders.go

@@ -154,3 +154,7 @@ type GbfsFinder interface {
 type Checker interface {
 	authz.CheckerServer
 }
+
+type Whoami interface {
+	authz.WhoamiServer
+}

server/gql/query_resolver.go

@@ -20,9 +20,9 @@ func (r *queryResolver) Me(ctx context.Context) (*model.Me, error) {
 	cfg := model.ForContext(ctx)
 	me := model.Me{}
 	me.ExternalData = tt.NewMap(map[string]any{})
-	if checker := cfg.Checker; checker != nil {
-		// Use checker if available
-		cm, err := checker.Me(ctx, &authz.MeRequest{})
+	if whoami := cfg.Whoami; whoami != nil {
+		// Use whoami checker if available
+		cm, err := whoami.Me(ctx, &authz.MeRequest{})
 		if err != nil {
 			return nil, err
 		}