feat(notifications): add authorization before sending notification (#465)

## 📝 Description

renderedtext/project-tasks#2659

## ✅ Checklist
- [x] I have tested this change
- [ ] This change requires documentation update

Author: VeljkoMaksimovic

front/lib/front/models/notification.ex

@@ -58,7 +58,7 @@ defmodule Front.Models.Notification do
 
   def create(user_id, org_id, notification_data, _metadata \\ nil) do
     Watchman.benchmark("notifications.create_notification_request.duration", fn ->
-      notification = construct_notification(notification_data)
+      notification = construct_notification(notification_data, user_id)
 
       {:ok, channel} = GRPC.Stub.connect(api_endpoint())
 
@@ -90,7 +90,7 @@ defmodule Front.Models.Notification do
 
   def update(user_id, org_id, notification_data) do
     Watchman.benchmark("notifications.update_notification_request.duration", fn ->
-      notification = construct_notification(notification_data)
+      notification = construct_notification(notification_data, user_id)
 
       {:ok, channel} = GRPC.Stub.connect(api_endpoint())
 
@@ -110,13 +110,13 @@ defmodule Front.Models.Notification do
     end)
   end
 
-  def construct_notification(data) do
+  def construct_notification(data, creator_id) do
     rules =
       data.rules
       |> Enum.map(&construct_rule(&1))
 
     PublicApi.Notification.new(
-      metadata: PublicApi.Notification.Metadata.new(name: data.name),
+      metadata: PublicApi.Notification.Metadata.new(name: data.name, creator_id: creator_id),
       spec: PublicApi.Notification.Spec.new(rules: rules)
     )
   end

front/lib/public_api/semaphore/notifications.v1alpha.pb.ex

@@ -22,14 +22,16 @@ defmodule Semaphore.Notifications.V1alpha.Notification.Metadata do
           name: String.t(),
           id: String.t(),
           create_time: integer,
-          update_time: integer
+          update_time: integer,
+          creator_id: String.t()
         }
-  defstruct [:name, :id, :create_time, :update_time]
+  defstruct [:name, :id, :create_time, :update_time, :creator_id]
 
   field(:name, 1, type: :string)
   field(:id, 2, type: :string)
   field(:create_time, 3, type: :int64)
   field(:update_time, 4, type: :int64)
+  field(:creator_id, 5, type: :string)
 end
 
 defmodule Semaphore.Notifications.V1alpha.Notification.Spec do

notifications/config/config.exs

@@ -13,9 +13,6 @@ config :logger, :console,
 
 import_config "_silent_lager.exs"
 
-config :notifications, rbac_endpoint: "localhost:50052"
-config :notifications, secrethub_endpoint: "localhost:50052" # sobelow_skip ["Config.Secrets"]
-
 config :notifications, ecto_repos: [Notifications.Repo]
 
 import_config "#{config_env()}.exs"

notifications/config/test.exs

@@ -8,4 +8,12 @@ config :junit_formatter,
   include_filename?: true,
   include_file_line?: true
 
+config :notifications, rbac_endpoint: "localhost:50052"
+config :notifications, secrethub_endpoint: "localhost:50052" # sobelow_skip ["Config.Secrets"]
+config :notifications, pipeline_endpoint: "localhost:50052" # sobelow_skip ["Config.Secrets"]
+config :notifications, projecthub_endpoint: "localhost:50052" # sobelow_skip ["Config.Secrets"]
+config :notifications, repo_proxy_endpoint: "localhost:50052" # sobelow_skip ["Config.Secrets"]
+config :notifications, workflow_endpoint: "localhost:50052" # sobelow_skip ["Config.Secrets"]
+config :notifications, organization_endpoint: "localhost:50052" # sobelow_skip ["Config.Secrets"]
+
 config :notifications, Notifications.Repo, pool: Ecto.Adapters.SQL.Sandbox

notifications/lib/notifications/api/internal_api/create.ex

@@ -9,9 +9,10 @@ defmodule Notifications.Api.InternalApi.Create do
 
   def run(req) do
     org_id = req.metadata.org_id
+    creator_id = req.metadata.user_id
 
-    with {:ok, :valid} <- Validator.validate(req.notification),
-         {:ok, n} <- create_notification(org_id, req.notification) do
+    with {:ok, :valid} <- Validator.validate(req.notification, creator_id),
+         {:ok, n} <- create_notification(org_id, creator_id, req.notification) do
       %CreateResponse{notification: Serialization.serialize(n)}
     else
       {:error, :invalid_argument, message} ->
@@ -27,12 +28,13 @@ defmodule Notifications.Api.InternalApi.Create do
     end
   end
 
-  defp create_notification(org_id, notification) do
+  defp create_notification(org_id, creator_id, notification) do
     Repo.transaction(fn ->
       n =
         Models.Notification.new(
           org_id,
           notification.name,
+          creator_id,
           Notifications.Util.Transforms.encode_spec(%{rules: notification.rules})
         )
 

notifications/lib/notifications/api/internal_api/update.ex

@@ -9,10 +9,11 @@ defmodule Notifications.Api.InternalApi.Update do
 
   def run(req) do
     org_id = req.metadata.org_id
+    updater_id = req.metadata.user_id
 
-    with {:ok, :valid} <- Validator.validate(req.notification),
+    with {:ok, :valid} <- Validator.validate(req.notification, updater_id),
          {:ok, n} <- find_by_id_or_name(org_id, req.id, req.name),
-         {:ok, n} <- update_notification(n, req.notification) do
+         {:ok, n} <- update_notification(n, updater_id, req.notification) do
       %UpdateResponse{notification: Serialization.serialize(n)}
     else
       {:error, :invalid_argument, message} ->
@@ -37,11 +38,12 @@ defmodule Notifications.Api.InternalApi.Update do
   # notification: existing row from database
   # apiresource: new notification from the API call that needs to be applied
   #
-  defp update_notification(notification, apiresource) do
+  defp update_notification(notification, updater_id, apiresource) do
     Repo.transaction(fn ->
       changes =
         Model.changeset(notification, %{
           name: apiresource.name,
+          creator_id: updater_id,
           spec: Notifications.Util.Transforms.encode_spec(%{rules: apiresource.rules})
         })
 

notifications/lib/notifications/api/public_api/create.ex

@@ -12,8 +12,8 @@ defmodule Notifications.Api.PublicApi.Create do
     Logger.info("#{inspect(org_id)} #{inspect(user_id)} #{name}")
 
     with {:ok, :authorized} <- Auth.can_manage?(user_id, org_id),
-         {:ok, :valid} <- Validator.validate(notification),
-         {:ok, n} <- create_notification(org_id, notification) do
+         {:ok, :valid} <- Validator.validate(notification, user_id),
+         {:ok, n} <- create_notification(org_id, user_id, notification) do
       Serialization.serialize(n)
     else
       {:error, :permission_denied} ->
@@ -34,12 +34,13 @@ defmodule Notifications.Api.PublicApi.Create do
     end
   end
 
-  def create_notification(org_id, notification) do
+  def create_notification(org_id, creator_id, notification) do
     Repo.transaction(fn ->
       n =
         Models.Notification.new(
           org_id,
           notification.metadata.name,
+          creator_id,
           Notifications.Util.Transforms.encode_spec(notification.spec)
         )
 

notifications/lib/notifications/api/public_api/update.ex

@@ -12,9 +12,9 @@ defmodule Notifications.Api.PublicApi.Update do
     Logger.info("#{inspect(org_id)} #{inspect(user_id)} #{name_or_id}")
 
     with {:ok, :authorized} <- Auth.can_manage?(user_id, org_id),
-         {:ok, :valid} <- Validator.validate(req.notification),
+         {:ok, :valid} <- Validator.validate(req.notification, user_id),
          {:ok, n} <- Model.find_by_id_or_name(org_id, name_or_id),
-         {:ok, n} <- update_notification(n, req.notification) do
+         {:ok, n} <- update_notification(n, user_id, req.notification) do
       Serialization.serialize(n)
     else
       {:error, :permission_denied} ->
@@ -44,11 +44,12 @@ defmodule Notifications.Api.PublicApi.Update do
   # notification: existing row from database
   # apiresource: new notification from the API call that needs to be applied
   #
-  def update_notification(notification, apiresource) do
+  def update_notification(notification, creator_id, apiresource) do
     Repo.transaction(fn ->
       changes =
         Model.changeset(notification, %{
           name: apiresource.metadata.name,
+          creator_id: creator_id,
           spec: Notifications.Util.Transforms.encode_spec(apiresource.spec)
         })
 

notifications/lib/notifications/auth.ex

@@ -12,8 +12,14 @@ defmodule Notifications.Auth do
     authorize(user_id, org_id, "organization.notifications.manage")
   end
 
-  defp authorize(user_id, org_id, permission) do
-    req = Request.new(user_id: user_id, org_id: org_id)
+  def can_view_project?(user_id, org_id, project_id) do
+    authorize(user_id, org_id, project_id, "project.view")
+  end
+
+  defp authorize(user_id, org_id, permission), do: authorize(user_id, org_id, "", permission)
+
+  defp authorize(user_id, org_id, project_id, permission) do
+    req = Request.new(user_id: user_id, org_id: org_id, project_id: project_id)
     endpoint = Application.fetch_env!(:notifications, :rbac_endpoint)
     {:ok, channel} = GRPC.Stub.connect(endpoint)
 

notifications/lib/notifications/models/notification.ex

@@ -12,16 +12,18 @@ defmodule Notifications.Models.Notification do
     has_many(:rules, Notifications.Models.Rule, on_delete: :delete_all)
 
     field(:org_id, :binary_id)
+    field(:creator_id, :binary_id)
     field(:name, :string)
     field(:spec, :map)
 
     timestamps()
   end
 
-  def new(org_id, name, spec) do
+  def new(org_id, name, creator_id, spec) do
     %__MODULE__{}
     |> changeset(%{
       org_id: org_id,
+      creator_id: creator_id,
       name: name,
       spec: spec
     })
@@ -78,8 +80,8 @@ defmodule Notifications.Models.Notification do
 
   def changeset(notification, params \\ %{}) do
     notification
-    |> cast(params, [:org_id, :name, :spec])
-    |> validate_required([:org_id, :name, :spec])
+    |> cast(params, [:org_id, :creator_id, :name, :spec])
+    |> validate_required([:org_id, :creator_id, :name, :spec])
     |> valid_name_format(params)
     |> unique_constraint(
       :unique_names,