diff --git a/prism-agent/service/server/src/main/scala/io/iohk/atala/iam/authorization/core/EntityPermissionManagementService.scala b/prism-agent/service/server/src/main/scala/io/iohk/atala/iam/authorization/core/EntityPermissionManagementService.scala
index 978cb42476..e2a8d9a68a 100644
--- a/prism-agent/service/server/src/main/scala/io/iohk/atala/iam/authorization/core/EntityPermissionManagementService.scala
+++ b/prism-agent/service/server/src/main/scala/io/iohk/atala/iam/authorization/core/EntityPermissionManagementService.scala
@@ -2,7 +2,6 @@ package io.iohk.atala.iam.authorization.core
 
 import io.iohk.atala.agent.walletapi.model.Entity
 import io.iohk.atala.agent.walletapi.service.EntityService
-import io.iohk.atala.agent.walletapi.service.WalletManagementService
 import io.iohk.atala.iam.authorization.core.PermissionManagement.Error
 import io.iohk.atala.iam.authorization.core.PermissionManagement.Error.ServiceError
 import io.iohk.atala.iam.authorization.core.PermissionManagement.Error.WalletNotFoundById
@@ -12,15 +11,13 @@ import zio.*
 
 import scala.language.implicitConversions
 
-class EntityPermissionManagementService(entityService: EntityService, walletManagementService: WalletManagementService)
-    extends PermissionManagement.Service[Entity] {
+class EntityPermissionManagementService(entityService: EntityService) extends PermissionManagement.Service[Entity] {
 
   override def grantWalletToUser(walletId: WalletId, entity: Entity): ZIO[WalletAdministrationContext, Error, Unit] = {
     for {
-      _ <- walletManagementService
-        .getWallet(walletId)
-        .mapError(wmse => ServiceError(wmse.toThrowable.getMessage))
-        .someOrFail(WalletNotFoundById(walletId))
+      _ <- ZIO
+        .serviceWith[WalletAdministrationContext](_.isAuthorized(walletId))
+        .filterOrFail(identity)(Error.WalletNotFoundById(walletId))
       _ <- entityService.assignWallet(entity.id, walletId.toUUID).mapError[Error](e => e)
     } yield ()
   }
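Review bot: The new `_ <- ZIO.serviceWith[WalletAdministrationContext](_.isAuthorized(walletId))` line in grantWalletToUser is an authorization check only and no longer establishes that the wallet exists: for an `Admin()` context `isAuthorized` is unconditionally true, so an unknown `walletId` now reaches `entityService.assignWallet` directly, whereas the removed `getWallet(...).someOrFail(...)` rejected it first. That is fine only if `assignWallet` itself fails on an unknown wallet (the `EntityWalletNotFound` → `WalletNotFoundById` mapping in PermissionManagement suggests it does) — confirm it and record the intent with `// authorization only; wallet existence is enforced by assignWallet`. Failing an unauthorized caller with `WalletNotFoundById` rather than a distinct forbidden error keeps wallet ids unenumerable, which is worth stating in the method's Scaladoc. After this change the unqualified imports of `ServiceError` and `WalletNotFoundById` appear unused in the visible code, since the new lines spell `Error.WalletNotFoundById`; drop them or use the imported names consistently so unused-import warnings do not break a fatal-warnings build.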
@@ -29,14 +26,16 @@ class EntityPermissionManagementService(entityService: EntityService, walletMana
     ZIO.fail(Error.ServiceError(s"Revoking wallet permission for an Entity is not yet supported."))
 
   override def listWalletPermissions(entity: Entity): ZIO[WalletAdministrationContext, Error, Seq[WalletId]] = {
-    walletManagementService
-      .getWallet(WalletId.fromUUID(entity.walletId))
-      .mapBoth(e => e, _.toSeq.map(_.id))
+    val walletId = WalletId.fromUUID(entity.walletId)
+    ZIO
+      .serviceWith[WalletAdministrationContext](_.isAuthorized(walletId))
+      .filterOrFail(identity)(Error.WalletNotFoundById(walletId))
+      .as(Seq(walletId))
   }
 }
 
 object EntityPermissionManagementService {
-  val layer: URLayer[EntityService & WalletManagementService, PermissionManagement.Service[Entity]] =
-    ZLayer.fromFunction(EntityPermissionManagementService(_, _))
+  val layer: URLayer[EntityService, PermissionManagement.Service[Entity]] =
+    ZLayer.fromFunction(EntityPermissionManagementService(_))
 }
 
diff --git a/prism-agent/service/server/src/main/scala/io/iohk/atala/iam/authorization/core/PermissionManagement.scala b/prism-agent/service/server/src/main/scala/io/iohk/atala/iam/authorization/core/PermissionManagement.scala
index bd33e0c3af..977b418522 100644
--- a/prism-agent/service/server/src/main/scala/io/iohk/atala/iam/authorization/core/PermissionManagement.scala
+++ b/prism-agent/service/server/src/main/scala/io/iohk/atala/iam/authorization/core/PermissionManagement.scala
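Review bot: listWalletPermissions changes its contract on the `.filterOrFail(identity)(Error.WalletNotFoundById(walletId))` line: a caller not authorized for the entity's wallet now gets a `WalletNotFoundById` failure, whereas the removed `getWallet(...).mapBoth(e => e, _.toSeq.map(_.id))` returned an empty `Seq` (`None.toSeq`) in that case, so any caller that read an empty list as "no permissions" will now see an error. If the old contract is wanted, the whole body reduces to `ZIO.serviceWith[WalletAdministrationContext](ctx => if ctx.isAuthorized(walletId) then Seq(walletId) else Seq.empty)`. The result is now derived from `entity.walletId` alone rather than from storage, so it no longer confirms the wallet exists; either way the method needs a Scaladoc stating which of the two behaviours is intended and that the list is at most the entity's own wallet.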
@@ -6,7 +6,6 @@ import io.iohk.atala.agent.walletapi.model.error.EntityServiceError.EntityAlread
 import io.iohk.atala.agent.walletapi.model.error.EntityServiceError.EntityNotFound
 import io.iohk.atala.agent.walletapi.model.error.EntityServiceError.EntityStorageError
 import io.iohk.atala.agent.walletapi.model.error.EntityServiceError.EntityWalletNotFound
-import io.iohk.atala.agent.walletapi.service.WalletManagementServiceError
 import io.iohk.atala.shared.models.WalletAdministrationContext
 import io.iohk.atala.shared.models.WalletId
 import zio.*
@@ -47,7 +46,5 @@ object PermissionManagement {
       case e: EntityStorageError => UnexpectedError(Exception(s"Entity storage error: ${e.message}"))
       case e: EntityWalletNotFound => WalletNotFoundById(WalletId.fromUUID(e.walletId))
     }
-
-    given Conversion[WalletManagementServiceError, Error] = { e => UnexpectedError(e.toThrowable) }
   }
 }
diff --git a/prism-agent/service/wallet-api/src/main/scala/io/iohk/atala/agent/walletapi/service/WalletManagementServiceImpl.scala b/prism-agent/service/wallet-api/src/main/scala/io/iohk/atala/agent/walletapi/service/WalletManagementServiceImpl.scala
index 2ec3ab35f4..94858f11e4 100644
--- a/prism-agent/service/wallet-api/src/main/scala/io/iohk/atala/agent/walletapi/service/WalletManagementServiceImpl.scala
+++ b/prism-agent/service/wallet-api/src/main/scala/io/iohk/atala/agent/walletapi/service/WalletManagementServiceImpl.scala
@@ -51,19 +51,10 @@ class WalletManagementServiceImpl(
       walletId: WalletId
   ): ZIO[WalletAdministrationContext, WalletManagementServiceError, Option[Wallet]] = {
     ZIO
-      .serviceWith[WalletAdministrationContext] {
-        case WalletAdministrationContext.Admin() => Some(walletId)
-        case WalletAdministrationContext.SelfService(permittedWallets) =>
-          if permittedWallets.contains(walletId)
-          then Some(walletId)
-          else None
-      }
+      .serviceWith[WalletAdministrationContext](_.isAuthorized(walletId))
       .flatMap {
-        case Some(walletId) =>
-          nonSecretStorage
-            .getWallet(walletId)
-            .mapError(e => e)
-        case None => ZIO.none
+        case true => nonSecretStorage.getWallet(walletId).mapError(e => e)
+        case false => ZIO.none
       }
   }
 
@@ -71,15 +62,8 @@ class WalletManagementServiceImpl(
       walletIds: Seq[WalletId]
   ): ZIO[WalletAdministrationContext, WalletManagementServiceError, Seq[Wallet]] = {
     ZIO
-      .serviceWith[WalletAdministrationContext] {
-        case WalletAdministrationContext.Admin() => walletIds
-        case WalletAdministrationContext.SelfService(permittedWallets) => walletIds.intersect(permittedWallets)
-      }
-      .flatMap { filteredIds =>
-        nonSecretStorage
-          .getWallets(filteredIds)
-          .mapError(e => e)
-      }
+      .serviceWith[WalletAdministrationContext](ctx => walletIds.filter(ctx.isAuthorized))
+      .flatMap { filteredIds => nonSecretStorage.getWallets(filteredIds).mapError(e => e) }
   }
 
   override def listWallets(
diff --git a/shared/src/main/scala/io/iohk/atala/shared/models/MultiTenancy.scala b/shared/src/main/scala/io/iohk/atala/shared/models/MultiTenancy.scala
index b73eb6bd16..bafe9cdeee 100644
--- a/shared/src/main/scala/io/iohk/atala/shared/models/MultiTenancy.scala
+++ b/shared/src/main/scala/io/iohk/atala/shared/models/MultiTenancy.scala
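Review bot: The rewritten `case true => nonSecretStorage.getWallet(walletId).mapError(e => e)` line keeps an identity `mapError`, which only does anything if it exists to widen the storage error into `WalletManagementServiceError` through an implicit conversion in scope; nothing in the hunk shows that, so a reader sees a no-op. Either name the conversion explicitly in the lambda or annotate it: `.mapError(e => e) // widens the storage error via the implicit Conversion in scope`. The method also returns `None` for a wallet the context is not authorized for, indistinguishable from a wallet that does not exist — a sound anti-enumeration choice that should be stated in a Scaladoc on the signature, which starts before this hunk.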
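Review bot: In getWallets, `walletIds.filter(ctx.isAuthorized)` is not equivalent to the removed `walletIds.intersect(permittedWallets)` when the request repeats an id: `intersect` is a multiset intersection that keeps at most as many occurrences as `permittedWallets` holds, while `filter` keeps every repeat, so duplicates now reach `nonSecretStorage.getWallets`; if the storage call is not tolerant of that, `walletIds.distinct.filter(ctx.isAuthorized)` restores the old shape. For a `SelfService` context each `isAuthorized` call is a linear `Seq.contains`, so the filter is O(n·m) over the request and the permitted list — acceptable for small requests, but worth a comment if request sizes are not bounded upstream. The signature of getWallets starts before this hunk.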
@@ -18,9 +18,15 @@ final case class WalletAccessContext(walletId: WalletId)
 
 // This might eventually be unified with WalletAccessContext and introduce some scope / role.
 // For now this is only intended for wallet admin related operations.
-sealed trait WalletAdministrationContext
+sealed trait WalletAdministrationContext {
+  def isAuthorized(walletId: WalletId): Boolean
+}
 
 object WalletAdministrationContext {
-  final case class Admin() extends WalletAdministrationContext
-  final case class SelfService(permittedWallets: Seq[WalletId]) extends WalletAdministrationContext
+  final case class Admin() extends WalletAdministrationContext {
+    def isAuthorized(walletId: WalletId): Boolean = true
+  }
+  final case class SelfService(permittedWallets: Seq[WalletId]) extends WalletAdministrationContext {
+    def isAuthorized(walletId: WalletId): Boolean = permittedWallets.contains(walletId)
+  }
 }
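Review bot: The new abstract `def isAuthorized(walletId: WalletId): Boolean` becomes the single authorization decision point for every wallet-administration call in this commit, yet it carries no Scaladoc; add above it `/** Whether this context may administer `walletId`: `Admin` always may, `SelfService` only for ids listed in `permittedWallets`. */` so callers know the contract without reading both implementations. The two implementations omit `override`, which Scala permits for abstract members but which hides the relationship when `Admin` or `SelfService` is read on its own; `override def isAuthorized(walletId: WalletId): Boolean = ...` is the conventional form. `permittedWallets` is a `Seq`, so each check in `SelfService` is a linear scan — harmless for a handful of wallets, but a `Set[WalletId]` would be the natural type if the list can grow, at the cost of changing the case-class constructor.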