inline code and rename field

arborist/auth.go

@@ -235,7 +235,7 @@ func authorizeClient(request *AuthRequest) (*AuthResponse, error) {
 			JOIN client_policy ON client_policy.client_id = client.id
 			JOIN policy_resource ON policy_resource.policy_id = client_policy.policy_id
 			JOIN resource ON resource.id = policy_resource.resource_id
-			WHERE client.fence_client_id = $1
+			WHERE client.external_client_id = $1
 			AND EXISTS (
 				SELECT 1 FROM policy_role
 				JOIN permission ON permission.role_id = policy_role.role_id
@@ -350,7 +350,7 @@ func authorizedResources(db *sqlx.DB, request *AuthRequest) ([]ResourceFromQuery
 			SELECT client_policy.policy_id
 			FROM client
 			JOIN client_policy ON client_policy.client_id = client.id
-			WHERE client.fence_client_id = $2
+			WHERE client.external_client_id = $2
 		) policies
 		LEFT JOIN policy_resource ON policy_resource.policy_id = policies.policy_id
 		LEFT JOIN resource ON resource.id = policy_resource.resource_id

arborist/client.go

@@ -13,7 +13,7 @@ type Client struct {
 }
 
 type ClientFromQuery struct {
-	ClientID string         `db:"fence_client_id"`
+	ClientID string         `db:"external_client_id"`
 	Policies pq.StringArray `db:"policies"`
 }
 
@@ -28,12 +28,12 @@ func (clientFromQuery *ClientFromQuery) standardize() Client {
 func clientWithClientID(db *sqlx.DB, clientID string) (*ClientFromQuery, error) {
 	stmt := `
 		SELECT
-			client.fence_client_id,
+			client.external_client_id,
 			array_remove(array_agg(policy.name), NULL) AS policies
 		FROM client
 		LEFT JOIN client_policy ON client.id = client_policy.client_id
 		LEFT JOIN policy ON policy.id = client_policy.policy_id
-		WHERE client.fence_client_id = $1
+		WHERE client.external_client_id = $1
 		GROUP BY client.id
 		LIMIT 1
 	`
@@ -52,7 +52,7 @@ func clientWithClientID(db *sqlx.DB, clientID string) (*ClientFromQuery, error)
 func listClientsFromDb(db *sqlx.DB) ([]ClientFromQuery, error) {
 	stmt := `
 		SELECT
-			client.fence_client_id,
+			client.external_client_id,
 			array_remove(array_agg(policy.name), NULL) AS policies
 		FROM client
 		LEFT JOIN client_policy ON client.id = client_policy.client_id
@@ -81,7 +81,7 @@ func (client *Client) createInDb(db *sqlx.DB) *ErrorResponse {
 
 	var clientDBID int
 	stmt := `
-		INSERT INTO client(fence_client_id)
+		INSERT INTO client(external_client_id)
 		VALUES ($1)
 		RETURNING id
 	`
@@ -153,7 +153,7 @@ func (client *Client) createInDb(db *sqlx.DB) *ErrorResponse {
 }
 
 func (client *Client) deleteInDb(db *sqlx.DB) *ErrorResponse {
-	stmt := "DELETE FROM client WHERE fence_client_id = $1"
+	stmt := "DELETE FROM client WHERE external_client_id = $1"
 	_, err := db.Exec(stmt, client.ClientID)
 	if err != nil {
 		// TODO: verify correct error
@@ -166,7 +166,7 @@ func (client *Client) deleteInDb(db *sqlx.DB) *ErrorResponse {
 func grantClientPolicy(db *sqlx.DB, clientID string, policyName string) *ErrorResponse {
 	stmt := `
 		INSERT INTO client_policy(client_id, policy_id)
-		VALUES ((SELECT id FROM client WHERE fence_client_id = $1), (SELECT id FROM policy WHERE name = $2))
+		VALUES ((SELECT id FROM client WHERE external_client_id = $1), (SELECT id FROM policy WHERE name = $2))
 	`
 	_, err := db.Exec(stmt, clientID, policyName)
 	if err != nil {
@@ -202,7 +202,7 @@ func grantClientPolicy(db *sqlx.DB, clientID string, policyName string) *ErrorRe
 func revokeClientPolicy(db *sqlx.DB, clientID string, policyName string) *ErrorResponse {
 	stmt := `
 		DELETE FROM client_policy
-		WHERE client_id = (SELECT id FROM client WHERE fence_client_id = $1)
+		WHERE client_id = (SELECT id FROM client WHERE external_client_id = $1)
 		AND policy_id = (SELECT id FROM policy WHERE name = $2)
 	`
 	_, err := db.Exec(stmt, clientID, policyName)
@@ -216,7 +216,7 @@ func revokeClientPolicy(db *sqlx.DB, clientID string, policyName string) *ErrorR
 func revokeClientPolicyAll(db *sqlx.DB, clientID string) *ErrorResponse {
 	stmt := `
 		DELETE FROM client_policy
-		WHERE client_id = (SELECT id FROM client WHERE fence_client_id = $1)
+		WHERE client_id = (SELECT id FROM client WHERE external_client_id = $1)
 	`
 	_, err := db.Exec(stmt, clientID)
 	if err != nil {

arborist/server.go

@@ -256,31 +256,21 @@ func (server *Server) handleAuthProxy(w http.ResponseWriter, r *http.Request) {
 		stmts:    server.stmts,
 	}
 
-	handle := func(rv *AuthResponse, err error) bool {
-		if err != nil {
-			msg := fmt.Sprintf("could not authorize: %s", err.Error())
-			server.logger.Info("tried to handle auth request but input was invalid: %s", msg)
-			response := newErrorResponse(msg, 400, nil)
-			_ = response.write(w, r)
-			return true
-		}
-		if !rv.Auth {
-			errResponse := newErrorResponse(
-				"Unauthorized: user does not have access to this resource", 403, nil)
-			_ = errResponse.write(w, r)
-			return true
-		}
-		return false
-	}
-
 	rv, err := authorizeUser(&authRequest)
-	if handle(rv, err) {
+	if err == nil && rv.Auth && authRequest.ClientID != "" {
+		rv, err = authorizeClient(&authRequest)
+	}
+	if err != nil {
+		msg := fmt.Sprintf("could not authorize: %s", err.Error())
+		server.logger.Info("tried to handle auth request but input was invalid: %s", msg)
+		response := newErrorResponse(msg, 400, nil)
+		_ = response.write(w, r)
 		return
 	}
-
-	if authRequest.ClientID != "" {
-		rv, err = authorizeClient(&authRequest)
-		handle(rv, err)
+	if !rv.Auth {
+		errResponse := newErrorResponse(
+			"Unauthorized: user does not have access to this resource", 403, nil)
+		_ = errResponse.write(w, r)
 	}
 }
 

migrations/2019-02-18T214320Z_init/up.sql

@@ -165,7 +165,7 @@ CREATE TABLE usr_policy (
 
 CREATE TABLE client (
     id serial PRIMARY KEY, -- arborist only---not fence
-    fence_client_id text UNIQUE NOT NULL -- SHARED with fence
+    external_client_id text UNIQUE NOT NULL -- SHARED with fence
 );
 
 CREATE TABLE client_policy (