Refactor check accounting uuid by namespace uuid for user or org (#965)

* Refactor check accounting uuid by namespace uuid for user or org

* update namespace type

* update namespace component to return namespace type

---------

Co-authored-by: Dev Agent <dev-agent@example.com>
Co-authored-by: Haihui.Wang <wanghh2000@163.com>

Author: 3 people

accounting/router/api.go

@@ -13,10 +13,9 @@ import (
 	"opencsg.com/csghub-server/api/middleware"
 	bldmq "opencsg.com/csghub-server/builder/mq"
 	"opencsg.com/csghub-server/common/config"
-	"opencsg.com/csghub-server/mq"
 )
 
-func NewAccountRouter(config *config.Config, mqHandler mq.MessageQueue, mqFactory bldmq.MessageQueueFactory) (*gin.Engine, error) {
+func NewAccountRouter(config *config.Config, mqFactory bldmq.MessageQueueFactory) (*gin.Engine, error) {
 	r := gin.New()
 	middleware.SetInfraMiddleware(r, config, instrumentation.Account)
 	needAPIKey := middleware.NeedAPIKey(config)
@@ -36,7 +35,7 @@ func NewAccountRouter(config *config.Config, mqHandler mq.MessageQueue, mqFactor
 		return nil, fmt.Errorf("error creating multi sync handler, error: %w", err)
 	}
 	createMeteringRoutes(apiGroup, meterHandler)
-	err = createAdvancedRoutes(apiGroup, config, mqHandler, mqFactory)
+	err = createAdvancedRoutes(apiGroup, config, mqFactory)
 	if err != nil {
 		return nil, fmt.Errorf("error creating accounting advanced routes, error:%w", err)
 	}

accounting/router/api_ce.go

@@ -6,9 +6,8 @@ import (
 	"github.com/gin-gonic/gin"
 	bldmq "opencsg.com/csghub-server/builder/mq"
 	"opencsg.com/csghub-server/common/config"
-	"opencsg.com/csghub-server/mq"
 )
 
-func createAdvancedRoutes(apiGroup *gin.RouterGroup, config *config.Config, mqHandler mq.MessageQueue, mqFactory bldmq.MessageQueueFactory) error {
+func createAdvancedRoutes(apiGroup *gin.RouterGroup, config *config.Config, mqFactory bldmq.MessageQueueFactory) error {
 	return nil
 }

builder/rpc/types.go

@@ -5,6 +5,7 @@ type Namespace struct {
 	Type   string `json:"type"`
 	UUID   string `json:"uuid,omitempty"`
 	Avatar string `json:"avatar,omitempty"`
+	NSType string `json:"nstype,omitempty"`
 }
 
 type User struct {

cmd/csghub-server/cmd/accounting/launch.go

@@ -15,7 +15,6 @@ import (
 	"opencsg.com/csghub-server/builder/store/database"
 	"opencsg.com/csghub-server/common/config"
 	"opencsg.com/csghub-server/common/i18n"
-	"opencsg.com/csghub-server/mq"
 )
 
 var launchCmd = &cobra.Command{
@@ -41,11 +40,6 @@ var launchCmd = &cobra.Command{
 			return fmt.Errorf("database initialization failed: %w", err)
 		}
 
-		mqHandler, err := mq.GetOrInit(cfg)
-		if err != nil {
-			return fmt.Errorf("fail to build message queue handler: %w", err)
-		}
-
 		mqFactory, err := bldmq.GetOrInitMessageQueueFactory(cfg)
 		if err != nil {
 			return fmt.Errorf("failed to creating message queue factory: %w", err)
@@ -70,7 +64,7 @@ var launchCmd = &cobra.Command{
 			panic(err)
 		}
 
-		r, err := router.NewAccountRouter(cfg, mqHandler, mqFactory)
+		r, err := router.NewAccountRouter(cfg, mqFactory)
 		if err != nil {
 			return fmt.Errorf("failed to init router: %w", err)
 		}

common/types/namespace.go

@@ -11,4 +11,5 @@ type Namespace struct {
 	Type   string
 	Avatar string
 	UUID   string
+	NSType string
 }

component/accounting.go

@@ -2,13 +2,14 @@ package component
 
 import (
 	"context"
-	"errors"
 	"fmt"
 
 	"opencsg.com/csghub-server/builder/accounting"
+	"opencsg.com/csghub-server/builder/git/membership"
 	"opencsg.com/csghub-server/builder/rpc"
 	"opencsg.com/csghub-server/builder/store/database"
 	"opencsg.com/csghub-server/common/config"
+	"opencsg.com/csghub-server/common/errorx"
 	"opencsg.com/csghub-server/common/types"
 )
 
@@ -69,12 +70,43 @@ func NewAccountingComponent(config *config.Config) (AccountingComponent, error)
 }
 
 func (ac *accountingComponentImpl) ListMeteringsByUserIDAndTime(ctx context.Context, req types.ActStatementsReq) (interface{}, error) {
-	user, err := ac.userStore.FindByUsername(ctx, req.CurrentUser)
+	if err := ac.allowQueryData(ctx, req.CurrentUser, req.UserUUID); err != nil {
+		return nil, errorx.Forbidden(err, map[string]any{
+			"user": req.CurrentUser,
+		})
+	}
+	return ac.accountingClient.ListMeteringsByUserIDAndTime(req)
+}
+
+// CanQueryUserData checks if the current user has permission to query the target user's data.
+// Permission is granted if:
+// 1. Current user is the same as the target user (querying own data)
+// 2. Current user is an admin
+// 3. Current user is a member of the organization that owns the target user's namespace
+func (ac *accountingComponentImpl) allowQueryData(ctx context.Context, currentUser, targetUUID string) error {
+	user, err := ac.userSvcClient.GetUserByName(ctx, currentUser)
 	if err != nil {
-		return nil, fmt.Errorf("user does not exist, %w", err)
+		return fmt.Errorf("current user not found: %w", err)
 	}
-	if user.UUID != req.UserUUID {
-		return nil, errors.New("invalid user")
+
+	if user.IsAdmin() || user.UUID == targetUUID {
+		return nil
 	}
-	return ac.accountingClient.ListMeteringsByUserIDAndTime(req)
+
+	ns, err := ac.userSvcClient.GetNameSpaceInfoByUUID(ctx, targetUUID)
+	if err != nil {
+		return fmt.Errorf("target namespace not found: %w", err)
+	}
+
+	if ns.NSType != string(database.OrgNamespace) {
+		return fmt.Errorf("do not have permission to query the target org's data: %w", err)
+	}
+
+	// Check if current user is member of org that owns target user's namespace
+	role, err := ac.userSvcClient.GetMemberRoleByUUID(ctx, ns.UUID, currentUser)
+	if err != nil || role == membership.RoleUnknown {
+		return fmt.Errorf("do not have permission to query the target org's data: %w", err)
+	}
+
+	return nil
 }

component/accounting_test.go

@@ -5,20 +5,21 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/require"
-	"opencsg.com/csghub-server/builder/store/database"
 	"opencsg.com/csghub-server/common/types"
 )
 
 func TestAccountingComponent_ListMeteringsByUserIDAndTime(t *testing.T) {
 	ctx := context.TODO()
 	ac := initializeTestAccountingComponent(ctx, t)
+	ac.userSvcClient = ac.mocks.userSvcClient
 
 	req := types.ActStatementsReq{
 		CurrentUser: "user",
 		UserUUID:    "uuid",
 	}
-	ac.mocks.stores.UserMock().EXPECT().FindByUsername(ctx, "user").Return(database.User{
-		UUID: "uuid",
+	ac.mocks.userSvcClient.EXPECT().GetUserByName(ctx, "user").Return(&types.User{
+		UUID:  "uuid",
+		Roles: []string{},
 	}, nil)
 	ac.mocks.accountingClient.EXPECT().ListMeteringsByUserIDAndTime(req).Return(
 		"", nil,

user/component/namespace.go

@@ -44,9 +44,10 @@ func (c *namespaceComponentImpl) GetInfoByUUID(ctx context.Context, uuid string)
 
 func (c *namespaceComponentImpl) buildNamespace(ctx context.Context, dbns *database.Namespace) (*types.Namespace, error) {
 	ns := &types.Namespace{
-		Path: dbns.Path,
-		Type: string(dbns.NamespaceType),
-		UUID: dbns.UUID,
+		Path:   dbns.Path,
+		Type:   string(dbns.NamespaceType),
+		NSType: string(dbns.NamespaceType),
+		UUID:   dbns.UUID,
 	}
 	switch dbns.NamespaceType {
 	case database.UserNamespace:

user/component/namespace_test.go

@@ -39,6 +39,7 @@ func TestNamespaceComponent_GetInfo(t *testing.T) {
 			Path:   user.Username,
 			Type:   "user",
 			Avatar: user.Avatar,
+			NSType: "user",
 		}
 		require.EqualValues(t, expected, actual)
 	})
@@ -80,6 +81,7 @@ func TestNamespaceComponent_GetInfo(t *testing.T) {
 			Path:   org.Name,
 			Type:   org.OrgType,
 			Avatar: org.Logo,
+			NSType: "organization",
 		}
 		require.EqualValues(t, expected, actual)
 
@@ -117,6 +119,7 @@ func TestNamespaceComponent_GetInfoByUUID(t *testing.T) {
 			Type:   "user",
 			UUID:   namespaceUUID,
 			Avatar: user.Avatar,
+			NSType: "user",
 		}
 		require.EqualValues(t, expected, actual)
 	})
@@ -161,6 +164,7 @@ func TestNamespaceComponent_GetInfoByUUID(t *testing.T) {
 			Type:   org.OrgType,
 			UUID:   namespaceUUID,
 			Avatar: org.Logo,
+			NSType: "organization",
 		}
 		require.EqualValues(t, expected, actual)
 	})