feat: add get user permissions method to enforcer

Signed-off-by: Khor Shu Heng <khor.heng@gojek.com>

api/pkg/authz/enforcer/enforcer.go

@@ -18,6 +18,8 @@ type Enforcer interface {
 	GetUserRoles(ctx context.Context, user string) ([]string, error)
 	// GetRolePermissions get all permissions directly associated with a role
 	GetRolePermissions(ctx context.Context, role string) ([]string, error)
+	// GetUserPermissions get all permissions associated with a user
+	GetUserPermissions(ctx context.Context, user string) ([]string, error)
 	// GetRoleMembers get all members for a role
 	GetRoleMembers(ctx context.Context, role string) ([]string, error)
 	// UpdateAuthorization update authorization rules in batches
@@ -131,6 +133,38 @@ func (e *enforcer) GetRolePermissions(ctx context.Context, role string) ([]strin
 	return permissions, nil
 }
 
+func (e *enforcer) GetUserPermissions(ctx context.Context, user string) ([]string, error) {
+	roles, err := e.GetUserRoles(ctx, user)
+	if err != nil {
+		return nil, err
+	}
+	permissionSet := sync.Map{}
+	getPermissionsWorkersGroup := new(errgroup.Group)
+	for _, role := range roles {
+		role := role
+		getPermissionsWorkersGroup.Go(func() error {
+			permissions, err := e.GetRolePermissions(ctx, role)
+			for _, permission := range permissions {
+				permissionSet.Store(permission, true)
+			}
+			if err != nil {
+				return err
+			}
+			return nil
+		})
+	}
+	err = getPermissionsWorkersGroup.Wait()
+	if err != nil {
+		return nil, err
+	}
+	permissions := make([]string, 0)
+	permissionSet.Range(func(key, value interface{}) bool {
+		permissions = append(permissions, key.(string))
+		return true
+	})
+	return permissions, nil
+}
+
 func (e *enforcer) GetRoleMembers(ctx context.Context, role string) ([]string, error) {
 	// The permission tree includes the role as the parent node, and the members as the children nodes.
 	// Hence, we need at least the depth of 2 to get the members. We don't go beyond 2 as we currently

api/pkg/authz/enforcer/enforcer_test.go

@@ -241,6 +241,49 @@ func TestEnforcer_GetRolePermissions(t *testing.T) {
 	}
 }
 
+func TestEnforcer_GetUserPermissions(t *testing.T) {
+	ketoEnforcer, err := NewEnforcerBuilder().Build()
+	require.NoError(t, err)
+	readClient := newKetoClient(ketoRemoteRead)
+	writeClient := newKetoClient(ketoRemoteWrite)
+	clearRelations(readClient, writeClient)
+	updateRequest := NewAuthorizationUpdateRequest()
+	updateRequest.SetRolePermissions("pages.1.reader", []string{"pages.1.get"})
+	updateRequest.SetRolePermissions("pages.1.admin", []string{"pages.1.get", "pages.1.post"})
+	updateRequest.SetRoleMembers("pages.1.reader", []string{"user-1@example.com"})
+	updateRequest.SetRoleMembers("pages.1.admin", []string{"user-1@example.com"})
+	err = ketoEnforcer.UpdateAuthorization(context.Background(), updateRequest)
+	require.NoError(t, err)
+	tests := []struct {
+		name                string
+		user                string
+		expectedPermissions []string
+	}{
+		{
+			"user-1 has reader and admin permissions for page 1",
+			"user-1@example.com",
+			[]string{
+				"pages.1.get",
+				"pages.1.post",
+			},
+		},
+		{
+			"unknown user has no no permissions",
+			"anonymous@example.com",
+			[]string{},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			res, err := ketoEnforcer.GetUserPermissions(context.Background(), tt.user)
+			require.NoError(t, err)
+			sort.Strings(tt.expectedPermissions)
+			sort.Strings(res)
+			require.Equal(t, tt.expectedPermissions, res)
+		})
+	}
+}
+
 func TestEnforcer_GetRoleMembers(t *testing.T) {
 	ketoEnforcer, err := NewEnforcerBuilder().Build()
 	require.NoError(t, err)

api/service/projects_service.go

@@ -179,6 +179,7 @@ func (service *projectsService) updateAuthorizationPolicy(ctx context.Context, p
 	return service.authEnforcer.UpdateAuthorization(ctx, updateRequest)
 }
 
+// TODO: Evaluate if we should retrieve all permissions granted to a user as opposed to just roles
 func (service *projectsService) filterAuthorizedProjects(ctx context.Context, projects []*models.Project,
 	user string) ([]*models.Project, error) {
 	if user == "" {