PoC on how to combine REST api with context sensitive authorization with Clojure. Using Compojure here, but that's not really interesting. Hairy macro magic. Too hairy, but brazilian waxing in progress.

compojure-enterprise-auth

(ns aitu.compojure-util
  (:require [compojure.core :as c]
            [aitu.toimiala.kayttajaoikeudet :as auth-map]
            [clojure.tools.logging :as log]))

(def http-compojure {
  :get 'compojure.core/GET
  :post 'compojure.core/POST
  :delete 'compojure.core/DELETE
  :update 'compojure.core/UPDATE})


(defmacro defapi-with-auth [toiminto konteksti-arg http-method path args & body]
  (let [compojure-macro (get http-compojure http-method)
        _ (log/info (str "declared " toiminto " on REST API: " http-method " at " path args))
        auth-fn (get auth-map/toiminnot toiminto)
        _ (log/info (str "auth-check " auth-fn " context param " (or konteksti-arg "N/A")))]
    (if (nil? konteksti-arg)
      `(~compojure-macro ~path ~args 
                         (assert (eval (~auth-fn )) "haxxor!") 
                         ~@body)
      `(~compojure-macro ~path ~args 
                         (assert (eval (~auth-fn ~konteksti-arg)) "haxxor!")
                         ~@body))))
                         
; and actions are declared separately:


(def ^:dynamic *current-user-authmap*)

(defn get-current-authmap
  []
  {:post [(not (nil? %))]}
  (assert (bound? #'*current-user-authmap*))
  *current-user-authmap*)

(defn yllapitaja? [kayttaja-map]
  {:pre [(contains? #{"YLLAPITAJA", "KAYTTAJA"} (:roolitunnus kayttaja-map))]}
  (= "YLLAPITAJA" (:roolitunnus kayttaja-map)))

(def toiminnot
  {:sopimustiedot_paivitys #(yllapitaja? (get-current-authmap))