
Method requireVaultAccess

internal/server/server.go:563–597  ·  view source on GitHub ↗

requireVaultAccess checks that the session has access to the given vault. For scoped sessions (VaultID set): checks that the session's vault matches. For instance-level sessions: resolves the actor and checks the unified vault_grants table. Returns the actor (nil for scoped sessions) or writes an error response.

(w http.ResponseWriter, r *http.Request, vaultID string)


561// For instance-level sessions: resolves actor and checks the unified vault_grants table.
562// Returns the actor (nil for scoped sessions) or writes an error response.
func (s *Server) requireVaultAccess(w http.ResponseWriter, r *http.Request, vaultID string) (*Actor, error) {
	ctx := r.Context()

	sess := sessionFromContext(ctx)
	if sess == nil {
		// The error response is written here, so callers only need to return on a non-nil error.
		jsonError(w, http.StatusForbidden, "Authentication required")
		return nil, fmt.Errorf("no session")
	}

	// Scoped session: the vault is fixed by the session itself and no actor is
	// resolved, so a successful check yields (nil, nil). Callers must not
	// dereference the returned actor in that case.
	if scopedVault := sess.VaultID; scopedVault != "" {
		if scopedVault == vaultID {
			return nil, nil
		}
		jsonError(w, http.StatusForbidden, "Session not authorized for this vault")
		return nil, fmt.Errorf("vault mismatch")
	}

	// Instance-level session: the actor has to be resolved first, then it needs
	// a grant on this vault (vault_grants) before access is allowed.
	actor, err := s.actorFromSession(ctx, sess)
	if err != nil {
		jsonError(w, http.StatusForbidden, "Invalid session")
		return nil, err
	}

	granted, err := s.store.HasVaultAccess(ctx, actor.ID, vaultID)
	switch {
	case err != nil:
		// A store failure is reported as 500, not as a denial, so an outage is
		// distinguishable from a missing grant.
		jsonError(w, http.StatusInternalServerError, "Failed to check vault access")
		return nil, err
	case !granted:
		jsonError(w, http.StatusForbidden, "No access to this vault")
		return nil, fmt.Errorf("no grant")
	}

	return actor, nil
}
598
599// requireVaultAdmin checks that the actor has admin role in the given vault.
600// For scoped sessions: checks sess.VaultRole. For instance-level sessions: checks vault_grants.
