MCPcopy Index your code
hub / github.com/bytebase/bytebase / verifyWorkspaceMembership

Method verifyWorkspaceMembership

backend/api/auth/auth.go:233–272  ·  view source on GitHub ↗

verifyWorkspaceMembership checks that the account is a member of the workspace.

(ctx context.Context, workspaceID string, account *store.AccountMessage)

Source from the content-addressed store, hash-verified

231
232// verifyWorkspaceMembership checks that the account is a member of the workspace.
233func (in *APIAuthInterceptor) verifyWorkspaceMembership(ctx context.Context, workspaceID string, account *store.AccountMessage) error {
234 switch account.Type {
235 case storepb.PrincipalType_SERVICE_ACCOUNT, storepb.PrincipalType_WORKLOAD_IDENTITY:
236 // Service accounts and workload identities have workspace on their record.
237 if account.Workspace != workspaceID {
238 return errs.Errorf("principal %q does not belong to workspace %q", account.Email, workspaceID)
239 }
240 return nil
241
242 case storepb.PrincipalType_END_USER:
243 // END_USER membership is verified via workspace IAM policy.
244 // Check direct membership, group membership, and allUsers.
245 iamPolicy, err := in.store.GetWorkspaceIamPolicy(ctx, workspaceID)
246 if err != nil {
247 return errs.Wrap(err, "failed to get workspace IAM policy")
248 }
249 userMember := common.FormatUserEmail(account.Email)
250 for _, binding := range iamPolicy.Policy.Bindings {
251 for _, member := range binding.Members {
252 if member == userMember {
253 return nil
254 }
255 if member == common.AllUsers && !in.profile.SaaS {
256 return nil
257 }
258 // Check group membership.
259 if strings.HasPrefix(member, common.GroupPrefix) {
260 groupMembers, _ := in.store.GetGroupMembersSnapshot(ctx, workspaceID, member)
261 if groupMembers != nil && groupMembers[userMember] {
262 return nil
263 }
264 }
265 }
266 }
267 return errs.Errorf("user %q is not a member of workspace %q", account.Email, workspaceID)
268
269 default:
270 return errs.Errorf("unknown principal type %v", account.Type)
271 }
272}
273
274// authenticateConnect is a ConnectRPC-specific version that returns ConnectRPC errors.
275func (in *APIAuthInterceptor) authenticateConnect(ctx context.Context, accessTokenStr string) (*store.UserMessage, *claimsMessage, error) {

Callers 1

authenticateMethod · 0.95

Calls 4

FormatUserEmailFunction · 0.92
ErrorfMethod · 0.80
GetWorkspaceIamPolicyMethod · 0.80

Tested by

no test coverage detected