verifyWorkspaceMembership checks that the account is a member of the workspace.
(ctx context.Context, workspaceID string, account *store.AccountMessage)
| 231 | |
| 232 | // verifyWorkspaceMembership checks that the account is a member of the workspace. |
| 233 | func (in *APIAuthInterceptor) verifyWorkspaceMembership(ctx context.Context, workspaceID string, account *store.AccountMessage) error { |
| 234 | switch account.Type { |
| 235 | case storepb.PrincipalType_SERVICE_ACCOUNT, storepb.PrincipalType_WORKLOAD_IDENTITY: |
| 236 | // Service accounts and workload identities have workspace on their record. |
| 237 | if account.Workspace != workspaceID { |
| 238 | return errs.Errorf("principal %q does not belong to workspace %q", account.Email, workspaceID) |
| 239 | } |
| 240 | return nil |
| 241 | |
| 242 | case storepb.PrincipalType_END_USER: |
| 243 | // END_USER membership is verified via workspace IAM policy. |
| 244 | // Check direct membership, group membership, and allUsers. |
| 245 | iamPolicy, err := in.store.GetWorkspaceIamPolicy(ctx, workspaceID) |
| 246 | if err != nil { |
| 247 | return errs.Wrap(err, "failed to get workspace IAM policy") |
| 248 | } |
| 249 | userMember := common.FormatUserEmail(account.Email) |
| 250 | for _, binding := range iamPolicy.Policy.Bindings { |
| 251 | for _, member := range binding.Members { |
| 252 | if member == userMember { |
| 253 | return nil |
| 254 | } |
| 255 | if member == common.AllUsers && !in.profile.SaaS { |
| 256 | return nil |
| 257 | } |
| 258 | // Check group membership. |
| 259 | if strings.HasPrefix(member, common.GroupPrefix) { |
| 260 | groupMembers, _ := in.store.GetGroupMembersSnapshot(ctx, workspaceID, member) |
| 261 | if groupMembers != nil && groupMembers[userMember] { |
| 262 | return nil |
| 263 | } |
| 264 | } |
| 265 | } |
| 266 | } |
| 267 | return errs.Errorf("user %q is not a member of workspace %q", account.Email, workspaceID) |
| 268 | |
| 269 | default: |
| 270 | return errs.Errorf("unknown principal type %v", account.Type) |
| 271 | } |
| 272 | } |
| 273 | |
| 274 | // authenticateConnect is a ConnectRPC-specific version that returns ConnectRPC errors. |
| 275 | func (in *APIAuthInterceptor) authenticateConnect(ctx context.Context, accessTokenStr string) (*store.UserMessage, *claimsMessage, error) { |
no test coverage detected