(
ctx context.Context,
instance *store.InstanceMessage,
database *store.DatabaseMessage,
user *store.UserMessage,
spans []*parserbase.QuerySpan,
isExplain bool,
statements []parserbase.Statement,
grantedTargets map[string]struct{},
requestSchema string,
multiStatement bool,
)
| 1537 | } |
| 1538 | |
| 1539 | func (s *SQLService) accessCheckWithGrantedTargets( |
| 1540 | ctx context.Context, |
| 1541 | instance *store.InstanceMessage, |
| 1542 | database *store.DatabaseMessage, |
| 1543 | user *store.UserMessage, |
| 1544 | spans []*parserbase.QuerySpan, |
| 1545 | isExplain bool, |
| 1546 | statements []parserbase.Statement, |
| 1547 | grantedTargets map[string]struct{}, |
| 1548 | requestSchema string, |
| 1549 | multiStatement bool, |
| 1550 | ) error { |
| 1551 | project, err := s.store.GetProject(ctx, &store.FindProjectMessage{Workspace: common.GetWorkspaceIDFromContext(ctx), ResourceID: &database.ProjectID}) |
| 1552 | if err != nil { |
| 1553 | return err |
| 1554 | } |
| 1555 | if project == nil { |
| 1556 | return connect.NewError(connect.CodeInvalidArgument, errors.Errorf("project %q not found", database.ProjectID)) |
| 1557 | } |
| 1558 | |
| 1559 | workspacePolicy, err := s.store.GetWorkspaceIamPolicy(ctx, common.GetWorkspaceIDFromContext(ctx)) |
| 1560 | if err != nil { |
| 1561 | return connect.NewError(connect.CodeInternal, errors.Wrapf(err, "failed to get workspace iam policy")) |
| 1562 | } |
| 1563 | |
| 1564 | projectPolicy, err := s.store.GetProjectIamPolicy(ctx, common.GetWorkspaceIDFromContext(ctx), project.ResourceID) |
| 1565 | if err != nil { |
| 1566 | return connect.NewError(connect.CodeInternal, errors.New(err.Error())) |
| 1567 | } |
| 1568 | |
| 1569 | checkDatabaseAccess := func(perm permission.Permission) error { |
| 1570 | databaseFullName := common.FormatDatabase(instance.ResourceID, database.DatabaseName) |
| 1571 | if _, granted := grantedTargets[databaseFullName]; granted { |
| 1572 | return nil |
| 1573 | } |
| 1574 | attributes := map[string]any{ |
| 1575 | common.CELAttributeRequestTime: time.Now(), |
| 1576 | common.CELAttributeResourceDatabase: databaseFullName, |
| 1577 | } |
| 1578 | env := "" |
| 1579 | if database.EffectiveEnvironmentID != nil { |
| 1580 | env = *database.EffectiveEnvironmentID |
| 1581 | } |
| 1582 | attributes[common.CELAttributeResourceEnvironmentID] = env |
| 1583 | |
| 1584 | ok, err := s.hasDatabaseAccessRights( |
| 1585 | ctx, |
| 1586 | user, |
| 1587 | perm, |
| 1588 | attributes, |
| 1589 | workspacePolicy.Policy, |
| 1590 | projectPolicy.Policy, |
| 1591 | ) |
| 1592 | if err != nil { |
| 1593 | return connect.NewError(connect.CodeInternal, errors.Errorf("failed to check access control for database: %q, error %v", databaseFullName, err)) |
| 1594 | } |
| 1595 | if !ok { |
| 1596 | return &queryError{ |
no test coverage detected