MCPcopy Index your code
hub / github.com/bytebase/bytebase / accessCheckWithGrantedTargets

Method accessCheckWithGrantedTargets

backend/api/v1/sql_service.go:1539–1759  ·  view source on GitHub ↗
(
	ctx context.Context,
	instance *store.InstanceMessage,
	database *store.DatabaseMessage,
	user *store.UserMessage,
	spans []*parserbase.QuerySpan,
	isExplain bool,
	statements []parserbase.Statement,
	grantedTargets map[string]struct{},
	requestSchema string,
	multiStatement bool,
)

Source from the content-addressed store, hash-verified

1537}
1538
1539func (s *SQLService) accessCheckWithGrantedTargets(
1540 ctx context.Context,
1541 instance *store.InstanceMessage,
1542 database *store.DatabaseMessage,
1543 user *store.UserMessage,
1544 spans []*parserbase.QuerySpan,
1545 isExplain bool,
1546 statements []parserbase.Statement,
1547 grantedTargets map[string]struct{},
1548 requestSchema string,
1549 multiStatement bool,
1550) error {
1551 project, err := s.store.GetProject(ctx, &store.FindProjectMessage{Workspace: common.GetWorkspaceIDFromContext(ctx), ResourceID: &database.ProjectID})
1552 if err != nil {
1553 return err
1554 }
1555 if project == nil {
1556 return connect.NewError(connect.CodeInvalidArgument, errors.Errorf("project %q not found", database.ProjectID))
1557 }
1558
1559 workspacePolicy, err := s.store.GetWorkspaceIamPolicy(ctx, common.GetWorkspaceIDFromContext(ctx))
1560 if err != nil {
1561 return connect.NewError(connect.CodeInternal, errors.Wrapf(err, "failed to get workspace iam policy"))
1562 }
1563
1564 projectPolicy, err := s.store.GetProjectIamPolicy(ctx, common.GetWorkspaceIDFromContext(ctx), project.ResourceID)
1565 if err != nil {
1566 return connect.NewError(connect.CodeInternal, errors.New(err.Error()))
1567 }
1568
1569 checkDatabaseAccess := func(perm permission.Permission) error {
1570 databaseFullName := common.FormatDatabase(instance.ResourceID, database.DatabaseName)
1571 if _, granted := grantedTargets[databaseFullName]; granted {
1572 return nil
1573 }
1574 attributes := map[string]any{
1575 common.CELAttributeRequestTime: time.Now(),
1576 common.CELAttributeResourceDatabase: databaseFullName,
1577 }
1578 env := ""
1579 if database.EffectiveEnvironmentID != nil {
1580 env = *database.EffectiveEnvironmentID
1581 }
1582 attributes[common.CELAttributeResourceEnvironmentID] = env
1583
1584 ok, err := s.hasDatabaseAccessRights(
1585 ctx,
1586 user,
1587 perm,
1588 attributes,
1589 workspacePolicy.Policy,
1590 projectPolicy.Policy,
1591 )
1592 if err != nil {
1593 return connect.NewError(connect.CodeInternal, errors.Errorf("failed to check access control for database: %q, error %v", databaseFullName, err))
1594 }
1595 if !ok {
1596 return &queryError{

Callers 2

accessCheckMethod · 0.95
accessCheckWithGrantMethod · 0.95

Calls 12

resolveWriteTargetsMethod · 0.95
authorizeWriteTargetsMethod · 0.95
FormatDatabaseFunction · 0.92
EngineSupportQueryNewACLFunction · 0.92
ErrorfMethod · 0.80
GetWorkspaceIamPolicyMethod · 0.80
GetProjectIamPolicyMethod · 0.80
GetProjectMethod · 0.65
ErrorMethod · 0.45
GetEngineMethod · 0.45

Tested by

no test coverage detected