MCPcopy Create free account
hub / github.com/chainloop-dev/chainloop / doGet

Method doGet

app/controlplane/pkg/data/referrer.go:318–449  ·  view source on GitHub ↗
(ctx context.Context, root *ent.Referrer, allowedOrgs []uuid.UUID, visibleProjectsMap map[uuid.UUID][]uuid.UUID, public *bool, projectPred predicate.Referrer, p *pagination.CursorOptions, level int)

Source from the content-addressed store, hash-verified

316const maxTraverseLevels = 1
317
318func (r *ReferrerRepo) doGet(ctx context.Context, root *ent.Referrer, allowedOrgs []uuid.UUID, visibleProjectsMap map[uuid.UUID][]uuid.UUID, public *bool, projectPred predicate.Referrer, p *pagination.CursorOptions, level int) (*biz.StoredReferrer, string, error) {
319 // Assemble the referrer to return
320 res := &biz.StoredReferrer{
321 ID: root.ID,
322 CreatedAt: toTimePtr(root.CreatedAt),
323 Referrer: &biz.Referrer{
324 Digest: root.Digest,
325 Kind: root.Kind,
326 Downloadable: root.Downloadable,
327 Metadata: root.Metadata,
328 Annotations: root.Annotations,
329 },
330 }
331
332 // add additional information related to the workflows
333 hydrateWorkflowsInfo(root, res)
334
335 // check that, if RBAC is required, the user has visibility on the artifact in at least 1 org/project
336 if visible := isReferrerVisible(res, allowedOrgs, visibleProjectsMap); !visible {
337 return nil, "", biz.NewErrUnauthorizedStr("referrer not allowed")
338 }
339
340 // When a project filter is active, an attestation root has already been filtered by the
341 // initial referrer lookup (the projectPred subquery), so it is guaranteed to belong to the
342 // requested project here. A material root passes that lookup unconditionally and is
343 // validated through its references below (or via the pagination-independent existence
344 // check after the references query).
345 projectFilterActive := projectPred != nil
346
347 // Next: We'll find the references recursively up to a max of maxTraverseLevels levels
348 if level >= maxTraverseLevels {
349 return res, "", nil
350 }
351
352 // Find the references and call recursively filtered out by the allowed organizations
353 // and by the visibility if needed
354 predicateReferrer := []predicate.Referrer{}
355
356 predicateWF := []predicate.Workflow{
357 workflow.DeletedAtIsNil(), workflow.HasOrganizationWith(organization.IDIn(allowedOrgs...)),
358 }
359
360 // optionally attaching its visibility
361 if public != nil {
362 predicateWF = append(predicateWF, workflow.Public(*public))
363 }
364
365 // Attach the workflow predicate
366 predicateReferrer = append(predicateReferrer, referrer.HasWorkflowsWith(predicateWF...))
367
368 // When scoping to a project, attestation references must belong to that project (optionally
369 // narrowed to a version). Non-attestation references (materials/subjects) are kept as-is:
370 // they inherit the project through the attestation that references them.
371 if projectFilterActive {
372 predicateReferrer = append(predicateReferrer, referrer.Or(
373 referrer.KindNEQ(biz.ReferrerAttestationType),
374 projectPred,
375 ))

Callers 1

GetFromRootMethod · 0.95

Implementers 1

ReferrerRepoapp/controlplane/pkg/data/referrer.go

Calls 15

NewErrUnauthorizedStrFunction · 0.92
DeletedAtIsNilFunction · 0.92
HasOrganizationWithFunction · 0.92
IDInFunction · 0.92
PublicFunction · 0.92
HasWorkflowsWithFunction · 0.92
OrFunction · 0.92
KindNEQFunction · 0.92
ByCreatedAtFunction · 0.92
ByIDFunction · 0.92
EncodeCursorFunction · 0.92
IsErrUnauthorizedFunction · 0.92

Tested by

no test coverage detected