(ctx context.Context, root *ent.Referrer, allowedOrgs []uuid.UUID, visibleProjectsMap map[uuid.UUID][]uuid.UUID, public *bool, projectPred predicate.Referrer, p *pagination.CursorOptions, level int)
| 316 | const maxTraverseLevels = 1 |
| 317 | |
| 318 | func (r *ReferrerRepo) doGet(ctx context.Context, root *ent.Referrer, allowedOrgs []uuid.UUID, visibleProjectsMap map[uuid.UUID][]uuid.UUID, public *bool, projectPred predicate.Referrer, p *pagination.CursorOptions, level int) (*biz.StoredReferrer, string, error) { |
| 319 | // Assemble the referrer to return |
| 320 | res := &biz.StoredReferrer{ |
| 321 | ID: root.ID, |
| 322 | CreatedAt: toTimePtr(root.CreatedAt), |
| 323 | Referrer: &biz.Referrer{ |
| 324 | Digest: root.Digest, |
| 325 | Kind: root.Kind, |
| 326 | Downloadable: root.Downloadable, |
| 327 | Metadata: root.Metadata, |
| 328 | Annotations: root.Annotations, |
| 329 | }, |
| 330 | } |
| 331 | |
| 332 | // add additional information related to the workflows |
| 333 | hydrateWorkflowsInfo(root, res) |
| 334 | |
| 335 | // check that, if RBAC is required, the user has visibility on the artifact in at least 1 org/project |
| 336 | if visible := isReferrerVisible(res, allowedOrgs, visibleProjectsMap); !visible { |
| 337 | return nil, "", biz.NewErrUnauthorizedStr("referrer not allowed") |
| 338 | } |
| 339 | |
| 340 | // When a project filter is active, an attestation root has already been filtered by the |
| 341 | // initial referrer lookup (the projectPred subquery), so it is guaranteed to belong to the |
| 342 | // requested project here. A material root passes that lookup unconditionally and is |
| 343 | // validated through its references below (or via the pagination-independent existence |
| 344 | // check after the references query). |
| 345 | projectFilterActive := projectPred != nil |
| 346 | |
| 347 | // Next: We'll find the references recursively up to a max of maxTraverseLevels levels |
| 348 | if level >= maxTraverseLevels { |
| 349 | return res, "", nil |
| 350 | } |
| 351 | |
| 352 | // Find the references and call recursively filtered out by the allowed organizations |
| 353 | // and by the visibility if needed |
| 354 | predicateReferrer := []predicate.Referrer{} |
| 355 | |
| 356 | predicateWF := []predicate.Workflow{ |
| 357 | workflow.DeletedAtIsNil(), workflow.HasOrganizationWith(organization.IDIn(allowedOrgs...)), |
| 358 | } |
| 359 | |
| 360 | // optionally attaching its visibility |
| 361 | if public != nil { |
| 362 | predicateWF = append(predicateWF, workflow.Public(*public)) |
| 363 | } |
| 364 | |
| 365 | // Attach the workflow predicate |
| 366 | predicateReferrer = append(predicateReferrer, referrer.HasWorkflowsWith(predicateWF...)) |
| 367 | |
| 368 | // When scoping to a project, attestation references must belong to that project (optionally |
| 369 | // narrowed to a version). Non-attestation references (materials/subjects) are kept as-is: |
| 370 | // they inherit the project through the attestation that references them. |
| 371 | if projectFilterActive { |
| 372 | predicateReferrer = append(predicateReferrer, referrer.Or( |
| 373 | referrer.KindNEQ(biz.ReferrerAttestationType), |
| 374 | projectPred, |
| 375 | )) |
no test coverage detected