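authorizeAlter parses the Schema in the operation and authorizes the operation using the worker.AclCachePtr. It returns an error if any one of the predicates specified in the alter operation is not authorized. When the ACL feature is not enabled (worker.Config.AclSecretKey is nil), no authorization is performed and nil is returned.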
(ctx context.Context, op *api.Operation)
| 661 | // using the worker.AclCachePtr. It will return error if any one of the predicates |
| 662 | // specified in alter are not authorized. |
| 663 | func authorizeAlter(ctx context.Context, op *api.Operation) error { |
| 664 | if worker.Config.AclSecretKey == nil { |
| 665 | // the user has not turned on the acl feature |
| 666 | return nil |
| 667 | } |
| 668 | |
| 669 | // extract the list of predicates from the operation object |
| 670 | var preds []string |
| 671 | switch { |
| 672 | case len(op.DropAttr) > 0: |
| 673 | preds = []string{op.DropAttr} |
| 674 | case op.DropOp == api.Operation_ATTR && len(op.DropValue) > 0: |
| 675 | preds = []string{op.DropValue} |
| 676 | default: |
| 677 | update, err := schema.Parse(op.Schema) |
| 678 | if err != nil { |
| 679 | return err |
| 680 | } |
| 681 | |
| 682 | for _, u := range update.Preds { |
| 683 | preds = append(preds, x.ParseAttr(u.Predicate)) |
| 684 | } |
| 685 | } |
| 686 | var userId string |
| 687 | var groupIds []string |
| 688 | |
| 689 | // doAuthorizeAlter checks if alter of all the predicates are allowed |
| 690 | // as a byproduct, it also sets the userId, groups variables |
| 691 | doAuthorizeAlter := func() error { |
| 692 | userData, err := extractUserAndGroups(ctx) |
| 693 | if err != nil { |
| 694 | // We don't follow fail open approach anymore. |
| 695 | return status.Error(codes.Unauthenticated, err.Error()) |
| 696 | } |
| 697 | |
| 698 | userId = userData.userId |
| 699 | groupIds = userData.groupIds |
| 700 | |
| 701 | if x.IsSuperAdmin(groupIds) { |
| 702 | // Members of guardian group are allowed to alter anything. |
| 703 | return nil |
| 704 | } |
| 705 | |
| 706 | // if we get here, we know the user is not a guardian. |
| 707 | if isDropAll(op) || op.DropOp == api.Operation_DATA { |
| 708 | return errors.Errorf( |
| 709 | "only guardians are allowed to drop all data, but the current user is %s", userId) |
| 710 | } |
| 711 | |
| 712 | result := authorizePreds(ctx, userData, preds, acl.Modify) |
| 713 | if len(result.blocked) > 0 { |
| 714 | var msg strings.Builder |
| 715 | for key := range result.blocked { |
| 716 | x.Check2(msg.WriteString(key)) |
| 717 | x.Check2(msg.WriteString(" ")) |
| 718 | } |
| 719 | return status.Errorf(codes.PermissionDenied, |
| 720 | "unauthorized to alter following predicates: %s\n", msg.String()) |
no test coverage detected