authorizeMutation authorizes the mutation using the worker.AclCachePtr. It returns a permission denied error if any of the predicates in the mutation (set or delete) is unauthorized. At this stage, the namespace is not yet attached to the predicates.
(ctx context.Context, gmu *dql.Mutation)
| 785 | // denied error if any one of the predicates in mutation(set or delete) is unauthorized. |
| 786 | // At this stage, namespace is not attached in the predicates. |
| 787 | func authorizeMutation(ctx context.Context, gmu *dql.Mutation) error { |
| 788 | if worker.Config.AclSecretKey == nil { |
| 789 | // the user has not turned on the acl feature |
| 790 | return nil |
| 791 | } |
| 792 | |
| 793 | preds := parsePredsFromMutation(gmu.Set) |
| 794 | // Del predicates weren't included before. |
| 795 | // A bug probably since f115de2eb6a40d882a86c64da68bf5c2a33ef69a |
| 796 | preds = append(preds, parsePredsFromMutation(gmu.Del)...) |
| 797 | |
| 798 | var userId string |
| 799 | var groupIds []string |
| 800 | // doAuthorizeMutation checks if modification of all the predicates are allowed |
| 801 | // as a byproduct, it also sets the userId and groups |
| 802 | doAuthorizeMutation := func() error { |
| 803 | userData, err := extractUserAndGroups(ctx) |
| 804 | if err != nil { |
| 805 | // We don't follow fail open approach anymore. |
| 806 | return status.Error(codes.Unauthenticated, err.Error()) |
| 807 | } |
| 808 | |
| 809 | userId = userData.userId |
| 810 | groupIds = userData.groupIds |
| 811 | |
| 812 | if x.IsSuperAdmin(groupIds) { |
| 813 | // Members of guardians group are allowed to mutate anything |
| 814 | // (including delete) except the permission of the acl predicates. |
| 815 | switch { |
| 816 | case isAclPredMutation(gmu.Set): |
| 817 | return errors.Errorf("the permission of ACL predicates can not be changed") |
| 818 | case isAclPredMutation(gmu.Del): |
| 819 | return errors.Errorf("ACL predicates can't be deleted") |
| 820 | } |
| 821 | if !shouldAllowAcls(userData.namespace) { |
| 822 | for _, pred := range preds { |
| 823 | if x.IsAclPredicate(pred) { |
| 824 | return status.Errorf(codes.PermissionDenied, |
| 825 | "unauthorized to mutate acl predicates: %s\n", pred) |
| 826 | } |
| 827 | } |
| 828 | } |
| 829 | return nil |
| 830 | } |
| 831 | result := authorizePreds(ctx, userData, preds, acl.Write) |
| 832 | if len(result.blocked) > 0 { |
| 833 | var msg strings.Builder |
| 834 | for key := range result.blocked { |
| 835 | x.Check2(msg.WriteString(key)) |
| 836 | x.Check2(msg.WriteString(" ")) |
| 837 | } |
| 838 | return status.Errorf(codes.PermissionDenied, |
| 839 | "unauthorized to mutate following predicates: %s\n", msg.String()) |
| 840 | } |
| 841 | gmu.AllowedPreds = result.allowed |
| 842 | return nil |
| 843 | } |