| 618 | } |
| 619 | |
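// authorizePreds checks every predicate in preds against the ACL cache for the
// requested operation and reports which predicates are blocked and which are
// explicitly allowed for the user.
//
// Each predicate is namespaced with the caller's namespace before the lookup.
// A predicate whose AuthorizePredicate check returns an error is recorded in
// the returned blocked set and an access-denied entry is written to the access
// log; a lookup failure therefore denies rather than grants. When the groups
// have access to all predicates, allowed is returned as nil, which callers
// interpret as "all predicates" (access to ACL predicates will still be
// blocked). Otherwise allowed holds the predicates from the user's
// per-predicate permissions whose permission bits cover aclOp.
//
// Parameters:
//   ctx      - used to refresh the ACL cache when it has not been loaded yet.
//   userData - the authenticated user's id, group ids and namespace.
//   preds    - the predicates the request touches.
//   aclOp    - the operation being authorized.
func authorizePreds(ctx context.Context, userData *userData, preds []string,
	aclOp *acl.Operation) *authPredResult {

	// Populate the cache on first use so an empty cache is never consulted.
	// NOTE(review): the outcome of RefreshACLs is not checked here; a failed
	// refresh relies on AuthorizePredicate below rejecting the lookup so the
	// predicate lands in blockedPreds — confirm that is the intended failure mode.
	if !worker.AclCachePtr.Loaded() {
		RefreshACLs(ctx)
	}

	userId := userData.userId
	groupIds := userData.groupIds
	ns := userData.namespace

	blockedPreds := make(map[string]struct{})
	for _, pred := range preds {
		// ACL rules are keyed by the namespaced attribute, not the bare name.
		nsPred := x.NamespaceAttr(ns, pred)
		if err := worker.AclCachePtr.AuthorizePredicate(groupIds, nsPred, aclOp); err != nil {
			// Audit the denial; the entry carries the full preds list of the
			// request, not only the predicate that was denied.
			logAccess(&accessEntry{
				userId:    userId,
				groups:    groupIds,
				preds:     preds,
				operation: aclOp,
				allowed:   false,
			})
			blockedPreds[pred] = struct{}{}
		}
	}

	if worker.HasAccessToAllPreds(ns, groupIds, aclOp) {
		// Setting allowed to nil allows access to all predicates. Note that the access to ACL
		// predicates will still be blocked.
		return &authPredResult{allowed: nil, blocked: blockedPreds}
	}

	// Read the user's permission map once, so that a cache refresh landing
	// between two separate reads cannot make the slice capacity and the
	// iteration below disagree.
	predPerms := worker.AclCachePtr.GetUserPredPerms(userId)
	// A user can hold several permission bits for the same predicate; include
	// the predicate only when those bits cover the requested operation.
	allowedPreds := make([]string, 0, len(predPerms))
	for predicate, perm := range predPerms {
		if (perm & aclOp.Code) > 0 {
			allowedPreds = append(allowedPreds, predicate)
		}
	}
	return &authPredResult{allowed: allowedPreds, blocked: blockedPreds}
}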
| 659 | |
| 660 | // authorizeAlter parses the Schema in the operation and authorizes the operation |
| 661 | // using the worker.AclCachePtr. It will return error if any one of the predicates |