authorizeQuery authorizes the query using the aclCachePtr. It silently drops all unauthorized predicates from the query. At this stage, the namespace is not attached to the predicates.
(ctx context.Context, parsedReq *dql.Result, graphql bool)
| 955 | // unauthorized predicates from query. |
| 956 | // At this stage, namespace is not attached in the predicates. |
| 957 | func authorizeQuery(ctx context.Context, parsedReq *dql.Result, graphql bool) error { |
| 958 | if worker.Config.AclSecretKey == nil { |
| 959 | // the user has not turned on the acl feature |
| 960 | return nil |
| 961 | } |
| 962 | |
| 963 | var userId string |
| 964 | var groupIds []string |
| 965 | var namespace uint64 |
| 966 | predsAndvars := parsePredsFromQuery(parsedReq.Query) |
| 967 | preds := predsAndvars.preds |
| 968 | varsToPredMap := predsAndvars.vars |
| 969 | |
| 970 | // Need this to efficiently identify blocked variables from the |
| 971 | // list of blocked predicates |
| 972 | predToVarsMap := make(map[string]string) |
| 973 | for k, v := range varsToPredMap { |
| 974 | predToVarsMap[v] = k |
| 975 | } |
| 976 | |
| 977 | doAuthorizeQuery := func() (map[string]struct{}, []string, error) { |
| 978 | userData, err := extractUserAndGroups(ctx) |
| 979 | if err != nil { |
| 980 | return nil, nil, status.Error(codes.Unauthenticated, err.Error()) |
| 981 | } |
| 982 | |
| 983 | userId = userData.userId |
| 984 | groupIds = userData.groupIds |
| 985 | namespace = userData.namespace |
| 986 | |
| 987 | if x.IsSuperAdmin(groupIds) { |
| 988 | if shouldAllowAcls(userData.namespace) { |
| 989 | // Members of guardian groups are allowed to query anything. |
| 990 | return nil, nil, nil |
| 991 | } |
| 992 | return blockedPreds(preds), nil, nil |
| 993 | } |
| 994 | |
| 995 | result := authorizePreds(ctx, userData, preds, acl.Read) |
| 996 | return result.blocked, result.allowed, nil |
| 997 | } |
| 998 | |
| 999 | blockedPreds, allowedPreds, err := doAuthorizeQuery() |
| 1000 | if err != nil { |
| 1001 | return err |
| 1002 | } |
| 1003 | |
| 1004 | if span := otrace.FromContext(ctx); span != nil { |
| 1005 | span.Annotatef(nil, (&accessEntry{ |
| 1006 | userId: userId, |
| 1007 | groups: groupIds, |
| 1008 | preds: preds, |
| 1009 | operation: acl.Read, |
| 1010 | allowed: err == nil, |
| 1011 | }).String()) |
| 1012 | } |
| 1013 | |
| 1014 | if len(blockedPreds) != 0 { |