hub / github.com/lxc/incus / GetPermissionChecker

Method GetPermissionChecker

internal/server/auth/driver_scriptlet.go:60–98  ·  view source on GitHub ↗

GetPermissionChecker returns a function that can be used to check whether a user has the required entitlement on an authorization object.

(ctx context.Context, r *http.Request, entitlement Entitlement, objectType ObjectType)

Source from the content-addressed store, hash-verified

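// GetPermissionChecker returns a function that can be used to check whether a user has the required entitlement on an authorization object.
//
// Requests whose extracted details report isInternalOrUnix() receive a checker
// that allows every object without running the authorization scriptlet. For
// every other request, the returned checker runs the scriptlet once per object
// and fails closed: a scriptlet execution error is logged and treated as a
// denial.
//
// If the request details cannot be extracted, a 403 status error is returned
// and no checker is produced. ctx and objectType are accepted but not read by
// this implementation.
func (s *Scriptlet) GetPermissionChecker(ctx context.Context, r *http.Request, entitlement Entitlement, objectType ObjectType) (PermissionChecker, error) {
	details, err := s.requestDetails(r)
	if err != nil {
		return nil, api.StatusErrorf(http.StatusForbidden, "Failed to extract request details: %v", err)
	}

	// This path bypasses the scriptlet entirely, so the correctness of
	// isInternalOrUnix() is part of the authorization boundary.
	if details.isInternalOrUnix() {
		return func(Object) bool { return true }, nil
	}

	actualDetails := details.actualDetails()

	// Kept as a non-nil empty slice for non-TLS requests, so the scriptlet is
	// always handed a slice value rather than nil.
	peerCertificates := []*x509.Certificate{}
	var apiCert *api.CertificatePut

	if r.TLS != nil {
		peerCertificates = r.TLS.PeerCertificates

		// The API certificate is looked up by the username from the request
		// details; it stays nil when no certificate source is configured.
		if s.certificates != nil {
			apiCert = s.certificates.GetAPICertificate(actualDetails.Username)
		}
	}

	requested := string(entitlement)

	permissionChecker := func(o Object) bool {
		object := o.String()

		authorized, err := authScriptlet.AuthorizationRun(logger.Log, actualDetails, peerCertificates, apiCert, object, requested)
		if err != nil {
			// Fail closed. The object and entitlement are logged so a denial
			// caused by a broken scriptlet can be told apart from a policy
			// decision when triaging access failures.
			logger.Error("Authorization scriptlet execution failed", logger.Ctx{"err": err, "object": object, "entitlement": requested})
			return false
		}

		return authorized
	}

	return permissionChecker, nil
}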
100// GetProjectAccess returns the list of entities who have access to the project.
101func (s *Scriptlet) GetProjectAccess(ctx context.Context, projectName string) (*api.Access, error) {

Callers

nothing calls this directly

Calls 7

StatusErrorfFunction · 0.92
ErrorFunction · 0.92
requestDetailsMethod · 0.80
isInternalOrUnixMethod · 0.80
actualDetailsMethod · 0.80
GetAPICertificateMethod · 0.80
StringMethod · 0.65

Tested by

no test coverage detected