GetPermissionChecker returns a function that can be used to check whether a user has the required entitlement on an authorization object.
(ctx context.Context, r *http.Request, entitlement Entitlement, objectType ObjectType)
| 58 | |
| 59 | // GetPermissionChecker returns a function that can be used to check whether a user has the required entitlement on an authorization object. |
| 60 | func (s *Scriptlet) GetPermissionChecker(ctx context.Context, r *http.Request, entitlement Entitlement, objectType ObjectType) (PermissionChecker, error) { |
| 61 | allowFunc := func(b bool) func(Object) bool { |
| 62 | return func(Object) bool { |
| 63 | return b |
| 64 | } |
| 65 | } |
| 66 | |
| 67 | details, err := s.requestDetails(r) |
| 68 | if err != nil { |
| 69 | return nil, api.StatusErrorf(http.StatusForbidden, "Failed to extract request details: %v", err) |
| 70 | } |
| 71 | |
| 72 | if details.isInternalOrUnix() { |
| 73 | return allowFunc(true), nil |
| 74 | } |
| 75 | |
| 76 | actualDetails := details.actualDetails() |
| 77 | peerCertificates := []*x509.Certificate{} |
| 78 | var apiCert *api.CertificatePut |
| 79 | |
| 80 | if r.TLS != nil { |
| 81 | peerCertificates = r.TLS.PeerCertificates |
| 82 | if s.certificates != nil { |
| 83 | apiCert = s.certificates.GetAPICertificate(actualDetails.Username) |
| 84 | } |
| 85 | } |
| 86 | |
| 87 | permissionChecker := func(o Object) bool { |
| 88 | authorized, err := authScriptlet.AuthorizationRun(logger.Log, actualDetails, peerCertificates, apiCert, o.String(), string(entitlement)) |
| 89 | if err != nil { |
| 90 | logger.Error("Authorization scriptlet execution failed", logger.Ctx{"err": err}) |
| 91 | return false |
| 92 | } |
| 93 | |
| 94 | return authorized |
| 95 | } |
| 96 | |
| 97 | return permissionChecker, nil |
| 98 | } |
| 99 | |
| 100 | // GetProjectAccess returns the list of entities who have access to the project. |
| 101 | func (s *Scriptlet) GetProjectAccess(ctx context.Context, projectName string) (*api.Access, error) { |
nothing calls this directly
no test coverage detected