securityRulesFromMagicAuthToken builds the security rules encoded by a magic auth token: a resource allow-list (or blanket deny), metrics-view row filters, and a field allow-list.
(mdl *database.MagicAuthToken)
| 254 | // securityRulesFromMagicAuthToken builds the security rules encoded by a magic auth token: |
| 255 | // a resource allow-list (or blanket deny), metrics-view row filters, and a field allow-list. |
| 256 | func securityRulesFromMagicAuthToken(mdl *database.MagicAuthToken) ([]*runtimev1.SecurityRule, error) { |
| 257 | var rules []*runtimev1.SecurityRule |
| 258 | if len(mdl.Resources) == 0 { |
| 259 | // No resources means deny all access. |
| 260 | rules = append(rules, &runtimev1.SecurityRule{ |
| 261 | Rule: &runtimev1.SecurityRule_Access{ |
| 262 | Access: &runtimev1.SecurityRuleAccess{Allow: false}, |
| 263 | }, |
| 264 | }) |
| 265 | } else { |
| 266 | for _, r := range mdl.Resources { |
| 267 | rules = append(rules, &runtimev1.SecurityRule{ |
| 268 | Rule: &runtimev1.SecurityRule_TransitiveAccess{ |
| 269 | TransitiveAccess: &runtimev1.SecurityRuleTransitiveAccess{ |
| 270 | Resource: &runtimev1.ResourceName{ |
| 271 | Kind: r.Type, |
| 272 | Name: r.Name, |
| 273 | }, |
| 274 | }, |
| 275 | }, |
| 276 | }) |
| 277 | } |
| 278 | } |
| 279 | |
| 280 | for mv, filter := range mdl.MetricsViewFilterJSONs { |
| 281 | if mv == "" { |
| 282 | return nil, status.Errorf(codes.Internal, "empty metrics view name in metrics view filter") |
| 283 | } |
| 284 | expr := &runtimev1.Expression{} |
| 285 | if err := protojson.Unmarshal([]byte(filter), expr); err != nil { |
| 286 | return nil, status.Errorf(codes.Internal, "could not unmarshal metrics view %q filter: %s", mv, err.Error()) |
| 287 | } |
| 288 | if mv == "*" { |
| 289 | // Backwards compatibility: "*" applies to all metrics views. |
| 290 | rules = append(rules, &runtimev1.SecurityRule{ |
| 291 | Rule: &runtimev1.SecurityRule_RowFilter{ |
| 292 | RowFilter: &runtimev1.SecurityRuleRowFilter{ |
| 293 | Expression: expr, |
| 294 | }, |
| 295 | }, |
| 296 | }) |
| 297 | continue |
| 298 | } |
| 299 | rules = append(rules, &runtimev1.SecurityRule{ |
| 300 | Rule: &runtimev1.SecurityRule_RowFilter{ |
| 301 | RowFilter: &runtimev1.SecurityRuleRowFilter{ |
| 302 | ConditionResources: []*runtimev1.ResourceName{{ |
| 303 | Kind: runtime.ResourceKindMetricsView, |
| 304 | Name: mv, |
| 305 | }}, |
| 306 | Expression: expr, |
| 307 | }, |
| 308 | }, |
| 309 | }) |
| 310 | } |
| 311 | |
| 312 | if len(mdl.Fields) > 0 { |
| 313 | rules = append(rules, &runtimev1.SecurityRule{ |