
Function securityRulesFromMagicAuthToken

admin/server/runtime_jwt.go:256–325

securityRulesFromMagicAuthToken builds the security rules encoded by a magic auth token: a resource allow-list (or blanket deny), metrics-view row filters, and a field allow-list.

(mdl *database.MagicAuthToken)


254// securityRulesFromMagicAuthToken builds the security rules encoded by a magic auth token:
255// a resource allow-list (or blanket deny), metrics-view row filters, and a field allow-list.
256func securityRulesFromMagicAuthToken(mdl *database.MagicAuthToken) ([]*runtimev1.SecurityRule, error) {
257 var rules []*runtimev1.SecurityRule
258 if len(mdl.Resources) == 0 {
259 // No resources means deny all access.
260 rules = append(rules, &runtimev1.SecurityRule{
261 Rule: &runtimev1.SecurityRule_Access{
262 Access: &runtimev1.SecurityRuleAccess{Allow: false},
263 },
264 })
265 } else {
266 for _, r := range mdl.Resources {
267 rules = append(rules, &runtimev1.SecurityRule{
268 Rule: &runtimev1.SecurityRule_TransitiveAccess{
269 TransitiveAccess: &runtimev1.SecurityRuleTransitiveAccess{
270 Resource: &runtimev1.ResourceName{
271 Kind: r.Type,
272 Name: r.Name,
273 },
274 },
275 },
276 })
277 }
278 }
279
280 for mv, filter := range mdl.MetricsViewFilterJSONs {
281 if mv == "" {
282 return nil, status.Errorf(codes.Internal, "empty metrics view name in metrics view filter")
283 }
284 expr := &runtimev1.Expression{}
285 if err := protojson.Unmarshal([]byte(filter), expr); err != nil {
286 return nil, status.Errorf(codes.Internal, "could not unmarshal metrics view %q filter: %s", mv, err.Error())
287 }
288 if mv == "*" {
289 // Backwards compatibility: "*" applies to all metrics views.
290 rules = append(rules, &runtimev1.SecurityRule{
291 Rule: &runtimev1.SecurityRule_RowFilter{
292 RowFilter: &runtimev1.SecurityRuleRowFilter{
293 Expression: expr,
294 },
295 },
296 })
297 continue
298 }
299 rules = append(rules, &runtimev1.SecurityRule{
300 Rule: &runtimev1.SecurityRule_RowFilter{
301 RowFilter: &runtimev1.SecurityRuleRowFilter{
302 ConditionResources: []*runtimev1.ResourceName{{
303 Kind: runtime.ResourceKindMetricsView,
304 Name: mv,
305 }},
306 Expression: expr,
307 },
308 },
309 })
310 }
311
312 if len(mdl.Fields) > 0 {
313 rules = append(rules, &runtimev1.SecurityRule{
