
Method IsReadOpAuthorised

gateway/modules/auth/handle_crud.go:65–111  ·  view source on GitHub ↗

IsReadOpAuthorised checks whether a CRUD read operation is authorised.

(ctx context.Context, project, dbAlias, col, token string, req *model.ReadRequest, stub model.ReturnWhereStub)

Source from the content-addressed store, hash-verified

// IsReadOpAuthorised decides whether a read on col in dbAlias of project may
// proceed for the caller identified by token.
//
// It holds the module's read lock for the whole call. The token is first passed
// to authenticateCrudRequest with model.Read, which yields the rule for the
// collection and the caller's claims; an error from that step is returned
// unchanged, with a nil post-process and empty request params.
//
// Security-relevant behaviour visible in this function:
//   - Claims whose "id" equals utils.InternalUserID trigger the
//     "internal-api-access" integration hook. When the hook response reports
//     CheckResponse() == true the function returns at once with a nil
//     *model.PostProcess and hookResponse.Error(); matchRule is not called, so
//     the collection's rule is not evaluated on that path.
//   - On the normal path the raw token is handed to matchRule inside args under
//     the "token" key.
//   - req is dereferenced without a nil check; callers must pass a non-nil
//     request.
//
// On success it returns the actions produced by matchRule together with request
// params describing a "db-read"/"access" on the given project, db and col.
func (m *Module) IsReadOpAuthorised(ctx context.Context, project, dbAlias, col, token string, req *model.ReadRequest, stub model.ReturnWhereStub) (*model.PostProcess, model.RequestParams, error) {
	// NOTE(review): the read lock stays held while InvokeHook and matchRule run;
	// whether either of them blocks on I/O is not visible here — confirm.
	m.RLock()
	defer m.RUnlock()

	rule, auth, err := m.authenticateCrudRequest(ctx, project, dbAlias, col, token, model.Read)
	if err != nil {
		return nil, model.RequestParams{}, err
	}

	// Request params handed back on every non-error return path.
	readParams := model.RequestParams{
		Claims:     auth,
		Resource:   "db-read",
		Op:         "access",
		Attributes: map[string]string{"project": project, "db": dbAlias, "col": col},
	}

	// Internal tokens are recognised purely by the "id" claim.
	isInternal := false
	if auth != nil {
		id, found := auth["id"]
		isInternal = found && id == utils.InternalUserID
	}

	if isInternal {
		// Reads of the eventing log collections are reported to the hook under
		// their own operation name.
		hookOp := "db-read"
		switch col {
		case "event_logs", "invocation_logs":
			hookOp = "eventing-logs"
		}

		hookReq := model.RequestParams{
			Claims:     auth,
			Resource:   "internal-api-access",
			Op:         hookOp,
			Attributes: map[string]string{"project": project},
		}
		// When the hook claims the request its verdict is final: the rule for
		// this collection is skipped and no post-process actions are returned.
		if resp := m.integrationMan.InvokeHook(ctx, hookReq); resp.CheckResponse() {
			return nil, readParams, resp.Error()
		}
	}

	// Only the paging options that were actually supplied are exposed to rules.
	opts := make(map[string]interface{})
	if o := req.Options; o != nil {
		if o.Limit != nil {
			opts["limit"] = *o.Limit
		}
		if o.Skip != nil {
			opts["skip"] = *o.Skip
		}
	}

	// NOTE(review): the bearer token is visible to rule evaluation as args.token;
	// confirm nothing downstream logs or persists these args.
	ruleArgs := map[string]interface{}{
		"args": map[string]interface{}{
			"op":    req.Operation,
			"auth":  auth,
			"find":  req.Find,
			"token": token,
			"opts":  opts,
		},
	}

	actions, err := m.matchRule(ctx, project, rule, ruleArgs, auth, stub)
	if err != nil {
		return nil, model.RequestParams{}, err
	}

	return actions, readParams, nil
}
113// IsUpdateOpAuthorised checks if the crud operation is authorised
114func (m *Module) IsUpdateOpAuthorised(ctx context.Context, project, dbAlias, col, token string, req *model.UpdateRequest) (model.RequestParams, error) {

Callers 1

RunAuthForJoinsMethod · 0.95

Calls 5

matchRuleMethod · 0.95
InvokeHookMethod · 0.65
CheckResponseMethod · 0.65
ErrorMethod · 0.65

Tested by

no test coverage detected