package authz
import (
"context"
"github.com/caos/zitadel/internal/errors"
)
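// getUserMethodPermissions resolves the grant of the authenticated caller
// through the token verifier and derives the permissions relevant for the
// current request.
//
// On success it returns a derived context carrying every permission of the
// grant under allPermissionsKey and the permissions whose name equals
// requiredPerm under requestPermissionsKey, plus that second slice. The
// function only resolves permissions; it never denies access by itself:
// a missing grant yields empty (non-nil) slices and a nil error, so callers
// must treat an empty request-permission slice as "not permitted".
//
// An Unauthenticated error is returned when the context carries no CtxData;
// errors from ResolveGrant are passed through unchanged.
func getUserMethodPermissions(ctx context.Context, t *TokenVerifier, requiredPerm string, authConfig Config) (context.Context, []string, error) {
	ctxData := GetCtxData(ctx)
	if ctxData.IsZero() {
		return nil, nil, errors.ThrowUnauthenticated(nil, "AUTH-rKLWEH", "context missing")
	}
	grant, err := t.ResolveGrant(ctx)
	if err != nil {
		return nil, nil, err
	}
	requestPermissions, allPermissions := []string{}, []string{}
	if grant != nil {
		requestPermissions, allPermissions = mapGrantToPermissions(requiredPerm, grant, authConfig)
	}
	// Set both keys on every successful path so that downstream readers see
	// the same (possibly empty) shape whether or not a grant exists; before,
	// the nil-grant path left allPermissionsKey unset.
	ctx = context.WithValue(ctx, allPermissionsKey, allPermissions)
	return context.WithValue(ctx, requestPermissionsKey, requestPermissions), requestPermissions, nil
}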
// mapGrantToPermissions walks every role of grant, in order, and collects
// the permissions each role confers (see mapRoleToPerm).
//
// The first result holds the permissions whose name equals requiredPerm,
// the second every permission of the grant. Both are deduplicated and both
// are non-nil even when the grant has no roles.
func mapGrantToPermissions(requiredPerm string, grant *Grant, authConfig Config) ([]string, []string) {
	matching := []string{}
	all := []string{}
	for _, role := range grant.Roles {
		matching, all = mapRoleToPerm(requiredPerm, role, authConfig, matching, all)
	}
	return matching, all
}
// mapRoleToPerm expands one role of a grant into permissions and appends
// them to the accumulators it was handed.
//
// actualRole is split by SplitPermission into a role name and an optional
// context id; the name is resolved to permissions via authConfig. Each
// permission is suffixed with the context id (when present) and appended to
// allPermissions unless already there. When the un-suffixed permission
// equals requiredPerm exactly, the suffixed form is likewise appended to
// requestPermissions. Both (possibly grown) slices are returned.
func mapRoleToPerm(requiredPerm, actualRole string, authConfig Config, requestPermissions, allPermissions []string) ([]string, []string) {
	name, contextID := SplitPermission(actualRole)
	for _, perm := range authConfig.getPermissionsFromRole(name) {
		scoped := addRoleContextIDToPerm(perm, contextID)
		if !ExistsPerm(allPermissions, scoped) {
			allPermissions = append(allPermissions, scoped)
		}
		// The match is on the bare permission name; the context id only
		// scopes the entry that gets recorded.
		if perm != requiredPerm {
			continue
		}
		if !ExistsPerm(requestPermissions, scoped) {
			requestPermissions = append(requestPermissions, scoped)
		}
	}
	return requestPermissions, allPermissions
}
// addRoleContextIDToPerm scopes perm to roleContextID by appending
// ":" followed by the id. An empty id returns perm unchanged.
func addRoleContextIDToPerm(perm, roleContextID string) string {
	if roleContextID == "" {
		return perm
	}
	return perm + ":" + roleContextID
}
// ExistsPerm reports whether perm is present in existing, compared by exact
// (case-sensitive) string equality. A nil or empty slice yields false.
func ExistsPerm(existing []string, perm string) bool {
	for i := range existing {
		if existing[i] == perm {
			return true
		}
	}
	return false
}