package authz
import (
"context"
"github.com/caos/zitadel/internal/errors"
)
// getUserMethodPermissions resolves the permissions the calling user holds
// for requiredPerm and stores them in the returned context under
// permissionsKey; the same list is returned alongside the context.
//
// It fails with an unauthenticated error when the context carries no caller
// data (GetCtxData reports zero) and propagates any error from
// t.ResolveGrant. A nil grant yields an empty, non-nil permission list.
func getUserMethodPermissions(ctx context.Context, t *TokenVerifier, requiredPerm string, authConfig Config) (context.Context, []string, error) {
	if GetCtxData(ctx).IsZero() {
		return nil, nil, errors.ThrowUnauthenticated(nil, "AUTH-rKLWEH", "context missing")
	}

	grant, err := t.ResolveGrant(ctx)
	if err != nil {
		return nil, nil, err
	}

	// No grant means no permissions; an empty list is still attached to the
	// context (presumably so readers of permissionsKey need no nil check).
	perms := []string{}
	if grant != nil {
		perms = mapGrantToPermissions(requiredPerm, grant, authConfig)
	}
	return context.WithValue(ctx, permissionsKey, perms), perms, nil
}
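// mapGrantToPermissions collects, across every role of grant, the
// permissions equal to requiredPerm, each qualified with the role's context
// ID when one is present and de-duplicated (see mapRoleToPerm).
//
// A nil grant, or one without roles, yields an empty non-nil slice so
// callers can range over the result without a nil check.
func mapGrantToPermissions(requiredPerm string, grant *Grant, authConfig Config) []string {
	resolved := make([]string, 0)
	if grant == nil {
		// Guard the dereference: the current caller filters nil grants, but
		// this keeps the helper safe for any other caller.
		return resolved
	}
	for _, role := range grant.Roles {
		resolved = mapRoleToPerm(requiredPerm, role, authConfig, resolved)
	}
	return resolved
}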
// mapRoleToPerm appends to resolvedPermissions every permission of
// actualRole (as listed by authConfig) that equals requiredPerm, qualified
// with the role's context ID obtained from SplitPermission when that ID is
// non-empty. Entries already present in resolvedPermissions are skipped so
// the list stays duplicate-free. The possibly grown slice is returned.
func mapRoleToPerm(requiredPerm, actualRole string, authConfig Config, resolvedPermissions []string) []string {
	name, contextID := SplitPermission(actualRole)
	for _, candidate := range authConfig.getPermissionsFromRole(name) {
		if candidate != requiredPerm {
			continue
		}
		qualified := addRoleContextIDToPerm(candidate, contextID)
		if ExistsPerm(resolvedPermissions, qualified) {
			continue
		}
		resolvedPermissions = append(resolvedPermissions, qualified)
	}
	return resolvedPermissions
}
// addRoleContextIDToPerm qualifies perm with roleContextID as "perm:id".
// An empty roleContextID returns perm unchanged.
func addRoleContextIDToPerm(perm, roleContextID string) string {
	if roleContextID == "" {
		return perm
	}
	return perm + ":" + roleContextID
}
// ExistsPerm reports whether perm is already present in existing, compared
// by exact (case-sensitive) string equality. A nil or empty slice yields
// false.
func ExistsPerm(existing []string, perm string) bool {
	for i := range existing {
		if existing[i] == perm {
			return true
		}
	}
	return false
}