mirror of
https://github.com/zitadel/zitadel.git
synced 2024-12-12 11:04:25 +00:00
96 lines
2.9 KiB
Go
96 lines
2.9 KiB
Go
package authz
|
|
|
|
import (
|
|
"context"
|
|
|
|
"github.com/caos/zitadel/internal/errors"
|
|
"github.com/caos/zitadel/internal/telemetry/tracing"
|
|
)
|
|
|
|
func getUserMethodPermissions(ctx context.Context, t *TokenVerifier, requiredPerm string, authConfig Config, ctxData CtxData) (requestedPermissions, allPermissions []string, err error) {
|
|
ctx, span := tracing.NewSpan(ctx)
|
|
defer func() { span.EndWithError(err) }()
|
|
|
|
if ctxData.IsZero() {
|
|
return nil, nil, errors.ThrowUnauthenticated(nil, "AUTH-rKLWEH", "context missing")
|
|
}
|
|
|
|
ctx = context.WithValue(ctx, dataKey, ctxData)
|
|
memberships, err := t.SearchMyMemberships(ctx)
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
if len(memberships) == 0 {
|
|
err = retry(func() error {
|
|
memberships, err = t.SearchMyMemberships(ctx)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if len(memberships) == 0 {
|
|
return errors.ThrowNotFound(nil, "AUTHZ-cdgFk", "membership not found")
|
|
}
|
|
return nil
|
|
})
|
|
if err != nil {
|
|
return nil, nil, nil
|
|
}
|
|
}
|
|
requestedPermissions, allPermissions = mapMembershipsToPermissions(requiredPerm, memberships, authConfig)
|
|
return requestedPermissions, allPermissions, nil
|
|
}
|
|
|
|
func mapMembershipsToPermissions(requiredPerm string, memberships []*Membership, authConfig Config) (requestPermissions, allPermissions []string) {
|
|
requestPermissions = make([]string, 0)
|
|
allPermissions = make([]string, 0)
|
|
for _, membership := range memberships {
|
|
requestPermissions, allPermissions = mapMembershipToPerm(requiredPerm, membership, authConfig, requestPermissions, allPermissions)
|
|
}
|
|
|
|
return requestPermissions, allPermissions
|
|
}
|
|
|
|
func mapMembershipToPerm(requiredPerm string, membership *Membership, authConfig Config, requestPermissions, allPermissions []string) ([]string, []string) {
|
|
roleNames, roleContextID := roleWithContext(membership)
|
|
for _, roleName := range roleNames {
|
|
perms := authConfig.getPermissionsFromRole(roleName)
|
|
|
|
for _, p := range perms {
|
|
permWithCtx := addRoleContextIDToPerm(p, roleContextID)
|
|
if !ExistsPerm(allPermissions, permWithCtx) {
|
|
allPermissions = append(allPermissions, permWithCtx)
|
|
}
|
|
|
|
p, _ = SplitPermission(p)
|
|
if p == requiredPerm {
|
|
if !ExistsPerm(requestPermissions, permWithCtx) {
|
|
requestPermissions = append(requestPermissions, permWithCtx)
|
|
}
|
|
}
|
|
}
|
|
}
|
|
return requestPermissions, allPermissions
|
|
}
|
|
|
|
func addRoleContextIDToPerm(perm, roleContextID string) string {
|
|
if roleContextID != "" {
|
|
perm = perm + ":" + roleContextID
|
|
}
|
|
return perm
|
|
}
|
|
|
|
func ExistsPerm(existingPermissions []string, perm string) bool {
|
|
for _, existingPermission := range existingPermissions {
|
|
if existingPermission == perm {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
func roleWithContext(membership *Membership) (roles []string, ctxID string) {
|
|
if membership.MemberType == MemberTypeProject || membership.MemberType == MemberTypeProjectGrant {
|
|
return membership.Roles, membership.ObjectID
|
|
}
|
|
return membership.Roles, ""
|
|
}
|