File: driver_scriptlet.go

package auth

import (
	"context"
	"net/http"

	"github.com/lxc/incus/v6/internal/server/certificate"
	authScriptlet "github.com/lxc/incus/v6/internal/server/scriptlet/auth"
	"github.com/lxc/incus/v6/shared/api"
	"github.com/lxc/incus/v6/shared/logger"
)

// Scriptlet represents a scriptlet authorizer.
//
// It embeds commonAuthorizer (which appears to provide the requestDetails helper
// used by the methods below) and delegates every authorization decision to the
// auth scriptlet through the authScriptlet package. It keeps no state of its own.
type Scriptlet struct {
	commonAuthorizer
}

// CheckPermission returns an error if the user does not have the given Entitlement on the given Object.
//
// Requests arriving over the internal or unix socket are always allowed. Every other
// request is passed to the authorization scriptlet; a scriptlet execution failure is
// reported as 403 Forbidden rather than treated as an allow, so the check fails closed.
// ctx is accepted for interface compatibility and is not used here.
func (s *Scriptlet) CheckPermission(ctx context.Context, r *http.Request, object Object, entitlement Entitlement) error {
	details, err := s.requestDetails(r)
	if err != nil {
		return api.StatusErrorf(http.StatusForbidden, "Failed to extract request details: %v", err)
	}

	// Internal and unix-socket callers bypass the scriptlet entirely.
	if details.isInternalOrUnix() {
		return nil
	}

	allowed, runErr := authScriptlet.AuthorizationRun(logger.Log, details.actualDetails(), object.String(), string(entitlement))
	switch {
	case runErr != nil:
		return api.StatusErrorf(http.StatusForbidden, "Authorization scriptlet execution failed with error: %v", runErr)
	case !allowed:
		return api.StatusErrorf(http.StatusForbidden, "Permission denied")
	default:
		return nil
	}
}

// GetInstanceAccess returns the list of entities who have access to the instance.
//
// The lookup is delegated entirely to the auth scriptlet; the result and error are
// returned unchanged. ctx is not used.
func (s *Scriptlet) GetInstanceAccess(ctx context.Context, projectName string, instanceName string) (*api.Access, error) {
	access, err := authScriptlet.GetInstanceAccessRun(logger.Log, projectName, instanceName)
	return access, err
}

// GetPermissionChecker returns a function that can be used to check whether a user has the required entitlement on an authorization object.
//
// Internal and unix-socket requests receive a checker that allows every object. For
// all other requests the returned checker invokes the authorization scriptlet once per
// object; if the scriptlet fails to run, the failure is logged and the object is denied,
// so the checker fails closed. ctx and objectType are not used by this implementation.
func (s *Scriptlet) GetPermissionChecker(ctx context.Context, r *http.Request, entitlement Entitlement, objectType ObjectType) (PermissionChecker, error) {
	details, err := s.requestDetails(r)
	if err != nil {
		return nil, api.StatusErrorf(http.StatusForbidden, "Failed to extract request details: %v", err)
	}

	if details.isInternalOrUnix() {
		return func(Object) bool { return true }, nil
	}

	checker := func(obj Object) bool {
		// actualDetails() is evaluated per call, matching the request details at check time.
		allowed, runErr := authScriptlet.AuthorizationRun(logger.Log, details.actualDetails(), obj.String(), string(entitlement))
		if runErr != nil {
			// Deny rather than propagate: a broken scriptlet must not grant access.
			logger.Error("Authorization scriptlet execution failed", logger.Ctx{"err": runErr})
			return false
		}

		return allowed
	}

	return checker, nil
}

// GetProjectAccess returns the list of entities who have access to the project.
//
// The lookup is delegated entirely to the auth scriptlet; the result and error are
// returned unchanged. ctx is not used.
func (s *Scriptlet) GetProjectAccess(ctx context.Context, projectName string) (*api.Access, error) {
	access, err := authScriptlet.GetProjectAccessRun(logger.Log, projectName)
	return access, err
}

// load is a no-op for the scriptlet authorizer: nothing is read from the
// certificate cache or options, and the call always succeeds.
func (s *Scriptlet) load(ctx context.Context, certificateCache *certificate.Cache, opts Opts) error {
	return nil
}