-
Notifications
You must be signed in to change notification settings - Fork 11
/
server_auth.go
42 lines (37 loc) · 1.13 KB
/
server_auth.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
package apiserver
import (
"errors"
"fmt"
"github.com/alphagov/paas-billing/apiserver/auth"
"github.com/labstack/echo/v4"
)
// isAdmin checks if there is a token in the request with an operator scope
// (cloud_controller.admin / cloud_controller.read_only_admin / global_auditor)
// isBillingManager checks if the user has either role assigned within the org
// (billing_manager / org_manager)
// Either of the above should satisfy the authorizer.
func authorize(c echo.Context, uaa auth.Authenticator, orgs []string) (bool, error) {
token, err := auth.GetTokenFromRequest(c)
if err != nil {
return false, err
}
authorizer, err := uaa.NewAuthorizer(token)
if err != nil {
return false, err
}
isAdmin, err := authorizer.Admin()
if err != nil {
return false, fmt.Errorf("invalid credentials: %s", err)
}
if isAdmin {
return true, nil
}
hasBillingAccess, err := authorizer.HasBillingAccess(orgs)
if err != nil {
return false, fmt.Errorf("invalid credentials: %s", err)
}
if hasBillingAccess {
return true, nil
}
return false, errors.New("you need to be billing_manager or an administrator to retrieve the billing data")
}