package scopes
import (
"errors"
"fmt"
"strings"
)
// Type is the first segment of a scope string and selects which family of
// resources the scope refers to.
type Type string

// Resource is the second segment of a scope string: the object the scope
// applies to.
type Resource string

// Permission is the third segment of a scope string: the level of access
// granted on the resource.
type Permission string
// ScopeDelimiter separates the three segments of a scope string,
// "<type>:<resource>:<permission>".
const ScopeDelimiter = ":"

// Scope types. The type decides which resource values the validator accepts
// (see validator.validate).
const (
	TypeAPI         Type = "api"
	TypeTargetGroup Type = "targetGroup"
	TypeAccount     Type = "account"
)

// Resources usable in TypeAPI scopes.
const (
	ResourceDeployment   Resource = "deployment"
	ResourceTenant       Resource = "tenant"
	ResourceOrganization Resource = "organization"
	ResourceAgentHub     Resource = "agentHub"
)

// ResourceStar is the wildcard resource. It is not in the TypeAPI allow-list
// and the validator explicitly refuses it for TypeTargetGroup scopes.
const ResourceStar Resource = "*"

// PermissionFull is the only permission level the validator currently
// accepts.
const PermissionFull Permission = "full"
// Pre-rendered scope strings for the well-known API grants. They are built by
// mustScope at package init, so a typo in one of them panics at start-up
// rather than producing a scope that silently never matches.
var (
	ScopeOrganizationAdmin     = mustScope(TypeAPI, ResourceOrganization, PermissionFull)
	ScopeTenantAdmin           = mustScope(TypeAPI, ResourceTenant, PermissionFull)
	ScopeDeploymentsFullAccess = mustScope(TypeAPI, ResourceDeployment, PermissionFull)
	ScopeRemoteNetworkAgent    = mustScope(TypeAPI, ResourceAgentHub, PermissionFull)
)

// Allow-lists consulted by the validator. A type or permission not listed
// here is rejected by both Parse and FromGrant.
var (
	types       = []Type{TypeAPI, TypeAccount, TypeTargetGroup}
	permissions = []Permission{PermissionFull}
)
// ErrInvalidScope is wrapped by every error Parse returns for a malformed or
// unrecognised scope string; match it with errors.Is.
var ErrInvalidScope = errors.New("invalid scope")

// ErrInvalidGrant is wrapped by every error FromGrant returns for a Grant
// that fails validation; match it with errors.Is.
var ErrInvalidGrant = errors.New("invalid grant")
// Grant is the structured form of a scope: the three segments of
// "<type>:<resource>:<permission>" as typed values.
//
// A Grant built directly or via GrantFromStrings carries no guarantee of
// validity; FromGrant and Parse are the paths that run the validator.
type Grant struct {
	Type       Type
	Resource   Resource
	Permission Permission
}
// GrantFromStrings builds a Grant from raw string segments. It performs no
// validation whatsoever: the result may name an unknown type, resource or
// permission. Pass it through FromGrant before relying on it for an
// authorization decision.
func GrantFromStrings(t, r, p string) Grant {
	var g Grant
	g.Type = Type(t)
	g.Resource = Resource(r)
	g.Permission = Permission(p)
	return g
}
// Parse converts a scope string of the form "<type>:<resource>:<permission>"
// into a validated Grant.
//
// The string must split into exactly three ScopeDelimiter-separated segments,
// and the segments must pass the same validator FromGrant uses. Any failure
// returns an error wrapping ErrInvalidScope (use errors.Is). No whitespace
// trimming or case folding is applied.
func Parse(scope string) (Grant, error) {
	const wantParts = 3
	segments := strings.Split(scope, ScopeDelimiter)
	if n := len(segments); n != wantParts {
		return Grant{}, fmt.Errorf("%w: wanted %d parts, got %d", ErrInvalidScope, wantParts, n)
	}
	g := Grant{
		Type:       Type(segments[0]),
		Resource:   Resource(segments[1]),
		Permission: Permission(segments[2]),
	}
	v := validator{baseError: ErrInvalidScope}
	if err := v.validate(g.Type, g.Resource, g.Permission); err != nil {
		return Grant{}, err
	}
	return g, nil
}
// FromGrant renders g as the scope string "<type>:<resource>:<permission>",
// first running it through the same validator Parse applies. On failure it
// returns an error wrapping ErrInvalidGrant and an empty string.
func FromGrant(g Grant) (string, error) {
	v := validator{baseError: ErrInvalidGrant}
	if err := v.validate(g.Type, g.Resource, g.Permission); err != nil {
		return "", err
	}
	segments := []string{string(g.Type), string(g.Resource), string(g.Permission)}
	return strings.Join(segments, ScopeDelimiter), nil
}
// validator holds the sentinel that every validation error is wrapped with,
// so the same rules can report ErrInvalidScope from Parse and ErrInvalidGrant
// from FromGrant.
type validator struct {
	baseError error
}
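// validate applies the scope rules shared by Parse and FromGrant. Every error
// it returns wraps v.baseError.
//
// Rules, in order:
//   - t must be one of the allow-listed types (validateType);
//   - p must be one of the allow-listed permissions (validatePermission);
//   - for TypeAPI, r must be one of the fixed API resources;
//   - for TypeTargetGroup, r must not be the wildcard ResourceStar;
//   - for every type, r must be non-empty and must not contain
//     ScopeDelimiter.
//
// The final rule closes a round-trip gap: without it a TypeAccount or
// TypeTargetGroup grant could carry an empty resource, or one containing ":",
// and FromGrant would emit a scope string that Parse can never read back
// (it requires exactly three segments). TypeAccount otherwise accepts any
// resource, including ResourceStar — presumably intended, since only
// targetGroup rejects the wildcard, but worth confirming against the
// authorization code that consumes these scopes.
func (v validator) validate(t Type, r Resource, p Permission) error {
	if err := v.validateType(t); err != nil {
		return err
	}
	if err := v.validatePermission(p); err != nil {
		return err
	}
	switch t {
	case TypeAPI:
		if err := v.validateResourceForAPIType(r); err != nil {
			return err
		}
	case TypeTargetGroup:
		if err := v.validateResourceForTargetGroupType(r); err != nil {
			return err
		}
	}
	// Structural check on the resource segment. For TypeAPI the allow-list
	// above already implies it; it matters for types that accept free-form
	// resources, and it runs last so the type-specific messages are kept.
	if r == "" {
		return fmt.Errorf("%w: empty resource", v.baseError)
	}
	if strings.Contains(string(r), ScopeDelimiter) {
		return fmt.Errorf("%w: resource %q must not contain %q", v.baseError, r, ScopeDelimiter)
	}
	return nil
}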
// validateType returns nil when t is in the package-level types allow-list,
// otherwise an error wrapping v.baseError that names the rejected value.
func (v validator) validateType(t Type) error {
	if oneOf(types, t) {
		return nil
	}
	return fmt.Errorf("%w: unexpected type %q", v.baseError, t)
}
// validatePermission returns nil when p is in the package-level permissions
// allow-list, otherwise an error wrapping v.baseError that names the
// rejected value.
func (v validator) validatePermission(p Permission) error {
	if oneOf(permissions, p) {
		return nil
	}
	return fmt.Errorf("%w: unexpected permission %q", v.baseError, p)
}
// validateResourceForAPIType restricts TypeAPI scopes to the fixed set of API
// resources. ResourceStar is not in the set, so "api:*:full" is rejected.
func (v validator) validateResourceForAPIType(r Resource) error {
	switch r {
	case ResourceDeployment, ResourceTenant, ResourceOrganization, ResourceAgentHub:
		return nil
	}
	return fmt.Errorf("%w: invalid resource for api type: %q", v.baseError, r)
}
// validateResourceForTargetGroupType forbids the wildcard resource for
// TypeTargetGroup scopes. Every other value passes this particular check;
// it does not constrain the resource's format.
func (v validator) validateResourceForTargetGroupType(r Resource) error {
	if r != ResourceStar {
		return nil
	}
	return fmt.Errorf("%w: cannot use wildcard resource for targetGroup type", v.baseError)
}
// oneOf reports whether test equals some element of group. A nil or empty
// group yields false.
func oneOf[T comparable](group []T, test T) bool {
	for i := range group {
		if group[i] == test {
			return true
		}
	}
	return false
}
// mustScope is the package-init helper behind the Scope* variables. It renders
// the grant with FromGrant and panics with the validation error, so a
// misspelt well-known scope surfaces at start-up instead of silently never
// matching. Not for use on runtime input.
func mustScope(t Type, r Resource, p Permission) string {
	g := Grant{Type: t, Resource: r, Permission: p}
	s, err := FromGrant(g)
	if err != nil {
		panic(err)
	}
	return s
}