package project
import (
"context"
"fmt"
"github.com/uptrace/bun"
"github.com/determined-ai/determined/master/internal/db"
"github.com/determined-ai/determined/master/pkg/model"
"github.com/determined-ai/determined/proto/pkg/projectv1"
"github.com/determined-ai/determined/proto/pkg/workspacev1"
)
// ProjectAuthZBasic is the classic OSS Determined authorization policy for
// projects. Reads are unrestricted; most mutations are limited to admins and
// to the owner of the project or its workspace, with the exact rule
// documented on each Can* method below.
type ProjectAuthZBasic struct{}
// CanGetProject permits every caller to read a project under basic auth.
//
// curUser and project are accepted to satisfy the authz interface but are
// not inspected; the result is always nil.
func (a *ProjectAuthZBasic) CanGetProject(
	ctx context.Context, curUser model.User, project *projectv1.Project,
) error {
	// Basic auth places no read restrictions on projects.
	return nil
}
// CanCreateProject permits every caller to create a project in any workspace
// under basic auth.
//
// willBeInWorkspace is not inspected; the result is always nil.
func (a *ProjectAuthZBasic) CanCreateProject(
	ctx context.Context, curUser model.User, willBeInWorkspace *workspacev1.Workspace,
) error {
	// No ownership or admin requirement for project creation.
	return nil
}
// CanSetProjectNotes permits every caller to edit a project's notes under
// basic auth.
//
// Unlike CanSetProjectName and CanSetProjectDescription, no admin or
// ownership check is applied here; the result is always nil.
func (a *ProjectAuthZBasic) CanSetProjectNotes(
	ctx context.Context, curUser model.User, project *projectv1.Project,
) error {
	return nil
}
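// shouldBeAdminOrOwnWorkspaceOrProject is the shared authorization check for
// project mutations under basic auth. It returns nil when curUser is an
// admin, owns the project, or owns the workspace the project belongs to, and
// a non-nil error otherwise, including when the workspace lookup itself fails.
//
// A nil project is rejected up front rather than dereferenced, so a caller
// that failed to load the project is denied instead of panicking.
func shouldBeAdminOrOwnWorkspaceOrProject(
	curUser model.User, project *projectv1.Project,
) error {
	if project == nil {
		return fmt.Errorf("project is nil")
	}

	// Admins and the project owner need no database lookup.
	if curUser.Admin || curUser.ID == model.UserID(project.UserId) {
		return nil
	}

	// Otherwise fall back to workspace ownership. Only the table name is
	// needed for the EXISTS query, so a minimal model is declared in place.
	type workspace struct {
		bun.BaseModel `bun:"table:workspaces"`
	}
	// NOTE: the helper does not receive the request context, so
	// context.TODO() is used and cancellation/deadlines are not propagated
	// to this query.
	exists, err := db.Bun().NewSelect().Model((*workspace)(nil)).
		Where("id = ?", project.WorkspaceId).
		Where("user_id = ?", curUser.ID).
		Exists(context.TODO())
	if err != nil {
		return err
	}
	if !exists {
		return fmt.Errorf("non admin users need to own the project or workspace")
	}
	return nil
}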
// CanSetProjectName returns nil when curUser is an admin or owns the project
// or its workspace, and a wrapped error from
// shouldBeAdminOrOwnWorkspaceOrProject otherwise.
func (a *ProjectAuthZBasic) CanSetProjectName(
	ctx context.Context, curUser model.User, project *projectv1.Project,
) error {
	err := shouldBeAdminOrOwnWorkspaceOrProject(curUser, project)
	if err == nil {
		return nil
	}
	return fmt.Errorf("can't set project name: %w", err)
}
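// CanSetProjectDescription returns nil when curUser is an admin or owns the
// project or its workspace, and a wrapped error from
// shouldBeAdminOrOwnWorkspaceOrProject otherwise.
func (a *ProjectAuthZBasic) CanSetProjectDescription(
	ctx context.Context, curUser model.User, project *projectv1.Project,
) error {
	if err := shouldBeAdminOrOwnWorkspaceOrProject(curUser, project); err != nil {
		// The wrapping message names this operation; it previously said
		// "set project name", which misattributed denials in logs.
		return fmt.Errorf("can't set project description: %w", err)
	}
	return nil
}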
// CanDeleteProject returns nil when curUser is an admin or owns the project
// or its workspace, and a wrapped error from
// shouldBeAdminOrOwnWorkspaceOrProject otherwise.
func (a *ProjectAuthZBasic) CanDeleteProject(
	ctx context.Context, curUser model.User, project *projectv1.Project,
) error {
	err := shouldBeAdminOrOwnWorkspaceOrProject(curUser, project)
	if err == nil {
		return nil
	}
	return fmt.Errorf("can't delete project: %w", err)
}
// CanMoveProject allows admins and the project's owner to move a project;
// every other caller receives an error.
//
// Neither workspace is consulted: from and to are accepted for interface
// compatibility only, and workspace ownership does not grant this action.
func (a *ProjectAuthZBasic) CanMoveProject(
	ctx context.Context,
	curUser model.User,
	project *projectv1.Project,
	from, to *workspacev1.Workspace,
) error {
	if curUser.Admin {
		return nil
	}
	if curUser.ID == model.UserID(project.UserId) {
		return nil
	}
	return fmt.Errorf("non admin users can't move projects that someone else owns")
}
// CanMoveProjectExperiments allows admins and the experiment's owner to move
// an experiment between projects; other callers receive an error.
//
// An experiment with a nil OwnerID is not protected by this check and may be
// moved by any user. from and to are accepted for interface compatibility
// only. exp is assumed non-nil.
func (a *ProjectAuthZBasic) CanMoveProjectExperiments(
	ctx context.Context, curUser model.User, exp *model.Experiment, from, to *projectv1.Project,
) error {
	switch {
	case curUser.Admin:
		return nil
	case exp.OwnerID == nil:
		return nil
	case curUser.ID == *exp.OwnerID:
		return nil
	}
	return fmt.Errorf("non admin users can't move others' experiments")
}
// CanArchiveProject returns nil when curUser is an admin or owns the project
// or its workspace, and a wrapped error from
// shouldBeAdminOrOwnWorkspaceOrProject otherwise.
func (a *ProjectAuthZBasic) CanArchiveProject(
	ctx context.Context, curUser model.User, project *projectv1.Project,
) error {
	err := shouldBeAdminOrOwnWorkspaceOrProject(curUser, project)
	if err == nil {
		return nil
	}
	return fmt.Errorf("can't archive project: %w", err)
}
// CanUnarchiveProject returns nil when curUser is an admin or owns the
// project or its workspace, and a wrapped error from
// shouldBeAdminOrOwnWorkspaceOrProject otherwise.
func (a *ProjectAuthZBasic) CanUnarchiveProject(
	ctx context.Context, curUser model.User, project *projectv1.Project,
) error {
	err := shouldBeAdminOrOwnWorkspaceOrProject(curUser, project)
	if err == nil {
		return nil
	}
	return fmt.Errorf("can't unarchive project: %w", err)
}
// init registers this policy with AuthZProvider under the "basic" name so it
// can be selected as the project authorization implementation.
func init() {
	impl := &ProjectAuthZBasic{}
	AuthZProvider.Register("basic", impl)
}