// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
//
// SPDX-License-Identifier: Apache-2.0
package github
import (
"context"
)
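// IsAuthorized reports whether the author of the event is allowed to
// perform actions on the service under the given authorization type.
//
// Bot accounts are always rejected. An event whose author cannot be
// classified (nil event, author or author type) is rejected as well, so the
// check fails closed instead of panicking on a nil dereference. Unknown
// authorization types are denied.
func (c *client) IsAuthorized(authorizationType AuthorizationType, event *GenericRequestEvent) bool {
	// Guard the dereference below: Author.Type is a pointer and was
	// previously dereferenced unconditionally.
	if event == nil || event.Author == nil || event.Author.Type == nil {
		return false
	}
	if UserType(*event.Author.Type) == UserTypeBot {
		return false
	}
	// The membership lookups are not bounded by a caller-supplied context;
	// a background context is used as before. The former `defer ctx.Done()`
	// was a no-op (Done returns a channel and cancels nothing) and is gone.
	ctx := context.Background()
	switch authorizationType {
	case AuthorizationAll:
		return true
	case AuthorizationOrg:
		return c.isInOrganization(ctx, event)
	case AuthorizationTeam:
		return c.isInDefaultTeam(ctx, event)
	case AuthorizationCodeOwners:
		// todo: update to really parse the codeowners file with fallback to default team or org
		return c.isInRequestedTeam(ctx, event)
	case AuthorizationOrgAdmin:
		return c.isOrgAdmin(ctx, event)
	}
	// Deny anything that is not an explicitly known authorization type.
	return false
}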
// isOrgAdmin reports whether the event author holds an active membership
// with the admin role in the event's organization. A failed membership
// lookup is logged at verbosity 3 and treated as "not an admin".
func (c *client) isOrgAdmin(ctx context.Context, event *GenericRequestEvent) bool {
	login := event.GetAuthorName()
	org := event.GetOwnerName()
	membership, _, err := c.client.Organizations.GetOrgMembership(ctx, login, org)
	if err != nil {
		c.log.V(3).Info(err.Error())
		return false
	}
	isActive := MembershipStatus(membership.GetState()) == MembershipStatusActive
	isAdmin := MembershipRole(membership.GetRole()) == MembershipRoleAdmin
	return isActive && isAdmin
}
// isInOrganization reports whether the event author has an active
// membership in the event's organization. A failed membership lookup is
// logged at verbosity 3 and treated as "not a member".
func (c *client) isInOrganization(ctx context.Context, event *GenericRequestEvent) bool {
	login := event.GetAuthorName()
	org := event.GetOwnerName()
	membership, _, err := c.client.Organizations.GetOrgMembership(ctx, login, org)
	if err != nil {
		c.log.V(3).Info(err.Error())
		return false
	}
	return MembershipStatus(membership.GetState()) == MembershipStatusActive
}
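// isInRequestedTeam reports whether the event author is an active member of
// one of the teams requested for review on the pull request.
//
// When the pull request has no requested teams and a default team is
// configured, active membership in the default team is required instead.
// Any lookup failure (pull request or team membership) denies access; a
// membership lookup error for one requested team ends the check without
// consulting the remaining teams, as in the previous implementation.
func (c *client) isInRequestedTeam(ctx context.Context, event *GenericRequestEvent) bool {
	pr, err := c.GetPullRequest(ctx, event)
	if err != nil {
		return false
	}
	// Fall back to the default team when nothing was requested. The previous
	// inline check granted access when the membership was NOT active
	// (inverted comparison); delegating to isInDefaultTeam applies the same
	// active-membership rule as every other team check in this file.
	if c.defaultTeam != nil && len(pr.RequestedTeams) == 0 {
		return c.isInDefaultTeam(ctx, event)
	}
	for _, team := range pr.RequestedTeams {
		membership, _, err := c.client.Teams.GetTeamMembershipByID(ctx, team.Organization.GetID(), team.GetID(), event.GetAuthorName())
		if err != nil {
			c.log.V(3).Info(err.Error(), "team", team.GetName())
			return false
		}
		if MembershipStatus(membership.GetState()) == MembershipStatusActive {
			return true
		}
	}
	// No requested team (or no default team) confirmed an active membership.
	return false
}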
// isInDefaultTeam reports whether the event author has an active membership
// in the configured default team. It returns false with an info log when no
// default team is configured, and false (logged at verbosity 3) when the
// membership lookup fails.
func (c *client) isInDefaultTeam(ctx context.Context, event *GenericRequestEvent) bool {
	team := c.defaultTeam
	if team == nil {
		c.log.Info("no default team defined", "repository", event.GetRepositoryName(), "owner", event.GetOwnerName())
		return false
	}
	membership, _, err := c.client.Teams.GetTeamMembershipByID(ctx, team.Organization.GetID(), team.GetID(), event.GetAuthorName())
	if err != nil {
		c.log.V(3).Info(err.Error(), "team", team.GetName())
		return false
	}
	return MembershipStatus(membership.GetState()) == MembershipStatusActive
}