-
Notifications
You must be signed in to change notification settings - Fork 290
/
Copy pathrole_grant.go
106 lines (92 loc) · 3.21 KB
/
role_grant.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
package iam
import (
"context"
"github.com/hashicorp/boundary/internal/db"
"github.com/hashicorp/boundary/internal/errors"
"github.com/hashicorp/boundary/internal/iam/store"
"github.com/hashicorp/boundary/internal/perms"
"google.golang.org/protobuf/proto"
)
const defaultRoleGrantTable = "iam_role_grant"
// RoleGrant defines the grants that are assigned to a role
type RoleGrant struct {
*store.RoleGrant
tableName string `gorm:"-"`
}
// ensure that RoleGrant implements the interfaces of: Cloneable and db.VetForWriter
var (
_ Cloneable = (*RoleGrant)(nil)
_ db.VetForWriter = (*RoleGrant)(nil)
)
// NewRoleGrant creates a new in memory role grant
func NewRoleGrant(roleId string, grant string, _ ...Option) (*RoleGrant, error) {
const op = "iam.NewRoleGrant"
if roleId == "" {
return nil, errors.NewDeprecated(errors.InvalidParameter, op, "missing role id")
}
if grant == "" {
return nil, errors.NewDeprecated(errors.InvalidParameter, op, "missing grant")
}
// Validate that the grant parses successfully. Note that we fake the scope
// here to avoid a lookup as the scope is only relevant at actual ACL
// checking time and we just care that it parses correctly.
perm, err := perms.Parse("o_abcd1234", grant)
if err != nil {
return nil, errors.WrapDeprecated(err, op, errors.WithMsg("parsing grant string"))
}
rg := &RoleGrant{
RoleGrant: &store.RoleGrant{
RoleId: roleId,
RawGrant: grant,
CanonicalGrant: perm.CanonicalString(),
},
}
return rg, nil
}
func allocRoleGrant() RoleGrant {
return RoleGrant{
RoleGrant: &store.RoleGrant{},
}
}
// Clone creates a clone of the RoleGrant
func (g *RoleGrant) Clone() any {
cp := proto.Clone(g.RoleGrant)
return &RoleGrant{
RoleGrant: cp.(*store.RoleGrant),
}
}
// VetForWrite implements db.VetForWrite() interface
func (g *RoleGrant) VetForWrite(ctx context.Context, _ db.Reader, _ db.OpType, _ ...db.Option) error {
const op = "iam.(RoleGrant).VetForWrite"
if g.RawGrant == "" {
return errors.New(ctx, errors.InvalidParameter, op, "missing grant")
}
// Validate that the grant parses successfully. Note that we fake the scope
// here to avoid a lookup as the scope is only relevant at actual ACL
// checking time and we just care that it parses correctly. We may have
// already done this in NewRoleGrant, but we re-check and set it here
// anyways because it should still be part of the vetting process.
perm, err := perms.Parse("o_abcd1234", g.RawGrant)
if err != nil {
return errors.Wrap(ctx, err, op, errors.WithMsg("parsing grant string"))
}
canonical := perm.CanonicalString()
if g.CanonicalGrant != "" && g.CanonicalGrant != canonical {
return errors.Wrap(ctx, err, op, errors.WithMsg("existing canonical grant and derived one do not match"))
}
g.CanonicalGrant = canonical
return nil
}
// TableName returns the tablename to override the default gorm table name
func (g *RoleGrant) TableName() string {
if g.tableName != "" {
return g.tableName
}
return defaultRoleGrantTable
}
// SetTableName sets the tablename and satisfies the ReplayableMessage
// interface. If the caller attempts to set the name to "" the name will be
// reset to the default name.
func (g *RoleGrant) SetTableName(n string) {
g.tableName = n
}