package internal
import (
"context"
"fmt"
"github.com/leg100/otf/internal/rbac"
)
// subjectCtxKeyType is a private key type for the context values this
// package stores. No other package can name the type, so a key of this type
// cannot collide with a "subject" key stored by some other package.
type subjectCtxKeyType string

// subjectCtxKey is the context key under which the request's Subject lives.
const subjectCtxKey subjectCtxKeyType = "subject"
// Subject is an entity that carries out actions on resources. Authorization
// questions are answered by the Subject itself through the CanAccess* and Is*
// methods, so each implementation decides what its caller is allowed to do.
type Subject interface {
	// String returns a human-readable name for the subject.
	String() string
	// Organizations returns subject's organization memberships.
	Organizations() []string

	// IsSiteAdmin reports whether the subject has site-wide admin rights.
	IsSiteAdmin() bool
	// IsOwner reports whether the subject owns the named organization.
	IsOwner(organization string) bool

	// CanAccessSite reports whether the subject may perform action on the
	// site as a whole.
	CanAccessSite(action rbac.Action) bool
	// CanAccessOrganization reports whether the subject may perform action
	// on the named organization.
	CanAccessOrganization(action rbac.Action, name string) bool
	// CanAccessWorkspace reports whether the subject may perform action on
	// the workspace described by policy.
	CanAccessWorkspace(action rbac.Action, policy WorkspacePolicy) bool
}
// WorkspacePolicy binds workspace permissions to a workspace. It is the
// value handed to Subject.CanAccessWorkspace: Organization and WorkspaceID
// identify the workspace, Permissions lists the team/role grants on it.
type WorkspacePolicy struct {
	Organization string // organization name
	WorkspaceID  string // workspace identifier
	Permissions  []WorkspacePermission
}
// WorkspacePermission binds a role to a team.
type WorkspacePermission struct {
	Team   string    // team name
	TeamID string    // team identifier
	Role   rbac.Role // role the team holds on the workspace
}
// AddSubjectToContext returns a copy of ctx that carries subj; the subject
// can be read back with SubjectFromContext. Whatever is stored here is what
// later authorization checks trust, so the caller is responsible for only
// attaching a subject it has verified.
func AddSubjectToContext(ctx context.Context, subj Subject) context.Context {
	// Keys are compared by type and value, so the private key type keeps
	// this entry separate from any other package's "subject" key.
	withSubject := context.WithValue(ctx, subjectCtxKey, subj)
	return withSubject
}
// SubjectFromContext retrieves the subject previously stored in ctx by
// AddSubjectToContext. It returns an error when nothing is stored under the
// key or the stored value does not implement Subject; treat that error as a
// denial rather than substituting a default subject.
//
// Note that a typed nil pointer stored under the key still satisfies the
// type assertion, so a nil error does not by itself prove a usable subject.
func SubjectFromContext(ctx context.Context) (Subject, error) {
	if subj, ok := ctx.Value(subjectCtxKey).(Subject); ok {
		return subj, nil
	}
	return nil, fmt.Errorf("no subject in context")
}
// Superuser is a subject with unlimited privileges: every CanAccess* and Is*
// method answers true without consulting any policy. Because it bypasses
// authorization entirely, it should only be constructed by trusted internal
// code paths, never from caller-supplied data.
type Superuser struct {
	Username string
}

// CanAccessSite always grants site-level access.
func (s *Superuser) CanAccessSite(action rbac.Action) bool {
	return true
}

// CanAccessOrganization always grants access, whatever the organization.
func (s *Superuser) CanAccessOrganization(rbac.Action, string) bool {
	return true
}

// CanAccessWorkspace always grants access, whatever the workspace policy.
func (s *Superuser) CanAccessWorkspace(rbac.Action, WorkspacePolicy) bool {
	return true
}

// Organizations returns nil: the superuser is not a member of any
// organization in particular, it simply has access to all of them.
func (s *Superuser) Organizations() []string {
	return nil
}

// String returns the superuser's username.
func (s *Superuser) String() string {
	return s.Username
}

// ID returns the superuser's username, which doubles as its identifier.
func (s *Superuser) ID() string {
	return s.Username
}

// IsSiteAdmin always reports true.
func (s *Superuser) IsSiteAdmin() bool {
	return true
}

// IsOwner always reports true, whatever the organization.
func (s *Superuser) IsOwner(string) bool {
	return true
}