package auth
import (
"net/http"
"github.com/concourse/atc/db"
)
// CheckWorkerTeamAccessHandlerFactory builds http.Handlers that run a
// worker/team access check before handing the request to another handler.
type CheckWorkerTeamAccessHandlerFactory interface {
// HandlerFor returns a handler that serves the request with the handler
// passed as the first argument only once the access check passes; the
// rejector is used to write the Unauthorized and Forbidden responses.
// NOTE(review): the parameter is named pipelineScopedHandler here but
// delegateHandler in the implementation in this file; the check concerns
// workers, not pipelines.
HandlerFor(pipelineScopedHandler http.Handler, rejector Rejector) http.Handler
}
// checkWorkerTeamAccessHandlerFactory is the CheckWorkerTeamAccessHandlerFactory
// implementation returned by NewCheckWorkerTeamAccessHandlerFactory.
type checkWorkerTeamAccessHandlerFactory struct {
// workerFactory is handed to every handler this factory creates, which uses
// it to look up the worker named in the request.
workerFactory db.WorkerFactory
}
// NewCheckWorkerTeamAccessHandlerFactory returns a factory whose handlers
// look workers up through workerFactory when checking team access.
func NewCheckWorkerTeamAccessHandlerFactory(
	workerFactory db.WorkerFactory,
) CheckWorkerTeamAccessHandlerFactory {
	factory := new(checkWorkerTeamAccessHandlerFactory)
	factory.workerFactory = workerFactory
	return factory
}
// HandlerFor wraps delegateHandler in a checkWorkerTeamHandler, so the
// delegate only runs for requests that pass the worker/team access check.
// rejector writes the responses for requests that are turned away.
func (f *checkWorkerTeamAccessHandlerFactory) HandlerFor(
	delegateHandler http.Handler,
	rejector Rejector,
) http.Handler {
	var guarded checkWorkerTeamHandler
	guarded.rejector = rejector
	guarded.workerFactory = f.workerFactory
	guarded.delegateHandler = delegateHandler
	return guarded
}
// checkWorkerTeamHandler is the http.Handler that enforces the worker/team
// access check in front of delegateHandler (see ServeHTTP).
type checkWorkerTeamHandler struct {
// rejector writes the Unauthorized and Forbidden responses.
rejector Rejector
// workerFactory resolves the worker named in the request.
workerFactory db.WorkerFactory
// delegateHandler serves the request once the check has passed.
delegateHandler http.Handler
}
// ServeHTTP authorizes a request that names a worker before passing it to the
// delegate handler. The checks run in this order:
//
//   - an unauthenticated request is rejected as Unauthorized;
//   - a system request is delegated without further checks;
//   - a request with no team attached is rejected as Unauthorized;
//   - an admin team is delegated without a worker lookup;
//   - otherwise the worker named by ":worker_name" must exist and its team
//     name must equal the requesting team's name, else the request is
//     answered with 404 or rejected as Forbidden respectively.
//
// A failed worker lookup is answered with a bare 500.
func (h checkWorkerTeamHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	switch {
	case !IsAuthenticated(r):
		h.rejector.Unauthorized(w, r)
		return
	case IsSystem(r):
		// System requests bypass the team and worker checks entirely.
		h.delegateHandler.ServeHTTP(w, r)
		return
	}

	requesterTeam, hasTeam := GetTeam(r)
	if !hasTeam {
		h.rejector.Unauthorized(w, r)
		return
	}

	if requesterTeam.IsAdmin() {
		// Admin teams may act on any worker, so no lookup is needed.
		h.delegateHandler.ServeHTTP(w, r)
		return
	}

	// FormValue parses the request body as well as the URL query, and for
	// POST/PUT/PATCH a body parameter takes precedence over a query value.
	// NOTE(review): if the router supplies ":worker_name" through the URL and
	// the delegate reads it from a different source than FormValue, the name
	// authorized here could differ from the one acted on — confirm both sides
	// resolve the parameter the same way.
	name := r.FormValue(":worker_name")

	target, exists, err := h.workerFactory.GetWorker(name)
	switch {
	case err != nil:
		// The lookup error is dropped here; nothing in this handler logs it.
		w.WriteHeader(http.StatusInternalServerError)
	case !exists:
		// NOTE(review): 404 for an unknown worker versus Forbidden for another
		// team's worker tells a non-admin caller whether a worker name exists —
		// confirm that disclosure is acceptable.
		w.WriteHeader(http.StatusNotFound)
	case target.TeamName() != requesterTeam.Name():
		h.rejector.Forbidden(w, r)
	default:
		h.delegateHandler.ServeHTTP(w, r)
	}
}