package secret
import (
"fmt"
"net/http"
"strings"
"github.com/rancher/norman/api/access"
"github.com/rancher/norman/httperror"
"github.com/rancher/norman/types"
v1 "github.com/rancher/types/apis/core/v1"
)
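// Validator is the norman validator for the secret resource. It decides whether
// the caller may create (POST) or modify (PUT) the secret described by data.
//
// On POST the secret does not exist yet, so its id "<namespace>:<name>" is
// synthesized from projectId ("<cluster>:<namespace>") and name, and
// AccessControl is asked whether the caller may "update" a secret with that
// state. "update" rather than "create" is used deliberately so that the general
// user permissions on secrets do not apply. A body whose projectId is not of
// the form "<cluster>:<namespace>", or whose name is not a non-empty string, is
// treated as a denial: building the id from an untyped name would otherwise
// produce a garbage id such as "ns:%!s(<nil>)" and let the check run on it.
//
// On PUT the stored secret is loaded by request.ID first; a secret that is
// missing, or that the caller is not allowed to read, is reported as NotFound
// so the caller cannot distinguish the two cases. Any other load error is
// surfaced as a ServerError. Other HTTP methods pass through.
//
// Every access denial is reported as PermissionDenied with the message
// "unauthorized"; the underlying CanDo error is intentionally not exposed.
func Validator(request *types.APIContext, schema *types.Schema, data map[string]interface{}) error {
	unauthedError := httperror.NewAPIError(httperror.PermissionDenied, "unauthorized")

	switch request.Method {
	case http.MethodPost:
		id, ok := secretIDFromCreate(data)
		if !ok {
			return unauthedError
		}
		// minimum info needed to use CanDo
		secretState := map[string]interface{}{
			"name":        data["name"],
			"id":          id,
			"namespaceId": data["namespaceId"],
		}
		// update is used here to avoid the application of general user permissions for secrets
		if err := request.AccessControl.CanDo(v1.SecretGroupVersionKind.Group, v1.SecretResource.Name, "update", request, secretState, schema); err != nil {
			return unauthedError
		}
	case http.MethodPut:
		var secretState map[string]interface{}
		if err := access.ByID(request, request.Version, request.Type, request.ID, &secretState); err != nil {
			// collapse "does not exist" and "may not read" into one answer so existence is not leaked
			if httperror.IsNotFound(err) || isUnauthorized(err) {
				return httperror.NewAPIError(httperror.NotFound, "not found")
			}
			return httperror.NewAPIError(httperror.ServerError, err.Error())
		}
		// this is unused but will be necessary if readonly users are ever given permission to view secrets
		if err := request.AccessControl.CanDo(v1.SecretGroupVersionKind.Group, v1.SecretResource.Name, "update", request, secretState, schema); err != nil {
			return unauthedError
		}
	}
	return nil
}

// secretIDFromCreate derives the "<namespace>:<name>" id of a secret that is
// about to be created from its request body. The second result is false when
// projectId is not a string of exactly the form "<cluster>:<namespace>" or
// when name is not a non-empty string; callers should treat that as a denial
// rather than run an access check against a malformed id.
func secretIDFromCreate(data map[string]interface{}) (string, bool) {
	projectID, ok := data["projectId"].(string)
	if !ok {
		return "", false
	}
	// extracting project name from data: the project id is "<cluster>:<namespace>"
	parts := strings.Split(projectID, ":")
	if len(parts) != 2 {
		return "", false
	}
	name, ok := data["name"].(string)
	if !ok || name == "" {
		return "", false
	}
	return fmt.Sprintf("%s:%s", parts[1], name), true
}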
// isUnauthorized reports whether err is a norman *httperror.APIError whose
// HTTP status is 403 (Forbidden). Any other value, including nil, a plain
// error, or an APIError with a different status, yields false. No unwrapping
// is performed: only a direct *httperror.APIError value matches.
func isUnauthorized(err interface{}) bool {
	apiErr, isAPIErr := err.(*httperror.APIError)
	return isAPIErr && apiErr.Code.Status == 403
}