package organization
import (
"time"
"github.com/tofutf/tofutf/internal"
"github.com/tofutf/tofutf/internal/rbac"
"github.com/tofutf/tofutf/internal/tokens"
)
// OrganizationTokenKind is the tokens.Kind stamped on every organization token.
const OrganizationTokenKind tokens.Kind = "organization_token"

// OrganizationToken provides information about an API token for an organization.
type OrganizationToken struct {
	ID        string
	CreatedAt time.Time
	// Organization names the organization the token belongs to.
	Organization string
	// Expiry is optional; it is nil when no expiry was requested.
	Expiry *time.Time
}

// CreateOrganizationTokenOptions are options for creating an organization
// token via the service endpoint.
type CreateOrganizationTokenOptions struct {
	Organization string `schema:"organization_name,required"`
	Expiry       *time.Time
}

// tokenFactory constructs organization tokens.
type tokenFactory struct {
	tokens *tokens.Service
}
// NewOrganizationToken builds an organization token from opts and returns it
// together with the raw token bytes produced by the tokens service. The
// token's ID comes from internal.NewID("ot"), CreatedAt from
// internal.CurrentTimestamp, and Organization and Expiry are copied from
// opts; the same expiry is forwarded to the tokens service. An error from
// the tokens service is returned as-is, with nil token and bytes.
func (f *tokenFactory) NewOrganizationToken(opts CreateOrganizationTokenOptions) (*OrganizationToken, []byte, error) {
	orgToken := &OrganizationToken{
		ID:           internal.NewID("ot"),
		CreatedAt:    internal.CurrentTimestamp(nil),
		Organization: opts.Organization,
		Expiry:       opts.Expiry,
	}
	// The token subject is the organization token's own ID, so the raw token
	// can be resolved back to this record.
	tokenOpts := tokens.NewTokenOptions{
		Subject: orgToken.ID,
		Kind:    OrganizationTokenKind,
		Expiry:  opts.Expiry,
	}
	raw, err := f.tokens.NewToken(tokenOpts)
	if err != nil {
		return nil, nil, err
	}
	return orgToken, raw, nil
}
// CanAccessSite reports whether the token may perform a site-level action.
// Organization tokens can only be used for organization-scoped resources,
// so this is always false and the action is not inspected.
func (u *OrganizationToken) CanAccessSite(rbac.Action) bool {
	return false
}
// CanAccessTeam reports whether the token may perform an action on a team.
// Organization tokens can only be used for organization-scoped resources,
// so this is always false regardless of the action or team.
func (u *OrganizationToken) CanAccessTeam(_ rbac.Action, _ string) bool {
	return false
}
// CanAccessOrganization reports whether the token may perform action within
// the organization named org. Access is refused when org is not the token's
// own organization, and for each action listed in the switch below; any
// other action is permitted.
//
// Note that this is a deny list: an rbac.Action that does not appear in the
// case below is allowed, so an action added to rbac later is granted to
// organization tokens unless it is also added here.
func (u *OrganizationToken) CanAccessOrganization(action rbac.Action, org string) bool {
	if org != u.Organization {
		return false
	}
	switch action {
	case rbac.GetRunAction,
		rbac.ListRunsAction,
		rbac.ApplyRunAction,
		rbac.CreateRunAction,
		rbac.DiscardRunAction,
		rbac.CancelRunAction,
		rbac.ForceCancelRunAction,
		rbac.EnqueuePlanAction,
		rbac.PutChunkAction,
		rbac.TailLogsAction,
		rbac.CreateStateVersionAction,
		rbac.RollbackStateVersionAction:
		return false
	default:
		return true
	}
}
// CanAccessWorkspace reports whether the token may perform action on a
// workspace governed by policy. The decision is delegated entirely to
// CanAccessOrganization using policy.Organization; no other part of the
// policy is consulted.
func (u *OrganizationToken) CanAccessWorkspace(action rbac.Action, policy internal.WorkspacePolicy) bool {
	org := policy.Organization
	return u.CanAccessOrganization(action, org)
}
// IsOwner reports whether the token holds the owner role in organization.
// An owner would be permitted every action in the organization, whereas an
// organization token is refused certain actions (see CanAccessOrganization),
// so an organization token is never an owner, whatever organization is passed.
func (u *OrganizationToken) IsOwner(organization string) bool {
	return false
}
// IsSiteAdmin reports whether the token has site-admin privileges; an
// organization token never does.
func (u *OrganizationToken) IsSiteAdmin() bool {
	return false
}
// String returns the token's ID, which serves as its textual representation.
func (u *OrganizationToken) String() string {
	return u.ID
}
// Organizations returns the organizations the token is scoped to: a freshly
// allocated single-element slice holding u.Organization.
func (u *OrganizationToken) Organizations() []string {
	orgs := make([]string, 0, 1)
	orgs = append(orgs, u.Organization)
	return orgs
}