package repository
import (
"context"
"strconv"
"strings"
"github.com/ttab/elephantine"
"github.com/twitchtv/twirp"
)
// Permission is a single-letter access code.
type Permission string

// The permission codes defined in this file.
const (
	ReadPermission  Permission = "r"
	WritePermission Permission = "w"
)

// Name returns the human-readable name of the permission: "read" or "write"
// for the two known codes. Any other value is returned as a Go-quoted string
// (strconv.Quote), so an unexpected code stays visible and escaped when it
// ends up in a message or log line.
func (p Permission) Name() string {
	if p == ReadPermission {
		return "read"
	}

	if p == WritePermission {
		return "write"
	}

	// Unknown code: quote it instead of echoing it raw.
	return strconv.Quote(string(p))
}
// Scope names, as untyped string constants. RequireAnyScope takes scopes as
// plain strings, so these are the literal values matched against a caller's
// claims. What each scope actually grants is decided by the code that passes
// it to an authorization check; it is not defined in this file.
const (
	// Document scopes.
	ScopeDocumentAdmin   = "doc_admin"
	ScopeDocumentReadAll = "doc_read_all"
	ScopeDocumentRead    = "doc_read"
	ScopeDocumentDelete  = "doc_delete"
	ScopeDocumentWrite   = "doc_write"
	ScopeDocumentImport  = "doc_import"

	// Event log scope.
	ScopeEventlogRead = "eventlog_read"

	// Metrics scopes.
	ScopeMetricsAdmin = "metrics_admin"
	ScopeMetricsWrite = "metrics_write"

	// Report scopes.
	ScopeReportAdmin = "report_admin"
	ScopeReportRun   = "report_run"

	// Schema scopes.
	ScopeSchemaAdmin = "schema_admin"
	ScopeSchemaRead  = "schema_read"

	// Workflow scope.
	ScopeWorkflowAdmin = "workflow_admin"
)
// Subscope builds a narrowed scope name by appending the resource parts to
// scope, separated by ":". With no resource parts the scope is returned
// unchanged.
//
// The parts are joined verbatim: nothing is validated or escaped. A part that
// is empty or itself contains ":" therefore produces a string with a
// different number of segments than the caller passed in, so parts taken from
// request data should be checked by the caller before they are used to build
// a scope.
func Subscope(scope string, resource ...string) string {
	segments := make([]string, 0, len(resource)+1)
	segments = append(segments, scope)
	segments = append(segments, resource...)

	// Joining a single segment yields that segment unchanged, which covers
	// the case where no resource parts were given.
	return strings.Join(segments, ":")
}
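// RequireAnyScope is an authorization gate: it returns the caller's AuthInfo
// when ctx carries authentication information whose claims include at least
// one of the given scopes.
//
// It fails closed:
//   - no auth info in ctx yields a twirp.Unauthenticated error;
//   - an empty scope list yields a twirp.PermissionDenied error;
//   - claims that hold none of the scopes yield a twirp.PermissionDenied
//     error whose message lists the accepted scopes.
//
// On any error the returned AuthInfo is nil.
func RequireAnyScope(ctx context.Context, scopes ...string) (*elephantine.AuthInfo, error) {
	auth, ok := elephantine.GetAuthInfo(ctx)
	// Treat a nil AuthInfo like a missing one so that the claims check below
	// can never dereference nil.
	if !ok || auth == nil {
		return nil, twirp.Unauthenticated.Error(
			"no anonymous access allowed")
	}

	// A call without any scope cannot grant access. Deny here instead of
	// depending on how HasAnyScope treats an empty list, which is not
	// visible from this file.
	if len(scopes) == 0 {
		return nil, twirp.PermissionDenied.Error(
			"no scope grants access to this operation")
	}

	if !auth.Claims.HasAnyScope(scopes...) {
		return nil, twirp.PermissionDenied.Errorf(
			"one of the scopes %s is required",
			strings.Join(scopes, ", "))
	}

	return auth, nil
}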