Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature: Airtable Analyzer for Personal Access Tokens #3941

Merged
merged 12 commits into from
Mar 3, 2025
+807 −124
Merged

Feature: Airtable Analyzer for Personal Access Tokens #3941

Changes from 1 commit
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
ca91b0b
added airtable personal access token analyzer
nabeelalam Feb 26, 2025
746f75c
Merge branch 'main' into feature/analyzer/airtable-personal-access-token
nabeelalam Feb 28, 2025
90434b2
updated airtable oauth and pat analyzers
nabeelalam Feb 28, 2025
4c82e64
Merge branch 'main' into feature/analyzer/airtable-personal-access-token
nabeelalam Feb 28, 2025
1921386
updated airtable entry in analyzer mapping
nabeelalam Feb 28, 2025
25c36ac
updated airtablepat error checking, table shape
nabeelalam Feb 28, 2025
838a1ef
added more error checks in analyzer code
nabeelalam Feb 28, 2025
5c0da7d
updated airtable pat analyzer; incorporated feedback; fixed formating…
nabeelalam Mar 3, 2025
e587433
Merge branch 'main' into feature/analyzer/airtable-personal-access-token
nabeelalam Mar 3, 2025
1a0df40
updated analyzer type int of planetscale expected output json
nabeelalam Mar 3, 2025
d0b8c24
fixed spelling in comment
nabeelalam Mar 3, 2025
1c07637
updated expected output analyzer type numbers
nabeelalam Mar 3, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
updated airtablepat error checking, table shape
  • Loading branch information
@nabeelalam
nabeelalam committed Feb 28, 2025
commit 25c36acd31191684b381b52844c14ce5c51e8de6
42 changes: 33 additions & 9 deletions pkg/analyzer/analyzers/airtable/airtablepat/airtable.go
View file
Original file line number Diff line number Diff line change
@@ -48,10 +48,16 @@
scopeStatusMap[common.PermissionStrings[common.UserEmailRead]] = userInfo.Email != nil
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question: Is the idea here that if the response from the FetchAirtableUserInfo API contains an email, they have the user.email:read scope?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. Here's the API reference for that: https://airtable.com/developers/web/api/get-user-id-scopes


var basesInfo *common.AirtableBases
if granted, _ := determineScope(token, common.SchemaBasesRead, nil); granted {
basesInfo, _ = common.FetchAirtableBases(token)
if granted, err := determineScope(token, common.SchemaBasesRead, nil); granted {
if err != nil {
return nil, err
}
basesInfo, err = common.FetchAirtableBases(token)
if err != nil {
return nil, err
}
// If bases are fetched, determine the token scopes
determineScopes(token, basesInfo)

Check failure on line 60 in pkg/analyzer/analyzers/airtable/airtablepat/airtable.go

GitHub Actions / golangci-lint 

Error return value is not checked (errcheck)
}

return mapToAnalyzerResult(userInfo, basesInfo), nil
@@ -74,7 +80,7 @@
return
}
basesInfo, _ = common.FetchAirtableBases(token)
determineScopes(token, basesInfo)

Check failure on line 83 in pkg/analyzer/analyzers/airtable/airtablepat/airtable.go

GitHub Actions / golangci-lint 

Error return value is not checked (errcheck)
}

color.Green("[!] Valid Airtable Personal Access Token\n\n")
@@ -124,35 +130,52 @@
return true, nil
}

func determineScopes(token string, basesInfo *common.AirtableBases) {
func determineScopes(token string, basesInfo *common.AirtableBases) error {
if basesInfo != nil && len(basesInfo.Bases) > 0 {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion: Similar to my earlier "line of sight" comment, we can invert the logic of this if statement to return early, allowing us to de-indent the following for loop for better readability.

Ex:

if basesInfo == nil || len(basesInfo.Bases) == 0 {
    return nil
}

for _ base := range baseInfo.Bases {
    ...
}

for _, base := range basesInfo.Bases {
if base.Schema != nil && len(base.Schema.Tables) > 0 {
ids := map[string]string{"baseID": base.ID}
tableScopesDetermined := false

// Verify token "webhooks:manage" permission
determineScope(token, common.WebhookManage, ids)
_, err := determineScope(token, common.WebhookManage, ids)
if err != nil {
return err
}
// Verify token "block:manage" permission
determineScope(token, common.BlockManage, ids)
_, err = determineScope(token, common.BlockManage, ids)
if err != nil {
return err
}

// Verifying scopes that require an existing table
for _, table := range base.Schema.Tables {
ids["tableID"] = table.ID

if !tableScopesDetermined {
determineScope(token, common.SchemaBasesWrite, ids)
determineScope(token, common.DataRecordsWrite, ids)
_, err = determineScope(token, common.SchemaBasesWrite, ids)
if err != nil {
return err
}
_, err = determineScope(token, common.DataRecordsWrite, ids)
if err != nil {
return err
}
tableScopesDetermined = true
}

if granted, _ := determineScope(token, common.DataRecordsRead, ids); granted {
if granted, err := determineScope(token, common.DataRecordsRead, ids); err != nil {
return err
} else if granted {
// Verifying scopes that require an existing record and record read permission
records, err := fetchAirtableRecords(token, base.ID, table.ID)
if err != nil || len(records) > 0 {
for _, record := range records {
ids["recordID"] = record.ID
determineScope(token, common.DataRecordcommentsRead, ids)
_, err = determineScope(token, common.DataRecordcommentsRead, ids)
if err != nil {
return err
}
break
}
break
@@ -162,6 +185,7 @@
}
}
}
return nil
}

func mapToAnalyzerResult(userInfo *common.AirtableUserInfo, basesInfo *common.AirtableBases) *analyzers.AnalyzerResult {
21 changes: 0 additions & 21 deletions pkg/analyzer/analyzers/airtable/airtablepat/requests.go
View file
Original file line number Diff line number Diff line change
@@ -13,27 +13,6 @@ type AirtableRecordsResponse struct {
Records []common.AirtableEntity `json:"records"`
}

func fetchBaseSchema(baseID, token string) (*common.Schema, error) {
endpoint := getEndpoint(common.GetBaseSchemaEndpoint)
url := strings.Replace(endpoint.URL, "{baseID}", baseID, -1)
resp, err := common.CallAirtableAPI(token, endpoint.Method, url)
if err != nil {
return nil, err
}
defer resp.Body.Close()

if resp.StatusCode != http.StatusOK {
return nil, fmt.Errorf("failed to fetch schema for base %s, status: %d", baseID, resp.StatusCode)
}

var schema common.Schema
if err := json.NewDecoder(resp.Body).Decode(&schema); err != nil {
return nil, err
}

return &schema, nil
}

func fetchAirtableRecords(token string, baseID string, tableID string) ([]common.AirtableEntity, error) {
endpoint := getEndpoint(common.ListRecordsEndpoint)
url := strings.Replace(strings.Replace(endpoint.URL, "{baseID}", baseID, -1), "{tableID}", tableID, -1)
1 change: 1 addition & 0 deletions pkg/analyzer/analyzers/airtable/common/common.go
View file
Original file line number Diff line number Diff line change
@@ -173,6 +173,7 @@ func PrintUserAndPermissions(info *AirtableUserInfo, scopeStatusMap map[string]b
t2.AppendRow(table.Row{color.GreenString(scopeString), color.GreenString(permission), color.GreenString(scopeStatus)})
scopeStatus = ""
}
t2.AppendSeparator()
}
t2.Render()
fmt.Printf("%s: https://airtable.com/developers/web/api/scopes\n", color.GreenString("Ref"))
Loading
Oops, something went wrong.