mirror of
https://github.com/harness/drone.git
synced 2025-05-14 07:59:56 +08:00
8c2f900c80
This change introduces the concept of a principal (abstraction of call identity), and adds a new service account type principal. Also adds support for different tokens (session, PAT, SAT, OAuth2) and adds auth.Session which is being used to capture information about the caller and call method.
82 lines
2.6 KiB
Go
82 lines
2.6 KiB
Go
// Copyright 2022 Harness Inc. All rights reserved.
|
|
// Use of this source code is governed by the Polyform Free Trial License
|
|
// that can be found in the LICENSE.md file for this repository.
|
|
|
|
package enum
|
|
|
|
// ResourceType represents the different types of resources that can be guarded with permissions.
|
|
type ResourceType string
|
|
|
|
const (
|
|
ResourceTypeSpace ResourceType = "SPACE"
|
|
ResourceTypeRepo ResourceType = "REPOSITORY"
|
|
ResourceTypeServiceAccount ResourceType = "SERVICEACCOUNT"
|
|
// ResourceType_Branch ResourceType = "BRANCH"
|
|
)
|
|
|
|
// Permission represents the different types of permissions a principal can have.
|
|
type Permission string
|
|
|
|
const (
|
|
/*
|
|
----- SPACE -----
|
|
*/
|
|
PermissionSpaceCreate Permission = "space_create"
|
|
PermissionSpaceView Permission = "space_view"
|
|
PermissionSpaceEdit Permission = "space_edit"
|
|
PermissionSpaceDelete Permission = "space_delete"
|
|
)
|
|
|
|
const (
|
|
/*
|
|
----- REPOSITORY -----
|
|
*/
|
|
PermissionRepoCreate Permission = "repository_create"
|
|
PermissionRepoView Permission = "repository_view"
|
|
PermissionRepoEdit Permission = "repository_edit"
|
|
PermissionRepoDelete Permission = "repository_delete"
|
|
)
|
|
|
|
const (
|
|
/*
|
|
----- REPOSITORY -----
|
|
*/
|
|
PermissionServiceAccountCreate Permission = "serviceaccount_create"
|
|
PermissionServiceAccountView Permission = "serviceaccount_view"
|
|
PermissionServiceAccountEdit Permission = "serviceaccount_edit"
|
|
PermissionServiceAccountDelete Permission = "serviceaccount_delete"
|
|
)
|
|
|
|
// AccessGrant represents the access grants a token or sshkey can have.
|
|
// Keep as int64 to allow for simpler+faster lookup of grants for a given token
|
|
// as we don't have to store an array field or need to do a join / 2nd db call.
|
|
// Multiple grants can be combined using the bit-wise or operation.
|
|
// ASSUMPTION: we don't need more than 63 grants!
|
|
//
|
|
// NOTE: A grant is always restricted by the principal permissions
|
|
//
|
|
// TODO: Beter name, access grant and permission might be to close in terminology?
|
|
type AccessGrant int64
|
|
|
|
const (
|
|
// no grants - useless token.
|
|
AccessGrantNone AccessGrant = 0
|
|
|
|
// privacy related grants.
|
|
AccessGrantPublic AccessGrant = 1 << 0 // 1
|
|
AccessGrantPrivate AccessGrant = 1 << 1 // 2
|
|
|
|
// api related grants (spaces / repos, ...).
|
|
AccessGrantAPICreate AccessGrant = 1 << 10 // 1024
|
|
AccessGrantAPIView AccessGrant = 1 << 11 // 2048
|
|
AccessGrantAPIEdit AccessGrant = 1 << 12 // 4096
|
|
AccessGrantAPIDelete AccessGrant = 1 << 13 // 8192
|
|
|
|
// code related grants.
|
|
AccessGrantCodeRead AccessGrant = 1 << 20 // 1048576
|
|
AccessGrantCodeWrite AccessGrant = 1 << 21 // 2097152
|
|
|
|
// grants everything - for user sessions.
|
|
AccessGrantAll AccessGrant = 1<<63 - 1
|
|
)
|