github/drone
5
0
Fork 0
mirror of https://github.com/harness/drone.git synced 2025-05-05 23:42:23 +08:00
Code Issues Packages Projects Releases Wiki Activity
ff2f949e78
drone/internal/api/auth/repo.go
Johannes Batzill 3ba0f75c8d Introduce UIDs for Space / Repo / Tokens, Add Custom Harness Validation, ... (#57) 
This change adds the following:
- Space UID + Custom harness validation (accountId for top level space, harness identifier for child spaces)
- Repo UID + Custom harness validation (harness identifier)
- Store Unique casing of space / repo path and add Path.ValueUnique (with Unique index) to allow for application layer controlling the case sensitivity (case insensitive standalone vs partially case sensitive harness)
- Token UID (unique index over ownertype + ownerID + tokenUID)
- Add DisplayName for principals (replaces Name to avoid confustion)
- Store Unique casing of principal UID and add Principal.ValueUnique (with unique index) to allow for application layer, per principal type control of case sensitivity (required in embedded mode)
- Generate serviceAccount UID (+Email) Randomly (sa-{space|repo}-{ID}-{random}) - Allows to have a unique UID across all principals while reducing likelyhood of overlaps with users + avoid overlap across spaces / repos.
- Sync casing of space names (accountId orgId projectId) when creating spaces on the fly (to ensure case sensitivity of - harness code) or use the existing space to update casing.
- Update serviceaccount client to match updated NG Manager API
- in embedded mode create spaces for harness resources owning the service account
2022-11-06 23:14:47 -08:00

43 lines
1.3 KiB
Go
Raw Blame History

// Copyright 2022 Harness Inc. All rights reserved.
// Use of this source code is governed by the Polyform Free Trial License
// that can be found in the LICENSE.md file for this repository.
package auth
import (
"context"
"github.com/harness/gitness/internal/auth"
"github.com/harness/gitness/internal/auth/authz"
"github.com/harness/gitness/internal/paths"
"github.com/harness/gitness/types"
"github.com/harness/gitness/types/enum"
"github.com/pkg/errors"
)
/*
* CheckRepo checks if a repo specific permission is granted for the current auth session
* in the scope of its parent.
* Returns nil if the permission is granted, otherwise returns an error.
* NotAuthenticated, NotAuthorized, or any unerlaying error.
*/
func CheckRepo(ctx context.Context, authorizer authz.Authorizer, session *auth.Session,
repo *types.Repository, permission enum.Permission, orPublic bool) error {
if orPublic && repo.IsPublic {
return nil
}
parentSpace, name, err := paths.DisectLeaf(repo.Path)
if err != nil {
return errors.Wrapf(err, "Failed to disect path '%s'", repo.Path)
}
scope := &types.Scope{SpacePath: parentSpace}
resource := &types.Resource{
Type: enum.ResourceTypeRepo,
Name: name,
}
return Check(ctx, authorizer, session, scope, resource, permission)
}
Reference in New Issue View Git Blame Copy Permalink