unified code verification service
This commit is contained in:
Stephan D
@@ -43,13 +43,13 @@ func (db *AccountBoundDBImp[T]) enforce(ctx context.Context, action model.Action
|
||||
if err != nil {
|
||||
db.Logger.Warn("Failed to enforce permission",
|
||||
zap.Error(err), mzap.ObjRef("permission_ref", db.PermissionRef),
|
||||
mzap.ObjRef("account_ref", accountRef), mzap.ObjRef("organization_ref", organizationRef),
|
||||
mzap.AccRef(accountRef), mzap.ObjRef("organization_ref", organizationRef),
|
||||
zap.String("action", string(action)))
|
||||
return err
|
||||
}
|
||||
if !res {
|
||||
db.Logger.Debug("Access denied", mzap.ObjRef("permission_ref", db.PermissionRef),
|
||||
mzap.ObjRef("account_ref", accountRef), mzap.ObjRef("organization_ref", organizationRef),
|
||||
mzap.AccRef(accountRef), mzap.ObjRef("organization_ref", organizationRef),
|
||||
zap.String("action", string(action)))
|
||||
return merrors.AccessDenied(db.Collection, string(action), bson.NilObjectID)
|
||||
}
|
||||
@@ -73,13 +73,13 @@ func (db *AccountBoundDBImp[T]) enforceInterface(ctx context.Context, action mod
|
||||
if err != nil {
|
||||
db.Logger.Warn("Failed to enforce permission",
|
||||
zap.Error(err), mzap.ObjRef("permission_ref", db.PermissionRef),
|
||||
mzap.ObjRef("account_ref", accountRef), mzap.ObjRef("organization_ref", organizationRef),
|
||||
mzap.AccRef(accountRef), mzap.ObjRef("organization_ref", organizationRef),
|
||||
zap.String("action", string(action)))
|
||||
return err
|
||||
}
|
||||
if !res {
|
||||
db.Logger.Debug("Access denied", mzap.ObjRef("permission_ref", db.PermissionRef),
|
||||
mzap.ObjRef("account_ref", accountRef), mzap.ObjRef("organization_ref", organizationRef),
|
||||
mzap.AccRef(accountRef), mzap.ObjRef("organization_ref", organizationRef),
|
||||
zap.String("action", string(action)))
|
||||
return merrors.AccessDenied(db.Collection, string(action), bson.NilObjectID)
|
||||
}
|
||||
@@ -88,7 +88,7 @@ func (db *AccountBoundDBImp[T]) enforceInterface(ctx context.Context, action mod
|
||||
|
||||
func (db *AccountBoundDBImp[T]) Create(ctx context.Context, accountRef bson.ObjectID, object T) error {
|
||||
orgRef := object.GetOrganizationRef()
|
||||
db.Logger.Debug("Attempting to create object", mzap.ObjRef("account_ref", accountRef),
|
||||
db.Logger.Debug("Attempting to create object", mzap.AccRef(accountRef),
|
||||
mzap.ObjRef("organization_ref", orgRef), zap.String("collection", string(db.Collection)))
|
||||
|
||||
// Check organization update permission for create operations
|
||||
@@ -97,22 +97,22 @@ func (db *AccountBoundDBImp[T]) Create(ctx context.Context, accountRef bson.Obje
|
||||
}
|
||||
|
||||
if err := db.DBImp.Create(ctx, object); err != nil {
|
||||
db.Logger.Warn("Failed to create object", zap.Error(err), mzap.ObjRef("account_ref", accountRef),
|
||||
db.Logger.Warn("Failed to create object", zap.Error(err), mzap.AccRef(accountRef),
|
||||
mzap.ObjRef("organization_ref", orgRef), zap.String("collection", string(db.Collection)))
|
||||
return err
|
||||
}
|
||||
|
||||
db.Logger.Debug("Successfully created object", mzap.ObjRef("account_ref", accountRef),
|
||||
db.Logger.Debug("Successfully created object", mzap.AccRef(accountRef),
|
||||
mzap.ObjRef("organization_ref", orgRef), zap.String("collection", string(db.Collection)))
|
||||
return nil
|
||||
}
|
||||
|
||||
func (db *AccountBoundDBImp[T]) Get(ctx context.Context, accountRef, objectRef bson.ObjectID, result T) error {
|
||||
db.Logger.Debug("Attempting to get object", mzap.ObjRef("account_ref", accountRef), mzap.ObjRef("object_ref", objectRef))
|
||||
db.Logger.Debug("Attempting to get object", mzap.AccRef(accountRef), mzap.ObjRef("object_ref", objectRef))
|
||||
|
||||
// First get the object to check its organization
|
||||
if err := db.DBImp.Get(ctx, objectRef, result); err != nil {
|
||||
db.Logger.Warn("Failed to get object", zap.Error(err), mzap.ObjRef("account_ref", accountRef),
|
||||
db.Logger.Warn("Failed to get object", zap.Error(err), mzap.AccRef(accountRef),
|
||||
mzap.ObjRef("object_ref", objectRef), zap.String("collection", string(db.Collection)))
|
||||
return err
|
||||
}
|
||||
@@ -122,13 +122,13 @@ func (db *AccountBoundDBImp[T]) Get(ctx context.Context, accountRef, objectRef b
|
||||
return err
|
||||
}
|
||||
|
||||
db.Logger.Debug("Successfully retrieved object", mzap.ObjRef("account_ref", accountRef),
|
||||
db.Logger.Debug("Successfully retrieved object", mzap.AccRef(accountRef),
|
||||
mzap.ObjRef("organization_ref", result.GetOrganizationRef()), zap.String("collection", string(db.Collection)))
|
||||
return nil
|
||||
}
|
||||
|
||||
func (db *AccountBoundDBImp[T]) Update(ctx context.Context, accountRef bson.ObjectID, object T) error {
|
||||
db.Logger.Debug("Attempting to update object", mzap.ObjRef("account_ref", accountRef), mzap.StorableRef(object))
|
||||
db.Logger.Debug("Attempting to update object", mzap.AccRef(accountRef), mzap.StorableRef(object))
|
||||
|
||||
// Check organization update permission
|
||||
if err := db.enforce(ctx, model.ActionUpdate, object, accountRef); err != nil {
|
||||
@@ -136,18 +136,18 @@ func (db *AccountBoundDBImp[T]) Update(ctx context.Context, accountRef bson.Obje
|
||||
}
|
||||
|
||||
if err := db.DBImp.Update(ctx, object); err != nil {
|
||||
db.Logger.Warn("Failed to update object", zap.Error(err), mzap.ObjRef("account_ref", accountRef),
|
||||
db.Logger.Warn("Failed to update object", zap.Error(err), mzap.AccRef(accountRef),
|
||||
mzap.ObjRef("organization_ref", object.GetOrganizationRef()), mzap.StorableRef(object))
|
||||
return err
|
||||
}
|
||||
|
||||
db.Logger.Debug("Successfully updated object", mzap.ObjRef("account_ref", accountRef),
|
||||
db.Logger.Debug("Successfully updated object", mzap.AccRef(accountRef),
|
||||
mzap.ObjRef("organization_ref", object.GetOrganizationRef()), mzap.StorableRef(object))
|
||||
return nil
|
||||
}
|
||||
|
||||
func (db *AccountBoundDBImp[T]) Patch(ctx context.Context, accountRef, objectRef bson.ObjectID, patch builder.Patch) error {
|
||||
db.Logger.Debug("Attempting to patch object", mzap.ObjRef("account_ref", accountRef), mzap.ObjRef("object_ref", objectRef))
|
||||
db.Logger.Debug("Attempting to patch object", mzap.AccRef(accountRef), mzap.ObjRef("object_ref", objectRef))
|
||||
|
||||
// First get the object to check its organization
|
||||
objs, err := db.DBImp.Repository.ListAccountBound(ctx, repository.IDFilter(objectRef))
|
||||
@@ -156,7 +156,7 @@ func (db *AccountBoundDBImp[T]) Patch(ctx context.Context, accountRef, objectRef
|
||||
return err
|
||||
}
|
||||
if len(objs) == 0 {
|
||||
db.Logger.Debug("Permission denied for deletion", mzap.ObjRef("object_ref", objectRef), mzap.ObjRef("account_ref", accountRef))
|
||||
db.Logger.Debug("Permission denied for deletion", mzap.ObjRef("object_ref", objectRef), mzap.AccRef(accountRef))
|
||||
return merrors.AccessDenied(db.Collection, string(model.ActionDelete), objectRef)
|
||||
}
|
||||
|
||||
@@ -166,17 +166,17 @@ func (db *AccountBoundDBImp[T]) Patch(ctx context.Context, accountRef, objectRef
|
||||
}
|
||||
|
||||
if err := db.DBImp.Patch(ctx, objectRef, patch); err != nil {
|
||||
db.Logger.Warn("Failed to patch object", zap.Error(err), mzap.ObjRef("account_ref", accountRef),
|
||||
db.Logger.Warn("Failed to patch object", zap.Error(err), mzap.AccRef(accountRef),
|
||||
mzap.ObjRef("object_ref", objectRef), zap.String("collection", string(db.Collection)))
|
||||
return err
|
||||
}
|
||||
|
||||
db.Logger.Debug("Successfully patched object", mzap.ObjRef("account_ref", accountRef), mzap.ObjRef("object_ref", objectRef))
|
||||
db.Logger.Debug("Successfully patched object", mzap.AccRef(accountRef), mzap.ObjRef("object_ref", objectRef))
|
||||
return nil
|
||||
}
|
||||
|
||||
func (db *AccountBoundDBImp[T]) Delete(ctx context.Context, accountRef, objectRef bson.ObjectID) error {
|
||||
db.Logger.Debug("Attempting to delete object", mzap.ObjRef("account_ref", accountRef), mzap.ObjRef("object_ref", objectRef))
|
||||
db.Logger.Debug("Attempting to delete object", mzap.AccRef(accountRef), mzap.ObjRef("object_ref", objectRef))
|
||||
|
||||
// First get the object to check its organization
|
||||
objs, err := db.DBImp.Repository.ListAccountBound(ctx, repository.IDFilter(objectRef))
|
||||
@@ -185,7 +185,7 @@ func (db *AccountBoundDBImp[T]) Delete(ctx context.Context, accountRef, objectRe
|
||||
return err
|
||||
}
|
||||
if len(objs) == 0 {
|
||||
db.Logger.Debug("Permission denied for deletion", mzap.ObjRef("object_ref", objectRef), mzap.ObjRef("account_ref", accountRef))
|
||||
db.Logger.Debug("Permission denied for deletion", mzap.ObjRef("object_ref", objectRef), mzap.AccRef(accountRef))
|
||||
return merrors.AccessDenied(db.Collection, string(model.ActionDelete), objectRef)
|
||||
}
|
||||
// Check organization update permission for delete operations
|
||||
@@ -194,29 +194,29 @@ func (db *AccountBoundDBImp[T]) Delete(ctx context.Context, accountRef, objectRe
|
||||
}
|
||||
|
||||
if err := db.DBImp.Delete(ctx, objectRef); err != nil {
|
||||
db.Logger.Warn("Failed to delete object", zap.Error(err), mzap.ObjRef("account_ref", accountRef),
|
||||
db.Logger.Warn("Failed to delete object", zap.Error(err), mzap.AccRef(accountRef),
|
||||
mzap.ObjRef("object_ref", objectRef), zap.String("collection", string(db.Collection)))
|
||||
return err
|
||||
}
|
||||
|
||||
db.Logger.Debug("Successfully deleted object", mzap.ObjRef("account_ref", accountRef), mzap.ObjRef("object_ref", objectRef))
|
||||
db.Logger.Debug("Successfully deleted object", mzap.AccRef(accountRef), mzap.ObjRef("object_ref", objectRef))
|
||||
return nil
|
||||
}
|
||||
|
||||
func (db *AccountBoundDBImp[T]) DeleteMany(ctx context.Context, accountRef bson.ObjectID, query builder.Query) error {
|
||||
db.Logger.Debug("Attempting to delete many objects", mzap.ObjRef("account_ref", accountRef), zap.String("collection", string(db.Collection)))
|
||||
db.Logger.Debug("Attempting to delete many objects", mzap.AccRef(accountRef), zap.String("collection", string(db.Collection)))
|
||||
|
||||
// Get all candidate objects for batch permission checking
|
||||
allObjects, err := db.DBImp.Repository.ListPermissionBound(ctx, query)
|
||||
if err != nil {
|
||||
db.Logger.Warn("Failed to list objects for delete many", zap.Error(err), mzap.ObjRef("account_ref", accountRef))
|
||||
db.Logger.Warn("Failed to list objects for delete many", zap.Error(err), mzap.AccRef(accountRef))
|
||||
return err
|
||||
}
|
||||
|
||||
// Use batch enforcement for efficiency
|
||||
allowedResults, err := db.Enforcer.EnforceBatch(ctx, allObjects, accountRef, model.ActionUpdate)
|
||||
if err != nil {
|
||||
db.Logger.Warn("Failed to enforce batch permissions for delete many", zap.Error(err), mzap.ObjRef("account_ref", accountRef))
|
||||
db.Logger.Warn("Failed to enforce batch permissions for delete many", zap.Error(err), mzap.AccRef(accountRef))
|
||||
return err
|
||||
}
|
||||
|
||||
@@ -229,27 +229,27 @@ func (db *AccountBoundDBImp[T]) DeleteMany(ctx context.Context, accountRef bson.
|
||||
}
|
||||
|
||||
if len(allowedIDs) == 0 {
|
||||
db.Logger.Debug("No objects allowed for deletion", mzap.ObjRef("account_ref", accountRef))
|
||||
db.Logger.Debug("No objects allowed for deletion", mzap.AccRef(accountRef))
|
||||
return nil
|
||||
}
|
||||
|
||||
// Delete only the allowed objects
|
||||
allowedQuery := query.And(repository.Query().In(repository.IDField(), allowedIDs))
|
||||
if err := db.DBImp.DeleteMany(ctx, allowedQuery); err != nil {
|
||||
db.Logger.Warn("Failed to delete many objects", zap.Error(err), mzap.ObjRef("account_ref", accountRef))
|
||||
db.Logger.Warn("Failed to delete many objects", zap.Error(err), mzap.AccRef(accountRef))
|
||||
return err
|
||||
}
|
||||
|
||||
db.Logger.Debug("Successfully deleted many objects", mzap.ObjRef("account_ref", accountRef), zap.Int("count", len(allowedIDs)))
|
||||
db.Logger.Debug("Successfully deleted many objects", mzap.AccRef(accountRef), zap.Int("count", len(allowedIDs)))
|
||||
return nil
|
||||
}
|
||||
|
||||
func (db *AccountBoundDBImp[T]) FindOne(ctx context.Context, accountRef bson.ObjectID, query builder.Query, result T) error {
|
||||
db.Logger.Debug("Attempting to find one object", mzap.ObjRef("account_ref", accountRef), zap.String("collection", string(db.Collection)))
|
||||
db.Logger.Debug("Attempting to find one object", mzap.AccRef(accountRef), zap.String("collection", string(db.Collection)))
|
||||
|
||||
// For FindOne, we need to check read permission after finding the object
|
||||
if err := db.DBImp.FindOne(ctx, query, result); err != nil {
|
||||
db.Logger.Warn("Failed to find one object", zap.Error(err), mzap.ObjRef("account_ref", accountRef))
|
||||
db.Logger.Warn("Failed to find one object", zap.Error(err), mzap.AccRef(accountRef))
|
||||
return err
|
||||
}
|
||||
|
||||
@@ -258,25 +258,25 @@ func (db *AccountBoundDBImp[T]) FindOne(ctx context.Context, accountRef bson.Obj
|
||||
return err
|
||||
}
|
||||
|
||||
db.Logger.Debug("Successfully found one object", mzap.ObjRef("account_ref", accountRef),
|
||||
db.Logger.Debug("Successfully found one object", mzap.AccRef(accountRef),
|
||||
mzap.ObjRef("organization_ref", result.GetOrganizationRef()))
|
||||
return nil
|
||||
}
|
||||
|
||||
func (db *AccountBoundDBImp[T]) ListIDs(ctx context.Context, accountRef bson.ObjectID, query builder.Query) ([]bson.ObjectID, error) {
|
||||
db.Logger.Debug("Attempting to list object IDs", mzap.ObjRef("account_ref", accountRef), zap.String("collection", string(db.Collection)))
|
||||
db.Logger.Debug("Attempting to list object IDs", mzap.AccRef(accountRef), zap.String("collection", string(db.Collection)))
|
||||
|
||||
// Get all candidate objects for batch permission checking
|
||||
allObjects, err := db.DBImp.Repository.ListPermissionBound(ctx, query)
|
||||
if err != nil {
|
||||
db.Logger.Warn("Failed to list objects for ID filtering", zap.Error(err), mzap.ObjRef("account_ref", accountRef))
|
||||
db.Logger.Warn("Failed to list objects for ID filtering", zap.Error(err), mzap.AccRef(accountRef))
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Use batch enforcement for efficiency
|
||||
allowedResults, err := db.Enforcer.EnforceBatch(ctx, allObjects, accountRef, model.ActionRead)
|
||||
if err != nil {
|
||||
db.Logger.Warn("Failed to enforce batch permissions for ID listing", zap.Error(err), mzap.ObjRef("account_ref", accountRef))
|
||||
db.Logger.Warn("Failed to enforce batch permissions for ID listing", zap.Error(err), mzap.AccRef(accountRef))
|
||||
return nil, err
|
||||
}
|
||||
|
||||
@@ -289,12 +289,12 @@ func (db *AccountBoundDBImp[T]) ListIDs(ctx context.Context, accountRef bson.Obj
|
||||
}
|
||||
|
||||
db.Logger.Debug("Successfully filtered object IDs", zap.Int("total_count", len(allObjects)),
|
||||
zap.Int("allowed_count", len(allowedIDs)), mzap.ObjRef("account_ref", accountRef))
|
||||
zap.Int("allowed_count", len(allowedIDs)), mzap.AccRef(accountRef))
|
||||
return allowedIDs, nil
|
||||
}
|
||||
|
||||
func (db *AccountBoundDBImp[T]) ListAccountBound(ctx context.Context, accountRef, organizationRef bson.ObjectID, query builder.Query) ([]model.AccountBoundStorable, error) {
|
||||
db.Logger.Debug("Attempting to list account bound objects", mzap.ObjRef("account_ref", accountRef), zap.String("collection", string(db.Collection)))
|
||||
db.Logger.Debug("Attempting to list account bound objects", mzap.AccRef(accountRef), zap.String("collection", string(db.Collection)))
|
||||
|
||||
// Build query to find objects where accountRef matches OR is null/absent
|
||||
accountQuery := repository.WithOrg(accountRef, organizationRef)
|
||||
@@ -305,7 +305,7 @@ func (db *AccountBoundDBImp[T]) ListAccountBound(ctx context.Context, accountRef
|
||||
// Get all candidate objects
|
||||
allObjects, err := db.DBImp.Repository.ListAccountBound(ctx, finalQuery)
|
||||
if err != nil {
|
||||
db.Logger.Warn("Failed to list account bound objects", zap.Error(err), mzap.ObjRef("account_ref", accountRef))
|
||||
db.Logger.Warn("Failed to list account bound objects", zap.Error(err), mzap.AccRef(accountRef))
|
||||
return nil, err
|
||||
}
|
||||
|
||||
@@ -323,18 +323,18 @@ func (db *AccountBoundDBImp[T]) ListAccountBound(ctx context.Context, accountRef
|
||||
}
|
||||
|
||||
db.Logger.Debug("Successfully filtered account bound objects", zap.Int("total_count", len(allObjects)),
|
||||
zap.Int("allowed_count", len(allowedObjects)), mzap.ObjRef("account_ref", accountRef))
|
||||
zap.Int("allowed_count", len(allowedObjects)), mzap.AccRef(accountRef))
|
||||
return allowedObjects, nil
|
||||
}
|
||||
|
||||
func (db *AccountBoundDBImp[T]) GetByAccountRef(ctx context.Context, accountRef bson.ObjectID, result T) error {
|
||||
db.Logger.Debug("Attempting to get object by account ref", mzap.ObjRef("account_ref", accountRef))
|
||||
db.Logger.Debug("Attempting to get object by account ref", mzap.AccRef(accountRef))
|
||||
|
||||
// Build query to find objects where accountRef matches OR is null/absent
|
||||
query := repository.WithoutOrg(accountRef)
|
||||
|
||||
if err := db.DBImp.FindOne(ctx, query, result); err != nil {
|
||||
db.Logger.Warn("Failed to get object by account ref", zap.Error(err), mzap.ObjRef("account_ref", accountRef))
|
||||
db.Logger.Warn("Failed to get object by account ref", zap.Error(err), mzap.AccRef(accountRef))
|
||||
return err
|
||||
}
|
||||
|
||||
@@ -343,13 +343,13 @@ func (db *AccountBoundDBImp[T]) GetByAccountRef(ctx context.Context, accountRef
|
||||
return err
|
||||
}
|
||||
|
||||
db.Logger.Debug("Successfully retrieved object by account ref", mzap.ObjRef("account_ref", accountRef),
|
||||
db.Logger.Debug("Successfully retrieved object by account ref", mzap.AccRef(accountRef),
|
||||
mzap.ObjRef("organization_ref", result.GetOrganizationRef()))
|
||||
return nil
|
||||
}
|
||||
|
||||
func (db *AccountBoundDBImp[T]) DeleteByAccountRef(ctx context.Context, accountRef bson.ObjectID) error {
|
||||
db.Logger.Debug("Attempting to delete objects by account ref", mzap.ObjRef("account_ref", accountRef))
|
||||
db.Logger.Debug("Attempting to delete objects by account ref", mzap.AccRef(accountRef))
|
||||
|
||||
// Build query to find objects where accountRef matches OR is null/absent
|
||||
query := repository.WithoutOrg(accountRef)
|
||||
@@ -357,7 +357,7 @@ func (db *AccountBoundDBImp[T]) DeleteByAccountRef(ctx context.Context, accountR
|
||||
// Get all candidate objects for individual permission checking
|
||||
allObjects, err := db.DBImp.Repository.ListAccountBound(ctx, query)
|
||||
if err != nil {
|
||||
db.Logger.Warn("Failed to list objects for delete by account ref", zap.Error(err), mzap.ObjRef("account_ref", accountRef))
|
||||
db.Logger.Warn("Failed to list objects for delete by account ref", zap.Error(err), mzap.AccRef(accountRef))
|
||||
return err
|
||||
}
|
||||
|
||||
@@ -375,18 +375,18 @@ func (db *AccountBoundDBImp[T]) DeleteByAccountRef(ctx context.Context, accountR
|
||||
}
|
||||
|
||||
if len(allowedIDs) == 0 {
|
||||
db.Logger.Debug("No objects allowed for deletion by account ref", mzap.ObjRef("account_ref", accountRef))
|
||||
db.Logger.Debug("No objects allowed for deletion by account ref", mzap.AccRef(accountRef))
|
||||
return nil
|
||||
}
|
||||
|
||||
// Delete only the allowed objects
|
||||
allowedQuery := query.And(repository.Query().In(repository.IDField(), allowedIDs))
|
||||
if err := db.DBImp.DeleteMany(ctx, allowedQuery); err != nil {
|
||||
db.Logger.Warn("Failed to delete objects by account ref", zap.Error(err), mzap.ObjRef("account_ref", accountRef))
|
||||
db.Logger.Warn("Failed to delete objects by account ref", zap.Error(err), mzap.AccRef(accountRef))
|
||||
return err
|
||||
}
|
||||
|
||||
db.Logger.Debug("Successfully deleted objects by account ref", mzap.ObjRef("account_ref", accountRef), zap.Int("count", len(allowedIDs)))
|
||||
db.Logger.Debug("Successfully deleted objects by account ref", mzap.AccRef(accountRef), zap.Int("count", len(allowedIDs)))
|
||||
return nil
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user