62 lines
2.7 KiB
Go
62 lines
2.7 KiB
Go
package auth
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
|
|
"github.com/tech/sendico/pkg/db/repository"
|
|
"github.com/tech/sendico/pkg/db/repository/builder"
|
|
"github.com/tech/sendico/pkg/db/template"
|
|
"github.com/tech/sendico/pkg/merrors"
|
|
"github.com/tech/sendico/pkg/model"
|
|
"github.com/tech/sendico/pkg/mutil/mzap"
|
|
"go.mongodb.org/mongo-driver/bson/primitive"
|
|
"go.uber.org/zap"
|
|
)
|
|
|
|
func enforceObject[T model.PermissionBoundStorable](ctx context.Context, db *template.DBImp[T], enforcer Enforcer, action model.Action, accountRef primitive.ObjectID, query builder.Query) error {
|
|
l, err := db.ListPermissionBound(ctx, query)
|
|
if err != nil {
|
|
db.Logger.Warn("Error occured while checking access rights", zap.Error(err),
|
|
mzap.ObjRef("account_ref", accountRef), zap.String("action", string(action)))
|
|
return err
|
|
}
|
|
if len(l) == 0 {
|
|
db.Logger.Debug("Access denied", mzap.ObjRef("account_ref", accountRef), zap.String("action", string(action)))
|
|
return merrors.AccessDenied(db.Repository.Collection(), string(action), primitive.NilObjectID)
|
|
}
|
|
for _, item := range l {
|
|
db.Logger.Debug("Object found", mzap.ObjRef("object_ref", *item.GetID()),
|
|
mzap.ObjRef("organization_ref", item.GetOrganizationRef()),
|
|
mzap.ObjRef("permission_ref", item.GetPermissionRef()),
|
|
zap.String("collection", item.Collection()))
|
|
}
|
|
res, err := enforcer.EnforceBatch(ctx, l, accountRef, action)
|
|
if err != nil {
|
|
db.Logger.Warn("Failed to enforce permission", zap.Error(err),
|
|
mzap.ObjRef("account_ref", accountRef), zap.String("action", string(action)))
|
|
}
|
|
for objectRef, hasPermission := range res {
|
|
if !hasPermission {
|
|
db.Logger.Info("Permission denied for object during reordering", mzap.ObjRef("account_ref", accountRef),
|
|
mzap.ObjRef("object_ref", objectRef), zap.String("action", string(model.ActionUpdate)))
|
|
return merrors.AccessDenied(db.Repository.Collection(), string(action), objectRef)
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func enforceObjectByRef[T model.PermissionBoundStorable](ctx context.Context, db *template.DBImp[T], enforcer Enforcer, action model.Action, accountRef, objectRef primitive.ObjectID) error {
|
|
err := enforceObject(ctx, db, enforcer, action, accountRef, repository.IDFilter(objectRef))
|
|
if err != nil {
|
|
if errors.Is(err, merrors.ErrAccessDenied) {
|
|
db.Logger.Debug("Access denied", mzap.ObjRef("account_ref", accountRef), mzap.ObjRef("object_ref", objectRef), zap.String("action", string(action)))
|
|
return merrors.AccessDenied(db.Repository.Collection(), string(action), objectRef)
|
|
} else {
|
|
db.Logger.Warn("Error occurred while checking permissions", zap.Error(err),
|
|
mzap.ObjRef("account_ref", accountRef), mzap.ObjRef("object_ref", objectRef), zap.String("action", string(action)))
|
|
}
|
|
}
|
|
return err
|
|
}
|