mirror of
https://github.com/coder/coder.git
synced 2026-06-02 20:48:20 +00:00
Callum Styan
42 lines
1.6 KiB
Go
42 lines
1.6 KiB
Go
package dbauthz
|
|
|
|
import (
|
|
"context"
|
|
|
|
"github.com/google/uuid"
|
|
"golang.org/x/xerrors"
|
|
|
|
"github.com/coder/coder/v2/coderd/rbac"
|
|
)
|
|
|
|
func isWorkspaceRBACObjectEmpty(rbacObj rbac.Object) bool {
|
|
// if any of these are true then the rbac.Object work a workspace is considered empty
|
|
return rbacObj.Owner == "" || rbacObj.OrgID == "" || rbacObj.Owner == uuid.Nil.String() || rbacObj.OrgID == uuid.Nil.String()
|
|
}
|
|
|
|
type workspaceRBACContextKey struct{}
|
|
|
|
// WithWorkspaceRBAC attaches a workspace RBAC object to the context.
|
|
// RBAC fields on this RBAC object should not be used.
|
|
//
|
|
// This is primarily used by the workspace agent RPC handler to cache workspace
|
|
// authorization data for the duration of an agent connection.
|
|
func WithWorkspaceRBAC(ctx context.Context, rbacObj rbac.Object) (context.Context, error) {
|
|
if rbacObj.Type != rbac.ResourceWorkspace.Type {
|
|
return ctx, xerrors.New("RBAC Object must be of type Workspace")
|
|
}
|
|
if isWorkspaceRBACObjectEmpty(rbacObj) {
|
|
return ctx, xerrors.Errorf("cannot attach empty RBAC object to context: %+v", rbacObj)
|
|
}
|
|
if len(rbacObj.ACLGroupList) != 0 || len(rbacObj.ACLUserList) != 0 {
|
|
return ctx, xerrors.New("ACL fields for Workspace RBAC object must be nullified, the can be changed during runtime and should not be cached")
|
|
}
|
|
return context.WithValue(ctx, workspaceRBACContextKey{}, rbacObj), nil
|
|
}
|
|
|
|
// WorkspaceRBACFromContext attempts to retrieve the workspace RBAC object from context.
|
|
func WorkspaceRBACFromContext(ctx context.Context) (rbac.Object, bool) {
|
|
obj, ok := ctx.Value(workspaceRBACContextKey{}).(rbac.Object)
|
|
return obj, ok
|
|
}
|