mirror of
https://github.com/SigNoz/signoz.git
synced 2025-12-17 15:36:48 +00:00
1b818dd05d
* feat(authz): build role module * feat(authz): build role module * feat(authz): refactor the role module to move transactions out * feat(authz): add handler implementation except patch objects * feat(authz): added the missing handler * feat(authz): added changes for selectors * feat(authz): added changes for selectors * feat(authz): added changes for selectors * feat(authz): make the role create handler just to create metadata * feat(authz): address review comments * feat(authz): address review comments * feat(authz): address review comments * feat(authz): address review comments
133 lines
3.4 KiB
Go
133 lines
3.4 KiB
Go
package middleware
|
|
|
|
import (
|
|
"log/slog"
|
|
"net/http"
|
|
|
|
"github.com/SigNoz/signoz/pkg/authz"
|
|
"github.com/SigNoz/signoz/pkg/http/render"
|
|
"github.com/SigNoz/signoz/pkg/types/authtypes"
|
|
"github.com/gorilla/mux"
|
|
)
|
|
|
|
const (
|
|
authzDeniedMessage string = "::AUTHZ-DENIED::"
|
|
)
|
|
|
|
type AuthZ struct {
|
|
logger *slog.Logger
|
|
authzService authz.AuthZ
|
|
}
|
|
|
|
func NewAuthZ(logger *slog.Logger) *AuthZ {
|
|
if logger == nil {
|
|
panic("cannot build authz middleware, logger is empty")
|
|
}
|
|
|
|
return &AuthZ{logger: logger}
|
|
}
|
|
|
|
func (middleware *AuthZ) ViewAccess(next http.HandlerFunc) http.HandlerFunc {
|
|
return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
|
|
claims, err := authtypes.ClaimsFromContext(req.Context())
|
|
if err != nil {
|
|
render.Error(rw, err)
|
|
return
|
|
}
|
|
|
|
if err := claims.IsViewer(); err != nil {
|
|
middleware.logger.WarnContext(req.Context(), authzDeniedMessage, "claims", claims)
|
|
render.Error(rw, err)
|
|
return
|
|
}
|
|
|
|
next(rw, req)
|
|
})
|
|
}
|
|
|
|
func (middleware *AuthZ) EditAccess(next http.HandlerFunc) http.HandlerFunc {
|
|
return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
|
|
claims, err := authtypes.ClaimsFromContext(req.Context())
|
|
if err != nil {
|
|
render.Error(rw, err)
|
|
return
|
|
}
|
|
|
|
if err := claims.IsEditor(); err != nil {
|
|
middleware.logger.WarnContext(req.Context(), authzDeniedMessage, "claims", claims)
|
|
render.Error(rw, err)
|
|
return
|
|
}
|
|
|
|
next(rw, req)
|
|
})
|
|
}
|
|
|
|
func (middleware *AuthZ) AdminAccess(next http.HandlerFunc) http.HandlerFunc {
|
|
return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
|
|
claims, err := authtypes.ClaimsFromContext(req.Context())
|
|
if err != nil {
|
|
render.Error(rw, err)
|
|
return
|
|
}
|
|
|
|
if err := claims.IsAdmin(); err != nil {
|
|
middleware.logger.WarnContext(req.Context(), authzDeniedMessage, "claims", claims)
|
|
render.Error(rw, err)
|
|
return
|
|
}
|
|
|
|
next(rw, req)
|
|
})
|
|
}
|
|
|
|
func (middleware *AuthZ) SelfAccess(next http.HandlerFunc) http.HandlerFunc {
|
|
return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
|
|
claims, err := authtypes.ClaimsFromContext(req.Context())
|
|
if err != nil {
|
|
render.Error(rw, err)
|
|
return
|
|
}
|
|
|
|
id := mux.Vars(req)["id"]
|
|
if err := claims.IsSelfAccess(id); err != nil {
|
|
middleware.logger.WarnContext(req.Context(), authzDeniedMessage, "claims", claims)
|
|
render.Error(rw, err)
|
|
return
|
|
}
|
|
|
|
next(rw, req)
|
|
})
|
|
}
|
|
|
|
func (middleware *AuthZ) OpenAccess(next http.HandlerFunc) http.HandlerFunc {
|
|
return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
|
|
next(rw, req)
|
|
})
|
|
}
|
|
|
|
// Check middleware accepts the relation, typeable, parentTypeable (for direct access + group relations) and a callback function to derive selector and parentSelectors on per request basis.
|
|
func (middleware *AuthZ) Check(next http.HandlerFunc, relation authtypes.Relation, translation authtypes.Relation, typeable authtypes.Typeable, cb authtypes.SelectorCallbackFn) http.HandlerFunc {
|
|
return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
|
|
claims, err := authtypes.ClaimsFromContext(req.Context())
|
|
if err != nil {
|
|
render.Error(rw, err)
|
|
return
|
|
}
|
|
|
|
selector, err := cb(req.Context(), claims)
|
|
if err != nil {
|
|
render.Error(rw, err)
|
|
return
|
|
}
|
|
|
|
err = middleware.authzService.CheckWithTupleCreation(req.Context(), claims, relation, typeable, selector)
|
|
if err != nil {
|
|
render.Error(rw, err)
|
|
return
|
|
}
|
|
|
|
next(rw, req)
|
|
})
|
|
}
|