From d14b855670ed71ccf135f67ed78ca32dbc9c0ce3 Mon Sep 17 00:00:00 2001 From: bcmmbaga Date: Tue, 24 Sep 2024 22:57:04 +0300 Subject: [PATCH] Refactor user permissions and retrieves PAT Signed-off-by: bcmmbaga --- management/server/group.go | 2 +- management/server/policy.go | 4 +-- management/server/user.go | 62 ++++++++++++++++--------------------- 3 files changed, 29 insertions(+), 39 deletions(-) diff --git a/management/server/group.go b/management/server/group.go index 60d895d0a..9bc32dde1 100644 --- a/management/server/group.go +++ b/management/server/group.go @@ -37,7 +37,7 @@ func (am *DefaultAccountManager) CheckGroupPermissions(ctx context.Context, acco return err } - if !user.HasAdminPower() && !user.IsServiceUser && settings.RegularUsersViewBlocked { + if (!user.IsAdminOrServiceUser() && settings.RegularUsersViewBlocked) || user.AccountID != accountID { return status.Errorf(status.PermissionDenied, "groups are blocked for users") } diff --git a/management/server/policy.go b/management/server/policy.go index 204d719c1..c10be5c0c 100644 --- a/management/server/policy.go +++ b/management/server/policy.go @@ -320,7 +320,7 @@ func (am *DefaultAccountManager) GetPolicy(ctx context.Context, accountID, polic return nil, err } - if (!user.HasAdminPower() && !user.IsServiceUser) || user.AccountID != accountID { + if !user.IsAdminOrServiceUser() || user.AccountID != accountID { return nil, status.Errorf(status.PermissionDenied, "only users with admin power are allowed to view policies") } @@ -391,7 +391,7 @@ func (am *DefaultAccountManager) ListPolicies(ctx context.Context, accountID, us return nil, err } - if (!user.HasAdminPower() && !user.IsServiceUser) || user.AccountID != accountID { + if !user.IsAdminOrServiceUser() || user.AccountID != accountID { return nil, status.Errorf(status.PermissionDenied, "only users with admin power are allowed to view policies") } diff --git a/management/server/user.go b/management/server/user.go index 3c2feec9f..6d01561c6 100644 --- a/management/server/user.go +++ b/management/server/user.go @@ -94,6 +94,11 @@ func (u *User) HasAdminPower() bool { return u.Role == UserRoleAdmin || u.Role == UserRoleOwner } +// IsAdminOrServiceUser checks if the user has admin power or is a service user. +func (u *User) IsAdminOrServiceUser() bool { + return u.HasAdminPower() || u.IsServiceUser +} + // ToUserInfo converts a User object to a UserInfo object. func (u *User) ToUserInfo(userData *idp.UserData, settings *Settings) (*UserInfo, error) { autoGroups := u.AutoGroups @@ -638,63 +643,48 @@ func (am *DefaultAccountManager) DeletePAT(ctx context.Context, accountID string // GetPAT returns a specific PAT from a user func (am *DefaultAccountManager) GetPAT(ctx context.Context, accountID string, initiatorUserID string, targetUserID string, tokenID string) (*PersonalAccessToken, error) { - unlock := am.Store.AcquireWriteLockByUID(ctx, accountID) - defer unlock() - - account, err := am.Store.GetAccount(ctx, accountID) + initiatorUser, err := am.Store.GetUserByUserID(ctx, LockingStrengthShare, initiatorUserID) if err != nil { - return nil, status.Errorf(status.NotFound, "account not found: %s", err) + return nil, err } - targetUser, ok := account.Users[targetUserID] - if !ok { - return nil, status.Errorf(status.NotFound, "user not found") + targetUser, err := am.Store.GetUserByUserID(ctx, LockingStrengthShare, targetUserID) + if err != nil { + return nil, err } - executingUser, ok := account.Users[initiatorUserID] - if !ok { - return nil, status.Errorf(status.NotFound, "user not found") + if (initiatorUserID != targetUserID && !initiatorUser.IsAdminOrServiceUser()) || initiatorUser.AccountID != accountID { + return nil, status.Errorf(status.PermissionDenied, "no permission to get PAT for this user") } - if !(initiatorUserID == targetUserID || (executingUser.HasAdminPower() && targetUser.IsServiceUser)) { - return nil, status.Errorf(status.PermissionDenied, "no permission to get PAT for this userser") + for _, pat := range targetUser.PATsG { + if pat.ID == tokenID { + return pat.Copy(), nil + } } - pat := targetUser.PATs[tokenID] - if pat == nil { - return nil, status.Errorf(status.NotFound, "PAT not found") - } - - return pat, nil + return nil, status.Errorf(status.NotFound, "PAT not found") } // GetAllPATs returns all PATs for a user func (am *DefaultAccountManager) GetAllPATs(ctx context.Context, accountID string, initiatorUserID string, targetUserID string) ([]*PersonalAccessToken, error) { - unlock := am.Store.AcquireWriteLockByUID(ctx, accountID) - defer unlock() - - account, err := am.Store.GetAccount(ctx, accountID) + initiatorUser, err := am.Store.GetUserByUserID(ctx, LockingStrengthShare, initiatorUserID) if err != nil { - return nil, status.Errorf(status.NotFound, "account not found: %s", err) + return nil, err } - targetUser, ok := account.Users[targetUserID] - if !ok { - return nil, status.Errorf(status.NotFound, "user not found") + targetUser, err := am.Store.GetUserByUserID(ctx, LockingStrengthShare, targetUserID) + if err != nil { + return nil, err } - executingUser, ok := account.Users[initiatorUserID] - if !ok { - return nil, status.Errorf(status.NotFound, "user not found") - } - - if !(initiatorUserID == targetUserID || (executingUser.HasAdminPower() && targetUser.IsServiceUser)) { + if (initiatorUserID != targetUserID && !initiatorUser.IsAdminOrServiceUser()) || initiatorUser.AccountID != accountID { return nil, status.Errorf(status.PermissionDenied, "no permission to get PAT for this user") } - var pats []*PersonalAccessToken - for _, pat := range targetUser.PATs { - pats = append(pats, pat) + pats := make([]*PersonalAccessToken, 0, len(targetUser.PATsG)) + for _, pat := range targetUser.PATsG { + pats = append(pats, pat.Copy()) } return pats, nil