Commit f5b27a3

migrating branch operation endpoints to use PermissionDescriptor (#9452)
1 parent db86f41 commit f5b27a3

2 files changed

+43
-67
lines changed


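--- a/pkg/api/controller.go
+++ b/pkg/api/controller.go
@@ -2866,12 +2866,7 @@ func (c *Controller) ListBranches(w http.ResponseWriter, r *http.Request, reposi
 }
 
 func (c *Controller) CreateBranch(w http.ResponseWriter, r *http.Request, body apigen.CreateBranchJSONRequestBody, repository string) {
-	if !c.authorize(w, r, permissions.Node{
-		Permission: permissions.Permission{
-			Action: permissions.CreateBranchAction,
-			Resource: permissions.BranchArn(repository, body.Name),
-		},
-	}) {
+	if !c.authorizeReq(w, r, "CreateBranch", permissions.PermissionParams{Repository: &repository, Branch: &body.Name}, nil) {
 		return
 	}
 	ctx := r.Context()
@@ -2893,12 +2888,7 @@ func (c *Controller) CreateBranch(w http.ResponseWriter, r *http.Request, body a
 }
 
 func (c *Controller) DeleteBranch(w http.ResponseWriter, r *http.Request, repository, branch string, body apigen.DeleteBranchParams) {
-	if !c.authorize(w, r, permissions.Node{
-		Permission: permissions.Permission{
-			Action: permissions.DeleteBranchAction,
-			Resource: permissions.BranchArn(repository, branch),
-		},
-	}) {
+	if !c.authorizeReq(w, r, "DeleteBranch", permissions.PermissionParams{Repository: &repository, Branch: &branch}, nil) {
 		return
 	}
 	ctx := r.Context()
@@ -2912,12 +2902,7 @@ func (c *Controller) DeleteBranch(w http.ResponseWriter, r *http.Request, reposi
 }
 
 func (c *Controller) GetBranch(w http.ResponseWriter, r *http.Request, repository, branch string) {
-	if !c.authorize(w, r, permissions.Node{
-		Permission: permissions.Permission{
-			Action: permissions.ReadBranchAction,
-			Resource: permissions.BranchArn(repository, branch),
-		},
-	}) {
+	if !c.authorizeReq(w, r, "GetBranch", permissions.PermissionParams{Repository: &repository, Branch: &branch}, nil) {
 		return
 	}
 	ctx := r.Context()
@@ -3047,12 +3032,7 @@ func (c *Controller) handleAPIError(ctx context.Context, w http.ResponseWriter,
 }
 
 func (c *Controller) ResetBranch(w http.ResponseWriter, r *http.Request, body apigen.ResetBranchJSONRequestBody, repository, branch string) {
-	if !c.authorize(w, r, permissions.Node{
-		Permission: permissions.Permission{
-			Action: permissions.RevertBranchAction,
-			Resource: permissions.BranchArn(repository, branch),
-		},
-	}) {
+	if !c.authorizeReq(w, r, "ResetBranch", permissions.PermissionParams{Repository: &repository, Branch: &branch}, nil) {
 		return
 	}
 	ctx := r.Context()
@@ -3080,13 +3060,8 @@ func (c *Controller) ResetBranch(w http.ResponseWriter, r *http.Request, body ap
 }
 
 func (c *Controller) HardResetBranch(w http.ResponseWriter, r *http.Request, repository, branch string, params apigen.HardResetBranchParams) {
-	if !c.authorize(w, r, permissions.Node{
-		Permission: permissions.Permission{
-			// TODO(ozkatz): Can we have another action here?
-			Action: permissions.RevertBranchAction,
-			Resource: permissions.BranchArn(repository, branch),
-		},
-	}) {
+	// TODO(ozkatz): Can we have another action here?
+	if !c.authorizeReq(w, r, "HardResetBranch", permissions.PermissionParams{Repository: &repository, Branch: &branch}, nil) {
 		return
 	}
 	ctx := r.Context()
@@ -3211,12 +3186,7 @@ func importStatusToResponse(status *graveler.ImportStatus) apigen.ImportStatus {
 }
 
 func (c *Controller) ImportStatus(w http.ResponseWriter, r *http.Request, repository, branch string, params apigen.ImportStatusParams) {
-	if !c.authorize(w, r, permissions.Node{
-		Permission: permissions.Permission{
-			Action: permissions.ReadBranchAction,
-			Resource: permissions.BranchArn(repository, branch),
-		},
-	}) {
+	if !c.authorizeReq(w, r, "ImportStatus", permissions.PermissionParams{Repository: &repository, Branch: &branch}, nil) {
 		return
 	}
 	ctx := r.Context()
@@ -3230,12 +3200,7 @@ func (c *Controller) ImportStatus(w http.ResponseWriter, r *http.Request, reposi
 }
 
 func (c *Controller) ImportCancel(w http.ResponseWriter, r *http.Request, repository, branch string, params apigen.ImportCancelParams) {
-	if !c.authorize(w, r, permissions.Node{
-		Permission: permissions.Permission{
-			Action: permissions.ImportCancelAction,
-			Resource: permissions.BranchArn(repository, branch),
-		},
-	}) {
+	if !c.authorizeReq(w, r, "ImportCancel", permissions.PermissionParams{Repository: &repository, Branch: &branch}, nil) {
 		return
 	}
 	ctx := r.Context()
@@ -3249,12 +3214,7 @@ func (c *Controller) ImportCancel(w http.ResponseWriter, r *http.Request, reposi
 }
 
 func (c *Controller) Commit(w http.ResponseWriter, r *http.Request, body apigen.CommitJSONRequestBody, repository, branch string, params apigen.CommitParams) {
-	if !c.authorize(w, r, permissions.Node{
-		Permission: permissions.Permission{
-			Action: permissions.CreateCommitAction,
-			Resource: permissions.BranchArn(repository, branch),
-		},
-	}) {
+	if !c.authorizeReq(w, r, "Commit", permissions.PermissionParams{Repository: &repository, Branch: &branch}, nil) {
 		return
 	}
 	ctx := r.Context()
@@ -3708,12 +3668,7 @@ func (c *Controller) CopyObject(w http.ResponseWriter, r *http.Request, body api
 }
 
 func (c *Controller) RevertBranch(w http.ResponseWriter, r *http.Request, body apigen.RevertBranchJSONRequestBody, repository, branch string) {
-	if !c.authorize(w, r, permissions.Node{
-		Permission: permissions.Permission{
-			Action: permissions.RevertBranchAction,
-			Resource: permissions.BranchArn(repository, branch),
-		},
-	}) {
+	if !c.authorizeReq(w, r, "RevertBranch", permissions.PermissionParams{Repository: &repository, Branch: &branch}, nil) {
 		return
 	}
 	ctx := r.Context()
@@ -4516,12 +4471,7 @@ func (c *Controller) DiffRefs(w http.ResponseWriter, r *http.Request, repository
 }
 
 func (c *Controller) LogCommits(w http.ResponseWriter, r *http.Request, repository, ref string, params apigen.LogCommitsParams) {
-	if !c.authorize(w, r, permissions.Node{
-		Permission: permissions.Permission{
-			Action: permissions.ReadBranchAction,
-			Resource: permissions.BranchArn(repository, ref),
-		},
-	}) {
+	if !c.authorizeReq(w, r, "LogCommits", permissions.PermissionParams{Repository: &repository, Branch: &ref}, nil) {
 		return
 	}
 	ctx := r.Context()
@@ -5038,12 +4988,7 @@ func (c *Controller) GetUnderlyingProperties(w http.ResponseWriter, r *http.Requ
 }
 
 func (c *Controller) MergeIntoBranch(w http.ResponseWriter, r *http.Request, body apigen.MergeIntoBranchJSONRequestBody, repository, sourceRef, destinationBranch string) {
-	if !c.authorize(w, r, permissions.Node{
-		Permission: permissions.Permission{
-			Action: permissions.CreateCommitAction,
-			Resource: permissions.BranchArn(repository, destinationBranch),
-		},
-	}) {
+	if !c.authorizeReq(w, r, "MergeIntoBranch", permissions.PermissionParams{Repository: &repository, Branch: &destinationBranch}, nil) {
 		return
 	}
 	ctx := r.Context()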
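Review bot: Each migrated handler now identifies its permission by a bare string (`"CreateBranch"`, `"LogCommits"`, `"MergeIntoBranch"`, …) that must match a key in `permissionByOp` exactly, and nothing in this file ties the two together, so a typo or later rename is caught only by whatever `GetPermissionDescriptor` does for an unknown operation, which is outside these hunks. Consider a test that walks every operation ID passed to `authorizeReq` and asserts it resolves to a non-nil descriptor, or pass the descriptor value rather than its lookup key. The `TODO(ozkatz)` on HardResetBranch is carried over unchanged; with the action now living in one table, a dedicated `HardResetBranchAction` would be a one-line entry in `permissionByOp` rather than a change to the handler. Every handler's body continues past the end of its hunk.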
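--- a/pkg/permissions/permission.go
+++ b/pkg/permissions/permission.go
@@ -65,6 +65,7 @@ func ExternalPrincipalArn(principalID string) string {
 type PermissionParams struct {
 	Repository *string
 	Path *string
+	Branch *string
 }
 
 type PermissionDescriptor interface {
@@ -84,8 +85,27 @@ func (o *ObjectPermission) Permission(params PermissionParams) Node {
 	}
 }
 
+type BranchPermission struct {
+	Action string
+}
+
+func (o *BranchPermission) Permission(params PermissionParams) Node {
+	return Node{
+		Permission: Permission{
+			Action: o.Action,
+			Resource: ObjectArn(*params.Repository, *params.Branch),
+		},
+	}
+}
+
 var readObjectPermission = ObjectPermission{Action: ReadObjectAction}
 var writeObjectPermission = ObjectPermission{Action: WriteObjectAction}
+var createBranchPermission = BranchPermission{Action: CreateBranchAction}
+var deleteBranchPermission = BranchPermission{Action: DeleteBranchAction}
+var readBranchPermission = BranchPermission{Action: ReadBranchAction}
+var revertBranchPermission = BranchPermission{Action: RevertBranchAction}
+var createCommitPermission = BranchPermission{Action: CreateCommitAction}
+var importCancelPermission = BranchPermission{Action: ImportCancelAction}
 
 var permissionByOp = map[string]PermissionDescriptor{
 	"HeadObject": &readObjectPermission,
@@ -97,6 +117,17 @@ var permissionByOp = map[string]PermissionDescriptor{
 	"UpdateObjectUserMetadata": &writeObjectPermission,
 	"UploadObject": &writeObjectPermission,
 	"UploadObjectPreflight": &writeObjectPermission,
+	"CreateBranch": &createBranchPermission,
+	"DeleteBranch": &deleteBranchPermission,
+	"GetBranch": &readBranchPermission,
+	"RevertBranch": &revertBranchPermission,
+	"LogCommits": &readBranchPermission,
+	"ResetBranch": &revertBranchPermission,
+	"MergeIntoBranch": &createCommitPermission,
+	"HardResetBranch": &revertBranchPermission,
+	"ImportStatus": &readBranchPermission,
+	"Commit": &createCommitPermission,
+	"ImportCancel": &importCancelPermission,
 }
 
 func GetPermissionDescriptor(operationId string) PermissionDescriptor {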