diff --git a/pkg/api/controller.go b/pkg/api/controller.go
index 91de92c2df3..6fb0bf406c1 100644
--- a/pkg/api/controller.go
+++ b/pkg/api/controller.go
@@ -135,12 +135,7 @@ func NewController(cfg config.Config, catalog *catalog.Catalog, authenticator au
 }
 func (c *Controller) DeleteUser(w http.ResponseWriter, r *http.Request, userID string) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.DeleteUserAction,
- Resource: permissions.UserArn(userID),
- },
- }) {
+ if !c.authorize(w, r, permissions.DeleteUserPermissions(userID)) {
 return
 }
@@ -158,12 +153,7 @@ func (c *Controller) DeleteUser(w http.ResponseWriter, r *http.Request, userID s
 }
 func (c *Controller) CreatePresignMultipartUpload(w http.ResponseWriter, r *http.Request, repository string, branch string, params apigen.CreatePresignMultipartUploadParams) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.WriteObjectAction,
- Resource: permissions.ObjectArn(repository, params.Path),
- },
- }) {
+ if !c.authorize(w, r, permissions.CreatePresignMultipartUploadPermissions(repository, params.Path)) {
 return
 }
 ctx := r.Context()
@@ -425,12 +415,7 @@ func (c *Controller) UploadPartCopy(w http.ResponseWriter, r *http.Request,
 }
 func (c *Controller) AbortPresignMultipartUpload(w http.ResponseWriter, r *http.Request, body apigen.AbortPresignMultipartUploadJSONRequestBody, repository string, branch string, uploadID string, params apigen.AbortPresignMultipartUploadParams) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.WriteObjectAction,
- Resource: permissions.ObjectArn(repository, params.Path),
- },
- }) {
+ if !c.authorize(w, r, permissions.AbortPresignMultipartUploadPermissions(repository, params.Path)) {
 return
 }
 ctx := r.Context()
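Review bot: In the DeleteUser hunk the `permissions.DeleteUserPermissions(userID)` call now hides which action and resource are checked, and the helper's body is not in this diff, so a reader of the controller can no longer confirm that it still demands `DeleteUserAction` on `UserArn(userID)` as the removed literal did; the same applies to every helper introduced in this file. Since these calls are the only authorization gate on each endpoint, a table-driven test in the permissions package that pins each helper's (action, resource) pair to the values in the removed literals would catch a helper drifting to a weaker check without any change visible here. A one-line doc comment on each helper naming the action it requires, e.g. `// DeleteUserPermissions requires DeleteUserAction on the user ARN.`, would give the call sites the same readability the literals had. DeleteUser's body continues outside the hunk.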
@@ -489,12 +474,7 @@ func (c *Controller) AbortPresignMultipartUpload(w http.ResponseWriter, r *http.
 }
 func (c *Controller) CompletePresignMultipartUpload(w http.ResponseWriter, r *http.Request, body apigen.CompletePresignMultipartUploadJSONRequestBody, repository string, branch string, uploadID string, params apigen.CompletePresignMultipartUploadParams) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.WriteObjectAction,
- Resource: permissions.ObjectArn(repository, params.Path),
- },
- }) {
+ if !c.authorize(w, r, permissions.CompletePresignMultipartUploadPermissions(repository, params.Path)) {
 return
 }
 ctx := r.Context()
@@ -609,12 +589,7 @@ func (c *Controller) CompletePresignMultipartUpload(w http.ResponseWriter, r *ht
 }
 func (c *Controller) PrepareGarbageCollectionUncommitted(w http.ResponseWriter, r *http.Request, body apigen.PrepareGarbageCollectionUncommittedJSONRequestBody, repository string) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.PrepareGarbageCollectionUncommittedAction,
- Resource: permissions.RepoArn(repository),
- },
- }) {
+ if !c.authorize(w, r, permissions.PrepareGarbageCollectionUncommittedPermissions(repository)) {
 return
 }
 ctx := r.Context()
@@ -681,12 +656,7 @@ func (c *Controller) DeleteObjects(w http.ResponseWriter, r *http.Request, body
 // check if we authorize to delete each object, prepare a list of paths we can delete
 var pathsToDelete []string
 for _, objectPath := range body.Paths {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.DeleteObjectAction,
- Resource: permissions.ObjectArn(repository, objectPath),
- },
- }) {
+ if !c.authorize(w, r, permissions.DeleteObjectsPermissions(repository, objectPath)) {
 errs = append(errs, apigen.ObjectError{
 Path: swag.String(objectPath),
 StatusCode: http.StatusUnauthorized,
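Review bot: In the DeleteObjects hunk, `permissions.DeleteObjectsPermissions(repository, objectPath)` replaces exactly the same literal — `DeleteObjectAction` on `ObjectArn(repository, objectPath)` — that the later DeleteObject hunk replaces with `permissions.DeleteObjectPermissions(repository, params.Path)`, so the file now has two differently named helpers for one per-object permission. If the two are separate implementations (their bodies are not in this diff), a future tightening of one will silently leave the bulk endpoint weaker than the single-object one; the loop should call the same helper, `if !c.authorize(w, r, permissions.DeleteObjectPermissions(repository, objectPath)) {`, or the plural helper should be a thin alias documented as such. The per-path loop and the `else` branch that builds `pathsToDelete` continue outside the hunk.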
@@ -846,12 +816,7 @@ func (c *Controller) StsLogin(w http.ResponseWriter, r *http.Request, body apige
 }
 func (c *Controller) GetPhysicalAddress(w http.ResponseWriter, r *http.Request, repository, branch string, params apigen.GetPhysicalAddressParams) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.WriteObjectAction,
- Resource: permissions.ObjectArn(repository, params.Path),
- },
- }) {
+ if !c.authorize(w, r, permissions.GetPhysicalAddressPermissions(repository, params.Path)) {
 return
 }
 ctx := r.Context()
@@ -905,12 +870,7 @@ func (c *Controller) GetPhysicalAddress(w http.ResponseWriter, r *http.Request,
 }
 func (c *Controller) LinkPhysicalAddress(w http.ResponseWriter, r *http.Request, body apigen.LinkPhysicalAddressJSONRequestBody, repository, branch string, params apigen.LinkPhysicalAddressParams) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.WriteObjectAction,
- Resource: permissions.ObjectArn(repository, params.Path),
- },
- }) {
+ if !c.authorize(w, r, permissions.LinkPhysicalAddressPermissions(repository, params.Path)) {
 return
 }
@@ -1030,12 +990,7 @@ func normalizePhysicalAddress(storageNamespace, physicalAddress string) (string,
 }
 func (c *Controller) ListGroups(w http.ResponseWriter, r *http.Request, params apigen.ListGroupsParams) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.ListGroupsAction,
- Resource: permissions.All,
- },
- }) {
+ if !c.authorize(w, r, permissions.ListGroupsPermissions()) {
 return
 }
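Review bot: In the GetPhysicalAddress hunk the removed literal shows the endpoint is gated on `WriteObjectAction`, but the new helper is named `GetPhysicalAddressPermissions`, which reads as a read check; nothing at the call site now records that a write permission is intentionally required here, presumably because the endpoint hands out a location to write into. A later maintainer "fixing" the helper to a read action would let read-only principals pass this gate with no change visible in the controller. I would keep the intent at the call site with `// GetPhysicalAddress hands out a write target: requires WriteObjectAction, not a read action.` above the `if`, or state the same in the helper's doc comment. The helper body is outside this diff and GetPhysicalAddress continues past the hunk.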
@@ -1071,12 +1026,7 @@ func (c *Controller) ListGroups(w http.ResponseWriter, r *http.Request, params a
 }
 func (c *Controller) CreateGroup(w http.ResponseWriter, r *http.Request, body apigen.CreateGroupJSONRequestBody) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.CreateGroupAction,
- Resource: permissions.GroupArn(body.Id),
- },
- }) {
+ if !c.authorize(w, r, permissions.CreateGroupPermissions(body.Id)) {
 return
 }
 ctx := r.Context()
@@ -1108,12 +1058,7 @@ func (c *Controller) CreateGroup(w http.ResponseWriter, r *http.Request, body ap
 }
 func (c *Controller) DeleteGroup(w http.ResponseWriter, r *http.Request, groupID string) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.DeleteGroupAction,
- Resource: permissions.GroupArn(groupID),
- },
- }) {
+ if !c.authorize(w, r, permissions.DeleteGroupPermissions(groupID)) {
 return
 }
@@ -1131,12 +1076,7 @@ func (c *Controller) DeleteGroup(w http.ResponseWriter, r *http.Request, groupID
 }
 func (c *Controller) GetGroup(w http.ResponseWriter, r *http.Request, groupID string) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.ReadGroupAction,
- Resource: permissions.GroupArn(groupID),
- },
- }) {
+ if !c.authorize(w, r, permissions.GetGroupPermissions(groupID)) {
 return
 }
 ctx := r.Context()
@@ -1160,23 +1100,7 @@ func (c *Controller) GetGroup(w http.ResponseWriter, r *http.Request, groupID st
 func (c *Controller) GetGroupACL(w http.ResponseWriter, r *http.Request, groupID string) {
 aclPolicyName := authacl.PolicyName(groupID)
- if !c.authorize(w, r, permissions.Node{
- Type: permissions.NodeTypeAnd,
- Nodes: []permissions.Node{
- {
- Permission: permissions.Permission{
- Action: permissions.ReadGroupAction,
- Resource: permissions.GroupArn(groupID),
- },
- },
- {
- Permission: permissions.Permission{
- Action: permissions.ReadPolicyAction,
- Resource: permissions.PolicyArn(aclPolicyName),
- },
- },
- },
- }) {
+ if !c.authorize(w, r, permissions.GetGroupACLPermissions(groupID, aclPolicyName)) {
 return
 }
@@ -1232,29 +1156,7 @@ func (c *Controller) GetGroupACL(w http.ResponseWriter, r *http.Request, groupID
 func (c *Controller) SetGroupACL(w http.ResponseWriter, r *http.Request, body apigen.SetGroupACLJSONRequestBody, groupID string) {
 aclPolicyName := authacl.PolicyName(groupID)
- if !c.authorize(w, r, permissions.Node{
- Type: permissions.NodeTypeAnd,
- Nodes: []permissions.Node{
- {
- Permission: permissions.Permission{
- Action: permissions.ReadGroupAction,
- Resource: permissions.GroupArn(groupID),
- },
- },
- {
- Permission: permissions.Permission{
- Action: permissions.AttachPolicyAction,
- Resource: permissions.PolicyArn(aclPolicyName),
- },
- },
- {
- Permission: permissions.Permission{
- Action: permissions.UpdatePolicyAction,
- Resource: permissions.PolicyArn(aclPolicyName),
- },
- },
- },
- }) {
+ if !c.authorize(w, r, permissions.SetGroupACLPermissions(groupID, aclPolicyName)) {
 return
 }
@@ -1274,12 +1176,7 @@ func (c *Controller) SetGroupACL(w http.ResponseWriter, r *http.Request, body ap
 }
 func (c *Controller) ListGroupMembers(w http.ResponseWriter, r *http.Request, groupID string, params apigen.ListGroupMembersParams) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.ReadGroupAction,
- Resource: permissions.GroupArn(groupID),
- },
- }) {
+ if !c.authorize(w, r, permissions.ListGroupMembersPermissions(groupID)) {
 return
 }
 ctx := r.Context()
@@ -1313,12 +1210,7 @@ func (c *Controller) ListGroupMembers(w http.ResponseWriter, r *http.Request, gr
 }
 func (c *Controller) DeleteGroupMembership(w http.ResponseWriter, r *http.Request, groupID, userID string) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.RemoveGroupMemberAction,
- Resource: permissions.GroupArn(groupID),
- },
- }) {
+ if !c.authorize(w, r, permissions.DeleteGroupMembershipPermissions(groupID)) {
 return
 }
@@ -1332,12 +1224,7 @@ func (c *Controller) DeleteGroupMembership(w http.ResponseWriter, r *http.Reques
 }
 func (c *Controller) AddGroupMembership(w http.ResponseWriter, r *http.Request, groupID, userID string) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.AddGroupMemberAction,
- Resource: permissions.GroupArn(groupID),
- },
- }) {
+ if !c.authorize(w, r, permissions.AddGroupMembershipPermissions(groupID)) {
 return
 }
 ctx := r.Context()
@@ -1354,12 +1241,7 @@ func (c *Controller) ListGroupPolicies(w http.ResponseWriter, r *http.Request, g
 writeError(w, r, http.StatusNotImplemented, "Not implemented")
 return
 }
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.ReadGroupAction,
- Resource: permissions.GroupArn(groupID),
- },
- }) {
+ if !c.authorize(w, r, permissions.ListGroupPoliciesPermissions(groupID)) {
 return
 }
@@ -1411,12 +1293,7 @@ func (c *Controller) DetachPolicyFromGroup(w http.ResponseWriter, r *http.Reques
 writeError(w, r, http.StatusNotImplemented, "Not implemented")
 return
 }
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.DetachPolicyAction,
- Resource: permissions.GroupArn(groupID),
- },
- }) {
+ if !c.authorize(w, r, permissions.DetachPolicyFromGroupPermissions(groupID)) {
 return
 }
 ctx := r.Context()
@@ -1433,12 +1310,7 @@ func (c *Controller) AttachPolicyToGroup(w http.ResponseWriter, r *http.Request,
 writeError(w, r, http.StatusNotImplemented, "Not implemented")
 return
 }
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.AttachPolicyAction,
- Resource: permissions.GroupArn(groupID),
- },
- }) {
+ if !c.authorize(w, r, permissions.AttachPolicyToGroupPermissions(groupID)) {
 return
 }
@@ -1456,12 +1328,7 @@ func (c *Controller) ListPolicies(w http.ResponseWriter, r *http.Request, params
 writeError(w, r, http.StatusNotImplemented, "Not implemented")
 return
 }
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.ListPoliciesAction,
- Resource: permissions.All,
- },
- }) {
+ if !c.authorize(w, r, permissions.ListPoliciesPermissions()) {
 return
 }
@@ -1495,12 +1362,7 @@ func (c *Controller) CreatePolicy(w http.ResponseWriter, r *http.Request, body a
 writeError(w, r, http.StatusNotImplemented, "Not implemented")
 return
 }
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.CreatePolicyAction,
- Resource: permissions.PolicyArn(body.Id),
- },
- }) {
+ if !c.authorize(w, r, permissions.CreatePolicyPermissions(body.Id)) {
 return
 }
 ctx := r.Context()
@@ -1541,12 +1403,7 @@ func (c *Controller) DeletePolicy(w http.ResponseWriter, r *http.Request, policy
 writeError(w, r, http.StatusNotImplemented, "Not implemented")
 return
 }
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.DeletePolicyAction,
- Resource: permissions.PolicyArn(policyID),
- },
- }) {
+ if !c.authorize(w, r, permissions.DeletePolicyPermissions(policyID)) {
 return
 }
 ctx := r.Context()
@@ -1567,12 +1424,7 @@ func (c *Controller) GetPolicy(w http.ResponseWriter, r *http.Request, policyID
 writeError(w, r, http.StatusNotImplemented, "Not implemented")
 return
 }
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.ReadPolicyAction,
- Resource: permissions.PolicyArn(policyID),
- },
- }) {
+ if !c.authorize(w, r, permissions.GetPolicyPermissions(policyID)) {
 return
 }
 ctx := r.Context()
@@ -1595,12 +1447,7 @@ func (c *Controller) UpdatePolicy(w http.ResponseWriter, r *http.Request, body a
 writeError(w, r, http.StatusNotImplemented, "Not implemented")
 return
 }
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.UpdatePolicyAction,
- Resource: permissions.PolicyArn(policyID),
- },
- }) {
+ if !c.authorize(w, r, permissions.UpdatePolicyPermissions(policyID)) {
 return
 }
 // verify requested policy match the policy document id
@@ -1635,12 +1482,7 @@ func (c *Controller) UpdatePolicy(w http.ResponseWriter, r *http.Request, body a
 }
 func (c *Controller) ListUsers(w http.ResponseWriter, r *http.Request, params apigen.ListUsersParams) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.ListUsersAction,
- Resource: permissions.All,
- },
- }) {
+ if !c.authorize(w, r, permissions.ListUsersPermissions()) {
 return
 }
 ctx := r.Context()
@@ -1696,12 +1538,7 @@ func (c *Controller) CreateUser(w http.ResponseWriter, r *http.Request, body api
 username = strings.ToLower(addr.Address)
 parsedEmail = &addr.Address
 }
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.CreateUserAction,
- Resource: permissions.UserArn(username),
- },
- }) {
+ if !c.authorize(w, r, permissions.CreateUserPermissions(username)) {
 return
 }
 ctx := r.Context()
@@ -1742,12 +1579,7 @@ func (c *Controller) CreateUser(w http.ResponseWriter, r *http.Request, body api
 }
 func (c *Controller) GetUser(w http.ResponseWriter, r *http.Request, userID string) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.ReadUserAction,
- Resource: permissions.UserArn(userID),
- },
- }) {
+ if !c.authorize(w, r, permissions.GetUserPermissions(userID)) {
 return
 }
 ctx := r.Context()
@@ -1770,12 +1602,7 @@ func (c *Controller) GetUser(w http.ResponseWriter, r *http.Request, userID stri
 }
 func (c *Controller) ListUserCredentials(w http.ResponseWriter, r *http.Request, userID string, params apigen.ListUserCredentialsParams) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.ListCredentialsAction,
- Resource: permissions.UserArn(userID),
- },
- }) {
+ if !c.authorize(w, r, permissions.ListUserCredentialsPermissions(userID)) {
 return
 }
 ctx := r.Context()
@@ -1807,12 +1634,7 @@ func (c *Controller) ListUserCredentials(w http.ResponseWriter, r *http.Request,
 }
 func (c *Controller) CreateCredentials(w http.ResponseWriter, r *http.Request, userID string) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.CreateCredentialsAction,
- Resource: permissions.UserArn(userID),
- },
- }) {
+ if !c.authorize(w, r, permissions.CreateCredentialsPermissions(userID)) {
 return
 }
 ctx := r.Context()
@@ -1830,12 +1652,7 @@ func (c *Controller) CreateCredentials(w http.ResponseWriter, r *http.Request, u
 }
 func (c *Controller) DeleteCredentials(w http.ResponseWriter, r *http.Request, userID, accessKeyID string) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.DeleteCredentialsAction,
- Resource: permissions.UserArn(userID),
- },
- }) {
+ if !c.authorize(w, r, permissions.DeleteCredentialsPermissions(userID)) {
 return
 }
@@ -1853,12 +1670,7 @@ func (c *Controller) DeleteCredentials(w http.ResponseWriter, r *http.Request, u
 }
 func (c *Controller) GetCredentials(w http.ResponseWriter, r *http.Request, userID, accessKeyID string) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.ReadCredentialsAction,
- Resource: permissions.UserArn(userID),
- },
- }) {
+ if !c.authorize(w, r, permissions.GetCredentialsPermissions(userID)) {
 return
 }
 ctx := r.Context()
@@ -1880,12 +1692,7 @@ func (c *Controller) GetCredentials(w http.ResponseWriter, r *http.Request, user
 }
 func (c *Controller) ListUserGroups(w http.ResponseWriter, r *http.Request, userID string, params apigen.ListUserGroupsParams) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.ReadUserAction,
- Resource: permissions.UserArn(userID),
- },
- }) {
+ if !c.authorize(w, r, permissions.ListUserGroupsPermissions(userID)) {
 return
 }
 ctx := r.Context()
@@ -1923,12 +1730,7 @@ func (c *Controller) ListUserPolicies(w http.ResponseWriter, r *http.Request, us
 writeError(w, r, http.StatusNotImplemented, "Not implemented")
 return
 }
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.ReadUserAction,
- Resource: permissions.UserArn(userID),
- },
- }) {
+ if !c.authorize(w, r, permissions.ListUserPoliciesPermissions(userID)) {
 return
 }
@@ -1968,12 +1770,7 @@ func (c *Controller) DetachPolicyFromUser(w http.ResponseWriter, r *http.Request
 writeError(w, r, http.StatusNotImplemented, "Not implemented")
 return
 }
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.DetachPolicyAction,
- Resource: permissions.UserArn(userID),
- },
- }) {
+ if !c.authorize(w, r, permissions.DetachPolicyFromUserPermissions(userID)) {
 return
 }
 ctx := r.Context()
@@ -1990,12 +1787,7 @@ func (c *Controller) AttachPolicyToUser(w http.ResponseWriter, r *http.Request,
 writeError(w, r, http.StatusNotImplemented, "Not implemented")
 return
 }
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.AttachPolicyAction,
- Resource: permissions.UserArn(userID),
- },
- }) {
+ if !c.authorize(w, r, permissions.AttachPolicyToUserPermissions(userID)) {
 return
 }
@@ -2015,12 +1807,7 @@ func (c *Controller) GetConfig(w http.ResponseWriter, r *http.Request) {
 return
 }
 internalError := false
- if !c.authorizeCallback(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.ReadConfigAction,
- Resource: permissions.All,
- },
- }, func(_ http.ResponseWriter, _ *http.Request, code int, v interface{}) {
+ if !c.authorizeCallback(w, r, permissions.GetConfigPermissions(), func(_ http.ResponseWriter, _ *http.Request, code int, v interface{}) {
 switch code {
 case http.StatusInternalServerError:
 writeError(w, r, code, v)
@@ -2040,12 +1827,7 @@ func (c *Controller) GetConfig(w http.ResponseWriter, r *http.Request) {
 }
 func (c *Controller) GetStorageConfig(w http.ResponseWriter, r *http.Request) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.ReadConfigAction,
- Resource: permissions.All,
- },
- }) {
+ if !c.authorize(w, r, permissions.GetStorageConfigPermissions()) {
 return
 }
@@ -2111,12 +1893,7 @@ func (c *Controller) HealthCheck(w http.ResponseWriter, r *http.Request) {
 }
 func (c *Controller) ListRepositories(w http.ResponseWriter, r *http.Request, params apigen.ListRepositoriesParams) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.ListRepositoriesAction,
- Resource: permissions.All,
- },
- }) {
+ if !c.authorize(w, r, permissions.ListRepositoriesPermissions()) {
 return
 }
 ctx := r.Context()
@@ -2150,23 +1927,7 @@ func (c *Controller) CreateRepository(w http.ResponseWriter, r *http.Request, bo
 storageID := config.GetActualStorageID(c.Config.StorageConfig(), swag.StringValue(body.StorageId))
 storageNamespace := body.StorageNamespace
- if !c.authorize(w, r, permissions.Node{
- Type: permissions.NodeTypeAnd,
- Nodes: []permissions.Node{
- {
- Permission: permissions.Permission{
- Action: permissions.CreateRepositoryAction,
- Resource: permissions.RepoArn(body.Name),
- },
- },
- {
- Permission: permissions.Permission{
- Action: permissions.AttachStorageNamespaceAction,
- Resource: permissions.StorageNamespace(storageNamespace),
- },
- },
- },
- }) {
+ if !c.authorize(w, r, permissions.CreateRepositoryPermissions(body.Name, storageNamespace)) {
 return
 }
 ctx := r.Context()
@@ -2373,12 +2134,7 @@ func (c *Controller) ensureStorageNamespace(ctx context.Context, storageID, stor
 }
 func (c *Controller) DeleteRepository(w http.ResponseWriter, r *http.Request, repository string, params apigen.DeleteRepositoryParams) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.DeleteRepositoryAction,
- Resource: permissions.RepoArn(repository),
- },
- }) {
+ if !c.authorize(w, r, permissions.DeleteRepositoryPermissions(repository)) {
 return
 }
 ctx := r.Context()
@@ -2391,12 +2147,7 @@ func (c *Controller) DeleteRepository(w http.ResponseWriter, r *http.Request, re
 }
 func (c *Controller) GetRepository(w http.ResponseWriter, r *http.Request, repository string) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.ReadRepositoryAction,
- Resource: permissions.RepoArn(repository),
- },
- }) {
+ if !c.authorize(w, r, permissions.GetRepositoryPermissions(repository)) {
 return
 }
 ctx := r.Context()
@@ -2426,12 +2177,7 @@ func (c *Controller) GetRepository(w http.ResponseWriter, r *http.Request, repos
 }
 func (c *Controller) GetRepositoryMetadata(w http.ResponseWriter, r *http.Request, repository string) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.ReadRepositoryAction,
- Resource: permissions.RepoArn(repository),
- },
- }) {
+ if !c.authorize(w, r, permissions.GetRepositoryMetadataPermissions(repository)) {
 return
 }
 ctx := r.Context()
@@ -2444,12 +2190,7 @@ func (c *Controller) GetRepositoryMetadata(w http.ResponseWriter, r *http.Reques
 }
 func (c *Controller) SetRepositoryMetadata(w http.ResponseWriter, r *http.Request, body apigen.SetRepositoryMetadataJSONRequestBody, repository string) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.UpdateRepositoryAction,
- Resource: permissions.RepoArn(repository),
- },
- }) {
+ if !c.authorize(w, r, permissions.SetRepositoryMetadataPermissions(repository)) {
 return
 }
 ctx := r.Context()
@@ -2462,12 +2203,7 @@ func (c *Controller) SetRepositoryMetadata(w http.ResponseWriter, r *http.Reques
 }
 func (c *Controller) DeleteRepositoryMetadata(w http.ResponseWriter, r *http.Request, body apigen.DeleteRepositoryMetadataJSONRequestBody, repository string) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.UpdateRepositoryAction,
- Resource: permissions.RepoArn(repository),
- },
- }) {
+ if !c.authorize(w, r, permissions.DeleteRepositoryMetadataPermissions(repository)) {
 return
 }
 ctx := r.Context()
@@ -2480,12 +2216,7 @@ func (c *Controller) DeleteRepositoryMetadata(w http.ResponseWriter, r *http.Req
 }
 func (c *Controller) GetBranchProtectionRules(w http.ResponseWriter, r *http.Request, repository string) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.GetBranchProtectionRulesAction,
- Resource: permissions.RepoArn(repository),
- },
- }) {
+ if !c.authorize(w, r, permissions.GetBranchProtectionRulesPermissions(repository)) {
 return
 }
 ctx := r.Context()
@@ -2504,12 +2235,7 @@ func (c *Controller) GetBranchProtectionRules(w http.ResponseWriter, r *http.Req
 }
 func (c *Controller) SetBranchProtectionRules(w http.ResponseWriter, r *http.Request, body apigen.SetBranchProtectionRulesJSONRequestBody, repository string, params apigen.SetBranchProtectionRulesParams) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.SetBranchProtectionRulesAction,
- Resource: permissions.RepoArn(repository),
- },
- }) {
+ if !c.authorize(w, r, permissions.SetBranchProtectionRulesPermissions(repository)) {
 return
 }
 ctx := r.Context()
@@ -2534,12 +2260,7 @@ func (c *Controller) SetBranchProtectionRules(w http.ResponseWriter, r *http.Req
 }
 func (c *Controller) DeleteGCRules(w http.ResponseWriter, r *http.Request, repository string) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.SetGarbageCollectionRulesAction,
- Resource: permissions.RepoArn(repository),
- },
- }) {
+ if !c.authorize(w, r, permissions.DeleteGCRulesPermissions(repository)) {
 return
 }
 ctx := r.Context()
@@ -2551,12 +2272,7 @@ func (c *Controller) DeleteGCRules(w http.ResponseWriter, r *http.Request, repos
 }
 func (c *Controller) GetGCRules(w http.ResponseWriter, r *http.Request, repository string) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.GetGarbageCollectionRulesAction,
- Resource: permissions.RepoArn(repository),
- },
- }) {
+ if !c.authorize(w, r, permissions.GetGCRulesPermissions(repository)) {
 return
 }
 ctx := r.Context()
@@ -2573,12 +2289,7 @@ func (c *Controller) GetGCRules(w http.ResponseWriter, r *http.Request, reposito
 }
 func (c *Controller) SetGCRules(w http.ResponseWriter, r *http.Request, body apigen.SetGCRulesJSONRequestBody, repository string) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.SetGarbageCollectionRulesAction,
- Resource: permissions.RepoArn(repository),
- },
- }) {
+ if !c.authorize(w, r, permissions.SetGCRulesPermissions(repository)) {
 return
 }
 ctx := r.Context()
@@ -2597,12 +2308,7 @@ func (c *Controller) SetGCRules(w http.ResponseWriter, r *http.Request, body api
 }
 func (c *Controller) ListRepositoryRuns(w http.ResponseWriter, r *http.Request, repository string, params apigen.ListRepositoryRunsParams) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.ReadActionsAction,
- Resource: permissions.RepoArn(repository),
- },
- }) {
+ if !c.authorize(w, r, permissions.ListRepositoryRunsPermissions(repository)) {
 return
 }
 ctx := r.Context()
@@ -2665,12 +2371,7 @@ func runResultToActionRun(val *actions.RunResult) apigen.ActionRun {
 }
 func (c *Controller) GetRun(w http.ResponseWriter, r *http.Request, repository, runID string) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.ReadActionsAction,
- Resource: permissions.RepoArn(repository),
- },
- }) {
+ if !c.authorize(w, r, permissions.GetRunPermissions(repository)) {
 return
 }
 ctx := r.Context()
@@ -2704,12 +2405,7 @@ func (c *Controller) GetRun(w http.ResponseWriter, r *http.Request, repository,
 }
 func (c *Controller) ListRunHooks(w http.ResponseWriter, r *http.Request, repository, runID string, params apigen.ListRunHooksParams) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.ReadActionsAction,
- Resource: permissions.RepoArn(repository),
- },
- }) {
+ if !c.authorize(w, r, permissions.ListRunHooksPermissions(repository)) {
 return
 }
 ctx := r.Context()
@@ -2769,12 +2465,7 @@ func (c *Controller) ListRunHooks(w http.ResponseWriter, r *http.Request, reposi
 }
 func (c *Controller) GetRunHookOutput(w http.ResponseWriter, r *http.Request, repository, runID, hookRunID string) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.ReadActionsAction,
- Resource: permissions.RepoArn(repository),
- },
- }) {
+ if !c.authorize(w, r, permissions.GetRunHookOutputPermissions(repository)) {
 return
 }
 ctx := r.Context()
@@ -2819,12 +2510,7 @@ func (c *Controller) GetRunHookOutput(w http.ResponseWriter, r *http.Request, re
 }
 func (c *Controller) ListBranches(w http.ResponseWriter, r *http.Request, repository string, params apigen.ListBranchesParams) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.ListBranchesAction,
- Resource: permissions.RepoArn(repository),
- },
- }) {
+ if !c.authorize(w, r, permissions.ListBranchesPermissions(repository)) {
 return
 }
 ctx := r.Context()
@@ -2855,12 +2541,7 @@ func (c *Controller) ListBranches(w http.ResponseWriter, r *http.Request, reposi
 }
 func (c *Controller) CreateBranch(w http.ResponseWriter, r *http.Request, body apigen.CreateBranchJSONRequestBody, repository string) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.CreateBranchAction,
- Resource: permissions.BranchArn(repository, body.Name),
- },
- }) {
+ if !c.authorize(w, r, permissions.CreateBranchPermissions(repository, body.Name)) {
 return
 }
 ctx := r.Context()
@@ -2882,12 +2563,7 @@ func (c *Controller) CreateBranch(w http.ResponseWriter, r *http.Request, body a
 }
 func (c *Controller) DeleteBranch(w http.ResponseWriter, r *http.Request, repository, branch string, body apigen.DeleteBranchParams) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.DeleteBranchAction,
- Resource: permissions.BranchArn(repository, branch),
- },
- }) {
+ if !c.authorize(w, r, permissions.DeleteBranchPermissions(repository, branch)) {
 return
 }
 ctx := r.Context()
@@ -2901,12 +2577,7 @@ func (c *Controller) DeleteBranch(w http.ResponseWriter, r *http.Request, reposi
 }
 func (c *Controller) GetBranch(w http.ResponseWriter, r *http.Request, repository, branch string) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.ReadBranchAction,
- Resource: permissions.BranchArn(repository, branch),
- },
- }) {
+ if !c.authorize(w, r, permissions.GetBranchPermissions(repository, branch)) {
 return
 }
 ctx := r.Context()
@@ -3035,12 +2706,7 @@ func (c *Controller) handleAPIError(ctx context.Context, w http.ResponseWriter,
 }
 func (c *Controller) ResetBranch(w http.ResponseWriter, r *http.Request, body apigen.ResetBranchJSONRequestBody, repository, branch string) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.RevertBranchAction,
- Resource: permissions.BranchArn(repository, branch),
- },
- }) {
+ if !c.authorize(w, r, permissions.ResetBranchPermissions(repository, branch)) {
 return
 }
 ctx := r.Context()
@@ -3068,13 +2734,7 @@ func (c *Controller) ResetBranch(w http.ResponseWriter, r *http.Request, body ap
 }
 func (c *Controller) HardResetBranch(w http.ResponseWriter, r *http.Request, repository, branch string, params apigen.HardResetBranchParams) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- // TODO(ozkatz): Can we have another action here?
- Action: permissions.RevertBranchAction,
- Resource: permissions.BranchArn(repository, branch),
- },
- }) {
+ if !c.authorize(w, r, permissions.HardResetBranchPermissions(repository, branch)) {
 return
 }
 ctx := r.Context()
@@ -3089,23 +2749,7 @@ func (c *Controller) HardResetBranch(w http.ResponseWriter, r *http.Request, rep
 }
 func (c *Controller) ImportStart(w http.ResponseWriter, r *http.Request, body apigen.ImportStartJSONRequestBody, repository, branch string) {
- perm := permissions.Node{
- Type: permissions.NodeTypeAnd,
- Nodes: []permissions.Node{
- {
- Permission: permissions.Permission{
- Action: permissions.WriteObjectAction,
- Resource: permissions.BranchArn(repository, branch),
- },
- },
- {
- Permission: permissions.Permission{
- Action: permissions.CreateCommitAction,
- Resource: permissions.BranchArn(repository, branch),
- },
- },
- },
- }
+ perm := permissions.ImportStartPermissions(repository, branch)
 // Add import permissions per source
 // Add object permissions per destination
 for _, source := range body.Paths {
@@ -3199,12 +2843,7 @@ func importStatusToResponse(status *graveler.ImportStatus) apigen.ImportStatus {
 }
 func (c *Controller) ImportStatus(w http.ResponseWriter, r *http.Request, repository, branch string, params apigen.ImportStatusParams) {
- if !c.authorize(w, r, permissions.Node{
- Permission: permissions.Permission{
- Action: permissions.ReadBranchAction,
- Resource: permissions.BranchArn(repository, branch),
- },
- }) {
+ if !c.authorize(w, r, permissions.ImportStatusPermissions(repository, branch)) {
 return
 }
 ctx := r.Context()
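Review bot: In the HardResetBranch hunk the removed literal carried `// TODO(ozkatz): Can we have another action here?` next to `RevertBranchAction`, and the new `permissions.HardResetBranchPermissions(repository, branch)` call drops it; unless that note was moved into the helper (its body is not in this diff), the open question that a hard reset is gated by the same action as ResetBranch is lost from the codebase. It is a security-relevant decision — a principal allowed to revert can now also hard-reset — so it should stay recorded where the action is chosen. I would add to the helper's doc comment something like `// HardResetBranchPermissions currently reuses RevertBranchAction; TODO(ozkatz): consider a dedicated action.`. HardResetBranch's body continues outside the hunk.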
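Review bot: In the ImportStart hunk, `perm := permissions.ImportStartPermissions(repository, branch)` is immediately followed (per the surviving comments and the `for _, source := range body.Paths {` line) by a loop that adds per-source and per-destination permissions to `perm`, so the call site now depends on the helper returning a fresh, caller-owned node on every call. If the helper were ever changed to return a node whose `Nodes` slice is shared — built once at package level, say — appending in this loop would mutate shared state across concurrent requests, and one request's import paths could leak into another's authorization check. The helper's body is outside this diff and is probably allocating fresh since it takes `repository`/`branch`, but the contract should be stated on the helper (`// ImportStartPermissions returns a new AND node the caller may extend.`) or enforced here by copying `perm.Nodes` before the loop appends to it. ImportStart continues past the hunk.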
@@ -3218,12 +2857,7 @@ func (c *Controller) ImportStatus(w http.ResponseWriter, r *http.Request, reposi } func (c *Controller) ImportCancel(w http.ResponseWriter, r *http.Request, repository, branch string, params apigen.ImportCancelParams) { - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.ImportCancelAction, - Resource: permissions.BranchArn(repository, branch), - }, - }) { + if !c.authorize(w, r, permissions.ImportCancelPermissions(repository, branch)) { return } ctx := r.Context() @@ -3237,12 +2871,7 @@ func (c *Controller) ImportCancel(w http.ResponseWriter, r *http.Request, reposi } func (c *Controller) Commit(w http.ResponseWriter, r *http.Request, body apigen.CommitJSONRequestBody, repository, branch string, params apigen.CommitParams) { - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.CreateCommitAction, - Resource: permissions.BranchArn(repository, branch), - }, - }) { + if !c.authorize(w, r, permissions.CommitPermissions(repository, branch)) { return } ctx := r.Context() @@ -3265,12 +2894,7 @@ func (c *Controller) Commit(w http.ResponseWriter, r *http.Request, body apigen. } func (c *Controller) CreateCommitRecord(w http.ResponseWriter, r *http.Request, body apigen.CreateCommitRecordJSONRequestBody, repository string) { - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.CreateCommitAction, - Resource: permissions.RepoArn(repository), - }, - }) { + if !c.authorize(w, r, permissions.CreateCommitRecordPermissions(repository)) { return } ctx := r.Context() 
@@ -3304,12 +2928,7 @@ func commitResponse(w http.ResponseWriter, r *http.Request, newCommit *catalog.C } func (c *Controller) DiffBranch(w http.ResponseWriter, r *http.Request, repository, branch string, params apigen.DiffBranchParams) { - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.ListObjectsAction, - Resource: permissions.RepoArn(repository), - }, - }) { + if !c.authorize(w, r, permissions.DiffBranchPermissions(repository)) { return } ctx := r.Context() @@ -3352,12 +2971,7 @@ func (c *Controller) DiffBranch(w http.ResponseWriter, r *http.Request, reposito } func (c *Controller) DeleteObject(w http.ResponseWriter, r *http.Request, repository, branch string, params apigen.DeleteObjectParams) { - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.DeleteObjectAction, - Resource: permissions.ObjectArn(repository, params.Path), - }, - }) { + if !c.authorize(w, r, permissions.DeleteObjectPermissions(repository, params.Path)) { return } ctx := r.Context() @@ -3370,12 +2984,7 @@ func (c *Controller) DeleteObject(w http.ResponseWriter, r *http.Request, reposi } func (c *Controller) UploadObjectPreflight(w http.ResponseWriter, r *http.Request, repository, branch string, params apigen.UploadObjectPreflightParams) { - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.WriteObjectAction, - Resource: permissions.ObjectArn(repository, params.Path), - }, - }) { + if !c.authorize(w, r, permissions.UploadObjectPreflightPermissions(repository, params.Path)) { return } 
@@ -3386,12 +2995,7 @@ func (c *Controller) UploadObjectPreflight(w http.ResponseWriter, r *http.Reques } func (c *Controller) UploadObject(w http.ResponseWriter, r *http.Request, repository, branch string, params apigen.UploadObjectParams) { - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.WriteObjectAction, - Resource: permissions.ObjectArn(repository, params.Path), - }, - }) { + if !c.authorize(w, r, permissions.UploadObjectPermissions(repository, params.Path)) { return } ctx := r.Context() @@ -3556,12 +3160,7 @@ func (c *Controller) UploadObject(w http.ResponseWriter, r *http.Request, reposi } func (c *Controller) StageObject(w http.ResponseWriter, r *http.Request, body apigen.StageObjectJSONRequestBody, repository, branch string, params apigen.StageObjectParams) { - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.WriteObjectAction, - Resource: permissions.ObjectArn(repository, params.Path), - }, - }) { + if !c.authorize(w, r, permissions.StageObjectPermissions(repository, params.Path)) { return } ctx := r.Context() @@ -3634,23 +3233,7 @@ func (c *Controller) StageObject(w http.ResponseWriter, r *http.Request, body ap func (c *Controller) CopyObject(w http.ResponseWriter, r *http.Request, body apigen.CopyObjectJSONRequestBody, repository, branch string, params apigen.CopyObjectParams) { srcPath := body.SrcPath destPath := params.DestPath - if !c.authorize(w, r, permissions.Node{ - Type: permissions.NodeTypeAnd, - Nodes: []permissions.Node{ - { - Permission: permissions.Permission{ - Action: permissions.ReadObjectAction, - Resource: permissions.ObjectArn(repository, srcPath), - }, - }, - { - Permission: permissions.Permission{ - Action: permissions.WriteObjectAction, - Resource: permissions.ObjectArn(repository, destPath), - }, - }, - }, - }) { + if !c.authorize(w, r, permissions.CopyObjectPermissions(repository, srcPath, destPath)) { return } 
@@ -3711,12 +3294,7 @@ func (c *Controller) CopyObject(w http.ResponseWriter, r *http.Request, body api } func (c *Controller) RevertBranch(w http.ResponseWriter, r *http.Request, body apigen.RevertBranchJSONRequestBody, repository, branch string) { - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.RevertBranchAction, - Resource: permissions.BranchArn(repository, branch), - }, - }) { + if !c.authorize(w, r, permissions.RevertBranchPermissions(repository, branch)) { return } ctx := r.Context() @@ -3742,23 +3320,7 @@ func (c *Controller) RevertBranch(w http.ResponseWriter, r *http.Request, body a } func (c *Controller) CherryPick(w http.ResponseWriter, r *http.Request, body apigen.CherryPickJSONRequestBody, repository string, branch string) { - if !c.authorize(w, r, permissions.Node{ - Type: permissions.NodeTypeAnd, - Nodes: []permissions.Node{ - { - Permission: permissions.Permission{ - Action: permissions.CreateCommitAction, - Resource: permissions.BranchArn(repository, branch), - }, - }, - { - Permission: permissions.Permission{ - Action: permissions.ReadCommitAction, - Resource: permissions.RepoArn(repository), - }, - }, - }, - }) { + if !c.authorize(w, r, permissions.CherryPickPermissions(repository, branch)) { return } ctx := r.Context() @@ -3799,12 +3361,7 @@ func getCommitOverrides(commitOverrides *apigen.CommitOverrides) *graveler.Commi } func (c *Controller) GetCommit(w http.ResponseWriter, r *http.Request, repository, commitID string) { - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.ReadCommitAction, - Resource: permissions.RepoArn(repository), - }, - }) { + if !c.authorize(w, r, permissions.GetCommitPermissions(repository)) { return } ctx := r.Context() 
@@ -3841,12 +3398,7 @@ func (c *Controller) InternalGetGarbageCollectionRules(w http.ResponseWriter, r } func (c *Controller) SetGarbageCollectionRulesPreflight(w http.ResponseWriter, r *http.Request, repository string) { - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.SetGarbageCollectionRulesAction, - Resource: permissions.RepoArn(repository), - }, - }) { + if !c.authorize(w, r, permissions.SetGarbageCollectionRulesPreflightPermissions(repository)) { return } @@ -3865,12 +3417,7 @@ func (c *Controller) InternalDeleteGarbageCollectionRules(w http.ResponseWriter, } func (c *Controller) PrepareGarbageCollectionCommits(w http.ResponseWriter, r *http.Request, repository string) { - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.PrepareGarbageCollectionCommitsAction, - Resource: permissions.RepoArn(repository), - }, - }) { + if !c.authorize(w, r, permissions.PrepareGarbageCollectionCommitsPermissions(repository)) { return } ctx := r.Context() @@ -3905,12 +3452,7 @@ func (c *Controller) InternalGetBranchProtectionRules(w http.ResponseWriter, r * } func (c *Controller) InternalDeleteBranchProtectionRule(w http.ResponseWriter, r *http.Request, body apigen.InternalDeleteBranchProtectionRuleJSONRequestBody, repository string) { - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.SetBranchProtectionRulesAction, - Resource: permissions.RepoArn(repository), - }, - }) { + if !c.authorize(w, r, permissions.InternalDeleteBranchProtectionRulePermissions(repository)) { return } ctx := r.Context() 
@@ -3935,12 +3477,7 @@ func (c *Controller) InternalDeleteBranchProtectionRule(w http.ResponseWriter, r } func (c *Controller) CreateBranchProtectionRulePreflight(w http.ResponseWriter, r *http.Request, repository string) { - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.SetBranchProtectionRulesAction, - Resource: permissions.RepoArn(repository), - }, - }) { + if !c.authorize(w, r, permissions.CreateBranchProtectionRulePreflightPermissions(repository)) { return } @@ -3951,12 +3488,7 @@ func (c *Controller) CreateBranchProtectionRulePreflight(w http.ResponseWriter, } func (c *Controller) InternalCreateBranchProtectionRule(w http.ResponseWriter, r *http.Request, body apigen.InternalCreateBranchProtectionRuleJSONRequestBody, repository string) { - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.SetBranchProtectionRulesAction, - Resource: permissions.RepoArn(repository), - }, - }) { + if !c.authorize(w, r, permissions.InternalCreateBranchProtectionRulePermissions(repository)) { return } ctx := r.Context() @@ -3985,23 +3517,7 @@ func (c *Controller) InternalCreateBranchProtectionRule(w http.ResponseWriter, r } func (c *Controller) GetMetaRange(w http.ResponseWriter, r *http.Request, repository, metaRange string) { - if !c.authorize(w, r, permissions.Node{ - Type: permissions.NodeTypeAnd, - Nodes: []permissions.Node{ - { - Permission: permissions.Permission{ - Action: permissions.ListObjectsAction, - Resource: permissions.RepoArn(repository), - }, - }, - { - Permission: permissions.Permission{ - Action: permissions.ReadRepositoryAction, - Resource: permissions.RepoArn(repository), - }, - }, - }, - }) { + if !c.authorize(w, r, permissions.GetMetaRangePermissions(repository)) { return } ctx := r.Context() 
@@ -4020,23 +3536,7 @@ func (c *Controller) GetMetaRange(w http.ResponseWriter, r *http.Request, reposi } func (c *Controller) GetRange(w http.ResponseWriter, r *http.Request, repository, pRange string) { - if !c.authorize(w, r, permissions.Node{ - Type: permissions.NodeTypeAnd, - Nodes: []permissions.Node{ - { - Permission: permissions.Permission{ - Action: permissions.ListObjectsAction, - Resource: permissions.RepoArn(repository), - }, - }, - { - Permission: permissions.Permission{ - Action: permissions.ReadRepositoryAction, - Resource: permissions.RepoArn(repository), - }, - }, - }, - }) { + if !c.authorize(w, r, permissions.GetRangePermissions(repository)) { return } ctx := r.Context() @@ -4054,29 +3554,7 @@ func (c *Controller) GetRange(w http.ResponseWriter, r *http.Request, repository } func (c *Controller) DumpRefs(w http.ResponseWriter, r *http.Request, repository string) { - if !c.authorize(w, r, permissions.Node{ - Type: permissions.NodeTypeAnd, - Nodes: []permissions.Node{ - { - Permission: permissions.Permission{ - Action: permissions.ListTagsAction, - Resource: permissions.RepoArn(repository), - }, - }, - { - Permission: permissions.Permission{ - Action: permissions.ListBranchesAction, - Resource: permissions.RepoArn(repository), - }, - }, - { - Permission: permissions.Permission{ - Action: permissions.ListCommitsAction, - Resource: permissions.RepoArn(repository), - }, - }, - }, - }) { + if !c.authorize(w, r, permissions.DumpRefsPermissions(repository)) { return } ctx := r.Context() 
@@ -4128,29 +3606,7 @@ func (c *Controller) DumpRefs(w http.ResponseWriter, r *http.Request, repository } func (c *Controller) RestoreRefs(w http.ResponseWriter, r *http.Request, body apigen.RestoreRefsJSONRequestBody, repository string) { - if !c.authorize(w, r, permissions.Node{ - Type: permissions.NodeTypeAnd, - Nodes: []permissions.Node{ - { - Permission: permissions.Permission{ - Action: permissions.CreateTagAction, - Resource: permissions.RepoArn(repository), - }, - }, - { - Permission: permissions.Permission{ - Action: permissions.CreateBranchAction, - Resource: permissions.RepoArn(repository), - }, - }, - { - Permission: permissions.Permission{ - Action: permissions.CreateCommitAction, - Resource: permissions.RepoArn(repository), - }, - }, - }, - }) { + if !c.authorize(w, r, permissions.RestoreRefsPermissions(repository)) { return } ctx := r.Context() @@ -4190,29 +3646,7 @@ func (c *Controller) RestoreRefs(w http.ResponseWriter, r *http.Request, body ap } func (c *Controller) DumpSubmit(w http.ResponseWriter, r *http.Request, repository string) { - if !c.authorize(w, r, permissions.Node{ - Type: permissions.NodeTypeAnd, - Nodes: []permissions.Node{ - { - Permission: permissions.Permission{ - Action: permissions.ListTagsAction, - Resource: permissions.RepoArn(repository), - }, - }, - { - Permission: permissions.Permission{ - Action: permissions.ListBranchesAction, - Resource: permissions.RepoArn(repository), - }, - }, - { - Permission: permissions.Permission{ - Action: permissions.ListCommitsAction, - Resource: permissions.RepoArn(repository), - }, - }, - }, - }) { + if !c.authorize(w, r, permissions.DumpSubmitPermissions(repository)) { return } ctx := r.Context() 
@@ -4229,29 +3663,7 @@ func (c *Controller) DumpSubmit(w http.ResponseWriter, r *http.Request, reposito } func (c *Controller) DumpStatus(w http.ResponseWriter, r *http.Request, repository string, params apigen.DumpStatusParams) { - if !c.authorize(w, r, permissions.Node{ - Type: permissions.NodeTypeAnd, - Nodes: []permissions.Node{ - { - Permission: permissions.Permission{ - Action: permissions.ListTagsAction, - Resource: permissions.RepoArn(repository), - }, - }, - { - Permission: permissions.Permission{ - Action: permissions.ListBranchesAction, - Resource: permissions.RepoArn(repository), - }, - }, - { - Permission: permissions.Permission{ - Action: permissions.ListCommitsAction, - Resource: permissions.RepoArn(repository), - }, - }, - }, - }) { + if !c.authorize(w, r, permissions.DumpStatusPermissions(repository)) { return } @@ -4282,29 +3694,7 @@ func (c *Controller) DumpStatus(w http.ResponseWriter, r *http.Request, reposito } func (c *Controller) RestoreSubmit(w http.ResponseWriter, r *http.Request, body apigen.RestoreSubmitJSONRequestBody, repository string) { - if !c.authorize(w, r, permissions.Node{ - Type: permissions.NodeTypeAnd, - Nodes: []permissions.Node{ - { - Permission: permissions.Permission{ - Action: permissions.CreateTagAction, - Resource: permissions.RepoArn(repository), - }, - }, - { - Permission: permissions.Permission{ - Action: permissions.CreateBranchAction, - Resource: permissions.RepoArn(repository), - }, - }, - { - Permission: permissions.Permission{ - Action: permissions.CreateCommitAction, - Resource: permissions.RepoArn(repository), - }, - }, - }, - }) { + if !c.authorize(w, r, permissions.RestoreSubmitPermissions(repository)) { return } 
@@ -4330,29 +3720,7 @@ func (c *Controller) RestoreSubmit(w http.ResponseWriter, r *http.Request, body } func (c *Controller) RestoreStatus(w http.ResponseWriter, r *http.Request, repository string, params apigen.RestoreStatusParams) { - if !c.authorize(w, r, permissions.Node{ - Type: permissions.NodeTypeAnd, - Nodes: []permissions.Node{ - { - Permission: permissions.Permission{ - Action: permissions.CreateTagAction, - Resource: permissions.RepoArn(repository), - }, - }, - { - Permission: permissions.Permission{ - Action: permissions.CreateBranchAction, - Resource: permissions.RepoArn(repository), - }, - }, - { - Permission: permissions.Permission{ - Action: permissions.CreateCommitAction, - Resource: permissions.RepoArn(repository), - }, - }, - }, - }) { + if !c.authorize(w, r, permissions.RestoreStatusPermissions(repository)) { return } @@ -4376,12 +3744,7 @@ func (c *Controller) RestoreStatus(w http.ResponseWriter, r *http.Request, repos } func (c *Controller) CreateSymlinkFile(w http.ResponseWriter, r *http.Request, repository, branch string, params apigen.CreateSymlinkFileParams) { - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.WriteObjectAction, - Resource: permissions.ObjectArn(repository, branch), - }, - }) { + if !c.authorize(w, r, permissions.CreateSymlinkFilePermissions(repository, branch)) { return } ctx := r.Context() @@ -4465,12 +3828,7 @@ func writeSymlink(ctx context.Context, repo *catalog.Repository, branch, path st } func (c *Controller) DiffRefs(w http.ResponseWriter, r *http.Request, repository, leftRef, rightRef string, params apigen.DiffRefsParams) { - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.ListObjectsAction, - Resource: permissions.RepoArn(repository), - }, - }) { + if !c.authorize(w, r, permissions.DiffRefsPermissions(repository)) { return } ctx := r.Context() 
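Review bot: `permissions.CreateSymlinkFilePermissions(repository, branch)` preserves the pre-existing shape in which the branch name, not an object path, occupied the `ObjectArn(repository, branch)` resource; the helper presumably reproduces that. If this is intentional (authorizing a write on the branch's object namespace), a comment on the helper stating so, e.g. `// resource is the branch's object ARN: symlink files are written under the branch, not a single object path`, stops the next reader from "correcting" it; if it is not, this refactor is the natural point to decide. CreateSymlinkFile's body continues outside the hunk.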
@@ -4514,12 +3872,7 @@ func (c *Controller) DiffRefs(w http.ResponseWriter, r *http.Request, repository } func (c *Controller) LogCommits(w http.ResponseWriter, r *http.Request, repository, ref string, params apigen.LogCommitsParams) { - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.ReadBranchAction, - Resource: permissions.BranchArn(repository, ref), - }, - }) { + if !c.authorize(w, r, permissions.LogCommitsPermissions(repository, ref)) { return } ctx := r.Context() @@ -4565,12 +3918,7 @@ func (c *Controller) LogCommits(w http.ResponseWriter, r *http.Request, reposito } func (c *Controller) HeadObject(w http.ResponseWriter, r *http.Request, repository, ref string, params apigen.HeadObjectParams) { - if !c.authorizeCallback(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.ReadObjectAction, - Resource: permissions.ObjectArn(repository, params.Path), - }, - }, func(w http.ResponseWriter, r *http.Request, code int, v interface{}) { + if !c.authorizeCallback(w, r, permissions.HeadObjectPermissions(repository, params.Path), func(w http.ResponseWriter, r *http.Request, code int, v interface{}) { writeResponse(w, r, code, nil) }) { return @@ -4620,23 +3968,7 @@ func (c *Controller) GetMetadataObject(w http.ResponseWriter, r *http.Request, r const getTypeMetaRange = "meta_range" const getTypeRange = "range" - if !c.authorize(w, r, permissions.Node{ - Type: permissions.NodeTypeAnd, - Nodes: []permissions.Node{ - { - Permission: permissions.Permission{ - Action: permissions.ListObjectsAction, - Resource: permissions.RepoArn(repository), - }, - }, - { - Permission: permissions.Permission{ - Action: permissions.ReadRepositoryAction, - Resource: permissions.RepoArn(repository), - }, - }, - }, - }) { + if !c.authorize(w, r, permissions.GetMetadataObjectPermissions(repository)) { return } ctx := r.Context() 
@@ -4707,12 +4039,7 @@ func (c *Controller) GetMetadataObject(w http.ResponseWriter, r *http.Request, r } func (c *Controller) GetObject(w http.ResponseWriter, r *http.Request, repository, ref string, params apigen.GetObjectParams) { - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.ReadObjectAction, - Resource: permissions.ObjectArn(repository, params.Path), - }, - }) { + if !c.authorize(w, r, permissions.GetObjectPermissions(repository, params.Path)) { return } ctx := r.Context() @@ -4821,12 +4148,7 @@ func (c *Controller) GetObject(w http.ResponseWriter, r *http.Request, repositor } func (c *Controller) ListObjects(w http.ResponseWriter, r *http.Request, repository, ref string, params apigen.ListObjectsParams) { - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.ListObjectsAction, - Resource: permissions.RepoArn(repository), - }, - }) { + if !c.authorize(w, r, permissions.ListObjectsPermissions(repository)) { return } ctx := r.Context() @@ -4930,12 +4252,7 @@ func (c *Controller) ListObjects(w http.ResponseWriter, r *http.Request, reposit } func (c *Controller) StatObject(w http.ResponseWriter, r *http.Request, repository, ref string, params apigen.StatObjectParams) { - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.ReadObjectAction, - Resource: permissions.ObjectArn(repository, params.Path), - }, - }) { + if !c.authorize(w, r, permissions.StatObjectPermissions(repository, params.Path)) { return } ctx := r.Context() 
@@ -4998,12 +4315,7 @@ func (c *Controller) StatObject(w http.ResponseWriter, r *http.Request, reposito } func (c *Controller) UpdateObjectUserMetadata(w http.ResponseWriter, r *http.Request, body apigen.UpdateObjectUserMetadataJSONRequestBody, repository, branch string, params apigen.UpdateObjectUserMetadataParams) { - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.WriteObjectAction, - Resource: permissions.ObjectArn(repository, params.Path), - }, - }) { + if !c.authorize(w, r, permissions.UpdateObjectUserMetadataPermissions(repository, params.Path)) { return } ctx := r.Context() @@ -5019,12 +4331,7 @@ func (c *Controller) UpdateObjectUserMetadata(w http.ResponseWriter, r *http.Req } func (c *Controller) GetUnderlyingProperties(w http.ResponseWriter, r *http.Request, repository, ref string, params apigen.GetUnderlyingPropertiesParams) { - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.ReadObjectAction, - Resource: permissions.ObjectArn(repository, params.Path), - }, - }) { + if !c.authorize(w, r, permissions.GetUnderlyingPropertiesPermissions(repository, params.Path)) { return } ctx := r.Context() @@ -5060,12 +4367,7 @@ func (c *Controller) GetUnderlyingProperties(w http.ResponseWriter, r *http.Requ } func (c *Controller) MergeIntoBranch(w http.ResponseWriter, r *http.Request, body apigen.MergeIntoBranchJSONRequestBody, repository, sourceRef, destinationBranch string) { - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.CreateCommitAction, - Resource: permissions.BranchArn(repository, destinationBranch), - }, - }) { + if !c.authorize(w, r, permissions.MergeIntoBranchPermissions(repository, destinationBranch)) { return } ctx := r.Context() 
@@ -5106,12 +4408,7 @@ func (c *Controller) MergeIntoBranch(w http.ResponseWriter, r *http.Request, bod } func (c *Controller) FindMergeBase(w http.ResponseWriter, r *http.Request, repository string, sourceRef string, destinationRef string) { - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.ListCommitsAction, - Resource: permissions.RepoArn(repository), - }, - }) { + if !c.authorize(w, r, permissions.FindMergeBasePermissions(repository)) { return } ctx := r.Context() @@ -5129,12 +4426,7 @@ func (c *Controller) FindMergeBase(w http.ResponseWriter, r *http.Request, repos } func (c *Controller) ListTags(w http.ResponseWriter, r *http.Request, repository string, params apigen.ListTagsParams) { - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.ListTagsAction, - Resource: permissions.RepoArn(repository), - }, - }) { + if !c.authorize(w, r, permissions.ListTagsPermissions(repository)) { return } ctx := r.Context() @@ -5160,12 +4452,7 @@ func (c *Controller) ListTags(w http.ResponseWriter, r *http.Request, repository } func (c *Controller) CreateTag(w http.ResponseWriter, r *http.Request, body apigen.CreateTagJSONRequestBody, repository string) { - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.CreateTagAction, - Resource: permissions.TagArn(repository, body.Id), - }, - }) { + if !c.authorize(w, r, permissions.CreateTagPermissions(repository, body.Id)) { return } ctx := r.Context() 
@@ -5183,12 +4470,7 @@ func (c *Controller) CreateTag(w http.ResponseWriter, r *http.Request, body apig } func (c *Controller) DeleteTag(w http.ResponseWriter, r *http.Request, repository, tag string, params apigen.DeleteTagParams) { - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.DeleteTagAction, - Resource: permissions.TagArn(repository, tag), - }, - }) { + if !c.authorize(w, r, permissions.DeleteTagPermissions(repository, tag)) { return } ctx := r.Context() @@ -5201,12 +4483,7 @@ func (c *Controller) DeleteTag(w http.ResponseWriter, r *http.Request, repositor } func (c *Controller) GetTag(w http.ResponseWriter, r *http.Request, repository, tag string) { - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.ReadTagAction, - Resource: permissions.TagArn(repository, tag), - }, - }) { + if !c.authorize(w, r, permissions.GetTagPermissions(repository, tag)) { return } ctx := r.Context() @@ -5526,12 +4803,7 @@ func (c *Controller) PostStatsEvents(w http.ResponseWriter, r *http.Request, bod } func (c *Controller) ListPullRequests(w http.ResponseWriter, r *http.Request, repository string, params apigen.ListPullRequestsParams) { - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.ListPullRequestsAction, - Resource: permissions.RepoArn(repository), - }, - }) { + if !c.authorize(w, r, permissions.ListPullRequestsPermissions(repository)) { return } ctx := r.Context() 
@@ -5568,12 +4840,7 @@ func (c *Controller) ListPullRequests(w http.ResponseWriter, r *http.Request, re } func (c *Controller) CreatePullRequest(w http.ResponseWriter, r *http.Request, body apigen.CreatePullRequestJSONRequestBody, repository string) { - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.WritePullRequestAction, - Resource: permissions.RepoArn(repository), - }, - }) { + if !c.authorize(w, r, permissions.CreatePullRequestPermissions(repository)) { return } ctx := r.Context() @@ -5604,12 +4871,7 @@ func (c *Controller) CreatePullRequest(w http.ResponseWriter, r *http.Request, b } func (c *Controller) GetPullRequest(w http.ResponseWriter, r *http.Request, repository string, pullRequestID string) { - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.ReadPullRequestAction, - Resource: permissions.RepoArn(repository), - }, - }) { + if !c.authorize(w, r, permissions.GetPullRequestPermissions(repository)) { return } ctx := r.Context() @@ -5636,12 +4898,7 @@ func (c *Controller) GetPullRequest(w http.ResponseWriter, r *http.Request, repo } func (c *Controller) UpdatePullRequest(w http.ResponseWriter, r *http.Request, body apigen.UpdatePullRequestJSONRequestBody, repository string, pullRequestID string) { - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.WritePullRequestAction, - Resource: permissions.RepoArn(repository), - }, - }) { + if !c.authorize(w, r, permissions.UpdatePullRequestPermissions(repository)) { return } ctx := r.Context() 
@@ -5665,23 +4922,7 @@ func (c *Controller) MergePullRequest(w http.ResponseWriter, r *http.Request, re return } - if !c.authorize(w, r, permissions.Node{ - Type: permissions.NodeTypeAnd, - Nodes: []permissions.Node{ - { - Permission: permissions.Permission{ - Action: permissions.CreateCommitAction, - Resource: permissions.BranchArn(repository, pr.Destination), - }, - }, - { - Permission: permissions.Permission{ - Action: permissions.WritePullRequestAction, - Resource: permissions.RepoArn(repository), - }, - }, - }, - }) { + if !c.authorize(w, r, permissions.MergePullRequestPermissions(repository, pr.Destination)) { return } @@ -6023,12 +5264,7 @@ func (c *Controller) CreateUserExternalPrincipal(w http.ResponseWriter, r *http. writeError(w, r, http.StatusNotImplemented, "Not implemented") return } - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.CreateUserExternalPrincipalAction, - Resource: permissions.UserArn(userID), - }, - }) { + if !c.authorize(w, r, permissions.CreateUserExternalPrincipalPermissions(userID)) { return } @@ -6047,12 +5283,7 @@ func (c *Controller) DeleteUserExternalPrincipal(w http.ResponseWriter, r *http. writeError(w, r, http.StatusNotImplemented, "Not implemented") return } - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.DeleteUserExternalPrincipalAction, - Resource: permissions.UserArn(userID), - }, - }) { + if !c.authorize(w, r, permissions.DeleteUserExternalPrincipalPermissions(userID)) { return } c.LogAction(ctx, "delete_user_external_principal", r, "", "", "") 
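Review bot: In MergePullRequest the authorization `permissions.MergePullRequestPermissions(repository, pr.Destination)` still runs after the pull request has been loaded (the `return }` above the hunk presumably belongs to that lookup), because the destination branch is needed for the `CreateCommitAction` check. Unchanged by this commit, that ordering lets a caller without pull-request permissions distinguish an existing PR from a missing one by the error code before being denied; if the project cares, a `WritePullRequestAction` check on `RepoArn(repository)` before the lookup would close that. The function starts outside the hunk.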
@@ -6069,12 +5300,7 @@ func (c *Controller) GetExternalPrincipal(w http.ResponseWriter, r *http.Request writeError(w, r, http.StatusNotImplemented, "Not implemented") return } - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.ReadExternalPrincipalAction, - Resource: permissions.ExternalPrincipalArn(params.PrincipalId), - }, - }) { + if !c.authorize(w, r, permissions.GetExternalPrincipalPermissions(params.PrincipalId)) { return } c.LogAction(ctx, "get_external_principal", r, "", "", "") @@ -6096,12 +5322,7 @@ func (c *Controller) ListUserExternalPrincipals(w http.ResponseWriter, r *http.R writeError(w, r, http.StatusNotImplemented, "Not implemented") return } - if !c.authorize(w, r, permissions.Node{ - Permission: permissions.Permission{ - Action: permissions.ReadUserAction, - Resource: permissions.UserArn(userID), - }, - }) { + if !c.authorize(w, r, permissions.ListUserExternalPrincipalsPermissions(userID)) { return } diff --git a/pkg/permissions/operationPermissions.go b/pkg/permissions/operationPermissions.go new file mode 100644 index 00000000000..e04fccd0787 --- /dev/null +++ b/pkg/permissions/operationPermissions.go 
@@ -0,0 +1,1228 @@
+package permissions
+
+func CreatePresignMultipartUploadPermissions(repository string, path string) Node {
+ return Node{
+ Permission: Permission{
+ Action: WriteObjectAction,
+ Resource: ObjectArn(repository, path),
+ },
+ }
+}
+
+func AbortPresignMultipartUploadPermissions(repository string, path string) Node {
+ return Node{
+ Permission: Permission{
+ Action: WriteObjectAction,
+ Resource: ObjectArn(repository, path),
+ },
+ }
+}
+
+func CompletePresignMultipartUploadPermissions(repository string, path string) Node {
+ return Node{
+ Permission: Permission{
+ Action: WriteObjectAction,
+ Resource: ObjectArn(repository, path),
+ },
+ }
+}
+
+func ListGroupsPermissions() Node {
+ return Node{
+ Permission: Permission{
+ Action: ListGroupsAction,
+ Resource: All,
+ },
+ }
+}
+
+func CreateGroupPermissions(groupID string) Node {
+ return Node{
+ Permission: Permission{
+ Action: CreateGroupAction,
+ Resource: GroupArn(groupID),
+ },
+ }
+}
+
+func DeleteGroupPermissions(groupID string) Node {
+ return Node{
+ Permission: Permission{
+ Action: DeleteGroupAction,
+ Resource: GroupArn(groupID),
+ },
+ }
+}
+
+func GetGroupPermissions(groupID string) Node {
+ return Node{
+ Permission: Permission{
+ Action: ReadGroupAction,
+ Resource: GroupArn(groupID),
+ },
+ }
+}
+
+func GetGroupACLPermissions(groupID string, aclPolicyName string) Node {
+ return Node{
+ Type: NodeTypeAnd,
+ Nodes: []Node{
+ {
+ Permission: Permission{
+ Action: ReadGroupAction,
+ Resource: GroupArn(groupID),
+ },
+ },
+ {
+ Permission: Permission{
+ Action: ReadPolicyAction,
+ Resource: PolicyArn(aclPolicyName),
+ },
+ },
+ },
+ }
+}
+
+func SetGroupACLPermissions(groupID string, aclPolicyName string) Node {
+ return Node{
+ Type: NodeTypeAnd,
+ Nodes: []Node{
+ {
+ Permission: Permission{
+ Action: ReadGroupAction,
+ Resource: GroupArn(groupID),
+ },
+ },
+ {
+ Permission: Permission{
+ Action: AttachPolicyAction,
+ Resource: PolicyArn(aclPolicyName),
+ },
+ },
+ {
+
Permission: Permission{
+ Action: UpdatePolicyAction,
+ Resource: PolicyArn(aclPolicyName),
+ },
+ },
+ },
+ }
+}
+
+func ListGroupMembersPermissions(groupID string) Node {
+ return Node{
+ Permission: Permission{
+ Action: ReadGroupAction,
+ Resource: GroupArn(groupID),
+ },
+ }
+}
+
+func DeleteGroupMembershipPermissions(groupID string) Node {
+ return Node{
+ Permission: Permission{
+ Action: RemoveGroupMemberAction,
+ Resource: GroupArn(groupID),
+ },
+ }
+}
+
+func AddGroupMembershipPermissions(groupID string) Node {
+ return Node{
+ Permission: Permission{
+ Action: AddGroupMemberAction,
+ Resource: GroupArn(groupID),
+ },
+ }
+}
+
+func ListGroupPoliciesPermissions(groupID string) Node {
+ return Node{
+ Permission: Permission{
+ Action: ReadGroupAction,
+ Resource: GroupArn(groupID),
+ },
+ }
+}
+
+func DetachPolicyFromGroupPermissions(groupID string) Node {
+ return Node{
+ Permission: Permission{
+ Action: DetachPolicyAction,
+ Resource: GroupArn(groupID),
+ },
+ }
+}
+
+func AttachPolicyToGroupPermissions(groupID string) Node {
+ return Node{
+ Permission: Permission{
+ Action: AttachPolicyAction,
+ Resource: GroupArn(groupID),
+ },
+ }
+}
+
+func ListPoliciesPermissions() Node {
+ return Node{
+ Permission: Permission{
+ Action: ListPoliciesAction,
+ Resource: All,
+ },
+ }
+}
+
+func CreatePolicyPermissions(policyID string) Node {
+ return Node{
+ Permission: Permission{
+ Action: CreatePolicyAction,
+ Resource: PolicyArn(policyID),
+ },
+ }
+}
+
+func DeletePolicyPermissions(policyID string) Node {
+ return Node{
+ Permission: Permission{
+ Action: DeletePolicyAction,
+ Resource: PolicyArn(policyID),
+ },
+ }
+}
+
+func GetPolicyPermissions(policyID string) Node {
+ return Node{
+ Permission: Permission{
+ Action: ReadPolicyAction,
+ Resource: PolicyArn(policyID),
+ },
+ }
+}
+
+func UpdatePolicyPermissions(policyID string) Node {
+ return Node{
+ Permission: Permission{
+ Action: UpdatePolicyAction,
+ Resource: PolicyArn(policyID),
+ },
+ }
+}
+
+func ListUsersPermissions() Node {
+ return Node{
+ Permission: Permission{
+ Action: ListUsersAction,
+ Resource: All,
+ },
+ }
+}
+
+func CreateUserPermissions(username string) Node {
+ return Node{
+ Permission: Permission{
+ Action: CreateUserAction,
+ Resource: UserArn(username),
+ },
+ }
+}
+
+func GetUserPermissions(userID string) Node {
+ return Node{
+ Permission: Permission{
+ Action: ReadUserAction,
+ Resource: UserArn(userID),
+ },
+ }
+}
+
+func ListUserCredentialsPermissions(userID string) Node {
+ return Node{
+ Permission: Permission{
+ Action: ListCredentialsAction,
+ Resource: UserArn(userID),
+ },
+ }
+}
+
+func CreateCredentialsPermissions(userID string) Node {
+ return Node{
+ Permission: Permission{
+ Action: CreateCredentialsAction,
+ Resource: UserArn(userID),
+ },
+ }
+}
+
+func DeleteCredentialsPermissions(userID string) Node {
+ return Node{
+ Permission: Permission{
+ Action: DeleteCredentialsAction,
+ Resource: UserArn(userID),
+ },
+ }
+}
+
+func GetCredentialsPermissions(userID string) Node {
+ return Node{
+ Permission: Permission{
+ Action: ReadCredentialsAction,
+ Resource: UserArn(userID),
+ },
+ }
+}
+
+func ListUserGroupsPermissions(userID string) Node {
+ return Node{
+ Permission: Permission{
+ Action: ReadUserAction,
+ Resource: UserArn(userID),
+ },
+ }
+}
+
+func ListUserPoliciesPermissions(userID string) Node {
+ return Node{
+ Permission: Permission{
+ Action: ReadUserAction,
+ Resource: UserArn(userID),
+ },
+ }
+}
+
+func DetachPolicyFromUserPermissions(userID string) Node {
+ return Node{
+ Permission: Permission{
+ Action: DetachPolicyAction,
+ Resource: UserArn(userID),
+ },
+ }
+}
+
+func AttachPolicyToUserPermissions(userID string) Node {
+ return Node{
+ Permission: Permission{
+ Action: AttachPolicyAction,
+ Resource: UserArn(userID),
+ },
+ }
+}
+
+func CreateRepositoryPermissions(repoName string, storageNamespace string) Node {
+ return Node{
+ Type: NodeTypeAnd,
+ Nodes: []Node{
+ {
+ Permission: Permission{
+ Action: CreateRepositoryAction,
+ Resource: RepoArn(repoName),
+ },
+ },
+ {
+ Permission: Permission{
+ Action: AttachStorageNamespaceAction,
+ Resource: StorageNamespace(storageNamespace),
+ },
+ },
+ },
+ }
+}
+
+func DeleteRepositoryPermissions(repository string) Node {
+ return Node{
+ Permission: Permission{
+ Action: DeleteRepositoryAction,
+ Resource: RepoArn(repository),
+ },
+ }
+}
+
+func GetRepositoryPermissions(repository string) Node {
+ return Node{
+ Permission: Permission{
+ Action: ReadRepositoryAction,
+ Resource: RepoArn(repository),
+ },
+ }
+}
+
+func GetRepositoryMetadataPermissions(repository string) Node {
+ return Node{
+ Permission: Permission{
+ Action: ReadRepositoryAction,
+ Resource: RepoArn(repository),
+ },
+ }
+}
+
+func SetRepositoryMetadataPermissions(repository string) Node {
+ return Node{
+ Permission: Permission{
+ Action: UpdateRepositoryAction,
+ Resource: RepoArn(repository),
+ },
+ }
+}
+
+func DeleteRepositoryMetadataPermissions(repository string) Node {
+ return Node{
+ Permission: Permission{
+ Action: UpdateRepositoryAction,
+ Resource: RepoArn(repository),
+ },
+ }
+}
+
+func DeleteUserPermissions(userID string) Node {
+ return Node{
+ Permission: Permission{
+ Action: DeleteUserAction,
+ Resource: UserArn(userID),
+ },
+ }
+}
+
+func GetBranchProtectionRulesPermissions(repository string) Node {
+ return Node{
+ Permission: Permission{
+ Action: GetBranchProtectionRulesAction,
+ Resource: RepoArn(repository),
+ },
+ }
+}
+
+func DeleteGCRulesPermissions(repository string) Node {
+ return Node{
+ Permission: Permission{
+ Action: SetGarbageCollectionRulesAction,
+ Resource: RepoArn(repository),
+ },
+ }
+}
+
+func GetGCRulesPermissions(repository string) Node {
+ return Node{
+ Permission: Permission{
+ Action: GetGarbageCollectionRulesAction,
+ Resource: RepoArn(repository),
+ },
+ }
+}
+
+func SetGCRulesPermissions(repository string) Node {
+ return Node{
+ Permission: Permission{
+ Action:
SetGarbageCollectionRulesAction,
+ Resource: RepoArn(repository),
+ },
+ }
+}
+
+func ListRepositoryRunsPermissions(repository string) Node {
+ return Node{
+ Permission: Permission{
+ Action: ReadActionsAction,
+ Resource: RepoArn(repository),
+ },
+ }
+}
+
+func GetRunPermissions(repository string) Node {
+ return Node{
+ Permission: Permission{
+ Action: ReadActionsAction,
+ Resource: RepoArn(repository),
+ },
+ }
+}
+
+func ListRunHooksPermissions(repository string) Node {
+ return Node{
+ Permission: Permission{
+ Action: ReadActionsAction,
+ Resource: RepoArn(repository),
+ },
+ }
+}
+
+func GetRunHookOutputPermissions(repository string) Node {
+ return Node{
+ Permission: Permission{
+ Action: ReadActionsAction,
+ Resource: RepoArn(repository),
+ },
+ }
+}
+
+func ListBranchesPermissions(repository string) Node {
+ return Node{
+ Permission: Permission{
+ Action: ListBranchesAction,
+ Resource: RepoArn(repository),
+ },
+ }
+}
+
+func CreateBranchPermissions(repository string, branchName string) Node {
+ return Node{
+ Permission: Permission{
+ Action: CreateBranchAction,
+ Resource: BranchArn(repository, branchName),
+ },
+ }
+}
+
+func DeleteBranchPermissions(repository string, branch string) Node {
+ return Node{
+ Permission: Permission{
+ Action: DeleteBranchAction,
+ Resource: BranchArn(repository, branch),
+ },
+ }
+}
+
+func GetBranchPermissions(repository string, branch string) Node {
+ return Node{
+ Permission: Permission{
+ Action: ReadBranchAction,
+ Resource: BranchArn(repository, branch),
+ },
+ }
+}
+
+func ResetBranchPermissions(repository string, branch string) Node {
+ return Node{
+ Permission: Permission{
+ Action: RevertBranchAction,
+ Resource: BranchArn(repository, branch),
+ },
+ }
+}
+
+func HardResetBranchPermissions(repository string, branch string) Node {
+ return Node{
+ Permission: Permission{
+ // TODO(ozkatz): Can we have another action here?
+ Action: RevertBranchAction,
+ Resource: BranchArn(repository, branch),
+ },
+ }
+}
+
+func ImportStartPermissions(repository string, branch string) Node {
+ return Node{
+ Type: NodeTypeAnd,
+ Nodes: []Node{
+ {
+ Permission: Permission{
+ Action: WriteObjectAction,
+ Resource: BranchArn(repository, branch),
+ },
+ },
+ {
+ Permission: Permission{
+ Action: CreateCommitAction,
+ Resource: BranchArn(repository, branch),
+ },
+ },
+ },
+ }
+}
+
+func ImportStatusPermissions(repository string, branch string) Node {
+ return Node{
+ Permission: Permission{
+ Action: ReadBranchAction,
+ Resource: BranchArn(repository, branch),
+ },
+ }
+}
+
+func ImportCancelPermissions(repository string, branch string) Node {
+ return Node{
+ Permission: Permission{
+ Action: ImportCancelAction,
+ Resource: BranchArn(repository, branch),
+ },
+ }
+}
+
+func CommitPermissions(repository string, branch string) Node {
+ return Node{
+ Permission: Permission{
+ Action: CreateCommitAction,
+ Resource: BranchArn(repository, branch),
+ },
+ }
+}
+
+func CreateCommitRecordPermissions(repository string) Node {
+ return Node{
+ Permission: Permission{
+ Action: CreateCommitAction,
+ Resource: RepoArn(repository),
+ },
+ }
+}
+
+func DiffBranchPermissions(repository string) Node {
+ return Node{
+ Permission: Permission{
+ Action: ListObjectsAction,
+ Resource: RepoArn(repository),
+ },
+ }
+}
+
+func DeleteObjectPermissions(repository string, path string) Node {
+ return Node{
+ Permission: Permission{
+ Action: DeleteObjectAction,
+ Resource: ObjectArn(repository, path),
+ },
+ }
+}
+
+func UploadObjectPreflightPermissions(repository string, path string) Node {
+ return Node{
+ Permission: Permission{
+ Action: WriteObjectAction,
+ Resource: ObjectArn(repository, path),
+ },
+ }
+}
+
+func PrepareGarbageCollectionUncommittedPermissions(repository string) Node {
+ return Node{
+ Permission: Permission{
+ Action: PrepareGarbageCollectionUncommittedAction,
+ Resource: RepoArn(repository),
+ },
+
}
+}
+
+func DeleteObjectsPermissions(repository string, objectPath string) Node {
+ return Node{
+ Permission: Permission{
+ Action: DeleteObjectAction,
+ Resource: ObjectArn(repository, objectPath),
+ },
+ }
+}
+
+func GetPhysicalAddressPermissions(repository string, path string) Node {
+ return Node{
+ Permission: Permission{
+ Action: WriteObjectAction,
+ Resource: ObjectArn(repository, path),
+ },
+ }
+}
+
+func StageObjectPermissions(repository string, path string) Node {
+ return Node{
+ Permission: Permission{
+ Action: WriteObjectAction,
+ Resource: ObjectArn(repository, path),
+ },
+ }
+}
+
+func LinkPhysicalAddressPermissions(repository string, path string) Node {
+ return Node{
+ Permission: Permission{
+ Action: WriteObjectAction,
+ Resource: ObjectArn(repository, path),
+ },
+ }
+}
+
+func ListRepositoriesPermissions() Node {
+ return Node{
+ Permission: Permission{
+ Action: ListRepositoriesAction,
+ Resource: All,
+ },
+ }
+}
+
+func UploadObjectPermissions(repository string, path string) Node {
+ return Node{
+ Permission: Permission{
+ Action: WriteObjectAction,
+ Resource: ObjectArn(repository, path),
+ },
+ }
+}
+
+func CopyObjectPermissions(repository string, srcPath string, destPath string) Node {
+ return Node{
+ Type: NodeTypeAnd,
+ Nodes: []Node{
+ {
+ Permission: Permission{
+ Action: ReadObjectAction,
+ Resource: ObjectArn(repository, srcPath),
+ },
+ },
+ {
+ Permission: Permission{
+ Action: WriteObjectAction,
+ Resource: ObjectArn(repository, destPath),
+ },
+ },
+ },
+ }
+}
+
+func RevertBranchPermissions(repository string, branch string) Node {
+ return Node{
+ Permission: Permission{
+ Action: RevertBranchAction,
+ Resource: BranchArn(repository, branch),
+ },
+ }
+}
+
+func CherryPickPermissions(repository string, branch string) Node {
+ return Node{
+ Type: NodeTypeAnd,
+ Nodes: []Node{
+ {
+ Permission: Permission{
+ Action: CreateCommitAction,
+ Resource: BranchArn(repository, branch),
+ },
+ },
+ {
+ Permission: Permission{
+
Action: ReadCommitAction,
+ Resource: RepoArn(repository),
+ },
+ },
+ },
+ }
+}
+
+func GetCommitPermissions(repository string) Node {
+ return Node{
+ Permission: Permission{
+ Action: ReadCommitAction,
+ Resource: RepoArn(repository),
+ },
+ }
+}
+
+func SetGarbageCollectionRulesPreflightPermissions(repository string) Node {
+ return Node{
+ Permission: Permission{
+ Action: SetGarbageCollectionRulesAction,
+ Resource: RepoArn(repository),
+ },
+ }
+}
+
+func PrepareGarbageCollectionCommitsPermissions(repository string) Node {
+ return Node{
+ Permission: Permission{
+ Action: PrepareGarbageCollectionCommitsAction,
+ Resource: RepoArn(repository),
+ },
+ }
+}
+
+func InternalDeleteBranchProtectionRulePermissions(repository string) Node {
+ return Node{
+ Permission: Permission{
+ Action: SetBranchProtectionRulesAction,
+ Resource: RepoArn(repository),
+ },
+ }
+}
+
+func CreateBranchProtectionRulePreflightPermissions(repository string) Node {
+ return Node{
+ Permission: Permission{
+ Action: SetBranchProtectionRulesAction,
+ Resource: RepoArn(repository),
+ },
+ }
+}
+
+func SetBranchProtectionRulesPermissions(repository string) Node {
+ return Node{
+ Permission: Permission{
+ Action: SetBranchProtectionRulesAction,
+ Resource: RepoArn(repository),
+ },
+ }
+}
+
+func InternalCreateBranchProtectionRulePermissions(repository string) Node {
+ return Node{
+ Permission: Permission{
+ Action: SetBranchProtectionRulesAction,
+ Resource: RepoArn(repository),
+ },
+ }
+}
+
+func GetMetaRangePermissions(repository string) Node {
+ return Node{
+ Type: NodeTypeAnd,
+ Nodes: []Node{
+ {
+ Permission: Permission{
+ Action: ListObjectsAction,
+ Resource: RepoArn(repository),
+ },
+ },
+ {
+ Permission: Permission{
+ Action: ReadRepositoryAction,
+ Resource: RepoArn(repository),
+ },
+ },
+ },
+ }
+}
+
+func GetRangePermissions(repository string) Node {
+ return Node{
+ Type: NodeTypeAnd,
+ Nodes: []Node{
+ {
+ Permission: Permission{
+ Action: ListObjectsAction,
+
Resource: RepoArn(repository),
+ },
+ },
+ {
+ Permission: Permission{
+ Action: ReadRepositoryAction,
+ Resource: RepoArn(repository),
+ },
+ },
+ },
+ }
+}
+
+func DumpRefsPermissions(repository string) Node {
+ return Node{
+ Type: NodeTypeAnd,
+ Nodes: []Node{
+ {
+ Permission: Permission{
+ Action: ListTagsAction,
+ Resource: RepoArn(repository),
+ },
+ },
+ {
+ Permission: Permission{
+ Action: ListBranchesAction,
+ Resource: RepoArn(repository),
+ },
+ },
+ {
+ Permission: Permission{
+ Action: ListCommitsAction,
+ Resource: RepoArn(repository),
+ },
+ },
+ },
+ }
+}
+
+func RestoreRefsPermissions(repository string) Node {
+ return Node{
+ Type: NodeTypeAnd,
+ Nodes: []Node{
+ {
+ Permission: Permission{
+ Action: CreateTagAction,
+ Resource: RepoArn(repository),
+ },
+ },
+ {
+ Permission: Permission{
+ Action: CreateBranchAction,
+ Resource: RepoArn(repository),
+ },
+ },
+ {
+ Permission: Permission{
+ Action: CreateCommitAction,
+ Resource: RepoArn(repository),
+ },
+ },
+ },
+ }
+}
+
+func DumpSubmitPermissions(repository string) Node {
+ return Node{
+ Type: NodeTypeAnd,
+ Nodes: []Node{
+ {
+ Permission: Permission{
+ Action: ListTagsAction,
+ Resource: RepoArn(repository),
+ },
+ },
+ {
+ Permission: Permission{
+ Action: ListBranchesAction,
+ Resource: RepoArn(repository),
+ },
+ },
+ {
+ Permission: Permission{
+ Action: ListCommitsAction,
+ Resource: RepoArn(repository),
+ },
+ },
+ },
+ }
+}
+
+func DumpStatusPermissions(repository string) Node {
+ return Node{
+ Type: NodeTypeAnd,
+ Nodes: []Node{
+ {
+ Permission: Permission{
+ Action: ListTagsAction,
+ Resource: RepoArn(repository),
+ },
+ },
+ {
+ Permission: Permission{
+ Action: ListBranchesAction,
+ Resource: RepoArn(repository),
+ },
+ },
+ {
+ Permission: Permission{
+ Action: ListCommitsAction,
+ Resource: RepoArn(repository),
+ },
+ },
+ },
+ }
+}
+
+func RestoreSubmitPermissions(repository string) Node {
+ return Node{
+ Type: NodeTypeAnd,
+ Nodes: []Node{
+ {
+ Permission:
Permission{
+ Action: CreateTagAction,
+ Resource: RepoArn(repository),
+ },
+ },
+ {
+ Permission: Permission{
+ Action: CreateBranchAction,
+ Resource: RepoArn(repository),
+ },
+ },
+ {
+ Permission: Permission{
+ Action: CreateCommitAction,
+ Resource: RepoArn(repository),
+ },
+ },
+ },
+ }
+}
+
+func RestoreStatusPermissions(repository string) Node {
+ return Node{
+ Type: NodeTypeAnd,
+ Nodes: []Node{
+ {
+ Permission: Permission{
+ Action: CreateTagAction,
+ Resource: RepoArn(repository),
+ },
+ },
+ {
+ Permission: Permission{
+ Action: CreateBranchAction,
+ Resource: RepoArn(repository),
+ },
+ },
+ {
+ Permission: Permission{
+ Action: CreateCommitAction,
+ Resource: RepoArn(repository),
+ },
+ },
+ },
+ }
+}
+
+func CreateSymlinkFilePermissions(repository string, branch string) Node {
+ return Node{
+ Permission: Permission{
+ Action: WriteObjectAction,
+ Resource: ObjectArn(repository, branch),
+ },
+ }
+}
+
+func DiffRefsPermissions(repository string) Node {
+ return Node{
+ Permission: Permission{
+ Action: ListObjectsAction,
+ Resource: RepoArn(repository),
+ },
+ }
+}
+
+func LogCommitsPermissions(repository string, ref string) Node {
+ return Node{
+ Permission: Permission{
+ Action: ReadBranchAction,
+ Resource: BranchArn(repository, ref),
+ },
+ }
+}
+
+func HeadObjectPermissions(repository string, path string) Node {
+ return Node{
+ Permission: Permission{
+ Action: ReadObjectAction,
+ Resource: ObjectArn(repository, path),
+ },
+ }
+}
+
+func GetMetadataObjectPermissions(repository string) Node {
+ return Node{
+ Type: NodeTypeAnd,
+ Nodes: []Node{
+ {
+ Permission: Permission{
+ Action: ListObjectsAction,
+ Resource: RepoArn(repository),
+ },
+ },
+ {
+ Permission: Permission{
+ Action: ReadRepositoryAction,
+ Resource: RepoArn(repository),
+ },
+ },
+ },
+ }
+}
+
+func GetObjectPermissions(repository string, path string) Node {
+ return Node{
+ Permission: Permission{
+ Action: ReadObjectAction,
+ Resource: ObjectArn(repository, path),
+ },
+ }
+}
+
+func ListObjectsPermissions(repository string) Node {
+ return Node{
+ Permission: Permission{
+ Action: ListObjectsAction,
+ Resource: RepoArn(repository),
+ },
+ }
+}
+
+func StatObjectPermissions(repository string, path string) Node {
+ return Node{
+ Permission: Permission{
+ Action: ReadObjectAction,
+ Resource: ObjectArn(repository, path),
+ },
+ }
+}
+
+func UpdateObjectUserMetadataPermissions(repository string, path string) Node {
+ return Node{
+ Permission: Permission{
+ Action: WriteObjectAction,
+ Resource: ObjectArn(repository, path),
+ },
+ }
+}
+
+func GetUnderlyingPropertiesPermissions(repository string, path string) Node {
+ return Node{
+ Permission: Permission{
+ Action: ReadObjectAction,
+ Resource: ObjectArn(repository, path),
+ },
+ }
+}
+
+func MergeIntoBranchPermissions(repository string, destinationBranch string) Node {
+ return Node{
+ Permission: Permission{
+ Action: CreateCommitAction,
+ Resource: BranchArn(repository, destinationBranch),
+ },
+ }
+}
+
+func FindMergeBasePermissions(repository string) Node {
+ return Node{
+ Permission: Permission{
+ Action: ListCommitsAction,
+ Resource: RepoArn(repository),
+ },
+ }
+}
+
+func ListTagsPermissions(repository string) Node {
+ return Node{
+ Permission: Permission{
+ Action: ListTagsAction,
+ Resource: RepoArn(repository),
+ },
+ }
+}
+
+func CreateTagPermissions(repository string, tagID string) Node {
+ return Node{
+ Permission: Permission{
+ Action: CreateTagAction,
+ Resource: TagArn(repository, tagID),
+ },
+ }
+}
+
+func DeleteTagPermissions(repository string, tag string) Node {
+ return Node{
+ Permission: Permission{
+ Action: DeleteTagAction,
+ Resource: TagArn(repository, tag),
+ },
+ }
+}
+
+func GetTagPermissions(repository string, tag string) Node {
+ return Node{
+ Permission: Permission{
+ Action: ReadTagAction,
+ Resource: TagArn(repository, tag),
+ },
+ }
+}
+
+func ListPullRequestsPermissions(repository string) Node {
+ return Node{
+ Permission: Permission{
+
Action: ListPullRequestsAction,
+ Resource: RepoArn(repository),
+ },
+ }
+}
+
+func CreatePullRequestPermissions(repository string) Node {
+ return Node{
+ Permission: Permission{
+ Action: WritePullRequestAction,
+ Resource: RepoArn(repository),
+ },
+ }
+}
+
+func GetPullRequestPermissions(repository string) Node {
+ return Node{
+ Permission: Permission{
+ Action: ReadPullRequestAction,
+ Resource: RepoArn(repository),
+ },
+ }
+}
+
+func UpdatePullRequestPermissions(repository string) Node {
+ return Node{
+ Permission: Permission{
+ Action: WritePullRequestAction,
+ Resource: RepoArn(repository),
+ },
+ }
+}
+
+func MergePullRequestPermissions(repository string, destination string) Node {
+ return Node{
+ Type: NodeTypeAnd,
+ Nodes: []Node{
+ {
+ Permission: Permission{
+ Action: CreateCommitAction,
+ Resource: BranchArn(repository, destination),
+ },
+ },
+ {
+ Permission: Permission{
+ Action: WritePullRequestAction,
+ Resource: RepoArn(repository),
+ },
+ },
+ },
+ }
+}
+
+func CreateUserExternalPrincipalPermissions(userID string) Node {
+ return Node{
+ Permission: Permission{
+ Action: CreateUserExternalPrincipalAction,
+ Resource: UserArn(userID),
+ },
+ }
+}
+
+func DeleteUserExternalPrincipalPermissions(userID string) Node {
+ return Node{
+ Permission: Permission{
+ Action: DeleteUserExternalPrincipalAction,
+ Resource: UserArn(userID),
+ },
+ }
+}
+
+func GetExternalPrincipalPermissions(principalID string) Node {
+ return Node{
+ Permission: Permission{
+ Action: ReadExternalPrincipalAction,
+ Resource: ExternalPrincipalArn(principalID),
+ },
+ }
+}
+
+func ListUserExternalPrincipalsPermissions(userID string) Node {
+ return Node{
+ Permission: Permission{
+ Action: ReadUserAction,
+ Resource: UserArn(userID),
+ },
+ }
+}
+
+func GetStorageConfigPermissions() Node {
+ return Node{
+ Permission: Permission{
+ Action: ReadConfigAction,
+ Resource: All,
+ },
+ }
+}
+
+func GetConfigPermissions() Node {
+ return Node{
+ Permission: Permission{
+ Action:
ReadConfigAction,
+ Resource: All,
+ },
+ }
+}
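Review bot: None of the exported functions in this new file carries a doc comment, and since the controller hunks now route every authorization check through them, each one should state the access it demands so a reviewer of the handler no longer has to open this file, e.g. `// MergePullRequestPermissions requires CreateCommit on the destination branch and WritePullRequest on the repository.` Several bodies are byte-identical (DumpRefs/DumpSubmit/DumpStatus, RestoreRefs/RestoreSubmit/RestoreStatus, DeleteObject/DeleteObjects, and the three ReadGroup-on-GroupArn helpers); an unexported helper shared by each group, plus a table-driven test pinning each function's Action/Resource pair, would catch a future edit that silently widens or narrows one of them. `CreateSymlinkFilePermissions` passes `branch` as the path argument of `ObjectArn`, which looks carried over from the handler rather than introduced here; a one-line comment saying whether that resource shape is intentional would help the next reader.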