From 4545ffa666dc3091c82c2c92dcc1b8df828f97af Mon Sep 17 00:00:00 2001
From: Johannes Batzill
Date: Mon, 5 Sep 2022 22:29:40 -0700
Subject: [PATCH] add one more assumption to harness ACL client
---
internal/auth/authz/harness/authorizer.go | 4 ++++
internal/auth/authz/harness/types.go | 9 +++++----
2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/internal/auth/authz/harness/authorizer.go b/internal/auth/authz/harness/authorizer.go
index 78141990f..87f9ad6a7 100644
--- a/internal/auth/authz/harness/authorizer.go
+++ b/internal/auth/authz/harness/authorizer.go
@@ -128,9 +128,13 @@ func checkAclResponse(permissionChecks []*types.PermissionCheck, responseDto acl
 * We are assuming two things:
 * - All permission checks were made for the same principal.
 * - Permissions inherit down the hierarchy (Account -> Organization -> Project -> Repository)
+ * - No two checks are for the same permission - is similar to ff implementation:
+ * https://github.com/wings-software/ff-server/blob/master/pkg/rbac/client.go#L88
 *
 * Based on that, if there's any permitted result for a permission check the permission is allowed.
 * Now we just have to ensure that all permissions are allowed
+ *
+ * TODO: Use resource name + scope for verifying results.
 */
 for _, check := range permissionChecks {
diff --git a/internal/auth/authz/harness/types.go b/internal/auth/authz/harness/types.go
index d010c185c..b10bcd25c 100644
--- a/internal/auth/authz/harness/types.go
+++ b/internal/auth/authz/harness/types.go
@@ -26,10 +26,11 @@ type aclResponseData struct {
 }
 type aclControlElement struct {
- Permission string `json:"permission"`
- ResourceScope aclResourceScope `json:"resourceScope,omitempty"`
- ResourceType string `json:"resourceType"`
- Permitted bool `json:"permitted"`
+ Permission string `json:"permission"`
+ ResourceScope aclResourceScope `json:"resourceScope,omitempty"`
+ ResourceType string `json:"resourceType"`
+ ResourceIdentifier string `json:"resourceIdentifier"`
+ Permitted bool `json:"permitted"`
 }
 type aclResourceScope struct {
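Review bot: The new assumption that no two checks share a permission is only stated in the comment, while the matching described two lines below ("if there's any permitted result for a permission check the permission is allowed") keys on permission alone, so a batch holding two checks for the same permission on different resources would let the first permitted result satisfy the second. Until the TODO on resource name + scope is done, the assumption should be enforced fail-closed: before the loop, detect a duplicate permission among permissionChecks and reject the whole batch instead of proceeding, and the ResourceIdentifier field added to aclControlElement in types.go in this same commit is the natural key for the TODO itself. The comment header also now lists three items, so `* We are assuming three things:` would match the list. checkAclResponse starts before the hunk and its loop body runs past it.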
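Review bot: ResourceIdentifier is decoded from the ACL response but, per the TODO added to authorizer.go in this same commit, is not yet consulted when results are matched back to checks; a field comment would make that visible to the next reader, e.g. `// ResourceIdentifier names the resource the result applies to; not yet used when matching results to checks.` Whether the ACL service always populates it is not shown here (the tag has no omitempty, unlike ResourceScope); if it can be absent, the eventual matching should treat an empty identifier as a mismatch rather than a wildcard. aclControlElement lies entirely within the hunk.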