From 74ccc8db6bcf1aa6ec959d82b28bb48c3241f8e0 Mon Sep 17 00:00:00 2001
From: Valera Shaitorov <shaitorov@perx.ru>
Date: Tue, 23 May 2023 12:37:51 +0700
Subject: [PATCH] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB=D0=B5?=
 =?UTF-8?q?=D0=BD=D1=8B=20=D0=B8=D1=81=D0=BF=D1=80=D0=B0=D0=B2=D0=BB=D0=B5?=
 =?UTF-8?q?=D0=BD=D0=B8=D1=8F=20=D0=BE=D1=88=D0=B8=D0=B1=D0=BA=D0=B8=20?=
 =?UTF-8?q?=D0=B2=20=D0=BD=D0=B0=D1=81=D1=82=D1=80=D0=BE=D0=B9=D0=BA=D0=B0?=
 =?UTF-8?q?=D1=85=20=D1=80=D0=BE=D0=BB=D0=B5=D0=B9,=20=D0=B8=D0=B7-=D0=B7?=
 =?UTF-8?q?=D0=B0=20=D0=BA=D0=BE=D1=82=D0=BE=D1=80=D0=BE=D0=B9=20=D0=BD?=
 =?UTF-8?q?=D0=B5=20=D1=80=D0=B0=D0=B1=D0=BE=D1=82=D0=B0=D0=BB=D0=B8=20glo?=
 =?UTF-8?q?b-=D0=B2=D1=8B=D1=80=D0=B0=D0=B6=D0=B5=D0=BD=D0=B8=D1=8F=20?=
 =?UTF-8?q?=D0=B0=20=D1=83=D0=BA=D0=B0=D0=B7=D0=B0=D0=BD=D0=B8=D0=B8=20?=
 =?UTF-8?q?=D0=B4=D0=BE=D1=81=D1=82=D1=83=D0=BF=D0=B0=20=D0=BA=20=D0=BE?=
 =?UTF-8?q?=D0=BA=D1=80=D1=83=D0=B6=D0=B5=D0=BD=D0=B8=D1=8F=D0=BC?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 pkg/auth/principal.go                         | 39 +------------------
 pkg/roles/role.go                             | 26 ++++++-------
 .../principal_test.go => roles/role_test.go}  | 39 +++++++++----------
 3 files changed, 33 insertions(+), 71 deletions(-)
 rename pkg/{auth/principal_test.go => roles/role_test.go} (83%)

diff --git a/pkg/auth/principal.go b/pkg/auth/principal.go
index 78da09cb..004db35f 100644
--- a/pkg/auth/principal.go
+++ b/pkg/auth/principal.go
@@ -3,7 +3,6 @@ package auth
 import (
 	"context"
 
-	"git.perx.ru/perxis/perxis-go/pkg/data"
 	"git.perx.ru/perxis/perxis-go/pkg/environments"
 	"git.perx.ru/perxis/perxis-go/pkg/members"
 	"git.perx.ru/perxis/perxis-go/pkg/permission"
@@ -46,41 +45,5 @@ type OrganizationAccessor interface {
 }
 
 func hasEnvironmentAccess(ctx context.Context, envsrv environments.Environments, role *roles.Role, envID string) bool {
-	if role == nil || role.SpaceID == "" || envID == "" {
-		return false
-	}
-
-	if role.AllowManagement {
-		return true
-	}
-
-	envs := role.Environments
-
-	// Если явно не указаны доступные окружения - доступ по умолчанию к окружению master
-	if len(envs) == 0 {
-		envs = []string{environments.DefaultEnvironment}
-	}
-
-	for _, ce := range envs {
-		if envID == ce || data.GlobMatch(envID, ce) {
-			return true
-		}
-	}
-
-	e, err := envsrv.Get(WithSystem(ctx), role.SpaceID, envID)
-	if err != nil || e == nil {
-		return false
-	}
-
-	aliases := append(e.Aliases, e.ID)
-
-	for _, ce := range envs {
-		for _, al := range aliases {
-			if al == ce || data.GlobMatch(al, ce) {
-				return true
-			}
-		}
-	}
-
-	return false
+	return role != nil && role.CanAccessEnvironment(ctx, &environments.Environment{SpaceID: role.SpaceID, ID: envID}, envsrv)
 }
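Review bot: The delegated call on the new last line of hasEnvironmentAccess passes `ctx` straight through, whereas the removed code fetched the environment with `WithSystem(ctx)`; since CanAccessEnvironment calls `service.Get` with whatever context it receives, the alias lookup now runs under the caller's own identity and may be refused for principals that cannot read environments, turning a previously granted alias match into a denial. If the system-level lookup was intentional, keep it at this call site: `return role != nil && role.CanAccessEnvironment(WithSystem(ctx), &environments.Environment{SpaceID: role.SpaceID, ID: envID}, envsrv)`. This is inferred from the removed lines; confirm whether environments.Environments.Get enforces permissions on the context it is given.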
diff --git a/pkg/roles/role.go b/pkg/roles/role.go
index eecafb64..37047067 100644
--- a/pkg/roles/role.go
+++ b/pkg/roles/role.go
@@ -34,8 +34,8 @@ type Role struct {
 	AllowManagement bool `json:"allow_management" bson:"allow_management"`
 }
 
-func (r Role) CanAccessEnvironment(ctx context.Context, service environments.Environments, spaceID, envID string) bool {
-	if spaceID == "" || envID == "" {
+func (r Role) CanAccessEnvironment(ctx context.Context, env *environments.Environment, service environments.Environments) bool {
+	if env.SpaceID == "" || env.ID == "" {
 		return false
 	}
 
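Review bot: The new signature takes `*environments.Environment` but dereferences it on the very first line, so a nil `env` panics before the empty-string guard runs; the old string parameters could not fail this way. Extend the guard: `if env == nil || env.SpaceID == "" || env.ID == "" {`. CanAccessEnvironment's body continues past this hunk.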
@@ -48,24 +48,24 @@ func (r Role) CanAccessEnvironment(ctx context.Context, service environments.Env
 		r.Environments = []string{environments.DefaultEnvironment}
 	}
 
-	for _, e := range r.Environments {
-		if envID == e || data.GlobMatch(envID, e) {
+	// Если окружение передано не полное, это означает, что надо его перезапросить
+	if env.Description == "" && env.Aliases == nil && env.StateInfo == nil {
+		if data.GlobMatch(env.ID, r.Environments...) {
 			return true
 		}
-	}
 
-	env, err := service.Get(ctx, spaceID, envID)
-	if err != nil || env == nil {
-		return false
+		var err error
+		env, err = service.Get(ctx, env.SpaceID, env.ID)
+		if err != nil || env == nil {
+			return false
+		}
 	}
 
 	aliases := append(env.Aliases, env.ID)
 
-	for _, e := range r.Environments {
-		for _, a := range aliases {
-			if a == e || data.GlobMatch(a, e) {
-				return true
-			}
+	for _, a := range aliases {
+		if data.GlobMatch(a, r.Environments...) {
+			return true
 		}
 	}
 
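Review bot: The refetch decision on the added `if env.Description == "" && env.Aliases == nil && env.StateInfo == nil` line is inferred from three zero-valued fields, so an Environment handed in by a caller with a Description or a non-nil Aliases slice is treated as authoritative and its Aliases feed the access decision in the loop below without `service` ever being consulted; the authorization result then depends on what the caller put in the struct rather than on the stored environment. Conversely, a genuinely stored environment with an empty description, no aliases and no state also trips the heuristic and costs a redundant Get. Prefer an explicit signal — fetch whenever the caller only has an ID — or at least state the contract on the method: `// env may be partial (SpaceID and ID only); any Aliases already present are trusted as-is, so callers must pass either a freshly loaded Environment or one carrying only SpaceID and ID.` Separately, the removed loops tested `envID == e ||` before GlobMatch, and the variadic `data.GlobMatch(env.ID, r.Environments...)` replacement preserves that only if GlobMatch treats a pattern without wildcards as an exact match — confirm against pkg/data. The function continues outside the hunk.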
diff --git a/pkg/auth/principal_test.go b/pkg/roles/role_test.go
similarity index 83%
rename from pkg/auth/principal_test.go
rename to pkg/roles/role_test.go
index 54e04ee4..ca794b18 100644
--- a/pkg/auth/principal_test.go
+++ b/pkg/roles/role_test.go
@@ -1,4 +1,4 @@
-package auth
+package roles
 
 import (
 	"context"
@@ -6,16 +6,15 @@ import (
 
 	"git.perx.ru/perxis/perxis-go/pkg/environments"
 	mocksenvs "git.perx.ru/perxis/perxis-go/pkg/environments/mocks"
-	"git.perx.ru/perxis/perxis-go/pkg/roles"
 	"github.com/stretchr/testify/mock"
 )
 
-func Test_hasEnvironmentAccess(t *testing.T) {
+func TestRoleCanAccessEnvironment(t *testing.T) {
 	type args struct {
 		ctx      context.Context
 		envscall func(envsservice *mocksenvs.Environments)
-		role     *roles.Role
-		envID    string
+		role     *Role
+		env      *environments.Environment
 	}
 	tests := []struct {
 		name string
@@ -26,13 +25,13 @@ func Test_hasEnvironmentAccess(t *testing.T) {
 			name: "simple",
 			args: args{
 				ctx: context.Background(),
-				role: &roles.Role{
+				role: &Role{
 					ID:           "1",
 					SpaceID:      "space",
 					Description:  "Current",
 					Environments: []string{"env1", "env2"},
 				},
-				envID: "env1",
+				env: &environments.Environment{ID: "env1", SpaceID: "sp"},
 			},
 			want: true,
 		},
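Review bot: The fixture in this hunk, and the six hunks after it that follow the same pattern, give the role `SpaceID: "space"` but the environment `SpaceID: "sp"`, and CanAccessEnvironment never cross-checks the two, so each case evaluates a role from one space against an environment of another; the mocked Get expectations are set up outside these hunks, so whether they match `"sp"` cannot be seen here. Use one value throughout, `env: &environments.Environment{ID: "env1", SpaceID: "space"},`, or, if a mismatched SpaceID is meant to be refused, add a case asserting that and the corresponding check in the method.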
@@ -47,13 +46,13 @@ func Test_hasEnvironmentAccess(t *testing.T) {
 						Aliases: []string{"master"},
 					}, nil).Once()
 				},
-				role: &roles.Role{
+				role: &Role{
 					ID:           "1",
 					SpaceID:      "space",
 					Description:  "Current",
 					Environments: []string{"e*"},
 				},
-				envID: "env",
+				env: &environments.Environment{ID: "env", SpaceID: "sp"},
 			},
 			want: true,
 		},
@@ -68,13 +67,13 @@ func Test_hasEnvironmentAccess(t *testing.T) {
 						Aliases: []string{"master"},
 					}, nil).Once()
 				},
-				role: &roles.Role{
+				role: &Role{
 					ID:           "1",
 					SpaceID:      "space",
 					Description:  "Current",
 					Environments: []string{"*n*"},
 				},
-				envID: "env",
+				env: &environments.Environment{ID: "env", SpaceID: "sp"},
 			},
 			want: true,
 		},
@@ -89,13 +88,13 @@ func Test_hasEnvironmentAccess(t *testing.T) {
 						Aliases: []string{"master"},
 					}, nil).Once()
 				},
-				role: &roles.Role{
+				role: &Role{
 					ID:           "1",
 					SpaceID:      "space",
 					Description:  "Current",
 					Environments: []string{"*1"},
 				},
-				envID: "env",
+				env: &environments.Environment{ID: "env", SpaceID: "sp"},
 			},
 			want: true,
 		},
@@ -110,13 +109,13 @@ func Test_hasEnvironmentAccess(t *testing.T) {
 						Aliases: []string{"master"},
 					}, nil).Once()
 				},
-				role: &roles.Role{
+				role: &Role{
 					ID:           "1",
 					SpaceID:      "space",
 					Description:  "Current",
 					Environments: []string{"ma*"},
 				},
-				envID: "env1",
+				env: &environments.Environment{ID: "env1", SpaceID: "sp"},
 			},
 			want: true,
 		},
@@ -131,13 +130,13 @@ func Test_hasEnvironmentAccess(t *testing.T) {
 						Aliases: []string{"master"},
 					}, nil).Once()
 				},
-				role: &roles.Role{
+				role: &Role{
 					ID:           "1",
 					SpaceID:      "space",
 					Description:  "Current",
 					Environments: []string{"*"},
 				},
-				envID: "env1",
+				env: &environments.Environment{ID: "env1", SpaceID: "sp"},
 			},
 			want: true,
 		},
@@ -152,13 +151,13 @@ func Test_hasEnvironmentAccess(t *testing.T) {
 						Aliases: []string{"master"},
 					}, nil).Once()
 				},
-				role: &roles.Role{
+				role: &Role{
 					ID:           "1",
 					SpaceID:      "space",
 					Description:  "Current",
 					Environments: []string{"q*"},
 				},
-				envID: "env1",
+				env: &environments.Environment{ID: "env1", SpaceID: "sp"},
 			},
 			want: false,
 		},
@@ -170,7 +169,7 @@ func Test_hasEnvironmentAccess(t *testing.T) {
 				tt.args.envscall(envsservice)
 			}
 
-			if got := hasEnvironmentAccess(tt.args.ctx, envsservice, tt.args.role, tt.args.envID); got != tt.want {
+			if got := tt.args.role.CanAccessEnvironment(tt.args.ctx, tt.args.env, envsservice); got != tt.want {
 				t.Errorf("hasEnvironmentAccess() = %v, want %v", got, tt.want)
 			}
 		})
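Review bot: The failure message on the context line right after the rewritten call still reports `hasEnvironmentAccess()`, a function that no longer exists in this package, so a failing case points at the wrong code; change it to `t.Errorf("CanAccessEnvironment() = %v, want %v", got, tt.want)`. That line is unchanged context, so the fix sits just outside the lines this commit touches.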
-- 
GitLab