| 866 | } |
| 867 | |
| 868 | func recordAuthzCheck(ctx context.Context, action policy.Action, object Object, authorized bool) { |
| 869 | r, ok := ctx.Value(authzCheckRecorderKey{}).(*AuthzCheckRecorder) |
| 870 | if !ok { |
| 871 | return |
| 872 | } |
| 873 | |
| 874 | // We serialize the check using the following syntax |
| 875 | var b strings.Builder |
| 876 | if object.OrgID != "" { |
| 877 | _, err := fmt.Fprintf(&b, "organization:%v::", object.OrgID) |
| 878 | if err != nil { |
| 879 | return |
| 880 | } |
| 881 | } |
| 882 | if object.AnyOrgOwner { |
| 883 | _, err := fmt.Fprint(&b, "organization:any::") |
| 884 | if err != nil { |
| 885 | return |
| 886 | } |
| 887 | } |
| 888 | if object.Owner != "" { |
| 889 | _, err := fmt.Fprintf(&b, "owner:%v::", object.Owner) |
| 890 | if err != nil { |
| 891 | return |
| 892 | } |
| 893 | } |
| 894 | if object.ID != "" { |
| 895 | _, err := fmt.Fprintf(&b, "id:%v::", object.ID) |
| 896 | if err != nil { |
| 897 | return |
| 898 | } |
| 899 | } |
| 900 | _, err := fmt.Fprintf(&b, "%v.%v", object.RBACObject().Type, action) |
| 901 | if err != nil { |
| 902 | return |
| 903 | } |
| 904 | |
| 905 | r.lock.Lock() |
| 906 | defer r.lock.Unlock() |
| 907 | r.checks = append(r.checks, recordedCheck{name: b.String(), result: authorized}) |
| 908 | } |
| 909 | |
| 910 | func GetAuthzCheckRecorder(ctx context.Context) (*AuthzCheckRecorder, bool) { |
| 911 | checks, ok := ctx.Value(authzCheckRecorderKey{}).(*AuthzCheckRecorder) |