checkAuthorization returns whether the current API key can use the given permissions, factoring in the current user's roles and the API key scopes. @Summary Check authorization @ID check-authorization @Security CoderSessionToken @Accept json @Produce json @Tags Authorization @Param request body codersdk
(rw http.ResponseWriter, r *http.Request)
| 167 | // @Success 200 {object} codersdk.AuthorizationResponse |
| 168 | // @Router /api/v2/authcheck [post] |
| 169 | func (api *API) checkAuthorization(rw http.ResponseWriter, r *http.Request) { |
| 170 | ctx := r.Context() |
| 171 | auth := httpmw.UserAuthorization(r.Context()) |
| 172 | |
| 173 | var params codersdk.AuthorizationRequest |
| 174 | if !httpapi.Read(ctx, rw, r, ¶ms) { |
| 175 | return |
| 176 | } |
| 177 | |
| 178 | api.Logger.Debug(ctx, "check-auth", |
| 179 | slog.F("my_id", httpmw.APIKey(r).UserID), |
| 180 | slog.F("got_id", auth.ID), |
| 181 | slog.F("name", auth), |
| 182 | slog.F("roles", auth.SafeRoleNames()), |
| 183 | slog.F("scope", auth.SafeScopeName()), |
| 184 | ) |
| 185 | |
| 186 | response := make(codersdk.AuthorizationResponse) |
| 187 | // Prevent using too many resources by ID. This prevents database abuse |
| 188 | // from this endpoint. This also prevents misuse of this endpoint, as |
| 189 | // resource_id should be used for single objects, not for a list of them. |
| 190 | var ( |
| 191 | idFetch int |
| 192 | maxFetch = 10 |
| 193 | ) |
| 194 | for _, v := range params.Checks { |
| 195 | if v.Object.ResourceID != "" { |
| 196 | idFetch++ |
| 197 | } |
| 198 | } |
| 199 | if idFetch > maxFetch { |
| 200 | httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{ |
| 201 | Message: fmt.Sprintf( |
| 202 | "Endpoint only supports using \"resource_id\" field %d times, found %d usages. Remove %d objects with this field set.", |
| 203 | maxFetch, idFetch, idFetch-maxFetch, |
| 204 | ), |
| 205 | }) |
| 206 | return |
| 207 | } |
| 208 | |
| 209 | for k, v := range params.Checks { |
| 210 | if v.Object.ResourceType == "" { |
| 211 | httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{ |
| 212 | Message: fmt.Sprintf("Object's \"resource_type\" field must be defined for key %q.", k), |
| 213 | }) |
| 214 | return |
| 215 | } |
| 216 | |
| 217 | obj := rbac.Object{ |
| 218 | Owner: v.Object.OwnerID, |
| 219 | OrgID: v.Object.OrganizationID, |
| 220 | Type: string(v.Object.ResourceType), |
| 221 | AnyOrgOwner: v.Object.AnyOrgOwner, |
| 222 | } |
| 223 | if obj.Owner == codersdk.Me { |
| 224 | obj.Owner = auth.ID |
| 225 | } |
| 226 |