Authorize will return false if the user is not authorized to do the action. This function will log appropriately, but the caller must return an error to the API client. E.g.: if !h.Authorize(...) { httpapi.Forbidden(rw); return }
| 67 | // return |
| 68 | // } |
// Authorize reports whether the request's RBAC subject may perform action on
// object. On denial it emits a warning log (with the authorizer's internal
// error attached when one is present) and returns false; the caller is still
// responsible for writing the error response to the API client.
func (h *HTTPAuthorizer) Authorize(r *http.Request, action policy.Action, object rbac.Objecter) bool {
	ctx := r.Context()
	subject := httpmw.UserAuthorization(ctx)

	err := h.Authorizer.Authorize(ctx, subject, action, object.RBACObject())
	if err == nil {
		return true
	}

	// Attach the wrapped internal reason, if any, so the denial can be debugged.
	logger := h.Logger
	unauthorized := new(rbac.UnauthorizedError)
	if xerrors.As(err, unauthorized) {
		logger = h.Logger.With(slog.F("internal_error", unauthorized.Internal()))
	}

	// The Safe* accessors log names rather than the expanded role/scope
	// definitions. NOTE(review): "actor_name" is given the whole subject rather
	// than a name, which sidesteps that redaction and repeats the adjacent
	// fields — confirm this is intended.
	fields := []slog.Field{
		slog.F("roles", subject.SafeRoleNames()),
		slog.F("actor_id", subject.ID),
		slog.F("actor_name", subject),
		slog.F("scope", subject.SafeScopeName()),
		slog.F("route", r.URL.Path),
		slog.F("action", action),
		slog.F("object", object),
	}
	logger.Warn(ctx, "requester is not authorized to access the object", fields...)

	return false
}
| 95 | |
| 96 | // AuthorizeContext checks whether the RBAC subject on the context |
| 97 | // is authorized to perform the given action. The subject must have |