AuthorizeContext checks whether the RBAC subject on the context is authorized to perform the given action. The subject must have been set via dbauthz.As or the ExtractAPIKey middleware. Returns false if the subject is missing or unauthorized.
(ctx context.Context, action policy.Action, object rbac.Objecter)
| 98 | // been set via dbauthz.As or the ExtractAPIKey middleware. Returns |
| 99 | // false if the subject is missing or unauthorized. |
| 100 | func (h *HTTPAuthorizer) AuthorizeContext(ctx context.Context, action policy.Action, object rbac.Objecter) bool { |
| 101 | roles, ok := dbauthz.ActorFromContext(ctx) |
| 102 | if !ok { |
| 103 | h.Logger.Error(ctx, "no authorization actor in context") |
| 104 | return false |
| 105 | } |
| 106 | err := h.Authorizer.Authorize(ctx, roles, action, object.RBACObject()) |
| 107 | if err != nil { |
| 108 | internalError := new(rbac.UnauthorizedError) |
| 109 | logger := h.Logger |
| 110 | if xerrors.As(err, internalError) { |
| 111 | logger = h.Logger.With(slog.F("internal_error", internalError.Internal())) |
| 112 | } |
| 113 | logger.Warn(ctx, "requester is not authorized to access the object", |
| 114 | slog.F("roles", roles.SafeRoleNames()), |
| 115 | slog.F("actor_id", roles.ID), |
| 116 | slog.F("actor_name", roles), |
| 117 | slog.F("scope", roles.SafeScopeName()), |
| 118 | slog.F("action", action), |
| 119 | slog.F("object", object), |
| 120 | ) |
| 121 | return false |
| 122 | } |
| 123 | return true |
| 124 | } |
| 125 | |
| 126 | // AuthorizeSQLFilter returns an authorization filter that can used in a |
| 127 | // SQL 'WHERE' clause. If the filter is used, the resulting rows returned |
no test coverage detected