MCPcopy Index your code
hub / github.com/coder/coder / authorize

Method authorize

coderd/rbac/authz.go:452–482  ·  view source on GitHub ↗

authorize is the internal function that does the actual authorization. It is a different function so the exported one can add tracing + metrics. That code tends to clutter up the actual logic, so it's separated out. nolint:revive

(ctx context.Context, subject Subject, action policy.Action, object Object)

Source from the content-addressed store, hash-verified

450// That code tends to clutter up the actual logic, so it's separated out.
451// nolint:revive
452func (a RegoAuthorizer) authorize(ctx context.Context, subject Subject, action policy.Action, object Object) error {
453 if subject.Roles == nil {
454 return xerrors.Errorf("subject must have roles")
455 }
456 if subject.Scope == nil {
457 return xerrors.Errorf("subject must have a scope")
458 }
459
460 // The caller should use either 1 or the other (or none).
461 // Using "AnyOrgOwner" and an OrgID is a contradiction.
462 // An empty uuid or a nil uuid means "no org owner".
463 if object.AnyOrgOwner && !(object.OrgID == "" || object.OrgID == "00000000-0000-0000-0000-000000000000") {
464 return xerrors.Errorf("object cannot have 'any_org' and an 'org_id' specified, values are mutually exclusive")
465 }
466
467 astV, err := regoInputValue(subject, action, object)
468 if err != nil {
469 return xerrors.Errorf("convert input to value: %w", err)
470 }
471
472 results, err := a.query.Eval(ctx, rego.EvalParsedInput(astV))
473 if err != nil {
474 err = correctCancelError(err)
475 return xerrors.Errorf("evaluate rego: %w", err)
476 }
477
478 if !results.Allowed() {
479 return ForbiddenWithInternal(xerrors.Errorf("policy disallows request"), subject, action, object, results)
480 }
481 return nil
482}
483
484// Prepare will partially execute the rego policy leaving the object fields unknown (except for the type).
485// This will vastly speed up performance if batch authorization on the same type of objects is needed.

Callers 1

AuthorizeMethod · 0.95

Calls 4

regoInputValueFunction · 0.85
correctCancelErrorFunction · 0.85
ForbiddenWithInternalFunction · 0.85
ErrorfMethod · 0.45

Tested by

no test coverage detected