MCPcopy Index your code
hub / github.com/coder/coder / newPartialAuthorizer

Method newPartialAuthorizer

coderd/rbac/authz.go:631–683  ·  view source on GitHub ↗
(ctx context.Context, subject Subject, action policy.Action, objectType string)

Source from the content-addressed store, hash-verified

629}
630
631func (a RegoAuthorizer) newPartialAuthorizer(ctx context.Context, subject Subject, action policy.Action, objectType string) (*PartialAuthorizer, error) {
632 if subject.Roles == nil {
633 return nil, xerrors.Errorf("subject must have roles")
634 }
635 if subject.Scope == nil {
636 return nil, xerrors.Errorf("subject must have a scope")
637 }
638
639 input, err := regoPartialInputValue(subject, action, objectType)
640 if err != nil {
641 return nil, xerrors.Errorf("prepare input: %w", err)
642 }
643
644 partialQueries, err := a.partialQuery.Partial(ctx, rego.EvalParsedInput(input))
645 if err != nil {
646 return nil, xerrors.Errorf("prepare: %w", err)
647 }
648
649 pAuth := &PartialAuthorizer{
650 partialQueries: partialQueries,
651 preparedQueries: []rego.PreparedEvalQuery{},
652 subjectInput: subject,
653 subjectResourceType: Object{
654 Type: objectType,
655 ID: "prepared-object",
656 },
657 subjectAction: action,
658 }
659
660 // Prepare each query to optimize the runtime when we iterate over the objects.
661 preparedQueries := make([]rego.PreparedEvalQuery, 0, len(partialQueries.Queries))
662 for _, q := range partialQueries.Queries {
663 if q.String() == "" {
664 // No more work needed. An empty query is the same as
665 // 'WHERE true'
666 // This is likely an admin. We don't even need to use rego going
667 // forward.
668 pAuth.alwaysTrue = true
669 preparedQueries = []rego.PreparedEvalQuery{}
670 break
671 }
672 results, err := rego.New(
673 rego.ParsedQuery(q),
674 ).PrepareForEval(ctx)
675 if err != nil {
676 return nil, xerrors.Errorf("prepare query %s: %w", q.String(), err)
677 }
678 preparedQueries = append(preparedQueries, results)
679 }
680 pAuth.preparedQueries = preparedQueries
681
682 return pAuth, nil
683}
684
685// AuthorizeFilter is a compiled partial query that can be converted to SQL.
686// This allows enforcing the policy on the database side in a WHERE clause.

Callers 1

PrepareMethod · 0.95

Calls 4

regoPartialInputValueFunction · 0.85
NewMethod · 0.65
ErrorfMethod · 0.45
StringMethod · 0.45

Tested by

no test coverage detected