aherman
/
boundary
mirror of https://github.com/hashicorp/boundary
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'jeff-error-cli-update'
${ noResults }
boundary/internal/iam/resource.go

110 lines
3.2 KiB
Raw Permalink Blame History

package iam
import (
"context"
"errors"
"fmt"
"github.com/hashicorp/boundary/internal/db"
"github.com/hashicorp/boundary/internal/types/action"
"github.com/hashicorp/boundary/internal/types/resource"
"github.com/hashicorp/boundary/internal/types/scope"
)
// Resource declares the shared behavior of IAM Resources
type Resource interface {
// GetPublicId is the resource ID used to access the resource via an API
GetPublicId() string
// GetName is the optional friendly name used to
// access the resource via an API
GetName() string
// GetDescription is the optional description of the resource
GetDescription() string
// GetScope is the Scope that owns the Resource
GetScope(ctx context.Context, r db.Reader) (*Scope, error)
// Type of Resource (Target, Policy, User, Group, etc)
ResourceType() resource.Type
// Actions that can be assigned permissions for
// the Resource in Policies. Action String() is key for
// the map of Actions returned.
Actions() map[string]action.Type
}
type Cloneable interface {
Clone() interface{}
}
// ResourceWithScope defines an interface for Resources that have a scope
type ResourceWithScope interface {
GetPublicId() string
GetScopeId() string
validScopeTypes() []scope.Type
}
// LookupScope looks up the resource's scope
func LookupScope(ctx context.Context, reader db.Reader, resource ResourceWithScope) (*Scope, error) {
if reader == nil {
return nil, errors.New("error reader is nil for LookupScope")
}
if resource == nil {
return nil, errors.New("error resource is nil for LookupScope")
}
if resource.GetPublicId() == "" {
return nil, fmt.Errorf("LookupScope: scope id is unset %w", db.ErrInvalidParameter)
}
if resource.GetScopeId() == "" {
// try to retrieve it from db with it's scope id
if err := reader.LookupById(ctx, resource); err != nil {
return nil, fmt.Errorf("unable to get resource by public id: %w", err)
}
// if it's still not set after getting it from the db...
if resource.GetScopeId() == "" {
return nil, errors.New("error scope is unset for LookupScope")
}
}
var p Scope
if err := reader.LookupWhere(ctx, &p, "public_id = ?", resource.GetScopeId()); err != nil {
return nil, err
}
return &p, nil
}
// validateScopeForWrite will validate that the scope is okay for db write operations
func validateScopeForWrite(ctx context.Context, r db.Reader, resource ResourceWithScope, opType db.OpType, opt ...db.Option) error {
opts := db.GetOpts(opt...)
if opType == db.CreateOp {
if resource.GetScopeId() == "" {
return errors.New("error scope id not set for user write")
}
ps, err := LookupScope(ctx, r, resource)
if err != nil {
if errors.Is(err, db.ErrRecordNotFound) {
return errors.New("scope is not found")
}
return err
}
validScopeType := false
for _, t := range resource.validScopeTypes() {
if ps.Type == t.String() {
validScopeType = true
}
}
if !validScopeType {
return fmt.Errorf("%s not a valid scope type for this resource", ps.Type)
}
}
if opType == db.UpdateOp && resource.GetScopeId() != "" {
if contains(opts.WithFieldMaskPaths, "ScopeId") || contains(opts.WithNullPaths, "ScopeId") {
return errors.New("not allowed to change a resource's scope")
}
}
return nil
}
Reference in new issue View Git Blame Copy Permalink