
ugly fix for making api token check work with policy middleware and project middleware

Mohammed Nafees hace 4 años
6070d4ae01

+ 2 - 7
api/server/authz/policy.go

@@ -39,13 +39,8 @@ type PolicyHandler struct {
 }
 
 func (h *PolicyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	// get the full map of scopes to resource actions
-	reqScopes, reqErr := getRequestActionForEndpoint(r, h.endpointMeta)
-
-	if reqErr != nil {
-		apierrors.HandleAPIError(h.config.Logger, h.config.Alerter, w, r, reqErr, true)
-		return
-	}
+	// get the project id from the URL param context
+	reqScopes, _ := r.Context().Value(types.RequestScopeCtxKey).(map[types.PermissionScope]*types.RequestAction)
 
 	policyLoaderOpts := &policy.PolicyLoaderOpts{}
 
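Review bot: The type assertion on the new `reqScopes` line discards the ok result, so when no upstream middleware has stored the scope map in the request context the policy check continues with a nil map instead of rejecting the request; an authorization step should fail closed here. Suggest `reqScopes, ok := r.Context().Value(types.RequestScopeCtxKey).(map[types.PermissionScope]*types.RequestAction)` followed by `if !ok || reqScopes == nil { /* reject via apierrors.HandleAPIError with an internal error, as the removed lines did */ return }`, since a missing map means the route was wired without the project-scoped middleware. The new comment `// get the project id from the URL param context` no longer describes the line; replace it with `// read the scope -> action map that the project-scoped middleware stored in the request context`. ServeHTTP continues outside the hunk, so what a nil map does downstream is not visible here.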

+ 16 - 7
api/server/authz/project.go

@@ -13,27 +13,35 @@ import (
 )
 
 type ProjectScopedFactory struct {
-	config *config.Config
+	config       *config.Config
+	endpointMeta types.APIRequestMetadata
 }
 
 func NewProjectScopedFactory(
 	config *config.Config,
+	endpointMeta types.APIRequestMetadata,
 ) *ProjectScopedFactory {
-	return &ProjectScopedFactory{config}
+	return &ProjectScopedFactory{config, endpointMeta}
 }
 
 func (p *ProjectScopedFactory) Middleware(next http.Handler) http.Handler {
-	return &ProjectScopedMiddleware{next, p.config}
+	return &ProjectScopedMiddleware{next, p.endpointMeta, p.config}
 }
 
 type ProjectScopedMiddleware struct {
-	next   http.Handler
-	config *config.Config
+	next         http.Handler
+	endpointMeta types.APIRequestMetadata
+	config       *config.Config
 }
 
 func (p *ProjectScopedMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	// get the project id from the URL param context
-	reqScopes, _ := r.Context().Value(types.RequestScopeCtxKey).(map[types.PermissionScope]*types.RequestAction)
+	// get the full map of scopes to resource actions
+	reqScopes, reqErr := getRequestActionForEndpoint(r, p.endpointMeta)
+
+	if reqErr != nil {
+		apierrors.HandleAPIError(p.config.Logger, p.config.Alerter, w, r, reqErr, true)
+		return
+	}
 
 	projID := reqScopes[types.ProjectScope].Resource.UInt
 
@@ -53,6 +61,7 @@ func (p *ProjectScopedMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Reque
 	}
 
 	ctx := NewProjectContext(r.Context(), project)
+	ctx = NewRequestScopeCtx(ctx, reqScopes)
 	r = r.Clone(ctx)
 	p.next.ServeHTTP(w, r)
 }
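Review bot: The positional literals `&ProjectScopedFactory{config, endpointMeta}` and `&ProjectScopedMiddleware{next, p.endpointMeta, p.config}` now depend on field order after a field was inserted in the middle of both structs, and `go vet`'s composites check does not flag unkeyed literals of package-local types, so a later reorder would misassign silently. Use keyed fields: `&ProjectScopedFactory{config: config, endpointMeta: endpointMeta}` and `&ProjectScopedMiddleware{next: next, endpointMeta: p.endpointMeta, config: p.config}`. In ServeHTTP, `reqScopes[types.ProjectScope].Resource.UInt` dereferences the map entry with no nil check; whether getRequestActionForEndpoint guarantees a ProjectScope entry is not visible here, so either guard it or state that invariant in a comment on the call. The second hunk's `ctx = NewRequestScopeCtx(ctx, reqScopes)` is what the policy middleware now relies on, which is worth noting in the struct doc comment for ProjectScopedMiddleware.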

+ 7 - 7
api/server/router/project.go

@@ -945,7 +945,7 @@ func getProjectRoutes(
 		factory.GetResultWriter(),
 	)
 
-	routes = append(routes, &Route{
+	routes = append(routes, &router.Route{
 		Endpoint: policyCreateEndpoint,
 		Handler:  policyCreateHandler,
 		Router:   r,
@@ -974,7 +974,7 @@ func getProjectRoutes(
 		factory.GetResultWriter(),
 	)
 
-	routes = append(routes, &Route{
+	routes = append(routes, &router.Route{
 		Endpoint: policyListEndpoint,
 		Handler:  policyListHandler,
 		Router:   r,
@@ -1003,7 +1003,7 @@ func getProjectRoutes(
 		factory.GetResultWriter(),
 	)
 
-	routes = append(routes, &Route{
+	routes = append(routes, &router.Route{
 		Endpoint: policyGetEndpoint,
 		Handler:  policyGetHandler,
 		Router:   r,
@@ -1032,7 +1032,7 @@ func getProjectRoutes(
 		factory.GetResultWriter(),
 	)
 
-	routes = append(routes, &Route{
+	routes = append(routes, &router.Route{
 		Endpoint: apiTokenCreateEndpoint,
 		Handler:  apiTokenCreateHandler,
 		Router:   r,
@@ -1061,7 +1061,7 @@ func getProjectRoutes(
 		factory.GetResultWriter(),
 	)
 
-	routes = append(routes, &Route{
+	routes = append(routes, &router.Route{
 		Endpoint: apiTokenListEndpoint,
 		Handler:  apiTokenListHandler,
 		Router:   r,
@@ -1090,7 +1090,7 @@ func getProjectRoutes(
 		factory.GetResultWriter(),
 	)
 
-	routes = append(routes, &Route{
+	routes = append(routes, &router.Route{
 		Endpoint: apiTokenGetEndpoint,
 		Handler:  apiTokenGetHandler,
 		Router:   r,
@@ -1119,7 +1119,7 @@ func getProjectRoutes(
 		factory.GetResultWriter(),
 	)
 
-	routes = append(routes, &Route{
+	routes = append(routes, &router.Route{
 		Endpoint: apiTokenRevokeEndpoint,
 		Handler:  apiTokenRevokeHandler,
 		Router:   r,

+ 5 - 5
api/server/router/router.go

@@ -168,10 +168,6 @@ func registerRoutes(config *config.Config, routes []*router.Route) {
 	// after authentication. Each subsequent http.Handler can lookup the user in context.
 	authNFactory := authn.NewAuthNFactory(config)
 
-	// Create a new "project-scoped" factory which will create a new project-scoped request
-	// after authorization. Each subsequent http.Handler can lookup the project in context.
-	projFactory := authz.NewProjectScopedFactory(config)
-
 	// Create a new "cluster-scoped" factory which will create a new cluster-scoped request
 	// after authorization. Each subsequent http.Handler can lookup the cluster in context.
 	clusterFactory := authz.NewClusterScopedFactory(config)
@@ -230,10 +226,14 @@ func registerRoutes(config *config.Config, routes []*router.Route) {
 					atomicGroup.Use(authNFactory.NewAuthenticated)
 				}
 			case types.ProjectScope:
+				// Create a new "project-scoped" factory which will create a new project-scoped request
+				// after authorization. Each subsequent http.Handler can lookup the project in context.
+				projFactory := authz.NewProjectScopedFactory(config, *route.Endpoint.Metadata)
+
 				policyFactory := authz.NewPolicyMiddleware(config, *route.Endpoint.Metadata, policyDocLoader)
 
-				atomicGroup.Use(policyFactory.Middleware)
 				atomicGroup.Use(projFactory.Middleware)
+				atomicGroup.Use(policyFactory.Middleware)
 			case types.ClusterScope:
 				atomicGroup.Use(clusterFactory.Middleware)
 			case types.NamespaceScope:
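Review bot: The swapped order of the two `atomicGroup.Use` calls at the end of the hunk is now a hard dependency — the project middleware resolves the scope map and stores it in the context, and the policy middleware only reads it — but nothing in the code records this, so a future reorder, or a route group that applies the policy middleware alone, would run the authorization check without any scopes. Add a comment above the pair: `// projFactory must run before policyFactory: it resolves this endpoint's scope map and stores it in the request context, which the policy middleware reads.` The per-route construction of projFactory inside the switch is fine given it now takes the route's metadata, but the moved comment repeats the cluster-scoped one almost verbatim and could simply say why it moved. registerRoutes starts outside the hunk.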