// Source: github.com/chenbh/concourse/v6@v6.4.2/atc/wrappa/api_auth_wrappa.go

package wrappa

import (
	"github.com/chenbh/concourse/v6/atc"
	"github.com/chenbh/concourse/v6/atc/api/auth"
	"github.com/tedsuo/rata"
)

// APIAuthWrappa holds the access-check handler factories that Wrap uses to
// guard API routes: one for pipeline access, one each for build read and
// build write access, and one for worker-team access.
type APIAuthWrappa struct {
	checkPipelineAccessHandlerFactory   auth.CheckPipelineAccessHandlerFactory
	checkBuildReadAccessHandlerFactory  auth.CheckBuildReadAccessHandlerFactory
	checkBuildWriteAccessHandlerFactory auth.CheckBuildWriteAccessHandlerFactory
	checkWorkerTeamAccessHandlerFactory auth.CheckWorkerTeamAccessHandlerFactory
}

// NewAPIAuthWrappa builds an APIAuthWrappa from the four access-check handler
// factories. The factories are stored as given; nothing is validated here.
func NewAPIAuthWrappa(
	checkPipelineAccessHandlerFactory auth.CheckPipelineAccessHandlerFactory,
	checkBuildReadAccessHandlerFactory auth.CheckBuildReadAccessHandlerFactory,
	checkBuildWriteAccessHandlerFactory auth.CheckBuildWriteAccessHandlerFactory,
	checkWorkerTeamAccessHandlerFactory auth.CheckWorkerTeamAccessHandlerFactory,
) *APIAuthWrappa {
	w := new(APIAuthWrappa)
	w.checkPipelineAccessHandlerFactory = checkPipelineAccessHandlerFactory
	w.checkBuildReadAccessHandlerFactory = checkBuildReadAccessHandlerFactory
	w.checkBuildWriteAccessHandlerFactory = checkBuildWriteAccessHandlerFactory
	w.checkWorkerTeamAccessHandlerFactory = checkWorkerTeamAccessHandlerFactory
	return w
}

// Wrap returns a new handler table in which every entry of handlers is
// replaced by that handler wrapped in the access check assigned to its route
// name below. The input map is only read, never modified.
//
// The switch is an explicit allowlist: a route name with no case falls through
// to the default branch and panics, so no handler is ever returned without a
// check merely because nobody classified it. Keep that property when adding
// routes, and put each new route in the strictest group that fits.
func (w *APIAuthWrappa) Wrap(handlers rata.Handlers) rata.Handlers {
	out := make(rata.Handlers, len(handlers))

	// The same rejector value is handed to every check below.
	// NOTE(review): how it answers a refused request is defined in the auth
	// package, not visible here.
	reject := auth.UnauthorizedRejector{}

	for name, handler := range handlers {
		guarded := handler

		switch name {
		// build read access: pipeline is public or authorized
		case atc.GetBuild,
			atc.BuildResources:
			guarded = w.checkBuildReadAccessHandlerFactory.AnyJobHandler(handler, reject)

		// build read access: pipeline and job are public or authorized
		case atc.GetBuildPreparation,
			atc.BuildEvents,
			atc.GetBuildPlan,
			atc.ListBuildArtifacts:
			guarded = w.checkBuildReadAccessHandlerFactory.CheckIfPrivateJobHandler(handler, reject)

		// build write access: resource belongs to authorized team
		case atc.AbortBuild:
			guarded = w.checkBuildWriteAccessHandlerFactory.HandlerFor(handler, reject)

		// worker access: requester is system, admin team, or worker owning team
		case atc.PruneWorker,
			atc.LandWorker,
			atc.RetireWorker,
			atc.ListDestroyingVolumes,
			atc.ListDestroyingContainers,
			atc.ReportWorkerContainers,
			atc.ReportWorkerVolumes:
			guarded = w.checkWorkerTeamAccessHandlerFactory.HandlerFor(handler, reject)

		// pipeline access: pipeline is public or authorized
		case atc.GetPipeline,
			atc.GetJobBuild,
			atc.PipelineBadge,
			atc.JobBadge,
			atc.ListJobs,
			atc.GetJob,
			atc.ListJobBuilds,
			atc.ListPipelineBuilds,
			atc.GetResource,
			atc.ListBuildsWithVersionAsInput,
			atc.ListBuildsWithVersionAsOutput,
			atc.GetResourceCausality,
			atc.GetResourceVersion,
			atc.ListResources,
			atc.ListResourceTypes,
			atc.ListResourceVersions:
			guarded = w.checkPipelineAccessHandlerFactory.HandlerFor(handler, reject)

		// authenticated
		// NOTE(review): this group is labelled authentication-only, yet it
		// includes routes such as atc.HijackContainer, atc.SetTeam and
		// atc.DestroyTeam. Any team or role check for them would have to
		// live in the handlers themselves, which is not visible here;
		// confirm before relying on it.
		case atc.CreateBuild,
			atc.GetContainer,
			atc.HijackContainer,
			atc.ListContainers,
			atc.ListWorkers,
			atc.RegisterWorker,
			atc.HeartbeatWorker,
			atc.DeleteWorker,
			atc.GetTeam,
			atc.SetTeam,
			atc.ListTeamBuilds,
			atc.RenameTeam,
			atc.DestroyTeam,
			atc.ListVolumes,
			atc.GetUser:
			guarded = auth.CheckAuthenticationHandler(handler, reject)

		// unauthenticated / delegating to handler (validate token if provided)
		// These routes are reachable without credentials, so whatever an
		// anonymous caller may see or trigger is decided by the handler.
		case atc.DownloadCLI,
			atc.CheckResourceWebHook,
			atc.GetInfo,
			atc.GetCheck,
			atc.ListTeams,
			atc.ListAllPipelines,
			atc.ListPipelines,
			atc.ListAllJobs,
			atc.ListAllResources,
			atc.ListBuilds,
			atc.MainJobBadge,
			atc.GetWall:
			guarded = auth.CheckAuthenticationIfProvidedHandler(handler, reject)

		// presumably admin-only, going by the wrapper's name; the original
		// carries no comment for this group
		case atc.GetLogLevel,
			atc.ListActiveUsersSince,
			atc.SetLogLevel,
			atc.GetInfoCreds,
			atc.SetWall,
			atc.ClearWall:
			guarded = auth.CheckAdminHandler(handler, reject)

		// authorized (requested team matches resource team)
		case atc.CheckResource,
			atc.CheckResourceType,
			atc.CreateJobBuild,
			atc.RerunJobBuild,
			atc.CreatePipelineBuild,
			atc.DeletePipeline,
			atc.DisableResourceVersion,
			atc.EnableResourceVersion,
			atc.PinResourceVersion,
			atc.UnpinResource,
			atc.SetPinCommentOnResource,
			atc.GetConfig,
			atc.GetCC,
			atc.GetVersionsDB,
			atc.ListJobInputs,
			atc.OrderPipelines,
			atc.PauseJob,
			atc.PausePipeline,
			atc.RenamePipeline,
			atc.UnpauseJob,
			atc.UnpausePipeline,
			atc.ExposePipeline,
			atc.HidePipeline,
			atc.SaveConfig,
			atc.ArchivePipeline,
			atc.ClearTaskCache,
			atc.CreateArtifact,
			atc.ScheduleJob,
			atc.GetArtifact:
			guarded = auth.CheckAuthorizationHandler(handler, reject)

		// Fail closed: a route nobody classified stops Wrap instead of
		// being passed through unguarded. think about it!
		default:
			panic("you missed a spot")
		}

		out[name] = guarded
	}

	return out
}