
     1  package wrappa
     2  
     3  import (
     4  	"github.com/pf-qiu/concourse/v6/atc"
     5  	"github.com/pf-qiu/concourse/v6/atc/api/auth"
     6  	"github.com/tedsuo/rata"
     7  )
     8  
// APIAuthWrappa wraps every API route handler with the authentication or
// authorization check that Wrap assigns to that route by name. The four
// factories below produce the route-specific checks (pipeline, build read,
// build write and worker-team access); the remaining checks come directly
// from the auth package.
type APIAuthWrappa struct {
	// checkPipelineAccessHandlerFactory guards routes that read a pipeline
	// (public or team-authorized).
	checkPipelineAccessHandlerFactory   auth.CheckPipelineAccessHandlerFactory
	// checkBuildReadAccessHandlerFactory guards routes that read a build.
	checkBuildReadAccessHandlerFactory  auth.CheckBuildReadAccessHandlerFactory
	// checkBuildWriteAccessHandlerFactory guards routes that mutate a build.
	checkBuildWriteAccessHandlerFactory auth.CheckBuildWriteAccessHandlerFactory
	// checkWorkerTeamAccessHandlerFactory guards worker-scoped routes.
	checkWorkerTeamAccessHandlerFactory auth.CheckWorkerTeamAccessHandlerFactory
}
    15  
// NewAPIAuthWrappa builds an APIAuthWrappa from the four access-check handler
// factories that Wrap dispatches to by route name. The factories are stored
// as given; nil-ness is not validated here.
func NewAPIAuthWrappa(
	checkPipelineAccessHandlerFactory auth.CheckPipelineAccessHandlerFactory,
	checkBuildReadAccessHandlerFactory auth.CheckBuildReadAccessHandlerFactory,
	checkBuildWriteAccessHandlerFactory auth.CheckBuildWriteAccessHandlerFactory,
	checkWorkerTeamAccessHandlerFactory auth.CheckWorkerTeamAccessHandlerFactory,
) *APIAuthWrappa {
	w := new(APIAuthWrappa)
	w.checkPipelineAccessHandlerFactory = checkPipelineAccessHandlerFactory
	w.checkBuildReadAccessHandlerFactory = checkBuildReadAccessHandlerFactory
	w.checkBuildWriteAccessHandlerFactory = checkBuildWriteAccessHandlerFactory
	w.checkWorkerTeamAccessHandlerFactory = checkWorkerTeamAccessHandlerFactory
	return w
}
    29  
// Wrap returns a new rata.Handlers in which every route from handlers is
// wrapped with the access check assigned to that route name below. The input
// map is not modified.
//
// Every route must appear in exactly one case: the default branch panics on
// an unknown route name, so a newly added endpoint that has not been given a
// policy is caught when the router is assembled rather than being served
// without any check.
func (wrappa *APIAuthWrappa) Wrap(handlers rata.Handlers) rata.Handlers {
	rejector := auth.UnauthorizedRejector{}
	wrapped := make(rata.Handlers, len(handlers))

	for route, h := range handlers {
		switch route {
		// admin only
		case atc.GetLogLevel,
			atc.ListActiveUsersSince,
			atc.SetLogLevel,
			atc.GetInfoCreds,
			atc.SetWall,
			atc.ClearWall:
			wrapped[route] = auth.CheckAdminHandler(h, rejector)

		// authenticated (any logged-in principal)
		case atc.CreateBuild,
			atc.GetContainer,
			atc.HijackContainer,
			atc.ListContainers,
			atc.ListWorkers,
			atc.RegisterWorker,
			atc.HeartbeatWorker,
			atc.DeleteWorker,
			atc.GetTeam,
			atc.SetTeam,
			atc.ListTeamBuilds,
			atc.RenameTeam,
			atc.DestroyTeam,
			atc.ListVolumes,
			atc.GetUser:
			wrapped[route] = auth.CheckAuthenticationHandler(h, rejector)

		// unauthenticated allowed; a token, if present, is still validated
		case atc.DownloadCLI,
			atc.CheckResourceWebHook,
			atc.GetInfo,
			atc.ListTeams,
			atc.ListAllPipelines,
			atc.ListPipelines,
			atc.ListAllJobs,
			atc.ListAllResources,
			atc.ListBuilds,
			atc.MainJobBadge,
			atc.GetWall:
			wrapped[route] = auth.CheckAuthenticationIfProvidedHandler(h, rejector)

		// authorized: requester's team must match the resource's team
		case atc.CheckResource,
			atc.CheckResourceType,
			atc.CreateJobBuild,
			atc.RerunJobBuild,
			atc.CreatePipelineBuild,
			atc.DeletePipeline,
			atc.DisableResourceVersion,
			atc.EnableResourceVersion,
			atc.PinResourceVersion,
			atc.UnpinResource,
			atc.SetPinCommentOnResource,
			atc.GetConfig,
			atc.GetCC,
			atc.GetVersionsDB,
			atc.ListJobInputs,
			atc.OrderPipelines,
			atc.PauseJob,
			atc.PausePipeline,
			atc.RenamePipeline,
			atc.UnpauseJob,
			atc.UnpausePipeline,
			atc.ExposePipeline,
			atc.HidePipeline,
			atc.SaveConfig,
			atc.ArchivePipeline,
			atc.ClearTaskCache,
			atc.CreateArtifact,
			atc.ScheduleJob,
			atc.GetArtifact:
			wrapped[route] = auth.CheckAuthorizationHandler(h, rejector)

		// pipeline is public or the requester is authorized for its team
		case atc.GetPipeline,
			atc.GetJobBuild,
			atc.PipelineBadge,
			atc.JobBadge,
			atc.ListJobs,
			atc.GetJob,
			atc.ListJobBuilds,
			atc.ListPipelineBuilds,
			atc.GetResource,
			atc.ListBuildsWithVersionAsInput,
			atc.ListBuildsWithVersionAsOutput,
			atc.GetResourceCausality,
			atc.GetResourceVersion,
			atc.ListResources,
			atc.ListResourceTypes,
			atc.ListResourceVersions:
			wrapped[route] = wrappa.checkPipelineAccessHandlerFactory.HandlerFor(h, rejector)

		// build read access, any job (pipeline public or authorized)
		case atc.GetBuild,
			atc.BuildResources:
			wrapped[route] = wrappa.checkBuildReadAccessHandlerFactory.AnyJobHandler(h, rejector)

		// build read access with the private-job check (pipeline and job
		// public or authorized)
		case atc.GetBuildPreparation,
			atc.BuildEvents,
			atc.GetBuildPlan,
			atc.ListBuildArtifacts:
			wrapped[route] = wrappa.checkBuildReadAccessHandlerFactory.CheckIfPrivateJobHandler(h, rejector)

		// build write access
		case atc.AbortBuild:
			wrapped[route] = wrappa.checkBuildWriteAccessHandlerFactory.HandlerFor(h, rejector)

		// worker-team access: system, admin team, or the team owning the worker
		case atc.PruneWorker,
			atc.LandWorker,
			atc.RetireWorker,
			atc.ListDestroyingVolumes,
			atc.ListDestroyingContainers,
			atc.ReportWorkerContainers,
			atc.ReportWorkerVolumes:
			wrapped[route] = wrappa.checkWorkerTeamAccessHandlerFactory.HandlerFor(h, rejector)

		// fail closed: a route with no policy must not be served unchecked
		default:
			panic("you missed a spot")
		}
	}

	return wrapped
}