refactor: only use permit to check project permissions (#1721)
* refactor: only use permit to check project permissions

We saw no errors in the last 24 hours nor any results different from our
old internal checks. So it is safe to switch fully to permit.

* refactor: return error
chesedo authored Apr 4, 2024
1 parent 4eda51f commit d155595
Showing 1 changed file with 14 additions and 33 deletions.
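--- a/gateway/src/auth.rs
+++ b/gateway/src/auth.rs
@@ -82,39 +82,20 @@ where
 
 let RouterState { service, .. } = RouterState::from_ref(state);
 
-let has_bypass = user.claim.is_admin() || user.claim.is_deployer();
-
-let allowed = has_bypass
-|| {
-let projects: Vec<_> = service.iter_user_projects(&user.id).await?.collect();
-let internal_allowed = projects.contains(&scope);
-
-let permit_allowed = service
-.permit_client
-.allowed(
-&user.id,
-&service.find_project_by_name(&scope).await?.id,
-"develop", // TODO?: make this configurable per endpoint?
-)
-.await
-.map_err(|_| {
-error!("failed to check Permit permission");
-// Error::from_kind(ErrorKind::Internal)
-})
-.unwrap_or_default();
-
-if internal_allowed != permit_allowed {
-error!(
-"PERMIT: Permissions for user {} project {} did not match internal permissions. Internal: {}, Permit: {}",
-user.id,
-scope,
-internal_allowed,
-permit_allowed
-);
-}
-
-internal_allowed
-};
+let allowed = user.claim.is_admin()
+|| user.claim.is_deployer()
+|| service
+.permit_client
+.allowed(
+&user.id,
+&service.find_project_by_name(&scope).await?.id,
+"develop", // TODO: make this configurable per endpoint?
+)
+.await
+.map_err(|_| {
+error!("failed to check Permit permission");
+Error::from_kind(ErrorKind::Internal)
+})?;
 
 if allowed {
 Ok(Self { user, scope })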
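Review bot: The `map_err(|_| …)` closure on the Permit call discards the client error and logs only a fixed string, so now that Permit is the sole authorization decision for users who are neither admin nor deployer, a failed check leaves no record of which user, which project, or why. The request still fails closed with `ErrorKind::Internal`, which is the right default; the gap is in what an operator can reconstruct afterwards. I would bind the error and log the identifiers the removed mismatch message already printed, e.g. `.map_err(|err| {` followed by `error!("failed to check Permit permission for user {} project {}: {:?}", user.id, scope, err);` (assuming the client error implements `Debug`). Separately, `find_project_by_name(&scope).await?` still runs before the permission decision, so if it returns a distinct not-found error, a caller without access may be able to tell existing project names from missing ones; that is worth confirming against the error mapping. The enclosing function starts and ends outside this hunk.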
