use of com.netflix.spinnaker.fiat.model.resources.Account in project fiat by spinnaker.
the class FiatPermissionEvaluator method permissionContains.
private boolean permissionContains(UserPermission.View permission, String resourceName, ResourceType resourceType, Authorization authorization) {
if (permission == null) {
return false;
}
if (permission.isAdmin()) {
// grant access regardless of whether an explicit permission to the resource exists
return true;
}
Function<Set<? extends Authorizable>, Boolean> containsAuth = resources -> resources.stream().anyMatch(view -> {
Set<Authorization> authorizations = Optional.ofNullable(view.getAuthorizations()).orElse(Collections.emptySet());
return view.getName().equalsIgnoreCase(resourceName) && authorizations.contains(authorization);
});
if (resourceType.equals(ResourceType.ACCOUNT)) {
boolean authorized = containsAuth.apply(permission.getAccounts());
// Todo(jonsie): Debug transitory access denied issue, remove when not necessary
if (!authorized) {
Map<String, Set<Authorization>> accounts = permission.getAccounts().stream().collect(Collectors.toMap(Account.View::getName, Account.View::getAuthorizations));
log.debug("Authorization={} denied to account={} for user permission={}, found={}", authorization.toString(), resourceName, permission.getName(), accounts.toString());
}
return authorized;
} else if (resourceType.equals(ResourceType.APPLICATION)) {
boolean applicationHasPermissions = permission.getApplications().stream().anyMatch(a -> a.getName().equalsIgnoreCase(resourceName));
if (!applicationHasPermissions && permission.isAllowAccessToUnknownApplications()) {
// allow access to any applications w/o explicit permissions
return true;
}
return permission.isLegacyFallback() || containsAuth.apply(permission.getApplications());
} else if (resourceType.equals(ResourceType.SERVICE_ACCOUNT)) {
return permission.getServiceAccounts().stream().anyMatch(view -> view.getName().equalsIgnoreCase(resourceName));
} else if (resourceType.equals(ResourceType.BUILD_SERVICE)) {
return permission.isLegacyFallback() || containsAuth.apply(permission.getBuildServices());
} else if (permission.getExtensionResources() != null && permission.getExtensionResources().containsKey(resourceType)) {
val extensionResources = permission.getExtensionResources().get(resourceType);
return permission.isLegacyFallback() || containsAuth.apply(extensionResources);
} else {
return false;
}
}
Aggregations