class Bosh::Director::PermissionAuthorizer

Public Class Methods

# File lib/bosh/director/permission_authorizer.rb, line 3
# @param uuid_provider [#uuid] object whose +uuid+ is interpolated into the
#   director-specific scope names (see director_permissions)
def initialize(uuid_provider)
  @uuid_provider = uuid_provider
end

Public Instance Methods

# File lib/bosh/director/permission_authorizer.rb, line 7
# Raises unless +user_scopes+ contains at least one scope that grants
# +permission+ on +subject+ (see is_granted?).
#
# The error message enumerates every scope that would have been accepted,
# so a rejected caller learns the full accepting set (including the
# director-UUID-qualified scopes and team names) if the message is
# surfaced to them.
#
# @param subject [Models::Deployment, Models::Task, :director]
# @param permission [Symbol]
# @param user_scopes [Array<String>] scopes carried by the caller's token
# @return [nil] when access is granted
# @raise [UnauthorizedToAccessDeployment] when no scope matches
# @raise [ArgumentError] propagated from list_expected_scope for an
#   unsupported subject/permission pair
def granted_or_raise(subject, permission, user_scopes)
  return if is_granted?(subject, permission, user_scopes)

  accepted = list_expected_scope(subject, permission, user_scopes)
  raise UnauthorizedToAccessDeployment, "Require one of the scopes: #{accepted.join(', ')}"
end
# File lib/bosh/director/permission_authorizer.rb, line 13
# Whether any of +user_scopes+ is in the accepting set for +permission+ on
# +subject+. Matching is exact string equality via Array#&; no wildcard or
# prefix matching is performed here.
#
# @param subject [Models::Deployment, Models::Task, :director]
# @param permission [Symbol]
# @param user_scopes [Array<String>] scopes carried by the caller's token
# @return [Boolean]
# @raise [ArgumentError] propagated from list_expected_scope
def is_granted?(subject, permission, user_scopes)
  accepted = list_expected_scope(subject, permission, user_scopes)
  overlap = intersect(user_scopes, accepted)
  !overlap.empty?
end
# File lib/bosh/director/permission_authorizer.rb, line 17
# Builds the list of scopes, any one of which grants +permission+ on
# +subject+.
#
# The director-wide admin scopes are always sufficient. Beyond that:
# - a Models::Deployment or Models::Task additionally accepts the admin
#   scope of each of its teams, and for :read the director-wide read scopes;
# - the :director subject accepts the director-wide read scopes for the
#   read-style permissions, and for :create_deployment (and the list/read
#   permissions) whichever +bosh.teams.<team>.admin+ scopes the caller
#   already holds.
#
# Note that team *read* scopes are never part of the accepting set; only
# team admin scopes are consulted.
#
# @param subject [Models::Deployment, Models::Task, :director]
# @param permission [Symbol]
# @param user_scopes [Array<String>] scopes carried by the caller's token;
#   only consulted for the :director subject
# @return [Array<String>] flat, de-duplicated list of accepting scopes, in
#   the order they were added
# @raise [ArgumentError] for an unknown subject, or a permission the subject
#   does not support
def list_expected_scope(subject, permission, user_scopes)
  accepted = director_permissions[:admin]

  if subject.instance_of?(Models::Deployment)
    accepted.concat(subject_team_scopes(subject, 'admin'))
    case permission
    when :admin
      # director admin scopes and the team admin scopes already cover this
    when :read
      accepted.concat(director_permissions[:read])
    else
      raise ArgumentError, "Unexpected permission for deployment: #{permission}"
    end
  elsif :director == subject
    case permission
    when :admin
      # director admin scopes already cover this
    when :create_deployment
      # any team admin scope the caller already holds is accepted here
      accepted.concat(add_bosh_admin_scopes(user_scopes))
    when :read_releases, :list_deployments, :read_stemcells, :list_tasks
      accepted.concat(director_permissions[:read])
      accepted.concat(add_bosh_admin_scopes(user_scopes))
    when :read
      accepted.concat(director_permissions[:read])
    else
      raise ArgumentError, "Unexpected permission for director: #{permission}"
    end
  elsif subject.instance_of?(Models::Task)
    accepted.concat(subject_team_scopes(subject, 'admin'))
    case permission
    when :admin
      # director admin scopes and the team admin scopes already cover this
    when :read
      accepted.concat(director_permissions[:read])
    else
      raise ArgumentError, "Unexpected permission for task: #{permission}"
    end
  else
    raise ArgumentError, "Unexpected subject: #{subject}"
  end

  accepted.flatten.uniq
end

Private Instance Methods

# File lib/bosh/director/permission_authorizer.rb, line 62
# Picks out of +user_scopes+ the scopes of the exact form
# +bosh.teams.<team>.admin+, where <team> contains no dot. The pattern is
# anchored with \A and \z so a scope such as "bosh.teams.x.admin.extra" is
# not accepted.
#
# @param user_scopes [Array<String>] scopes carried by the caller's token
# @return [Array<String>] the matching scopes, in their original order
def add_bosh_admin_scopes(user_scopes)
  team_admin = /\Abosh\.teams\.([^\.]*)\.admin\z/
  user_scopes.select { |scope| scope.match?(team_admin) }
end
# File lib/bosh/director/permission_authorizer.rb, line 68
# Director-wide scopes, both the generic form ("bosh.read" / "bosh.admin")
# and the form qualified by the UUID returned from @uuid_provider
# ("bosh.<uuid>.read" / "bosh.<uuid>.admin").
#
# A fresh Hash with fresh Arrays is built on every call, so callers may
# mutate the returned arrays (list_expected_scope does) without affecting
# later calls. @uuid_provider.uuid is queried once per entry.
#
# @return [Hash{Symbol => Array<String>}] keys :read and :admin, in that order
def director_permissions
  %i[read admin].each_with_object({}) do |level, perms|
    perms[level] = ["bosh.#{level}", "bosh.#{@uuid_provider.uuid}.#{level}"]
  end
end
# File lib/bosh/director/permission_authorizer.rb, line 80
# Elements common to both lists, in the order of +valid_scopes+, with
# duplicates removed (Array#& semantics).
#
# NOTE(review): the parameter names are the reverse of how is_granted?
# calls this — it passes the caller's token scopes first and the accepting
# set second. The result is the same set either way, only the order follows
# the first argument.
#
# @param valid_scopes [Array<String>]
# @param token_scopes [Array<String>]
# @return [Array<String>]
def intersect(valid_scopes, token_scopes)
  common = valid_scopes & token_scopes
  common
end
# File lib/bosh/director/permission_authorizer.rb, line 75
# One +bosh.teams.<team.name>.<permission>+ scope per team of +subject+.
#
# @param subject [#teams] object whose +teams+ is nil or a collection of
#   objects responding to +name+
# @param permission [String] suffix to append, e.g. 'admin'
# @return [Array<String>] empty when +subject.teams+ is nil
def subject_team_scopes(subject, permission)
  return [] if subject.teams.nil?

  subject.teams.map { |team| "bosh.teams.#{team.name}.#{permission}" }
end