-
Notifications
You must be signed in to change notification settings - Fork 262
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(sdf): Protect Admin Routes behind a new Administer role
We have an admin page controlled by a feature flag. We locked the API endpoints down to be those with systeminit.com emails, but we want to take advantage of spicedb to make this work correctly Even if a user gets to the WorkspaceAdmin page, we have locked down all of the API endpoints for them based on a new role in spicedb This role will be manually granted and can be done so using the following Zed cli command: ``` zed relationship create system:system admin administer:<user_pk> ``` This will be granted by TechOps on the SystemInitiative users that need access to it so that it can be tracked correctly
- Loading branch information
Showing
5 changed files
with
115 additions
and
5 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,5 @@ | ||
mod system_permission; | ||
mod workspace_permission; | ||
|
||
pub use self::system_permission::{SystemPermission, SystemPermissionLayer}; | ||
pub use self::workspace_permission::{WorkspacePermission, WorkspacePermissionLayer}; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,96 @@ | ||
use std::task::{Context, Poll}; | ||
|
||
use axum::{ | ||
body::Body, | ||
extract::FromRequestParts, | ||
http::Request, | ||
response::{IntoResponse, Response}, | ||
}; | ||
use futures::future::BoxFuture; | ||
use permissions::{Permission, PermissionBuilder}; | ||
use tower::{Layer, Service}; | ||
|
||
use crate::{ | ||
extract::{self, Authorization}, | ||
AppState, | ||
}; | ||
|
||
#[derive(Clone)] | ||
pub struct SystemPermissionLayer { | ||
state: AppState, | ||
permission: Permission, | ||
} | ||
|
||
impl SystemPermissionLayer { | ||
pub fn new(state: AppState, permission: Permission) -> Self { | ||
Self { state, permission } | ||
} | ||
} | ||
|
||
impl<S> Layer<S> for SystemPermissionLayer { | ||
type Service = SystemPermission<S>; | ||
|
||
fn layer(&self, inner: S) -> Self::Service { | ||
SystemPermission { | ||
inner, | ||
state: self.state.clone(), | ||
permission: self.permission, | ||
} | ||
} | ||
} | ||
|
||
#[derive(Clone)] | ||
pub struct SystemPermission<S> { | ||
inner: S, | ||
state: AppState, | ||
permission: Permission, | ||
} | ||
|
||
impl<S> Service<Request<Body>> for SystemPermission<S> | ||
where | ||
S: Service<Request<Body>, Response = Response> + Clone + Send + 'static, | ||
S::Future: Send + 'static, | ||
{ | ||
type Response = S::Response; | ||
type Error = S::Error; | ||
type Future = BoxFuture<'static, Result<Self::Response, Self::Error>>; | ||
|
||
fn poll_ready(&mut self, cx: &mut Context<'_>) -> Poll<Result<(), Self::Error>> { | ||
self.inner.poll_ready(cx) | ||
} | ||
|
||
fn call(&mut self, req: Request<Body>) -> Self::Future { | ||
let mut me = self.clone(); | ||
|
||
Box::pin(async move { | ||
let (mut parts, body) = req.into_parts(); | ||
|
||
let Authorization(claim) = | ||
match Authorization::from_request_parts(&mut parts, &me.state).await { | ||
Ok(claim) => claim, | ||
Err(err) => return Ok(err.into_response()), | ||
}; | ||
|
||
if let Some(client) = me.state.spicedb_client() { | ||
let is_allowed = match PermissionBuilder::new() | ||
.system_object() | ||
.permission(me.permission) | ||
.user_subject(claim.user_pk.into()) | ||
.has_permission(client) | ||
.await | ||
{ | ||
Ok(is_allowed) => is_allowed, | ||
Err(_) => return Ok(extract::unauthorized_error().into_response()), | ||
}; | ||
if !is_allowed { | ||
return Ok(extract::unauthorized_error().into_response()); | ||
} | ||
} | ||
|
||
let req = Request::from_parts(parts, body); | ||
|
||
let response = me.inner.call(req).await?; | ||
Ok(response) | ||
}) | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters