async authorize()

in components/vam-api/packages/vam-services/lib/appstream/appstream-authz-service.js [50:92]


  /**
   * Decides whether the caller may perform an AppStream `action`.
   *
   * Evaluation order:
   *  1. A missing (falsy) action is converted into a deny.
   *  2. A deny already carried in `effect` (e.g. from a previous authorization plugin) is
   *     returned without running any further check.
   *  3. The caller must pass `allowIfActive`, regardless of the action.
   *  4. The action is routed to its check; an action not listed in the switch is denied.
   *
   * An incoming `effect` for which `isDeny` is false is not treated as approval: steps 3 and 4
   * still run and their result is what gets returned.
   *
   * @param {object} requestContext - request context, handed to every check
   * @param {object} permission - `{ resource, action, effect, reason }` accumulated so far
   * @param {...*} args - extra arguments forwarded unchanged to the group-based checks
   * @returns {Promise<object>} `{ resource, action, effect, reason }` on the early deny path,
   *   otherwise whatever the deciding helper returns (its shape is not visible in this method)
   */
  async authorize(requestContext, { resource, action, effect, reason }, ...args) {
    if (!action) {
      // No action supplied: overwrite effect/reason with a deny so the check below returns it.
      ({ effect, reason } = deny(`Invalid action '${action}'`));
    }

    // Short-circuit on a deny, whether produced just above or by an earlier plugin.
    if (isDeny({ effect })) {
      return { resource, action, effect, reason };
    }

    // Baseline gate applied to every action before any action-specific rule.
    const activeCheck = await allowIfActive(requestContext, { action });
    if (isDeny(activeCheck)) {
      return activeCheck;
    }

    // Each group of actions maps to exactly one check. Adding a new action constant without
    // adding it here leaves it denied by the default branch (fail closed).
    switch (action) {
      // Decided by allowIfNotGuest.
      case AppstreamAuthzService.LIST_APPLICATIONS:
      case AppstreamAuthzService.LIST_IMAGE_BUILDERS:
      case AppstreamAuthzService.LIST_FLEETS:
      case AppstreamAuthzService.LIST_DYNAMIC_CATALOGS:
      case AppstreamAuthzService.GET_FLEET:
        return allowIfNotGuest(requestContext, { action });

      // Decided by allowIfPoweruserOrAdmin.
      case AppstreamAuthzService.SHARE_IMAGE:
      case AppstreamAuthzService.REVOKE_IMAGE_SHARING:
      case AppstreamAuthzService.CREATE_FLEET:
      case AppstreamAuthzService.SWAP_IMAGE:
        return allowIfPoweruserOrAdmin(requestContext, { action });

      // Decided by this.allowPowerusersAndGroupMembers, which also receives ...args.
      // NOTE(review): how that method treats missing or unexpected args is not visible here;
      // confirm it denies rather than allows in that case.
      case AppstreamAuthzService.START_FLEET:
      case AppstreamAuthzService.STOP_FLEET:
      case AppstreamAuthzService.DELETE_FLEET:
      case AppstreamAuthzService.GET_FLEET_LINK:
      case AppstreamAuthzService.CREATE_DYNAMIC_CATALOG:
      case AppstreamAuthzService.DELETE_DYNAMIC_CATALOG:
        return this.allowPowerusersAndGroupMembers(requestContext, { action }, ...args);

      // Decided by this.allowPowerusersAndGroupMembersForGroups, which also receives ...args.
      case AppstreamAuthzService.GRANT_ACCESS_TO_GROUP:
      case AppstreamAuthzService.REVOKE_ACCESS_TO_GROUP:
        return this.allowPowerusersAndGroupMembersForGroups(requestContext, { action }, ...args);

      // Decided by allowIfAdmin.
      // NOTE(review): LIST_IMAGES is in this group while the other LIST_* actions are decided
      // by allowIfNotGuest; confirm the difference is intended.
      case AppstreamAuthzService.CREATE_IMAGE:
      case AppstreamAuthzService.LIST_IMAGES:
      case AppstreamAuthzService.DELETE_IMAGE:
        return allowIfAdmin(requestContext, { action });

      // Anything not explicitly listed above is refused.
      default:
        return deny(`Unknown action: ${action}`);
    }
  }