in hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeGraphAuthProxy.java [957:1015]
private <V> V verifyResPermission(HugePermission actionPerm,
boolean throwIfNoPerm,
Supplier<ResourceObject<V>> fetcher,
Supplier<Boolean> checker) {
// TODO: call verifyPermission() before actual action
Context context = getContext();
E.checkState(context != null,
"Missing authentication context " +
"when verifying resource permission");
String username = context.user().username();
Object role = context.user().role();
ResourceObject<V> ro = fetcher.get();
String action = actionPerm.string();
if (LOG.isDebugEnabled()) {
LOG.debug("Verify permission {} {} for user '{}' with role {}",
action, ro, username, role);
}
V result = ro.operated();
// Verify role permission
if (!RolePerm.match(role, actionPerm, ro)) {
result = null;
}
// Verify permission for one access another, like: granted <= user role
else if (ro.type().isGrantOrUser()) {
AuthElement element = (AuthElement) ro.operated();
RolePermission grant = this.hugegraph.authManager()
.rolePermission(element);
if (!RolePerm.match(role, grant, ro)) {
result = null;
}
}
// Check resource detail if needed
if (result != null && checker != null && !checker.get()) {
result = null;
}
// Log user action, limit rate for each user
Id usrId = context.user().userId();
RateLimiter auditLimiter = this.auditLimiters.getOrFetch(usrId, id -> {
return RateLimiter.create(this.auditLogMaxRate);
});
if (!(actionPerm == HugePermission.READ && ro.type().isSchema()) &&
auditLimiter.tryAcquire()) {
String status = result == null ? "denied" : "allowed";
LOG.info("User '{}' is {} to {} {}", username, status, action, ro);
}
// result = null means no permission, throw if needed
if (result == null && throwIfNoPerm) {
String error = String.format("Permission denied: %s %s",
action, ro);
throw new ForbiddenException(error);
}
return result;
}