in server/datasource/auth/decision.go [30:63]
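// Allow decides whether the roles in roleList may perform targetResource.Verb
// on targetResource.Type, and returns the permission labels that apply to the
// decision.
//
// It returns:
//   - (nil, nil) when the action is allowed and the matching permissions carry
//     no labels, so label filtering does not apply;
//   - the full permission label list when the target resource itself has no
//     labels to match against;
//   - the subset of permission labels that match targetResource.Labels otherwise.
//
// An rbacmodel.ErrNoPermission error is returned when the roles grant nothing,
// when no permission covers Type/Verb, or when none of the permission labels
// match the target's labels. Errors from getPermsByRoles are logged and
// returned unchanged. A nil targetResource is rejected with an error rather
// than dereferenced, so the decision fails closed instead of panicking.
func Allow(ctx context.Context, roleList []string, targetResource *ResourceScope) ([]map[string]string, error) {
	//TODO check project
	// Fail closed on a missing scope: every later step reads targetResource.
	if targetResource == nil {
		return nil, fmt.Errorf("allow: target resource is nil")
	}
	allPerms, err := getPermsByRoles(ctx, roleList)
	if err != nil {
		openlog.Error("get role list errors", openlog.WithErr(err))
		return nil, err
	}
	if len(allPerms) == 0 {
		openlog.Warn("role list has no any permissions")
		return nil, rbacmodel.NewError(rbacmodel.ErrNoPermission, "role has no any permissions")
	}
	allow, labelList := GetLabel(allPerms, targetResource.Type, targetResource.Verb)
	if !allow {
		return nil, rbacmodel.NewError(rbacmodel.ErrNoPermission,
			fmt.Sprintf("role has no permissions[%s:%s]", targetResource.Type, targetResource.Verb))
	}
	// allow, but no label found, means we can ignore the labels
	if len(labelList) == 0 {
		return nil, nil
	}
	// target resource needs no label, return without filter
	if len(targetResource.Labels) == 0 {
		return labelList, nil
	}
	// allow, and labels found, filter the labels
	filteredLabelList := FilterLabel(targetResource.Labels, labelList)
	// target resource label matches no label in permission, means not allow
	if len(filteredLabelList) == 0 {
		return nil, rbacmodel.NewError(rbacmodel.ErrNoPermission,
			fmt.Sprintf("role has no permissions[%s:%s] for labels %v",
				targetResource.Type, targetResource.Verb, targetResource.Labels))
	}
	return filteredLabelList, nil
}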