Class: Bosh::Director::PermissionAuthorizer

Defined in:
lib/bosh/director/permission_authorizer.rb


Constructor Details

#initialize(uuid_provider) ⇒ PermissionAuthorizer

Returns a new instance of PermissionAuthorizer that stores the given uuid_provider in @uuid_provider.



# File 'lib/bosh/director/permission_authorizer.rb', line 3

# Create an authorizer bound to a director UUID source.
#
# The provider is only stored here; which helper reads it (presumably the
# one that builds the director-specific scope names) is not visible in this
# listing.
#
# @param uuid_provider [Object] object supplying the director UUID
# @return [PermissionAuthorizer]
def initialize(uuid_provider)
  @uuid_provider = uuid_provider
end

Instance Method Details

#granted_or_raise(subject, permission, user_scopes) ⇒ Object



# File 'lib/bosh/director/permission_authorizer.rb', line 7

# Enforce +permission+ on +subject+ for a caller holding +user_scopes+.
#
# The decision itself is made by #is_granted?; on denial this raises
# UnauthorizedToAccessDeployment whose message lists every scope that would
# have been accepted. The same exception class is raised for all subject
# kinds (deployment, :director, task), so callers must not infer the subject
# from the exception type.
#
# NOTE(review): the message enumerates the accepted scope names, including
# any team scopes derived from the subject; confirm that disclosing those
# names to an unauthorized caller is acceptable.
#
# @param subject [Models::Deployment, Models::Task, Symbol] resource being accessed
# @param permission [Symbol] action requested (see #list_expected_scope)
# @param user_scopes [Array<String>] scopes the caller holds
# @return [nil] when access is granted
# @raise [UnauthorizedToAccessDeployment] when none of the caller's scopes match
# @raise [ArgumentError] for an unknown subject/permission pair
#   (propagated from #list_expected_scope)
def granted_or_raise(subject, permission, user_scopes)
  return if is_granted?(subject, permission, user_scopes)

  accepted = list_expected_scope(subject, permission, user_scopes).join(', ')
  raise UnauthorizedToAccessDeployment, "Require one of the scopes: #{accepted}"
end

#is_granted?(subject, permission, user_scopes) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/bosh/director/permission_authorizer.rb', line 13

# Whether +user_scopes+ satisfies +permission+ on +subject+.
#
# Access is granted when at least one of the caller's scopes appears in the
# list produced by #list_expected_scope — a single matching scope is enough.
# The comparison is delegated to #intersect (not shown in this listing;
# presumably exact string equality — verify, since any looser matching
# would widen access).
#
# @param subject [Models::Deployment, Models::Task, Symbol] resource being accessed
# @param permission [Symbol] action requested
# @param user_scopes [Array<String>] scopes the caller holds
# @return [Boolean] true if any accepted scope is present
# @raise [ArgumentError] propagated from #list_expected_scope for an
#   unknown subject/permission pair
def is_granted?(subject, permission, user_scopes)
  expected = list_expected_scope(subject, permission, user_scopes)
  matching = intersect(user_scopes, expected)
  !matching.empty?
end

#list_expected_scope(subject, permission, user_scopes) ⇒ Object



# File 'lib/bosh/director/permission_authorizer.rb', line 17

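# Build the list of scopes, any one of which grants +permission+ on +subject+.
#
# Director admin scopes are always accepted. Beyond that, the accepted set
# depends on the subject kind:
# - Models::Deployment / Models::Task: the subject's team admin scopes
#   (via #subject_team_scopes), plus director read scopes for :read.
# - :director: director read scopes for the read-only permissions, and for
#   :create_deployment and the listing permissions whatever
#   #add_bosh_admin_scopes derives from the caller's own scopes (presumably
#   the team-admin scopes the caller already holds — not visible here).
# An unknown subject or permission raises ArgumentError, so an unrecognised
# request is rejected rather than silently granted.
#
# The subject kind is tested with instance_of? deliberately: a subclass of
# Deployment/Task is not matched and falls through to the ArgumentError.
#
# Fix: the admin scopes are copied before being appended to. Previously the
# array returned by director_permissions was mutated in place with <<; if
# that helper ever returns a shared or memoized array, scopes from one call
# would leak into every later one (e.g. read scopes appearing in the admin
# list), which is a privilege-escalation bug.
#
# @param subject [Models::Deployment, Models::Task, Symbol] resource being accessed
# @param permission [Symbol] action requested
# @param user_scopes [Array<String>] the caller's scopes; only consulted for
#   the director permissions that derive scopes from the caller
# @return [Array<String>] flattened, de-duplicated list of accepted scopes
# @raise [ArgumentError] for an unknown subject or permission
def list_expected_scope(subject, permission, user_scopes)
  perms = director_permissions
  # dup so appending below never mutates the helper's own array
  expected_scope = perms[:admin].dup

  if subject.instance_of?(Models::Deployment)
    expected_scope << subject_team_scopes(subject, 'admin')
    case permission
    when :admin then nil # director/team admin scopes already present
    when :read  then expected_scope << perms[:read]
    else raise ArgumentError, "Unexpected permission for deployment: #{permission}"
    end
  elsif :director == subject
    case permission
    when :admin then nil # director admin scopes already present
    when :create_deployment
      expected_scope << add_bosh_admin_scopes(user_scopes)
    when :read_releases, :list_deployments, :read_stemcells, :list_tasks
      expected_scope << perms[:read]
      expected_scope << add_bosh_admin_scopes(user_scopes)
    when :read
      expected_scope << perms[:read]
    else
      raise ArgumentError, "Unexpected permission for director: #{permission}"
    end
  elsif subject.instance_of?(Models::Task)
    expected_scope << subject_team_scopes(subject, 'admin')
    case permission
    when :admin then nil # director/team admin scopes already present
    when :read  then expected_scope << perms[:read]
    else raise ArgumentError, "Unexpected permission for task: #{permission}"
    end
  else
    raise ArgumentError, "Unexpected subject: #{subject}"
  end

  # helpers may return arrays; flatten them and drop duplicates
  expected_scope.flatten.uniq
end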