Class: Authz::GranularScope

Inherits:

ApplicationRecord

• Object
• ActiveRecord::Base
• ApplicationRecord
• Authz::GranularScope

Defined in:

app/models/authz/granular_scope.rb

Defined Under Namespace

Modules: Access

Constant Summary

COPYABLE_ATTRIBUTES =

%w[organization_id namespace_id permissions access].freeze

Constants inherited from ApplicationRecord

ApplicationRecord::MAX_PLUCK

Constants included from HasCheckConstraints

HasCheckConstraints::NOT_NULL_CHECK_PATTERN

Constants included from ResetOnColumnErrors

ResetOnColumnErrors::MAX_RESET_PERIOD

Class Method Summary

• .permitted_for_boundary?(boundary, permissions) ⇒ Boolean
• .token_permissions(boundary) ⇒ Object

Instance Method Summary

• #build_copy ⇒ Object

Methods inherited from ApplicationRecord

===, cached_column_list, #create_or_load_association, current_transaction, declarative_enum, default_select_columns, delete_all_returning, #deleted_from_database?, id_in, id_not_in, iid_in, nullable_column?, primary_key_in, #readable_by?, safe_ensure_unique, safe_find_or_create_by, safe_find_or_create_by!, #to_ability_name, underscore, where_exists, where_not_exists, with_fast_read_statement_timeout, without_order

Methods included from Organizations::Sharding

#sharding_organization

Methods included from ResetOnColumnErrors

#reset_on_union_error, #reset_on_unknown_attribute_error

Methods included from Gitlab::SensitiveSerializableHash

#serializable_hash

Class Method Details

.permitted_for_boundary?(boundary, permissions) ⇒ Boolean

Returns:

• (Boolean)

# File 'app/models/authz/granular_scope.rb', line 47

def self.permitted_for_boundary?(boundary, permissions)
  required_permissions = Array(permissions).map(&:to_sym)
  token_permissions = token_permissions(boundary)
  (required_permissions - token_permissions).empty?
end

.token_permissions(boundary) ⇒ Object

# File 'app/models/authz/granular_scope.rb', line 53

def self.token_permissions(boundary)
  scope = case boundary.access
          when Access::USER, Access::INSTANCE
            for_standalone(boundary.access)
          when Access::SELECTED_MEMBERSHIPS
            for_namespaces(boundary.namespace.self_and_ancestor_ids)
          end

  # rubocop:disable Database/AvoidUsingPluckWithoutLimit -- limited permissions, and not used with IN clause
  scope
    .pluck(Arel.sql('DISTINCT jsonb_array_elements_text(permissions)'))
    .flat_map { |p| ::Authz::PermissionGroups::Assignable.get(p)&.permissions }
    .compact.map(&:to_sym)
  # rubocop:enable Database/AvoidUsingPluckWithoutLimit
end

Instance Method Details

#build_copy ⇒ Object

# File 'app/models/authz/granular_scope.rb', line 69

def build_copy
  self.class.build(attributes.slice(*COPYABLE_ATTRIBUTES))
end