forked from sourcegraph/sourcegraph-public-snapshot
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathauthz.go
More file actions
82 lines (73 loc) · 3.45 KB
/
authz.go
File metadata and controls
82 lines (73 loc) · 3.45 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
package database
import (
"context"
"github.com/sourcegraph/sourcegraph/internal/authz"
"github.com/sourcegraph/sourcegraph/internal/database/basestore"
"github.com/sourcegraph/sourcegraph/internal/extsvc"
"github.com/sourcegraph/sourcegraph/internal/types"
)
// GrantPendingPermissionsArgs contains required arguments to grant pending permissions for a user
// by username or verified email address(es) according to the site configuration.
type GrantPendingPermissionsArgs struct {
// The user ID that will be used to bind pending permissions.
UserID int32
// The permission level to be granted.
Perm authz.Perms
// The type of permissions to be granted.
Type authz.PermType
}
// AuthorizedReposArgs contains required arguments to verify if a user is authorized to access some
// or all of the repositories from the candidate list with the given level and type of permissions.
type AuthorizedReposArgs struct {
// The candidate list of repositories to be verified.
Repos []*types.Repo
// The user whose authorization to access the repos is being checked.
UserID int32
// The permission level to be verified.
Perm authz.Perms
// The type of permissions to be verified.
Type authz.PermType
}
// RevokeUserPermissionsArgs contains required arguments to revoke user permissions, it includes all
// possible leads to grant or authorize access for a user.
type RevokeUserPermissionsArgs struct {
// The user ID that will be used to revoke effective permissions.
UserID int32
// The list of external accounts related to the user. This is list because a user could have
// multiple external accounts, including ones from code hosts and/or Sourcegraph authz provider.
Accounts []*extsvc.Accounts
}
// AuthzStore contains methods for manipulating user permissions.
type AuthzStore interface {
// GrantPendingPermissions grants pending permissions for a user. It is a no-op in the OSS version.
GrantPendingPermissions(ctx context.Context, args *GrantPendingPermissionsArgs) error
// AuthorizedRepos checks if a user is authorized to access repositories in the candidate list.
// The returned list must be a list of repositories that are authorized to the given user.
// It is a no-op in the OSS version.
AuthorizedRepos(ctx context.Context, args *AuthorizedReposArgs) ([]*types.Repo, error)
// RevokeUserPermissions deletes both effective and pending permissions that could be related to a user.
// It is a no-op in the OSS version.
RevokeUserPermissions(ctx context.Context, args *RevokeUserPermissionsArgs) error
// Bulk "RevokeUserPermissions" action.
RevokeUserPermissionsList(ctx context.Context, argsList []*RevokeUserPermissionsArgs) error
}
// AuthzWith instantiates and returns a new AuthzStore using the other store
// handle. In the OSS version, this is a no-op AuthzStore, but this constructor
// is overridden in enterprise versions.
var AuthzWith = func(other basestore.ShareableStore) AuthzStore {
return &authzStore{}
}
// authzStore is a no-op placeholder for the OSS version.
type authzStore struct{}
func (*authzStore) GrantPendingPermissions(_ context.Context, _ *GrantPendingPermissionsArgs) error {
return nil
}
func (*authzStore) AuthorizedRepos(_ context.Context, _ *AuthorizedReposArgs) ([]*types.Repo, error) {
return []*types.Repo{}, nil
}
func (*authzStore) RevokeUserPermissions(_ context.Context, _ *RevokeUserPermissionsArgs) error {
return nil
}
func (*authzStore) RevokeUserPermissionsList(_ context.Context, _ []*RevokeUserPermissionsArgs) error {
return nil
}