-
Notifications
You must be signed in to change notification settings - Fork 0
/
introspection.go
75 lines (64 loc) · 1.55 KB
/
introspection.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
// Copyright 2017 Canonical Ltd.
// Licensed under the AGPLv3, see LICENCE file for details.
package apiserver
import (
"net/http"
"github.com/juju/names/v4"
"github.com/juju/juju/apiserver/common"
"github.com/juju/juju/core/permission"
"github.com/juju/juju/rpc/params"
)
// introspectionHandler is an http.Handler that wraps an http.Handler
// from the worker/introspection package, adding authentication.
type introspectionHandler struct {
ctx httpContext
handler http.Handler
}
// ServeHTTP is part of the http.Handler interface.
func (h introspectionHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
if err := h.checkAuth(r); err != nil {
if err := sendError(w, err); err != nil {
logger.Debugf("%v", err)
}
return
}
h.handler.ServeHTTP(w, r)
}
func (h introspectionHandler) checkAuth(r *http.Request) error {
st, entity, err := h.ctx.stateAndEntityForRequestAuthenticatedUser(r)
if err != nil {
return err
}
defer st.Release()
// Users with "superuser" access on the controller,
// or "read" access on the controller model, can
// access these endpoints.
ok, err := common.HasPermission(
st.UserPermission,
entity.Tag(),
permission.SuperuserAccess,
st.ControllerTag(),
)
if err != nil {
return err
}
if ok {
return nil
}
ok, err = common.HasPermission(
st.UserPermission,
entity.Tag(),
permission.ReadAccess,
names.NewModelTag(st.ControllerModelUUID()),
)
if err != nil {
return err
}
if ok {
return nil
}
return ¶ms.Error{
Code: params.CodeForbidden,
Message: "access denied",
}
}