

temp: Split out protos, hierarchy utils
kiosion committed Oct 24, 2024
1 parent 3b03ada commit 92d0e25
Showing 5 changed files with 479 additions and 167 deletions.
10 changes: 5 additions & 5 deletions lib/auth/access_request_test.go
Expand Up @@ -1637,17 +1637,17 @@ func TestUpdateAccessRequestWithAdditionalReviewers(t *testing.T) {
name: "with ownership through nested list",
req: mustRequest("rev1"),
accessLists: []*accesslist.AccessList{
mustAccessList("nested1", "owner1"),
mustAccessListWithMembershipKind(
"root",
"nested",
testAccessListOwner{"owner1", accesslist.MembershipKindUser},
testAccessListOwner{"nested", accesslist.MembershipKindList},
testAccessListOwner{"nested1", accesslist.MembershipKindList},
),
mustAccessListWithMembershipKind(
"nested",
"root",
testAccessListOwner{"owner1", accesslist.MembershipKindUser},
testAccessListOwner{"nested1", accesslist.MembershipKindList},
testAccessListOwner{"nested", accesslist.MembershipKindList},
),
mustAccessList("nested1", "owner1"),
},
accessListMembers: []struct {
Header header.Metadata
22 changes: 10 additions & 12 deletions lib/auth/userloginstate/generator.go
Expand Up @@ -177,22 +177,16 @@ func (g *Generator) addAccessListsToState(ctx context.Context, user types.User,
return nil, nil, trace.Wrap(err)
}

accessListHierarchy, err := accesslists.NewHierarchy(ctx, accesslists.HierarchyConfig{
AccessLists: accessLists,
Locks: g.accessLists,
Members: g.accessLists,
Clock: g.clock,
})
if err != nil {
return nil, nil, trace.Wrap(err)
}

var allInheritedRoles []string
allInheritedTraits := make(map[string][]string)

for _, accessList := range accessLists {
// Grants are inherited if the user is a member of the access list, explicitly or via inheritance.
if membershipKind, err := accessListHierarchy.IsAccessListMember(ctx, user, accessList.GetName()); err == nil && membershipKind != accesslists.MembershipOrOwnershipTypeNone {
membershipKind, err := accesslists.IsAccessListMember(ctx, user, accessList, g.accessLists, g.accessLists, g.clock)
if err != nil {
g.log.WithError(err).Warn("checking access list membership")
}
if membershipKind != accesslists.MembershipOrOwnershipTypeNone {
g.grantRolesAndTraits(accessList.Spec.Grants, state)
if membershipKind == accesslists.MembershipOrOwnershipTypeInherited {
allInheritedRoles = append(allInheritedRoles, accessList.Spec.Grants.Roles...)
Expand All @@ -202,7 +196,11 @@ func (g *Generator) addAccessListsToState(ctx context.Context, user types.User,
}
}
// OwnerGrants are inherited if the user is an owner of the access list, explicitly or via inheritance.
if ownershipType, err := accessListHierarchy.IsAccessListOwner(ctx, user, accessList.GetName()); err == nil && ownershipType != accesslists.MembershipOrOwnershipTypeNone {
ownershipType, err := accesslists.IsAccessListOwner(ctx, user, accessList, g.accessLists, g.accessLists, g.clock)
if err != nil {
g.log.WithError(err).Warn("checking access list ownership")
}
if ownershipType != accesslists.MembershipOrOwnershipTypeNone {
g.grantRolesAndTraits(accessList.Spec.OwnerGrants, state)
if ownershipType == accesslists.MembershipOrOwnershipTypeInherited {
allInheritedRoles = append(allInheritedRoles, accessList.Spec.OwnerGrants.Roles...)
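Review bot: In the new membership check (the `membershipKind, err := accesslists.IsAccessListMember(...)` lines) an error only produces a warning, and the grant decision in the following `if` still depends on whatever `membershipKind` the helper returned alongside that error, whereas the removed code skipped the grant on any error. Unless `IsAccessListMember` is guaranteed to return `MembershipOrOwnershipTypeNone` on every error path (not visible here), make the fail-closed behaviour explicit in this function: `if err == nil && membershipKind != accesslists.MembershipOrOwnershipTypeNone {`. The same pattern appears in the second hunk for `IsAccessListOwner`/`ownershipType` and should get the same guard. Also note the hierarchy is no longer built once up front; each per-list helper call now receives `g.accessLists` for both locks and members, so if the helper fetches the full list set itself this loop does that once per access list — worth a comment or a measurement if this runs on every login. addAccessListsToState starts before and ends after these hunks.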
8 changes: 4 additions & 4 deletions lib/cache/collections.go
Expand Up @@ -3227,7 +3227,7 @@ func (accessListExecutor) getAll(ctx context.Context, cache *Cache, loadSecrets
}

func (accessListExecutor) upsert(ctx context.Context, cache *Cache, resource *accesslist.AccessList) error {
_, err := cache.accessListCache.UpsertAccessList(ctx, resource)
_, err := cache.accessListCache.UnconditionalUpsertAccessList(ctx, resource)
return trace.Wrap(err)
}

Expand All @@ -3236,7 +3236,7 @@ func (accessListExecutor) deleteAll(ctx context.Context, cache *Cache) error {
}

func (accessListExecutor) delete(ctx context.Context, cache *Cache, resource types.Resource) error {
return cache.accessListCache.DeleteAccessList(ctx, resource.GetName())
return cache.accessListCache.UnconditionalDeleteAccessList(ctx, resource.GetName())
}

func (accessListExecutor) isSingleton() bool { return false }
Expand Down Expand Up @@ -3277,7 +3277,7 @@ func (accessListMemberExecutor) getAll(ctx context.Context, cache *Cache, loadSe
}

func (accessListMemberExecutor) upsert(ctx context.Context, cache *Cache, resource *accesslist.AccessListMember) error {
_, err := cache.accessListCache.UpsertAccessListMember(ctx, resource)
_, err := cache.accessListCache.UnconditionalUpsertAccessListMember(ctx, resource)
return trace.Wrap(err)
}

Expand All @@ -3286,7 +3286,7 @@ func (accessListMemberExecutor) deleteAll(ctx context.Context, cache *Cache) err
}

func (accessListMemberExecutor) delete(ctx context.Context, cache *Cache, resource types.Resource) error {
return cache.accessListCache.DeleteAccessListMember(ctx,
return cache.accessListCache.UnconditionalDeleteAccessListMember(ctx,
resource.GetMetadata().Description, // Cache passes access ID via description field.
resource.GetName())
}
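Review bot: The four executor methods now call the `Unconditional*` variants of the access-list cache (upsert and delete for both access lists and members), but nothing in the file records why the conditional path is bypassed in the cache layer. Presumably the cache is replaying events the backend has already validated, so re-running those conditions on the replica would be redundant or could reject a valid upstream state; that rationale belongs next to the first call, e.g. `// The cache mirrors already-validated backend state; use the unconditional variants so replication does not re-apply (or reject on) checks the backend already enforced.` — adjust to match what the Unconditional methods actually skip, which is not visible in this diff. Without such a note a later reader may assume the cache layer enforces the same constraints as the backend.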

