dumplingmiku/ubicloud
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
eren-kill_child_progs_of_k8sprovision
ubicloud/routes/github.rb
Jeremy Evans 096ac0111b Switch access control to use AccessControlEntry and {Subject,Action,Object}Tag 
Previously, access control was implemented via AccessPolicy and {Access/AppliedTag}.
This doesn't remove AccessPolicy/AppliedTag yet, as there are still references to
them.  They will be removed in a later commit.

In order for the new access control to work, the authorization methods need to be
passed the project_id, to force the access query to operate on a single project.
That part isn't very invasive, since authorization is mostly centralized in
helpers/general.rb, but it did require a couple other places to be changed:

* model/invoice.rb is the only caller of Authorization.authorize outside of
  the Clover helpers.  This is probably a layer violation that should be fixed
  later, but for now, add the project_id manually to the call.

* In the github route, set @project so that the helpers can access it.

Add Project#dissociate_subject, which handles remove the subject tags and
direct access control entries when removing a user or token from a project.
Call this when removing uses or tokens from a project.

Remove Authorization.authorized_resources_dataset, as it was only
needed by Dataset#authorize.  This inlines the code into Dataset#authorize.
This was done because it doesn't make sense to use the method in isolation,
and the query needed in Dataset#authorize depends on the dataset, which
isn't passed to Authorization.authorized_resources_dataset.

Remove Authorization.expand_actions.  This method has no equivalent in the
new design, and it is no longer needed.

For the api specs that use a personal access token, this adds the
token to the Admin subject tag (which has full access).  This has
similar behavior as applying the admin managed policy had previously.

The authorization queries do not currently support nested tags.  Support
for nested tags will be added later.

While here, fix parameter name for Clover#all_permissions.
This method is only currently called with @project.id as the argument,
so it doesn't technically need an argument, but it could potentially
be used later to get all permissions on an object other than the
current project.
2025-01-09 09:55:55 -08:00

3.5 KiB
Raw Permalink Blame History

View Raw
Reference in New Issue View Git Blame Copy Permalink