add HasAccess

dbrest-io · Jan 3, 2023 · c520a17 · c520a17
1 parent 3136d41
commit c520a17
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 21 deletions.
diff --git a/server/request.go b/server/request.go
@@ -86,20 +86,6 @@ func NewRequest(c echo.Context) Request {
 	return req
 }
 
-type requestCheck string
-
-const (
-	reqCheckID         requestCheck = "id"
-	reqCheckName       requestCheck = "name"
-	reqCheckConnection requestCheck = "connection"
-	reqCheckDatabase   requestCheck = "database"
-	reqCheckSchema     requestCheck = "schema"
-	reqCheckTable      requestCheck = "table"
-	reqCheckQuery      requestCheck = "query"
-	reqCheckProcedure  requestCheck = "procedure"
-	reqCheckData       requestCheck = "data"
-)
-
 func (r *Request) CanRead(table database.Table) bool {
 	if p, ok := r.Permissions["*"]; ok {
 		if p.CanRead() {
@@ -228,6 +214,20 @@ func (r *Request) GetFileUpload() (src io.ReadCloser, err error) {
 	return
 }
 
+type requestCheck string
+
+const (
+	reqCheckID         requestCheck = "id"
+	reqCheckName       requestCheck = "name"
+	reqCheckConnection requestCheck = "connection"
+	reqCheckDatabase   requestCheck = "database"
+	reqCheckSchema     requestCheck = "schema"
+	reqCheckTable      requestCheck = "table"
+	reqCheckQuery      requestCheck = "query"
+	reqCheckProcedure  requestCheck = "procedure"
+	reqCheckData       requestCheck = "data"
+)
+
 func (r *Request) Validate(checks ...requestCheck) (err error) {
 	eG := g.ErrorGroup{}
 	for _, check := range checks {
@@ -239,6 +239,8 @@ func (r *Request) Validate(checks ...requestCheck) (err error) {
 		case reqCheckConnection:
 			if cast.ToString(r.Connection) == "" {
 				eG.Add(g.Error("missing request value for: connection"))
+			} else if !r.Roles.HasAccess(r.Connection) {
+				eG.Add(g.Error("forbidden access for: connection"))
 			}
 		case reqCheckDatabase:
 			if cast.ToString(r.Database) == "" {
@@ -273,6 +275,11 @@ func (r *Request) Validate(checks ...requestCheck) (err error) {
 		}
 	}
 
+	// token has role
+	if len(r.Roles) == 0 {
+		return g.Error("Invalid token or forbidden")
+	}
+
 	return eG.Err()
 }
 

diff --git a/server/routes_connection.go b/server/routes_connection.go
@@ -28,15 +28,20 @@ func getConnections(c echo.Context) (err error) {
 		{Name: "name", Type: iop.StringType},
 		{Name: "type", Type: iop.StringType},
 		{Name: "database", Type: iop.StringType},
-		{Name: "dbt", Type: iop.BoolType},
+		{Name: "source", Type: iop.StringType},
 	}
 	resp.data = iop.NewDataset(columns)
 	for _, conn := range state.Connections {
+		connName := strings.ToLower(conn.Conn.Info().Name)
+		if !req.Roles.HasAccess(connName) {
+			continue
+		}
+
 		row := []any{
-			conn.Conn.Info().Name,
+			connName,
 			conn.Conn.Info().Type,
 			conn.Conn.Info().Database,
-			conn.Conn.Data["dbt"],
+			conn.Source,
 		}
 		resp.data.Append(row)
 	}

diff --git a/state/roles.go b/state/roles.go
@@ -67,6 +67,15 @@ func GetRoleMap(roles []string) (rm RoleMap) {
 	return
 }
 
+func (rm RoleMap) HasAccess(connection string) bool {
+	for _, role := range rm {
+		if _, ok := role[connection]; ok {
+			return true
+		}
+	}
+	return false
+}
+
 func (rm RoleMap) GetPermissions(connection string) (perms Permissions) {
 	perms = Permissions{}
 	for _, role := range rm {

diff --git a/state/state.go b/state/state.go
@@ -32,8 +32,9 @@ func init() {
 
 // Connection is a connection
 type Connection struct {
-	Conn  connection.Connection
-	Props map[string]string // to cache vars
+	Conn   connection.Connection
+	Source string
+	Props  map[string]string // to cache vars
 }
 
 // DefaultDB returns the default database
@@ -61,8 +62,9 @@ func LoadConnections(force bool) (err error) {
 
 		name := strings.ToLower(strings.ReplaceAll(entry.Name, "/", "_"))
 		Connections[name] = &Connection{
-			Conn:  entry.Connection,
-			Props: map[string]string{},
+			Conn:   entry.Connection,
+			Source: entry.Source,
+			Props:  map[string]string{},
 		}
 	}