1 : use utils::auth::{AuthError, Claims, Scope};
2 : use utils::id::TenantId;
3 :
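/// Checks whether `claims` authorise the caller for the requested resource.
///
/// `tenant_id` is `None` for a management-API request and `Some` for a
/// request against a specific tenant's API.
///
/// # Errors
///
/// Returns [`AuthError`] when the token's scope does not grant access:
/// a `Tenant`-scoped token used against the management API, a
/// `Tenant`-scoped token whose `tenant_id` claim is absent or does not
/// match the requested tenant, or any scope that is not accepted by the
/// pageserver at all.
pub fn check_permission(claims: &Claims, tenant_id: Option<TenantId>) -> Result<(), AuthError> {
    match (&claims.scope, tenant_id) {
        (Scope::Tenant, None) => Err(AuthError(
            "Attempt to access management api with tenant scope. Permission denied".into(),
        )),
        // A Tenant-scoped token must carry a `tenant_id` claim equal to the
        // requested tenant. A token without the claim is rejected rather than
        // unwrapped: a malformed token must be denied, not panic the handler.
        (Scope::Tenant, Some(tenant_id)) => match claims.tenant_id {
            Some(claimed) if claimed == tenant_id => Ok(()),
            Some(_) => Err(AuthError("Tenant id mismatch. Permission denied".into())),
            None => Err(AuthError(
                "Tenant scope token has no tenant id. Permission denied".into(),
            )),
        },
        (Scope::PageServerApi, None) => Ok(()), // access to management api for PageServerApi scope
        (Scope::PageServerApi, Some(_)) => Ok(()), // access to tenant api using PageServerApi scope
        // Listed explicitly (no `_` catch-all) so that adding a new `Scope`
        // variant fails to compile here until its pageserver policy is decided.
        (
            Scope::Admin
            | Scope::SafekeeperData
            | Scope::GenerationsApi
            | Scope::Infra
            | Scope::Scrubber
            | Scope::ControllerPeer,
            _,
        ) => Err(AuthError(
            format!(
                "JWT scope '{:?}' is ineligible for Pageserver auth",
                claims.scope
            )
            .into(),
        )),
    }
}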