Line data Source code
1 : use utils::auth::{AuthError, Claims, Scope};
2 : use utils::id::TenantId;
3 :
4 : /// If tenant_id is provided, allow if token (claims) is for this tenant or
5 : /// whole safekeeper scope (SafekeeperData). Else, allow only if token is
6 : /// SafekeeperData.
7 0 : pub fn check_permission(claims: &Claims, tenant_id: Option<TenantId>) -> Result<(), AuthError> {
8 0 : match (&claims.scope, tenant_id) {
9 0 : (Scope::Tenant, None) => Err(AuthError(
10 0 : "Attempt to access management api with tenant scope. Permission denied".into(),
11 0 : )),
12 0 : (Scope::Tenant, Some(tenant_id)) => {
13 0 : if claims.tenant_id.unwrap() != tenant_id {
14 0 : return Err(AuthError("Tenant id mismatch. Permission denied".into()));
15 0 : }
16 0 : Ok(())
17 : }
18 : (
19 : Scope::Admin
20 : | Scope::PageServerApi
21 : | Scope::GenerationsApi
22 : | Scope::Infra
23 : | Scope::Scrubber
24 : | Scope::ControllerPeer,
25 : _,
26 0 : ) => Err(AuthError(
27 0 : format!(
28 0 : "JWT scope '{:?}' is ineligible for Safekeeper auth",
29 0 : claims.scope
30 0 : )
31 0 : .into(),
32 0 : )),
33 0 : (Scope::SafekeeperData, _) => Ok(()),
34 : }
35 0 : }
|