Line data Source code
1 : use utils::auth::{AuthError, Claims, Scope};
2 : use utils::id::TenantId;
3 :
4 0 : pub fn check_permission(claims: &Claims, tenant_id: Option<TenantId>) -> Result<(), AuthError> {
5 0 : match (&claims.scope, tenant_id) {
6 0 : (Scope::Tenant, None) => Err(AuthError(
7 0 : "Attempt to access management api with tenant scope. Permission denied".into(),
8 0 : )),
9 0 : (Scope::Tenant, Some(tenant_id)) => {
10 0 : if claims.tenant_id.unwrap() != tenant_id {
11 0 : return Err(AuthError("Tenant id mismatch. Permission denied".into()));
12 0 : }
13 0 : Ok(())
14 : }
15 0 : (Scope::Admin | Scope::PageServerApi | Scope::GenerationsApi, _) => Err(AuthError(
16 0 : format!(
17 0 : "JWT scope '{:?}' is ineligible for Safekeeper auth",
18 0 : claims.scope
19 0 : )
20 0 : .into(),
21 0 : )),
22 0 : (Scope::SafekeeperData, _) => Ok(()),
23 : }
24 0 : }
|