mirror of
https://github.com/neondatabase/neon.git
synced 2026-01-08 05:52:55 +00:00
b7fc5a2fe0
## Summary of changes A bunch of no-op changes. --------- Co-authored-by: Vlad Lazar <vlad@neon.tech>
35 lines
1.2 KiB
Rust
35 lines
1.2 KiB
Rust
use utils::auth::{AuthError, Claims, Scope};
|
|
use utils::id::TenantId;
|
|
|
|
pub fn check_permission(claims: &Claims, tenant_id: Option<TenantId>) -> Result<(), AuthError> {
|
|
match (&claims.scope, tenant_id) {
|
|
(Scope::Tenant, None) => Err(AuthError(
|
|
"Attempt to access management api with tenant scope. Permission denied".into(),
|
|
)),
|
|
(Scope::Tenant, Some(tenant_id)) => {
|
|
if claims.tenant_id.unwrap() != tenant_id {
|
|
return Err(AuthError("Tenant id mismatch. Permission denied".into()));
|
|
}
|
|
Ok(())
|
|
}
|
|
(Scope::PageServerApi, None) => Ok(()), // access to management api for PageServerApi scope
|
|
(Scope::PageServerApi, Some(_)) => Ok(()), // access to tenant api using PageServerApi scope
|
|
(
|
|
Scope::Admin
|
|
| Scope::SafekeeperData
|
|
| Scope::GenerationsApi
|
|
| Scope::Infra
|
|
| Scope::Scrubber
|
|
| Scope::ControllerPeer
|
|
| Scope::TenantEndpoint,
|
|
_,
|
|
) => Err(AuthError(
|
|
format!(
|
|
"JWT scope '{:?}' is ineligible for Pageserver auth",
|
|
claims.scope
|
|
)
|
|
.into(),
|
|
)),
|
|
}
|
|
}
|