mirror of
https://github.com/neondatabase/neon.git
synced 2026-01-09 14:32:57 +00:00
ea118a238a
* lower level on auth success from info to debug (fixes #5820) * don't log stacktraces on auth errors (as requested on slack). we do this by introducing an `AuthError` type instead of using `anyhow` and `bail`. * return errors that have been censored for improved security.
21 lines
781 B
Rust
21 lines
781 B
Rust
use utils::auth::{AuthError, Claims, Scope};
|
|
use utils::id::TenantId;
|
|
|
|
pub fn check_permission(claims: &Claims, tenant_id: Option<TenantId>) -> Result<(), AuthError> {
|
|
match (&claims.scope, tenant_id) {
|
|
(Scope::Tenant, None) => Err(AuthError(
|
|
"Attempt to access management api with tenant scope. Permission denied".into(),
|
|
)),
|
|
(Scope::Tenant, Some(tenant_id)) => {
|
|
if claims.tenant_id.unwrap() != tenant_id {
|
|
return Err(AuthError("Tenant id mismatch. Permission denied".into()));
|
|
}
|
|
Ok(())
|
|
}
|
|
(Scope::PageServerApi, _) => Err(AuthError(
|
|
"PageServerApi scope makes no sense for Safekeeper".into(),
|
|
)),
|
|
(Scope::SafekeeperData, _) => Ok(()),
|
|
}
|
|
}
|