ningyougang commented on a change in pull request #4058:
URL: https://github.com/apache/openwhisk/pull/4058#discussion_r641184253
##########
File path:
core/controller/src/main/scala/org/apache/openwhisk/core/entitlement/Entitlement.scala
##########
@@ -231,6 +234,157 @@ protected[core] abstract class EntitlementProvider(
.getOrElse(Future.successful(()))
}
+ /**
+ * Checks if action operation(get/write/execute) whether feasible
+ *
+ * @param operation the action operation, e.g. get/write/execute
+ * @param user the user who get/write/execute the action
+ * @param entityStore store to write the action to
+ * @param entityName entityName
+ * @param permissions the passed permission code
+ * @return a promise that completes with success iff action operation is
feasible
+ */
+ protected[core] def checkActionPermissions(
+ operation: String,
+ user: Identity,
+ entityStore: ArtifactStore[WhiskEntity],
+ entityName: FullyQualifiedEntityName,
+ get: (ArtifactStore[WhiskEntity], DocId, DocRevision, Boolean) =>
Future[WhiskAction],
+ permissions: Option[String] = None)(implicit transid: TransactionId):
Future[Unit] = {
+ if (operation == "create") {
+ permissions
+ .map { value =>
+ if (WhiskAction.permissionList.contains(value)) {
+ Future.successful(())
+ } else {
+ val errorInfo =
+ s"give error permission code: ${value}, available permission is
in ${WhiskAction.permissionList}"
+ Future.failed(RejectRequest(Forbidden,
Some(ErrorResponse(errorInfo, transid))))
+ }
+ }
+ .getOrElse(Future.successful(()))
+ } else if (operation == "update") {
+ get(entityStore, entityName.toDocId, DocRevision.empty, true)
+ .flatMap { whiskAction =>
+ val currentPermissions = whiskAction.annotations
+ .get(WhiskAction.permissionsFieldName)
+ .map(value => value.convertTo[String])
+ .getOrElse(WhiskAction.defaultPermissions)
+
+ val errorInfo = s"have no permission to ${operation} this action"
+ permissions match {
+ case Some(value) =>
+ if (!WhiskAction.permissionList.contains(value)) {
+ val errorInfo =
+ s"give error permission code: ${value}, available permission
is in ${WhiskAction.permissionList}"
+ Future.failed(RejectRequest(Forbidden,
Some(ErrorResponse(errorInfo, transid))))
+ } else {
+ val passedUpdatePermission = value.charAt(1)
+ if (passedUpdatePermission == 'w') { // make it to modifiable
+ Future.successful(())
+ } else {
+ val currentUpdatePermission = currentPermissions.charAt(1)
+ if (currentUpdatePermission == '-') {
+ Future.failed(RejectRequest(Forbidden,
Some(ErrorResponse(errorInfo, transid))))
+ } else {
+ Future.successful(())
+ }
+ }
+ }
+ case None =>
+ val currentUpdatePermission = currentPermissions.charAt(1)
+ if (currentUpdatePermission == '-') {
+ Future.failed(RejectRequest(Forbidden,
Some(ErrorResponse(errorInfo, transid))))
+ } else {
+ Future.successful(())
+ }
+ }
+ }
+ .recoverWith {
+ case t: RejectRequest =>
+ Future.failed(t)
+ case _ =>
+ Future.successful(())
+ }
+ } else if (operation == "remove") {
+ get(entityStore, entityName.toDocId, DocRevision.empty, true)
+ .flatMap { whiskAction =>
+ val currentPermissions = whiskAction.annotations
+ .get(WhiskAction.permissionsFieldName)
+ .map(value => value.convertTo[String])
+ .getOrElse(WhiskAction.defaultPermissions)
+
+ val currentUpdatePermission = currentPermissions.charAt(1)
+ if (currentUpdatePermission == '-') {
+ val errorInfo = s"have no permission to ${operation} this action"
+ Future.failed(RejectRequest(Forbidden,
Some(ErrorResponse(errorInfo, transid))))
+ } else {
+ Future.successful(())
+ }
+ }
+ .recoverWith {
+ case t: RejectRequest =>
+ Future.failed(t)
+ case _ =>
+ Future.successful(())
+ }
+ } else if (operation == "invoke") {
+ get(entityStore, entityName.toDocId, DocRevision.empty, true)
+ .flatMap { whiskAction =>
+ val currentPermissions = whiskAction.annotations
+ .get(WhiskAction.permissionsFieldName)
+ .map(value => value.convertTo[String])
+ .getOrElse(WhiskAction.defaultPermissions)
+
+ // the user who is owner by default
+ var currentExecutePermission = currentPermissions.charAt(2)
+ var errorInfo = s"have no permission to ${operation} this action"
+ if (user.namespace.name.asString != entityName.path.root.asString) {
// the user who invoke the shared action
+ currentExecutePermission = currentPermissions.charAt(5)
+ errorInfo = s"have no permission to ${operation} this shared
action"
+ }
+ if (currentExecutePermission == '-') { //have no permission
+ Future.failed(RejectRequest(Forbidden,
Some(ErrorResponse(errorInfo, transid))))
+ } else {
+ Future.successful(())
+ }
+ }
+ .recoverWith {
+ case t: RejectRequest =>
+ Future.failed(t)
+ case _ =>
+ Future.successful(())
+ }
+ } else { // download the code
+ get(entityStore, entityName.toDocId, DocRevision.empty, true)
+ .flatMap { whiskAction =>
+ val currentPermissions = whiskAction.annotations
+ .get(WhiskAction.permissionsFieldName)
+ .map(value => value.convertTo[String])
+ .getOrElse(WhiskAction.defaultPermissions)
+
+ val errorInfo = s"have no permission to download this shared action"
+ val currentDownloadPermission = currentPermissions.charAt(3)
Review comment:
It is for `the shared user`, so currentPermissions.charAt(3)
If the user is owner, the owner has download permission on any situation
hm...i will optimize the codes like below
```
if (user.namespace.name.asString != entityName.path.root.asString)
{ // the shared user who download the action
val errorInfo = s"have no permission to download this shared
action"
val downloadPermissionOfSharedUser = currentPermissions.charAt(3)
if (downloadPermissionOfSharedUser == '-') {
Future.failed(RejectRequest(Forbidden,
Some(ErrorResponse(errorInfo, transid))))
} else {
Future.successful(())
}
} else {
// the owner has download permission on any situation
Future.successful(())
}
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
