jiangpengcheng commented on a change in pull request #4058:
URL: https://github.com/apache/openwhisk/pull/4058#discussion_r639377253
##########
File path:
core/controller/src/main/scala/org/apache/openwhisk/core/entitlement/Entitlement.scala
##########
@@ -231,6 +234,157 @@ protected[core] abstract class EntitlementProvider(
.getOrElse(Future.successful(()))
}
+ /**
+ * Checks if action operation(get/write/execute) whether feasible
+ *
+ * @param operation the action operation, e.g. get/write/execute
+ * @param user the user who get/write/execute the action
+ * @param entityStore store to write the action to
+ * @param entityName entityName
+ * @param permissions the passed permission code
+ * @return a promise that completes with success iff action operation is
feasible
+ */
+ protected[core] def checkActionPermissions(
+ operation: String,
+ user: Identity,
+ entityStore: ArtifactStore[WhiskEntity],
+ entityName: FullyQualifiedEntityName,
+ get: (ArtifactStore[WhiskEntity], DocId, DocRevision, Boolean) =>
Future[WhiskAction],
+ permissions: Option[String] = None)(implicit transid: TransactionId):
Future[Unit] = {
+ if (operation == "create") {
+ permissions
+ .map { value =>
+ if (WhiskAction.permissionList.contains(value)) {
+ Future.successful(())
+ } else {
+ val errorInfo =
+ s"give error permission code: ${value}, available permission is
in ${WhiskAction.permissionList}"
+ Future.failed(RejectRequest(Forbidden,
Some(ErrorResponse(errorInfo, transid))))
+ }
+ }
+ .getOrElse(Future.successful(()))
+ } else if (operation == "update") {
+ get(entityStore, entityName.toDocId, DocRevision.empty, true)
+ .flatMap { whiskAction =>
+ val currentPermissions = whiskAction.annotations
+ .get(WhiskAction.permissionsFieldName)
+ .map(value => value.convertTo[String])
+ .getOrElse(WhiskAction.defaultPermissions)
+
+ val errorInfo = s"have no permission to ${operation} this action"
+ permissions match {
+ case Some(value) =>
+ if (!WhiskAction.permissionList.contains(value)) {
+ val errorInfo =
+ s"give error permission code: ${value}, available permission
is in ${WhiskAction.permissionList}"
+ Future.failed(RejectRequest(Forbidden,
Some(ErrorResponse(errorInfo, transid))))
+ } else {
+ val passedUpdatePermission = value.charAt(1)
+ if (passedUpdatePermission == 'w') { // make it to modifiable
+ Future.successful(())
+ } else {
+ val currentUpdatePermission = currentPermissions.charAt(1)
+ if (currentUpdatePermission == '-') {
+ Future.failed(RejectRequest(Forbidden,
Some(ErrorResponse(errorInfo, transid))))
+ } else {
+ Future.successful(())
+ }
+ }
+ }
+ case None =>
+ val currentUpdatePermission = currentPermissions.charAt(1)
+ if (currentUpdatePermission == '-') {
+ Future.failed(RejectRequest(Forbidden,
Some(ErrorResponse(errorInfo, transid))))
+ } else {
+ Future.successful(())
+ }
+ }
+ }
+ .recoverWith {
+ case t: RejectRequest =>
+ Future.failed(t)
+ case _ =>
+ Future.successful(())
+ }
+ } else if (operation == "remove") {
+ get(entityStore, entityName.toDocId, DocRevision.empty, true)
+ .flatMap { whiskAction =>
+ val currentPermissions = whiskAction.annotations
+ .get(WhiskAction.permissionsFieldName)
+ .map(value => value.convertTo[String])
+ .getOrElse(WhiskAction.defaultPermissions)
+
+ val currentUpdatePermission = currentPermissions.charAt(1)
+ if (currentUpdatePermission == '-') {
+ val errorInfo = s"have no permission to ${operation} this action"
+ Future.failed(RejectRequest(Forbidden,
Some(ErrorResponse(errorInfo, transid))))
+ } else {
+ Future.successful(())
+ }
+ }
+ .recoverWith {
+ case t: RejectRequest =>
+ Future.failed(t)
+ case _ =>
+ Future.successful(())
+ }
+ } else if (operation == "invoke") {
+ get(entityStore, entityName.toDocId, DocRevision.empty, true)
+ .flatMap { whiskAction =>
+ val currentPermissions = whiskAction.annotations
+ .get(WhiskAction.permissionsFieldName)
+ .map(value => value.convertTo[String])
+ .getOrElse(WhiskAction.defaultPermissions)
+
+ // the user who is owner by default
+ var currentExecutePermission = currentPermissions.charAt(2)
+ var errorInfo = s"have no permission to ${operation} this action"
+ if (user.namespace.name.asString != entityName.path.root.asString) {
// the user who invoke the shared action
+ currentExecutePermission = currentPermissions.charAt(5)
+ errorInfo = s"have no permission to ${operation} this shared
action"
+ }
+ if (currentExecutePermission == '-') { //have no permission
+ Future.failed(RejectRequest(Forbidden,
Some(ErrorResponse(errorInfo, transid))))
+ } else {
+ Future.successful(())
+ }
+ }
+ .recoverWith {
+ case t: RejectRequest =>
+ Future.failed(t)
+ case _ =>
+ Future.successful(())
+ }
+ } else { // download the code
+ get(entityStore, entityName.toDocId, DocRevision.empty, true)
+ .flatMap { whiskAction =>
+ val currentPermissions = whiskAction.annotations
+ .get(WhiskAction.permissionsFieldName)
+ .map(value => value.convertTo[String])
+ .getOrElse(WhiskAction.defaultPermissions)
+
+ val errorInfo = s"have no permission to download this shared action"
+ val currentDownloadPermission = currentPermissions.charAt(3)
Review comment:
shouldn't this be `currentPermissions.charAt(0)`? since permission
string is like `rwx---` and the first char indicate the "read" permission
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
