kuma

1
package access
2

3
import (
4
	"context"
5

6
	config_access "github.com/kumahq/kuma/pkg/config/access"
7
	"github.com/kumahq/kuma/pkg/core/access"
8
	"github.com/kumahq/kuma/pkg/core/user"
9
)
10

11
type staticGenerateDataplaneTokenAccess struct {
12
	usernames map[string]bool
13
	groups    map[string]bool
14
}
15

16
var _ DataplaneTokenAccess = &staticGenerateDataplaneTokenAccess{}
17

18
func NewStaticGenerateDataplaneTokenAccess(cfg config_access.GenerateDPTokenStaticAccessConfig) DataplaneTokenAccess {
19
	s := &staticGenerateDataplaneTokenAccess{
20
		usernames: map[string]bool{},
21
		groups:    map[string]bool{},
22
	}
23
	for _, user := range cfg.Users {
24
		s.usernames[user] = true
25
	}
26
	for _, group := range cfg.Groups {
27
		s.groups[group] = true
28
	}
29
	return s
30
}
31

32
func (s *staticGenerateDataplaneTokenAccess) ValidateGenerateDataplaneToken(ctx context.Context, name string, mesh string, tags map[string][]string, user user.User) error {
33
	return s.validateAccess(user)
34
}
35

36
func (s *staticGenerateDataplaneTokenAccess) ValidateGenerateZoneIngressToken(ctx context.Context, zone string, user user.User) error {
37
	return s.validateAccess(user)
38
}
39

40
func (s *staticGenerateDataplaneTokenAccess) validateAccess(user user.User) error {
41
	allowed := s.usernames[user.Name]
42
	for _, group := range user.Groups {
43
		if s.groups[group] {
44
			allowed = true
45
		}
46
	}
47
	if !allowed {
48
		return &access.AccessDeniedError{Reason: "action not allowed"}
49
	}
50
	return nil
51
}
52