
Side by Side Diff: appengine/logdog/coordinator/endpoints/logs/service.go

Issue 1971493003: LogDog: Project READ access for user endpoints. (Closed) Base URL: https://github.com/luci/luci-go@logdog-project-service-config
Patch Set: Updated patchset dependency Created 4 years, 7 months ago
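--- a/appengine/logdog/coordinator/endpoints/logs/service.go
+++ b/appengine/logdog/coordinator/endpoints/logs/service.go
@@ -1,63 +1,84 @@
 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 package logs
 
 import (
 "github.com/golang/protobuf/proto"
 "github.com/luci/luci-go/appengine/logdog/coordinator"
 "github.com/luci/luci-go/appengine/logdog/coordinator/endpoints"
 "github.com/luci/luci-go/common/api/logdog_coordinator/logs/v1"
 "github.com/luci/luci-go/common/config"
 "github.com/luci/luci-go/common/grpcutil"
+log "github.com/luci/luci-go/common/logging"
 "golang.org/x/net/context"
 )
 
 // Server is the user-facing log access and query endpoint service.
 type server struct {
 // resultLimit is the maximum number of query results to return in a
 // single query. If zero, the default will be used.
 //
 // This is provided for testing purposes.
 resultLimit int
 }
 
 // New creates a new authenticating LogsServer instance.
 func New() logdog.LogsServer {
 return newService(&server{})
 }
 
 func newService(svr *server) logdog.LogsServer {
 return &logdog.DecoratedLogs{
 Service: svr,
 Prelude: func(c context.Context, methodName string, req proto.Me ssage) (context.Context, error) {
 // Enter a datastore namespace based on the message type .
 //
 // We use a type switch here because this is a shared de corator. All user
 // mesages must implement ProjectBoundMessage.
 pbm, ok := req.(endpoints.ProjectBoundMessage)
 if ok {
-» » » » if err := coordinator.WithProjectNamespace(&c, c onfig.ProjectName(pbm.GetMessageProject())); err != nil {
-» » » » » // If access is explicitly denied, retur n the appropriate gRPC error.
-» » » » » if err == coordinator.ErrNoAccess {
-» » » » » » return nil, grpcutil.NotFound
-» » » » » }
-» » » » » return nil, grpcutil.Internal
+» » » » // Enter the requested project namespace. This v alidates that the
+» » » » // current user has READ access.
+» » » » project := config.ProjectName(pbm.GetMessageProj ect())
+» » » » log.Fields{
+» » » » » "project": project,
+» » » » }.Debugf(c, "User is accessing project.")
+» » » » if err := coordinator.WithProjectNamespace(&c, p roject); err != nil {
+» » » » » return nil, getGRPCError(c, err)
 }
 }
 
 return c, nil
 },
 }
 }
 
+func getGRPCError(c context.Context, err error) error {
+switch {
+case err == nil:
+return nil
+
+case err == config.ErrNoConfig:
+log.WithError(err).Errorf(c, "No project configuration defined." )
+return grpcutil.PermissionDenied
+
+case coordinator.IsMembershipError(err):
+log.WithError(err).Errorf(c, "User does not have READ access to project.")
+return grpcutil.PermissionDenied
+
+default:
+return grpcutil.Internal
+}
+}
+
 func (s *server) limit(v int, d int) int {
 if s.resultLimit > 0 {
 d = s.resultLimit
 }
 if v <= 0 || v > d {
 return d
 }
 return v
 }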
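Review bot: The prelude still fails open for any request that does not implement `endpoints.ProjectBoundMessage`: when the type assertion's `ok` is false the closure falls through to `return c, nil`, so the READ check that this change routes through `coordinator.WithProjectNamespace` never runs for that request. The comment says all user messages must implement the interface, but nothing here enforces it; an `else` branch that logs and rejects, e.g. `return nil, grpcutil.Internal`, would turn a missing implementation into a visible failure instead of a silently unchecked call (whether the handlers re-check access themselves is not visible on this page). Separately, the `default:` case of `getGRPCError` returns `grpcutil.Internal` without logging `err`, unlike the two branches above it; adding `log.WithError(err).Errorf(c, "Failed to enter project namespace.")` before that return would keep the cause available for triage.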