// Copyright 2017-Present Couchbase, Inc.
//
// Use of this software is governed by the Business Source License included
// in the file licenses/BSL-Couchbase.txt. As of the Change Date specified
// in that file, in accordance with the Business Source License, use of this
// software will be governed by the Apache License, Version 2.0, included in
// the file licenses/APL2.txt.
package cbft
import (
"fmt"
"net/http"
"strings"
"github.com/couchbase/cbgt"
"github.com/couchbase/cbgt/rest"
)
// FilteredListIndexHandler is an http.Handler that lists index
// definitions, similar to cbgt.rest.ListIndexHandler, and narrows the
// result to what the caller is permitted to read when cbauth is the
// configured auth type.
type FilteredListIndexHandler struct {
	// mgr supplies the index definitions that ServeHTTP lists.
	mgr definitionLookuper

	// isCBAuth gates all permission filtering in ServeHTTP: when it is
	// false, ServeHTTP returns the definitions without any cbauth check.
	isCBAuth bool
}
// NewFilteredListIndexHandler returns a FilteredListIndexHandler backed
// by mgr.
//
// Permission filtering is enabled only when mgr is non-nil and its
// "authType" option is exactly "cbauth". With any other value, or a nil
// mgr, the handler is created with filtering disabled.
func NewFilteredListIndexHandler(mgr *cbgt.Manager) *FilteredListIndexHandler {
	cbauthEnabled := false
	if mgr != nil {
		cbauthEnabled = mgr.GetOption("authType") == "cbauth"
	}

	handler := &FilteredListIndexHandler{
		mgr:      mgr,
		isCBAuth: cbauthEnabled,
	}
	return handler
}
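// ServeHTTP responds with the index definitions as JSON, in the form
// {"status": "ok", "indexDefs": ...}.
//
// Authorization behaviour, as implemented here:
//   - When the handler is not in cbauth mode (isCBAuth is false), the
//     definitions returned by GetIndexDefs are sent as-is: neither the
//     permission check nor the bucket/scope prefix filter is applied.
//   - In cbauth mode, an index is listed only if the caller is allowed
//     the fts!read permission (built via decoratePermStrings) for every
//     source name the index resolves to. A denied or erroring permission
//     check hides the index.
//   - In cbauth mode, when the request carries both a bucket and a scope
//     name, only indexes whose name starts with "<bucket>.<scope>." are
//     listed, and that prefix is removed from the Name of the returned
//     copy (the map key keeps the full name).
//
// Failure to obtain credentials yields 403. Failure to load the index
// definitions, or to resolve the source names of any single index, yields
// 500 for the whole request.
func (h *FilteredListIndexHandler) ServeHTTP(
	w http.ResponseWriter, req *http.Request) {
	var scopedPrefix string

	bucketName := rest.BucketNameLookup(req)
	scopeName := rest.ScopeNameLookup(req)
	if len(bucketName) > 0 && len(scopeName) > 0 {
		scopedPrefix = bucketName + "." + scopeName + "."
	}

	indexDefs, indexDefsByName, err := h.mgr.GetIndexDefs(false)
	if err != nil {
		rest.PropagateError(w, nil, fmt.Sprintf("rest_list: filteredListIndex,"+
			" could not retrieve index defs, err: %v", err),
			http.StatusInternalServerError)
		return
	}

	// NOTE(review): everything below this guard is the only filtering in
	// the handler; with isCBAuth false the full, unscoped set is returned.
	// Confirm that deployments without cbauth protect this route elsewhere.
	if h.isCBAuth {
		creds, err := CBAuthWebCreds(req)
		if err != nil {
			rest.PropagateError(w, nil, fmt.Sprintf("rest_list: filteredListIndex,"+
				" cbauth.AuthWebCreds, err: %v", err), http.StatusForbidden)
			return
		}

		if indexDefs != nil && indexDefsByName != nil {
			// allowSourceName fails closed: an error from the permission
			// check is treated the same as a denial.
			allowSourceName := func(sourceName string) bool {
				perm := decoratePermStrings(
					"cluster.collection["+sourceName+"].fts!read",
					sourceName)
				allowed, err := CBAuthIsAllowed(creds, perm)
				return allowed && err == nil
			}

			// Copy fields, but start a separate, filtered IndexDefs map.
			out := *indexDefs
			out.IndexDefs = map[string]*cbgt.IndexDef{}

			var sourceNames []string

		OUTER:
			for indexName, indexDef := range indexDefsByName {
				// Work on a copy so the Name rewrite below does not touch
				// the definition held in indexDefsByName.
				indexDefCopy := *indexDef

				if indexDefCopy.Type == "fulltext-alias" {
					// A nil map is handed to sourceNamesForAlias, which is
					// defined elsewhere in the package.
					var visitedAliases map[string]bool
					sourceNames, err = sourceNamesForAlias(indexName, indexDefsByName, visitedAliases)
					if err != nil {
						rest.PropagateError(w, nil,
							fmt.Sprintf("rest_list: filteredListIndex, sourceNamesForAlias,"+
								" err: %v", err), http.StatusInternalServerError)
						return
					}
				} else {
					sourceNames, err = getSourceNamesFromIndexDef(&indexDefCopy)
					if err != nil {
						rest.PropagateError(w, nil,
							fmt.Sprintf("rest_list: filteredListIndex, getSourceNamesFromIndexDef,"+
								" err: %v", err), http.StatusInternalServerError)
						return
					}
				}

				// Every source must be readable; one denial hides the index.
				// NOTE(review): when sourceNames is empty this loop does not
				// run, so the index is listed with no permission check.
				// Confirm that is intended for indexes without sources.
				for _, sourceName := range sourceNames {
					if !allowSourceName(sourceName) {
						continue OUTER
					}
				}

				if len(scopedPrefix) > 0 {
					if !strings.HasPrefix(indexName, scopedPrefix) {
						continue
					}
					// Drop the scopedIndexName prefix. The check above is on
					// the map key, so trim Name with TrimPrefix: a Name that
					// does not carry the prefix is left intact rather than
					// sliced at a fixed offset (which panics when Name is
					// shorter than the prefix).
					indexDefCopy.Name = strings.TrimPrefix(indexDefCopy.Name, scopedPrefix)
				}

				out.IndexDefs[indexName] = &indexDefCopy
			}

			indexDefs = &out
		}
	}

	rv := struct {
		Status    string          `json:"status"`
		IndexDefs *cbgt.IndexDefs `json:"indexDefs"`
	}{
		Status:    "ok",
		IndexDefs: indexDefs,
	}
	rest.MustEncode(w, rv)
}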