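// eventList handles GET /events. It decodes the request parameters into an
// event.Filter, scopes the filter to the caller's permissions and writes the
// events returned by event.List as JSON. An empty result is answered with
// 204 No Content.
//
// Security notes:
//   - filter.Permissions is assigned from the token after decoding, so any
//     value a client supplies for that field is overwritten.
//   - PruneUserValues presumably clears the other filter fields a client
//     must not control; confirm against event.Filter.

// title: event list
// path: /events
// method: GET
// produce: application/json
// responses:
//   200: OK
//   204: No content
func eventList(w http.ResponseWriter, r *http.Request, t auth.Token) error {
	// Malformed request parameters are a client error. The ParseForm error
	// used to be dropped, so a partially parsed form was filtered on.
	if err := r.ParseForm(); err != nil {
		return &errors.HTTP{Code: http.StatusBadRequest, Message: fmt.Sprintf("unable to parse event filters: %s", err)}
	}
	filter := &event.Filter{}
	dec := form.NewDecoder(nil)
	dec.IgnoreUnknownKeys(true)
	dec.IgnoreCase(true)
	err := dec.DecodeValues(&filter, r.Form)
	if err != nil {
		return &errors.HTTP{Code: http.StatusBadRequest, Message: fmt.Sprintf("unable to parse event filters: %s", err)}
	}
	filter.PruneUserValues()
	// Always taken from the authenticated token, never from the request.
	filter.Permissions, err = t.Permissions()
	if err != nil {
		return err
	}
	events, err := event.List(filter)
	if err != nil {
		return err
	}
	if len(events) == 0 {
		w.WriteHeader(http.StatusNoContent)
		return nil
	}
	w.Header().Add("Content-Type", "application/json")
	return json.NewEncoder(w).Encode(events)
}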
// canUseRole reports whether the token may use role roleName for
// contextValue. It returns nil only when the token already holds every
// permission the role carries for that context, so a caller cannot use a role
// that carries more privilege than they hold themselves.
//
// Errors: an *errors.HTTP with 404 when the role does not exist, an
// *errors.HTTP with 403 naming the first permission the token lacks, or the
// error from the role lookup or from t.Permissions unchanged.
func canUseRole(t auth.Token, roleName, contextValue string) error {
	role, err := permission.FindRole(roleName)
	if err != nil {
		if err != permission.ErrRoleNotFound {
			return err
		}
		// Unknown role: answer 404 instead of a generic failure.
		return &errors.HTTP{Code: http.StatusNotFound, Message: err.Error()}
	}
	held, err := t.Permissions()
	if err != nil {
		return err
	}
	for _, needed := range role.PermissionsFor(contextValue) {
		if permission.CheckFromPermList(held, needed.Scheme, needed.Context) {
			continue
		}
		// The first missing permission is enough to refuse the whole role.
		return &errors.HTTP{
			Code:    http.StatusForbidden,
			Message: fmt.Sprintf("User not authorized to use permission %s", needed.String()),
		}
	}
	return nil
}
// teamList writes, as JSON, the teams on which the token holds at least one
// team-scoped permission, together with the names of those permissions.
// Teams for which no permission check succeeds are left out of the response;
// if none remain the handler answers 204 No Content.
//
// The caller's user name and the action "list-teams" are passed to rec.Log
// before anything else. Entries are emitted in Go map iteration order, which
// is unspecified.
func teamList(w http.ResponseWriter, r *http.Request, t auth.Token) error {
	rec.Log(t.GetUserName(), "list-teams")
	schemes := permission.PermissionRegistry.PermissionsWithContextType(permission.CtxTeam)
	teams, err := auth.ListTeams()
	if err != nil {
		return err
	}
	held, err := t.Permissions()
	if err != nil {
		return err
	}
	byTeam := map[string][]string{}
	for _, team := range teams {
		ctx := permission.Context(permission.CtxTeam, team.Name)
		// Most recently granted scheme for this team. Schemes it reports as
		// children via IsParent are skipped.
		// NOTE(review): this presumably relies on the registry listing
		// parents before their children; confirm.
		var granted *permission.PermissionScheme
		for _, scheme := range schemes {
			covered := granted != nil && granted.IsParent(scheme)
			if covered || !permission.CheckFromPermList(held, scheme, ctx) {
				continue
			}
			granted = scheme
			byTeam[team.Name] = append(byTeam[team.Name], scheme.FullName())
		}
	}
	if len(byTeam) == 0 {
		w.WriteHeader(http.StatusNoContent)
		return nil
	}
	result := make([]map[string]interface{}, 0, len(byTeam))
	for name, permissions := range byTeam {
		entry := map[string]interface{}{
			"name":        name,
			"permissions": permissions,
		}
		result = append(result, entry)
	}
	w.Header().Set("Content-Type", "application/json")
	body, err := json.Marshal(result)
	if err != nil {
		return err
	}
	written, err := w.Write(body)
	if err != nil {
		return err
	}
	// A short write without an error is still reported as a failure.
	if written != len(body) {
		return &errors.HTTP{Code: http.StatusInternalServerError, Message: "Failed to write response body."}
	}
	return nil
}
// userInfo writes the API representation of the token's own user as JSON.
// Both the user and the permission list are read from the token; nothing in
// the request selects which user is returned.
func userInfo(w http.ResponseWriter, r *http.Request, t auth.Token) error {
	current, err := t.User()
	if err != nil {
		return err
	}
	held, err := t.Permissions()
	if err != nil {
		return err
	}
	// The third argument is nil here.
	// NOTE(review): presumably an optional role cache; confirm against
	// createApiUser.
	payload, err := createApiUser(held, current, nil)
	if err != nil {
		return err
	}
	w.Header().Add("Content-Type", "application/json")
	enc := json.NewEncoder(w)
	return enc.Encode(payload)
}
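// listUsers handles GET /users and writes the users visible to the caller as
// a JSON array. Optional query parameters narrow the list:
//
//   - userEmail: keep the user whose Email equals the value exactly.
//   - role: keep users holding a role with that name; when context is also
//     given, the role's ContextValue must equal it.
//
// The two filters are alternatives: a user matching either one is listed.
// A user matching both is listed once (the earlier code appended such a user
// twice). With neither filter set, every visible user is listed.
//
// Security notes:
//   - includeAll is true only when the token passes the PermUserUpdate check
//     and is handed to createAPIUser together with the token's permissions.
//   - A nil result from createAPIUser drops the user from the response.
//     NOTE(review): presumably that means the caller may not see the user;
//     confirm against createAPIUser.

// title: user list
// path: /users
// method: GET
// produce: application/json
// responses:
//   200: OK
//   401: Unauthorized
func listUsers(w http.ResponseWriter, r *http.Request, t auth.Token) error {
	query := r.URL.Query()
	userEmail := query.Get("userEmail")
	roleName := query.Get("role")
	contextValue := query.Get("context")
	users, err := auth.ListUsers()
	if err != nil {
		return err
	}
	apiUsers := make([]apiUser, 0, len(users))
	roleMap := make(map[string]*permission.Role)
	includeAll := permission.Check(t, permission.PermUserUpdate)
	perms, err := t.Permissions()
	if err != nil {
		return err
	}
	for _, user := range users {
		// NOTE(review): &user points at the loop variable; createAPIUser must
		// not retain it on toolchains older than Go 1.22. Confirm.
		usrData, err := createAPIUser(perms, &user, roleMap, includeAll)
		if err != nil {
			return err
		}
		if usrData == nil {
			continue
		}
		// Decide once per user so that matching both filters cannot add the
		// same entry twice.
		matched := false
		switch {
		case userEmail == "" && roleName == "":
			matched = true
		case userEmail != "" && usrData.Email == userEmail:
			matched = true
		case roleName != "":
			for _, role := range usrData.Roles {
				if role.Name == roleName && (contextValue == "" || role.ContextValue == contextValue) {
					matched = true
					break
				}
			}
		}
		if matched {
			apiUsers = append(apiUsers, *usrData)
		}
	}
	w.Header().Add("Content-Type", "application/json")
	return json.NewEncoder(w).Encode(apiUsers)
}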
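// listUsers writes every user that createApiUser returns a non-nil record
// for, as a JSON array. The token's permissions are passed to createApiUser
// for each user. A nil record drops the user from the response.
// NOTE(review): presumably a nil record means the caller may not see that
// user; confirm against createApiUser.
//
// The response is labelled application/json explicitly. Without the header
// net/http falls back to content sniffing and serves the JSON body under a
// text media type.
func listUsers(w http.ResponseWriter, r *http.Request, t auth.Token) error {
	users, err := auth.ListUsers()
	if err != nil {
		return err
	}
	apiUsers := make([]apiUser, 0, len(users))
	// Shared across iterations and handed to createApiUser.
	// NOTE(review): presumably a cache of looked-up roles; confirm.
	roleMap := make(map[string]*permission.Role)
	perms, err := t.Permissions()
	if err != nil {
		return err
	}
	for _, user := range users {
		usrData, err := createApiUser(perms, &user, roleMap)
		if err != nil {
			return err
		}
		if usrData != nil {
			apiUsers = append(apiUsers, *usrData)
		}
	}
	w.Header().Set("Content-Type", "application/json")
	return json.NewEncoder(w).Encode(apiUsers)
}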
// teamList handles GET /teams. It writes, as JSON, the teams on which the
// token holds at least one team-scoped permission, each with the names of
// those permissions. Teams for which no permission check succeeds are left
// out; if none remain the handler answers 204 No Content. Entries are
// emitted in Go map iteration order, which is unspecified.

// title: team list
// path: /teams
// method: GET
// produce: application/json
// responses:
//   200: List teams
//   204: No content
//   401: Unauthorized
func teamList(w http.ResponseWriter, r *http.Request, t auth.Token) error {
	schemes := permission.PermissionRegistry.PermissionsWithContextType(permission.CtxTeam)
	teams, err := auth.ListTeams()
	if err != nil {
		return err
	}
	held, err := t.Permissions()
	if err != nil {
		return err
	}
	byTeam := map[string][]string{}
	for _, team := range teams {
		ctx := permission.Context(permission.CtxTeam, team.Name)
		// Most recently granted scheme for this team. Schemes it reports as
		// children via IsParent are skipped.
		// NOTE(review): this presumably relies on the registry listing
		// parents before their children; confirm.
		var granted *permission.PermissionScheme
		for _, scheme := range schemes {
			covered := granted != nil && granted.IsParent(scheme)
			if covered || !permission.CheckFromPermList(held, scheme, ctx) {
				continue
			}
			granted = scheme
			byTeam[team.Name] = append(byTeam[team.Name], scheme.FullName())
		}
	}
	if len(byTeam) == 0 {
		w.WriteHeader(http.StatusNoContent)
		return nil
	}
	result := make([]map[string]interface{}, 0, len(byTeam))
	for name, permissions := range byTeam {
		entry := map[string]interface{}{
			"name":        name,
			"permissions": permissions,
		}
		result = append(result, entry)
	}
	w.Header().Set("Content-Type", "application/json")
	enc := json.NewEncoder(w)
	return enc.Encode(result)
}