
@jfvilas/plugin-kwirth-backend

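'use strict';

var KwirthStaticData = require('../model/KwirthStaticData.cjs.js');

/**
 * Decide whether a user may reach the namespace of a pod on a given channel.
 *
 * Outcomes, as implemented:
 *  - the channel has no entry in the cluster's namespacePermissions map
 *    (or the cluster has no data at all): access is DENIED and a line is logged;
 *  - the channel is known but no rule names the pod's namespace: access is
 *    GRANTED (namespaces without a rule are unrestricted);
 *  - a rule exists: access is granted only when the user's entity ref or one
 *    of the user's groups appears in rule.identityRefs.
 *
 * @param {string} channel - channel name used as key into namespacePermissions
 * @param {{name: string}} cluster - cluster descriptor; only `name` is read here
 * @param {{namespace: string}} podData - pod descriptor; only `namespace` is read here
 * @param {string} userEntityRef - user entity ref; lower-cased before comparison
 * @param {string[]} userGroups - group refs the user belongs to
 * @returns {boolean} true when access to the namespace is allowed
 */
const checkNamespaceAccess = (channel, cluster, podData, userEntityRef, userGroups) => {
  const namespacePermissions =
    KwirthStaticData.KwirthStaticData.clusterKwirthData.get(cluster.name)?.namespacePermissions;

  if (!namespacePermissions?.has(channel)) {
    console.log(`Invalid channel: ${channel}`);
    return false;
  }

  const rule = namespacePermissions.get(channel).find((ns) => ns.namespace === podData.namespace);
  if (!rule) {
    // Fail-open by design of the original code: a namespace with no rule is
    // open to every caller that reaches this check.
    return true;
  }

  if (rule.identityRefs.includes(userEntityRef.toLowerCase())) {
    return true;
  }
  // NOTE(review): the user ref is lower-cased before comparison but group refs
  // are compared as-is; confirm that userGroups and identityRefs are already
  // normalised to the same case by the caller/loader.
  return rule.identityRefs.some((identityRef) => userGroups.includes(identityRef));
};

/**
 * Evaluate a single pod permission rule.
 *
 * The rule matches when at least one entry of `ppr.pods` matches `entityName`
 * AND at least one entry of `ppr.refs` matches either the lower-cased user ref
 * or any of the user's groups.
 *
 * NOTE(review): entries of `ppr.pods` / `ppr.refs` are used through `.test()`,
 * so they are presumably RegExp objects. If any of them is built with the `g`
 * or `y` flag, `.test()` is stateful (lastIndex) and repeated authorization
 * checks can give different answers for the same input; verify how they are
 * compiled.
 *
 * @param {{pods: Iterable, refs: Iterable}} ppr - rule with pod-name and identity matchers
 * @param {string} entityName - name tested against `ppr.pods`
 * @param {string} userEntityRef - user entity ref; lower-cased before matching
 * @param {string[]} userGroups - group refs the user belongs to
 * @returns {boolean} true when the rule applies to this entity and this user
 */
const checkPodPermissionRule = (ppr, entityName, userEntityRef, userGroups) => {
  for (const podNameRegex of ppr.pods) {
    if (!podNameRegex.test(entityName)) {
      continue;
    }
    for (const refRegex of ppr.refs) {
      if (refRegex.test(userEntityRef.toLowerCase())) {
        return true;
      }
      if (userGroups.some((g) => refRegex.test(g))) {
        return true;
      }
    }
  }
  return false;
};

/**
 * Look up the pod permission set configured for a channel on a cluster.
 *
 * @param {string} channel - channel name used as key into cluster.podPermissions
 * @param {{podPermissions: Map}} cluster - cluster descriptor holding the permissions map
 * @returns {*} the stored permission set, or undefined (after logging) when the
 *   channel has no entry; checkPodAccess treats undefined as "deny"
 */
const getPodPermissionSet = (channel, cluster) => {
  if (!cluster.podPermissions.has(channel)) {
    console.log(`Invalid channel ${channel} for permission set`);
    return void 0;
  }
  return cluster.podPermissions.get(channel);
};

// True when at least one rule in `rules` matches (first match wins, rest are skipped).
const anyPodRuleMatches = (rules, entityName, userEntityRef, userGroups) => {
  for (const rule of rules) {
    if (checkPodPermissionRule(rule, entityName, userEntityRef, userGroups)) {
      return true;
    }
  }
  return false;
};

/**
 * Decide whether a user may access a pod, using the permission entries that
 * target the pod's namespace.
 *
 * Each entry for the namespace is evaluated in order; the first one that
 * grants access ends the evaluation:
 *  - an entry without `allow` grants access unconditionally;
 *  - otherwise some `allow` rule must match and no `except` rule may match;
 *  - then, if `deny` is present, access is granted only when no `deny` rule
 *    matches, or when one does and some `unless` rule matches as well.
 * If no entry grants access (including when the namespace has no entries, or
 * when no permission set was supplied) the result is false.
 *
 * @param {{namespace: string}} reqPod - requested pod; only `namespace` is read here
 * @param {Array|undefined} podPermissionSet - entries as returned by getPodPermissionSet
 * @param {string} entityName - name matched against the pod matchers of each rule
 * @param {string} userEntityRef - user entity ref
 * @param {string[]} userGroups - group refs the user belongs to
 * @returns {boolean} true when access to the pod is allowed
 */
const checkPodAccess = (reqPod, podPermissionSet, entityName, userEntityRef, userGroups) => {
  // getPodPermissionSet returns undefined for an unknown channel. Deny instead
  // of throwing a TypeError from inside the authorization check.
  if (podPermissionSet == null) {
    return false;
  }

  const matches = (rules) => anyPodRuleMatches(rules, entityName, userEntityRef, userGroups);

  for (const podPermission of podPermissionSet.filter((pp) => pp.namespace === reqPod.namespace)) {
    if (!podPermission.allow) {
      // Fail-open by design of the original code: an entry with no allow list
      // does not restrict access.
      return true;
    }

    // Any allow rule may grant. The previous loop had no early exit, so only
    // the LAST allow rule's result was kept and rule order silently changed
    // the decision; except/deny/unless already stop at the first match.
    if (!matches(podPermission.allow)) {
      continue;
    }
    if (podPermission.except && matches(podPermission.except)) {
      continue;
    }

    if (!podPermission.deny) {
      return true;
    }
    if (!matches(podPermission.deny)) {
      return true;
    }
    // A deny rule matched: only an `unless` rule can override it.
    if (podPermission.unless && matches(podPermission.unless)) {
      return true;
    }
  }
  return false;
};

exports.checkNamespaceAccess = checkNamespaceAccess;
exports.checkPodAccess = checkPodAccess;
exports.getPodPermissionSet = getPodPermissionSet;
//# sourceMappingURL=permissions.cjs.js.map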