|
7 | 7 |
|
8 | 8 | {{ $genPackage := base $.Config.Package }} |
9 | 9 |
|
10 | | - import "go.infratographer.com/permissions-api/pkg/permissions" |
| 10 | + import ( |
| 11 | + "github.com/metal-toolbox/iam-runtime/pkg/iam/runtime/authorization" |
| 12 | + "github.com/metal-toolbox/iam-runtime-contrib/iamruntime" |
| 13 | + "go.infratographer.com/permissions-api/pkg/permissions" |
| 14 | + ) |
11 | 15 |
|
12 | 16 | {{- range $node := $.Nodes }} |
13 | 17 | {{- if $nodeAnnotation := $node.Annotations.INFRA9_EVENTHOOKS }} |
|
19 | 23 | return hook.{{ $node.Name }}Func(func(ctx context.Context, m *generated.{{ $node.Name }}Mutation) (ent.Value, error) { |
20 | 24 | var err error |
21 | 25 | additionalSubjects := []gidx.PrefixedID{} |
22 | | - relationships := []events.AuthRelationshipRelation{} |
| 26 | + relationships := []*authorization.Relationship{} |
23 | 27 |
|
24 | 28 | objID, ok := m.{{ $node.ID.MutationGet }}() |
25 | 29 | if !ok { |
|
56 | 60 | additionalSubjects = append(additionalSubjects, {{ $f.Name }}) |
57 | 61 |
|
58 | 62 | {{- if $annotation.AdditionalSubjectRelation }} |
59 | | - relationships = append(relationships, events.AuthRelationshipRelation{ |
| 63 | + relationships = append(relationships, &authorization.Relationship{ |
60 | 64 | Relation: "{{ $annotation.AdditionalSubjectRelation }}", |
61 | | - SubjectID: {{ $f.Name }}, |
| 65 | + SubjectId: {{ $f.Name }}.String(), |
62 | 66 | }) |
63 | 67 | {{- end }} |
64 | 68 | } |
65 | 69 | {{- else }} |
66 | 70 | additionalSubjects = append(additionalSubjects, {{ $f.Name }}) |
67 | 71 |
|
68 | 72 | {{- if $annotation.AdditionalSubjectRelation }} |
69 | | - relationships = append(relationships, events.AuthRelationshipRelation{ |
| 73 | + relationships = append(relationships, &authorization.Relationship{ |
70 | 74 | Relation: "{{ $annotation.AdditionalSubjectRelation }}", |
71 | | - SubjectID: {{ $f.Name }}, |
| 75 | + SubjectId: {{ $f.Name }}.String(), |
72 | 76 | }) |
73 | 77 | {{- end }} |
74 | 78 | {{- end }} |
|
132 | 136 | } |
133 | 137 |
|
134 | 138 | if len(relationships) != 0 && m.Op().Is(ent.OpCreate) { |
135 | | - if err := permissions.CreateAuthRelationships(ctx, "{{ $nodeAnnotation.SubjectName }}", objID, relationships...); err != nil { |
| 139 | + if err := createAuthRelationships(ctx, "{{ $nodeAnnotation.SubjectName }}", objID, relationships...); err != nil { |
136 | 140 | return nil, fmt.Errorf("relationship request failed with error: %w", err) |
137 | 141 | } |
138 | 142 | } |
|
151 | 155 | func(next ent.Mutator) ent.Mutator { |
152 | 156 | return hook.{{ $node.Name }}Func(func(ctx context.Context, m *generated.{{ $node.Name }}Mutation) (ent.Value, error) { |
153 | 157 | additionalSubjects := []gidx.PrefixedID{} |
154 | | - relationships := []events.AuthRelationshipRelation{} |
| 158 | + relationships := []*authorization.Relationship{} |
155 | 159 |
|
156 | 160 | objID, ok := m.{{ $node.ID.MutationGet }}() |
157 | 161 | if !ok { |
|
172 | 176 | additionalSubjects = append(additionalSubjects, dbObj.{{ $f.MutationGet }}) |
173 | 177 |
|
174 | 178 | {{- if $annotation.AdditionalSubjectRelation }} |
175 | | - relationships = append(relationships, events.AuthRelationshipRelation{ |
| 179 | + relationships = append(relationships, &authorization.Relationship{ |
176 | 180 | Relation: "{{ $annotation.AdditionalSubjectRelation }}", |
177 | | - SubjectID: dbObj.{{ $f.MutationGet }}, |
| 181 | + SubjectId: dbObj.{{ $f.MutationGet }}.String(), |
178 | 182 | }) |
179 | 183 | {{- end }} |
180 | 184 | } |
181 | 185 | {{- else }} |
182 | 186 | additionalSubjects = append(additionalSubjects, dbObj.{{ $f.MutationGet }}) |
183 | 187 |
|
184 | 188 | {{- if $annotation.AdditionalSubjectRelation }} |
185 | | - relationships = append(relationships, events.AuthRelationshipRelation{ |
| 189 | + relationships = append(relationships, &authorization.Relationship{ |
186 | 190 | Relation: "{{ $annotation.AdditionalSubjectRelation }}", |
187 | | - SubjectID: dbObj.{{ $f.MutationGet }}, |
| 191 | + SubjectId: dbObj.{{ $f.MutationGet }}.String(), |
188 | 192 | }) |
189 | 193 | {{- end }} |
190 | 194 | {{- end }} |
|
199 | 203 | } |
200 | 204 |
|
201 | 205 | if len(relationships) != 0 { |
202 | | - if err := permissions.DeleteAuthRelationships(ctx, "{{ $nodeAnnotation.SubjectName }}", objID, relationships...); err != nil { |
| 206 | + if err := deleteAuthRelationships(ctx, "{{ $nodeAnnotation.SubjectName }}", objID, relationships...); err != nil { |
203 | 207 | return nil, fmt.Errorf("relationship request failed with error: %w", err) |
204 | 208 | } |
205 | 209 | } |
|
248 | 252 | } |
249 | 253 | } |
250 | 254 |
|
| 255 | + func createAuthRelationships(ctx context.Context, resourceType string, resourceID gidx.PrefixedID, relationships ...*authorization.Relationship) error { |
| 256 | + request := &authorization.CreateRelationshipsRequest{ |
| 257 | + ResourceId: resourceID.String(), |
| 258 | + Relationships: relationships, |
| 259 | + } |
| 260 | + |
| 261 | + if _, err := iamruntime.ContextCreateRelationships(ctx, request); err == nil || !errors.Is(err, iamruntime.ErrRuntimeNotFound) { |
| 262 | + return err |
| 263 | + } |
| 264 | + |
| 265 | + eventRelationships := make([]events.AuthRelationshipRelation, len(request.Relationships)) |
| 266 | + |
| 267 | + for i, rel := range request.Relationships { |
| 268 | + eventRelationships[i] = events.AuthRelationshipRelation{ |
| 269 | + Relation: rel.Relation, |
| 270 | + SubjectID: gidx.PrefixedID(rel.SubjectId), |
| 271 | + } |
| 272 | + } |
| 273 | + |
| 274 | + return permissions.CreateAuthRelationships(ctx, resourceType, gidx.PrefixedID(request.ResourceId), eventRelationships...) |
| 275 | + } |
| 276 | + |
| 277 | + func deleteAuthRelationships(ctx context.Context, resourceType string, resourceID gidx.PrefixedID, relationships ...*authorization.Relationship) error { |
| 278 | + request := &authorization.DeleteRelationshipsRequest{ |
| 279 | + ResourceId: resourceID.String(), |
| 280 | + Relationships: relationships, |
| 281 | + } |
| 282 | + |
| 283 | + if _, err := iamruntime.ContextDeleteRelationships(ctx, request); err == nil || !errors.Is(err, iamruntime.ErrRuntimeNotFound) { |
| 284 | + return err |
| 285 | + } |
| 286 | + |
| 287 | + eventRelationships := make([]events.AuthRelationshipRelation, len(request.Relationships)) |
| 288 | + |
| 289 | + for i, rel := range request.Relationships { |
| 290 | + eventRelationships[i] = events.AuthRelationshipRelation{ |
| 291 | + Relation: rel.Relation, |
| 292 | + SubjectID: gidx.PrefixedID(rel.SubjectId), |
| 293 | + } |
| 294 | + } |
| 295 | + |
| 296 | + return permissions.DeleteAuthRelationships(ctx, resourceType, gidx.PrefixedID(request.ResourceId), eventRelationships...) |
| 297 | + } |
251 | 298 |
|
252 | 299 | {{ end }} |
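Review bot: The fallback condition in createAuthRelationships (and identically in deleteAuthRelationships) is easy to misread, because `err == nil || !errors.Is(err, iamruntime.ErrRuntimeNotFound)` returns `err` both on success and on a real failure and only reaches the legacy permissions-api path when no runtime is configured in ctx; a comment on that line such as `// Use the iam-runtime when one is configured in ctx; otherwise fall back to the legacy permissions-api client.` would make the intent explicit and keep future readers from "fixing" it. Both functions also duplicate the loop that converts to events.AuthRelationshipRelation, which a small helper removes, and `gidx.PrefixedID(request.ResourceId)` merely round-trips resourceID through a string, which can be passed directly. `errors.Is` is newly used in this template while the import block in this diff adds only the three listed packages; the rest of the template's imports are outside this view, so confirm `errors` is already imported or the generated file will not compile.
```go
// toEventRelationships converts iam-runtime relationships into the legacy
// permissions-api event form used when no runtime is configured in ctx.
func toEventRelationships(rels []*authorization.Relationship) []events.AuthRelationshipRelation {
	out := make([]events.AuthRelationshipRelation, len(rels))
	for i, rel := range rels {
		out[i] = events.AuthRelationshipRelation{
			Relation:  rel.Relation,
			SubjectID: gidx.PrefixedID(rel.SubjectId),
		}
	}
	return out
}

// … unchanged: createAuthRelationships request construction and runtime call …
	return permissions.CreateAuthRelationships(ctx, resourceType, resourceID, toEventRelationships(relationships)...)

// … unchanged: deleteAuthRelationships request construction and runtime call …
	return permissions.DeleteAuthRelationships(ctx, resourceType, resourceID, toEventRelationships(relationships)...)
```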