Open
Description
I added a `SiloUserSessionList` authz resource in #8479 to back the authz check for deleting all of a given user's sessions. Then I noticed we already have a `ConsoleSessionList` authz resource, which we use to give the external authenticator user permission to create sessions on behalf of a user. I don't think we need both. Right now they differ in that the one I added references a particular user while the existing one is a global singleton, but there's no real need for the latter to be a singleton, so it can be absorbed into the new per-user resource. One thing to preserve when merging: the existing resource attaches no roles of its own (`has_role` always returns `false`) and loads roles from the Fleet via `load_roles_for_resource_tree(&FLEET, ...)`, so the merged per-user resource still needs that fleet-level path for the external authenticator's create-session permission to keep working.
omicron/nexus/auth/src/authz/api_resources.rs
Lines 286 to 331 in a45cd1b
/// ConsoleSessionList is a synthetic resource used for modeling who has access
/// to create sessions.
///
/// This is a unit struct: there is a single well-known value of it
/// (`CONSOLE_SESSION_LIST`), not one per user or silo. It carries no roles of
/// its own; its `PolarClass` impl exposes a `fleet` attribute and its
/// `load_roles` loads roles from the Fleet, so any authorization decision on it
/// is expected to come from fleet-level roles rather than from roles attached
/// directly to this resource.
#[derive(Clone, Copy, Debug, Eq, PartialEq)]
pub struct ConsoleSessionList;
/// The one and only `ConsoleSessionList` value. Authz checks on "the list of
/// console sessions" use this constant rather than constructing their own.
pub const CONSOLE_SESSION_LIST: ConsoleSessionList = ConsoleSessionList;
impl oso::PolarClass for ConsoleSessionList {
    /// Build the Polar class describing this resource to the policy engine.
    ///
    /// No roles are ever granted directly on the session list: `has_role`
    /// unconditionally answers `false`, so a policy rule that asks for a role
    /// on this resource itself is always denied. The `fleet` attribute hands
    /// the policy the Fleet singleton, which is presumably how the policy
    /// (not shown here) reaches a decision for this resource.
    fn get_polar_class_builder() -> oso::ClassBuilder<Self> {
        let builder = oso::Class::builder().with_equality_check();
        builder
            .add_method(
                "has_role",
                |_list: &ConsoleSessionList,
                 _who: AuthenticatedActor,
                 _role_name: String| false,
            )
            .add_attribute_getter("fleet", |_list| FLEET)
    }
}
impl AuthorizedResource for ConsoleSessionList {
    /// Collect the roles relevant to an authz check on the session list.
    ///
    /// The session list has no roles of its own, so this delegates to
    /// `load_roles_for_resource_tree` rooted at the Fleet and lets it fill
    /// `roleset` with whatever the actor holds there.
    fn load_roles<'fut>(
        &'fut self,
        opctx: &'fut OpContext,
        authn: &'fut authn::Context,
        roleset: &'fut mut RoleSet,
    ) -> futures::future::BoxFuture<'fut, Result<(), Error>> {
        let load = load_roles_for_resource_tree(&FLEET, opctx, authn, roleset);
        load.boxed()
    }

    /// Map an authorization failure to the error returned to the caller.
    ///
    /// The error is passed through untouched. Resources that must not reveal
    /// whether they exist sometimes rewrite a denial into "not found"; this
    /// resource is a well-known singleton, so there is nothing to conceal.
    fn on_unauthorized(
        &self,
        _authz: &Authz,
        error: Error,
        _actor: AnyActor,
        _action: Action,
    ) -> Error {
        error
    }

    /// The Polar class the policy engine uses for this resource.
    fn polar_class(&self) -> oso::Class {
        Self::get_polar_class()
    }
}