Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-23 08:58:41 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 114
fleet/server/platform/authz/authz.go

43 lines
1.2 KiB
Go
Raw Normal View History

Activity bounded context: `/api/latest/fleet/activities` (1 of 2) (#38115) <!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> **Related issue:** Resolves #37806 This PR creates an activity bounded context and moves the following HTTP endpoint (including the full vertical slice) there: `/api/latest/fleet/activities` NONE of the other activity functionality is moved! This is an incremental approach starting with just 1 API/service endpoint. A significant part of this PR is tests. This feature is now receiving significantly more unit/integration test coverage than before. Also, this PR does not remove the `ListActivities` datastore method in the legacy code. That will be done in the follow up PR (part 2 of 2). This refactoring effort also uncovered an activity/user authorization issue: https://fleetdm.slack.com/archives/C02A8BRABB5/p1768582236611479 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit ## Release Notes * **New Features** * Activity listing API now available with query filtering, date-range filtering, and type-based filtering * Pagination support for activity results with cursor-based and offset-based options * Configurable sorting by creation date or activity ID in ascending or descending order * Automatic enrichment of activity records with actor user details (name, email, avatar) * Role-based access controls applied to activity visibility based on user permissions <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-01-19 14:07:14 +00:00
// Package authz provides authorization interfaces for bounded contexts.
// This package contains only interfaces with no dependencies on fleet packages,
// allowing bounded contexts to use authorization without coupling to legacy code.
package authz
import (
"context"
"errors"
)
// Action represents an authorization action.
type Action string
const (
ActionRead Action = "read"
)
// Authorizer is the interface for authorization checks.
type Authorizer interface {
// Authorize checks if the current user (from context) can perform the action on the subject.
// subject must implement AuthzTyper interface.
Authorize(ctx context.Context, subject AuthzTyper, action Action) error
}
// AuthzTyper is implemented by types that can be authorized.
// Each bounded context defines its own authorization subjects that implement this interface.
type AuthzTyper interface {
AuthzType() string
}
// Forbidden is an interface for authorization errors.
// Errors implementing this interface indicate that the requested action was forbidden.
type Forbidden interface {
error
Forbidden()
}
// IsForbidden returns true if the error (or any wrapped error) is a forbidden/authorization error.
func IsForbidden(err error) bool {
var f Forbidden
return errors.As(err, &f)
}
Reference in a new issue Copy permalink