Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 13:37:30 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 91
fleet/server/authz/errors.go
Victor Lyuboslavsky 6019fa6d5a
Activity bounded context: /api/latest/fleet/activities (1 of 2) (#38115) 
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #37806 

This PR creates an activity bounded context and moves the following HTTP
endpoint (including the full vertical slice) there:
`/api/latest/fleet/activities`

NONE of the other activity functionality is moved! This is an
incremental approach starting with just 1 API/service endpoint.

A significant part of this PR is tests. This feature is now receiving
significantly more unit/integration test coverage than before.

Also, this PR does not remove the `ListActivities` datastore method in
the legacy code. That will be done in the follow up PR (part 2 of 2).

This refactoring effort also uncovered an activity/user authorization
issue: https://fleetdm.slack.com/archives/C02A8BRABB5/p1768582236611479

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

## Release Notes

* **New Features**
* Activity listing API now available with query filtering, date-range
filtering, and type-based filtering
* Pagination support for activity results with cursor-based and
offset-based options
* Configurable sorting by creation date or activity ID in ascending or
descending order
* Automatic enrichment of activity records with actor user details
(name, email, avatar)
* Role-based access controls applied to activity visibility based on
user permissions

<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-01-19 09:07:14 -05:00

84 lines
2.4 KiB
Go
Raw Blame History

package authz
import (
"net/http"
"github.com/fleetdm/fleet/v4/server/fleet"
platform_http "github.com/fleetdm/fleet/v4/server/platform/http"
)
const (
// ForbiddenErrorMessage is the error message that should be returned to
// clients when an action is forbidden. It is intentionally vague to prevent
// disclosing information that a client should not have access to.
ForbiddenErrorMessage = "forbidden"
)
// Forbidden is the error type for authorization errors
type Forbidden struct {
internal string
subject *fleet.User
object interface{}
action interface{}
fleet.ErrorWithUUID
}
// ForbiddenWithInternal creates a new error that will return a simple
// "forbidden" to the client, logging internally the more detailed message
// provided.
func ForbiddenWithInternal(internal string, subject *fleet.User, object, action interface{}) *Forbidden {
return &Forbidden{
internal: internal,
subject: subject,
object: object,
action: action,
}
}
// Error implements the error interface.
func (e *Forbidden) Error() string {
return ForbiddenErrorMessage
}
// StatusCode implements the go-kit http StatusCoder interface.
func (e *Forbidden) StatusCode() int {
return http.StatusForbidden
}
// Forbidden implements platform_authz.Forbidden interface.
func (e *Forbidden) Forbidden() {}
// Internal allows the internal error message to be logged.
func (e *Forbidden) Internal() string {
return e.internal
}
// LogFields allows this error to be logged with subject, object, and action.
func (e *Forbidden) LogFields() []interface{} {
// Only logging User's email, and not other details such as Password and Salt.
email := "nil"
if e.subject != nil {
email = e.subject.Email
}
return []interface{}{
"subject", email,
"object", e.object,
"action", e.action,
}
}
// CheckMissing is the error to return when no authorization check was performed
// by the service.
//
// Deprecated: Use platform_http.CheckMissing instead. This alias is kept for
// backward compatibility.
type CheckMissing = platform_http.CheckMissing
// CheckMissingWithResponse creates a new error indicating the authorization
// check was missed, and including the response for further analysis by the error
// encoder.
//
// Deprecated: Use platform_http.CheckMissingWithResponse instead. This alias is
// kept for backward compatibility.
var CheckMissingWithResponse = platform_http.CheckMissingWithResponse
Reference in a new issue View git blame Copy permalink