mirror of
https://github.com/fleetdm/fleet
synced 2026-04-21 13:37:30 +00:00
6019fa6d5a
<!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> **Related issue:** Resolves #37806 This PR creates an activity bounded context and moves the following HTTP endpoint (including the full vertical slice) there: `/api/latest/fleet/activities` NONE of the other activity functionality is moved! This is an incremental approach starting with just 1 API/service endpoint. A significant part of this PR is tests. This feature is now receiving significantly more unit/integration test coverage than before. Also, this PR does not remove the `ListActivities` datastore method in the legacy code. That will be done in the follow up PR (part 2 of 2). This refactoring effort also uncovered an activity/user authorization issue: https://fleetdm.slack.com/archives/C02A8BRABB5/p1768582236611479 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit ## Release Notes * **New Features** * Activity listing API now available with query filtering, date-range filtering, and type-based filtering * Pagination support for activity results with cursor-based and offset-based options * Configurable sorting by creation date or activity ID in ascending or descending order * Automatic enrichment of activity records with actor user details (name, email, avatar) * Role-based access controls applied to activity visibility based on user permissions <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai -->
42 lines
1.2 KiB
Go
42 lines
1.2 KiB
Go
// Package authz provides authorization interfaces for bounded contexts.
|
|
// This package contains only interfaces with no dependencies on fleet packages,
|
|
// allowing bounded contexts to use authorization without coupling to legacy code.
|
|
package authz
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
)
|
|
|
|
// Action represents an authorization action.
|
|
type Action string
|
|
|
|
const (
|
|
ActionRead Action = "read"
|
|
)
|
|
|
|
// Authorizer is the interface for authorization checks.
|
|
type Authorizer interface {
|
|
// Authorize checks if the current user (from context) can perform the action on the subject.
|
|
// subject must implement AuthzTyper interface.
|
|
Authorize(ctx context.Context, subject AuthzTyper, action Action) error
|
|
}
|
|
|
|
// AuthzTyper is implemented by types that can be authorized.
|
|
// Each bounded context defines its own authorization subjects that implement this interface.
|
|
type AuthzTyper interface {
|
|
AuthzType() string
|
|
}
|
|
|
|
// Forbidden is an interface for authorization errors.
|
|
// Errors implementing this interface indicate that the requested action was forbidden.
|
|
type Forbidden interface {
|
|
error
|
|
Forbidden()
|
|
}
|
|
|
|
// IsForbidden returns true if the error (or any wrapped error) is a forbidden/authorization error.
|
|
func IsForbidden(err error) bool {
|
|
var f Forbidden
|
|
return errors.As(err, &f)
|
|
}
|