RiskRancher/core
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 3 Wiki Activity

First release of open core

Browse Source
This commit is contained in:
t
2026-04-02 10:57:36 -04:00
parent 1c94f12d1c
commit 084c1321fc
101 changed files with 8812 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

74
pkg/auth/rbac_middleware.go Normal file
View File

@@ -0,0 +1,74 @@
package auth
import (
"net/http"
)
// RequireRole acts as the checker
func (h *Handler) RequireRole(requiredRole string) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
userIDVal := r.Context().Value(UserIDKey)
if userIDVal == nil {
http.Error(w, "Unauthorized: No user context", http.StatusUnauthorized)
return
}
userID, ok := userIDVal.(int)
if !ok {
http.Error(w, "Internal Server Error: Invalid user context", http.StatusInternalServerError)
return
}
user, err := h.Store.GetUserByID(r.Context(), userID)
if err != nil {
http.Error(w, "Forbidden: User not found", http.StatusForbidden)
return
}
if user.GlobalRole != requiredRole {
http.Error(w, "Forbidden: Insufficient permissions", http.StatusForbidden)
return
}
next.ServeHTTP(w, r)
})
}
}
// RequireAnyRole allows access if the user has ANY of the provided roles.
func (h *Handler) RequireAnyRole(allowedRoles ...string) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
userIDVal := r.Context().Value(UserIDKey)
if userIDVal == nil {
http.Error(w, "Unauthorized: No user context", http.StatusUnauthorized)
return
}
userID, ok := userIDVal.(int)
if !ok {
http.Error(w, "Internal Server Error: Invalid user context", http.StatusInternalServerError)
return
}
user, err := h.Store.GetUserByID(r.Context(), userID)
if err != nil {
http.Error(w, "Forbidden: User not found", http.StatusForbidden)
return
}
for _, role := range allowedRoles {
if user.GlobalRole == role {
// Match found! Open the door.
next.ServeHTTP(w, r)
return
}
}
http.Error(w, "Forbidden: Insufficient permissions", http.StatusForbidden)
})
}
}