add http access marks to whoami response (#4586)
adameat authored May 23, 2024
1 parent 0fcb49f commit c054f5e
Showing 2 changed files with 84 additions and 13 deletions.
7 changes: 6 additions & 1 deletion ydb/core/viewer/json_handlers.h
Expand Up @@ -74,7 +74,12 @@ struct TJsonHandlers {
json << ',';
}
TString name = itJson->first;
json << "\"/" << name << '"' << ":{";
if (name.StartsWith("/json/")) {
name = "/viewer" + name;
} else {
name = "/" + name;
}
json << '"' << name << '"' << ":{";
json << "\"get\":{";
json << "\"tags\":[\"" << TTagInfo::TagName << "\"],";
json << "\"produces\":[\"application/json\"],";
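Review bot: The else branch on the `name = "/" + name;` line still prepends a slash unconditionally, so any other handler key that already begins with `/` would render as a double-slash path, which is the same issue the `/json/` special case repairs for one prefix only. If keys of both shapes exist in the map, a guard such as `if (!name.StartsWith("/")) name = "/" + name;` placed before the `/viewer` rewrite would cover all of them. The enclosing loop and the `TJsonHandlers` struct continue outside the hunk.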
90 changes: 78 additions & 12 deletions ydb/core/viewer/json_whoami.h
@@ -1,6 +1,8 @@
#pragma once
#include <ydb/library/actors/core/actor_bootstrapped.h>
#include <ydb/library/actors/core/mon.h>
#include <library/cpp/json/json_value.h>
#include <library/cpp/json/json_writer.h>
#include <ydb/core/base/tablet_pipe.h>
#include <ydb/library/services/services.pb.h>
#include <ydb/core/tx/schemeshard/schemeshard.h>
Expand All @@ -14,7 +16,6 @@ using namespace NActors;

class TJsonWhoAmI : public TActorBootstrapped<TJsonWhoAmI> {
IViewer* Viewer;
TJsonSettings JsonSettings;
NMon::TEvHttpInfo::TPtr Event;

public:
Expand All @@ -28,18 +29,48 @@ class TJsonWhoAmI : public TActorBootstrapped<TJsonWhoAmI> {
{}

void Bootstrap(const TActorContext& ctx) {
const auto& params(Event->Get()->Request.GetParams());
JsonSettings.EnumAsNumbers = !FromStringWithDefault<bool>(params.Get("enums"), false);
JsonSettings.UI64AsString = !FromStringWithDefault<bool>(params.Get("ui64"), false);
ReplyAndDie(ctx);
}

bool CheckGroupMembership(std::unique_ptr<NACLib::TUserToken>& token, const NProtoBuf::RepeatedPtrField<TString>& sids) {
if (sids.empty()) {
return true;
}
for (const auto& sid : sids) {
if (token->IsExist(sid)) {
return true;
}
}
return false;
}

void ReplyAndDie(const TActorContext &ctx) {
NACLibProto::TUserToken userToken;
Y_PROTOBUF_SUPPRESS_NODISCARD userToken.ParseFromString(Event->Get()->UserToken);
TStringStream json;
TProtoToJson::ProtoToJson(json, userToken, JsonSettings);
ctx.Send(Event->Sender, new NMon::TEvHttpInfoRes(Viewer->GetHTTPOKJSON(Event->Get()) + json.Str(), 0, NMon::IEvHttpInfoRes::EContentType::Custom));
NJson::TJsonValue json(NJson::JSON_MAP);
if (userToken.HasUserSID()) {
json["UserSID"] = userToken.GetUserSID();
}
if (userToken.HasGroupSIDs() && userToken.GetGroupSIDs().BucketsSize() > 0) {
NJson::TJsonValue& groupSIDs(json["GroupSIDs"]);
groupSIDs.SetType(NJson::JSON_ARRAY);
for (const auto& buckets : userToken.GetGroupSIDs().GetBuckets()) {
for (const auto& group : buckets.GetValues()) {
groupSIDs.AppendValue(group);
}
}
}
if (userToken.HasOriginalUserToken()) {
json["OriginalUserToken"] = userToken.GetOriginalUserToken();
}
if (userToken.HasAuthType()) {
json["AuthType"] = userToken.GetAuthType();
}
auto token = std::make_unique<NACLib::TUserToken>(userToken);
json["IsViewerAllowed"] = CheckGroupMembership(token, AppData()->DomainsConfig.GetSecurityConfig().GetViewerAllowedSIDs());
json["IsMonitoringAllowed"] = CheckGroupMembership(token, AppData()->DomainsConfig.GetSecurityConfig().GetMonitoringAllowedSIDs());
json["IsAdministrationAllowed"] = CheckGroupMembership(token, AppData()->DomainsConfig.GetSecurityConfig().GetAdministrationAllowedSIDs());
ctx.Send(Event->Sender, new NMon::TEvHttpInfoRes(Viewer->GetHTTPOKJSON(Event->Get()) + NJson::WriteJson(json, false), 0, NMon::IEvHttpInfoRes::EContentType::Custom));
Die(ctx);
}

Expand All @@ -52,17 +83,52 @@ class TJsonWhoAmI : public TActorBootstrapped<TJsonWhoAmI> {
template <>
struct TJsonRequestSchema<TJsonWhoAmI> {
static TString GetSchema() {
TStringStream stream;
TProtoToJson::ProtoToJsonSchema<NACLibProto::TUserToken>(stream);
return stream.Str();
return R"___(
{
"type": "object",
"title": "WhoAmI",
"properties": {
"UserSID": {
"type": "string",
"description": "User ID / name"
},
"GroupSID": {
"type": "array",
"items": {
"type": "string"
},
"description": "User groups"
},
"OriginalUserToken": {
"type": "string",
"description": "User's token used to authenticate"
},
"AuthType": {
"type": "string",
"description": "Authentication type"
},
"IsViewerAllowed": {
"type": "boolean",
"description": "Is user allowed to view data"
},
"IsMonitoringAllowed": {
"type": "boolean",
"description": "Is user allowed to view deeper and make simple changes"
},
"IsAdministrationAllowed": {
"type": "boolean",
"description": "Is user allowed to do unrestricted changes in the system"
}
}
}
)___";
}
};

template <>
struct TJsonRequestParameters<TJsonWhoAmI> {
static TString GetParameters() {
return R"___([{"name":"enums","in":"query","description":"convert enums to strings","required":false,"type":"boolean"},
{"name":"ui64","in":"query","description":"return ui64 as numbers","required":false,"type":"boolean"}])___";
return "[]";
}
};

