ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
69769a4072
TenantAtlas/apps/platform/app/Policies/ProviderConnectionPolicy.php

361 lines
10 KiB
PHP
Raw Blame History

<?php
namespace App\Policies;
use App\Models\ManagedEnvironment;
use App\Models\ProviderConnection;
use App\Models\User;
use App\Models\Workspace;
use App\Services\Auth\ManagedEnvironmentAccessScopeResolver;
use App\Support\Auth\Capabilities;
use App\Support\Workspaces\WorkspaceContext;
use Illuminate\Auth\Access\HandlesAuthorization;
use Illuminate\Auth\Access\Response;
use Illuminate\Support\Facades\Gate;
use Livewire\Livewire as LivewireFacade;
class ProviderConnectionPolicy
{
use HandlesAuthorization;
public function viewAny(User $user): Response|bool
{
$workspace = $this->currentWorkspace($user);
if (! $workspace instanceof Workspace) {
return Response::denyAsNotFound();
}
/** @var ManagedEnvironmentAccessScopeResolver $scopeResolver */
$scopeResolver = app(ManagedEnvironmentAccessScopeResolver::class);
$entitledTenantsQuery = ManagedEnvironment::query()
->where('managed_environments.workspace_id', (int) $workspace->getKey());
$scopeResolver->applyWorkspaceScopeToQuery(
query: $entitledTenantsQuery,
user: $user,
workspaceId: (int) $workspace->getKey(),
qualifiedEnvironmentColumn: 'managed_environments.id',
);
$entitledTenants = $entitledTenantsQuery->get();
if ($entitledTenants->isEmpty()) {
return true;
}
foreach ($entitledTenants as $tenant) {
if (Gate::forUser($user)->allows(Capabilities::PROVIDER_VIEW, $tenant)) {
return true;
}
}
return false;
}
public function view(User $user, ProviderConnection $connection): Response|bool
{
$workspace = $this->currentWorkspace($user);
if (! $workspace instanceof Workspace) {
return Response::denyAsNotFound();
}
$tenant = $this->tenantForConnection($connection);
if (! $tenant instanceof ManagedEnvironment || (int) $tenant->workspace_id !== (int) $workspace->getKey()) {
return Response::denyAsNotFound();
}
if (! $this->isTenantMember($user, $tenant)) {
return Response::denyAsNotFound();
}
if (! Gate::forUser($user)->allows(Capabilities::PROVIDER_VIEW, $tenant)) {
return false;
}
if ((int) $connection->managed_environment_id !== (int) $tenant->getKey()) {
return Response::denyAsNotFound();
}
if ((int) $connection->workspace_id !== (int) $workspace->getKey()) {
return Response::denyAsNotFound();
}
return true;
}
public function create(User $user): Response|bool
{
$workspace = $this->currentWorkspace($user);
if (! $workspace instanceof Workspace) {
return Response::denyAsNotFound();
}
$tenant = $this->resolveCreateTenant($workspace);
if (! $tenant instanceof ManagedEnvironment || ! $this->isTenantMember($user, $tenant)) {
return Response::denyAsNotFound();
}
if (! Gate::forUser($user)->allows(Capabilities::PROVIDER_MANAGE, $tenant)) {
return false;
}
return true;
}
public function update(User $user, ProviderConnection $connection): Response|bool
{
$workspace = $this->currentWorkspace($user);
if (! $workspace instanceof Workspace) {
return Response::denyAsNotFound();
}
$tenant = $this->tenantForConnection($connection);
if (! $tenant instanceof ManagedEnvironment || (int) $tenant->workspace_id !== (int) $workspace->getKey()) {
return Response::denyAsNotFound();
}
if (! $this->isTenantMember($user, $tenant)) {
return Response::denyAsNotFound();
}
if (! Gate::forUser($user)->allows(Capabilities::PROVIDER_MANAGE, $tenant)) {
return false;
}
if ((int) $connection->managed_environment_id !== (int) $tenant->getKey()) {
return Response::denyAsNotFound();
}
if ((int) $connection->workspace_id !== (int) $workspace->getKey()) {
return Response::denyAsNotFound();
}
return true;
}
public function delete(User $user, ProviderConnection $connection): Response|bool
{
$workspace = $this->currentWorkspace($user);
if (! $workspace instanceof Workspace) {
return Response::denyAsNotFound();
}
$tenant = $this->tenantForConnection($connection);
if (! $tenant instanceof ManagedEnvironment || (int) $tenant->workspace_id !== (int) $workspace->getKey()) {
return Response::denyAsNotFound();
}
if (! $this->isTenantMember($user, $tenant)) {
return Response::denyAsNotFound();
}
if (! Gate::forUser($user)->allows(Capabilities::PROVIDER_MANAGE, $tenant)) {
return false;
}
if ((int) $connection->managed_environment_id !== (int) $tenant->getKey()) {
return Response::denyAsNotFound();
}
if ((int) $connection->workspace_id !== (int) $workspace->getKey()) {
return Response::denyAsNotFound();
}
return true;
}
public function manageDedicated(User $user, ProviderConnection $connection): Response|bool
{
$baseAccess = $this->update($user, $connection);
if ($baseAccess !== true) {
return $baseAccess;
}
$tenant = $this->tenantForConnection($connection);
if (! $tenant instanceof ManagedEnvironment) {
return Response::denyAsNotFound();
}
return Gate::forUser($user)->allows(Capabilities::PROVIDER_MANAGE_DEDICATED, $tenant);
}
public function changeConnectionType(User $user, ProviderConnection $connection): Response|bool
{
return $this->manageDedicated($user, $connection);
}
public function manageDedicatedCredential(User $user, ProviderConnection $connection): Response|bool
{
return $this->manageDedicated($user, $connection);
}
public function deleteDedicatedCredential(User $user, ProviderConnection $connection): Response|bool
{
return $this->manageDedicated($user, $connection);
}
private function currentWorkspace(User $user): ?Workspace
{
$workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
if (! is_int($workspaceId)) {
return null;
}
$workspace = Workspace::query()->whereKey($workspaceId)->first();
if (! $workspace instanceof Workspace) {
return null;
}
if (! app(WorkspaceContext::class)->isMember($user, $workspace)) {
return null;
}
return $workspace;
}
private function resolveCreateTenant(Workspace $workspace): ?ManagedEnvironment
{
$requestedEnvironmentId = $this->requestedEnvironmentId();
if ($requestedEnvironmentId === null) {
return null;
}
return ManagedEnvironment::query()
->whereKey($requestedEnvironmentId)
->where('workspace_id', (int) $workspace->getKey())
->first();
}
private function requestedEnvironmentId(): ?int
{
$environmentId = request()->query('environment_id');
if (is_numeric($environmentId)) {
return (int) $environmentId;
}
if (is_array($environmentId)) {
return null;
}
try {
$resolved = $this->extractEnvironmentIdFromLivewireSnapshot();
if ($resolved !== null) {
return $resolved;
}
} catch (\Throwable) {
// Ignore and fall back to originalUrl() parsing.
}
try {
$url = LivewireFacade::originalUrl();
$resolved = $this->extractEnvironmentIdFromUrl($url);
if ($resolved !== null) {
return $resolved;
}
} catch (\Throwable) {
// Ignore and fall back to referer header.
}
$referer = request()->headers->get('referer');
if (! is_string($referer) || $referer === '') {
return null;
}
return $this->extractEnvironmentIdFromUrl($referer);
}
private function extractEnvironmentIdFromLivewireSnapshot(): ?int
{
if (! request()->headers->has('x-livewire') && ! request()->headers->has('x-livewire-navigate')) {
return null;
}
$snapshotJson = request()->input('components.0.snapshot');
if (! is_string($snapshotJson) || $snapshotJson === '') {
return null;
}
$snapshot = json_decode($snapshotJson, true);
if (! is_array($snapshot)) {
return null;
}
$componentName = data_get($snapshot, 'memo.name');
if (! is_string($componentName) || $componentName !== \App\Filament\Resources\ProviderConnectionResource\Pages\CreateProviderConnection::class) {
return null;
}
$environmentId = data_get($snapshot, 'data.environmentId');
if (is_array($environmentId) || filter_var($environmentId, FILTER_VALIDATE_INT) === false) {
return null;
}
return (int) $environmentId;
}
private function extractEnvironmentIdFromUrl(?string $url): ?int
{
if (! is_string($url) || $url === '') {
return null;
}
$query = parse_url($url, PHP_URL_QUERY);
if (! is_string($query) || $query === '') {
return null;
}
parse_str($query, $params);
$environmentId = $params['environment_id'] ?? null;
if (is_array($environmentId) || filter_var($environmentId, FILTER_VALIDATE_INT) === false) {
return null;
}
return (int) $environmentId;
}
private function tenantForConnection(ProviderConnection $connection): ?ManagedEnvironment
{
if ($connection->relationLoaded('tenant') && $connection->tenant instanceof ManagedEnvironment) {
return $connection->tenant;
}
if (is_int($connection->managed_environment_id) || is_numeric($connection->managed_environment_id)) {
return ManagedEnvironment::query()->whereKey((int) $connection->managed_environment_id)->first();
}
return null;
}
private function isTenantMember(User $user, ManagedEnvironment $tenant): bool
{
return app(ManagedEnvironmentAccessScopeResolver::class)->canAccess($user, $tenant);
}
}
Reference in New Issue View Git Blame Copy Permalink