Join enforcers with OR and AND logic (oceanbase#550)

lizzy-0323 · Sep 26, 2024 · 171e7da · 171e7da
1 parent 2960f79
commit 171e7da
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 2 deletions.
diff --git a/internal/dashboard/business/ac/enforcers.go b/internal/dashboard/business/ac/enforcers.go
@@ -58,3 +58,34 @@ func PathGuard(domain, resource, action string) EnforceFunc {
 		return true, nil
 	}
 }
+
+type unionLogic string
+
+const (
+	unionOr  unionLogic = "OR"
+	unionAnd unionLogic = "AND"
+)
+
+func unionHelper(logic unionLogic, enforces ...EnforceFunc) EnforceFunc {
+	allPass := logic == unionAnd
+	return func(c *gin.Context) (bool, error) {
+		for _, enforce := range enforces {
+			ok, err := enforce(c)
+			if err != nil {
+				return false, err
+			}
+			if ok == !allPass {
+				return !allPass, nil
+			}
+		}
+		return allPass, nil
+	}
+}
+
+func OR(enforces ...EnforceFunc) EnforceFunc {
+	return unionHelper(unionOr, enforces...)
+}
+
+func AND(enforces ...EnforceFunc) EnforceFunc {
+	return unionHelper(unionAnd, enforces...)
+}
diff --git a/internal/dashboard/router/v1/metric_router.go b/internal/dashboard/router/v1/metric_router.go
@@ -19,7 +19,12 @@ import (
 	h "github.com/oceanbase/ob-operator/internal/dashboard/handler"
 )
 
+var metricGuard = acbiz.OR(
+	acbiz.PathGuard(string(acbiz.DomainOBCluster), "*", "read"),
+	acbiz.PathGuard(string(acbiz.DomainOBProxy), "*", "read"),
+)
+
 func InitMetricRoutes(g *gin.RouterGroup) {
-	g.GET("/metrics", h.Wrap(h.ListMetricMetas, acbiz.PathGuard("system", "*", "read")))
-	g.POST("/metrics/query", h.Wrap(h.QueryMetrics, acbiz.PathGuard("system", "*", "read")))
+	g.GET("/metrics", h.Wrap(h.ListMetricMetas, metricGuard))
+	g.POST("/metrics/query", h.Wrap(h.QueryMetrics, metricGuard))
 }