Honor workspace specified in path instad of token

- 403 if token does not authorize access to that workspace id - split admin::AdminUserContext and v2::AccessBuilder so they only work for their respective endpoints - split V1AccessBuilder for old endpoints to replicate old behavior Signed-off-by: John Keiser <[email protected]> Co-authored-by: Victor Bustamante <[email protected]>
systeminit · Jan 13, 2025 · b129d72 · b129d72
1 parent f348981
commit b129d72
Show file tree

Hide file tree

Showing 157 changed files with 1,154 additions and 828 deletions.
diff --git a/lib/dal-test/src/lib.rs b/lib/dal-test/src/lib.rs
@@ -956,7 +956,7 @@ async fn migrate_local_builtins(
         compute_executor,
     );
     let dal_context = services_context.into_builder(true);
-    let mut ctx = dal_context.build_default().await?;
+    let mut ctx = dal_context.build_default(None).await?;
 
     info!("setup builtin workspace");
     Workspace::setup_builtin(&mut ctx).await?;

diff --git a/lib/dal/src/context.rs b/lib/dal/src/context.rs
@@ -1149,7 +1149,10 @@ impl fmt::Debug for DalContextBuilder {
 
 impl DalContextBuilder {
     /// Constructs and returns a new [`DalContext`] using a default [`RequestContext`].
-    pub async fn build_default(&self) -> TransactionsResult<DalContext> {
+    pub async fn build_default(
+        &self,
+        request_ulid: Option<ulid::Ulid>,
+    ) -> TransactionsResult<DalContext> {
         let conns = self.services_context.connections().await?;
 
         Ok(DalContext {
@@ -1159,7 +1162,31 @@ impl DalContextBuilder {
             tenancy: Tenancy::new_empty(),
             visibility: Visibility::new_head_fake(),
             history_actor: HistoryActor::SystemInit,
-            request_ulid: None,
+            request_ulid,
+            no_dependent_values: self.no_dependent_values,
+            workspace_snapshot: None,
+            change_set: None,
+            event_session_id: EventSessionId::new(),
+        })
+    }
+
+    /// Constructs and returns a new [`DalContext`] with no home workspace or change set.
+    /// For admin-ish requests that are workspace-independent.
+    pub async fn build_without_workspace(
+        &self,
+        history_actor: HistoryActor,
+        request_ulid: Option<ulid::Ulid>,
+    ) -> TransactionsResult<DalContext> {
+        let conns = self.services_context.connections().await?;
+
+        Ok(DalContext {
+            services_context: self.services_context.clone(),
+            blocking: self.blocking,
+            conns_state: Arc::new(Mutex::new(ConnectionState::new_from_conns(conns))),
+            tenancy: Tenancy::new_empty(),
+            visibility: Visibility::new_head_fake(),
+            history_actor,
+            request_ulid,
             no_dependent_values: self.no_dependent_values,
             workspace_snapshot: None,
             change_set: None,
@@ -1173,6 +1200,7 @@ impl DalContextBuilder {
         &self,
         workspace_pk: WorkspacePk,
         change_set_id: ChangeSetId,
+        request_ulid: Option<ulid::Ulid>,
     ) -> TransactionsResult<DalContext> {
         let conns = self.services_context.connections().await?;
 
@@ -1183,7 +1211,7 @@ impl DalContextBuilder {
             tenancy: Tenancy::new(workspace_pk),
             visibility: Visibility::new(change_set_id),
             history_actor: HistoryActor::SystemInit,
-            request_ulid: None,
+            request_ulid,
             no_dependent_values: self.no_dependent_values,
             workspace_snapshot: None,
             change_set: None,

diff --git a/lib/dal/src/tenancy.rs b/lib/dal/src/tenancy.rs
@@ -59,6 +59,12 @@ impl Tenancy {
     }
 }
 
+impl From<WorkspacePk> for Tenancy {
+    fn from(workspace_pk: WorkspacePk) -> Self {
+        Self::new(workspace_pk)
+    }
+}
+
 impl postgres_types::ToSql for Tenancy {
     fn to_sql(
         &self,

diff --git a/lib/rebaser-server/src/change_set_processor_task.rs b/lib/rebaser-server/src/change_set_processor_task.rs
@@ -369,7 +369,7 @@ mod handlers {
             server_tracker,
         } = state;
         let mut ctx = ctx_builder
-            .build_for_change_set_as_system(workspace_id, change_set_id)
+            .build_for_change_set_as_system(workspace_id, change_set_id, None)
             .await?;
 
         let span = Span::current();

diff --git a/lib/rebaser-server/src/serial_dvu_task.rs b/lib/rebaser-server/src/serial_dvu_task.rs
@@ -102,7 +102,7 @@ impl SerialDvuTask {
     async fn run_dvu(&self) -> Result<()> {
         let builder = self.ctx_builder.clone();
         let ctx = builder
-            .build_for_change_set_as_system(self.workspace_id, self.change_set_id)
+            .build_for_change_set_as_system(self.workspace_id, self.change_set_id, None)
             .await?;
 
         ctx.enqueue_dependent_values_update().await?;