Module: Bosh::Director::Api::Extensions::Scoping

Defined in:

lib/bosh/director/api/extensions/scoping.rb

Defined Under Namespace

Modules: Helpers Classes: ParamsScope

Class Method Summary

• .registered(app) ⇒ Object

Instance Method Summary

• #route(verb, path, options = {}, &block) ⇒ Object
• #scope(allowed_scope) ⇒ Object

Class Method Details

.registered(app) ⇒ Object

# File 'lib/bosh/director/api/extensions/scoping.rb', line 11

def self.registered(app)
  app.set default_scope: :write
  app.helpers(Helpers)
end

Instance Method Details

#route(verb, path, options = {}, &block) ⇒ Object

# File 'lib/bosh/director/api/extensions/scoping.rb', line 49

def route(verb, path, options = {}, &block)
  options[:scope] ||= :default
  super(verb, path, options, &block)
end

#scope(allowed_scope) ⇒ Object

# File 'lib/bosh/director/api/extensions/scoping.rb', line 16

def scope(allowed_scope)
  condition do
    if allowed_scope == :default
      scope = settings.default_scope
    elsif allowed_scope.kind_of?(ParamsScope)
      scope = allowed_scope.scope(params, settings.default_scope)
    else
      scope = allowed_scope
    end

    auth_provided = %w(HTTP_AUTHORIZATION X-HTTP_AUTHORIZATION X_HTTP_AUTHORIZATION).detect do |key|
      request.env.has_key?(key)
    end

    if auth_provided
      begin
        @user = identity_provider.get_user(request.env)
      rescue AuthenticationError
      end
    end

    if requires_authentication? && (@user.nil? || !identity_provider.valid_access?(@user, scope))
      response['WWW-Authenticate'] = 'Basic realm="BOSH Director"'
      if @user.nil?
        message = "Not authorized: '#{request.path}'\n"
      else
        message = "Not authorized: '#{request.path}' requires one of the scopes: #{identity_provider.required_scopes(scope).join(", ")}\n"
      end
      throw(:halt, [401, message])
    end
  end
end