waf-platform/EdgeAPI/internal/rpc/services/httpdns/user_auth_helpers.go

package httpdns

import (
	"errors"
	"strings"

	"github.com/TeaOSLab/EdgeAPI/internal/db/models"
	"github.com/iwind/TeaGo/dbs"
)

func ensureAppAccess(tx *dbs.Tx, appDbId int64, userId int64) (*models.HTTPDNSApp, error) {
	app, err := models.SharedHTTPDNSAppDAO.FindEnabledApp(tx, appDbId)
	if err != nil {
		return nil, err
	}
	if app == nil {
		return nil, nil
	}
	if userId > 0 && app.UserId != userId {
		return nil, errors.New("access denied")
	}
	return app, nil
}

func ensureAppAccessByAppId(tx *dbs.Tx, appId string, userId int64) (*models.HTTPDNSApp, error) {
	appId = strings.TrimSpace(appId)
	if len(appId) == 0 {
		return nil, nil
	}
	app, err := models.SharedHTTPDNSAppDAO.FindEnabledAppWithAppId(tx, appId)
	if err != nil {
		return nil, err
	}
	if app == nil {
		return nil, nil
	}
	if userId > 0 && app.UserId != userId {
		return nil, errors.New("access denied")
	}
	return app, nil
}

func ensureDomainAccess(tx *dbs.Tx, domainId int64, userId int64) (*models.HTTPDNSDomain, *models.HTTPDNSApp, error) {
	domain, err := models.SharedHTTPDNSDomainDAO.FindEnabledDomain(tx, domainId)
	if err != nil {
		return nil, nil, err
	}
	if domain == nil {
		return nil, nil, nil
	}

	app, err := ensureAppAccess(tx, int64(domain.AppId), userId)
	if err != nil {
		return nil, nil, err
	}
	if app == nil {
		return nil, nil, nil
	}

	return domain, app, nil
}

func ensureRuleAccess(tx *dbs.Tx, ruleId int64, userId int64) (*models.HTTPDNSCustomRule, *models.HTTPDNSApp, error) {
	rule, err := models.SharedHTTPDNSCustomRuleDAO.FindEnabledRule(tx, ruleId)
	if err != nil {
		return nil, nil, err
	}
	if rule == nil {
		return nil, nil, nil
	}

	app, err := ensureAppAccess(tx, int64(rule.AppId), userId)
	if err != nil {
		return nil, nil, err
	}
	if app == nil {
		return nil, nil, nil
	}

	return rule, app, nil
}