mxaccessgw/src/MxGateway.Server/Security/Authorization/GatewayGrpcScopeResolver.cs

using MxGateway.Contracts.Proto;
using MxGateway.Contracts.Proto.Galaxy;

namespace MxGateway.Server.Security.Authorization;

public sealed class GatewayGrpcScopeResolver
{
    /// <summary>
    /// Resolves the required authorization scope for a gRPC request.
    /// </summary>
    /// <param name="request">The gRPC request.</param>
    /// <returns>Required authorization scope.</returns>
    public string ResolveRequiredScope(object request)
    {
        return request switch
        {
            OpenSessionRequest => GatewayScopes.SessionOpen,
            CloseSessionRequest => GatewayScopes.SessionClose,
            StreamEventsRequest => GatewayScopes.EventsRead,
            MxCommandRequest commandRequest => ResolveCommandScope(commandRequest.Command?.Kind ?? MxCommandKind.Unspecified),
            TestConnectionRequest or
            GetLastDeployTimeRequest or
            DiscoverHierarchyRequest or
            WatchDeployEventsRequest => GatewayScopes.MetadataRead,
            _ => GatewayScopes.Admin
        };
    }

    private static string ResolveCommandScope(MxCommandKind kind)
    {
        return kind switch
        {
            MxCommandKind.Write or
            MxCommandKind.Write2 => GatewayScopes.InvokeWrite,

            MxCommandKind.WriteSecured or
            MxCommandKind.WriteSecured2 or
            MxCommandKind.AuthenticateUser => GatewayScopes.InvokeSecure,

            MxCommandKind.ArchestraUserToId or
            MxCommandKind.GetSessionState or
            MxCommandKind.GetWorkerInfo => GatewayScopes.MetadataRead,

            MxCommandKind.DrainEvents => GatewayScopes.EventsRead,
            MxCommandKind.ShutdownWorker => GatewayScopes.Admin,

            _ => GatewayScopes.InvokeRead
        };
    }
}