treeverse · tkalir · Aug 12, 2025 · Aug 13, 2025 · arielshaqed · Aug 13, 2025
diff --git a/pkg/api/controller.go b/pkg/api/controller.go
@@ -111,6 +111,10 @@ type Controller struct {
 	licenseManager  license.Manager
 }
 
+type AuthOpts struct {
+	callback func(w http.ResponseWriter, r *http.Request, code int, v interface{})
+}
+
 var usageCounter = stats.NewUsageCounter()
 
 func NewController(cfg config.Config, catalog *catalog.Catalog, authenticator auth.Authenticator, authService auth.Service, authenticationService authentication.Service, blockAdapter block.Adapter, metadataManager auth.MetadataManager, migrator Migrator, collector stats.Collector, actions actionsHandler, auditChecker AuditChecker, logger logging.Logger, sessionStore sessions.Store, pathProvider upload.PathProvider, usageReporter stats.UsageReporterOperations, licenseManager license.Manager) *Controller {
@@ -3377,12 +3381,7 @@ func (c *Controller) DeleteObject(w http.ResponseWriter, r *http.Request, reposi
 }
 
 func (c *Controller) UploadObjectPreflight(w http.ResponseWriter, r *http.Request, repository, branch string, params apigen.UploadObjectPreflightParams) {
-	if !c.authorize(w, r, permissions.Node{
-		Permission: permissions.Permission{
-			Action:   permissions.WriteObjectAction,
-			Resource: permissions.ObjectArn(repository, params.Path),
-		},
-	}) {
+	if !c.authorizeReq(w, r, "UploadObjectPreflight", permissions.PermissionParams{Repository: &repository, Path: &params.Path}, nil) {
 		return
 	}
 
@@ -3393,12 +3392,7 @@ func (c *Controller) UploadObjectPreflight(w http.ResponseWriter, r *http.Reques
 }
 
 func (c *Controller) UploadObject(w http.ResponseWriter, r *http.Request, repository, branch string, params apigen.UploadObjectParams) {
-	if !c.authorize(w, r, permissions.Node{
-		Permission: permissions.Permission{
-			Action:   permissions.WriteObjectAction,
-			Resource: permissions.ObjectArn(repository, params.Path),
-		},
-	}) {
+	if !c.authorizeReq(w, r, "UploadObject", permissions.PermissionParams{Repository: &repository, Path: &params.Path}, nil) {
 		return
 	}
 	ctx := r.Context()
@@ -3563,12 +3557,7 @@ func (c *Controller) UploadObject(w http.ResponseWriter, r *http.Request, reposi
 }
 
 func (c *Controller) StageObject(w http.ResponseWriter, r *http.Request, body apigen.StageObjectJSONRequestBody, repository, branch string, params apigen.StageObjectParams) {
-	if !c.authorize(w, r, permissions.Node{
-		Permission: permissions.Permission{
-			Action:   permissions.WriteObjectAction,
-			Resource: permissions.ObjectArn(repository, params.Path),
-		},
-	}) {
+	if !c.authorizeReq(w, r, "StageObject", permissions.PermissionParams{Repository: &repository, Path: &params.Path}, nil) {
 		return
 	}
 	ctx := r.Context()
@@ -4383,12 +4372,7 @@ func (c *Controller) RestoreStatus(w http.ResponseWriter, r *http.Request, repos
 }
 
 func (c *Controller) CreateSymlinkFile(w http.ResponseWriter, r *http.Request, repository, branch string, params apigen.CreateSymlinkFileParams) {
-	if !c.authorize(w, r, permissions.Node{
-		Permission: permissions.Permission{
-			Action:   permissions.WriteObjectAction,
-			Resource: permissions.ObjectArn(repository, branch),
-		},
-	}) {
+	if !c.authorizeReq(w, r, "CreateSymlinkFile", permissions.PermissionParams{Repository: &repository, Path: &branch}, nil) {
 		return
 	}
 	ctx := r.Context()
@@ -4582,14 +4566,10 @@ func (c *Controller) LogCommits(w http.ResponseWriter, r *http.Request, reposito
 }
 
 func (c *Controller) HeadObject(w http.ResponseWriter, r *http.Request, repository, ref string, params apigen.HeadObjectParams) {
-	if !c.authorizeCallback(w, r, permissions.Node{
-		Permission: permissions.Permission{
-			Action:   permissions.ReadObjectAction,
-			Resource: permissions.ObjectArn(repository, params.Path),
-		},
-	}, func(w http.ResponseWriter, r *http.Request, code int, v interface{}) {
-		writeResponse(w, r, code, nil)
-	}) {
+	if !c.authorizeReq(w, r, "HeadObject", permissions.PermissionParams{Repository: &repository, Path: &params.Path},
+		&AuthOpts{callback: func(w http.ResponseWriter, r *http.Request, code int, v interface{}) {
+			writeResponse(w, r, code, nil)
+		}}) {
 		return
 	}
 	ctx := r.Context()
@@ -4724,12 +4704,7 @@ func (c *Controller) GetMetadataObject(w http.ResponseWriter, r *http.Request, r
 }
 
 func (c *Controller) GetObject(w http.ResponseWriter, r *http.Request, repository, ref string, params apigen.GetObjectParams) {
-	if !c.authorize(w, r, permissions.Node{
-		Permission: permissions.Permission{
-			Action:   permissions.ReadObjectAction,
-			Resource: permissions.ObjectArn(repository, params.Path),
-		},
-	}) {
+	if !c.authorizeReq(w, r, "GetObject", permissions.PermissionParams{Repository: &repository, Path: &params.Path}, nil) {
 		return
 	}
 	ctx := r.Context()
@@ -4947,12 +4922,7 @@ func (c *Controller) ListObjects(w http.ResponseWriter, r *http.Request, reposit
 }
 
 func (c *Controller) StatObject(w http.ResponseWriter, r *http.Request, repository, ref string, params apigen.StatObjectParams) {
-	if !c.authorize(w, r, permissions.Node{
-		Permission: permissions.Permission{
-			Action:   permissions.ReadObjectAction,
-			Resource: permissions.ObjectArn(repository, params.Path),
-		},
-	}) {
+	if !c.authorizeReq(w, r, "StatObject", permissions.PermissionParams{Repository: &repository, Path: &params.Path}, nil) {
 		return
 	}
 	ctx := r.Context()
@@ -5015,12 +4985,7 @@ func (c *Controller) StatObject(w http.ResponseWriter, r *http.Request, reposito
 }
 
 func (c *Controller) UpdateObjectUserMetadata(w http.ResponseWriter, r *http.Request, body apigen.UpdateObjectUserMetadataJSONRequestBody, repository, branch string, params apigen.UpdateObjectUserMetadataParams) {
-	if !c.authorize(w, r, permissions.Node{
-		Permission: permissions.Permission{
-			Action:   permissions.WriteObjectAction,
-			Resource: permissions.ObjectArn(repository, params.Path),
-		},
-	}) {
+	if !c.authorizeReq(w, r, "UpdateObjectUserMetadata", permissions.PermissionParams{Repository: &repository, Path: &params.Path}, nil) {
 		return
 	}
 	ctx := r.Context()
@@ -5036,12 +5001,7 @@ func (c *Controller) UpdateObjectUserMetadata(w http.ResponseWriter, r *http.Req
 }
 
 func (c *Controller) GetUnderlyingProperties(w http.ResponseWriter, r *http.Request, repository, ref string, params apigen.GetUnderlyingPropertiesParams) {
-	if !c.authorize(w, r, permissions.Node{
-		Permission: permissions.Permission{
-			Action:   permissions.ReadObjectAction,
-			Resource: permissions.ObjectArn(repository, params.Path),
-		},
-	}) {
+	if !c.authorizeReq(w, r, "GetUnderlyingProperties", permissions.PermissionParams{Repository: &repository, Path: &params.Path}, nil) {
 		return
 	}
 	ctx := r.Context()
@@ -5944,6 +5904,19 @@ func (c *Controller) authorize(w http.ResponseWriter, r *http.Request, perms per
 	return c.authorizeCallback(w, r, perms, writeError)
 }
 
+func (c *Controller) authorizeReq(w http.ResponseWriter, r *http.Request, operationId string, params permissions.PermissionParams, opts *AuthOpts) bool {
+	desc := permissions.GetPermissionDescriptor(operationId)
+	if desc == nil {
+		c.Logger.Error(fmt.Sprintf("missing permission descriptor for %s", operationId))
+		return false
+	}
+	callback := writeError
+	if opts != nil && opts.callback != nil {
+		callback = opts.callback
+	}
+	return c.authorizeCallback(w, r, desc.Permission(params), callback)
+}
+
 func (c *Controller) isNameValid(name, nameType string) (bool, string) {
 	// URLs are % encoded. Allowing % signs in entity names would
 	// limit the ability to use these entity names in the URL for both

diff --git a/pkg/permissions/permission.go b/pkg/permissions/permission.go
@@ -61,3 +61,44 @@ func PolicyArn(policyID string) string {
 func ExternalPrincipalArn(principalID string) string {
 	return authArnPrefix + "externalPrincipal/" + principalID
 }
+
+type PermissionParams struct {
+	Repository *string
+	Path       *string
+}
+
+type PermissionDescriptor interface {
+	Permission(PermissionParams) Node
+}
+
+type ObjectPermission struct {
+	Action string
+}
+
+func (o *ObjectPermission) Permission(params PermissionParams) Node {
+	return Node{
+		Permission: Permission{
+			Action:   o.Action,
+			Resource: ObjectArn(*params.Repository, *params.Path),
+		},
+	}
+}
+
+var readObjectPermission = ObjectPermission{Action: ReadObjectAction}
+var writeObjectPermission = ObjectPermission{Action: WriteObjectAction}
+
+var permissionByOp = map[string]PermissionDescriptor{
+	"HeadObject":               &readObjectPermission,
+	"GetObject":                &readObjectPermission,
+	"StatObject":               &readObjectPermission,
+	"GetUnderlyingProperties":  &readObjectPermission,
+	"StageObject":              &writeObjectPermission,
+	"CreateSymlinkFile":        &writeObjectPermission,
+	"UpdateObjectUserMetadata": &writeObjectPermission,
+	"UploadObject":             &writeObjectPermission,
+	"UploadObjectPreflight":    &writeObjectPermission,
+}
+
+func GetPermissionDescriptor(operationId string) PermissionDescriptor {
+	return permissionByOp[operationId]
+}