@@ -19,28 +19,34 @@ type PreparedAuthorized interface {
1919}
2020
2121// Filter takes in a list of objects, and will filter the list removing all
22- // the elements the subject does not have permission for. All objects must be
23- // of the same type.
22+ // the elements the subject does not have permission for. This function slows
23+ // down if the list contains objects of multiple types. Attempt to only
24+ // filter objects of the same type for faster performance.
2425func Filter [O Objecter ](ctx context.Context ,auth Authorizer ,subjID string ,subjRoles []string ,action Action ,objects []O ) ([]O ,error ) {
2526if len (objects )== 0 {
2627// Nothing to filter
2728return objects ,nil
2829}
29- objectType := objects [0 ].RBACObject ().Type
3030
3131filtered := make ([]O ,0 )
32- prepared ,err := auth .PrepareByRoleName (ctx ,subjID ,subjRoles ,action ,objectType )
33- if err != nil {
34- return nil ,xerrors .Errorf ("prepare: %w" ,err )
35- }
32+ prepared := make (map [string ]PreparedAuthorized )
3633
3734for i := range objects {
3835object := objects [i ]
39- rbacObj := object .RBACObject ()
40- if rbacObj .Type != objectType {
41- return nil ,xerrors .Errorf ("object types must be uniform across the set (%s), found %s" ,objectType ,object .RBACObject ().Type )
36+ objectType := object .RBACObject ().Type
37+ // objectAuth is the prepared authorization for the object type.
38+ objectAuth ,ok := prepared [object .RBACObject ().Type ]
39+ if ! ok {
40+ var err error
41+ objectAuth ,err = auth .PrepareByRoleName (ctx ,subjID ,subjRoles ,action ,objectType )
42+ if err != nil {
43+ return nil ,xerrors .Errorf ("prepare: %w" ,err )
44+ }
45+ prepared [objectType ]= objectAuth
4246}
43- err := prepared .Authorize (ctx ,rbacObj )
47+
48+ rbacObj := object .RBACObject ()
49+ err := objectAuth .Authorize (ctx ,rbacObj )
4450if err == nil {
4551filtered = append (filtered ,object )
4652}