Package permissions provides high-level tools for computing permissions from ACLs.
Index ¶
- Constants
- Variables
- func AccessListLoadFrontValues(ctx context.Context, accessList *AccessList) error
- func CachedPoliciesChecker(ctx context.Context, resType string) (ladon.Warden, error)
- func CheckContentLock(ctx context.Context, node *tree.Node) error
- func ClearCachedPolicies(ctx context.Context, resType string)
- func FindUserNameInContext(ctx context.Context) (string, claim.Claims)
- func ForceClearUserCache(login string)
- func FrontValuesScopesFromWorkspaceRelativePaths(wss []*tree.WorkspaceRelativePath) (scopes []string)
- func FrontValuesScopesFromWorkspaces(wss []*idm.Workspace) (scopes []string)
- func GetACLsForActions(ctx context.Context, actions ...*idm.ACLAction) (acls []*idm.ACL, err error)
- func GetACLsForRoles(ctx context.Context, roles []*idm.Role, actions ...*idm.ACLAction) ([]*idm.ACL, error)
- func GetACLsForWorkspace(ctx context.Context, workspaceIds []string, actions ...*idm.ACLAction) (acls []*idm.ACL, err error)
- func GetRoles(ctx context.Context, names []string) ([]*idm.Role, error)
- func GetRolesForUser(ctx context.Context, user *idm.User, createMissing bool) []*idm.Role
- func HasChildLocks(ctx context.Context, node *tree.Node) bool
- func IsUserLocked(user *idm.User) bool
- func LocalACLPoliciesResolver(ctx context.Context, request *idm.PolicyEngineRequest, explicitOnly bool) (*idm.PolicyEngineResponse, error)
- func PolicyContextFromMetadata(policyContext map[string]string, ctx context.Context)
- func PolicyContextFromNode(policyContext map[string]string, node *tree.Node)
- func PolicyRequestSubjectsFromClaims(claims claim.Claims) []string
- func PolicyRequestSubjectsFromUser(user *idm.User) []string
- func RunJavaScript(ctx context.Context, script string, inputs map[string]interface{}, ...) error
- func SearchUniqueUser(ctx context.Context, login string, uuid string, ...) (user *idm.User, err error)
- func SearchUniqueWorkspace(ctx context.Context, wsUuid string, wsSlug string, ...) (*idm.Workspace, error)
- type AccessList
- func AccessListForLockedNodes(ctx context.Context, resolver VirtualPathResolver) (accessList *AccessList, err error)
- func AccessListFromContextClaims(ctx context.Context) (accessList *AccessList, err error)
- func AccessListFromRoles(ctx context.Context, roles []*idm.Role, countPolicies bool, ...) (accessList *AccessList, err error)
- func AccessListFromUser(ctx context.Context, userNameOrUuid string, isUuid bool) (accessList *AccessList, user *idm.User, err error)
- func NewAccessList(roles ...*idm.Role) *AccessList
- func (a *AccessList) AddNodeBitmask(id string, b Bitmask)
- func (a *AccessList) AppendACLs(aa ...*idm.ACL)
- func (a *AccessList) AppendClaimsScopes(ss []string)
- func (a *AccessList) AppendFrontACLs(aa ...*idm.ACL)
- func (a *AccessList) AppendRoles(rr ...*idm.Role)
- func (a *AccessList) BelongsToWorkspaces(ctx context.Context, nodes ...*tree.Node) (workspaces []*idm.Workspace, workspacesRoots map[string]string)
- func (a *AccessList) CanRead(ctx context.Context, nodes ...*tree.Node) bool
- func (a *AccessList) CanReadPath(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool
- func (a *AccessList) CanReadWithResolver(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool
- func (a *AccessList) CanWrite(ctx context.Context, nodes ...*tree.Node) bool
- func (a *AccessList) CanWritePath(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool
- func (a *AccessList) CanWriteWithResolver(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool
- func (a *AccessList) DetectedWsRights(ctx context.Context) map[string]SimpleRight
- func (a *AccessList) Flatten(ctx context.Context)
- func (a *AccessList) FlattenedFrontValues() configx.Values
- func (a *AccessList) GetNodesBitmasks() map[string]Bitmask
- func (a *AccessList) GetRoles() []*idm.Role
- func (a *AccessList) GetWorkspaces() map[string]*idm.Workspace
- func (a *AccessList) GetWorkspacesRoots() map[string]map[string]Bitmask
- func (a *AccessList) HasExplicitDeny(ctx context.Context, flag BitmaskFlag, nodes ...*tree.Node) bool
- func (a *AccessList) HasPolicyBasedAcls() bool
- func (a *AccessList) IsLocked(ctx context.Context, nodes ...*tree.Node) bool
- func (a *AccessList) LoadWorkspaces(ctx context.Context, loader WsLoader) error
- func (a *AccessList) ReplicateBitmask(fromUuid, toUuid string, replaceInRoots ...bool) bool
- func (a *AccessList) Zap() zapcore.Field
- type Bitmask
- func (f *Bitmask) AddFlag(flag BitmaskFlag)
- func (f *Bitmask) AddPolicyFlag(policyId string)
- func (f *Bitmask) AddValueFlag(flag BitmaskFlag, value string)
- func (f Bitmask) HasFlag(ctx context.Context, flag BitmaskFlag, ctxNodes ...*tree.Node) bool
- func (f Bitmask) HasPolicyExplicitDeny(ctx context.Context, flag BitmaskFlag, ctxNodes ...*tree.Node) bool
- type BitmaskFlag
- type JsRequest
- type JsUser
- type LockSession
- type PolicyResolver
- type SessionLocker
- type SimpleRight
- type VirtualPathResolver
- type WsLoader
Constants ¶
const ( FrontWsScopeAll = "PYDIO_REPO_SCOPE_ALL" )
const ( PolicyNodeMetaName = "NodeMetaName" PolicyNodeMetaPath = "NodeMetaPath" PolicyNodeMetaType = "NodeMetaType" PolicyNodeMetaExtension = "NodeMetaExtension" PolicyNodeMetaSize = "NodeMetaSize" PolicyNodeMetaMTime = "NodeMetaMTime" PolicyNodeMeta_ = "NodeMeta:" )
Variables ¶
var ( AclRead = &idm.ACLAction{Name: "read", Value: "1"} AclWrite = &idm.ACLAction{Name: "write", Value: "1"} AclDeny = &idm.ACLAction{Name: "deny", Value: "1"} AclPolicy = &idm.ACLAction{Name: "policy"} AclQuota = &idm.ACLAction{Name: "quota"} AclLock = &idm.ACLAction{Name: "lock"} AclChildLock = &idm.ACLAction{Name: "child_lock"} AclContentLock = &idm.ACLAction{Name: "content_lock"} AclFrontAction_ = &idm.ACLAction{Name: "action:*"} AclFrontParam_ = &idm.ACLAction{Name: "parameter:*"} AclWsrootActionName = "workspace-path" AclRecycleRoot = &idm.ACLAction{Name: "recycle_root", Value: "1"} ResolvePolicyRequest PolicyResolver )
var ( NamesToFlags = map[string]BitmaskFlag{ "read": FlagRead, "write": FlagWrite, "deny": FlagDeny, "list": FlagList, "remove": FlagDelete, "policy": FlagPolicy, "quota": FlagQuota, "lock": FlagLock, "download": FlagDownload, "upload": FlagUpload, "sync": FlagSync, } FlagsToNames = map[BitmaskFlag]string{ FlagRead: "read", FlagWrite: "write", FlagDeny: "deny", FlagList: "list", FlagDelete: "remove", FlagPolicy: "policy", FlagQuota: "quota", FlagLock: "lock", FlagDownload: "download", FlagUpload: "upload", FlagSync: "sync", } )
Functions ¶
func AccessListLoadFrontValues ¶
func AccessListLoadFrontValues(ctx context.Context, accessList *AccessList) error
AccessListLoadFrontValues loads, for the current ordered list of roles, all ACLs whose action name starts with `action:` or `parameter:` (see AclFrontAction_ and AclFrontParam_).
func CachedPoliciesChecker ¶
func CheckContentLock ¶
CheckContentLock checks whether a global lock is registered in the ACLs for the given node.
func ClearCachedPolicies ¶
ClearCachedPolicies empties the local policies cache for the given resource type.
func ForceClearUserCache ¶
func ForceClearUserCache(login string)
func FrontValuesScopesFromWorkspaceRelativePaths ¶
func FrontValuesScopesFromWorkspaceRelativePaths(wss []*tree.WorkspaceRelativePath) (scopes []string)
FrontValuesScopesFromWorkspaceRelativePaths computes scopes to check when retrieving front plugin configuration, based on a list of Node.AppearsIn workspaces descriptions
func FrontValuesScopesFromWorkspaces ¶
FrontValuesScopesFromWorkspaces computes scopes to check when retrieving front plugin configuration
func GetACLsForActions ¶
func GetACLsForRoles ¶
func GetACLsForRoles(ctx context.Context, roles []*idm.Role, actions ...*idm.ACLAction) ([]*idm.ACL, error)
GetACLsForRoles compiles the ACLs attached to a list of roles.
func GetACLsForWorkspace ¶
func GetACLsForWorkspace(ctx context.Context, workspaceIds []string, actions ...*idm.ACLAction) (acls []*idm.ACL, err error)
GetACLsForWorkspace compiles ACLs list attached to a given workspace.
func GetRolesForUser ¶
GetRolesForUser loads the roles of a given user; the createMissing flag controls whether roles that do not exist yet are created.
func IsUserLocked ¶
IsUserLocked checks if the passed user has a logout attribute defined.
func LocalACLPoliciesResolver ¶
func LocalACLPoliciesResolver(ctx context.Context, request *idm.PolicyEngineRequest, explicitOnly bool) (*idm.PolicyEngineResponse, error)
func PolicyContextFromMetadata ¶
PolicyContextFromMetadata extracts metadata directly from the context and enriches the passed policyContext.
func PolicyContextFromNode ¶
PolicyContextFromNode extracts metadata from the Node and enriches the passed policyContext.
func PolicyRequestSubjectsFromClaims ¶
PolicyRequestSubjectsFromClaims builds an array of string subjects from the passed Claims.
func PolicyRequestSubjectsFromUser ¶
PolicyRequestSubjectsFromUser builds an array of string subjects from the passed User.
func RunJavaScript ¶
Types ¶
type AccessList ¶
// AccessList is a merged representation of all ACLs a user has access to. It is
// built from an ordered list of roles (see AccessListFromRoles and AppendRoles)
// and merges the ACLs into per-node Bitmask values (see GetNodesBitmasks) to
// ease flag detection and comparison.
type AccessList struct {
	// contains filtered or unexported fields
}
AccessList is a merged representation of all ACLs that a user has access to. ACLs are merged into a Bitmask form to ease flag detection and comparison.
func AccessListForLockedNodes ¶
func AccessListForLockedNodes(ctx context.Context, resolver VirtualPathResolver) (accessList *AccessList, err error)
AccessListForLockedNodes builds a flattened node list containing all currently locked nodes
func AccessListFromContextClaims ¶
func AccessListFromContextClaims(ctx context.Context) (accessList *AccessList, err error)
AccessListFromContextClaims uses the package functions to compile the ACLs and workspaces for the user identified by the context claims (that is, the list of roles carried in the claims).
func AccessListFromRoles ¶
func AccessListFromRoles(ctx context.Context, roles []*idm.Role, countPolicies bool, loadWorkspaces bool) (accessList *AccessList, err error)
AccessListFromRoles loads the ACLs for the given roles and flattens them; when loadWorkspaces is true it also loads the discovered workspaces.
func AccessListFromUser ¶
func AccessListFromUser(ctx context.Context, userNameOrUuid string, isUuid bool) (accessList *AccessList, user *idm.User, err error)
AccessListFromUser loads the roles of a given user, looked up by login name or by UUID according to isUuid, and then calls AccessListFromRoles.
func NewAccessList ¶
func NewAccessList(roles ...*idm.Role) *AccessList
NewAccessList creates a new AccessList.
func (*AccessList) AddNodeBitmask ¶ added in v4.0.1
func (a *AccessList) AddNodeBitmask(id string, b Bitmask)
AddNodeBitmask registers a node bitmask in the internal map under the given id.
func (*AccessList) AppendACLs ¶ added in v4.0.1
func (a *AccessList) AppendACLs(aa ...*idm.ACL)
AppendACLs appends an additional list of ACLs.
func (*AccessList) AppendClaimsScopes ¶
func (a *AccessList) AppendClaimsScopes(ss []string)
AppendClaimsScopes appends specific permissions passed through claims. Currently only strings of the form "node:uuid:perm" are supported.
func (*AccessList) AppendFrontACLs ¶ added in v4.0.1
func (a *AccessList) AppendFrontACLs(aa ...*idm.ACL)
AppendFrontACLs appends an additional list of front-related ACLs.
func (*AccessList) AppendRoles ¶ added in v4.0.1
func (a *AccessList) AppendRoles(rr ...*idm.Role)
AppendRoles appends one or more roles. Insertion order is preserved, as the ordering of roles is significant.
func (*AccessList) BelongsToWorkspaces ¶
func (a *AccessList) BelongsToWorkspaces(ctx context.Context, nodes ...*tree.Node) (workspaces []*idm.Workspace, workspacesRoots map[string]string)
BelongsToWorkspaces finds the workspaces the given nodes belong to, along with the corresponding workspace roots.
func (*AccessList) CanReadPath ¶
func (a *AccessList) CanReadPath(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool
CanReadPath checks if a node has READ access based on its Path
func (*AccessList) CanReadWithResolver ¶
func (a *AccessList) CanReadWithResolver(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool
CanReadWithResolver checks if a node has READ access, using VirtualPathResolver if necessary
func (*AccessList) CanWritePath ¶
func (a *AccessList) CanWritePath(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool
CanWritePath checks if a node has WRITE access based on its path.
func (*AccessList) CanWriteWithResolver ¶
func (a *AccessList) CanWriteWithResolver(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool
CanWriteWithResolver checks if a node has WRITE access, using VirtualPathResolver if necessary.
func (*AccessList) DetectedWsRights ¶ added in v4.0.1
func (a *AccessList) DetectedWsRights(ctx context.Context) map[string]SimpleRight
DetectedWsRights returns a map of the accessible workspaces to their detected SimpleRight.
func (*AccessList) Flatten ¶
func (a *AccessList) Flatten(ctx context.Context)
Flatten performs the actual flattening of the appended ACLs into the internal bitmask representation.
func (*AccessList) FlattenedFrontValues ¶
func (a *AccessList) FlattenedFrontValues() configx.Values
FlattenedFrontValues generates a configx.Values with frontend actions/parameters configs
func (*AccessList) GetNodesBitmasks ¶
func (a *AccessList) GetNodesBitmasks() map[string]Bitmask
GetNodesBitmasks returns the internal map of per-node bitmasks (see AddNodeBitmask).
func (*AccessList) GetRoles ¶ added in v4.0.1
func (a *AccessList) GetRoles() []*idm.Role
GetRoles returns ordered list of roles
func (*AccessList) GetWorkspaces ¶ added in v4.0.1
func (a *AccessList) GetWorkspaces() map[string]*idm.Workspace
GetWorkspaces returns internally stored workspaces
func (*AccessList) GetWorkspacesRoots ¶ added in v4.0.1
func (a *AccessList) GetWorkspacesRoots() map[string]map[string]Bitmask
GetWorkspacesRoots returns the detected workspace root nodes, with their bitmasks, which are then used to populate the workspace keys.
func (*AccessList) HasExplicitDeny ¶
func (a *AccessList) HasExplicitDeny(ctx context.Context, flag BitmaskFlag, nodes ...*tree.Node) bool
func (*AccessList) HasPolicyBasedAcls ¶
func (a *AccessList) HasPolicyBasedAcls() bool
HasPolicyBasedAcls reports whether any of the ACLs are policy-based.
func (*AccessList) LoadWorkspaces ¶ added in v4.0.1
func (a *AccessList) LoadWorkspaces(ctx context.Context, loader WsLoader) error
LoadWorkspaces loads the actual idm.Workspace objects using the given WsLoader.
func (*AccessList) ReplicateBitmask ¶
func (a *AccessList) ReplicateBitmask(fromUuid, toUuid string, replaceInRoots ...bool) bool
ReplicateBitmask copies the bitmask stored under fromUuid to the entry for toUuid.
func (*AccessList) Zap ¶
func (a *AccessList) Zap() zapcore.Field
Zap simply returns a zapcore.Field object populated with this aggregated AccessList under a standard key
type Bitmask ¶
type Bitmask struct { BitmaskFlag PolicyIds map[string]string ValueFlags map[BitmaskFlag]string }
func (*Bitmask) AddPolicyFlag ¶
AddPolicyFlag adds the Policy flag and stacks the given policyId with any previously added ones.
func (*Bitmask) AddValueFlag ¶
func (f *Bitmask) AddValueFlag(flag BitmaskFlag, value string)
AddValueFlag stores the value of a BitmaskFlag.
func (Bitmask) HasFlag ¶
HasFlag checks whether the current bitmask contains the given flag. If the bitmask carries the Policy flag, it extracts metadata from the context and from the nodes and uses the PolicyResolver to evaluate these properties dynamically.
func (Bitmask) HasPolicyExplicitDeny ¶
func (f Bitmask) HasPolicyExplicitDeny(ctx context.Context, flag BitmaskFlag, ctxNodes ...*tree.Node) bool
HasPolicyExplicitDeny checks whether the current bitmask matches the given flag with an explicit Deny. If the bitmask carries the Policy flag, it extracts metadata from the context and from the nodes and uses the PolicyResolver to evaluate these properties dynamically.
type BitmaskFlag ¶
// BitmaskFlag is a set of permission bits. Each Flag* constant occupies its own
// bit, so one BitmaskFlag value can hold any combination of them; NamesToFlags
// and FlagsToNames give the ACL name of each bit.
type BitmaskFlag uint32

// Individual permission bits, in declaration order from bit 0 upwards.
const (
	FlagRead     BitmaskFlag = 1 << iota // 1
	FlagWrite                            // 2
	FlagDeny                             // 4: explicit denial, see HasPolicyExplicitDeny
	FlagList                             // 8
	FlagDelete                           // 16: named "remove" in NamesToFlags
	FlagPolicy                           // 32: rights resolved through the PolicyResolver, see Bitmask.HasFlag
	FlagQuota                            // 64
	FlagLock                             // 128
	FlagDownload                         // 256
	FlagUpload                           // 512
	FlagSync                             // 1024
)
type LockSession ¶
// LockSession represents an expirable lock ACL placed on a node and identified
// by a session UUID (see NewLockSession). Lock registers the ACL, Unlock removes
// it and UpdateExpiration moves its expiration date.
type LockSession struct {
	// contains filtered or unexported fields
}
func NewLockSession ¶
func NewLockSession(nodeUUID, sessionUUID string, expireAfter time.Duration) *LockSession
NewLockSession creates a new LockSession object
func (*LockSession) AddChildTarget ¶
func (l *LockSession) AddChildTarget(parentUUID, targetChildName string)
func (*LockSession) Lock ¶
func (l *LockSession) Lock(ctx context.Context) error
Lock sets an expirable lock ACL on the node identified by nodeUUID, with sessionUUID as its value.
func (*LockSession) Unlock ¶
func (l *LockSession) Unlock(ctx context.Context) error
Unlock manually removes the lock ACL.
func (*LockSession) UpdateExpiration ¶
UpdateExpiration sets a new expiration date on the current lock.
type PolicyResolver ¶
type PolicyResolver func(ctx context.Context, request *idm.PolicyEngineRequest, explicitOnly bool) (*idm.PolicyEngineResponse, error)
PolicyResolver is the function type used to check a request against a set of ACL policies (LocalACLPoliciesResolver has this signature).
type SessionLocker ¶
type SimpleRight ¶ added in v4.0.1
SimpleRight is a helper struct used to compute simple right strings (see String and UserStateString).
func (*SimpleRight) IsAccessible ¶ added in v4.0.1
func (r *SimpleRight) IsAccessible() bool
func (*SimpleRight) String ¶ added in v4.0.1
func (r *SimpleRight) String() string
func (*SimpleRight) UserStateString ¶ added in v4.0.1
func (r *SimpleRight) UserStateString() string
type VirtualPathResolver ¶
VirtualPathResolver must be able to load virtual nodes based on their UUID.