permissions

Published: Nov 2, 2022 License: AGPL-3.0 Imports: 32 Imported by: 0

Documentation

Overview

Package permissions provides high-level tools for computing permissions from ACLs

Index

Constants

// Front workspace scope identifiers. Their values are string tokens with a
// PYDIO_REPO_SCOPE_ prefix; presumably they are the scope names produced by
// FrontValuesScopesFromWorkspaces / FrontValuesScopesFromWorkspaceRelativePaths
// when resolving front plugin configuration — confirm against those callers.
const (
	// FrontWsScopeAll denotes the scope covering all workspaces.
	FrontWsScopeAll    = "PYDIO_REPO_SCOPE_ALL"
	// FrontWsScopeShared denotes the scope covering shared workspaces.
	FrontWsScopeShared = "PYDIO_REPO_SCOPE_SHARED"
)
// Keys describing node metadata inside a policy context map. They look like
// the keys written by PolicyContextFromNode into the policyContext it enriches
// (and later evaluated by a PolicyResolver) — confirm against that function.
const (
	PolicyNodeMetaName      = "NodeMetaName"
	PolicyNodeMetaPath      = "NodeMetaPath"
	PolicyNodeMetaType      = "NodeMetaType"
	PolicyNodeMetaExtension = "NodeMetaExtension"
	PolicyNodeMetaSize      = "NodeMetaSize"
	PolicyNodeMetaMTime     = "NodeMetaMTime"
	// PolicyNodeMeta_ is a prefix (note the trailing colon), not a full key;
	// presumably used for arbitrary "NodeMeta:<name>" entries — verify.
	PolicyNodeMeta_         = "NodeMeta:"
)

Variables

// Well-known ACL actions. Each is a *idm.ACLAction identified by Name; the
// ones carrying Value: "1" are plain boolean grants, the others carry a
// per-ACL value (policy id, quota, lock session, ...).
//
// NOTE(review): these are exported package-level pointers, so any importer can
// mutate the shared Name/Value at runtime; treat them as read-only.
var (
	AclRead              = &idm.ACLAction{Name: "read", Value: "1"}
	AclWrite             = &idm.ACLAction{Name: "write", Value: "1"}
	// AclDeny is a negative grant; see AccessList.HasExplicitDeny and
	// Bitmask.HasPolicyExplicitDeny for how deny is evaluated.
	AclDeny              = &idm.ACLAction{Name: "deny", Value: "1"}
	AclPolicy            = &idm.ACLAction{Name: "policy"}
	AclQuota             = &idm.ACLAction{Name: "quota"}
	AclLock              = &idm.ACLAction{Name: "lock"}
	AclChildLock         = &idm.ACLAction{Name: "child_lock"}
	AclContentLock       = &idm.ACLAction{Name: "content_lock"}
	// AclFrontAction_ / AclFrontParam_ are wildcard names ("action:*",
	// "parameter:*") matching the front ACLs loaded by AccessListLoadFrontValues.
	// NOTE(review): that function's doc on this page says "actions:" and
	// "parameters:" — confirm which prefix the stored ACL names actually use.
	AclFrontAction_      = &idm.ACLAction{Name: "action:*"}
	AclFrontParam_       = &idm.ACLAction{Name: "parameter:*"}
	// AclWsrootActionName is a bare action name, not an *idm.ACLAction like
	// its neighbours.
	AclWsrootActionName  = "workspace-path"
	AclRecycleRoot       = &idm.ACLAction{Name: "recycle_root", Value: "1"}
	// ResolvePolicyRequest is the package-level PolicyResolver hook. It has no
	// initializer here, so it is nil until assigned and calling it before that
	// panics. NOTE(review): confirm it is set during package/service init before
	// any policy-based Bitmask.HasFlag evaluation can run.
	ResolvePolicyRequest PolicyResolver
)
// NamesToFlags and FlagsToNames are inverse lookup tables between the textual
// action names used in ACLs and the BitmaskFlag bits. Note the one asymmetric
// pair: the name "remove" maps to FlagDelete.
//
// NOTE(review): both are exported mutable maps; a concurrent write from any
// importer would race with readers and could silently rename or drop a flag.
// Consider treating them as read-only or exposing lookup functions instead.
var (
	// NamesToFlags resolves an ACL action name to its flag bit.
	NamesToFlags = map[string]BitmaskFlag{
		"read":     FlagRead,
		"write":    FlagWrite,
		"deny":     FlagDeny,
		"list":     FlagList,
		"remove":   FlagDelete,
		"policy":   FlagPolicy,
		"quota":    FlagQuota,
		"lock":     FlagLock,
		"download": FlagDownload,
		"upload":   FlagUpload,
		"sync":     FlagSync,
	}

	// FlagsToNames resolves a flag bit back to its ACL action name.
	FlagsToNames = map[BitmaskFlag]string{
		FlagRead:     "read",
		FlagWrite:    "write",
		FlagDeny:     "deny",
		FlagList:     "list",
		FlagDelete:   "remove",
		FlagPolicy:   "policy",
		FlagQuota:    "quota",
		FlagLock:     "lock",
		FlagDownload: "download",
		FlagUpload:   "upload",
		FlagSync:     "sync",
	}
)

Functions

func AccessListLoadFrontValues

func AccessListLoadFrontValues(ctx context.Context, accessList *AccessList) error

AccessListLoadFrontValues loads all ACLs whose names start with actions: and parameters: for the current list of ordered roles.

func BulkReadDefaultRights added in v4.0.2

func BulkReadDefaultRights(ctx context.Context, uuids []string, wss map[string]*idm.Workspace) error

BulkReadDefaultRights matches ROOT_GROUP ACLs and sets them as Workspace Attributes "DEFAULT_RIGHTS". It is a batch version of ManageDefaultRights in read mode.

func CachedPoliciesChecker

func CachedPoliciesChecker(ctx context.Context, resType string) (ladon.Warden, error)

func CheckContentLock

func CheckContentLock(ctx context.Context, node *tree.Node) error

CheckContentLock finds if there is a global lock registered in ACLs.

func CheckDefinedRootsForWorkspace added in v4.0.2

func CheckDefinedRootsForWorkspace(ctx context.Context, ws *idm.Workspace, resolver VirtualPathResolver) error

CheckDefinedRootsForWorkspace reads roots from tree service

func ClearCachedPolicies

func ClearCachedPolicies(ctx context.Context, resType string)

ClearCachedPolicies empties local cache

func ExtractDefaultRights added in v4.0.2

func ExtractDefaultRights(ctx context.Context, workspace *idm.Workspace) (string, string)

ExtractDefaultRights loads known workspace attributes, extracts defaultRights and quotaValue as strings and removes them from the attributes map.

func FindUserNameInContext

func FindUserNameInContext(ctx context.Context) (string, claim.Claims)

func ForceClearUserCache

func ForceClearUserCache(login string)

func FrontValuesScopesFromWorkspaceRelativePaths

func FrontValuesScopesFromWorkspaceRelativePaths(wss []*tree.WorkspaceRelativePath) (scopes []string)

FrontValuesScopesFromWorkspaceRelativePaths computes the scopes to check when retrieving front plugin configuration, based on a list of Node.AppearsIn workspace descriptions.

func FrontValuesScopesFromWorkspaces

func FrontValuesScopesFromWorkspaces(wss []*idm.Workspace) (scopes []string)

FrontValuesScopesFromWorkspaces computes the scopes to check when retrieving front plugin configuration.

func GetACLsForActions

func GetACLsForActions(ctx context.Context, actions ...*idm.ACLAction) (acls []*idm.ACL, err error)

func GetACLsForRoles

func GetACLsForRoles(ctx context.Context, roles []*idm.Role, actions ...*idm.ACLAction) ([]*idm.ACL, error)

GetACLsForRoles compiles ACLs for a list of roles.

func GetACLsForWorkspace

func GetACLsForWorkspace(ctx context.Context, workspaceIds []string, actions ...*idm.ACLAction) (acls []*idm.ACL, err error)

GetACLsForWorkspace compiles ACLs list attached to a given workspace.

func GetRoles

func GetRoles(ctx context.Context, names []string) ([]*idm.Role, error)

GetRoles loads Role objects from a list of role names.

func GetRolesForUser

func GetRolesForUser(ctx context.Context, user *idm.User, createMissing bool) []*idm.Role

GetRolesForUser loads the roles of a given user.

func HasChildLocks

func HasChildLocks(ctx context.Context, node *tree.Node) bool

func IsUserLocked

func IsUserLocked(user *idm.User) bool

IsUserLocked checks if the passed user has a logout attribute defined.

func LoadRootNodesForWorkspaces added in v4.0.2

func LoadRootNodesForWorkspaces(ctx context.Context, wsUUIDs []string, wss map[string]*idm.Workspace, resolver VirtualPathResolver) error

LoadRootNodesForWorkspaces finds all root nodes based on the ACLs

func LocalACLPoliciesResolver

func LocalACLPoliciesResolver(ctx context.Context, request *idm.PolicyEngineRequest, explicitOnly bool) (*idm.PolicyEngineResponse, error)

func ManageDefaultRights added in v4.0.2

func ManageDefaultRights(ctx context.Context, workspace *idm.Workspace, read bool, rightsValue string, newQuota string) error

ManageDefaultRights either reads or writes default rights by transforming ACLs into workspace attributes and back. For reading on many workspaces, use BulkReadDefaultRights instead.

func PolicyContextFromMetadata

func PolicyContextFromMetadata(policyContext map[string]string, ctx context.Context)

PolicyContextFromMetadata extracts metadata directly from the context and enriches the passed policyContext.

func PolicyContextFromNode

func PolicyContextFromNode(policyContext map[string]string, node *tree.Node)

PolicyContextFromNode extracts metadata from the Node and enriches the passed policyContext.

func PolicyRequestSubjectsFromClaims

func PolicyRequestSubjectsFromClaims(claims claim.Claims) []string

PolicyRequestSubjectsFromClaims builds an array of string subjects from the passed Claims.

func PolicyRequestSubjectsFromUser

func PolicyRequestSubjectsFromUser(user *idm.User) []string

PolicyRequestSubjectsFromUser builds an array of string subjects from the passed User.

func RunJavaScript

func RunJavaScript(ctx context.Context, script string, inputs map[string]interface{}, outputs map[string]interface{}) error

func SearchUniqueUser

func SearchUniqueUser(ctx context.Context, login string, uuid string, queries ...*idm.UserSingleQuery) (user *idm.User, err error)

SearchUniqueUser provides a shortcut to search the user services for one specific user.

func SearchUniqueWorkspace

func SearchUniqueWorkspace(ctx context.Context, wsUuid string, wsSlug string, queries ...*idm.WorkspaceSingleQuery) (*idm.Workspace, error)

SearchUniqueWorkspace is a wrapper of SearchWorkspace to load a unique workspace.

func StoreRootNodesAsACLs added in v4.0.2

func StoreRootNodesAsACLs(ctx context.Context, ws *idm.Workspace, update bool) error

StoreRootNodesAsACLs transforms a list of RootNodes into a list of ACLs and stores them.

Types

type AccessList

// AccessList is a merged representation of all ACLs that a user has access to.
// ACLs are merged into Bitmask form to ease flag detection and comparison.
// All fields are unexported; build instances with NewAccessList or one of the
// AccessListFrom* constructors and mutate them through the Append* methods.
type AccessList struct {
	// contains filtered or unexported fields
}

AccessList is a merged representation of all ACLs that a user has access to. ACLs are merged using a Bitmask form to ease flags detections and comparisons.

func AccessListForLockedNodes

func AccessListForLockedNodes(ctx context.Context, resolver VirtualPathResolver) (accessList *AccessList, err error)

AccessListForLockedNodes builds a flattened node list containing all currently locked nodes

func AccessListFromContextClaims

func AccessListFromContextClaims(ctx context.Context) (accessList *AccessList, err error)

AccessListFromContextClaims uses the package functions to compile ACLs and Workspaces for a given user (i.e. the list of roles inside the Claims).

func AccessListFromRoles

func AccessListFromRoles(ctx context.Context, roles []*idm.Role, countPolicies bool, loadWorkspaces bool) (accessList *AccessList, err error)

AccessListFromRoles loads the ACLs and flattens them, optionally loading the discovered workspaces.

func AccessListFromUser

func AccessListFromUser(ctx context.Context, userNameOrUuid string, isUuid bool) (accessList *AccessList, user *idm.User, err error)

AccessListFromUser loads the roles of a given user, by name or UUID, and subsequently calls AccessListFromRoles.

func NewAccessList

func NewAccessList(roles ...*idm.Role) *AccessList

NewAccessList creates a new AccessList.

func (*AccessList) AddNodeBitmask added in v4.0.1

func (a *AccessList) AddNodeBitmask(id string, b Bitmask)

AddNodeBitmask appends a node bitmask to the internal list

func (*AccessList) AppendACLs added in v4.0.1

func (a *AccessList) AppendACLs(aa ...*idm.ACL)

AppendACLs appends an additional list of ACLs.

func (*AccessList) AppendClaimsScopes

func (a *AccessList) AppendClaimsScopes(ss []string)

AppendClaimsScopes appends some specific permissions passed through claims. Currently only strings like "node:uuid:perm" are supported

func (*AccessList) AppendFrontACLs added in v4.0.1

func (a *AccessList) AppendFrontACLs(aa ...*idm.ACL)

AppendFrontACLs appends an additional list of front-related ACLs.

func (*AccessList) AppendRoles added in v4.0.1

func (a *AccessList) AppendRoles(rr ...*idm.Role)

AppendRoles appends one or more roles. They are kept in order, which is very important.

func (*AccessList) BelongsToWorkspaces

func (a *AccessList) BelongsToWorkspaces(ctx context.Context, nodes ...*tree.Node) (workspaces []*idm.Workspace, workspacesRoots map[string]string)

BelongsToWorkspaces finds corresponding workspace parents for this node.

func (*AccessList) CanRead

func (a *AccessList) CanRead(ctx context.Context, nodes ...*tree.Node) bool

CanRead checks if a node has READ access.

func (*AccessList) CanReadPath

func (a *AccessList) CanReadPath(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool

CanReadPath checks if a node has READ access based on its Path

func (*AccessList) CanReadWithResolver

func (a *AccessList) CanReadWithResolver(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool

CanReadWithResolver checks if a node has READ access, using VirtualPathResolver if necessary

func (*AccessList) CanWrite

func (a *AccessList) CanWrite(ctx context.Context, nodes ...*tree.Node) bool

CanWrite checks if a node has WRITE access.

func (*AccessList) CanWritePath

func (a *AccessList) CanWritePath(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool

CanWritePath checks if a node has WRITE access based on its path.

func (*AccessList) CanWriteWithResolver

func (a *AccessList) CanWriteWithResolver(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool

CanWriteWithResolver checks if a node has WRITE access, using VirtualPathResolver if necessary.

func (*AccessList) DetectedWsRights added in v4.0.1

func (a *AccessList) DetectedWsRights(ctx context.Context) map[string]SimpleRight

DetectedWsRights retrieves a map of accessible workspaces.

func (*AccessList) Flatten

func (a *AccessList) Flatten(ctx context.Context)

Flatten performs actual flatten.

func (*AccessList) FlattenedFrontValues

func (a *AccessList) FlattenedFrontValues() configx.Values

FlattenedFrontValues generates a configx.Values with frontend actions/parameters configs

func (*AccessList) GetNodesBitmasks

func (a *AccessList) GetNodesBitmasks() map[string]Bitmask

GetNodesBitmasks returns the internal map of node bitmasks.

func (*AccessList) GetRoles added in v4.0.1

func (a *AccessList) GetRoles() []*idm.Role

GetRoles returns the ordered list of roles.

func (*AccessList) GetWorkspaces added in v4.0.1

func (a *AccessList) GetWorkspaces() map[string]*idm.Workspace

GetWorkspaces returns the internally stored workspaces.

func (*AccessList) GetWorkspacesRoots added in v4.0.1

func (a *AccessList) GetWorkspacesRoots() map[string]map[string]Bitmask

GetWorkspacesRoots gets detected workspace root nodes that are then used to populate the Workspace keys.

func (*AccessList) HasExplicitDeny

func (a *AccessList) HasExplicitDeny(ctx context.Context, flag BitmaskFlag, nodes ...*tree.Node) bool

func (*AccessList) HasPolicyBasedAcls

func (a *AccessList) HasPolicyBasedAcls() bool

HasPolicyBasedAcls checks if there are policy based acls.

func (*AccessList) IsLocked

func (a *AccessList) IsLocked(ctx context.Context, nodes ...*tree.Node) bool

IsLocked checks if a node bitmask has a FlagLock value.

func (*AccessList) LoadWorkspaces added in v4.0.1

func (a *AccessList) LoadWorkspaces(ctx context.Context, loader WsLoader) error

LoadWorkspaces loads actual idm.Workspace objects using a WsLoader

func (*AccessList) ReplicateBitmask

func (a *AccessList) ReplicateBitmask(fromUuid, toUuid string, replaceInRoots ...bool) bool

ReplicateBitmask copies a bitmask value from one position to another.

func (*AccessList) Zap

func (a *AccessList) Zap() zapcore.Field

Zap simply returns a zapcore.Field object populated with this aggregated AccessList under a standard key

type Bitmask

// Bitmask is the merged permission set attached to one node (or path). The
// embedded BitmaskFlag holds the plain on/off flags; the two maps carry the
// extra data needed by value-bearing flags.
type Bitmask struct {
	BitmaskFlag
	// PolicyIds collects the policy identifiers stacked by AddPolicyFlag;
	// the map value's meaning is not visible here — presumably the policy id
	// is also the key, verify against AddPolicyFlag.
	PolicyIds  map[string]string
	// ValueFlags stores the string value recorded by AddValueFlag for flags
	// that carry one (quota, lock, ...).
	ValueFlags map[BitmaskFlag]string
}

func (*Bitmask) AddFlag

func (f *Bitmask) AddFlag(flag BitmaskFlag)

AddFlag adds a simple flag.

func (*Bitmask) AddPolicyFlag

func (f *Bitmask) AddPolicyFlag(policyId string)

AddPolicyFlag adds a policy flag and stacks policies.

func (*Bitmask) AddValueFlag

func (f *Bitmask) AddValueFlag(flag BitmaskFlag, value string)

AddValueFlag stores the value of a BitmaskFlag.

func (Bitmask) HasFlag

func (f Bitmask) HasFlag(ctx context.Context, flag BitmaskFlag, ctxNodes ...*tree.Node) bool

HasFlag checks if current bitmask matches a given flag. If bitmask has a Policy Flag, it will extract metadata from context and from nodes and use the PolicyResolver to dynamically test these properties.

func (Bitmask) HasPolicyExplicitDeny

func (f Bitmask) HasPolicyExplicitDeny(ctx context.Context, flag BitmaskFlag, ctxNodes ...*tree.Node) bool

HasPolicyExplicitDeny checks if current bitmask matches a specific flag with Deny. If bitmask has a Policy Flag, it will extract metadata from context and from nodes and use the PolicyResolver to dynamically test these properties.

type BitmaskFlag

// BitmaskFlag is a set of permission bits packed in a uint32.
type BitmaskFlag uint32

// Each flag is a distinct power of two (FlagRead = 1, FlagWrite = 2, ...,
// FlagSync = 1 << 10), so they can be OR-ed together in a single Bitmask.
// The numeric value of every flag depends on its position in this list:
// insert new flags only at the end if these values are ever persisted or
// compared across versions (whether they are is not visible here).
const (
	FlagRead BitmaskFlag = 1 << iota
	FlagWrite
	// FlagDeny is a negative grant: its presence overrides the other bits
	// (see AccessList.HasExplicitDeny).
	FlagDeny
	FlagList
	FlagDelete
	// FlagPolicy marks a bitmask whose evaluation is delegated to a
	// PolicyResolver (see Bitmask.HasFlag).
	FlagPolicy
	FlagQuota
	FlagLock
	FlagDownload
	FlagUpload
	FlagSync
)

type CachedAccessList added in v4.0.1

// CachedAccessList is an exported-field mirror of AccessList's internal state,
// presumably the shape used to serialize an access list into a cache (it is
// not referenced by any signature visible on this page — confirm the producer
// and consumer). Field by field it matches the AccessList accessors:
// Wss ↔ GetWorkspaces, WssRootsMasks ↔ GetWorkspacesRoots,
// OrderedRoles ↔ GetRoles, MasksByUUIDs ↔ GetNodesBitmasks.
type CachedAccessList struct {
	Wss             map[string]*idm.Workspace
	WssRootsMasks   map[string]map[string]Bitmask
	// OrderedRoles must keep role order; AppendRoles documents that order matters.
	OrderedRoles    []*idm.Role
	WsACLs          []*idm.ACL
	FrontACLs       []*idm.ACL
	MasksByUUIDs    map[string]Bitmask
	MasksByPaths    map[string]Bitmask
	// ClaimsScopes holds the "node:uuid:perm" grants added by AppendClaimsScopes.
	ClaimsScopes    map[string]Bitmask
	HasClaimsScopes bool
}

type JsRequest

// JsRequest describes the calling request as exposed to scripts; presumably
// it is passed through the inputs map of RunJavaScript — confirm. Both values
// originate from the client and should be treated as untrusted inside scripts.
type JsRequest struct {
	UserAgent string
	UserIP    string
}

type JsUser

// JsUser is the script-facing view of an idm.User; presumably it is passed
// through the inputs map of RunJavaScript — confirm against its callers.
type JsUser struct {
	Uuid        string
	Name        string
	GroupPath   string
	// GroupFlat looks like a flattened form of GroupPath — verify the format.
	GroupFlat   string
	Profile     string
	DisplayName string
	Email       string
	AuthSource  string
	Roles       []string
}

type LockSession

// LockSession manages an expirable lock ACL on a node for a given session.
// Construct it with NewLockSession; its methods (Lock, Unlock,
// UpdateExpiration, AddChildTarget) satisfy the SessionLocker interface.
type LockSession struct {
	// contains filtered or unexported fields
}

func NewLockSession

func NewLockSession(nodeUUID, sessionUUID string, expireAfter time.Duration) *LockSession

NewLockSession creates a new LockSession object

func (*LockSession) AddChildTarget

func (l *LockSession) AddChildTarget(parentUUID, targetChildName string)

func (*LockSession) Lock

func (l *LockSession) Lock(ctx context.Context) error

Lock sets an expirable lock ACL on the NodeUUID with SessionUUID as value

func (*LockSession) Unlock

func (l *LockSession) Unlock(ctx context.Context) error

Unlock manually removes the ACL

func (*LockSession) UpdateExpiration

func (l *LockSession) UpdateExpiration(ctx context.Context, expireAfter time.Duration) error

UpdateExpiration sets a new expiration date on the current lock.

type PolicyResolver

// PolicyResolver checks an object against a set of ACL policies. The package
// var ResolvePolicyRequest has this type and LocalACLPoliciesResolver has a
// matching signature; explicitOnly presumably restricts evaluation to
// explicit (non-inherited) decisions — confirm against the resolver.
type PolicyResolver func(ctx context.Context, request *idm.PolicyEngineRequest, explicitOnly bool) (*idm.PolicyEngineResponse, error)

PolicyResolver checks an object against a set of ACL policies.

type SessionLocker

// SessionLocker abstracts an expirable, session-bound node lock.
// *LockSession implements it (its Lock, UpdateExpiration, Unlock and
// AddChildTarget methods carry exactly these signatures).
type SessionLocker interface {
	Lock(ctx context.Context) error
	UpdateExpiration(ctx context.Context, expireAfter time.Duration) error
	Unlock(ctx context.Context) error
	AddChildTarget(parentUUID, targetChildName string)
}

type SimpleRight added in v4.0.1

// SimpleRight is a helper struct describing coarse read/write access to a
// workspace; AccessList.DetectedWsRights returns one per accessible workspace.
type SimpleRight struct {
	Read  bool
	Write bool
}

SimpleRight is a helper struct for computing simple right strings.

func (*SimpleRight) IsAccessible added in v4.0.1

func (r *SimpleRight) IsAccessible() bool

func (*SimpleRight) String added in v4.0.1

func (r *SimpleRight) String() string

func (*SimpleRight) UserStateString added in v4.0.1

func (r *SimpleRight) UserStateString() string

type VirtualPathResolver

// VirtualPathResolver loads virtual nodes based on their UUID. The boolean
// result's exact meaning is not visible here — presumably whether the node
// was resolved as virtual — confirm against the resolvers passed to
// CanReadWithResolver / CanWriteWithResolver.
type VirtualPathResolver func(context.Context, *tree.Node) (*tree.Node, bool)

VirtualPathResolver must be able to load virtual nodes based on their UUID

type WsLoader added in v4.0.1

// WsLoader resolves workspaces by their UUIDs; used by AccessList.LoadWorkspaces.
type WsLoader func(ctx context.Context, uuids []string) ([]*idm.Workspace, error)

WsLoader is a resolver for loading workspaces by their UUIDs.
