permissions

package
v4.0.6-rc1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 16, 2022 License: AGPL-3.0 Imports: 33 Imported by: 0

Documentation

Overview

Package permissions provides high-level tools for computing permissions from ACLs

Index

Constants

View Source 
const (
	FrontWsScopeAll    = "PYDIO_REPO_SCOPE_ALL"
	FrontWsScopeShared = "PYDIO_REPO_SCOPE_SHARED"
)
View Source 
const (
	PolicyNodeMetaName      = "NodeMetaName"
	PolicyNodeMetaPath      = "NodeMetaPath"
	PolicyNodeMetaType      = "NodeMetaType"
	PolicyNodeMetaExtension = "NodeMetaExtension"
	PolicyNodeMetaSize      = "NodeMetaSize"
	PolicyNodeMetaMTime     = "NodeMetaMTime"
	PolicyNodeMeta_         = "NodeMeta:"
)

Variables

View Source 
var (
	AclRead              = &idm.ACLAction{Name: "read", Value: "1"}
	AclWrite             = &idm.ACLAction{Name: "write", Value: "1"}
	AclDeny              = &idm.ACLAction{Name: "deny", Value: "1"}
	AclPolicy            = &idm.ACLAction{Name: "policy"}
	AclQuota             = &idm.ACLAction{Name: "quota"}
	AclLock              = &idm.ACLAction{Name: "lock"}
	AclChildLock         = &idm.ACLAction{Name: "child_lock"}
	AclContentLock       = &idm.ACLAction{Name: "content_lock"}
	AclFrontAction_      = &idm.ACLAction{Name: "action:*"}
	AclFrontParam_       = &idm.ACLAction{Name: "parameter:*"}
	AclWsrootActionName  = "workspace-path"
	AclRecycleRoot       = &idm.ACLAction{Name: "recycle_root", Value: "1"}
	ResolvePolicyRequest PolicyResolver
)
View Source 
var (
	NamesToFlags = map[string]BitmaskFlag{
		"read":     FlagRead,
		"write":    FlagWrite,
		"deny":     FlagDeny,
		"list":     FlagList,
		"remove":   FlagDelete,
		"policy":   FlagPolicy,
		"quota":    FlagQuota,
		"lock":     FlagLock,
		"download": FlagDownload,
		"upload":   FlagUpload,
		"sync":     FlagSync,
	}

	FlagsToNames = map[BitmaskFlag]string{
		FlagRead:     "read",
		FlagWrite:    "write",
		FlagDeny:     "deny",
		FlagList:     "list",
		FlagDelete:   "remove",
		FlagPolicy:   "policy",
		FlagQuota:    "quota",
		FlagLock:     "lock",
		FlagDownload: "download",
		FlagUpload:   "upload",
		FlagSync:     "sync",
	}
)

Functions

func AccessListLoadFrontValues 

func AccessListLoadFrontValues(ctx context.Context, accessList *AccessList) error

AccessListLoadFrontValues loads all ACLs starting with actions: and parameters: for the current list of ordered roles

func BulkReadDefaultRights added in v4.0.2 

func BulkReadDefaultRights(ctx context.Context, uuids []string, wss map[string]*idm.Workspace) error

BulkReadDefaultRights matches ROOT_GROUP ACLs and set them as Workspace Attributes "DEFAULT_RIGHTS". It is a batch version of ManageDefaultRights in read mode.

func CachedPoliciesChecker 

func CachedPoliciesChecker(ctx context.Context, resType string) (ladon.Warden, error)

func CheckContentLock 

func CheckContentLock(ctx context.Context, node *tree.Node) error

CheckContentLock finds if there is a global lock registered in ACLs.

func CheckDefinedRootsForWorkspace added in v4.0.2 

func CheckDefinedRootsForWorkspace(ctx context.Context, ws *idm.Workspace, resolver VirtualPathResolver) error

CheckDefinedRootsForWorkspace reads roots from tree service

func ClearCachedPolicies 

func ClearCachedPolicies(ctx context.Context, resType string)

ClearCachedPolicies empties local cache

func ExtractDefaultRights added in v4.0.2 

func ExtractDefaultRights(ctx context.Context, workspace *idm.Workspace) (string, string)

ExtractDefaultRights loads known workspace attributes, extract defaultRights and quotaValue as strings and remove them from the attributes map

func FindUserNameInContext 

func FindUserNameInContext(ctx context.Context) (string, claim.Claims)

func ForceClearUserCache 

func ForceClearUserCache(login string)

func FrontValuesScopesFromWorkspaceRelativePaths 

func FrontValuesScopesFromWorkspaceRelativePaths(wss []*tree.WorkspaceRelativePath) (scopes []string)

FrontValuesScopesFromWorkspaceRelativePaths computes scopes to check when retrieving front plugin configuration, based on a list of Node.AppearsIn workspaces descriptions

func FrontValuesScopesFromWorkspaces 

func FrontValuesScopesFromWorkspaces(wss []*idm.Workspace) (scopes []string)

FrontValuesScopesFromWorkspaces computes scopes to check when retrieving front plugin configuration

func GetACLsForActions 

func GetACLsForActions(ctx context.Context, actions ...*idm.ACLAction) (acls []*idm.ACL, err error)

func GetACLsForRoles 

func GetACLsForRoles(ctx context.Context, roles []*idm.Role, actions ...*idm.ACLAction) ([]*idm.ACL, error)

GetACLsForRoles compiles ALCs for a list of roles.

func GetACLsForWorkspace 

func GetACLsForWorkspace(ctx context.Context, workspaceIds []string, actions ...*idm.ACLAction) (acls []*idm.ACL, err error)

GetACLsForWorkspace compiles ACLs list attached to a given workspace.

func GetRoles 

func GetRoles(ctx context.Context, names []string) ([]*idm.Role, error)

GetRoles Objects from a list of role names.

func GetRolesForUser 

func GetRolesForUser(ctx context.Context, user *idm.User, createMissing bool) []*idm.Role

GetRolesForUser loads the roles of a given user.

func HasChildLocks 

func HasChildLocks(ctx context.Context, node *tree.Node) bool

func IsUserLocked 

func IsUserLocked(user *idm.User) bool

IsUserLocked checks if the passed user has a logout attribute defined.

func LoadRootNodesForWorkspaces added in v4.0.2 

func LoadRootNodesForWorkspaces(ctx context.Context, wsUUIDs []string, wss map[string]*idm.Workspace, resolver VirtualPathResolver) error

LoadRootNodesForWorkspaces finds all root nodes based on the ACLs

func LocalACLPoliciesResolver 

func LocalACLPoliciesResolver(ctx context.Context, request *idm.PolicyEngineRequest, explicitOnly bool) (*idm.PolicyEngineResponse, error)

func ManageDefaultRights added in v4.0.2 

func ManageDefaultRights(ctx context.Context, workspace *idm.Workspace, read bool, rightsValue string, newQuota string) error

ManageDefaultRights either read or write default rights by transforming ACLs into workspace attributes back and forth. For reading on many workspace, use BulkReadDefaultRights instead.

func PolicyContextFromMetadata 

func PolicyContextFromMetadata(policyContext map[string]string, ctx context.Context)

PolicyContextFromMetadata extracts metadata directly from the context and enriches the passed policyContext.

func PolicyContextFromNode 

func PolicyContextFromNode(policyContext map[string]string, node *tree.Node)

PolicyContextFromNode extracts metadata from the Node and enriches the passed policyContext.

func PolicyRequestSubjectsFromClaims 

func PolicyRequestSubjectsFromClaims(claims claim.Claims) []string

PolicyRequestSubjectsFromClaims builds an array of string subjects from the passed Claims.

func PolicyRequestSubjectsFromUser 

func PolicyRequestSubjectsFromUser(user *idm.User) []string

PolicyRequestSubjectsFromUser builds an array of string subjects from the passed User.

func RunJavaScript 

func RunJavaScript(ctx context.Context, script string, inputs map[string]interface{}, outputs map[string]interface{}) error

func SearchUniqueUser 

func SearchUniqueUser(ctx context.Context, login string, uuid string, queries ...*idm.UserSingleQuery) (user *idm.User, err error)

SearchUniqueUser provides a shortcurt to search user services for one specific user.

func SearchUniqueWorkspace 

func SearchUniqueWorkspace(ctx context.Context, wsUuid string, wsSlug string, queries ...*idm.WorkspaceSingleQuery) (*idm.Workspace, error)

SearchUniqueWorkspace is a wrapper of SearchWorkspace to load a unique workspace

func StoreRootNodesAsACLs added in v4.0.2 

func StoreRootNodesAsACLs(ctx context.Context, ws *idm.Workspace, update bool) error

StoreRootNodesAsACLs transforms a list of RootNodes into a list of ACL and store them.

Types

type AccessList 

type AccessList struct {
	// contains filtered or unexported fields
}

AccessList is a merged representation of all ACLs that a user has access to. ACLs are merged using a Bitmask form to ease flags detections and comparisons.

func AccessListForLockedNodes 

func AccessListForLockedNodes(ctx context.Context, resolver VirtualPathResolver) (accessList *AccessList, err error)

AccessListForLockedNodes builds a flattened node list containing all currently locked nodes

func AccessListFromContextClaims 

func AccessListFromContextClaims(ctx context.Context) (accessList *AccessList, err error)

AccessListFromContextClaims uses package function to compile ACL and Workspaces for a given user ( = list of roles inside the Claims)

func AccessListFromRoles 

func AccessListFromRoles(ctx context.Context, roles []*idm.Role, countPolicies bool, loadWorkspaces bool) (accessList *AccessList, err error)

AccessListFromRoles loads the Acls and flatten them, eventually loading the discovered workspaces.

func AccessListFromUser 

func AccessListFromUser(ctx context.Context, userNameOrUuid string, isUuid bool) (accessList *AccessList, user *idm.User, err error)

AccessListFromUser loads roles for a given user, by name or UUID, and subsequently calls AccessListFromRoles

func NewAccessList 

func NewAccessList(roles ...*idm.Role) *AccessList

NewAccessList creates a new AccessList.

func (*AccessList) AddNodeBitmask added in v4.0.1 

func (a *AccessList) AddNodeBitmask(id string, b Bitmask)

AddNodeBitmask appends a node bitmask to the internal list

func (*AccessList) AppendACLs added in v4.0.1 

func (a *AccessList) AppendACLs(aa ...*idm.ACL)

AppendACLs appends an additional list of ACLs.

func (*AccessList) AppendClaimsScopes 

func (a *AccessList) AppendClaimsScopes(ss []string)

AppendClaimsScopes appends some specific permissions passed through claims. Currently only strings like "node:uuid:perm" are supported

func (*AccessList) AppendFrontACLs added in v4.0.1 

func (a *AccessList) AppendFrontACLs(aa ...*idm.ACL)

AppendFrontACLs appends an additional list of front-related ACLs.

func (*AccessList) AppendRoles added in v4.0.1 

func (a *AccessList) AppendRoles(rr ...*idm.Role)

AppendRoles appends one or more roles. They are kept in order, which is very important.

func (*AccessList) BelongsToWorkspaces 

func (a *AccessList) BelongsToWorkspaces(ctx context.Context, nodes ...*tree.Node) (workspaces []*idm.Workspace, workspacesRoots map[string]string)

BelongsToWorkspaces finds corresponding workspace parents for this node.

func (*AccessList) CanRead 

func (a *AccessList) CanRead(ctx context.Context, nodes ...*tree.Node) bool

CanRead checks if a node has READ access.

func (*AccessList) CanReadPath 

func (a *AccessList) CanReadPath(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool

CanReadPath checks if a node has READ access based on its Path

func (*AccessList) CanReadWithResolver 

func (a *AccessList) CanReadWithResolver(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool

CanReadWithResolver checks if a node has READ access, using VirtualPathResolver if necessary

func (*AccessList) CanWrite 

func (a *AccessList) CanWrite(ctx context.Context, nodes ...*tree.Node) bool

CanWrite checks if a node has WRITE access.

func (*AccessList) CanWritePath 

func (a *AccessList) CanWritePath(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool

CanWritePath checks if a node has WRITE access based on its path.

func (*AccessList) CanWriteWithResolver 

func (a *AccessList) CanWriteWithResolver(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool

CanWriteWithResolver checks if a node has WRITE access, using VirtualPathResolver if necessary.

func (*AccessList) DetectedWsRights added in v4.0.1 

func (a *AccessList) DetectedWsRights(ctx context.Context) map[string]SimpleRight

DetectedWsRights retrieves a map of accessible workspaces.

func (*AccessList) Flatten 

func (a *AccessList) Flatten(ctx context.Context)

Flatten performs actual flatten.

func (*AccessList) FlattenedFrontValues 

func (a *AccessList) FlattenedFrontValues() configx.Values

FlattenedFrontValues generates a configx.Values with frontend actions/parameters configs

func (*AccessList) GetNodesBitmasks 

func (a *AccessList) GetNodesBitmasks() map[string]Bitmask

GetNodesBitmasks returns internal bitmask

func (*AccessList) GetRoles added in v4.0.1 

func (a *AccessList) GetRoles() []*idm.Role

GetRoles returns ordered list of roles

func (*AccessList) GetWorkspaces added in v4.0.1 

func (a *AccessList) GetWorkspaces() map[string]*idm.Workspace

GetWorkspaces returns internally stored workspaces

func (*AccessList) GetWorkspacesRoots added in v4.0.1 

func (a *AccessList) GetWorkspacesRoots() map[string]map[string]Bitmask

GetWorkspacesRoots gets detected workspace root nodes that are then used to populate the Workspace keys.

func (*AccessList) HasExplicitDeny 

func (a *AccessList) HasExplicitDeny(ctx context.Context, flag BitmaskFlag, nodes ...*tree.Node) bool

func (*AccessList) HasPolicyBasedAcls 

func (a *AccessList) HasPolicyBasedAcls() bool

HasPolicyBasedAcls checks if there are policy based acls.

func (*AccessList) IsLocked 

func (a *AccessList) IsLocked(ctx context.Context, nodes ...*tree.Node) bool

IsLocked checks if a node bitmask has a FlagLock value.

func (*AccessList) LoadWorkspaces added in v4.0.1 

func (a *AccessList) LoadWorkspaces(ctx context.Context, loader WsLoader) error

LoadWorkspaces loads actual idm.Workspace objects using a WsLoader

func (*AccessList) ReplicateBitmask 

func (a *AccessList) ReplicateBitmask(fromUuid, toUuid string, replaceInRoots ...bool) bool

ReplicateBitmask copies a bitmask value from one position to another

func (*AccessList) Zap 

func (a *AccessList) Zap() zapcore.Field

Zap simply returns a zapcore.Field object populated with this aggregated AccessList under a standard key

type Bitmask 

type Bitmask struct {
	BitmaskFlag
	PolicyIds  map[string]string
	ValueFlags map[BitmaskFlag]string
}

func (*Bitmask) AddFlag 

func (f *Bitmask) AddFlag(flag BitmaskFlag)

AddFlag adds a simple flag.

func (*Bitmask) AddPolicyFlag 

func (f *Bitmask) AddPolicyFlag(policyId string)

AddPolicyFlag adds a policy flag and stacks policies.

func (*Bitmask) AddValueFlag 

func (f *Bitmask) AddValueFlag(flag BitmaskFlag, value string)

AddValueFlag stores the value of a BitmaskFlag.

func (Bitmask) HasFlag 

func (f Bitmask) HasFlag(ctx context.Context, flag BitmaskFlag, ctxNodes ...*tree.Node) bool

HasFlag checks if current bitmask matches a given flag. If bitmask has a Policy Flag, it will extract metadata from context and from nodes and use the PolicyResolver to dynamically test these properties.

func (Bitmask) HasPolicyExplicitDeny 

func (f Bitmask) HasPolicyExplicitDeny(ctx context.Context, flag BitmaskFlag, ctxNodes ...*tree.Node) bool

HasPolicyExplicitDeny checks if current bitmask matches a specific flag with Deny. If bitmask has a Policy Flag, it will extract metadata from context and from nodes and use the PolicyResolver to dynamically test these properties.

type BitmaskFlag 

type BitmaskFlag uint32
const (
	FlagRead BitmaskFlag = 1 << iota
	FlagWrite
	FlagDeny
	FlagList
	FlagDelete
	FlagPolicy
	FlagQuota
	FlagLock
	FlagDownload
	FlagUpload
	FlagSync
)

type CachedAccessList added in v4.0.1 

type CachedAccessList struct {
	Wss             map[string]*idm.Workspace
	WssRootsMasks   map[string]map[string]Bitmask
	OrderedRoles    []*idm.Role
	WsACLs          []*idm.ACL
	FrontACLs       []*idm.ACL
	MasksByUUIDs    map[string]Bitmask
	MasksByPaths    map[string]Bitmask
	ClaimsScopes    map[string]Bitmask
	HasClaimsScopes bool
}

type JsRequest 

type JsRequest struct {
	UserAgent string
	UserIP    string
}

type JsUser 

type JsUser struct {
	Uuid        string
	Name        string
	GroupPath   string
	GroupFlat   string
	Profile     string
	DisplayName string
	Email       string
	AuthSource  string
	Roles       []string
}

type LockSession 

type LockSession struct {
	// contains filtered or unexported fields
}

func NewLockSession 

func NewLockSession(nodeUUID, sessionUUID string, expireAfter time.Duration) *LockSession

NewLockSession creates a new LockSession object

func (*LockSession) AddChildTarget 

func (l *LockSession) AddChildTarget(parentUUID, targetChildName string)

func (*LockSession) Lock 

func (l *LockSession) Lock(ctx context.Context) error

Lock sets an expirable lock ACL on the NodeUUID with SessionUUID as value

func (*LockSession) Unlock 

func (l *LockSession) Unlock(ctx context.Context) error

Unlock manually removes the ACL

func (*LockSession) UpdateExpiration 

func (l *LockSession) UpdateExpiration(ctx context.Context, expireAfter time.Duration) error

UpdateExpiration set a new expiration date on the current lock

type PolicyResolver 

type PolicyResolver func(ctx context.Context, request *idm.PolicyEngineRequest, explicitOnly bool) (*idm.PolicyEngineResponse, error)

PolicyResolver implements the check of an object against a set of ACL policies

type SessionLocker 

type SessionLocker interface {
	Lock(ctx context.Context) error
	UpdateExpiration(ctx context.Context, expireAfter time.Duration) error
	Unlock(ctx context.Context) error
	AddChildTarget(parentUUID, targetChildName string)
}

type SimpleRight added in v4.0.1 

type SimpleRight struct {
	Read  bool
	Write bool
}

SimpleRight is a tool struct to compute SimpleRight strings

func (*SimpleRight) IsAccessible added in v4.0.1 

func (r *SimpleRight) IsAccessible() bool

func (*SimpleRight) String added in v4.0.1 

func (r *SimpleRight) String() string

func (*SimpleRight) UserStateString added in v4.0.1 

func (r *SimpleRight) UserStateString() string

type VirtualPathResolver 

type VirtualPathResolver func(context.Context, *tree.Node) (*tree.Node, bool)

VirtualPathResolver must be able to load virtual nodes based on their UUID

type WsLoader added in v4.0.1 

type WsLoader func(ctx context.Context, uuids []string) ([]*idm.Workspace, error)

WsLoader is resolver for loading workspaces by their UUIDs

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.