Documentation ¶
Overview ¶
Package permissions provides high-level tools for computing permissions from ACLs
Index ¶
- Constants
- Variables
- func AccessListLoadFrontValues(ctx context.Context, accessList *AccessList) error
- func BulkReadDefaultRights(ctx context.Context, uuids []string, wss map[string]*idm.Workspace) error
- func CachedPoliciesChecker(ctx context.Context, resType string) (ladon.Warden, error)
- func CheckContentLock(ctx context.Context, node *tree.Node) error
- func CheckDefinedRootsForWorkspace(ctx context.Context, ws *idm.Workspace, resolver VirtualPathResolver) error
- func ClearCachedPolicies(ctx context.Context, resType string)
- func ExtractDefaultRights(ctx context.Context, workspace *idm.Workspace) (string, string)
- func FindUserNameInContext(ctx context.Context) (string, claim.Claims)
- func ForceClearUserCache(login string)
- func FrontValuesScopesFromWorkspaceRelativePaths(wss []*tree.WorkspaceRelativePath) (scopes []string)
- func FrontValuesScopesFromWorkspaces(wss []*idm.Workspace) (scopes []string)
- func GetACLsForActions(ctx context.Context, actions ...*idm.ACLAction) (acls []*idm.ACL, err error)
- func GetACLsForRoles(ctx context.Context, roles []*idm.Role, actions ...*idm.ACLAction) ([]*idm.ACL, error)
- func GetACLsForWorkspace(ctx context.Context, workspaceIds []string, actions ...*idm.ACLAction) (acls []*idm.ACL, err error)
- func GetRoles(ctx context.Context, names []string) ([]*idm.Role, error)
- func GetRolesForUser(ctx context.Context, user *idm.User, createMissing bool) []*idm.Role
- func GroupExists(ctx context.Context, group string) (*idm.User, bool)
- func HasChildLocks(ctx context.Context, node *tree.Node) bool
- func IsUserLocked(user *idm.User) bool
- func LoadRootNodesForWorkspaces(ctx context.Context, wsUUIDs []string, wss map[string]*idm.Workspace, ...) error
- func LocalACLPoliciesResolver(ctx context.Context, request *idm.PolicyEngineRequest, explicitOnly bool) (*idm.PolicyEngineResponse, error)
- func ManageDefaultRights(ctx context.Context, workspace *idm.Workspace, read bool, rightsValue string, ...) error
- func PolicyContextFromMetadata(policyContext map[string]string, ctx context.Context)
- func PolicyContextFromNode(policyContext map[string]string, node *tree.Node)
- func PolicyRequestSubjectsFromClaims(claims claim.Claims) []string
- func PolicyRequestSubjectsFromUser(user *idm.User) []string
- func RunJavaScript(ctx context.Context, script string, inputs map[string]interface{}, ...) error
- func SearchUniqueUser(ctx context.Context, login string, uuid string, ...) (user *idm.User, err error)
- func SearchUniqueWorkspace(ctx context.Context, wsUuid string, wsSlug string, ...) (*idm.Workspace, error)
- func StoreRootNodesAsACLs(ctx context.Context, ws *idm.Workspace, update bool) error
- type AccessList
- func AccessListForLockedNodes(ctx context.Context, resolver VirtualPathResolver) (accessList *AccessList, err error)
- func AccessListFromContextClaims(ctx context.Context) (accessList *AccessList, err error)
- func AccessListFromRoles(ctx context.Context, roles []*idm.Role, countPolicies bool, ...) (accessList *AccessList, err error)
- func AccessListFromUser(ctx context.Context, userNameOrUuid string, isUuid bool) (accessList *AccessList, user *idm.User, err error)
- func NewAccessList(roles ...*idm.Role) *AccessList
- func (a *AccessList) AddNodeBitmask(id string, b Bitmask)
- func (a *AccessList) AppendACLs(aa ...*idm.ACL)
- func (a *AccessList) AppendClaimsScopes(ss []string)
- func (a *AccessList) AppendFrontACLs(aa ...*idm.ACL)
- func (a *AccessList) AppendRoles(rr ...*idm.Role)
- func (a *AccessList) BelongsToWorkspaces(ctx context.Context, nodes ...*tree.Node) (workspaces []*idm.Workspace, workspacesRoots map[string]string)
- func (a *AccessList) CanRead(ctx context.Context, nodes ...*tree.Node) bool
- func (a *AccessList) CanReadPath(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool
- func (a *AccessList) CanReadWithResolver(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool
- func (a *AccessList) CanWrite(ctx context.Context, nodes ...*tree.Node) bool
- func (a *AccessList) CanWritePath(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool
- func (a *AccessList) CanWriteWithResolver(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool
- func (a *AccessList) DetectedWsRights(ctx context.Context) map[string]SimpleRight
- func (a *AccessList) Flatten(ctx context.Context)
- func (a *AccessList) FlattenedFrontValues() configx.Values
- func (a *AccessList) GetNodesBitmasks() map[string]Bitmask
- func (a *AccessList) GetRoles() []*idm.Role
- func (a *AccessList) GetWorkspaces() map[string]*idm.Workspace
- func (a *AccessList) GetWorkspacesRoots() map[string]map[string]Bitmask
- func (a *AccessList) HasExplicitDeny(ctx context.Context, flag BitmaskFlag, nodes ...*tree.Node) bool
- func (a *AccessList) HasPolicyBasedAcls() bool
- func (a *AccessList) IsLocked(ctx context.Context, nodes ...*tree.Node) bool
- func (a *AccessList) LoadWorkspaces(ctx context.Context, loader WsLoader) error
- func (a *AccessList) ReplicateBitmask(fromUuid, toUuid string, replaceInRoots ...bool) bool
- func (a *AccessList) Zap() zapcore.Field
- type Bitmask
- func (f *Bitmask) AddFlag(flag BitmaskFlag)
- func (f *Bitmask) AddPolicyFlag(policyId string)
- func (f *Bitmask) AddValueFlag(flag BitmaskFlag, value string)
- func (f *Bitmask) HasFlag(ctx context.Context, flag BitmaskFlag, ctxNodes ...*tree.Node) bool
- func (f *Bitmask) HasPolicyExplicitDeny(ctx context.Context, flag BitmaskFlag, ctxNodes ...*tree.Node) bool
- type BitmaskFlag
- type CachedAccessList
- type JsRequest
- type JsUser
- type LockSession
- type PolicyResolver
- type SessionLocker
- type SimpleRight
- type VirtualPathResolver
- type WsLoader
Constants ¶
const ( FrontWsScopeAll = "PYDIO_REPO_SCOPE_ALL" )
const ( PolicyNodeMetaName = "NodeMetaName" PolicyNodeMetaPath = "NodeMetaPath" PolicyNodeMetaType = "NodeMetaType" PolicyNodeMetaExtension = "NodeMetaExtension" PolicyNodeMetaSize = "NodeMetaSize" PolicyNodeMetaMTime = "NodeMetaMTime" PolicyNodeMeta_ = "NodeMeta:" )
Variables ¶
var ( AclRead = &idm.ACLAction{Name: "read", Value: "1"} AclWrite = &idm.ACLAction{Name: "write", Value: "1"} AclDeny = &idm.ACLAction{Name: "deny", Value: "1"} AclPolicy = &idm.ACLAction{Name: "policy"} AclQuota = &idm.ACLAction{Name: "quota"} AclLock = &idm.ACLAction{Name: "lock"} AclChildLock = &idm.ACLAction{Name: "child_lock"} AclContentLock = &idm.ACLAction{Name: "content_lock"} AclFrontAction_ = &idm.ACLAction{Name: "action:*"} AclFrontParam_ = &idm.ACLAction{Name: "parameter:*"} AclWsrootActionName = "workspace-path" AclRecycleRoot = &idm.ACLAction{Name: "recycle_root", Value: "1"} ResolvePolicyRequest PolicyResolver )
var ( NamesToFlags = map[string]BitmaskFlag{ "read": FlagRead, "write": FlagWrite, "deny": FlagDeny, "list": FlagList, "remove": FlagDelete, "policy": FlagPolicy, "quota": FlagQuota, "lock": FlagLock, "download": FlagDownload, "upload": FlagUpload, "sync": FlagSync, } FlagsToNames = map[BitmaskFlag]string{ FlagRead: "read", FlagWrite: "write", FlagDeny: "deny", FlagList: "list", FlagDelete: "remove", FlagPolicy: "policy", FlagQuota: "quota", FlagLock: "lock", FlagDownload: "download", FlagUpload: "upload", FlagSync: "sync", } )
Functions ¶
func AccessListLoadFrontValues ¶
func AccessListLoadFrontValues(ctx context.Context, accessList *AccessList) error
AccessListLoadFrontValues loads all ACLs starting with actions: and parameters: for the current list of ordered roles
func BulkReadDefaultRights ¶ added in v4.0.2
func BulkReadDefaultRights(ctx context.Context, uuids []string, wss map[string]*idm.Workspace) error
BulkReadDefaultRights matches ROOT_GROUP ACLs and set them as Workspace Attributes "DEFAULT_RIGHTS". It is a batch version of ManageDefaultRights in read mode.
func CachedPoliciesChecker ¶
func CheckContentLock ¶
CheckContentLock finds if there is a global lock registered in ACLs.
func CheckDefinedRootsForWorkspace ¶ added in v4.0.2
func CheckDefinedRootsForWorkspace(ctx context.Context, ws *idm.Workspace, resolver VirtualPathResolver) error
CheckDefinedRootsForWorkspace reads roots from tree service
func ClearCachedPolicies ¶
ClearCachedPolicies empties local cache
func ExtractDefaultRights ¶ added in v4.0.2
ExtractDefaultRights loads known workspace attributes, extract defaultRights and quotaValue as strings and remove them from the attributes map
func ForceClearUserCache ¶
func ForceClearUserCache(login string)
func FrontValuesScopesFromWorkspaceRelativePaths ¶
func FrontValuesScopesFromWorkspaceRelativePaths(wss []*tree.WorkspaceRelativePath) (scopes []string)
FrontValuesScopesFromWorkspaceRelativePaths computes scopes to check when retrieving front plugin configuration, based on a list of Node.AppearsIn workspaces descriptions
func FrontValuesScopesFromWorkspaces ¶
FrontValuesScopesFromWorkspaces computes scopes to check when retrieving front plugin configuration
func GetACLsForActions ¶
func GetACLsForRoles ¶
func GetACLsForRoles(ctx context.Context, roles []*idm.Role, actions ...*idm.ACLAction) ([]*idm.ACL, error)
GetACLsForRoles compiles ALCs for a list of roles.
func GetACLsForWorkspace ¶
func GetACLsForWorkspace(ctx context.Context, workspaceIds []string, actions ...*idm.ACLAction) (acls []*idm.ACL, err error)
GetACLsForWorkspace compiles ACLs list attached to a given workspace.
func GetRolesForUser ¶
GetRolesForUser loads the roles of a given user.
func GroupExists ¶ added in v4.1.4
GroupExists finds a group by its full path
func IsUserLocked ¶
IsUserLocked checks if the passed user has a logout attribute defined.
func LoadRootNodesForWorkspaces ¶ added in v4.0.2
func LoadRootNodesForWorkspaces(ctx context.Context, wsUUIDs []string, wss map[string]*idm.Workspace, resolver VirtualPathResolver) error
LoadRootNodesForWorkspaces finds all root nodes based on the ACLs
func LocalACLPoliciesResolver ¶
func LocalACLPoliciesResolver(ctx context.Context, request *idm.PolicyEngineRequest, explicitOnly bool) (*idm.PolicyEngineResponse, error)
func ManageDefaultRights ¶ added in v4.0.2
func ManageDefaultRights(ctx context.Context, workspace *idm.Workspace, read bool, rightsValue string, newQuota string) error
ManageDefaultRights either read or write default rights by transforming ACLs into workspace attributes back and forth. For reading on many workspace, use BulkReadDefaultRights instead.
func PolicyContextFromMetadata ¶
PolicyContextFromMetadata extracts metadata directly from the context and enriches the passed policyContext.
func PolicyContextFromNode ¶
PolicyContextFromNode extracts metadata from the Node and enriches the passed policyContext.
func PolicyRequestSubjectsFromClaims ¶
PolicyRequestSubjectsFromClaims builds an array of string subjects from the passed Claims.
func PolicyRequestSubjectsFromUser ¶
PolicyRequestSubjectsFromUser builds an array of string subjects from the passed User.
func RunJavaScript ¶
func SearchUniqueUser ¶
func SearchUniqueUser(ctx context.Context, login string, uuid string, queries ...*idm.UserSingleQuery) (user *idm.User, err error)
SearchUniqueUser provides a shortcurt to search user services for one specific user.
Types ¶
type AccessList ¶
type AccessList struct {
// contains filtered or unexported fields
}
AccessList is a merged representation of all ACLs that a user has access to. ACLs are merged using a Bitmask form to ease flags detections and comparisons.
func AccessListForLockedNodes ¶
func AccessListForLockedNodes(ctx context.Context, resolver VirtualPathResolver) (accessList *AccessList, err error)
AccessListForLockedNodes builds a flattened node list containing all currently locked nodes
func AccessListFromContextClaims ¶
func AccessListFromContextClaims(ctx context.Context) (accessList *AccessList, err error)
AccessListFromContextClaims uses package function to compile ACL and Workspaces for a given user ( = list of roles inside the Claims)
func AccessListFromRoles ¶
func AccessListFromRoles(ctx context.Context, roles []*idm.Role, countPolicies bool, loadWorkspaces bool) (accessList *AccessList, err error)
AccessListFromRoles loads the Acls and flatten them, eventually loading the discovered workspaces.
func AccessListFromUser ¶
func AccessListFromUser(ctx context.Context, userNameOrUuid string, isUuid bool) (accessList *AccessList, user *idm.User, err error)
AccessListFromUser loads roles for a given user, by name or UUID, and subsequently calls AccessListFromRoles
func NewAccessList ¶
func NewAccessList(roles ...*idm.Role) *AccessList
NewAccessList creates a new AccessList.
func (*AccessList) AddNodeBitmask ¶ added in v4.0.1
func (a *AccessList) AddNodeBitmask(id string, b Bitmask)
AddNodeBitmask appends a node bitmask to the internal list
func (*AccessList) AppendACLs ¶ added in v4.0.1
func (a *AccessList) AppendACLs(aa ...*idm.ACL)
AppendACLs appends an additional list of ACLs.
func (*AccessList) AppendClaimsScopes ¶
func (a *AccessList) AppendClaimsScopes(ss []string)
AppendClaimsScopes appends some specific permissions passed through claims. Currently only strings like "node:uuid:perm" are supported
func (*AccessList) AppendFrontACLs ¶ added in v4.0.1
func (a *AccessList) AppendFrontACLs(aa ...*idm.ACL)
AppendFrontACLs appends an additional list of front-related ACLs.
func (*AccessList) AppendRoles ¶ added in v4.0.1
func (a *AccessList) AppendRoles(rr ...*idm.Role)
AppendRoles appends one or more roles. They are kept in order, which is very important.
func (*AccessList) BelongsToWorkspaces ¶
func (a *AccessList) BelongsToWorkspaces(ctx context.Context, nodes ...*tree.Node) (workspaces []*idm.Workspace, workspacesRoots map[string]string)
BelongsToWorkspaces finds corresponding workspace parents for this node.
func (*AccessList) CanReadPath ¶
func (a *AccessList) CanReadPath(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool
CanReadPath checks if a node has READ access based on its Path
func (*AccessList) CanReadWithResolver ¶
func (a *AccessList) CanReadWithResolver(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool
CanReadWithResolver checks if a node has READ access, using VirtualPathResolver if necessary
func (*AccessList) CanWritePath ¶
func (a *AccessList) CanWritePath(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool
CanWritePath checks if a node has WRITE access based on its path.
func (*AccessList) CanWriteWithResolver ¶
func (a *AccessList) CanWriteWithResolver(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool
CanWriteWithResolver checks if a node has WRITE access, using VirtualPathResolver if necessary.
func (*AccessList) DetectedWsRights ¶ added in v4.0.1
func (a *AccessList) DetectedWsRights(ctx context.Context) map[string]SimpleRight
DetectedWsRights retrieves a map of accessible workspaces.
func (*AccessList) Flatten ¶
func (a *AccessList) Flatten(ctx context.Context)
Flatten performs actual flatten.
func (*AccessList) FlattenedFrontValues ¶
func (a *AccessList) FlattenedFrontValues() configx.Values
FlattenedFrontValues generates a configx.Values with frontend actions/parameters configs
func (*AccessList) GetNodesBitmasks ¶
func (a *AccessList) GetNodesBitmasks() map[string]Bitmask
GetNodesBitmasks returns internal bitmask
func (*AccessList) GetRoles ¶ added in v4.0.1
func (a *AccessList) GetRoles() []*idm.Role
GetRoles returns ordered list of roles
func (*AccessList) GetWorkspaces ¶ added in v4.0.1
func (a *AccessList) GetWorkspaces() map[string]*idm.Workspace
GetWorkspaces returns internally stored workspaces
func (*AccessList) GetWorkspacesRoots ¶ added in v4.0.1
func (a *AccessList) GetWorkspacesRoots() map[string]map[string]Bitmask
GetWorkspacesRoots gets detected workspace root nodes that are then used to populate the Workspace keys.
func (*AccessList) HasExplicitDeny ¶
func (a *AccessList) HasExplicitDeny(ctx context.Context, flag BitmaskFlag, nodes ...*tree.Node) bool
func (*AccessList) HasPolicyBasedAcls ¶
func (a *AccessList) HasPolicyBasedAcls() bool
HasPolicyBasedAcls checks if there are policy based acls.
func (*AccessList) LoadWorkspaces ¶ added in v4.0.1
func (a *AccessList) LoadWorkspaces(ctx context.Context, loader WsLoader) error
LoadWorkspaces loads actual idm.Workspace objects using a WsLoader
func (*AccessList) ReplicateBitmask ¶
func (a *AccessList) ReplicateBitmask(fromUuid, toUuid string, replaceInRoots ...bool) bool
ReplicateBitmask copies a bitmask value from one position to another
func (*AccessList) Zap ¶
func (a *AccessList) Zap() zapcore.Field
Zap simply returns a zapcore.Field object populated with this aggregated AccessList under a standard key
type Bitmask ¶
type Bitmask struct { BitmaskFlag PolicyIds map[string]string ValueFlags map[BitmaskFlag]string }
func (*Bitmask) AddPolicyFlag ¶
AddPolicyFlag adds a policy flag and stacks policies.
func (*Bitmask) AddValueFlag ¶
func (f *Bitmask) AddValueFlag(flag BitmaskFlag, value string)
AddValueFlag stores the value of a BitmaskFlag.
func (*Bitmask) HasFlag ¶
HasFlag checks if current bitmask matches a given flag. If bitmask has a Policy Flag, it will extract metadata from context and from nodes and use the PolicyResolver to dynamically test these properties.
func (*Bitmask) HasPolicyExplicitDeny ¶
func (f *Bitmask) HasPolicyExplicitDeny(ctx context.Context, flag BitmaskFlag, ctxNodes ...*tree.Node) bool
HasPolicyExplicitDeny checks if current bitmask matches a specific flag with Deny. If bitmask has a Policy Flag, it will extract metadata from context and from nodes and use the PolicyResolver to dynamically test these properties.
type BitmaskFlag ¶
type BitmaskFlag uint32
const ( FlagRead BitmaskFlag = 1 << iota FlagWrite FlagDeny FlagList FlagDelete FlagPolicy FlagQuota FlagLock FlagDownload FlagUpload FlagSync )
type CachedAccessList ¶ added in v4.0.1
type LockSession ¶
type LockSession struct {
// contains filtered or unexported fields
}
func NewLockSession ¶
func NewLockSession(nodeUUID, sessionUUID string, expireAfter time.Duration) *LockSession
NewLockSession creates a new LockSession object
func (*LockSession) AddChildTarget ¶
func (l *LockSession) AddChildTarget(parentUUID, targetChildName string)
func (*LockSession) Lock ¶
func (l *LockSession) Lock(ctx context.Context) error
Lock sets an expirable lock ACL on the NodeUUID with SessionUUID as value
func (*LockSession) Unlock ¶
func (l *LockSession) Unlock(ctx context.Context) error
Unlock manually removes the ACL
func (*LockSession) UpdateExpiration ¶
UpdateExpiration set a new expiration date on the current lock
type PolicyResolver ¶
type PolicyResolver func(ctx context.Context, request *idm.PolicyEngineRequest, explicitOnly bool) (*idm.PolicyEngineResponse, error)
PolicyResolver implements the check of an object against a set of ACL policies
type SessionLocker ¶
type SimpleRight ¶ added in v4.0.1
SimpleRight is a tool struct to compute SimpleRight strings
func (*SimpleRight) IsAccessible ¶ added in v4.0.1
func (r *SimpleRight) IsAccessible() bool
func (*SimpleRight) String ¶ added in v4.0.1
func (r *SimpleRight) String() string
func (*SimpleRight) UserStateString ¶ added in v4.0.1
func (r *SimpleRight) UserStateString() string
type VirtualPathResolver ¶
VirtualPathResolver must be able to load virtual nodes based on their UUID