permissions

Overview

Package permissions provides high-level tools for computing permissions from ACLs

Index

Constants

// Front workspace scope identifiers. The values are the literal scope
// strings; presumably these are the scopes computed by
// FrontValuesScopesFromWorkspaces when front plugin configuration is
// resolved — confirm against that function's body.
const (
	FrontWsScopeAll    = "PYDIO_REPO_SCOPE_ALL"
	FrontWsScopeShared = "PYDIO_REPO_SCOPE_SHARED"
)
// Keys under which node metadata is exposed to policy evaluation.
// PolicyContextFromNode enriches a policy context with node metadata;
// these are presumably the keys it writes — verify in that function.
// PolicyNodeMeta_ is the common "NodeMeta:" prefix (note the trailing
// colon), not a complete key on its own.
const (
	PolicyNodeMetaName      = "NodeMetaName"
	PolicyNodeMetaPath      = "NodeMetaPath"
	PolicyNodeMetaType      = "NodeMetaType"
	PolicyNodeMetaExtension = "NodeMetaExtension"
	PolicyNodeMetaSize      = "NodeMetaSize"
	PolicyNodeMetaMTime     = "NodeMetaMTime"
	PolicyNodeMeta_         = "NodeMeta:"
)

Variables

// Well-known ACL actions used by this package when querying and
// building ACLs (see GetACLsForActions). Only read, write, deny and
// recycle_root carry a fixed Value of "1"; the others are matched by
// Name alone. The "action:*" and "parameter:*" entries are wildcard
// names for front-related ACLs (see AccessListLoadFrontValues).
//
// AclWsrootActionName is a plain string, not an *idm.ACLAction,
// unlike its neighbours.
//
// ResolvePolicyRequest is mutable package-level state: it is the
// PolicyResolver that policy-based checks (Bitmask.HasFlag and
// Bitmask.HasPolicyExplicitDeny) appear to rely on. It is nil until
// assigned; callers should set it once at initialisation, and
// anything that assigns it effectively controls policy-based
// authorisation decisions — confirm the nil handling in HasFlag.
var (
	AclRead              = &idm.ACLAction{Name: "read", Value: "1"}
	AclWrite             = &idm.ACLAction{Name: "write", Value: "1"}
	AclDeny              = &idm.ACLAction{Name: "deny", Value: "1"}
	AclPolicy            = &idm.ACLAction{Name: "policy"}
	AclQuota             = &idm.ACLAction{Name: "quota"}
	AclLock              = &idm.ACLAction{Name: "lock"}
	AclChildLock         = &idm.ACLAction{Name: "child_lock"}
	AclContentLock       = &idm.ACLAction{Name: "content_lock"}
	AclFrontAction_      = &idm.ACLAction{Name: "action:*"}
	AclFrontParam_       = &idm.ACLAction{Name: "parameter:*"}
	AclWsrootActionName  = "workspace-path"
	AclRecycleRoot       = &idm.ACLAction{Name: "recycle_root", Value: "1"}
	ResolvePolicyRequest PolicyResolver
)
// NamesToFlags and FlagsToNames map ACL action names to BitmaskFlag
// bits and back. The two maps are exact inverses and must be kept in
// sync by hand whenever a flag is added. Note the one naming
// asymmetry: the ACL action "remove" maps to FlagDelete. Actions not
// listed here (e.g. child_lock, content_lock, recycle_root) have no
// bit and are therefore not representable in a Bitmask.
var (
	NamesToFlags = map[string]BitmaskFlag{
		"read":     FlagRead,
		"write":    FlagWrite,
		"deny":     FlagDeny,
		"list":     FlagList,
		"remove":   FlagDelete,
		"policy":   FlagPolicy,
		"quota":    FlagQuota,
		"lock":     FlagLock,
		"download": FlagDownload,
		"upload":   FlagUpload,
		"sync":     FlagSync,
	}

	FlagsToNames = map[BitmaskFlag]string{
		FlagRead:     "read",
		FlagWrite:    "write",
		FlagDeny:     "deny",
		FlagList:     "list",
		FlagDelete:   "remove",
		FlagPolicy:   "policy",
		FlagQuota:    "quota",
		FlagLock:     "lock",
		FlagDownload: "download",
		FlagUpload:   "upload",
		FlagSync:     "sync",
	}
)

Functions

func AccessListLoadFrontValues

func AccessListLoadFrontValues(ctx context.Context, accessList *AccessList) error

AccessListLoadFrontValues loads all ACLs starting with actions: and parameters: for the current list of ordered roles

func BulkReadDefaultRights

func BulkReadDefaultRights(ctx context.Context, uuids []string, wss map[string]*idm.Workspace) error

BulkReadDefaultRights matches ROOT_GROUP ACLs and sets them as Workspace Attributes "DEFAULT_RIGHTS". It is a batch version of ManageDefaultRights in read mode.

func CachedPoliciesChecker

func CachedPoliciesChecker(ctx context.Context, resType string, requestContext map[string]string) (ladon.Warden, error)

func CheckContentLock

func CheckContentLock(ctx context.Context, node *tree.Node) error

CheckContentLock finds if there is a global lock registered in ACLs.

func CheckDefinedRootsForWorkspace

func CheckDefinedRootsForWorkspace(ctx context.Context, ws *idm.Workspace, resolver VirtualPathResolver) error

CheckDefinedRootsForWorkspace reads roots from tree service

func ClearCachedPolicies

func ClearCachedPolicies(ctx context.Context, resType string)

ClearCachedPolicies empties local cache

func ExtractDefaultRights

func ExtractDefaultRights(ctx context.Context, workspace *idm.Workspace) (string, string)

ExtractDefaultRights loads known workspace attributes, extracts defaultRights and quotaValue as strings and removes them from the attributes map

func FindUserNameInContext

func FindUserNameInContext(ctx context.Context) (string, claim.Claims)

func ForceClearUserCache

func ForceClearUserCache(ctx context.Context, login string)

func FrontValuesScopesFromWorkspaceRelativePaths

func FrontValuesScopesFromWorkspaceRelativePaths(wss []*tree.WorkspaceRelativePath) (scopes []string)

FrontValuesScopesFromWorkspaceRelativePaths computes scopes to check when retrieving front plugin configuration, based on a list of N.AppearsIn workspaces descriptions

func FrontValuesScopesFromWorkspaces

func FrontValuesScopesFromWorkspaces(wss []*idm.Workspace) (scopes []string)

FrontValuesScopesFromWorkspaces computes scopes to check when retrieving front plugin configuration

func GetACLsForActions

func GetACLsForActions(ctx context.Context, actions ...*idm.ACLAction) ([]*idm.ACL, error)

GetACLsForActions find all ACLs for a given list of actions

func GetACLsForRoles

func GetACLsForRoles(ctx context.Context, roles []*idm.Role, actions ...*idm.ACLAction) ([]*idm.ACL, error)

GetACLsForRoles compiles ACLs for a list of roles.

func GetACLsForWorkspace

func GetACLsForWorkspace(ctx context.Context, workspaceIds []string, actions ...*idm.ACLAction) ([]*idm.ACL, error)

GetACLsForWorkspace compiles ACLs list attached to a given workspace.

func GetRoles

func GetRoles(ctx context.Context, names []string) ([]*idm.Role, error)

GetRoles loads Role objects from a list of role names.

func GetRolesForUser

func GetRolesForUser(ctx context.Context, user *idm.User, createMissing bool) ([]*idm.Role, error)

GetRolesForUser loads the roles of a given user.

func GroupExists

func GroupExists(ctx context.Context, group string) (*idm.User, bool)

GroupExists finds a group by its full path

func HasChildLocks

func HasChildLocks(ctx context.Context, node *tree.Node) bool

func IsUserLocked

func IsUserLocked(user *idm.User) bool

IsUserLocked checks if the passed user has a logout attribute defined.

func LoadRootNodesForWorkspaces

func LoadRootNodesForWorkspaces(ctx context.Context, wsUUIDs []string, wss map[string]*idm.Workspace, resolver VirtualPathResolver) error

LoadRootNodesForWorkspaces finds all root nodes based on the ACLs

func LocalACLPoliciesResolver

func LocalACLPoliciesResolver(ctx context.Context, request *idm.PolicyEngineRequest, explicitOnly bool) (*idm.PolicyEngineResponse, error)

func ManageDefaultRights

func ManageDefaultRights(ctx context.Context, workspace *idm.Workspace, read bool, rightsValue string, newQuota string) error

ManageDefaultRights either reads or writes default rights by transforming ACLs into workspace attributes back and forth. For reading on many workspaces, use BulkReadDefaultRights instead.

func PolicyContextFromClaims

func PolicyContextFromClaims(policyContext map[string]string, ctx context.Context)

func PolicyContextFromMetadata

func PolicyContextFromMetadata(policyContext map[string]string, ctx context.Context)

PolicyContextFromMetadata extracts metadata directly from the context and enriches the passed policyContext.

func PolicyContextFromNode

func PolicyContextFromNode(policyContext map[string]string, node *tree.Node)

PolicyContextFromNode extracts metadata from the node and enriches the passed policyContext.

func PolicyRequestSubjectsFromClaims

func PolicyRequestSubjectsFromClaims(claims claim.Claims) []string

PolicyRequestSubjectsFromClaims builds an array of string subjects from the passed Claims.

func PolicyRequestSubjectsFromUser

func PolicyRequestSubjectsFromUser(user *idm.User) []string

PolicyRequestSubjectsFromUser builds an array of string subjects from the passed User.

func RunJavaScript

func RunJavaScript(ctx context.Context, script string, inputs map[string]interface{}, outputs map[string]interface{}) error

func SearchUniqueUser

func SearchUniqueUser(ctx context.Context, login string, uuid string, queries ...*idm.UserSingleQuery) (user *idm.User, err error)

SearchUniqueUser provides a shortcut to search user services for one specific user.

func SearchUniqueWorkspace

func SearchUniqueWorkspace(ctx context.Context, wsUuid string, wsSlug string, queries ...*idm.WorkspaceSingleQuery) (*idm.Workspace, error)

SearchUniqueWorkspace is a wrapper of SearchWorkspace to load a unique workspace

func StoreRootNodesAsACLs

func StoreRootNodesAsACLs(ctx context.Context, ws *idm.Workspace, update bool) error

StoreRootNodesAsACLs transforms a list of RootNodes into a list of ACLs and stores them.

Types

type AccessList

// AccessList is the merged, bitmask-based view of every ACL a user
// has access to. It is normally obtained through AccessListFromUser,
// AccessListFromRoles or AccessListFromContextClaims rather than
// built by hand; NewAccessList only seeds it with an ordered role
// list, and AppendRoles documents that role order matters.
type AccessList struct {
	// contains filtered or unexported fields
}

AccessList is a merged representation of all ACLs that a user has access to. ACLs are merged using a Bitmask form to ease flag detection and comparison.

func AccessListForLockedNodes

func AccessListForLockedNodes(ctx context.Context, resolver VirtualPathResolver) (accessList *AccessList, err error)

AccessListForLockedNodes builds a flattened node list containing all currently locked nodes

func AccessListFromContextClaims

func AccessListFromContextClaims(ctx context.Context) (accessList *AccessList, err error)

AccessListFromContextClaims uses package function to compile ACL and Workspaces for a given user ( = list of roles inside the Claims)

func AccessListFromRoles

func AccessListFromRoles(ctx context.Context, roles []*idm.Role, countPolicies bool, loadWorkspaces bool) (accessList *AccessList, err error)

AccessListFromRoles loads the ACLs and flattens them, optionally loading the discovered workspaces.

func AccessListFromUser

func AccessListFromUser(ctx context.Context, userNameOrUuid string, isUuid bool) (accessList *AccessList, user *idm.User, err error)

AccessListFromUser loads roles for a given user, by name or UUID, and subsequently calls AccessListFromRoles

func NewAccessList

func NewAccessList(roles ...*idm.Role) *AccessList

NewAccessList creates a new AccessList.

func (*AccessList) AddNodeBitmask

func (a *AccessList) AddNodeBitmask(id string, b Bitmask)

AddNodeBitmask appends a node bitmask to the internal list

func (*AccessList) AppendACLs

func (a *AccessList) AppendACLs(aa ...*idm.ACL)

AppendACLs appends an additional list of ACLs.

func (*AccessList) AppendClaimsScopes

func (a *AccessList) AppendClaimsScopes(ss []string)

AppendClaimsScopes appends some specific permissions passed through claims. Currently only strings like "node:uuid:perm" are supported

func (*AccessList) AppendFrontACLs

func (a *AccessList) AppendFrontACLs(aa ...*idm.ACL)

AppendFrontACLs appends an additional list of front-related ACLs.

func (*AccessList) AppendRoles

func (a *AccessList) AppendRoles(rr ...*idm.Role)

AppendRoles appends one or more roles. They are kept in order, which is very important.

func (*AccessList) BelongsToWorkspaces

func (a *AccessList) BelongsToWorkspaces(ctx context.Context, nodes ...*tree.Node) (workspaces []*idm.Workspace, workspacesRoots map[string]string)

BelongsToWorkspaces finds corresponding workspace parents for this node.

func (*AccessList) CanRead

func (a *AccessList) CanRead(ctx context.Context, nodes ...*tree.Node) bool

CanRead checks if a node has READ access.

func (*AccessList) CanReadPath

func (a *AccessList) CanReadPath(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool

CanReadPath checks if a node has READ access based on its Path

func (*AccessList) CanReadWithResolver

func (a *AccessList) CanReadWithResolver(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool

CanReadWithResolver checks if a node has READ access, using VirtualPathResolver if necessary

func (*AccessList) CanWrite

func (a *AccessList) CanWrite(ctx context.Context, nodes ...*tree.Node) bool

CanWrite checks if a node has WRITE access.

func (*AccessList) CanWritePath

func (a *AccessList) CanWritePath(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool

CanWritePath checks if a node has WRITE access based on its path.

func (*AccessList) CanWriteWithResolver

func (a *AccessList) CanWriteWithResolver(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool

CanWriteWithResolver checks if a node has WRITE access, using VirtualPathResolver if necessary.

func (*AccessList) DetectedWsRights

func (a *AccessList) DetectedWsRights(ctx context.Context) map[string]SimpleRight

DetectedWsRights retrieves a map of accessible workspaces.

func (*AccessList) Flatten

func (a *AccessList) Flatten(ctx context.Context)

Flatten performs actual flatten.

func (*AccessList) FlattenedFrontValues

func (a *AccessList) FlattenedFrontValues() configx.Values

FlattenedFrontValues generates a configx.Values with frontend actions/parameters configs

func (*AccessList) GetNodesBitmasks

func (a *AccessList) GetNodesBitmasks() map[string]Bitmask

GetNodesBitmasks returns internal bitmask

func (*AccessList) GetRoles

func (a *AccessList) GetRoles() []*idm.Role

GetRoles returns ordered list of roles

func (*AccessList) GetWorkspaces

func (a *AccessList) GetWorkspaces() map[string]*idm.Workspace

GetWorkspaces returns internally stored workspaces

func (*AccessList) GetWorkspacesRoots

func (a *AccessList) GetWorkspacesRoots() map[string]map[string]Bitmask

GetWorkspacesRoots gets detected workspace root nodes that are then used to populate the Workspace keys.

func (*AccessList) HasExplicitDeny

func (a *AccessList) HasExplicitDeny(ctx context.Context, flag BitmaskFlag, nodes ...*tree.Node) bool

func (*AccessList) HasPolicyBasedAcls

func (a *AccessList) HasPolicyBasedAcls() bool

HasPolicyBasedAcls checks if there are policy based acls.

func (*AccessList) IsLocked

func (a *AccessList) IsLocked(ctx context.Context, nodes ...*tree.Node) bool

IsLocked checks if a node bitmask has a FlagLock value.

func (*AccessList) LoadWorkspaces

func (a *AccessList) LoadWorkspaces(ctx context.Context, loader WsLoader) error

LoadWorkspaces loads actual idm.Workspace objects using a WsLoader

func (*AccessList) ReplicateBitmask

func (a *AccessList) ReplicateBitmask(ctx context.Context, fromUuid, toUuid string, replaceInRoots ...bool) bool

ReplicateBitmask copies a bitmask value from one position to another

func (*AccessList) Zap

func (a *AccessList) Zap() zapcore.Field

Zap simply returns a zapcore.Field object populated with this aggregated AccessList under a standard key

type Bitmask

// Bitmask is the merged permission set attached to one node (or
// workspace root) in an AccessList.
//
// The embedded BitmaskFlag holds the plain on/off flags (see AddFlag).
// PolicyIds accumulates the policy identifiers added through
// AddPolicyFlag; when FlagPolicy is set, HasFlag and
// HasPolicyExplicitDeny evaluate them dynamically through the
// PolicyResolver instead of answering from the bits alone.
// ValueFlags stores a string value per flag (see AddValueFlag), e.g.
// for flags that carry data such as quota or lock.
// Both maps are nil on the zero value; check the Add* methods for
// whether they allocate lazily before writing to a zero Bitmask.
type Bitmask struct {
	BitmaskFlag
	PolicyIds  map[string]string
	ValueFlags map[BitmaskFlag]string
}

func (*Bitmask) AddFlag

func (f *Bitmask) AddFlag(flag BitmaskFlag)

AddFlag adds a simple flag.

func (*Bitmask) AddPolicyFlag

func (f *Bitmask) AddPolicyFlag(policyId string)

AddPolicyFlag adds a policy flag and stacks policies.

func (*Bitmask) AddValueFlag

func (f *Bitmask) AddValueFlag(flag BitmaskFlag, value string)

AddValueFlag stores the value of a BitmaskFlag.

func (*Bitmask) HasFlag

func (f *Bitmask) HasFlag(ctx context.Context, flag BitmaskFlag, ctxNodes ...*tree.Node) bool

HasFlag checks if current bitmask matches a given flag. If bitmask has a Policy Flag, it will extract metadata from context and from nodes and use the PolicyResolver to dynamically test these properties.

func (*Bitmask) HasPolicyExplicitDeny

func (f *Bitmask) HasPolicyExplicitDeny(ctx context.Context, flag BitmaskFlag, ctxNodes ...*tree.Node) bool

HasPolicyExplicitDeny checks if current bitmask matches a specific flag with Deny. If bitmask has a Policy Flag, it will extract metadata from context and from nodes and use the PolicyResolver to dynamically test these properties.

type BitmaskFlag

// BitmaskFlag is a 32-bit set of permission bits. Each constant below
// occupies exactly one bit (1 << iota), so flags combine with | and
// are tested with &. Eleven bits are currently used. FlagDeny is an
// explicit deny bit rather than the absence of a grant; FlagPolicy
// marks a mask whose final answer depends on policy evaluation (see
// Bitmask.HasFlag). String names for each bit live in FlagsToNames.
type BitmaskFlag uint32
const (
	FlagRead BitmaskFlag = 1 << iota
	FlagWrite
	FlagDeny
	FlagList
	FlagDelete
	FlagPolicy
	FlagQuota
	FlagLock
	FlagDownload
	FlagUpload
	FlagSync
)

type CachedAccessList

// CachedAccessList is an exported-field mirror of an AccessList's
// internal state, presumably so a computed list can be serialised
// into a cache and restored (the package exposes ForceClearUserCache)
// — confirm against the conversion code. Field names suggest:
// Wss/WssRootsMasks hold the loaded workspaces and their root-node
// masks, OrderedRoles the roles in resolution order (order matters,
// see AccessList.AppendRoles), WsACLs/FrontACLs the raw ACLs,
// MasksByUUIDs/MasksByPaths the flattened per-node masks, and
// ClaimsScopes the extra "node:uuid:perm" grants appended through
// AppendClaimsScopes, with HasClaimsScopes flagging their presence.
type CachedAccessList struct {
	Wss             map[string]*idm.Workspace
	WssRootsMasks   map[string]map[string]Bitmask
	OrderedRoles    []*idm.Role
	WsACLs          []*idm.ACL
	FrontACLs       []*idm.ACL
	MasksByUUIDs    map[string]Bitmask
	MasksByPaths    map[string]Bitmask
	ClaimsScopes    map[string]Bitmask
	HasClaimsScopes bool
}

type JsRequest

// JsRequest carries request attributes exposed to scripts run through
// RunJavaScript — presumably as one of its inputs; confirm the key it
// is registered under. UserAgent and UserIP are client-supplied
// values, so a script should treat them as untrusted text.
type JsRequest struct {
	UserAgent string
	UserIP    string
}

type JsUser

// JsUser is a flattened view of a user exposed to scripts run through
// RunJavaScript — presumably as one of its inputs; confirm the key it
// is registered under. GroupPath is the full group path (the form
// GroupExists looks up) while GroupFlat is a flattened variant; Roles
// lists role identifiers as strings. Exact formats of GroupFlat and
// Roles are not visible here — check the code that builds the value.
type JsUser struct {
	Uuid        string
	Name        string
	GroupPath   string
	GroupFlat   string
	Profile     string
	DisplayName string
	Email       string
	AuthSource  string
	Roles       []string
}

type LockSession

// LockSession is the concrete SessionLocker: it holds a node UUID, a
// session UUID and an expiry duration (see NewLockSession) and
// materialises the lock as an expirable lock ACL whose value is the
// session UUID (see Lock). Construct it with NewLockSession; the zero
// value has no node or session and is not usable.
type LockSession struct {
	// contains filtered or unexported fields
}

func NewLockSession

func NewLockSession(nodeUUID, sessionUUID string, expireAfter time.Duration) *LockSession

NewLockSession creates a new LockSession object

func (*LockSession) AddChildTarget

func (l *LockSession) AddChildTarget(parentUUID, targetChildName string)

func (*LockSession) Lock

func (l *LockSession) Lock(ctx context.Context) error

Lock sets an expirable lock ACL on the NodeUUID with SessionUUID as value

func (*LockSession) Unlock

func (l *LockSession) Unlock(ctx context.Context) error

Unlock manually removes the ACL

func (*LockSession) UpdateExpiration

func (l *LockSession) UpdateExpiration(ctx context.Context, expireAfter time.Duration) error

UpdateExpiration sets a new expiration date on the current lock

type PolicyResolver

// PolicyResolver evaluates a PolicyEngineRequest against the ACL
// policies and returns the engine's response. explicitOnly restricts
// the evaluation to explicit rules (its precise effect is defined by
// the implementation, e.g. LocalACLPoliciesResolver). The package-
// level ResolvePolicyRequest variable holds the resolver used by
// Bitmask.HasFlag and Bitmask.HasPolicyExplicitDeny.
type PolicyResolver func(ctx context.Context, request *idm.PolicyEngineRequest, explicitOnly bool) (*idm.PolicyEngineResponse, error)

PolicyResolver implements the check of an object against a set of ACL policies

type SessionLocker

// SessionLocker is the behaviour of an expirable, session-scoped node
// lock, implemented by *LockSession. Lock stores the lock, Unlock
// removes it manually, UpdateExpiration moves its expiry, and
// AddChildTarget registers a child name under a parent that the lock
// should also cover (compare HasChildLocks). Errors from the three
// context-taking methods come from the underlying ACL service.
type SessionLocker interface {
	Lock(ctx context.Context) error
	UpdateExpiration(ctx context.Context, expireAfter time.Duration) error
	Unlock(ctx context.Context) error
	AddChildTarget(parentUUID, targetChildName string)
}

type SimpleRight

// SimpleRight is the coarse read/write summary of a workspace as seen
// by one AccessList (see AccessList.DetectedWsRights). IsAccessible,
// String and UserStateString derive their answers from these two
// booleans; the exact strings they produce are defined in the
// methods, not here.
type SimpleRight struct {
	Read  bool
	Write bool
}

SimpleRight is a tool struct to compute SimpleRight strings

func (*SimpleRight) IsAccessible

func (r *SimpleRight) IsAccessible() bool

func (*SimpleRight) String

func (r *SimpleRight) String() string

func (*SimpleRight) UserStateString

func (r *SimpleRight) UserStateString() string

type VirtualPathResolver

// VirtualPathResolver resolves a virtual node to the concrete node it
// stands for. It returns the resolved node and true, or false when
// the input is not a virtual node it knows about; callers such as
// CanReadWithResolver and CanWriteWithResolver then fall back to the
// node as given. Which of the two results is meaningful on false is
// implementation-defined — do not use the node when ok is false.
type VirtualPathResolver func(context.Context, *tree.Node) (*tree.Node, bool)

VirtualPathResolver must be able to load virtual nodes based on their UUID

type WsLoader

// WsLoader loads idm.Workspace objects for a set of workspace UUIDs;
// AccessList.LoadWorkspaces uses it to turn the UUIDs discovered in
// ACLs into full workspace objects. Whether unknown UUIDs produce an
// error or are silently omitted from the result is up to the loader.
type WsLoader func(ctx context.Context, uuids []string) ([]*idm.Workspace, error)

WsLoader is a resolver for loading workspaces by their UUIDs
