permissions

package
v2.3.3+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 9, 2021 License: AGPL-3.0 Imports: 33 Imported by: 346

Documentation

Overview

Package permissions provides high-level tools for computing permissions from ACLs

Index

Constants

View Source
const (
	FrontWsScopeAll    = "PYDIO_REPO_SCOPE_ALL"
	FrontWsScopeShared = "PYDIO_REPO_SCOPE_SHARED"
)
View Source
const (
	PolicyNodeMetaName      = "NodeMetaName"
	PolicyNodeMetaPath      = "NodeMetaPath"
	PolicyNodeMetaType      = "NodeMetaType"
	PolicyNodeMetaExtension = "NodeMetaExtension"
	PolicyNodeMetaSize      = "NodeMetaSize"
	PolicyNodeMetaMTime     = "NodeMetaMTime"
	PolicyNodeMeta_         = "NodeMeta:"
)

Variables

View Source
var (
	AclRead              = &idm.ACLAction{Name: "read", Value: "1"}
	AclWrite             = &idm.ACLAction{Name: "write", Value: "1"}
	AclDeny              = &idm.ACLAction{Name: "deny", Value: "1"}
	AclPolicy            = &idm.ACLAction{Name: "policy"}
	AclQuota             = &idm.ACLAction{Name: "quota"}
	AclLock              = &idm.ACLAction{Name: "lock"}
	AclChildLock         = &idm.ACLAction{Name: "child_lock"}
	AclContentLock       = &idm.ACLAction{Name: "content_lock"}
	AclFrontAction_      = &idm.ACLAction{Name: "action:*"}
	AclFrontParam_       = &idm.ACLAction{Name: "parameter:*"}
	AclWsrootActionName  = "workspace-path"
	AclRecycleRoot       = &idm.ACLAction{Name: "recycle_root", Value: "1"}
	ResolvePolicyRequest PolicyResolver
)
View Source
var (
	NamesToFlags = map[string]BitmaskFlag{
		"read":     FlagRead,
		"write":    FlagWrite,
		"deny":     FlagDeny,
		"list":     FlagList,
		"remove":   FlagDelete,
		"policy":   FlagPolicy,
		"quota":    FlagQuota,
		"lock":     FlagLock,
		"download": FlagDownload,
		"upload":   FlagUpload,
		"sync":     FlagSync,
	}

	FlagsToNames = map[BitmaskFlag]string{
		FlagRead:     "read",
		FlagWrite:    "write",
		FlagDeny:     "deny",
		FlagList:     "list",
		FlagDelete:   "remove",
		FlagPolicy:   "policy",
		FlagQuota:    "quota",
		FlagLock:     "lock",
		FlagDownload: "download",
		FlagUpload:   "upload",
		FlagSync:     "sync",
	}
)

Functions

func AccessListLoadFrontValues

func AccessListLoadFrontValues(ctx context.Context, accessList *AccessList) error

AccessListLoadFrontValues loads all ACLs starting with actions: and parameters: for the current list of ordered roles

func CachedPoliciesChecker

func CachedPoliciesChecker(ctx context.Context, resType string) (ladon.Warden, error)

func CheckContentLock

func CheckContentLock(ctx context.Context, node *tree.Node) error

CheckContentLock finds if there is a global lock registered in ACLs.

func FindUserNameInContext

func FindUserNameInContext(ctx context.Context) (string, claim.Claims)

func ForceClearUserCache

func ForceClearUserCache(login string)

func FrontValuesScopesFromWorkspaceRelativePaths

func FrontValuesScopesFromWorkspaceRelativePaths(wss []*tree.WorkspaceRelativePath) (scopes []string)

FrontValuesScopesFromWorkspaceRelativePaths computes scopes to check when retrieving front plugin configuration, based on a list of Node.AppearsIn workspaces descriptions

func FrontValuesScopesFromWorkspaces

func FrontValuesScopesFromWorkspaces(wss []*idm.Workspace) (scopes []string)

FrontValuesScopesFromWorkspaces computes scopes to check when retrieving front plugin configuration

func GetACLsForActions

func GetACLsForActions(ctx context.Context, actions ...*idm.ACLAction) (acls []*idm.ACL, err error)

func GetACLsForRoles

func GetACLsForRoles(ctx context.Context, roles []*idm.Role, actions ...*idm.ACLAction) []*idm.ACL

GetACLsForRoles compiles ALCs for a list of roles.

func GetACLsForWorkspace

func GetACLsForWorkspace(ctx context.Context, workspaceIds []string, actions ...*idm.ACLAction) (acls []*idm.ACL, err error)

GetACLsForWorkspace compiles ACLs list attached to a given workspace.

func GetRoles

func GetRoles(ctx context.Context, names []string) []*idm.Role

GetRoles Objects from a list of role names.

func GetRolesForUser

func GetRolesForUser(ctx context.Context, user *idm.User, createMissing bool) []*idm.Role

GetRolesForUser loads the roles of a given user.

func GetWorkspacesForACLs

func GetWorkspacesForACLs(ctx context.Context, list *AccessList) []*idm.Workspace

GetWorkspacesForACLs computes a list of accessible workspaces, given a set of Read and Deny ACLs.

func HasChildLocks

func HasChildLocks(ctx context.Context, node *tree.Node) bool

func IsUserLocked

func IsUserLocked(user *idm.User) bool

IsUserLocked checks if the passed user has a logout attribute defined.

func LocalACLPoliciesResolver

func LocalACLPoliciesResolver(ctx context.Context, request *idm.PolicyEngineRequest, explicitOnly bool) (*idm.PolicyEngineResponse, error)

func PolicyContextFromMetadata

func PolicyContextFromMetadata(policyContext map[string]string, ctx context.Context)

PolicyContextFromMetadata extracts metadata directly from the context and enriches the passed policyContext.

func PolicyContextFromNode

func PolicyContextFromNode(policyContext map[string]string, node *tree.Node)

PolicyContextFromNode extracts metadata from the Node and enriches the passed policyContext.

func PolicyRequestSubjectsFromClaims

func PolicyRequestSubjectsFromClaims(claims claim.Claims) []string

PolicyRequestSubjectsFromClaims builds an array of string subjects from the passed Claims.

func PolicyRequestSubjectsFromUser

func PolicyRequestSubjectsFromUser(user *idm.User) []string

PolicyRequestSubjectsFromUser builds an array of string subjects from the passed User.

func RunJavaScript

func RunJavaScript(ctx context.Context, script string, inputs map[string]interface{}, outputs map[string]interface{}) error

func SearchUniqueUser

func SearchUniqueUser(ctx context.Context, login string, uuid string, queries ...*idm.UserSingleQuery) (user *idm.User, err error)

SearchUniqueUser provides a shortcurt to search user services for one specific user.

Types

type AccessList

type AccessList struct {
	Workspaces         map[string]*idm.Workspace
	Acls               []*idm.ACL
	NodesAcls          map[string]Bitmask
	WorkspacesNodes    map[string]map[string]Bitmask
	OrderedRoles       []*idm.Role
	FrontPluginsValues []*idm.ACL
	// contains filtered or unexported fields
}

AccessList is a merged representation of all ACLs that a user has access to. ACLs are merged using a Bitmask form to ease flags detections and comparisons.

func AccessListForLockedNodes

func AccessListForLockedNodes(ctx context.Context, resolver VirtualPathResolver) (accessList *AccessList, err error)

AccessListForLockedNodes builds a flattened node list containing all currently locked nodes

func AccessListFromContextClaims

func AccessListFromContextClaims(ctx context.Context) (accessList *AccessList, err error)

AccessListFromContextClaims uses package function to compile ACL and Workspaces for a given user ( = list of roles inside the Claims)

func AccessListFromRoles

func AccessListFromRoles(ctx context.Context, roles []*idm.Role, countPolicies bool, loadWorkspaces bool) (accessList *AccessList, err error)

AccessListFromRoles loads the Acls and flatten them, eventually loading the discovered workspaces.

func AccessListFromUser

func AccessListFromUser(ctx context.Context, userNameOrUuid string, isUuid bool) (accessList *AccessList, user *idm.User, err error)

func NewAccessList

func NewAccessList(orderedRoles []*idm.Role, Acls ...[]*idm.ACL) *AccessList

NewAccessList creates a new AccessList.

func (*AccessList) Append

func (a *AccessList) Append(acls []*idm.ACL)

Append appends an additional list of ACLs.

func (*AccessList) AppendClaimsScopes

func (a *AccessList) AppendClaimsScopes(ss []string)

AppendClaimsScopes appends some specific permissions passed through claims. Currently only strings like "node:uuid:perm" are supported

func (*AccessList) BelongsToWorkspaces

func (a *AccessList) BelongsToWorkspaces(ctx context.Context, nodes ...*tree.Node) (workspaces []*idm.Workspace, workspacesRoots map[string]string)

BelongsToWorkspaces finds corresponding workspace parents for this node.

func (*AccessList) CanRead

func (a *AccessList) CanRead(ctx context.Context, nodes ...*tree.Node) bool

CanRead checks if a node has READ access.

func (*AccessList) CanReadPath

func (a *AccessList) CanReadPath(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool

CanReadPath checks if a node has READ access based on its Path

func (*AccessList) CanReadWithResolver

func (a *AccessList) CanReadWithResolver(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool

CanReadWithResolver checks if a node has READ access, using VirtualPathResolver if necessary

func (*AccessList) CanWrite

func (a *AccessList) CanWrite(ctx context.Context, nodes ...*tree.Node) bool

CanWrite checks if a node has WRITE access.

func (*AccessList) CanWritePath

func (a *AccessList) CanWritePath(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool

CanWritePath checks if a node has WRITE access based on its path.

func (*AccessList) CanWriteWithResolver

func (a *AccessList) CanWriteWithResolver(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool

CanWriteWithResolver checks if a node has WRITE access, using VirtualPathResolver if necessary.

func (*AccessList) Flatten

func (a *AccessList) Flatten(ctx context.Context)

Flatten performs actual flatten.

func (*AccessList) FlattenedFrontValues

func (a *AccessList) FlattenedFrontValues() configx.Values

FlattenedFrontValues generates a configx.Values with frontend actions/parameters configs

func (*AccessList) GetAccessibleWorkspaces

func (a *AccessList) GetAccessibleWorkspaces(ctx context.Context) map[string]string

GetAccessibleWorkspaces retrieves a map of accessible workspaces.

func (*AccessList) GetNodesBitmasks

func (a *AccessList) GetNodesBitmasks() map[string]Bitmask

GetNodesBitmasks returns internal bitmask

func (*AccessList) GetWorkspacesNodes

func (a *AccessList) GetWorkspacesNodes() map[string]map[string]Bitmask

GetWorkspacesNodes gets detected workspace root nodes that are then used to populate the Workspace keys.

func (*AccessList) HasExplicitDeny

func (a *AccessList) HasExplicitDeny(ctx context.Context, flag BitmaskFlag, nodes ...*tree.Node) bool

func (*AccessList) HasPolicyBasedAcls

func (a *AccessList) HasPolicyBasedAcls() bool

HasPolicyBasedAcls checks if there are policy based acls.

func (*AccessList) IsLocked added in v1.5.0

func (a *AccessList) IsLocked(ctx context.Context, nodes ...*tree.Node) bool

IsLocked checks if a node bitmask has a FlagLock value.

func (*AccessList) LoadNodePathsAcls

func (a *AccessList) LoadNodePathsAcls(ctx context.Context, resolver VirtualPathResolver) error

LoadNodePathsAcls retrieve each nodes by UUID, to which an ACL is attached

func (*AccessList) ReplicateBitmask

func (a *AccessList) ReplicateBitmask(fromUuid, toUuid string) bool

ReplicateBitmask copies a bitmask value from one position to another

func (*AccessList) Zap

func (a *AccessList) Zap() zapcore.Field

Zap simply returns a zapcore.Field object populated with this aggregated AccessList under a standard key

type Bitmask

type Bitmask struct {
	BitmaskFlag
	PolicyIds  map[string]string
	ValueFlags map[BitmaskFlag]string
}

func (*Bitmask) AddFlag

func (f *Bitmask) AddFlag(flag BitmaskFlag)

AddFlag adds a simple flag.

func (*Bitmask) AddPolicyFlag

func (f *Bitmask) AddPolicyFlag(policyId string)

AddPolicyFlag adds a policy flag and stacks policies.

func (*Bitmask) AddValueFlag

func (f *Bitmask) AddValueFlag(flag BitmaskFlag, value string)

AddValueFlag stores the value of a BitmaskFlag.

func (Bitmask) HasFlag

func (f Bitmask) HasFlag(ctx context.Context, flag BitmaskFlag, ctxNodes ...*tree.Node) bool

HasFlag checks if current bitmask matches a given flag. If bitmask has a Policy Flag, it will extract metadata from context and from nodes and use the PolicyResolver to dynamically test these properties.

func (Bitmask) HasPolicyExplicitDeny

func (f Bitmask) HasPolicyExplicitDeny(ctx context.Context, flag BitmaskFlag, ctxNodes ...*tree.Node) bool

HasPolicyExplicitDeny checks if current bitmask matches a specific flag with Deny. If bitmask has a Policy Flag, it will extract metadata from context and from nodes and use the PolicyResolver to dynamically test these properties.

type BitmaskFlag

type BitmaskFlag uint32
const (
	FlagRead BitmaskFlag = 1 << iota
	FlagWrite
	FlagDeny
	FlagList
	FlagDelete
	FlagPolicy
	FlagQuota
	FlagLock
	FlagDownload
	FlagUpload
	FlagSync
)

type JsRequest

type JsRequest struct {
	UserAgent string
	UserIP    string
}

type JsUser

type JsUser struct {
	Uuid        string
	Name        string
	GroupPath   string
	GroupFlat   string
	Profile     string
	DisplayName string
	Email       string
	AuthSource  string
	Roles       []string
}

type LockSession

type LockSession struct {
	// contains filtered or unexported fields
}

func NewLockSession

func NewLockSession(nodeUUID, sessionUUID string, expireAfter time.Duration) *LockSession

NewLockSession creates a new LockSession object

func (*LockSession) AddChildTarget

func (l *LockSession) AddChildTarget(parentUUID, targetChildName string)

func (*LockSession) Lock

func (l *LockSession) Lock(ctx context.Context) error

Lock sets an expirable lock ACL on the NodeUUID with SessionUUID as value

func (*LockSession) Unlock

func (l *LockSession) Unlock(ctx context.Context) error

Unlock manually removes the ACL

func (*LockSession) UpdateExpiration

func (l *LockSession) UpdateExpiration(ctx context.Context, expireAfter time.Duration) error

UpdateExpiration set a new expiration date on the current lock

type PolicyResolver

type PolicyResolver func(ctx context.Context, request *idm.PolicyEngineRequest, explicitOnly bool) (*idm.PolicyEngineResponse, error)

PolicyResolver implements the check of an object against a set of ACL policies

type SessionLocker

type SessionLocker interface {
	Lock(ctx context.Context) error
	UpdateExpiration(ctx context.Context, expireAfter time.Duration) error
	Unlock(ctx context.Context) error
	AddChildTarget(parentUUID, targetChildName string)
}

type VirtualPathResolver

type VirtualPathResolver func(context.Context, *tree.Node) (*tree.Node, bool)

VirtualPathResolver must be able to load virtual nodes based on their UUID

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL