permissions

package
v2.2.8+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 31, 2021 License: AGPL-3.0 Imports: 31 Imported by: 0

Documentation

Overview

Package permissions provides high-level tools for computing permissions from ACLs

Index

Constants

View Source
const (
	FrontWsScopeAll    = "PYDIO_REPO_SCOPE_ALL"
	FrontWsScopeShared = "PYDIO_REPO_SCOPE_SHARED"
)
View Source
const (
	PolicyNodeMetaName      = "NodeMetaName"
	PolicyNodeMetaPath      = "NodeMetaPath"
	PolicyNodeMetaType      = "NodeMetaType"
	PolicyNodeMetaExtension = "NodeMetaExtension"
	PolicyNodeMetaSize      = "NodeMetaSize"
	PolicyNodeMetaMTime     = "NodeMetaMTime"
	PolicyNodeMeta_         = "NodeMeta:"
)

Variables

View Source
var (
	AclRead        = &idm.ACLAction{Name: "read", Value: "1"}
	AclWrite       = &idm.ACLAction{Name: "write", Value: "1"}
	AclDeny        = &idm.ACLAction{Name: "deny", Value: "1"}
	AclPolicy      = &idm.ACLAction{Name: "policy"}
	AclQuota       = &idm.ACLAction{Name: "quota"}
	AclLock        = &idm.ACLAction{Name: "lock"}
	AclChildLock   = &idm.ACLAction{Name: "child_lock"}
	AclContentLock = &idm.ACLAction{Name: "content_lock"}
	// Not used yet
	AclFrontAction_      = &idm.ACLAction{Name: "action:*"}
	AclFrontParam_       = &idm.ACLAction{Name: "parameter:*"}
	AclDelete            = &idm.ACLAction{Name: "delete", Value: "1"}
	AclList              = &idm.ACLAction{Name: "list", Value: "1"}
	AclWsrootActionName  = "workspace-path"
	AclRecycleRoot       = &idm.ACLAction{Name: "recycle_root", Value: "1"}
	ResolvePolicyRequest PolicyResolver
)
View Source
var (
	NamesToFlags = map[string]BitmaskFlag{
		"read":   FlagRead,
		"write":  FlagWrite,
		"deny":   FlagDeny,
		"list":   FlagList,
		"delete": FlagDelete,
		"policy": FlagPolicy,
		"quota":  FlagQuota,
		"lock":   FlagLock,
	}

	FlagsToNames = map[BitmaskFlag]string{
		FlagRead:   "read",
		FlagWrite:  "write",
		FlagDeny:   "deny",
		FlagList:   "list",
		FlagDelete: "delete",
		FlagPolicy: "policy",
		FlagQuota:  "quota",
		FlagLock:   "lock",
	}
)

Functions

func AccessListLoadFrontValues

func AccessListLoadFrontValues(ctx context.Context, accessList *AccessList) error

AccessListLoadFrontValues loads all ACLs starting with actions: and parameters: for the current list of ordered roles

func CachedPoliciesChecker

func CachedPoliciesChecker(ctx context.Context, resType string) (ladon.Warden, error)

func CheckContentLock

func CheckContentLock(ctx context.Context, node *tree.Node) error

CheckContentLock finds if there is a global lock registered in ACLs.

func FindUserNameInContext

func FindUserNameInContext(ctx context.Context) (string, claim.Claims)

func ForceClearUserCache

func ForceClearUserCache(login string)

func FrontValuesScopesFromWorkspaceRelativePaths

func FrontValuesScopesFromWorkspaceRelativePaths(wss []*tree.WorkspaceRelativePath) (scopes []string)

FrontValuesScopesFromWorkspaceRelativePaths computes scopes to check when retrieving front plugin configuration, based on a list of Node.AppearsIn workspaces descriptions

func FrontValuesScopesFromWorkspaces

func FrontValuesScopesFromWorkspaces(wss []*idm.Workspace) (scopes []string)

FrontValuesScopesFromWorkspaces computes scopes to check when retrieving front plugin configuration

func GetACLsForActions

func GetACLsForActions(ctx context.Context, actions ...*idm.ACLAction) (acls []*idm.ACL, err error)

func GetACLsForRoles

func GetACLsForRoles(ctx context.Context, roles []*idm.Role, actions ...*idm.ACLAction) []*idm.ACL

GetACLsForRoles compiles ALCs for a list of roles.

func GetACLsForWorkspace

func GetACLsForWorkspace(ctx context.Context, workspaceIds []string, actions ...*idm.ACLAction) (acls []*idm.ACL, err error)

GetACLsForWorkspace compiles ACLs list attached to a given workspace.

func GetRoles

func GetRoles(ctx context.Context, names []string) []*idm.Role

GetRoles Objects from a list of role names.

func GetRolesForUser

func GetRolesForUser(ctx context.Context, user *idm.User, createMissing bool) []*idm.Role

GetRolesForUser loads the roles of a given user.

func GetWorkspacesForACLs

func GetWorkspacesForACLs(ctx context.Context, list *AccessList) []*idm.Workspace

GetWorkspacesForACLs computes a list of accessible workspaces, given a set of Read and Deny ACLs.

func HasChildLocks

func HasChildLocks(ctx context.Context, node *tree.Node) bool

func IsUserLocked

func IsUserLocked(user *idm.User) bool

IsUserLocked checks if the passed user has a logout attribute defined.

func LocalACLPoliciesResolver

func LocalACLPoliciesResolver(ctx context.Context, request *idm.PolicyEngineRequest) (*idm.PolicyEngineResponse, error)

func PolicyContextFromMetadata

func PolicyContextFromMetadata(policyContext map[string]string, ctx context.Context)

PolicyContextFromMetadata extracts metadata directly from the context and enriches the passed policyContext.

func PolicyContextFromNode

func PolicyContextFromNode(policyContext map[string]string, node *tree.Node)

PolicyContextFromNode extracts metadata from the Node and enriches the passed policyContext.

func PolicyRequestSubjectsFromClaims

func PolicyRequestSubjectsFromClaims(claims claim.Claims) []string

PolicyRequestSubjectsFromClaims builds an array of string subjects from the passed Claims.

func PolicyRequestSubjectsFromUser

func PolicyRequestSubjectsFromUser(user *idm.User) []string

PolicyRequestSubjectsFromUser builds an array of string subjects from the passed User.

func RunJavaScript

func RunJavaScript(ctx context.Context, script string, inputs map[string]interface{}, outputs map[string]interface{}) error

func SearchUniqueUser

func SearchUniqueUser(ctx context.Context, login string, uuid string, queries ...*idm.UserSingleQuery) (user *idm.User, err error)

SearchUniqueUser provides a shortcurt to search user services for one specific user.

Types

type AccessList

type AccessList struct {
	Workspaces         map[string]*idm.Workspace
	Acls               []*idm.ACL
	NodesAcls          map[string]Bitmask
	WorkspacesNodes    map[string]map[string]Bitmask
	OrderedRoles       []*idm.Role
	FrontPluginsValues []*idm.ACL
	// contains filtered or unexported fields
}

AccessList is a merged representation of all ACLs that a user has access to. ACLs are merged using a Bitmask form to ease flags detections and comparisons.

func AccessListForLockedNodes

func AccessListForLockedNodes(ctx context.Context, resolver VirtualPathResolver) (accessList *AccessList, err error)

AccessListForLockedNodes builds a flattened node list containing all currently locked nodes

func AccessListFromContextClaims

func AccessListFromContextClaims(ctx context.Context) (accessList *AccessList, err error)

AccessListFromContextClaims uses package function to compile ACL and Workspaces for a given user ( = list of roles inside the Claims)

func AccessListFromRoles

func AccessListFromRoles(ctx context.Context, roles []*idm.Role, countPolicies bool, loadWorkspaces bool) (accessList *AccessList, err error)

AccessListFromRoles loads the Acls and flatten them, eventually loading the discovered workspaces.

func AccessListFromUser

func AccessListFromUser(ctx context.Context, userNameOrUuid string, isUuid bool) (accessList *AccessList, user *idm.User, err error)

func NewAccessList

func NewAccessList(orderedRoles []*idm.Role, Acls ...[]*idm.ACL) *AccessList

NewAccessList creates a new AccessList.

func (*AccessList) Append

func (a *AccessList) Append(acls []*idm.ACL)

Append appends an additional list of ACLs.

func (*AccessList) AppendClaimsScopes

func (a *AccessList) AppendClaimsScopes(ss []string)

AppendClaimsScopes appends some specific permissions passed through claims. Currently only strings like "node:uuid:perm" are supported

func (*AccessList) BelongsToWorkspaces

func (a *AccessList) BelongsToWorkspaces(ctx context.Context, nodes ...*tree.Node) (workspaces []*idm.Workspace, workspacesRoots map[string]string)

BelongsToWorkspaces finds corresponding workspace parents for this node.

func (*AccessList) CanRead

func (a *AccessList) CanRead(ctx context.Context, nodes ...*tree.Node) bool

CanRead checks if a node has READ access.

func (*AccessList) CanReadPath

func (a *AccessList) CanReadPath(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool

CanRead checks if a node has READ access.

func (*AccessList) CanReadWithResolver

func (a *AccessList) CanReadWithResolver(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool

CanRead checks if a node has READ access.

func (*AccessList) CanWrite

func (a *AccessList) CanWrite(ctx context.Context, nodes ...*tree.Node) bool

CanWrite checks if a node has WRITE access.

func (*AccessList) CanWritePath

func (a *AccessList) CanWritePath(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool

CanWrite checks if a node has WRITE access.

func (*AccessList) CanWriteWithResolver

func (a *AccessList) CanWriteWithResolver(ctx context.Context, resolver VirtualPathResolver, nodes ...*tree.Node) bool

CanWrite checks if a node has WRITE access.

func (*AccessList) Flatten

func (a *AccessList) Flatten(ctx context.Context)

Flatten performs actual flatten.

func (*AccessList) FlattenedFrontValues

func (a *AccessList) FlattenedFrontValues() configx.Values

FlattenedFrontValues generates a configx.Values with frontend actions/parameters configs

func (*AccessList) GetAccessibleWorkspaces

func (a *AccessList) GetAccessibleWorkspaces(ctx context.Context) map[string]string

GetAccessibleWorkspaces retrieves a map of accessible workspaces.

func (*AccessList) GetNodesBitmasks

func (a *AccessList) GetNodesBitmasks() map[string]Bitmask

GetNodesBitmasks returns internal bitmask

func (*AccessList) GetWorkspacesNodes

func (a *AccessList) GetWorkspacesNodes() map[string]map[string]Bitmask

GetWorkspacesNodes gets detected workspace root nodes that are then used to populate the Workspace keys.

func (*AccessList) HasPolicyBasedAcls

func (a *AccessList) HasPolicyBasedAcls() bool

HasPolicyBasedAcls checks if there are policy based acls.

func (*AccessList) IsLocked added in v1.5.0

func (a *AccessList) IsLocked(ctx context.Context, nodes ...*tree.Node) bool

CanWrite checks if a node has WRITE access.

func (*AccessList) LoadNodePathsAcls

func (a *AccessList) LoadNodePathsAcls(ctx context.Context, resolver VirtualPathResolver) error

LoadNodePathsAcls retrieve each nodes by UUID, to which an ACL is attached

func (*AccessList) ReplicateBitmask

func (a *AccessList) ReplicateBitmask(fromUuid, toUuid string) bool

ReplicateBitmask copies a bitmask value from one position to another

func (*AccessList) Zap

func (a *AccessList) Zap() zapcore.Field

Zap simply returns a zapcore.Field object populated with this aggregated AccessList under a standard key

type Bitmask

type Bitmask struct {
	BitmaskFlag
	PolicyIds  map[string]string
	ValueFlags map[BitmaskFlag]string
}

func (*Bitmask) AddFlag

func (f *Bitmask) AddFlag(flag BitmaskFlag)

AddFlag adds a simple flag.

func (*Bitmask) AddPolicyFlag

func (f *Bitmask) AddPolicyFlag(policyId string)

AddPolicyFlag adds a policy flag and stacks policies.

func (*Bitmask) AddValueFlag

func (f *Bitmask) AddValueFlag(flag BitmaskFlag, value string)

AddValueFlag stores the value of a BitmaskFlag.

func (Bitmask) HasFlag

func (f Bitmask) HasFlag(ctx context.Context, flag BitmaskFlag, ctxNodes ...*tree.Node) bool

HasFlag checks if current bitmask matches a given flag. If bitmask has a Policy Flag, it will extract metadata from context and from nodes and use the PolicyResolver to dynamically test these properties.

type BitmaskFlag

type BitmaskFlag uint32
const (
	FlagRead BitmaskFlag = 1 << iota
	FlagWrite
	FlagDeny
	FlagList
	FlagDelete
	FlagPolicy
	FlagQuota
	FlagLock
)

type JsRequest

type JsRequest struct {
	UserAgent string
	UserIP    string
}

type JsUser

type JsUser struct {
	Uuid        string
	Name        string
	GroupPath   string
	GroupFlat   string
	Profile     string
	DisplayName string
	Email       string
	AuthSource  string
	Roles       []string
}

type LockSession

type LockSession struct {
	// contains filtered or unexported fields
}

func NewLockSession

func NewLockSession(nodeUUID, sessionUUID string, expireAfter time.Duration) *LockSession

NewLockSession creates a new LockSession object

func (*LockSession) AddChildTarget

func (l *LockSession) AddChildTarget(parentUUID, targetChildName string)

func (*LockSession) Lock

func (l *LockSession) Lock(ctx context.Context) error

Lock sets an expirable lock ACL on the NodeUUID with SessionUUID as value

func (*LockSession) Unlock

func (l *LockSession) Unlock(ctx context.Context) error

Unlock manually removes the ACL

func (*LockSession) UpdateExpiration

func (l *LockSession) UpdateExpiration(ctx context.Context, expireAfter time.Duration) error

UpdateExpiration set a new expiration date on the current lock

type PolicyResolver

type PolicyResolver func(ctx context.Context, request *idm.PolicyEngineRequest) (*idm.PolicyEngineResponse, error)

PolicyResolver implements the check of an object against a set of ACL policies

type SessionLocker

type SessionLocker interface {
	Lock(ctx context.Context) error
	UpdateExpiration(ctx context.Context, expireAfter time.Duration) error
	Unlock(ctx context.Context) error
	AddChildTarget(parentUUID, targetChildName string)
}

type VirtualPathResolver

type VirtualPathResolver func(context.Context, *tree.Node) (*tree.Node, bool)

VirtualPathResolver must be able to load virtual nodes based on their UUID

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL