Documentation ¶
Overview ¶
Package permissions provides high-level tools for computing permissions from ACLs
Copyright (c) 2019. Abstrium SAS <team (at) pydio.com>
This file is part of Pydio Cells. *
Pydio Cells is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version. *
Pydio Cells is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details. *
You should have received a copy of the GNU Affero General Public License
along with Pydio Cells. If not, see <http://www.gnu.org/licenses/>. *
The latest code can be found at <https://pydio.com>.
Copyright (c) 2019. Abstrium SAS <team (at) pydio.com>
This file is part of Pydio Cells. *
Pydio Cells is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version. *
Pydio Cells is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details. *
You should have received a copy of the GNU Affero General Public License
along with Pydio Cells. If not, see <http://www.gnu.org/licenses/>. *
The latest code can be found at <https://pydio.com>.
Copyright (c) 2019. Abstrium SAS <team (at) pydio.com>
This file is part of Pydio Cells. *
Pydio Cells is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version. *
Pydio Cells is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details. *
You should have received a copy of the GNU Affero General Public License
along with Pydio Cells. If not, see <http://www.gnu.org/licenses/>. *
The latest code can be found at <https://pydio.com>.
Index ¶
- Constants
- Variables
- func AccessListLoadFrontValues(ctx context.Context, accessList *AccessList) error
- func CheckContentLock(ctx context.Context, node *tree.Node) error
- func FindUserNameInContext(ctx context.Context) (string, claim.Claims)
- func GetACLsForRoles(ctx context.Context, roles []*idm.Role, actions ...*idm.ACLAction) []*idm.ACL
- func GetACLsForWorkspace(ctx context.Context, workspaceIds []string, actions ...*idm.ACLAction) (acls []*idm.ACL, err error)
- func GetRoles(ctx context.Context, names []string) []*idm.Role
- func GetRolesForUser(ctx context.Context, user *idm.User, createMissing bool) []*idm.Role
- func GetWorkspacesForACLs(ctx context.Context, list *AccessList) []*idm.Workspace
- func IsUserLocked(user *idm.User) bool
- func PolicyContextFromMetadata(policyContext map[string]string, ctx context.Context)
- func PolicyContextFromNode(policyContext map[string]string, node *tree.Node)
- func PolicyRequestSubjectsFromClaims(claims claim.Claims) []string
- func PolicyRequestSubjectsFromUser(user *idm.User) []string
- func RunJavaScript(ctx context.Context, script string, inputs map[string]interface{}, ...) error
- func SearchUniqueUser(ctx context.Context, login string, uuid string, ...) (user *idm.User, err error)
- type AccessList
- func AccessListFromContextClaims(ctx context.Context) (accessList *AccessList, err error)
- func AccessListFromRoles(ctx context.Context, roles []*idm.Role, countPolicies bool, ...) (accessList *AccessList, err error)
- func AccessListFromUser(ctx context.Context, userNameOrUuid string, isUuid bool) (accessList *AccessList, user *idm.User, err error)
- func NewAccessList(orderedRoles []*idm.Role, Acls ...[]*idm.ACL) *AccessList
- func (a *AccessList) Append(acls []*idm.ACL)
- func (a *AccessList) BelongsToWorkspaces(ctx context.Context, nodes ...*tree.Node) (workspaces []*idm.Workspace, workspacesRoots map[string]string)
- func (a *AccessList) CanRead(ctx context.Context, nodes ...*tree.Node) bool
- func (a *AccessList) CanWrite(ctx context.Context, nodes ...*tree.Node) bool
- func (a *AccessList) FirstMaskForParents(ctx context.Context, nodes ...*tree.Node) (Bitmask, *tree.Node)
- func (a *AccessList) Flatten(ctx context.Context)
- func (a *AccessList) GetAccessibleWorkspaces(ctx context.Context) map[string]string
- func (a *AccessList) GetNodesBitmasks() map[string]Bitmask
- func (a *AccessList) GetWorkspacesNodes() map[string]map[string]Bitmask
- func (a *AccessList) HasPolicyBasedAcls() bool
- func (a *AccessList) IsLocked(ctx context.Context, nodes ...*tree.Node) bool
- func (a *AccessList) ParentMaskOrDeny(ctx context.Context, nodes ...*tree.Node) (bool, Bitmask)
- func (a *AccessList) Zap() zapcore.Field
- type Bitmask
- type BitmaskFlag
- type JsRequest
- type JsUser
- type PolicyResolver
- type Right
Constants ¶
const ( PolicyNodeMetaName = "NodeMetaName" PolicyNodeMetaPath = "NodeMetaPath" PolicyNodeMetaExtension = "NodeMetaExtension" PolicyNodeMetaMimeType = "NodeMetaMimeType" PolicyNodeMetaSize = "NodeMetaSize" PolicyNodeMetaMTime = "NodeMetaMTime" PolicyNodeMeta_ = "NodeMeta:" )
Variables ¶
var ( NamesToFlags = map[string]BitmaskFlag{ "read": FlagRead, "write": FlagWrite, "deny": FlagDeny, "list": FlagList, "delete": FlagDelete, "policy": FlagPolicy, "quota": FlagQuota, "lock": FlagLock, } FlagsToNames = map[BitmaskFlag]string{ FlagRead: "read", FlagWrite: "write", FlagDeny: "deny", FlagList: "list", FlagDelete: "delete", FlagPolicy: "policy", FlagQuota: "quota", FlagLock: "lock", } AclRead = &idm.ACLAction{Name: "read", Value: "1"} AclWrite = &idm.ACLAction{Name: "write", Value: "1"} AclDeny = &idm.ACLAction{Name: "deny", Value: "1"} AclPolicy = &idm.ACLAction{Name: "policy"} AclQuota = &idm.ACLAction{Name: "quota"} AclLock = &idm.ACLAction{Name: "lock", Value: "1"} AclContentLock = &idm.ACLAction{Name: "content_lock"} // Not used yet AclFrontAction_ = &idm.ACLAction{Name: "action:*"} AclFrontParam_ = &idm.ACLAction{Name: "parameter:*"} AclDelete = &idm.ACLAction{Name: "delete", Value: "1"} AclList = &idm.ACLAction{Name: "list", Value: "1"} AclWsrootActionName = "workspace-path" AclRecycleRoot = &idm.ACLAction{Name: "recycle_root", Value: "1"} ResolvePolicyRequest PolicyResolver )
Functions ¶
func AccessListLoadFrontValues ¶
func AccessListLoadFrontValues(ctx context.Context, accessList *AccessList) error
func CheckContentLock ¶
CheckContentLock finds if there is a global lock registered in ACLs.
func GetACLsForRoles ¶
GetACLsForRoles compiles ALCs for a list of roles
func GetACLsForWorkspace ¶
func GetACLsForWorkspace(ctx context.Context, workspaceIds []string, actions ...*idm.ACLAction) (acls []*idm.ACL, err error)
GetACLsForWorkspace compiles ACLs list attached to a given workspace
func GetRolesForUser ¶
Load roles for a given user
func GetWorkspacesForACLs ¶
func GetWorkspacesForACLs(ctx context.Context, list *AccessList) []*idm.Workspace
Compute a list of accessible workspaces, given a set of Read and Deny ACLs.
func IsUserLocked ¶
IsUserLocked checks if the passed user has a logout attribute defined.
func PolicyContextFromMetadata ¶
PolicyContextFromMetadata extracts metadata directly from the context and enriches the passed policyContext.
func PolicyContextFromNode ¶
PolicyContextFromNode extracts metadata from the Node and enriches the passed policyContext.
func PolicyRequestSubjectsFromClaims ¶
PolicyRequestSubjectsFromClaims builds an array of string subjects from the passed Claims.
func PolicyRequestSubjectsFromUser ¶
PolicyRequestSubjectsFromUser builds an array of string subjects from the passed User.
func RunJavaScript ¶
Types ¶
type AccessList ¶
type AccessList struct { Workspaces map[string]*idm.Workspace Acls []*idm.ACL NodesAcls map[string]Bitmask WorkspacesNodes map[string]map[string]Bitmask OrderedRoles []*idm.Role FrontPluginsValues []*idm.ACL }
AccessList is a merged representation of all ACLs that a user has access to. ACLs are merged using a Bitmask form to ease flags detections and comparisons.
func AccessListFromContextClaims ¶
func AccessListFromContextClaims(ctx context.Context) (accessList *AccessList, err error)
Use package function to compile ACL and Workspaces for a given user ( = list of roles inside the Claims)
func AccessListFromRoles ¶
func AccessListFromRoles(ctx context.Context, roles []*idm.Role, countPolicies bool, loadWorkspaces bool) (accessList *AccessList, err error)
AccessListFromRoles loads the Acls and flatten them, eventually loading the discovered workspaces
func AccessListFromUser ¶
func NewAccessList ¶
func NewAccessList(orderedRoles []*idm.Role, Acls ...[]*idm.ACL) *AccessList
NewAccessList creates a new AccessList.
func (*AccessList) Append ¶
func (a *AccessList) Append(acls []*idm.ACL)
Append appends an additional list of ACLs.
func (*AccessList) BelongsToWorkspaces ¶
func (a *AccessList) BelongsToWorkspaces(ctx context.Context, nodes ...*tree.Node) (workspaces []*idm.Workspace, workspacesRoots map[string]string)
BelongsToWorkspaces finds corresponding workspace parents for this node.
func (*AccessList) FirstMaskForParents ¶
func (a *AccessList) FirstMaskForParents(ctx context.Context, nodes ...*tree.Node) (Bitmask, *tree.Node)
FirstMaskForParents just climbs up the tree and gets the first non empty mask found.
func (*AccessList) Flatten ¶
func (a *AccessList) Flatten(ctx context.Context)
Flatten performs actual flatten.
func (*AccessList) GetAccessibleWorkspaces ¶
func (a *AccessList) GetAccessibleWorkspaces(ctx context.Context) map[string]string
GetAccessibleWorkspaces retrieves a map of accessible workspaces.
func (*AccessList) GetNodesBitmasks ¶
func (a *AccessList) GetNodesBitmasks() map[string]Bitmask
func (*AccessList) GetWorkspacesNodes ¶
func (a *AccessList) GetWorkspacesNodes() map[string]map[string]Bitmask
GetWorkspacesNodes gets detected workspace root nodes that are then used to populate the Workspace keys.
func (*AccessList) HasPolicyBasedAcls ¶
func (a *AccessList) HasPolicyBasedAcls() bool
HasPolicyBasedAcls checks if there are policy based acls.
func (*AccessList) ParentMaskOrDeny ¶
ParentMaskOrDeny browses access list from current node to ROOT, going through each parent. If there is a deny anywhere up the path, it returns that deny, otherwise it sends the first Bitmask found (closest parent having a Bitmask set).
func (*AccessList) Zap ¶
func (a *AccessList) Zap() zapcore.Field
LOGGING SUPPORT
Zap simply returns a zapcore.Field object populated with this aggregated AccessList under a standard key
type Bitmask ¶
type Bitmask struct { BitmaskFlag PolicyIds map[string]string ValueFlags map[BitmaskFlag]string }
func (*Bitmask) AddPolicyFlag ¶
AddPolicyFlag adds a policy flag and stacks policies.
func (*Bitmask) AddValueFlag ¶
func (f *Bitmask) AddValueFlag(flag BitmaskFlag, value string)
AddValueFlag stores the value of a BitmaskFlag.
type BitmaskFlag ¶
type BitmaskFlag uint32
const ( FlagRead BitmaskFlag = 1 << iota FlagWrite FlagDeny FlagList FlagDelete FlagPolicy FlagQuota FlagLock )
type PolicyResolver ¶
type PolicyResolver func(ctx context.Context, request *idm.PolicyEngineRequest) (*idm.PolicyEngineResponse, error)