permissions

package
v1.6.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 24, 2019 License: AGPL-3.0 Imports: 23 Imported by: 346

Documentation

Overview

Package permissions provides high-level tools for computing permissions from ACLs

  • Copyright (c) 2019. Abstrium SAS <team (at) pydio.com>

  • This file is part of Pydio Cells. *

  • Pydio Cells is free software: you can redistribute it and/or modify

  • it under the terms of the GNU Affero General Public License as published by

  • the Free Software Foundation, either version 3 of the License, or

  • (at your option) any later version. *

  • Pydio Cells is distributed in the hope that it will be useful,

  • but WITHOUT ANY WARRANTY; without even the implied warranty of

  • MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

  • GNU Affero General Public License for more details. *

  • You should have received a copy of the GNU Affero General Public License

  • along with Pydio Cells. If not, see <http://www.gnu.org/licenses/>. *

  • The latest code can be found at <https://pydio.com>.

  • Copyright (c) 2019. Abstrium SAS <team (at) pydio.com>

  • This file is part of Pydio Cells. *

  • Pydio Cells is free software: you can redistribute it and/or modify

  • it under the terms of the GNU Affero General Public License as published by

  • the Free Software Foundation, either version 3 of the License, or

  • (at your option) any later version. *

  • Pydio Cells is distributed in the hope that it will be useful,

  • but WITHOUT ANY WARRANTY; without even the implied warranty of

  • MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

  • GNU Affero General Public License for more details. *

  • You should have received a copy of the GNU Affero General Public License

  • along with Pydio Cells. If not, see <http://www.gnu.org/licenses/>. *

  • The latest code can be found at <https://pydio.com>.

  • Copyright (c) 2019. Abstrium SAS <team (at) pydio.com>

  • This file is part of Pydio Cells. *

  • Pydio Cells is free software: you can redistribute it and/or modify

  • it under the terms of the GNU Affero General Public License as published by

  • the Free Software Foundation, either version 3 of the License, or

  • (at your option) any later version. *

  • Pydio Cells is distributed in the hope that it will be useful,

  • but WITHOUT ANY WARRANTY; without even the implied warranty of

  • MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

  • GNU Affero General Public License for more details. *

  • You should have received a copy of the GNU Affero General Public License

  • along with Pydio Cells. If not, see <http://www.gnu.org/licenses/>. *

  • The latest code can be found at <https://pydio.com>.

Index

Constants

View Source
const (
	PolicyNodeMetaName      = "NodeMetaName"
	PolicyNodeMetaPath      = "NodeMetaPath"
	PolicyNodeMetaExtension = "NodeMetaExtension"
	PolicyNodeMetaMimeType  = "NodeMetaMimeType"
	PolicyNodeMetaSize      = "NodeMetaSize"
	PolicyNodeMetaMTime     = "NodeMetaMTime"
	PolicyNodeMeta_         = "NodeMeta:"
)

Variables

View Source
var (
	NamesToFlags = map[string]BitmaskFlag{
		"read":   FlagRead,
		"write":  FlagWrite,
		"deny":   FlagDeny,
		"list":   FlagList,
		"delete": FlagDelete,
		"policy": FlagPolicy,
		"quota":  FlagQuota,
		"lock":   FlagLock,
	}
	FlagsToNames = map[BitmaskFlag]string{
		FlagRead:   "read",
		FlagWrite:  "write",
		FlagDeny:   "deny",
		FlagList:   "list",
		FlagDelete: "delete",
		FlagPolicy: "policy",
		FlagQuota:  "quota",
		FlagLock:   "lock",
	}
	AclRead        = &idm.ACLAction{Name: "read", Value: "1"}
	AclWrite       = &idm.ACLAction{Name: "write", Value: "1"}
	AclDeny        = &idm.ACLAction{Name: "deny", Value: "1"}
	AclPolicy      = &idm.ACLAction{Name: "policy"}
	AclQuota       = &idm.ACLAction{Name: "quota"}
	AclLock        = &idm.ACLAction{Name: "lock", Value: "1"}
	AclContentLock = &idm.ACLAction{Name: "content_lock"}
	// Not used yet
	AclFrontAction_      = &idm.ACLAction{Name: "action:*"}
	AclFrontParam_       = &idm.ACLAction{Name: "parameter:*"}
	AclDelete            = &idm.ACLAction{Name: "delete", Value: "1"}
	AclList              = &idm.ACLAction{Name: "list", Value: "1"}
	AclWsrootActionName  = "workspace-path"
	AclRecycleRoot       = &idm.ACLAction{Name: "recycle_root", Value: "1"}
	ResolvePolicyRequest PolicyResolver
)

Functions

func AccessListLoadFrontValues

func AccessListLoadFrontValues(ctx context.Context, accessList *AccessList) error

func CheckContentLock

func CheckContentLock(ctx context.Context, node *tree.Node) error

CheckContentLock finds if there is a global lock registered in ACLs.

func FindUserNameInContext

func FindUserNameInContext(ctx context.Context) (string, claim.Claims)

func GetACLsForRoles

func GetACLsForRoles(ctx context.Context, roles []*idm.Role, actions ...*idm.ACLAction) []*idm.ACL

GetACLsForRoles compiles ALCs for a list of roles

func GetACLsForWorkspace

func GetACLsForWorkspace(ctx context.Context, workspaceIds []string, actions ...*idm.ACLAction) (acls []*idm.ACL, err error)

GetACLsForWorkspace compiles ACLs list attached to a given workspace

func GetRoles

func GetRoles(ctx context.Context, names []string) []*idm.Role

GetRoles Objects from a list of role names

func GetRolesForUser

func GetRolesForUser(ctx context.Context, user *idm.User, createMissing bool) []*idm.Role

Load roles for a given user

func GetWorkspacesForACLs

func GetWorkspacesForACLs(ctx context.Context, list *AccessList) []*idm.Workspace

Compute a list of accessible workspaces, given a set of Read and Deny ACLs.

func IsUserLocked

func IsUserLocked(user *idm.User) bool

IsUserLocked checks if the passed user has a logout attribute defined.

func PolicyContextFromMetadata

func PolicyContextFromMetadata(policyContext map[string]string, ctx context.Context)

PolicyContextFromMetadata extracts metadata directly from the context and enriches the passed policyContext.

func PolicyContextFromNode

func PolicyContextFromNode(policyContext map[string]string, node *tree.Node)

PolicyContextFromNode extracts metadata from the Node and enriches the passed policyContext.

func PolicyRequestSubjectsFromClaims

func PolicyRequestSubjectsFromClaims(claims claim.Claims) []string

PolicyRequestSubjectsFromClaims builds an array of string subjects from the passed Claims.

func PolicyRequestSubjectsFromUser

func PolicyRequestSubjectsFromUser(user *idm.User) []string

PolicyRequestSubjectsFromUser builds an array of string subjects from the passed User.

func RunJavaScript

func RunJavaScript(ctx context.Context, script string, inputs map[string]interface{}, outputs map[string]interface{}) error

func SearchUniqueUser

func SearchUniqueUser(ctx context.Context, login string, uuid string, queries ...*idm.UserSingleQuery) (user *idm.User, err error)

SearchUniqueUser provides a shortcurt to search user services for one specific user

Types

type AccessList

type AccessList struct {
	Workspaces         map[string]*idm.Workspace
	Acls               []*idm.ACL
	NodesAcls          map[string]Bitmask
	WorkspacesNodes    map[string]map[string]Bitmask
	OrderedRoles       []*idm.Role
	FrontPluginsValues []*idm.ACL
}

AccessList is a merged representation of all ACLs that a user has access to. ACLs are merged using a Bitmask form to ease flags detections and comparisons.

func AccessListFromContextClaims

func AccessListFromContextClaims(ctx context.Context) (accessList *AccessList, err error)

Use package function to compile ACL and Workspaces for a given user ( = list of roles inside the Claims)

func AccessListFromRoles

func AccessListFromRoles(ctx context.Context, roles []*idm.Role, countPolicies bool, loadWorkspaces bool) (accessList *AccessList, err error)

AccessListFromRoles loads the Acls and flatten them, eventually loading the discovered workspaces

func AccessListFromUser

func AccessListFromUser(ctx context.Context, userNameOrUuid string, isUuid bool) (accessList *AccessList, user *idm.User, err error)

func NewAccessList

func NewAccessList(orderedRoles []*idm.Role, Acls ...[]*idm.ACL) *AccessList

NewAccessList creates a new AccessList.

func (*AccessList) Append

func (a *AccessList) Append(acls []*idm.ACL)

Append appends an additional list of ACLs.

func (*AccessList) BelongsToWorkspaces

func (a *AccessList) BelongsToWorkspaces(ctx context.Context, nodes ...*tree.Node) (workspaces []*idm.Workspace, workspacesRoots map[string]string)

BelongsToWorkspaces finds corresponding workspace parents for this node.

func (*AccessList) CanRead

func (a *AccessList) CanRead(ctx context.Context, nodes ...*tree.Node) bool

CanRead checks if a node has READ access.

func (*AccessList) CanWrite

func (a *AccessList) CanWrite(ctx context.Context, nodes ...*tree.Node) bool

CanWrite checks if a node has WRITE access.

func (*AccessList) FirstMaskForParents

func (a *AccessList) FirstMaskForParents(ctx context.Context, nodes ...*tree.Node) (Bitmask, *tree.Node)

FirstMaskForParents just climbs up the tree and gets the first non empty mask found.

func (*AccessList) Flatten

func (a *AccessList) Flatten(ctx context.Context)

Flatten performs actual flatten.

func (*AccessList) GetAccessibleWorkspaces

func (a *AccessList) GetAccessibleWorkspaces(ctx context.Context) map[string]string

GetAccessibleWorkspaces retrieves a map of accessible workspaces.

func (*AccessList) GetNodesBitmasks

func (a *AccessList) GetNodesBitmasks() map[string]Bitmask

func (*AccessList) GetWorkspacesNodes

func (a *AccessList) GetWorkspacesNodes() map[string]map[string]Bitmask

GetWorkspacesNodes gets detected workspace root nodes that are then used to populate the Workspace keys.

func (*AccessList) HasPolicyBasedAcls

func (a *AccessList) HasPolicyBasedAcls() bool

HasPolicyBasedAcls checks if there are policy based acls.

func (*AccessList) IsLocked added in v1.5.0

func (a *AccessList) IsLocked(ctx context.Context, nodes ...*tree.Node) bool

CanWrite checks if a node has WRITE access.

func (*AccessList) ParentMaskOrDeny

func (a *AccessList) ParentMaskOrDeny(ctx context.Context, nodes ...*tree.Node) (bool, Bitmask)

ParentMaskOrDeny browses access list from current node to ROOT, going through each parent. If there is a deny anywhere up the path, it returns that deny, otherwise it sends the first Bitmask found (closest parent having a Bitmask set).

func (*AccessList) Zap

func (a *AccessList) Zap() zapcore.Field
LOGGING SUPPORT

Zap simply returns a zapcore.Field object populated with this aggregated AccessList under a standard key

type Bitmask

type Bitmask struct {
	BitmaskFlag
	PolicyIds  map[string]string
	ValueFlags map[BitmaskFlag]string
}

func (*Bitmask) AddFlag

func (f *Bitmask) AddFlag(flag BitmaskFlag)

AddFlag adds a simple flag.

func (*Bitmask) AddPolicyFlag

func (f *Bitmask) AddPolicyFlag(policyId string)

AddPolicyFlag adds a policy flag and stacks policies.

func (*Bitmask) AddValueFlag

func (f *Bitmask) AddValueFlag(flag BitmaskFlag, value string)

AddValueFlag stores the value of a BitmaskFlag.

func (Bitmask) HasFlag

func (f Bitmask) HasFlag(ctx context.Context, flag BitmaskFlag, ctxNode ...*tree.Node) bool

type BitmaskFlag

type BitmaskFlag uint32
const (
	FlagRead BitmaskFlag = 1 << iota
	FlagWrite
	FlagDeny
	FlagList
	FlagDelete
	FlagPolicy
	FlagQuota
	FlagLock
)

type JsRequest

type JsRequest struct {
	UserAgent string
	UserIP    string
}

type JsUser

type JsUser struct {
	Name               string
	GroupPath          string
	GroupPathFlattened string
}

type PolicyResolver

type PolicyResolver func(ctx context.Context, request *idm.PolicyEngineRequest) (*idm.PolicyEngineResponse, error)
type Right struct {
	Read  bool
	Write bool
}

func (*Right) IsAccessible

func (r *Right) IsAccessible() bool

func (*Right) String

func (r *Right) String() string

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL