swirl/security/perm.go

153 lines
3.3 KiB
Go
Raw Normal View History

package security
2017-09-26 12:50:09 +00:00
import (
2021-12-06 12:24:22 +00:00
"net/http"
"strings"
"github.com/cuigh/auxo/net/web"
)
const ActionBits = 24
// Resources holds all resources requiring authorization. Up to 40 resources are supported.
// WARN: DO NOT CHANGE VALUES!!!
var Resources = map[string]uint64{
"registry": 1,
"node": 1 << 1,
"network": 1 << 2,
"service": 1 << 3,
"task": 1 << 4,
"stack": 1 << 5,
"config": 1 << 6,
"secret": 1 << 7,
"image": 1 << 8,
"container": 1 << 9,
"volume": 1 << 10,
"user": 1 << 11,
"role": 1 << 12,
"chart": 1 << 13,
"dashboard": 1 << 14,
"event": 1 << 15,
"setting": 1 << 16,
}
// Actions holds all actions requiring authorization. Up to 24 actions are supported.
// WARN: DO NOT CHANGE VALUES!!!
var Actions = map[string]uint64{
"view": 1,
"edit": 1 << 1,
"delete": 1 << 2,
"disconnect": 1 << 3,
"restart": 1 << 4,
"rollback": 1 << 5,
"logs": 1 << 6,
"deploy": 1 << 7,
"shutdown": 1 << 8,
"execute": 1 << 9,
}
var Perms = map[string][]string{
"registry": {"view", "edit", "delete"},
"node": {"view", "edit", "delete"},
"network": {"view", "edit", "delete", "disconnect"},
2021-12-24 09:24:09 +00:00
"service": {"view", "edit", "delete", "deploy", "restart", "rollback", "logs"},
"task": {"view", "logs"},
"stack": {"view", "edit", "delete", "deploy", "shutdown"},
"config": {"view", "edit", "delete"},
"secret": {"view", "edit", "delete"},
"image": {"view", "delete"},
"container": {"view", "delete", "logs", "execute"},
"volume": {"view", "edit", "delete"},
"user": {"view", "edit", "delete"},
"role": {"view", "edit", "delete"},
"chart": {"view", "edit", "delete"},
"dashboard": {"edit"},
"event": {"view"},
"setting": {"view", "edit"},
}
2021-12-06 12:24:22 +00:00
type Authorizer struct {
}
func NewAuthorizer() Authorizer {
return Authorizer{}
}
2021-12-06 12:24:22 +00:00
// Apply implements `web.Filter` interface.
func (p Authorizer) Apply(next web.HandlerFunc) web.HandlerFunc {
return func(ctx web.Context) error {
2021-12-06 12:24:22 +00:00
auth := ctx.Handler().Authorize()
// allow anonymous
if auth == "" || auth == web.AuthAnonymous {
return next(ctx)
}
user := ctx.User()
if user == nil || user.Anonymous() {
return web.NewError(http.StatusUnauthorized, "You are not logged in")
}
if auth != web.AuthAuthenticated && !p.check(user, auth) {
2021-12-06 12:24:22 +00:00
return web.NewError(http.StatusForbidden, "You do not have access to this resource")
}
return next(ctx)
}
}
func (p Authorizer) check(user web.User, auth string) bool {
u := user.(*User)
if u.admin {
2021-12-06 12:24:22 +00:00
return true
}
return u.perm.Contains(auth)
}
2021-12-06 12:24:22 +00:00
type PermMap uint64
2021-12-06 12:24:22 +00:00
func NewPermMap(perms []string) PermMap {
var p uint64
for _, perm := range perms {
pair := strings.SplitN(perm, ".", 2)
if len(pair) == 2 {
r, a := Resources[pair[0]], Actions[pair[1]]
p |= r << ActionBits
p |= a
2021-12-06 12:24:22 +00:00
}
}
return PermMap(p)
2017-09-26 12:50:09 +00:00
}
func (p PermMap) Contains(perm string) bool {
pair := strings.SplitN(perm, ".", 2)
if len(pair) == 2 {
r, a := Resources[pair[0]], Actions[pair[1]]
return uint64(p)&(r<<ActionBits) > 0 && uint64(p)&a > 0
2021-12-06 12:24:22 +00:00
}
return false
}
2021-12-06 12:24:22 +00:00
type User struct {
token string
id string
name string
admin bool
perm PermMap
2017-09-26 12:50:09 +00:00
}
func (u *User) Token() string {
return u.token
}
func (u *User) ID() string {
return u.id
}
func (u *User) Name() string {
return u.name
}
2021-12-06 12:24:22 +00:00
func (u *User) Anonymous() bool {
return u.id == ""
2017-09-26 12:50:09 +00:00
}