commit 1598091a65033ce6bcdc4a1197a092852aac4ba5 · foxwitch.net/core

+22 -18

appview/state/rbac.go

···

       24
        
       e = some(where (p.eft == allow))

     

       25
        
       

     

       26
        
       [matchers]

     

       27
       -
       m = (r.act == p.act && r.dom == p.dom && keyMatch2(r.obj, p.obj) && g(r.sub, p.sub, r.dom))

     

       28
        
       `

     

       29
        
       )

     

       30
        
       

     

       31
        
       type Enforcer struct {

     

       32
       -
       	E      *casbin.SyncedEnforcer

     

       33
       -
       	domain string

     

       34
        
       }

     

       35
        
       

     

       36
        
       func keyMatch2(key1 string, key2 string) bool {

     
···

       38
        
       	return matched

     

       39
        
       }

     

       40
        
       

     

       41
       -
       func NewEnforcer(domain string) (*Enforcer, error) {

     

       42
        
       	m, err := model.NewModelFromString(Model)

     

       43
        
       	if err != nil {

     

       44
        
       		return nil, err

     
···

       63
        
       	e.EnableAutoSave(true)

     

       64
        
       	e.AddFunction("keyMatch2", keyMatch2Func)

     

       65
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       66
        
       	// Add policies with patterns

     

       67
       -
       	_, err = e.AddPolicies([][]string{

     

       68
        
       		{"server:owner", domain, domain, "server:invite"},

     

       69
       -
       		{"server:owner", domain, domain, "repo:create"},

     

       70
       -
       		{"server:owner", domain, domain, "repo:delete"},  // priveledged operation, delete any repo in domain

     

       71
       -
       		{"server:member", domain, domain, "repo:create"}, // priveledged operation, delete any repo in domain

     

       72
        
       	})

     

       73
        
       	if err != nil {

     

       74
       -
       		return nil, err

     

       75
        
       	}

     

       76
        
       

     

       77
       -
       	return &Enforcer{e, domain}, nil

     

       0
        
       
     

       0
        
       
     

       78
        
       }

     

       79
        
       

     

       80
       -
       func (e *Enforcer) AddOwner(owner string) error {

     

       81
       -
       	_, err := e.E.AddGroupingPolicy(owner, "server:owner", e.domain)

     

       82
        
       	return err

     

       83
        
       }

     

       84
        
       

     

       85
       -
       func (e *Enforcer) AddMember(member string) error {

     

       86
       -
       	_, err := e.E.AddGroupingPolicy(member, "server:member", e.domain)

     

       87
        
       	return err

     

       88
        
       }

     

       89
        
       

     

       90
        
       func (e *Enforcer) AddRepo(member, domain, repo string) error {

     

       91
        
       	_, err := e.E.AddPolicies([][]string{

     

       92
       -
       		{member, e.domain, repo, "repo:push"},

     

       93
       -
       		{member, e.domain, repo, "repo:owner"},

     

       94
       -
       		{member, e.domain, repo, "repo:invite"},

     

       95
       -
       		{member, e.domain, repo, "repo:delete"},

     

       0
        
       
     

       96
        
       	})

     

       97
        
       	return err

     

       98
        
       }

···

       24
        
       e = some(where (p.eft == allow))

     

       25
        
       

     

       26
        
       [matchers]

     

       27
       +
       m = r.act == p.act && r.dom == p.dom && keyMatch2(r.obj, p.obj) && g(r.sub, p.sub, r.dom)

     

       28
        
       `

     

       29
        
       )

     

       30
        
       

     

       31
        
       type Enforcer struct {

     

       32
       +
       	E *casbin.SyncedEnforcer

     

       0
        
       
     

       33
        
       }

     

       34
        
       

     

       35
        
       func keyMatch2(key1 string, key2 string) bool {

     
···

       37
        
       	return matched

     

       38
        
       }

     

       39
        
       

     

       40
       +
       func NewEnforcer() (*Enforcer, error) {

     

       41
        
       	m, err := model.NewModelFromString(Model)

     

       42
        
       	if err != nil {

     

       43
        
       		return nil, err

     
···

       62
        
       	e.EnableAutoSave(true)

     

       63
        
       	e.AddFunction("keyMatch2", keyMatch2Func)

     

       64
        
       

     

       65
       +
       	return &Enforcer{e}, nil

     

       66
       +
       }

     

       67
       +
       

     

       68
       +
       func (e *Enforcer) AddDomain(domain string) error {

     

       69
        
       	// Add policies with patterns

     

       70
       +
       	_, err := e.E.AddPolicies([][]string{

     

       71
        
       		{"server:owner", domain, domain, "server:invite"},

     

       72
       +
       		{"server:member", domain, domain, "repo:create"},

     

       0
        
       
     

       0
        
       
     

       73
        
       	})

     

       74
        
       	if err != nil {

     

       75
       +
       		return err

     

       76
        
       	}

     

       77
        
       

     

       78
       +
       	// all owners are also members

     

       79
       +
       	_, err = e.E.AddGroupingPolicy("server:owner", "server:member", domain)

     

       80
       +
       	return err

     

       81
        
       }

     

       82
        
       

     

       83
       +
       func (e *Enforcer) AddOwner(domain, owner string) error {

     

       84
       +
       	_, err := e.E.AddGroupingPolicy(owner, "server:owner", domain)

     

       85
        
       	return err

     

       86
        
       }

     

       87
        
       

     

       88
       +
       func (e *Enforcer) AddMember(domain, member string) error {

     

       89
       +
       	_, err := e.E.AddGroupingPolicy(member, "server:member", domain)

     

       90
        
       	return err

     

       91
        
       }

     

       92
        
       

     

       93
        
       func (e *Enforcer) AddRepo(member, domain, repo string) error {

     

       94
        
       	_, err := e.E.AddPolicies([][]string{

     

       95
       +
       		{member, domain, repo, "repo:push"},

     

       96
       +
       		{member, domain, repo, "repo:owner"},

     

       97
       +
       		{member, domain, repo, "repo:invite"},

     

       98
       +
       		{member, domain, repo, "repo:delete"},

     

       99
       +
       		{"server:owner", domain, repo, "repo:delete"}, // server owner can delete any repo

     

       100
        
       	})

     

       101
        
       	return err

     

       102
        
       }

+20 -7

appview/state/state.go

···

       21
        
       )

     

       22
        
       

     

       23
        
       type State struct {

     

       24
       -
       	Db   *db.DB

     

       25
       -
       	Auth *auth.Auth

     

       0
        
       
     

       26
        
       }

     

       27
        
       

     

       28
        
       func Make() (*State, error) {

     
···

       36
        
       		return nil, err

     

       37
        
       	}

     

       38
        
       

     

       39
       -
       	return &State{db, auth}, nil

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       40
        
       }

     

       41
        
       

     

       42
        
       func (s *State) Login(w http.ResponseWriter, r *http.Request) {

     
···

       223
        
       	w.Write([]byte("check success"))

     

       224
        
       

     

       225
        
       	// mark as registered

     

       226
       -
       	err = s.Db.Register(domain)

     

       227
        
       	if err != nil {

     

       228
        
       		log.Println("failed to register domain", err)

     

       229
        
       		http.Error(w, err.Error(), http.StatusInternalServerError)

     

       230
        
       	}

     

       231
        
       

     

       232
        
       	// set permissions for this did as owner

     

       233
       -
       	_, did, err := s.Db.RegistrationStatus(domain)

     

       234
        
       	if err != nil {

     

       235
        
       		log.Println("failed to register domain", err)

     

       236
        
       		http.Error(w, err.Error(), http.StatusInternalServerError)

     

       237
        
       	}

     

       238
        
       

     

       239
       -
       	e, err := NewEnforcer(domain)

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       240
        
       	if err != nil {

     

       241
        
       		log.Println("failed to setup owner of domain", err)

     

       242
        
       		http.Error(w, err.Error(), http.StatusInternalServerError)

     

       243
        
       	}

     

       244
        
       

     

       245
       -
       	err = e.AddOwner(did)

     

       0
        
       
     

       246
        
       	if err != nil {

     

       247
        
       		log.Println("failed to setup owner of domain", err)

     

       248
        
       		http.Error(w, err.Error(), http.StatusInternalServerError)

···

       21
        
       )

     

       22
        
       

     

       23
        
       type State struct {

     

       24
       +
       	db       *db.DB

     

       25
       +
       	auth     *auth.Auth

     

       26
       +
       	enforcer *Enforcer

     

       27
        
       }

     

       28
        
       

     

       29
        
       func Make() (*State, error) {

     
···

       37
        
       		return nil, err

     

       38
        
       	}

     

       39
        
       

     

       40
       +
       	enforcer, err := NewEnforcer()

     

       41
       +
       	if err != nil {

     

       42
       +
       		return nil, err

     

       43
       +
       	}

     

       44
       +
       

     

       45
       +
       	return &State{db, auth, enforcer}, nil

     

       46
        
       }

     

       47
        
       

     

       48
        
       func (s *State) Login(w http.ResponseWriter, r *http.Request) {

     
···

       229
        
       	w.Write([]byte("check success"))

     

       230
        
       

     

       231
        
       	// mark as registered

     

       232
       +
       	err = s.db.Register(domain)

     

       233
        
       	if err != nil {

     

       234
        
       		log.Println("failed to register domain", err)

     

       235
        
       		http.Error(w, err.Error(), http.StatusInternalServerError)

     

       236
        
       	}

     

       237
        
       

     

       238
        
       	// set permissions for this did as owner

     

       239
       +
       	_, did, err := s.db.RegistrationStatus(domain)

     

       240
        
       	if err != nil {

     

       241
        
       		log.Println("failed to register domain", err)

     

       242
        
       		http.Error(w, err.Error(), http.StatusInternalServerError)

     

       243
        
       	}

     

       244
        
       

     

       245
       +
       	if err != nil {

     

       246
       +
       		log.Println("failed to setup owner of domain", err)

     

       247
       +
       		http.Error(w, err.Error(), http.StatusInternalServerError)

     

       248
       +
       	}

     

       249
       +
       

     

       250
       +
       	// add basic acls for this domain

     

       251
       +
       	err = s.enforcer.AddDomain(domain)

     

       252
        
       	if err != nil {

     

       253
        
       		log.Println("failed to setup owner of domain", err)

     

       254
        
       		http.Error(w, err.Error(), http.StatusInternalServerError)

     

       255
        
       	}

     

       256
        
       

     

       257
       +
       	// add this did as owner of this domain

     

       258
       +
       	err = s.enforcer.AddOwner(domain, did)

     

       259
        
       	if err != nil {

     

       260
        
       		log.Println("failed to setup owner of domain", err)

     

       261
        
       		http.Error(w, err.Error(), http.StatusInternalServerError)