commit 1598091a65033ce6bcdc4a1197a092852aac4ba5 · foxwitch.net/core

+22 -18

appview/state/rbac.go

···

       24
       24
        
       e = some(where (p.eft == allow))

     

       25
       25
        
       

     

       26
       26
        
       [matchers]

     

       27
       27
       -
       m = (r.act == p.act && r.dom == p.dom && keyMatch2(r.obj, p.obj) && g(r.sub, p.sub, r.dom))

     

       27
       27
       +
       m = r.act == p.act && r.dom == p.dom && keyMatch2(r.obj, p.obj) && g(r.sub, p.sub, r.dom)

     

       28
       28
        
       `

     

       29
       29
        
       )

     

       30
       30
        
       

     

       31
       31
        
       type Enforcer struct {

     

       32
       32
       -
       	E      *casbin.SyncedEnforcer

     

       33
       33
       -
       	domain string

     

       32
       32
       +
       	E *casbin.SyncedEnforcer

     

       34
       33
        
       }

     

       35
       34
        
       

     

       36
       35
        
       func keyMatch2(key1 string, key2 string) bool {

     
···

       38
       37
        
       	return matched

     

       39
       38
        
       }

     

       40
       39
        
       

     

       41
       41
       -
       func NewEnforcer(domain string) (*Enforcer, error) {

     

       40
       40
       +
       func NewEnforcer() (*Enforcer, error) {

     

       42
       41
        
       	m, err := model.NewModelFromString(Model)

     

       43
       42
        
       	if err != nil {

     

       44
       43
        
       		return nil, err

     
···

       63
       62
        
       	e.EnableAutoSave(true)

     

       64
       63
        
       	e.AddFunction("keyMatch2", keyMatch2Func)

     

       65
       64
        
       

     

       65
       65
       +
       	return &Enforcer{e}, nil

     

       66
       66
       +
       }

     

       67
       67
       +
       

     

       68
       68
       +
       func (e *Enforcer) AddDomain(domain string) error {

     

       66
       69
        
       	// Add policies with patterns

     

       67
       67
       -
       	_, err = e.AddPolicies([][]string{

     

       70
       70
       +
       	_, err := e.E.AddPolicies([][]string{

     

       68
       71
        
       		{"server:owner", domain, domain, "server:invite"},

     

       69
       69
       -
       		{"server:owner", domain, domain, "repo:create"},

     

       70
       70
       -
       		{"server:owner", domain, domain, "repo:delete"},  // priveledged operation, delete any repo in domain

     

       71
       71
       -
       		{"server:member", domain, domain, "repo:create"}, // priveledged operation, delete any repo in domain

     

       72
       72
       +
       		{"server:member", domain, domain, "repo:create"},

     

       72
       73
        
       	})

     

       73
       74
        
       	if err != nil {

     

       74
       74
       -
       		return nil, err

     

       75
       75
       +
       		return err

     

       75
       76
        
       	}

     

       76
       77
        
       

     

       77
       77
       -
       	return &Enforcer{e, domain}, nil

     

       78
       78
       +
       	// all owners are also members

     

       79
       79
       +
       	_, err = e.E.AddGroupingPolicy("server:owner", "server:member", domain)

     

       80
       80
       +
       	return err

     

       78
       81
        
       }

     

       79
       82
        
       

     

       80
       80
       -
       func (e *Enforcer) AddOwner(owner string) error {

     

       81
       81
       -
       	_, err := e.E.AddGroupingPolicy(owner, "server:owner", e.domain)

     

       83
       83
       +
       func (e *Enforcer) AddOwner(domain, owner string) error {

     

       84
       84
       +
       	_, err := e.E.AddGroupingPolicy(owner, "server:owner", domain)

     

       82
       85
        
       	return err

     

       83
       86
        
       }

     

       84
       87
        
       

     

       85
       85
       -
       func (e *Enforcer) AddMember(member string) error {

     

       86
       86
       -
       	_, err := e.E.AddGroupingPolicy(member, "server:member", e.domain)

     

       88
       88
       +
       func (e *Enforcer) AddMember(domain, member string) error {

     

       89
       89
       +
       	_, err := e.E.AddGroupingPolicy(member, "server:member", domain)

     

       87
       90
        
       	return err

     

       88
       91
        
       }

     

       89
       92
        
       

     

       90
       93
        
       func (e *Enforcer) AddRepo(member, domain, repo string) error {

     

       91
       94
        
       	_, err := e.E.AddPolicies([][]string{

     

       92
       92
       -
       		{member, e.domain, repo, "repo:push"},

     

       93
       93
       -
       		{member, e.domain, repo, "repo:owner"},

     

       94
       94
       -
       		{member, e.domain, repo, "repo:invite"},

     

       95
       95
       -
       		{member, e.domain, repo, "repo:delete"},

     

       95
       95
       +
       		{member, domain, repo, "repo:push"},

     

       96
       96
       +
       		{member, domain, repo, "repo:owner"},

     

       97
       97
       +
       		{member, domain, repo, "repo:invite"},

     

       98
       98
       +
       		{member, domain, repo, "repo:delete"},

     

       99
       99
       +
       		{"server:owner", domain, repo, "repo:delete"}, // server owner can delete any repo

     

       96
       100
        
       	})

     

       97
       101
        
       	return err

     

       98
       102
        
       }

+20 -7

appview/state/state.go

···

       21
       21
        
       )

     

       22
       22
        
       

     

       23
       23
        
       type State struct {

     

       24
       24
       -
       	Db   *db.DB

     

       25
       25
       -
       	Auth *auth.Auth

     

       24
       24
       +
       	db       *db.DB

     

       25
       25
       +
       	auth     *auth.Auth

     

       26
       26
       +
       	enforcer *Enforcer

     

       26
       27
        
       }

     

       27
       28
        
       

     

       28
       29
        
       func Make() (*State, error) {

     
···

       36
       37
        
       		return nil, err

     

       37
       38
        
       	}

     

       38
       39
        
       

     

       39
       39
       -
       	return &State{db, auth}, nil

     

       40
       40
       +
       	enforcer, err := NewEnforcer()

     

       41
       41
       +
       	if err != nil {

     

       42
       42
       +
       		return nil, err

     

       43
       43
       +
       	}

     

       44
       44
       +
       

     

       45
       45
       +
       	return &State{db, auth, enforcer}, nil

     

       40
       46
        
       }

     

       41
       47
        
       

     

       42
       48
        
       func (s *State) Login(w http.ResponseWriter, r *http.Request) {

     
···

       223
       229
        
       	w.Write([]byte("check success"))

     

       224
       230
        
       

     

       225
       231
        
       	// mark as registered

     

       226
       226
       -
       	err = s.Db.Register(domain)

     

       232
       232
       +
       	err = s.db.Register(domain)

     

       227
       233
        
       	if err != nil {

     

       228
       234
        
       		log.Println("failed to register domain", err)

     

       229
       235
        
       		http.Error(w, err.Error(), http.StatusInternalServerError)

     

       230
       236
        
       	}

     

       231
       237
        
       

     

       232
       238
        
       	// set permissions for this did as owner

     

       233
       233
       -
       	_, did, err := s.Db.RegistrationStatus(domain)

     

       239
       239
       +
       	_, did, err := s.db.RegistrationStatus(domain)

     

       234
       240
        
       	if err != nil {

     

       235
       241
        
       		log.Println("failed to register domain", err)

     

       236
       242
        
       		http.Error(w, err.Error(), http.StatusInternalServerError)

     

       237
       243
        
       	}

     

       238
       244
        
       

     

       239
       239
       -
       	e, err := NewEnforcer(domain)

     

       245
       245
       +
       	if err != nil {

     

       246
       246
       +
       		log.Println("failed to setup owner of domain", err)

     

       247
       247
       +
       		http.Error(w, err.Error(), http.StatusInternalServerError)

     

       248
       248
       +
       	}

     

       249
       249
       +
       

     

       250
       250
       +
       	// add basic acls for this domain

     

       251
       251
       +
       	err = s.enforcer.AddDomain(domain)

     

       240
       252
        
       	if err != nil {

     

       241
       253
        
       		log.Println("failed to setup owner of domain", err)

     

       242
       254
        
       		http.Error(w, err.Error(), http.StatusInternalServerError)

     

       243
       255
        
       	}

     

       244
       256
        
       

     

       245
       245
       -
       	err = e.AddOwner(did)

     

       257
       257
       +
       	// add this did as owner of this domain

     

       258
       258
       +
       	err = s.enforcer.AddOwner(domain, did)

     

       246
       259
        
       	if err != nil {

     

       247
       260
        
       		log.Println("failed to setup owner of domain", err)

     

       248
       261
        
       		http.Error(w, err.Error(), http.StatusInternalServerError)