commit dc76a4042a29e46ef7038a2767a9844587340b66 · veryroundbird.house/core

+1 -1

appview/oauth/handler/handler.go

···

       336
       336
        
       	defaultKnot := "knot1.tangled.sh"

     

       337
       337
        
       

     

       338
       338
        
       	log.Printf("adding %s to default knot", did)

     

       339
       339
       -
       	err := o.enforcer.AddMember(defaultKnot, did)

     

       339
       339
       +
       	err := o.enforcer.AddKnotMember(defaultKnot, did)

     

       340
       340
        
       	if err != nil {

     

       341
       341
        
       		log.Println("failed to add user to knot1.tangled.sh: ", err)

     

       342
       342
        
       		return

+1 -1

appview/repo/repo.go

···

       1090
       1090
        
       	switch r.Method {

     

       1091
       1091
        
       	case http.MethodGet:

     

       1092
       1092
        
       		user := rp.oauth.GetUser(r)

     

       1093
       1093
       -
       		knots, err := rp.enforcer.GetDomainsForUser(user.Did)

     

       1093
       1093
       +
       		knots, err := rp.enforcer.GetKnotsForUser(user.Did)

     

       1094
       1094
        
       		if err != nil {

     

       1095
       1095
        
       			rp.pages.Notice(w, "repo", "Invalid user account.")

     

       1096
       1096
        
       			return

+1 -1

appview/state/knotstream.go

···

       71
       71
        
       		return err

     

       72
       72
        
       	}

     

       73
       73
        
       

     

       74
       74
       -
       	knownKnots, err := enforcer.GetDomainsForUser(record.CommitterDid)

     

       74
       74
       +
       	knownKnots, err := enforcer.GetKnotsForUser(record.CommitterDid)

     

       75
       75
        
       	if err != nil {

     

       76
       76
        
       		return err

     

       77
       77
        
       	}

+5 -5

appview/state/state.go

···

       336
       336
        
       	}

     

       337
       337
        
       

     

       338
       338
        
       	// add basic acls for this domain

     

       339
       339
       -
       	err = s.enforcer.AddDomain(domain)

     

       339
       339
       +
       	err = s.enforcer.AddKnot(domain)

     

       340
       340
        
       	if err != nil {

     

       341
       341
        
       		log.Println("failed to setup owner of domain", err)

     

       342
       342
        
       		http.Error(w, err.Error(), http.StatusInternalServerError)

     
···

       344
       344
        
       	}

     

       345
       345
        
       

     

       346
       346
        
       	// add this did as owner of this domain

     

       347
       347
       -
       	err = s.enforcer.AddOwner(domain, reg.ByDid)

     

       347
       347
       +
       	err = s.enforcer.AddKnotOwner(domain, reg.ByDid)

     

       348
       348
        
       	if err != nil {

     

       349
       349
        
       		log.Println("failed to setup owner of domain", err)

     

       350
       350
        
       		http.Error(w, err.Error(), http.StatusInternalServerError)

     
···

       409
       409
        
       		}

     

       410
       410
        
       	}

     

       411
       411
        
       

     

       412
       412
       -
       	ok, err := s.enforcer.IsServerOwner(user.Did, domain)

     

       412
       412
       +
       	ok, err := s.enforcer.IsKnotOwner(user.Did, domain)

     

       413
       413
        
       	isOwner := err == nil && ok

     

       414
       414
        
       

     

       415
       415
        
       	p := pages.KnotParams{

     
···

       528
       528
        
       		return

     

       529
       529
        
       	}

     

       530
       530
        
       

     

       531
       531
       -
       	err = s.enforcer.AddMember(domain, subjectIdentity.DID.String())

     

       531
       531
       +
       	err = s.enforcer.AddKnotMember(domain, subjectIdentity.DID.String())

     

       532
       532
        
       	if err != nil {

     

       533
       533
        
       		w.Write([]byte(fmt.Sprint("failed to add member: ", err)))

     

       534
       534
        
       		return

     
···

       576
       576
        
       	switch r.Method {

     

       577
       577
        
       	case http.MethodGet:

     

       578
       578
        
       		user := s.oauth.GetUser(r)

     

       579
       579
       -
       		knots, err := s.enforcer.GetDomainsForUser(user.Did)

     

       579
       579
       +
       		knots, err := s.enforcer.GetKnotsForUser(user.Did)

     

       580
       580
        
       		if err != nil {

     

       581
       581
        
       			s.pages.Notice(w, "repo", "Invalid user account.")

     

       582
       582
        
       			return

-4

knotclient/events.go

···

       44
       44
        
       	}

     

       45
       45
        
       }

     

       46
       46
        
       

     

       47
       47
       -
       func (cc *ConsumerConfig) AddEventSource(es EventSource) {

     

       48
       48
       -
       	cc.Sources[es] = struct{}{}

     

       49
       49
       -
       }

     

       50
       50
       -
       

     

       51
       47
        
       type EventSource struct {

     

       52
       48
        
       	Knot string

     

       53
       49
        
       }

+1 -1

knotserver/handler.go

···

       46
       46
        
       		init: make(chan struct{}),

     

       47
       47
        
       	}

     

       48
       48
        
       

     

       49
       49
       -
       	err := e.AddDomain(ThisServer)

     

       49
       49
       +
       	err := e.AddKnot(ThisServer)

     

       50
       50
        
       	if err != nil {

     

       51
       51
        
       		return nil, fmt.Errorf("failed to setup enforcer: %w", err)

     

       52
       52
        
       	}

+1 -1

knotserver/jetstream.go

···

       43
       43
        
       		return fmt.Errorf("failed to enforce permissions: %w", err)

     

       44
       44
        
       	}

     

       45
       45
        
       

     

       46
       46
       -
       	if err := h.e.AddMember(ThisServer, record.Subject); err != nil {

     

       46
       46
       +
       	if err := h.e.AddKnotMember(ThisServer, record.Subject); err != nil {

     

       47
       47
        
       		l.Error("failed to add member", "error", err)

     

       48
       48
        
       		return fmt.Errorf("failed to add member: %w", err)

     

       49
       49
        
       	}

+2 -2

knotserver/routes.go

···

       1177
       1177
        
       	}

     

       1178
       1178
        
       	h.jc.AddDid(did)

     

       1179
       1179
        
       

     

       1180
       1180
       -
       	if err := h.e.AddMember(ThisServer, did); err != nil {

     

       1180
       1180
       +
       	if err := h.e.AddKnotMember(ThisServer, did); err != nil {

     

       1181
       1181
        
       		l.Error("adding member", "error", err.Error())

     

       1182
       1182
        
       		writeError(w, err.Error(), http.StatusInternalServerError)

     

       1183
       1183
        
       		return

     
···

       1312
       1312
        
       	}

     

       1313
       1313
        
       	h.jc.AddDid(data.Did)

     

       1314
       1314
        
       

     

       1315
       1315
       -
       	if err := h.e.AddOwner(ThisServer, data.Did); err != nil {

     

       1315
       1315
       +
       	if err := h.e.AddKnotOwner(ThisServer, data.Did); err != nil {

     

       1316
       1316
        
       		l.Error("adding owner", "error", err.Error())

     

       1317
       1317
        
       		writeError(w, err.Error(), http.StatusInternalServerError)

     

       1318
       1318
        
       		return

+79 -27

rbac/rbac.go

···

       2
       2
        
       

     

       3
       3
        
       import (

     

       4
       4
        
       	"database/sql"

     

       5
       5
       -
       	"fmt"

     

       5
       5
       +
       	"slices"

     

       6
       6
        
       	"strings"

     

       7
       7
        
       

     

       8
       8
        
       	adapter "github.com/Blank-Xu/sql-adapter"

     
···

       59
       59
        
       	return &Enforcer{e}, nil

     

       60
       60
        
       }

     

       61
       61
        
       

     

       62
       62
       -
       func (e *Enforcer) AddDomain(domain string) error {

     

       62
       62
       +
       func (e *Enforcer) AddKnot(knot string) error {

     

       63
       63
        
       	// Add policies with patterns

     

       64
       64
        
       	_, err := e.E.AddPolicies([][]string{

     

       65
       65
       -
       		{"server:owner", domain, domain, "server:invite"},

     

       66
       66
       -
       		{"server:member", domain, domain, "repo:create"},

     

       65
       65
       +
       		{"server:owner", knot, knot, "server:invite"},

     

       66
       66
       +
       		{"server:member", knot, knot, "repo:create"},

     

       67
       67
       +
       	})

     

       68
       68
       +
       	if err != nil {

     

       69
       69
       +
       		return err

     

       70
       70
       +
       	}

     

       71
       71
       +
       

     

       72
       72
       +
       	// all owners are also members

     

       73
       73
       +
       	_, err = e.E.AddGroupingPolicy("server:owner", "server:member", knot)

     

       74
       74
       +
       	return err

     

       75
       75
       +
       }

     

       76
       76
       +
       

     

       77
       77
       +
       func (e *Enforcer) AddSpindle(spindle string) error {

     

       78
       78
       +
       	// the internal repr for spindles is spindle:foo.com

     

       79
       79
       +
       	spindle = intoSpindle(spindle)

     

       80
       80
       +
       

     

       81
       81
       +
       	_, err := e.E.AddPolicies([][]string{

     

       82
       82
       +
       		{"server:owner", spindle, spindle, "server:invite"},

     

       67
       83
        
       	})

     

       68
       84
        
       	if err != nil {

     

       69
       85
        
       		return err

     

       70
       86
        
       	}

     

       71
       87
        
       

     

       72
       88
        
       	// all owners are also members

     

       73
       73
       -
       	_, err = e.E.AddGroupingPolicy("server:owner", "server:member", domain)

     

       89
       89
       +
       	_, err = e.E.AddGroupingPolicy("server:owner", "server:member", spindle)

     

       74
       90
        
       	return err

     

       75
       91
        
       }

     

       76
       92
        
       

     

       77
       77
       -
       func (e *Enforcer) GetDomainsForUser(did string) ([]string, error) {

     

       78
       78
       -
       	return e.E.GetDomainsForUser(did)

     

       93
       93
       +
       func (e *Enforcer) GetKnotsForUser(did string) ([]string, error) {

     

       94
       94
       +
       	keepFunc := isNotSpindle

     

       95
       95
       +
       	stripFunc := unSpindle

     

       96
       96
       +
       	return e.getDomainsForUser(did, keepFunc, stripFunc)

     

       79
       97
        
       }

     

       80
       98
        
       

     

       81
       81
       -
       func (e *Enforcer) AddOwner(domain, owner string) error {

     

       82
       82
       -
       	_, err := e.E.AddGroupingPolicy(owner, "server:owner", domain)

     

       83
       83
       -
       	return err

     

       99
       99
       +
       func (e *Enforcer) GetSpindlesForUser(did string) ([]string, error) {

     

       100
       100
       +
       	keepFunc := isSpindle

     

       101
       101
       +
       	stripFunc := unSpindle

     

       102
       102
       +
       	return e.getDomainsForUser(did, keepFunc, stripFunc)

     

       84
       103
        
       }

     

       85
       104
        
       

     

       86
       86
       -
       func (e *Enforcer) AddMember(domain, member string) error {

     

       87
       87
       -
       	_, err := e.E.AddGroupingPolicy(member, "server:member", domain)

     

       88
       88
       -
       	return err

     

       105
       105
       +
       func (e *Enforcer) AddKnotOwner(domain, owner string) error {

     

       106
       106
       +
       	return e.addOwner(domain, owner)

     

       107
       107
       +
       }

     

       108
       108
       +
       

     

       109
       109
       +
       func (e *Enforcer) AddKnotMember(domain, member string) error {

     

       110
       110
       +
       	return e.addMember(domain, member)

     

       111
       111
       +
       }

     

       112
       112
       +
       

     

       113
       113
       +
       func (e *Enforcer) AddSpindleOwner(domain, owner string) error {

     

       114
       114
       +
       	return e.addOwner(intoSpindle(domain), owner)

     

       115
       115
       +
       }

     

       116
       116
       +
       

     

       117
       117
       +
       func (e *Enforcer) AddSpindleMember(domain, member string) error {

     

       118
       118
       +
       	return e.addMember(intoSpindle(domain), member)

     

       89
       119
        
       }

     

       90
       120
        
       

     

       91
       121
        
       func repoPolicies(member, domain, repo string) [][]string {

     
···

       162
       192
        
       		return nil, err

     

       163
       193
        
       	}

     

       164
       194
        
       

     

       165
       165
       -
       	return membersWithoutRoles, nil

     

       195
       195
       +
       	slices.Sort(membersWithoutRoles)

     

       196
       196
       +
       	return slices.Compact(membersWithoutRoles), nil

     

       166
       197
        
       }

     

       167
       198
        
       

     

       168
       168
       -
       func (e *Enforcer) isRole(user, role, domain string) (bool, error) {

     

       169
       169
       -
       	return e.E.HasGroupingPolicy(user, role, domain)

     

       199
       199
       +
       func (e *Enforcer) GetUserByRoleInRepo(role, domain, repo string) ([]string, error) {

     

       200
       200
       +
       	var users []string

     

       201
       201
       +
       

     

       202
       202
       +
       	policies, err := e.E.GetImplicitUsersForResourceByDomain(repo, domain)

     

       203
       203
       +
       	for _, p := range policies {

     

       204
       204
       +
       		user := p[0]

     

       205
       205
       +
       		if strings.HasPrefix(user, "did:") {

     

       206
       206
       +
       			users = append(users, user)

     

       207
       207
       +
       		}

     

       208
       208
       +
       	}

     

       209
       209
       +
       	if err != nil {

     

       210
       210
       +
       		return nil, err

     

       211
       211
       +
       	}

     

       212
       212
       +
       

     

       213
       213
       +
       	slices.Sort(users)

     

       214
       214
       +
       	return slices.Compact(users), nil

     

       170
       215
        
       }

     

       171
       216
        
       

     

       172
       172
       -
       func (e *Enforcer) IsServerOwner(user, domain string) (bool, error) {

     

       217
       217
       +
       func (e *Enforcer) IsKnotOwner(user, domain string) (bool, error) {

     

       173
       218
        
       	return e.isRole(user, "server:owner", domain)

     

       174
       219
        
       }

     

       175
       220
        
       

     

       176
       176
       -
       func (e *Enforcer) IsServerMember(user, domain string) (bool, error) {

     

       221
       221
       +
       func (e *Enforcer) IsKnotMember(user, domain string) (bool, error) {

     

       177
       222
        
       	return e.isRole(user, "server:member", domain)

     

       178
       223
        
       }

     

       179
       224
        
       

     

       225
       225
       +
       func (e *Enforcer) IsSpindleOwner(user, domain string) (bool, error) {

     

       226
       226
       +
       	return e.isRole(user, "server:owner", intoSpindle(domain))

     

       227
       227
       +
       }

     

       228
       228
       +
       

     

       229
       229
       +
       func (e *Enforcer) IsSpindleMember(user, domain string) (bool, error) {

     

       230
       230
       +
       	return e.isRole(user, "server:member", intoSpindle(domain))

     

       231
       231
       +
       }

     

       232
       232
       +
       

     

       233
       233
       +
       func (e *Enforcer) IsKnotInviteAllowed(user, domain string) (bool, error) {

     

       234
       234
       +
       	return e.isInviteAllowed(user, domain)

     

       235
       235
       +
       }

     

       236
       236
       +
       

     

       237
       237
       +
       func (e *Enforcer) IsSpindleInviteAllowed(user, domain string) (bool, error) {

     

       238
       238
       +
       	return e.isInviteAllowed(user, intoSpindle(domain))

     

       239
       239
       +
       }

     

       240
       240
       +
       

     

       180
       241
        
       func (e *Enforcer) IsPushAllowed(user, domain, repo string) (bool, error) {

     

       181
       242
        
       	return e.E.Enforce(user, domain, repo, "repo:push")

     

       182
       243
        
       }

     
···

       202
       263
        
       

     

       203
       264
        
       	return permissions

     

       204
       265
        
       }

     

       205
       205
       -
       

     

       206
       206
       -
       func checkRepoFormat(repo string) error {

     

       207
       207
       -
       	// sanity check, repo must be of the form ownerDid/repo

     

       208
       208
       -
       	if parts := strings.SplitN(repo, "/", 2); !strings.HasPrefix(parts[0], "did:") {

     

       209
       209
       -
       		return fmt.Errorf("invalid repo: %s", repo)

     

       210
       210
       -
       	}

     

       211
       211
       -
       

     

       212
       212
       -
       	return nil

     

       213
       213
       -
       }

+83

rbac/util.go

···

       1
       1
       +
       package rbac

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"fmt"

     

       5
       5
       +
       	"slices"

     

       6
       6
       +
       	"strings"

     

       7
       7
       +
       )

     

       8
       8
       +
       

     

       9
       9
       +
       func (e *Enforcer) getDomainsForUser(did string, keepFunc func(string) bool, stripFunc func(string) string) ([]string, error) {

     

       10
       10
       +
       	domains, err := e.E.GetDomainsForUser(did)

     

       11
       11
       +
       	if err != nil {

     

       12
       12
       +
       		return nil, err

     

       13
       13
       +
       	}

     

       14
       14
       +
       

     

       15
       15
       +
       	n := 0

     

       16
       16
       +
       	for _, x := range domains {

     

       17
       17
       +
       		if keepFunc(x) {

     

       18
       18
       +
       			domains[n] = stripFunc(x)

     

       19
       19
       +
       			n++

     

       20
       20
       +
       		}

     

       21
       21
       +
       	}

     

       22
       22
       +
       	domains = domains[:n]

     

       23
       23
       +
       

     

       24
       24
       +
       	return domains, nil

     

       25
       25
       +
       }

     

       26
       26
       +
       

     

       27
       27
       +
       func (e *Enforcer) addOwner(domain, owner string) error {

     

       28
       28
       +
       	_, err := e.E.AddGroupingPolicy(owner, "server:owner", domain)

     

       29
       29
       +
       	return err

     

       30
       30
       +
       }

     

       31
       31
       +
       

     

       32
       32
       +
       func (e *Enforcer) addMember(domain, member string) error {

     

       33
       33
       +
       	_, err := e.E.AddGroupingPolicy(member, "server:member", domain)

     

       34
       34
       +
       	return err

     

       35
       35
       +
       }

     

       36
       36
       +
       

     

       37
       37
       +
       func (e *Enforcer) isRole(user, role, domain string) (bool, error) {

     

       38
       38
       +
       	roles, err := e.E.GetImplicitRolesForUser(user, domain)

     

       39
       39
       +
       	if err != nil {

     

       40
       40
       +
       		return false, err

     

       41
       41
       +
       	}

     

       42
       42
       +
       	if slices.Contains(roles, role) {

     

       43
       43
       +
       		return true, nil

     

       44
       44
       +
       	}

     

       45
       45
       +
       	return false, nil

     

       46
       46
       +
       }

     

       47
       47
       +
       

     

       48
       48
       +
       func (e *Enforcer) isInviteAllowed(user, domain string) (bool, error) {

     

       49
       49
       +
       	return e.E.Enforce(user, domain, domain, "server:invite")

     

       50
       50
       +
       }

     

       51
       51
       +
       

     

       52
       52
       +
       func checkRepoFormat(repo string) error {

     

       53
       53
       +
       	// sanity check, repo must be of the form ownerDid/repo

     

       54
       54
       +
       	if parts := strings.SplitN(repo, "/", 2); !strings.HasPrefix(parts[0], "did:") {

     

       55
       55
       +
       		return fmt.Errorf("invalid repo: %s", repo)

     

       56
       56
       +
       	}

     

       57
       57
       +
       

     

       58
       58
       +
       	return nil

     

       59
       59
       +
       }

     

       60
       60
       +
       

     

       61
       61
       +
       const spindlePrefix = "spindle:"

     

       62
       62
       +
       

     

       63
       63
       +
       func intoSpindle(domain string) string {

     

       64
       64
       +
       	if !isSpindle(domain) {

     

       65
       65
       +
       		return spindlePrefix + domain

     

       66
       66
       +
       	}

     

       67
       67
       +
       	return domain

     

       68
       68
       +
       }

     

       69
       69
       +
       

     

       70
       70
       +
       func unSpindle(domain string) string {

     

       71
       71
       +
       	if !isSpindle(domain) {

     

       72
       72
       +
       		return domain

     

       73
       73
       +
       	}

     

       74
       74
       +
       	return strings.TrimPrefix(domain, spindlePrefix)

     

       75
       75
       +
       }

     

       76
       76
       +
       

     

       77
       77
       +
       func isSpindle(domain string) bool {

     

       78
       78
       +
       	return strings.HasPrefix(domain, spindlePrefix)

     

       79
       79
       +
       }

     

       80
       80
       +
       

     

       81
       81
       +
       func isNotSpindle(domain string) bool {

     

       82
       82
       +
       	return !isSpindle(domain)

     

       83
       83
       +
       }