1package state
2
import (
	"database/sql"
	"fmt"
	"path"

	sqladapter "github.com/Blank-Xu/sql-adapter"
	"github.com/casbin/casbin/v2"
	"github.com/casbin/casbin/v2/model"
)
11
// Model is the Casbin model text loaded by NewEnforcer.
//
// Requests and policies are both (sub, dom, obj, act) tuples, and roles are
// scoped per domain (g takes three arguments). A request is allowed when some
// policy line has the same action and domain, its object pattern matches the
// requested object via keyMatch2, and the requesting subject holds the
// policy's subject as a role in the requested domain.
//
// NOTE(review): "keyMatch2" is also the name of a Casbin built-in. NewEnforcer
// registers keyMatch2Func under that name, so the matcher presumably uses the
// path.Match-based glob in this file rather than the built-in; confirm that
// this override is intended.
const Model = `
[request_definition]
r = sub, dom, obj, act

[policy_definition]
p = sub, dom, obj, act

[role_definition]
g = _, _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = (r.act == p.act && r.dom == p.dom && keyMatch2(r.obj, p.obj) && g(r.sub, p.sub, r.dom))
`
30
// Enforcer pairs a Casbin synced enforcer with the single domain that the
// methods on this type write policies for.
type Enforcer struct {
	// E is the underlying Casbin enforcer. It is exported, so callers can use
	// the full Casbin API on it directly, bypassing the helpers below.
	E *casbin.SyncedEnforcer
	// domain is the value passed as the domain in every policy and grouping
	// rule added through the methods on Enforcer.
	domain string
}
35
// keyMatch2 reports whether key1 (the requested object) matches key2 (the
// policy object), where key2 is interpreted as a path.Match glob pattern.
//
// In path.Match, '*' and '?' never match '/', and '[' opens a character class.
// A malformed pattern is treated as "no match", so a bad policy object denies
// rather than allows.
//
// NOTE(review): because the policy object is a pattern, any policy object that
// contains glob metacharacters matches more than its literal text. Callers
// that store externally supplied names as policy objects should validate or
// escape them first.
func keyMatch2(key1 string, key2 string) bool {
	ok, err := path.Match(key2, key1)
	if err != nil {
		// path.Match only fails with ErrBadPattern; deny in that case.
		return false
	}
	return ok
}
40
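// NewEnforcer builds the access-control enforcer for domain.
//
// It parses Model, opens the SQLite database "appview.db", attaches a SQL
// adapter on the "acl" table, enables auto-save, registers keyMatch2Func as
// the matcher function "keyMatch2", and seeds the server-level policies for
// the "server:owner" and "server:member" roles. Any failure is returned
// unchanged, and the database handle opened here is closed before returning
// an error.
//
// NOTE(review): sql.Open needs a driver registered under the name "sqlite3".
// This file imports none, so it is presumably registered elsewhere in the
// program; confirm.
func NewEnforcer(domain string) (*Enforcer, error) {
	m, err := model.NewModelFromString(Model)
	if err != nil {
		return nil, err
	}

	// TODO: conf this
	// The relative path resolves against the process working directory. This
	// file is the authorization store, so its location and file permissions
	// should be set deliberately once it becomes configurable.
	db, err := sql.Open("sqlite3", "appview.db")
	if err != nil {
		return nil, err
	}

	// Until the Enforcer is handed back, nothing else can close db, so release
	// it on every failure path below.
	ok := false
	defer func() {
		if !ok {
			_ = db.Close()
		}
	}()

	a, err := sqladapter.NewAdapter(db, "sqlite3", "acl")
	if err != nil {
		return nil, err
	}

	e, err := casbin.NewSyncedEnforcer(m, a)
	if err != nil {
		return nil, err
	}

	e.EnableAutoSave(true)
	e.AddFunction("keyMatch2", keyMatch2Func)

	// Seed the server-level policies. The object of each rule is the domain
	// itself, which keyMatch2 interprets as a glob pattern.
	//
	// NOTE(review): the boolean result is discarded. With a store that already
	// holds some of these rules, confirm that AddPolicies still leaves the
	// full default set in place.
	_, err = e.AddPolicies([][]string{
		{"server:owner", domain, domain, "server:invite"},
		{"server:owner", domain, domain, "repo:create"},
		{"server:owner", domain, domain, "repo:delete"}, // privileged operation: delete any repo in domain
		{"server:member", domain, domain, "repo:create"},
	})
	if err != nil {
		return nil, err
	}

	ok = true
	return &Enforcer{E: e, domain: domain}, nil
}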
79
// AddOwner assigns owner the "server:owner" role within the enforcer's domain.
// Casbin's "was anything added" result is discarded; only the error is
// returned.
func (e *Enforcer) AddOwner(owner string) error {
	if _, err := e.E.AddGroupingPolicy(owner, "server:owner", e.domain); err != nil {
		return err
	}
	return nil
}
84
// AddMember assigns member the "server:member" role within the enforcer's
// domain. Casbin's "was anything added" result is discarded; only the error is
// returned.
func (e *Enforcer) AddMember(member string) error {
	if _, err := e.E.AddGroupingPolicy(member, "server:member", e.domain); err != nil {
		return err
	}
	return nil
}
89
// AddRepo grants member the push, owner, invite and delete actions on repo in
// the enforcer's domain.
//
// NOTE(review): the domain parameter is never read; every rule is written for
// e.domain. Confirm whether callers rely on passing a different domain.
//
// NOTE(review): repo is stored as the policy object, which keyMatch2 treats as
// a path.Match glob. A repo value containing '*', '?', '[' or '\' therefore
// matches more than its literal text. If repo can come from user input, reject
// or escape those characters before calling this method.
func (e *Enforcer) AddRepo(member, domain, repo string) error {
	actions := [...]string{"repo:push", "repo:owner", "repo:invite", "repo:delete"}

	rules := make([][]string, 0, len(actions))
	for _, act := range actions {
		rules = append(rules, []string{member, e.domain, repo, act})
	}

	_, err := e.E.AddPolicies(rules)
	return err
}
99
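// keyMatch2Func adapts keyMatch2 to the variadic signature Casbin requires of
// a custom matcher function.
//
// The first two arguments must be strings: the requested object, then the
// policy object pattern. A short argument list or a non-string argument
// returns (false, error) instead of panicking on an index or type assertion,
// so a malformed matcher call surfaces as an evaluation error.
func keyMatch2Func(args ...interface{}) (interface{}, error) {
	if len(args) < 2 {
		return false, fmt.Errorf("keyMatch2: expected 2 arguments, got %d", len(args))
	}

	name1, ok := args[0].(string)
	if !ok {
		return false, fmt.Errorf("keyMatch2: argument 1 must be a string, got %T", args[0])
	}
	name2, ok := args[1].(string)
	if !ok {
		return false, fmt.Errorf("keyMatch2: argument 2 must be a string, got %T", args[1])
	}

	return keyMatch2(name1, name2), nil
}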
106}