tangled.org
+22
-18
appview/state/rbac.go
+22
-18
appview/state/rbac.go
···
24
e = some(where (p.eft == allow))
25
26
[matchers]
27
-
m = (r.act == p.act && r.dom == p.dom && keyMatch2(r.obj, p.obj) && g(r.sub, p.sub, r.dom))
28
`
29
)
30
31
type Enforcer struct {
32
-
E *casbin.SyncedEnforcer
33
-
domain string
34
}
35
36
func keyMatch2(key1 string, key2 string) bool {
···
38
return matched
39
}
40
41
-
func NewEnforcer(domain string) (*Enforcer, error) {
42
m, err := model.NewModelFromString(Model)
43
if err != nil {
44
return nil, err
···
63
e.EnableAutoSave(true)
64
e.AddFunction("keyMatch2", keyMatch2Func)
65
66
// Add policies with patterns
67
-
_, err = e.AddPolicies([][]string{
68
{"server:owner", domain, domain, "server:invite"},
69
-
{"server:owner", domain, domain, "repo:create"},
70
-
{"server:owner", domain, domain, "repo:delete"}, // priveledged operation, delete any repo in domain
71
-
{"server:member", domain, domain, "repo:create"}, // priveledged operation, delete any repo in domain
72
})
73
if err != nil {
74
-
return nil, err
75
}
76
77
-
return &Enforcer{e, domain}, nil
78
}
79
80
-
func (e *Enforcer) AddOwner(owner string) error {
81
-
_, err := e.E.AddGroupingPolicy(owner, "server:owner", e.domain)
82
return err
83
}
84
85
-
func (e *Enforcer) AddMember(member string) error {
86
-
_, err := e.E.AddGroupingPolicy(member, "server:member", e.domain)
87
return err
88
}
89
90
func (e *Enforcer) AddRepo(member, domain, repo string) error {
91
_, err := e.E.AddPolicies([][]string{
92
-
{member, e.domain, repo, "repo:push"},
93
-
{member, e.domain, repo, "repo:owner"},
94
-
{member, e.domain, repo, "repo:invite"},
95
-
{member, e.domain, repo, "repo:delete"},
96
})
97
return err
98
}
···
24
e = some(where (p.eft == allow))
25
26
[matchers]
27
+
m = r.act == p.act && r.dom == p.dom && keyMatch2(r.obj, p.obj) && g(r.sub, p.sub, r.dom)
28
`
29
)
30
31
type Enforcer struct {
32
+
E *casbin.SyncedEnforcer
33
}
34
35
func keyMatch2(key1 string, key2 string) bool {
···
37
return matched
38
}
39
40
+
func NewEnforcer() (*Enforcer, error) {
41
m, err := model.NewModelFromString(Model)
42
if err != nil {
43
return nil, err
···
62
e.EnableAutoSave(true)
63
e.AddFunction("keyMatch2", keyMatch2Func)
64
65
+
return &Enforcer{e}, nil
66
+
}
67
+
68
+
func (e *Enforcer) AddDomain(domain string) error {
69
// Add policies with patterns
70
+
_, err := e.E.AddPolicies([][]string{
71
{"server:owner", domain, domain, "server:invite"},
72
+
{"server:member", domain, domain, "repo:create"},
73
})
74
if err != nil {
75
+
return err
76
}
77
78
+
// all owners are also members
79
+
_, err = e.E.AddGroupingPolicy("server:owner", "server:member", domain)
80
+
return err
81
}
82
83
+
func (e *Enforcer) AddOwner(domain, owner string) error {
84
+
_, err := e.E.AddGroupingPolicy(owner, "server:owner", domain)
85
return err
86
}
87
88
+
func (e *Enforcer) AddMember(domain, member string) error {
89
+
_, err := e.E.AddGroupingPolicy(member, "server:member", domain)
90
return err
91
}
92
93
func (e *Enforcer) AddRepo(member, domain, repo string) error {
94
_, err := e.E.AddPolicies([][]string{
95
+
{member, domain, repo, "repo:push"},
96
+
{member, domain, repo, "repo:owner"},
97
+
{member, domain, repo, "repo:invite"},
98
+
{member, domain, repo, "repo:delete"},
99
+
{"server:owner", domain, repo, "repo:delete"}, // server owner can delete any repo
100
})
101
return err
102
}
+20
-7
appview/state/state.go
+20
-7
appview/state/state.go
···
21
)
22
23
type State struct {
24
-
Db *db.DB
25
-
Auth *auth.Auth
26
}
27
28
func Make() (*State, error) {
···
36
return nil, err
37
}
38
39
-
return &State{db, auth}, nil
40
}
41
42
func (s *State) Login(w http.ResponseWriter, r *http.Request) {
···
223
w.Write([]byte("check success"))
224
225
// mark as registered
226
-
err = s.Db.Register(domain)
227
if err != nil {
228
log.Println("failed to register domain", err)
229
http.Error(w, err.Error(), http.StatusInternalServerError)
230
}
231
232
// set permissions for this did as owner
233
-
_, did, err := s.Db.RegistrationStatus(domain)
234
if err != nil {
235
log.Println("failed to register domain", err)
236
http.Error(w, err.Error(), http.StatusInternalServerError)
237
}
238
239
-
e, err := NewEnforcer(domain)
240
if err != nil {
241
log.Println("failed to setup owner of domain", err)
242
http.Error(w, err.Error(), http.StatusInternalServerError)
243
}
244
245
-
err = e.AddOwner(did)
246
if err != nil {
247
log.Println("failed to setup owner of domain", err)
248
http.Error(w, err.Error(), http.StatusInternalServerError)
···
21
)
22
23
type State struct {
24
+
db *db.DB
25
+
auth *auth.Auth
26
+
enforcer *Enforcer
27
}
28
29
func Make() (*State, error) {
···
37
return nil, err
38
}
39
40
+
enforcer, err := NewEnforcer()
41
+
if err != nil {
42
+
return nil, err
43
+
}
44
+
45
+
return &State{db, auth, enforcer}, nil
46
}
47
48
func (s *State) Login(w http.ResponseWriter, r *http.Request) {
···
229
w.Write([]byte("check success"))
230
231
// mark as registered
232
+
err = s.db.Register(domain)
233
if err != nil {
234
log.Println("failed to register domain", err)
235
http.Error(w, err.Error(), http.StatusInternalServerError)
236
}
237
238
// set permissions for this did as owner
239
+
_, did, err := s.db.RegistrationStatus(domain)
240
if err != nil {
241
log.Println("failed to register domain", err)
242
http.Error(w, err.Error(), http.StatusInternalServerError)
243
}
244
245
+
if err != nil {
246
+
log.Println("failed to setup owner of domain", err)
247
+
http.Error(w, err.Error(), http.StatusInternalServerError)
248
+
}
249
+
250
+
// add basic acls for this domain
251
+
err = s.enforcer.AddDomain(domain)
252
if err != nil {
253
log.Println("failed to setup owner of domain", err)
254
http.Error(w, err.Error(), http.StatusInternalServerError)
255
}
256
257
+
// add this did as owner of this domain
258
+
err = s.enforcer.AddOwner(domain, did)
259
if err != nil {
260
log.Println("failed to setup owner of domain", err)
261
http.Error(w, err.Error(), http.StatusInternalServerError)