+22
-18
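--- a/appview/state/rbac.go
+++ b/appview/state/rbac.go
@@ -24,13 +24,12 @@
 e = some(where (p.eft == allow))
 
 [matchers]
-m = (r.act == p.act && r.dom == p.dom && keyMatch2(r.obj, p.obj) && g(r.sub, p.sub, r.dom))
+m = r.act == p.act && r.dom == p.dom && keyMatch2(r.obj, p.obj) && g(r.sub, p.sub, r.dom)
 `
 )
 
 type Enforcer struct {
-	E *casbin.SyncedEnforcer
-	domain string
+	E *casbin.SyncedEnforcer
 }
 
 func keyMatch2(key1 string, key2 string) bool {
@@ -38,7 +37,7 @@
 	return matched
 }
 
-func NewEnforcer(domain string) (*Enforcer, error) {
+func NewEnforcer() (*Enforcer, error) {
 	m, err := model.NewModelFromString(Model)
 	if err != nil {
 		return nil, err
@@ -63,36 +62,41 @@
 	e.EnableAutoSave(true)
 	e.AddFunction("keyMatch2", keyMatch2Func)
 
+	return &Enforcer{e}, nil
+}
+
+func (e *Enforcer) AddDomain(domain string) error {
 	// Add policies with patterns
-	_, err = e.AddPolicies([][]string{
+	_, err := e.E.AddPolicies([][]string{
 		{"server:owner", domain, domain, "server:invite"},
-		{"server:owner", domain, domain, "repo:create"},
-		{"server:owner", domain, domain, "repo:delete"}, // priveledged operation, delete any repo in domain
-		{"server:member", domain, domain, "repo:create"}, // priveledged operation, delete any repo in domain
+		{"server:member", domain, domain, "repo:create"},
 	})
 	if err != nil {
-		return nil, err
+		return err
 	}
 
-	return &Enforcer{e, domain}, nil
+	// all owners are also members
+	_, err = e.E.AddGroupingPolicy("server:owner", "server:member", domain)
+	return err
 }
 
-func (e *Enforcer) AddOwner(owner string) error {
-	_, err := e.E.AddGroupingPolicy(owner, "server:owner", e.domain)
+func (e *Enforcer) AddOwner(domain, owner string) error {
+	_, err := e.E.AddGroupingPolicy(owner, "server:owner", domain)
 	return err
 }
 
-func (e *Enforcer) AddMember(member string) error {
-	_, err := e.E.AddGroupingPolicy(member, "server:member", e.domain)
+func (e *Enforcer) AddMember(domain, member string) error {
+	_, err := e.E.AddGroupingPolicy(member, "server:member", domain)
 	return err
 }
 
 func (e *Enforcer) AddRepo(member, domain, repo string) error {
 	_, err := e.E.AddPolicies([][]string{
-		{member, e.domain, repo, "repo:push"},
-		{member, e.domain, repo, "repo:owner"},
-		{member, e.domain, repo, "repo:invite"},
-		{member, e.domain, repo, "repo:delete"},
+		{member, domain, repo, "repo:push"},
+		{member, domain, repo, "repo:owner"},
+		{member, domain, repo, "repo:invite"},
+		{member, domain, repo, "repo:delete"},
+		{"server:owner", domain, repo, "repo:delete"}, // server owner can delete any repo
 	})
 	return err
 }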
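Review bot: `AddRepo` (new lines 93-102) writes the caller-supplied `repo` string into the policy object column, and the matcher on new line 27 evaluates that column with `keyMatch2(r.obj, p.obj)`, so a repo name is treated as a pattern rather than a literal — if the local `keyMatch2` follows Casbin's semantics (expanding `:param` and `*`), a name carrying that syntax would match more objects than the one being granted; its body sits outside this hunk, so confirm what it accepts and reject or escape such names before calling `AddPolicies`. Separately, `AddDomain` (new lines 68-81) discards the bool from `e.E.AddPolicies`; in Casbin a batch that already contains one of the rules returns `false, nil` without adding anything, so a repeated call for the same domain silently adds nothing yet reports success — check the flag or make the call explicitly idempotent. The new exported methods also lack doc comments; for example `// AddDomain installs the baseline policies for domain and makes server:owner inherit server:member; intended to be called once per domain.` and `// AddRepo grants member full control of repo in domain and lets server:owner delete it.`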
+20
-7
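--- a/appview/state/state.go
+++ b/appview/state/state.go
@@ -21,8 +21,9 @@
 )
 
 type State struct {
-	Db *db.DB
-	Auth *auth.Auth
+	db *db.DB
+	auth *auth.Auth
+	enforcer *Enforcer
 }
 
 func Make() (*State, error) {
@@ -36,7 +37,12 @@
 		return nil, err
 	}
 
-	return &State{db, auth}, nil
+	enforcer, err := NewEnforcer()
+	if err != nil {
+		return nil, err
+	}
+
+	return &State{db, auth, enforcer}, nil
 }
 
 func (s *State) Login(w http.ResponseWriter, r *http.Request) {
@@ -223,26 +229,33 @@
 	w.Write([]byte("check success"))
 
 	// mark as registered
-	err = s.Db.Register(domain)
+	err = s.db.Register(domain)
 	if err != nil {
 		log.Println("failed to register domain", err)
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 	}
 
 	// set permissions for this did as owner
-	_, did, err := s.Db.RegistrationStatus(domain)
+	_, did, err := s.db.RegistrationStatus(domain)
 	if err != nil {
 		log.Println("failed to register domain", err)
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 	}
 
-	e, err := NewEnforcer(domain)
+	if err != nil {
+		log.Println("failed to setup owner of domain", err)
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+	}
+
+	// add basic acls for this domain
+	err = s.enforcer.AddDomain(domain)
 	if err != nil {
 		log.Println("failed to setup owner of domain", err)
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 	}
 
-	err = e.AddOwner(did)
+	// add this did as owner of this domain
+	err = s.enforcer.AddOwner(domain, did)
 	if err != nil {
 		log.Println("failed to setup owner of domain", err)
 		http.Error(w, err.Error(), http.StatusInternalServerError)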
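Review bot: None of the error branches in the Login hunk (new lines 233-261) return after `http.Error`, so a failed `s.db.Register` or `s.db.RegistrationStatus` still falls through to `s.enforcer.AddDomain(domain)` and `s.enforcer.AddOwner(domain, did)` — with `did` possibly empty — and the ownership grant is written regardless of whether registration succeeded. The `if err != nil` block at new lines 245-248 re-tests the same `err` already handled at 240-243 (a leftover of the removed `NewEnforcer(domain)` call) and is dead code. Note also that `w.Write([]byte("check success"))` on new line 229 has already committed a 200 response, so the later `http.Error` calls cannot change the status the client sees; consider moving that write after the ACL setup, and log the internal error rather than echoing `err.Error()` to the client. Login starts before this hunk and continues past it. The rewritten tail below returns on every failure, drops the dead check, and corrects the "failed to register domain" message on the status lookup.
```go
	// … unchanged: domain check response …
	err = s.db.Register(domain)
	if err != nil {
		log.Println("failed to register domain", err)
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}

	// set permissions for this did as owner
	_, did, err := s.db.RegistrationStatus(domain)
	if err != nil {
		log.Println("failed to read registration status", err)
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}

	// add basic acls for this domain
	err = s.enforcer.AddDomain(domain)
	if err != nil {
		log.Println("failed to setup acls for domain", err)
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}

	// add this did as owner of this domain
	err = s.enforcer.AddOwner(domain, did)
	if err != nil {
		log.Println("failed to setup owner of domain", err)
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}
	// … unchanged: rest of Login …
```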