FabInfra-Mirror/api.fabaccess-api
1
0
Fork 0
mirror of https://gitlab.com/fabinfra/fabaccess/fabaccess-api.git synced 2025-03-12 14:51:42 +01:00
Code Issues Packages Projects Releases Wiki Activity

Results from a call with JoKlLa

Browse Source
This commit is contained in:
Gregor Reitzenstein 2020-04-23 14:32:57 +02:00
parent a10b5f1a45
commit 86698c260b
2 changed files with 47 additions and 72 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

117
api.capnp
View File

@ -29,14 +29,10 @@ interface Diflouroborane {
# `initializeAuthentication` on it in one roundtrip, provided one gets granted access to the # `initializeAuthentication` on it in one roundtrip, provided one gets granted access to the
# Authentication subsystem (which in all fairness is a reasonable assumption) # Authentication subsystem (which in all fairness is a reasonable assumption)
authentication @0 () -> ( auth :Authentication ); permissions @0 () -> ( perm :Permissions );
# Then authentication subsystem handles authentication of clients and servers. Multiple
# authentication is possible, see the `Authentication` interface for details.
permissions @1 () -> ( perm :Permissions );
# Permission subsystem to manage permissions and systems underlying the authorization process # Permission subsystem to manage permissions and systems underlying the authorization process
machines @2 () -> ( mach :Machines ); machines @1 () -> ( mach :Machines );
# Diflouroborane stores machine¹ information in an opaque internal database. This interface is # Diflouroborane stores machine¹ information in an opaque internal database. This interface is
# the only stable process of modifying that information # the only stable process of modifying that information
@ -59,79 +55,56 @@ struct UUID {
uuid1 @1 :UInt64; uuid1 @1 :UInt64;
} }
interface Machines { struct Maybe(T) {
interface Manage { union {
setBlocked @0 ( blocked :Bool ) -> (); none @0 :Void;
# Block or Unblock the machine. A blocked machine can not be used. some @1 :T;
forceReturn @1 () -> ();
# Forcefully marking a machine as `returned` — i.e. not used.
} }
}
enum State {
free @0;
inUse @1;
toCheck @2;
blocked @3;
disabled @4;
reserved @5;
}
interface Machine {
struct MInfo {
state @0 :State;
name @1 :Text;
description @2 :Text;
responsible @3 :Text;
# TODO: Make that an user, issue #XXX
}
info @0 () -> ( minfo :MInfo );
# Check the state of a machine.
interface GiveBack { interface GiveBack {
# The only way of getting a `return` interface is by successfully calling `use`. This means ret @0 () -> ();
# only the user that marked a machine as `used` can return it again. (Baring force override)
giveback @0 () -> ();
} }
manage @0 ( uuid :UUID ) -> ( manage :Manage ); use @1 () -> ( ret :Maybe(GiveBack) );
# Try to use a machine. Fails if the user doesn't have enough permissions
use @1 ( uuid :UUID ) -> ( giveback :GiveBack ); interface Check {
# Use a machine, identified by its UUID. If the caller is allowed to and the machine is ok @0 () -> ();
# available to being used a `return` Capability will be returned — the person using a machine is not_ok @1 () -> ();
# after all the only person that can return the machine after use. }
check @2 () -> ( chk :Maybe(Check) );
reserve @3 () -> ( rsrv :Maybe(AnyPointer) );
}
interface Machines {
lookup @0 ( uuid :UUID ) -> ( machine :Maybe(Machine) );
# Get a machine interface. Returns `none` if there is no Machine with the given uuid.
} }
interface Permissions { interface Permissions {
# The permission system of FabAccess is a role-based access control (RBAC).
# This means that a principal is assigned to 0…N roles, and each role has 1…M permissions
# attached. A role can inherit from up to one other role meaning that roles are a set of
# cycle-free hierarchies.
getAllSubjects @0 () -> ( subjects :List(Text) );
getAllObjects @1 () -> ( objects :List(Text) );
getAllAction @2 () -> ( actions :List(Text) );
getAllRoles @3 () -> ( roles :List(Text) );
removePolicy @4 ( p :List(Text) ) -> ();
addPolicy @5 ( p :List(Text) ) -> ();
}
interface Authentication {
# List all SASL mechs the server is willing to use
availableMechanisms @0 () -> ( mechanisms :List(Text) );
# Start authentication using the given mechanism and optional initial data
initializeAuthentication @1 ( mechanism :Text, initialData :MaybeData )
-> (response :StepResult );
getAuthzid @2 () -> ( authzid :Text );
struct StepResult {
union {
challenge @0 :Challenge;
outcome @1 :Outcome;
}
}
struct MaybeData {
union {
some @0 :Data;
none @1 :Void;
}
}
interface Challenge {
# Access the challenge data
read @0 () -> ( data :MaybeData );
respond @1 ( data :MaybeData )
-> ( response :StepResult );
}
interface Outcome {
# Outcomes may contain additional data
read @0 () -> ( data :MaybeData );
# The actual outcome.
value @1 () -> ( granted :Bool );
}
} }

2
connection.capnp
View File

@ -23,6 +23,7 @@
@0x9e1c146a27dcc635; @0x9e1c146a27dcc635;
using Auth = import "auth.capnp"; using Auth = import "auth.capnp";
using Api = import "api.capnp"
struct Message { struct Message {
union { union {
@ -30,6 +31,7 @@ struct Message {
bye @1 :Bye; bye @1 :Bye;
starttls @2 :Void; starttls @2 :Void;
auth @3 :Auth.Message; auth @3 :Auth.Message;
bootstrap @4 :Api.Diflouroborane
} }
} }