mirror of
https://gitlab.com/fabinfra/fabaccess/bffh.git
synced 2025-03-12 16:11:43 +01:00
191 lines
5.9 KiB
Rust
191 lines
5.9 KiB
Rust
use std::collections::HashSet;
|
|
|
|
use std::convert::TryInto;
|
|
|
|
use std::path::{Path, PathBuf};
|
|
use std::fs;
|
|
use std::io::Write;
|
|
use std::sync::Arc;
|
|
|
|
use flexbuffers;
|
|
use serde::{Serialize, Deserialize};
|
|
|
|
use slog::Logger;
|
|
use lmdb::{Environment, Transaction, RwTransaction, Cursor};
|
|
|
|
use crate::config::Settings;
|
|
use crate::error::Result;
|
|
|
|
use crate::db::access::{Permission, Role, RoleIdentifier, RoleDB};
|
|
use crate::db::user::{UserIdentifier, User};
|
|
|
|
#[derive(Clone, Debug)]
|
|
pub struct Internal {
|
|
log: Logger,
|
|
env: Arc<Environment>,
|
|
roledb: lmdb::Database,
|
|
userdb: lmdb::Database,
|
|
}
|
|
|
|
impl Internal {
|
|
pub fn new(log: Logger, env: Arc<Environment>, roledb: lmdb::Database, userdb: lmdb::Database) -> Self {
|
|
Self { log, env, roledb, userdb }
|
|
}
|
|
|
|
/// Check if a given user has the given permission
|
|
#[allow(unused)]
|
|
pub fn _check<T: Transaction, P: AsRef<Permission>>(&self, txn: &T, user: &User, perm: &P)
|
|
-> Result<bool>
|
|
{
|
|
// Tally all roles. Makes dependent roles easier
|
|
let mut roles = HashSet::new();
|
|
for roleID in user.roles.iter() {
|
|
self._tally_role(txn, &mut roles, roleID)?;
|
|
}
|
|
|
|
// Iter all unique role->permissions we've found and early return on match.
|
|
// TODO: Change this for negative permissions?
|
|
for role in roles.iter() {
|
|
for perm_rule in role.permissions.iter() {
|
|
if perm_rule.match_perm(perm) {
|
|
return Ok(true);
|
|
}
|
|
}
|
|
}
|
|
|
|
return Ok(false);
|
|
}
|
|
|
|
fn _tally_role<T: Transaction>(&self, txn: &T, roles: &mut HashSet<Role>, roleID: &RoleIdentifier) -> Result<()> {
|
|
if let Some(role) = self._get_role(txn, roleID)? {
|
|
// Only check and tally parents of a role at the role itself if it's the first time we
|
|
// see it
|
|
if !roles.contains(&role) {
|
|
for parent in role.parents.iter() {
|
|
self._tally_role(txn, roles, parent)?;
|
|
}
|
|
|
|
roles.insert(role);
|
|
}
|
|
}
|
|
|
|
Ok(())
|
|
}
|
|
|
|
pub fn _get_role<'txn, T: Transaction>(&self, txn: &'txn T, roleID: &RoleIdentifier) -> Result<Option<Role>> {
|
|
let string = format!("{}", roleID);
|
|
match txn.get(self.roledb, &string.as_bytes()) {
|
|
Ok(bytes) => {
|
|
Ok(Some(flexbuffers::from_slice(bytes)?))
|
|
},
|
|
Err(lmdb::Error::NotFound) => { Ok(None) },
|
|
Err(e) => { Err(e.into()) }
|
|
}
|
|
}
|
|
|
|
fn put_role(&self, txn: &mut RwTransaction, roleID: &RoleIdentifier, role: Role) -> Result<()> {
|
|
let bytes = flexbuffers::to_vec(role)?;
|
|
let string = format!("{}", roleID);
|
|
txn.put(self.roledb, &string.as_bytes(), &bytes, lmdb::WriteFlags::empty())?;
|
|
|
|
Ok(())
|
|
}
|
|
|
|
pub fn dump_db<T: Transaction>(&mut self, txn: &T, mut path: PathBuf) -> Result<()> {
|
|
path.push("roles");
|
|
let mut k = Ok(());
|
|
if !path.is_dir() {
|
|
k = fs::create_dir(&path);
|
|
}
|
|
if let Err(e) = k {
|
|
error!(self.log, "Failed to create 'roles' directory: {}, skipping!", e);
|
|
return Ok(())
|
|
} else {
|
|
// Rust's stdlib considers the last element the file name even when it's a directory so
|
|
// we have to put a dummy here for .set_filename() to work correctly
|
|
path.push("dummy");
|
|
self.dump_roles(txn, path.clone())?;
|
|
path.pop();
|
|
}
|
|
path.pop();
|
|
|
|
Ok(())
|
|
}
|
|
|
|
fn dump_roles<T: Transaction>(&mut self, txn: &T, mut path: PathBuf) -> Result<()> {
|
|
// TODO implement this for the new format
|
|
unimplemented!()
|
|
}
|
|
|
|
pub fn load_db(&mut self, txn: &mut RwTransaction, mut path: PathBuf) -> Result<()> {
|
|
path.push("roles");
|
|
if !path.is_dir() {
|
|
error!(self.log, "Given load directory is malformed, no 'roles' subdir, not loading roles!");
|
|
} else {
|
|
self.load_roles(txn, path.as_path())?;
|
|
}
|
|
|
|
Ok(())
|
|
}
|
|
|
|
fn load_roles(&mut self, txn: &mut RwTransaction, path: &Path) -> Result<()> {
|
|
if path.is_file() {
|
|
let roles = Role::load_file(path)?;
|
|
|
|
for (k,v) in roles.iter() {
|
|
self.put_role(txn, k, v.clone())?;
|
|
}
|
|
} else {
|
|
for entry in std::fs::read_dir(path)? {
|
|
let roles = Role::load_file(entry?.path())?;
|
|
|
|
for (k,v) in roles.iter() {
|
|
self.put_role(txn, k, v.clone())?;
|
|
}
|
|
}
|
|
}
|
|
|
|
Ok(())
|
|
}
|
|
}
|
|
|
|
impl RoleDB for Internal {
|
|
fn get_type_name(&self) -> &'static str {
|
|
"Internal"
|
|
}
|
|
|
|
fn check(&self, user: &User, perm: &Permission) -> Result<bool> {
|
|
let txn = self.env.begin_ro_txn()?;
|
|
self._check(&txn, user, &perm)
|
|
}
|
|
|
|
fn get_role(&self, roleID: &RoleIdentifier) -> Result<Option<Role>> {
|
|
let txn = self.env.begin_ro_txn()?;
|
|
self._get_role(&txn, roleID)
|
|
}
|
|
|
|
fn tally_role(&self, roles: &mut HashSet<Role>, roleID: &RoleIdentifier) -> Result<()> {
|
|
let txn = self.env.begin_ro_txn()?;
|
|
self._tally_role(&txn, roles, roleID)
|
|
}
|
|
}
|
|
|
|
|
|
|
|
/// Initialize the access db by loading all the lmdb databases
|
|
pub fn init(log: Logger, config: &Settings, env: Arc<lmdb::Environment>)
|
|
-> std::result::Result<Internal, crate::error::Error>
|
|
{
|
|
let mut flags = lmdb::DatabaseFlags::empty();
|
|
flags.set(lmdb::DatabaseFlags::INTEGER_KEY, true);
|
|
let roledb = env.create_db(Some("role"), flags)?;
|
|
debug!(&log, "Opened access database '{}' successfully.", "role");
|
|
//let permdb = env.create_db(Some("perm"), flags)?;
|
|
//debug!(&log, "Opened access database '{}' successfully.", "perm");
|
|
let userdb = env.create_db(Some("user"), flags)?;
|
|
debug!(&log, "Opened access database '{}' successfully.", "user");
|
|
info!(&log, "Opened all access databases");
|
|
|
|
Ok(Internal::new(log, env, roledb, userdb))
|
|
}
|