fabaccess-bffh/src/db/access.rs

363 lines
12 KiB
Rust
Raw Normal View History

2020-02-14 12:20:17 +01:00
//! Access control logic
//!
2020-10-26 12:58:55 +01:00
use std::fmt;
2020-09-10 11:50:19 +02:00
use std::collections::HashSet;
2020-10-28 23:24:02 +01:00
use std::cmp::Ordering;
2020-09-10 11:50:19 +02:00
use std::convert::TryInto;
use std::path::{Path, PathBuf};
use std::fs;
use std::io::Write;
2020-10-23 16:35:10 +02:00
use std::sync::Arc;
2020-09-10 11:50:19 +02:00
use flexbuffers;
use serde::{Serialize, Deserialize};
2020-02-17 15:07:55 +01:00
use slog::Logger;
2020-10-23 16:35:10 +02:00
use lmdb::{Environment, Transaction, RwTransaction, Cursor};
2020-02-17 15:07:55 +01:00
2020-09-15 14:31:10 +02:00
use crate::config::Settings;
2020-09-10 11:50:19 +02:00
use crate::error::Result;
2020-02-18 16:55:19 +01:00
2020-10-26 12:58:55 +01:00
mod adapter_lmdb;
2020-10-28 23:24:02 +01:00
use crate::db::user::User;
2020-10-26 12:58:55 +01:00
use adapter_lmdb::PermissionsDB;
pub use adapter_lmdb::init;
2020-10-28 19:22:11 +01:00
pub trait RoleDB {
2020-10-28 23:24:02 +01:00
fn get_role(&self, roleID: &RoleIdentifier) -> Result<Option<Role>>;
2020-10-28 19:22:11 +01:00
/// Check if a given user has the given permission
///
/// Default implementation which adapter may overwrite with more efficient specialized
/// implementations.
2020-10-28 23:24:02 +01:00
fn check(&self, user: &User, permID: &PermIdentifier) -> Result<bool> {
self.check_roles(&user.roles, permID)
2020-10-28 19:22:11 +01:00
}
/// Check if a given permission is granted by any of the given roles or their respective
/// parents
///
/// Default implementation which adapter may overwrite with more efficient specialized
/// implementations.
2020-10-28 23:24:02 +01:00
fn check_roles(&self, roles: &[RoleIdentifier], permID: &PermIdentifier) -> Result<bool> {
2020-10-28 19:22:11 +01:00
// Tally all roles. Makes dependent roles easier
2020-10-28 23:24:02 +01:00
let mut roleset = HashSet::new();
2020-10-28 19:22:11 +01:00
for roleID in roles {
2020-10-28 23:24:02 +01:00
self.tally_role(&mut roleset, roleID)?;
2020-10-28 19:22:11 +01:00
}
// Iter all unique role->permissions we've found and early return on match.
2020-10-28 23:24:02 +01:00
for role in roleset.iter() {
2020-10-28 19:22:11 +01:00
for perm in role.permissions.iter() {
2020-10-28 23:24:02 +01:00
if permID == perm {
2020-10-28 19:22:11 +01:00
return Ok(true);
}
}
}
return Ok(false);
}
/// Tally a role dependency tree into a set
///
/// Default implementation which adapter may overwrite with more efficient implementations
2020-10-28 23:24:02 +01:00
fn tally_role(&self, roles: &mut HashSet<Role>, roleID: &RoleIdentifier) -> Result<()> {
if let Some(role) = self.get_role(roleID)? {
2020-10-28 19:22:11 +01:00
// Only check and tally parents of a role at the role itself if it's the first time we
// see it
if !roles.contains(&role) {
for parent in role.parents.iter() {
2020-10-28 23:24:02 +01:00
self.tally_role(roles, parent)?;
2020-10-28 19:22:11 +01:00
}
roles.insert(role);
}
}
Ok(())
}
2020-10-23 16:35:10 +02:00
}
/// A "Role" from the Authorization perspective
///
/// You can think of a role as a bundle of permissions relating to other roles. In most cases a
/// role represents a real-world education or apprenticeship, which gives a person the education
/// necessary to use a machine safely.
/// Roles are assigned permissions which in most cases evaluate to granting a person the right to
/// use certain (potentially) dangerous machines.
/// Using this indirection makes administration easier in certain ways; instead of maintaining
/// permissions on users directly the user is given a role after having been educated on the safety
/// of a machine; if later on a similar enough machine is put to use the administrator can just add
/// the permission for that machine to an already existing role instead of manually having to
/// assign to all users.
#[derive(Debug, Clone, PartialEq, Eq, Hash, Serialize, Deserialize)]
2020-10-26 12:58:55 +01:00
pub struct Role {
2020-10-23 16:35:10 +02:00
name: String,
/// A Role can have parents, inheriting all permissions
///
/// This makes situations where different levels of access are required easier: Each higher
/// level of access sets the lower levels of access as parent, inheriting their permission; if
/// you are allowed to manage a machine you are then also allowed to use it and so on
parents: Vec<RoleIdentifier>,
permissions: Vec<PermIdentifier>,
}
2020-10-26 12:58:55 +01:00
type SourceID = String;
2020-10-28 23:24:02 +01:00
fn split_once(s: &str, split: char) -> Option<(&str, &str)> {
s
.find(split)
.map(|idx| s.split_at(idx))
}
#[derive(Debug, Clone, PartialEq, Eq, Hash, Serialize, Deserialize)]
2020-10-26 12:58:55 +01:00
/// Universal (relative) id of a role
2020-10-28 23:24:02 +01:00
pub enum RoleIdentifier {
2020-10-26 12:58:55 +01:00
/// The role comes from this instance
Local {
/// Locally unique name for the role. No other role at this instance no matter the source
/// may have the same name
name: String,
/// Role Source, i.e. the database the role comes from
source: SourceID,
},
/// The role comes from a federated instance
Remote {
/// Name of the role. This role is unique in that instance so the tuple (name, location)
/// refers to a unique role
name: String,
/// The federated instance this role comes from
location: String,
2020-09-10 11:50:19 +02:00
}
2020-10-26 12:58:55 +01:00
}
2020-10-28 23:24:02 +01:00
impl std::str::FromStr for RoleIdentifier {
type Err = RoleFromStrError;
fn from_str(s: &str) -> std::result::Result<Self, Self::Err> {
if let Some((name, location)) = split_once(s, '@') {
Ok(RoleIdentifier::Remote { name: name.to_string(), location: location.to_string() })
} else if let Some((name, source)) = split_once(s, '%') {
Ok(RoleIdentifier::Local { name: name.to_string(), source: source.to_string() })
} else {
Err(RoleFromStrError::Invalid)
}
}
}
impl fmt::Display for RoleIdentifier {
2020-10-26 12:58:55 +01:00
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
2020-10-28 23:24:02 +01:00
match self {
2020-10-28 19:22:11 +01:00
RoleIdentifier::Local {name, source} => write!(f, "{}/{}@local", name, source),
RoleIdentifier::Remote {name, location} => write!(f, "{}@{}", name, location),
2020-09-10 12:32:33 +02:00
}
}
2020-09-10 10:39:46 +02:00
}
2020-10-28 19:22:11 +01:00
2020-10-28 23:24:02 +01:00
#[derive(Debug, Copy, Clone, PartialEq, Eq, PartialOrd, Ord)]
pub enum RoleFromStrError {
/// No '@' or '%' found. That's strange, huh?
Invalid
}
#[derive(Debug, Clone, PartialEq, Eq, Hash, Serialize, Deserialize)]
2020-10-28 19:22:11 +01:00
/// An identifier for a permission
// XXX: Does remote permissions ever make sense?
// I mean we kinda get them for free so maybe?
pub enum PermIdentifier {
Local(PermRule),
Remote(PermRule, String),
}
impl fmt::Display for PermIdentifier {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
2020-10-28 23:24:02 +01:00
match self {
2020-10-28 19:22:11 +01:00
PermIdentifier::Local(perm)
=> write!(f, "{}", perm),
PermIdentifier::Remote(perm, source)
=> write!(f, "{}@{}", perm, source),
}
}
}
2020-10-28 23:24:02 +01:00
fn is_sep_char(c: char) -> bool {
c == '.'
}
#[derive(Debug, Clone, PartialEq, Eq, Hash, Serialize, Deserialize)]
2020-10-28 19:22:11 +01:00
#[repr(transparent)]
/// An owned permission string
///
/// This is under the hood just a fancy std::String.
// TODO: What is the possible fallout from homograph attacks?
// i.e. "bffh.perm" is not the same as "bffհ.реrm" (Armenian 'հ':Հ and Cyrillic 'е':Е)
// See also https://util.unicode.org/UnicodeJsps/confusables.jsp
pub struct PermissionBuf {
inner: String,
}
impl PermissionBuf {
/// Allocate an empty `PermissionBuf`
pub fn new() -> Self {
PermissionBuf { inner: String::new() }
}
/// Allocate a `PermissionBuf` with the given capacity given to the internal [`String`]
2020-10-28 23:24:02 +01:00
pub fn with_capacity(cap: usize) -> Self {
PermissionBuf { inner: String::with_capacity(cap) }
2020-10-28 19:22:11 +01:00
}
#[inline(always)]
pub fn as_permission(&self) -> &Permission {
2020-10-28 23:24:02 +01:00
self.as_ref()
2020-10-28 19:22:11 +01:00
}
pub fn push<P: AsRef<Permission>>(&mut self, perm: P) {
self._push(perm.as_ref())
}
pub fn _push(&mut self, perm: &Permission) {
// in general we always need a separator unless the last byte is one or the string is empty
let need_sep = self.inner.chars().rev().next().map(|c| !is_sep_char(c)).unwrap_or(false);
if need_sep {
self.inner.push('.')
}
2020-10-28 23:24:02 +01:00
self.inner.push_str(perm.as_str())
2020-10-28 19:22:11 +01:00
}
pub fn from_string(inner: String) -> Self {
Self { inner }
}
}
2020-10-28 23:24:02 +01:00
impl AsRef<str> for PermissionBuf {
2020-10-28 19:22:11 +01:00
#[inline(always)]
2020-10-28 23:24:02 +01:00
fn as_ref(&self) -> &str {
&self.inner[..]
}
}
impl AsRef<Permission> for PermissionBuf {
#[inline]
2020-10-28 19:22:11 +01:00
fn as_ref(&self) -> &Permission {
2020-10-28 23:24:02 +01:00
Permission::new(self)
}
}
impl PartialOrd for PermissionBuf {
fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
let a: &Permission = self.as_ref();
a.partial_cmp(other.as_ref())
}
}
impl fmt::Display for PermissionBuf {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
self.inner.fmt(f)
2020-10-28 19:22:11 +01:00
}
}
#[repr(transparent)]
2020-10-28 23:24:02 +01:00
#[derive(PartialEq, Eq, Hash)]
2020-10-28 19:22:11 +01:00
/// A borrowed permission string
///
/// Permissions have total equality and partial ordering.
/// Specifically permissions on the same path in a tree can be compared for specificity.
/// This means that ```(bffh.perm) > (bffh.perm.sub) == true```
/// but ```(bffh.perm) > (unrelated.but.specific.perm) == false```
pub struct Permission {
inner: str
}
impl Permission {
2020-10-28 23:24:02 +01:00
pub fn new<S: AsRef<str> + ?Sized>(s: &S) -> &Permission {
unsafe { &*(s.as_ref() as *const str as *const Permission) }
}
2020-10-28 19:22:11 +01:00
pub fn as_str(&self) -> &str {
2020-10-28 23:24:02 +01:00
&self.inner
2020-10-28 19:22:11 +01:00
}
2020-10-28 23:24:02 +01:00
pub fn iter(&self) -> std::str::Split<char> {
2020-10-28 19:22:11 +01:00
self.inner.split('.')
}
}
impl PartialOrd for Permission {
fn partial_cmp(&self, other: &Permission) -> Option<Ordering> {
2020-10-28 23:24:02 +01:00
let mut i = self.iter();
let mut j = other.iter();
let (mut l, mut r) = (None, None);
2020-10-28 19:22:11 +01:00
while {
2020-10-28 23:24:02 +01:00
l = i.next();
r = j.next();
2020-10-28 19:22:11 +01:00
l.is_some() && r.is_some()
} {
if l.unwrap() != r.unwrap() {
return None;
}
}
match (l,r) {
(None, None) => Some(Ordering::Equal),
2020-10-28 23:24:02 +01:00
(Some(_), None) => Some(Ordering::Less),
2020-10-28 19:22:11 +01:00
(None, Some(_)) => Some(Ordering::Greater),
(Some(_), Some(_)) => panic!("Broken contract in Permission::partial_cmp: sides should never be both Some!"),
}
}
}
2020-10-28 23:24:02 +01:00
#[derive(Clone, Debug, PartialEq, Eq, Hash, Serialize, Deserialize)]
2020-10-28 19:22:11 +01:00
pub enum PermRule {
/// The permission is precise,
///
/// i.e. `Base("bffh.perm")` grants bffh.perm but does not grant permission for bffh.perm.sub
Base(PermissionBuf),
/// The permissions is for the children of the node
///
/// i.e. `Children("bffh.perm")` grants bffh.perm.sub, bffh.perm.sub.two *BUT NOT* bffh.perm
/// itself.
Children(PermissionBuf),
/// The permissions is for the subtree marked by the node
///
/// i.e. `Children("bffh.perm")` grants bffh.perm.sub, bffh.perm.sub.two and also bffh.perm
/// itself.
Subtree(PermissionBuf),
// This lacks what LDAP calls ONELEVEL: The ability to grant the exact children but not several
// levels deep, i.e. Onelevel("bffh.perm") grants bffh.perm.sub *BUT NOT* bffh.perm.sub.two or
// bffh.perm itself.
// I can't think of a reason to use that so I'm skipping it for now.
}
impl PermRule {
// Does this rule match that permission
fn match_perm<P: AsRef<Permission>>(rule: &PermRule, perm: P) -> bool {
match rule {
2020-10-28 23:24:02 +01:00
PermRule::Base(base) => base.as_permission() == perm.as_ref(),
PermRule::Children(parent) => parent.as_permission() > perm.as_ref() ,
PermRule::Subtree(parent) => parent.as_permission() >= perm.as_ref(),
2020-10-28 19:22:11 +01:00
}
}
}
impl fmt::Display for PermRule {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
2020-10-28 23:24:02 +01:00
match self {
2020-10-28 19:22:11 +01:00
PermRule::Base(perm)
=> write!(f, "{}", perm),
PermRule::Children(parent)
=> write!(f,"{}.+", parent),
PermRule::Subtree(parent)
=> write!(f,"{}.*", parent),
}
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn permission_ord_test() {
assert!(PermissionBuf::from_string("bffh.perm") > PermissionBuf::from_string("bffh.perm.sub"));
}
}