//! Access control logic
//!
use slog::Logger;
use casbin::prelude::*;
use super::config::Config;
use futures_signals::signal::Mutable;
use crate::api::api;
use crate::auth::Authentication;
use crate::error::Result;
#[derive(Clone)]
/// Authorization facade: answers "may the current subject do `action` on
/// `object`?" by consulting a shared casbin policy database.
///
/// Cloning is cheap in intent: `pdb` is a `Mutable` handle, so clones share
/// the same underlying `Enforcer` rather than copying the policy.
pub struct Permissions {
    // Logger used for the per-check trace entry and the denial info entries
    // written by `enforce`.
    log: Logger,
    // Policy database. `enforce` takes a shared borrow via `lock_ref()`, so the
    // enforcer is only read here; updates come from whoever owns the other
    // `Mutable` handles.
    pdb: Mutable<Enforcer>,
    // Source of the acting subject (`get_authzid()`); `None` means anonymous
    // and is always denied.
    auth: Authentication,
}
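impl Permissions {
    /// Builds a permission checker over a shared casbin [`Enforcer`].
    ///
    /// `log` receives a trace entry per check and an info entry per denial,
    /// `pdb` is the policy database consulted by [`Permissions::enforce`], and
    /// `auth` supplies the acting subject through `get_authzid()`.
    pub fn new(log: Logger, pdb: Mutable<Enforcer>, auth: Authentication) -> Self {
        Self { log, pdb, auth }
    }

    /// Decides whether the currently authenticated subject may perform
    /// `action` on `object`.
    ///
    /// Returns `false` (deny) when no subject is authenticated, when the
    /// policy denies the request, or when the enforcer fails to evaluate the
    /// request at all. The last case previously went through `unwrap()` and
    /// would have panicked on a policy-evaluation error; an authorization
    /// decision must fail closed instead of taking the process down, so the
    /// error is logged and treated as a denial.
    pub fn enforce(&self, object: &str, action: &str) -> bool {
        let actor = match self.auth.get_authzid() {
            Some(actor) => actor,
            None => {
                info!(self.log, "Attempted anonymous access: {} on {}", action, object);
                return false;
            }
        };

        trace!(self.log, "Checking permission {} for {} on {}", action, actor, object);

        // The `lock_ref()` guard is a statement-scoped temporary, so the shared
        // borrow of the enforcer is released before any logging below.
        let decision = self.pdb.lock_ref().enforce(vec![&actor, object, action]);

        match decision {
            Ok(true) => true,
            Ok(false) => {
                info!(self.log, "Failed permission {} for {} on {}", action, actor, object);
                false
            }
            Err(e) => {
                // Fail closed: an evaluation error never grants access.
                error!(
                    self.log,
                    "Permission check {} for {} on {} could not be evaluated: {}",
                    action, actor, object, e
                );
                false
            }
        }
    }
}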
// Exposes `Permissions` as the `api::permissions::Server` trait. The impl body
// is empty, so every trait method resolves to the trait's own default, if it
// declares one — TODO(review): confirm `api::permissions::Server` provides
// defaults, otherwise this will not compile once the trait gains required
// methods.
impl api::permissions::Server for Permissions {
}
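/// Loads the access-control model and policy named in `config.access` and
/// builds the casbin [`Enforcer`] that [`Permissions`] consults.
///
/// `config.access.model` is parsed with [`Model::from_file`] and
/// `config.access.policy` is served through a [`FileAdapter`]; the paths are
/// cloned out of `config` because both constructors take them by value.
///
/// # Errors
///
/// Propagates any error from reading or parsing the model file and any error
/// from constructing the enforcer, boxed as `Box<dyn std::error::Error>`.
pub async fn init(config: &Config) -> std::result::Result<Enforcer, Box<dyn std::error::Error>> {
    let model = Model::from_file(config.access.model.clone()).await?;
    let adapter = Box::new(FileAdapter::new(config.access.policy.clone()));
    Ok(Enforcer::new(model, adapter).await?)
}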