mirror of
https://gitlab.com/fabinfra/fabaccess/bffh.git
synced 2024-11-29 17:44:55 +01:00
Make compile (well.. not really)
This commit is contained in:
parent
b203edf206
commit
5c5a59a75c
15
src/api.rs
15
src/api.rs
@ -9,6 +9,8 @@ use crate::connection::Session;
|
|||||||
|
|
||||||
use crate::db::Databases;
|
use crate::db::Databases;
|
||||||
|
|
||||||
|
use crate::builtin;
|
||||||
|
|
||||||
pub mod auth;
|
pub mod auth;
|
||||||
mod machine;
|
mod machine;
|
||||||
mod machines;
|
mod machines;
|
||||||
@ -36,11 +38,18 @@ impl connection_capnp::bootstrap::Server for Bootstrap {
|
|||||||
// Forbid mutltiple authentication for now
|
// Forbid mutltiple authentication for now
|
||||||
// TODO: When should we allow multiple auth and how do me make sure that does not leak
|
// TODO: When should we allow multiple auth and how do me make sure that does not leak
|
||||||
// priviledges (e.g. due to previously issues caps)?
|
// priviledges (e.g. due to previously issues caps)?
|
||||||
if self.session.user.is_none() {
|
let session = self.session.clone();
|
||||||
res.get().set_auth(capnp_rpc::new_client(auth::Auth::new(self.session.clone())))
|
let check_perm_future = session.check_permission(&builtin::AUTH_PERM);
|
||||||
|
let f = async {
|
||||||
|
let r = check_perm_future.await.unwrap();
|
||||||
|
if r {
|
||||||
|
res.get().set_auth(capnp_rpc::new_client(auth::Auth::new(session.clone())))
|
||||||
}
|
}
|
||||||
|
|
||||||
Promise::ok(())
|
Ok(())
|
||||||
|
};
|
||||||
|
|
||||||
|
Promise::from_future(f)
|
||||||
}
|
}
|
||||||
|
|
||||||
fn permissions(&mut self,
|
fn permissions(&mut self,
|
||||||
|
@ -14,6 +14,7 @@ use crate::schema::connection_capnp;
|
|||||||
|
|
||||||
use crate::db::Databases;
|
use crate::db::Databases;
|
||||||
use crate::db::access::{AccessControl, Permission};
|
use crate::db::access::{AccessControl, Permission};
|
||||||
|
use crate::db::user::AuthzContext;
|
||||||
use crate::builtin;
|
use crate::builtin;
|
||||||
|
|
||||||
#[derive(Debug, Clone)]
|
#[derive(Debug, Clone)]
|
||||||
@ -22,20 +23,20 @@ use crate::builtin;
|
|||||||
pub struct Session {
|
pub struct Session {
|
||||||
// Session-spezific log
|
// Session-spezific log
|
||||||
pub log: Logger,
|
pub log: Logger,
|
||||||
authz_data: Option<AuthorizationContext>,
|
authz_data: Option<AuthzContext>,
|
||||||
accessdb: Arc<AccessControl>,
|
accessdb: Arc<AccessControl>,
|
||||||
}
|
}
|
||||||
|
|
||||||
impl Session {
|
impl Session {
|
||||||
pub fn new(log: Logger, accessdb: Arc<AccessControl>) -> Self {
|
pub fn new(log: Logger, accessdb: Arc<AccessControl>) -> Self {
|
||||||
let user = None;
|
let authz_data = None;
|
||||||
|
|
||||||
Session { log, user, accessdb }
|
Session { log, authz_data, accessdb }
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Check if the current session has a certain permission
|
/// Check if the current session has a certain permission
|
||||||
pub async fn check_permission<P: AsRef<Permission>>(&self, perm: &P) -> Result<bool> {
|
pub async fn check_permission<P: AsRef<Permission>>(&self, perm: &P) -> Result<bool> {
|
||||||
if let Some(user) = self.user.as_ref() {
|
if let Some(user) = self.authz_data.as_ref() {
|
||||||
self.accessdb.check(user, perm).await
|
self.accessdb.check(user, perm).await
|
||||||
} else {
|
} else {
|
||||||
self.accessdb.check_roles(builtin::DEFAULT_ROLEIDS, perm).await
|
self.accessdb.check_roles(builtin::DEFAULT_ROLEIDS, perm).await
|
||||||
|
@ -29,7 +29,7 @@ use crate::error::Result;
|
|||||||
|
|
||||||
pub mod internal;
|
pub mod internal;
|
||||||
|
|
||||||
use crate::db::user::User;
|
use crate::db::user::AuthzContext;
|
||||||
pub use internal::init;
|
pub use internal::init;
|
||||||
|
|
||||||
pub struct AccessControl {
|
pub struct AccessControl {
|
||||||
@ -49,7 +49,7 @@ impl AccessControl {
|
|||||||
self.sources.insert(name, source);
|
self.sources.insert(name, source);
|
||||||
}
|
}
|
||||||
|
|
||||||
pub async fn check<P: AsRef<Permission>>(&self, user: &User, perm: &P) -> Result<bool> {
|
pub async fn check<P: AsRef<Permission>>(&self, user: &AuthzContext, perm: &P) -> Result<bool> {
|
||||||
for v in self.sources.values() {
|
for v in self.sources.values() {
|
||||||
if v.check(user, perm.as_ref())? {
|
if v.check(user, perm.as_ref())? {
|
||||||
return Ok(true);
|
return Ok(true);
|
||||||
@ -91,7 +91,7 @@ pub trait RoleDB {
|
|||||||
///
|
///
|
||||||
/// Default implementation which adapter may overwrite with more efficient specialized
|
/// Default implementation which adapter may overwrite with more efficient specialized
|
||||||
/// implementations.
|
/// implementations.
|
||||||
fn check(&self, user: &User, perm: &Permission) -> Result<bool> {
|
fn check(&self, user: &AuthzContext, perm: &Permission) -> Result<bool> {
|
||||||
self.check_roles(&user.roles, perm)
|
self.check_roles(&user.roles, perm)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -17,7 +17,7 @@ use crate::config::Settings;
|
|||||||
use crate::error::Result;
|
use crate::error::Result;
|
||||||
|
|
||||||
use crate::db::access::{Permission, Role, RoleIdentifier, RoleDB};
|
use crate::db::access::{Permission, Role, RoleIdentifier, RoleDB};
|
||||||
use crate::db::user::{UserIdentifier, User};
|
use crate::db::user::AuthzContext;
|
||||||
|
|
||||||
#[derive(Clone, Debug)]
|
#[derive(Clone, Debug)]
|
||||||
pub struct Internal {
|
pub struct Internal {
|
||||||
@ -34,7 +34,7 @@ impl Internal {
|
|||||||
|
|
||||||
/// Check if a given user has the given permission
|
/// Check if a given user has the given permission
|
||||||
#[allow(unused)]
|
#[allow(unused)]
|
||||||
pub fn _check<T: Transaction, P: AsRef<Permission>>(&self, txn: &T, user: &User, perm: &P)
|
pub fn _check<T: Transaction, P: AsRef<Permission>>(&self, txn: &T, user: &AuthzContext, perm: &P)
|
||||||
-> Result<bool>
|
-> Result<bool>
|
||||||
{
|
{
|
||||||
// Tally all roles. Makes dependent roles easier
|
// Tally all roles. Makes dependent roles easier
|
||||||
@ -154,7 +154,7 @@ impl RoleDB for Internal {
|
|||||||
"Internal"
|
"Internal"
|
||||||
}
|
}
|
||||||
|
|
||||||
fn check(&self, user: &User, perm: &Permission) -> Result<bool> {
|
fn check(&self, user: &AuthzContext, perm: &Permission) -> Result<bool> {
|
||||||
let txn = self.env.begin_ro_txn()?;
|
let txn = self.env.begin_ro_txn()?;
|
||||||
self._check(&txn, user, &perm)
|
self._check(&txn, user, &perm)
|
||||||
}
|
}
|
||||||
|
@ -16,8 +16,6 @@ use crate::error::Result;
|
|||||||
use crate::config::Settings;
|
use crate::config::Settings;
|
||||||
use crate::db::access;
|
use crate::db::access;
|
||||||
|
|
||||||
use crate::db::user::UserIdentifier;
|
|
||||||
|
|
||||||
use capnp::Error;
|
use capnp::Error;
|
||||||
|
|
||||||
use uuid::Uuid;
|
use uuid::Uuid;
|
||||||
@ -30,7 +28,6 @@ use futures::{Future, Stream, StreamExt};
|
|||||||
use futures_signals::signal::*;
|
use futures_signals::signal::*;
|
||||||
|
|
||||||
use crate::registries::StatusSignal;
|
use crate::registries::StatusSignal;
|
||||||
use crate::db::user::User;
|
|
||||||
|
|
||||||
use crate::machine::MachineDescription;
|
use crate::machine::MachineDescription;
|
||||||
|
|
||||||
|
@ -3,11 +3,32 @@ use std::fmt;
|
|||||||
use crate::db::access::RoleIdentifier;
|
use crate::db::access::RoleIdentifier;
|
||||||
use std::collections::HashMap;
|
use std::collections::HashMap;
|
||||||
|
|
||||||
|
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord, Serialize, Deserialize)]
|
||||||
|
/// Authorization Identity
|
||||||
|
///
|
||||||
|
/// This identity is internal to FabAccess and completely independent from the authentication
|
||||||
|
/// method or source
|
||||||
|
struct AuthZId {
|
||||||
|
/// Main User ID. Generally an user name or similar
|
||||||
|
uid: String,
|
||||||
|
/// Sub user ID.
|
||||||
|
///
|
||||||
|
/// Can change scopes for permissions, e.g. having a +admin account with more permissions than
|
||||||
|
/// the default account and +dashboard et.al. accounts that have restricted permissions for
|
||||||
|
/// their applications
|
||||||
|
subuid: String,
|
||||||
|
/// Realm this account originates.
|
||||||
|
///
|
||||||
|
/// The Realm is usually described by a domain name but local policy may dictate an unrelated
|
||||||
|
/// mapping
|
||||||
|
realm: String,
|
||||||
|
}
|
||||||
|
|
||||||
/// A Person, from the Authorization perspective
|
/// A Person, from the Authorization perspective
|
||||||
#[derive(PartialEq, Eq, Debug, Clone, Serialize, Deserialize)]
|
#[derive(PartialEq, Eq, Debug, Clone, Serialize, Deserialize)]
|
||||||
pub struct AuthzContext {
|
pub struct AuthzContext {
|
||||||
/// The identification of this user.
|
/// The identification of this user.
|
||||||
pub id: UserIdentifier,
|
pub id: AuthZId,
|
||||||
|
|
||||||
/// A Person has N ≥ 0 roles.
|
/// A Person has N ≥ 0 roles.
|
||||||
/// Persons are only ever given roles, not permissions directly
|
/// Persons are only ever given roles, not permissions directly
|
||||||
@ -18,20 +39,23 @@ pub struct AuthzContext {
|
|||||||
kv: HashMap<Box<[u8]>, Box<[u8]>>,
|
kv: HashMap<Box<[u8]>, Box<[u8]>>,
|
||||||
}
|
}
|
||||||
|
|
||||||
impl fmt::Display for UserIdentifier {
|
#[cfg(test)]
|
||||||
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
|
mod tests {
|
||||||
let r = write!(f, "{}", self.uid)?;
|
use super::*;
|
||||||
if let Some(ref s) = self.subuid {
|
|
||||||
write!(f, "+{}", s)?;
|
|
||||||
}
|
|
||||||
if let Some(ref l) = self.location {
|
|
||||||
write!(f, "@{}", l)?;
|
|
||||||
}
|
|
||||||
Ok(r)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/// User Database Trait
|
#[test]
|
||||||
pub trait UserDB {
|
fn format_uid_test() {
|
||||||
fn get_user(&self, uid: UserIdentifier) -> Option<User>;
|
let uid = "testuser".to_string();
|
||||||
|
let suid = "testsuid".to_string();
|
||||||
|
let location = "testloc".to_string();
|
||||||
|
|
||||||
|
assert_eq!("testuser",
|
||||||
|
format!("{}", UserIdentifier::new(uid.clone(), None, None)));
|
||||||
|
assert_eq!("testuser+testsuid",
|
||||||
|
format!("{}", UserIdentifier::new(uid.clone(), Some(suid.clone()), None)));
|
||||||
|
assert_eq!("testuser+testsuid",
|
||||||
|
format!("{}", UserIdentifier::new(uid.clone(), Some(suid.clone()), None)));
|
||||||
|
assert_eq!("testuser+testsuid@testloc",
|
||||||
|
format!("{}", UserIdentifier::new(uid, Some(suid), Some(location))));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
@ -12,7 +12,6 @@ use uuid::Uuid;
|
|||||||
|
|
||||||
use crate::error::Result;
|
use crate::error::Result;
|
||||||
|
|
||||||
use crate::db::user::User;
|
|
||||||
use crate::db::access;
|
use crate::db::access;
|
||||||
use crate::db::machine::{MachineIdentifier, Status, MachineState};
|
use crate::db::machine::{MachineIdentifier, Status, MachineState};
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user