Make compile (well.. not really)

Gregor Reitzenstein 2020-11-24 14:41:19 +01:00
parent b203edf206
commit 5c5a59a75c
7 changed files with 64 additions and 34 deletions


@ -9,6 +9,8 @@ use crate::connection::Session;
use crate::db::Databases; use crate::db::Databases;
use crate::builtin;
pub mod auth; pub mod auth;
mod machine; mod machine;
mod machines; mod machines;
@ -36,11 +38,18 @@ impl connection_capnp::bootstrap::Server for Bootstrap {
// Forbid mutltiple authentication for now // Forbid mutltiple authentication for now
// TODO: When should we allow multiple auth and how do me make sure that does not leak // TODO: When should we allow multiple auth and how do me make sure that does not leak
// priviledges (e.g. due to previously issues caps)? // priviledges (e.g. due to previously issues caps)?
if self.session.user.is_none() { let session = self.session.clone();
res.get().set_auth(capnp_rpc::new_client(auth::Auth::new(self.session.clone()))) let check_perm_future = session.check_permission(&builtin::AUTH_PERM);
} let f = async {
let r = check_perm_future.await.unwrap();
if r {
res.get().set_auth(capnp_rpc::new_client(auth::Auth::new(session.clone())))
}
Promise::ok(()) Ok(())
};
Promise::from_future(f)
} }
fn permissions(&mut self, fn permissions(&mut self,
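Review bot: `check_perm_future.await.unwrap()` at the top of the new async block turns any error from the permission lookup into a panic inside the RPC handler; the block already ends in `Ok(())`, so the error should be propagated instead, e.g. `let r = check_perm_future.await.map_err(|e| capnp::Error::failed(e.to_string()))?;` (assuming the crate's error type implements `Display`). The comment kept above the new lines still says multiple authentication is forbidden, but the `self.session.user.is_none()` gate that enforced it was removed in favour of a permission check, so an already-authenticated session that holds `AUTH_PERM` can obtain another `Auth` capability; either keep a session-state check next to the permission check or update the comment to describe the new rule. The block also borrows the local `session` (`async {` rather than `async move {`), which is likely to be rejected once the future is handed to `Promise::from_future` since the local does not outlive the method. The enclosing method's signature lies above the hunk.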


@ -14,6 +14,7 @@ use crate::schema::connection_capnp;
use crate::db::Databases; use crate::db::Databases;
use crate::db::access::{AccessControl, Permission}; use crate::db::access::{AccessControl, Permission};
use crate::db::user::AuthzContext;
use crate::builtin; use crate::builtin;
#[derive(Debug, Clone)] #[derive(Debug, Clone)]
@ -22,20 +23,20 @@ use crate::builtin;
pub struct Session { pub struct Session {
// Session-spezific log // Session-spezific log
pub log: Logger, pub log: Logger,
authz_data: Option<AuthorizationContext>, authz_data: Option<AuthzContext>,
accessdb: Arc<AccessControl>, accessdb: Arc<AccessControl>,
} }
impl Session { impl Session {
pub fn new(log: Logger, accessdb: Arc<AccessControl>) -> Self { pub fn new(log: Logger, accessdb: Arc<AccessControl>) -> Self {
let user = None; let authz_data = None;
Session { log, user, accessdb } Session { log, authz_data, accessdb }
} }
/// Check if the current session has a certain permission /// Check if the current session has a certain permission
pub async fn check_permission<P: AsRef<Permission>>(&self, perm: &P) -> Result<bool> { pub async fn check_permission<P: AsRef<Permission>>(&self, perm: &P) -> Result<bool> {
if let Some(user) = self.user.as_ref() { if let Some(user) = self.authz_data.as_ref() {
self.accessdb.check(user, perm).await self.accessdb.check(user, perm).await
} else { } else {
self.accessdb.check_roles(builtin::DEFAULT_ROLEIDS, perm).await self.accessdb.check_roles(builtin::DEFAULT_ROLEIDS, perm).await
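Review bot: The doc comment on `check_permission` should state the fallback the body implements: a session whose `authz_data` is `None` is not denied but evaluated against `builtin::DEFAULT_ROLEIDS`, so any permission granted to those default roles is reachable without authenticating. Suggest `/// Check if the current session has a certain permission; a session without authorization data (not yet authenticated) is evaluated against builtin::DEFAULT_ROLEIDS rather than denied.` Nothing in the hunk assigns `authz_data` after `new` initialises it to `None`; presumably the `Auth` capability fills it in elsewhere, which is worth confirming since the field is private. The body of `check_permission` continues below the hunk.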


@ -29,7 +29,7 @@ use crate::error::Result;
pub mod internal; pub mod internal;
use crate::db::user::User; use crate::db::user::AuthzContext;
pub use internal::init; pub use internal::init;
pub struct AccessControl { pub struct AccessControl {
@ -49,7 +49,7 @@ impl AccessControl {
self.sources.insert(name, source); self.sources.insert(name, source);
} }
pub async fn check<P: AsRef<Permission>>(&self, user: &User, perm: &P) -> Result<bool> { pub async fn check<P: AsRef<Permission>>(&self, user: &AuthzContext, perm: &P) -> Result<bool> {
for v in self.sources.values() { for v in self.sources.values() {
if v.check(user, perm.as_ref())? { if v.check(user, perm.as_ref())? {
return Ok(true); return Ok(true);
@ -91,7 +91,7 @@ pub trait RoleDB {
/// ///
/// Default implementation which adapter may overwrite with more efficient specialized /// Default implementation which adapter may overwrite with more efficient specialized
/// implementations. /// implementations.
fn check(&self, user: &User, perm: &Permission) -> Result<bool> { fn check(&self, user: &AuthzContext, perm: &Permission) -> Result<bool> {
self.check_roles(&user.roles, perm) self.check_roles(&user.roles, perm)
} }


@ -17,7 +17,7 @@ use crate::config::Settings;
use crate::error::Result; use crate::error::Result;
use crate::db::access::{Permission, Role, RoleIdentifier, RoleDB}; use crate::db::access::{Permission, Role, RoleIdentifier, RoleDB};
use crate::db::user::{UserIdentifier, User}; use crate::db::user::AuthzContext;
#[derive(Clone, Debug)] #[derive(Clone, Debug)]
pub struct Internal { pub struct Internal {
@ -34,7 +34,7 @@ impl Internal {
/// Check if a given user has the given permission /// Check if a given user has the given permission
#[allow(unused)] #[allow(unused)]
pub fn _check<T: Transaction, P: AsRef<Permission>>(&self, txn: &T, user: &User, perm: &P) pub fn _check<T: Transaction, P: AsRef<Permission>>(&self, txn: &T, user: &AuthzContext, perm: &P)
-> Result<bool> -> Result<bool>
{ {
// Tally all roles. Makes dependent roles easier // Tally all roles. Makes dependent roles easier
@ -154,7 +154,7 @@ impl RoleDB for Internal {
"Internal" "Internal"
} }
fn check(&self, user: &User, perm: &Permission) -> Result<bool> { fn check(&self, user: &AuthzContext, perm: &Permission) -> Result<bool> {
let txn = self.env.begin_ro_txn()?; let txn = self.env.begin_ro_txn()?;
self._check(&txn, user, &perm) self._check(&txn, user, &perm)
} }


@ -16,8 +16,6 @@ use crate::error::Result;
use crate::config::Settings; use crate::config::Settings;
use crate::db::access; use crate::db::access;
use crate::db::user::UserIdentifier;
use capnp::Error; use capnp::Error;
use uuid::Uuid; use uuid::Uuid;
@ -30,7 +28,6 @@ use futures::{Future, Stream, StreamExt};
use futures_signals::signal::*; use futures_signals::signal::*;
use crate::registries::StatusSignal; use crate::registries::StatusSignal;
use crate::db::user::User;
use crate::machine::MachineDescription; use crate::machine::MachineDescription;


@ -3,11 +3,32 @@ use std::fmt;
use crate::db::access::RoleIdentifier; use crate::db::access::RoleIdentifier;
use std::collections::HashMap; use std::collections::HashMap;
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord, Serialize, Deserialize)]
/// Authorization Identity
///
/// This identity is internal to FabAccess and completely independent from the authentication
/// method or source
struct AuthZId {
/// Main User ID. Generally an user name or similar
uid: String,
/// Sub user ID.
///
/// Can change scopes for permissions, e.g. having a +admin account with more permissions than
/// the default account and +dashboard et.al. accounts that have restricted permissions for
/// their applications
subuid: String,
/// Realm this account originates.
///
/// The Realm is usually described by a domain name but local policy may dictate an unrelated
/// mapping
realm: String,
}
/// A Person, from the Authorization perspective /// A Person, from the Authorization perspective
#[derive(PartialEq, Eq, Debug, Clone, Serialize, Deserialize)] #[derive(PartialEq, Eq, Debug, Clone, Serialize, Deserialize)]
pub struct AuthzContext { pub struct AuthzContext {
/// The identification of this user. /// The identification of this user.
pub id: UserIdentifier, pub id: AuthZId,
/// A Person has N ≥ 0 roles. /// A Person has N ≥ 0 roles.
/// Persons are only ever given roles, not permissions directly /// Persons are only ever given roles, not permissions directly
@ -18,20 +39,23 @@ pub struct AuthzContext {
kv: HashMap<Box<[u8]>, Box<[u8]>>, kv: HashMap<Box<[u8]>, Box<[u8]>>,
} }
impl fmt::Display for UserIdentifier { #[cfg(test)]
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { mod tests {
let r = write!(f, "{}", self.uid)?; use super::*;
if let Some(ref s) = self.subuid {
write!(f, "+{}", s)?; #[test]
} fn format_uid_test() {
if let Some(ref l) = self.location { let uid = "testuser".to_string();
write!(f, "@{}", l)?; let suid = "testsuid".to_string();
} let location = "testloc".to_string();
Ok(r)
assert_eq!("testuser",
format!("{}", UserIdentifier::new(uid.clone(), None, None)));
assert_eq!("testuser+testsuid",
format!("{}", UserIdentifier::new(uid.clone(), Some(suid.clone()), None)));
assert_eq!("testuser+testsuid",
format!("{}", UserIdentifier::new(uid.clone(), Some(suid.clone()), None)));
assert_eq!("testuser+testsuid@testloc",
format!("{}", UserIdentifier::new(uid, Some(suid), Some(location))));
} }
} }
/// User Database Trait
pub trait UserDB {
fn get_user(&self, uid: UserIdentifier) -> Option<User>;
}
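Review bot: `struct AuthZId` at the start of the hunk is private, yet it is the type of the public field `pub id: AuthZId` on `pub struct AuthzContext`, which Rust rejects as a private type in a public interface; it should be `pub struct AuthZId { pub uid: String, pub subuid: String, pub realm: String }` (field visibility only if callers need to read them). The new `tests` module still calls `UserIdentifier::new(...)` and formats it with `{}`, but this commit removes the `Display for UserIdentifier` impl and nothing in the hunk defines `UserIdentifier`, so the test build is likely broken until the test targets `AuthZId`, which would also need its own `Display` impl to keep the `uid+subuid@realm` rendering the assertions expect. `subuid` and `realm` are plain `String`s where the removed type used `Option` for the sub-id and location, so every identity now carries a value for both; confirm that is intended, since an empty string participates in the derived `Eq`/`Ord` like any other value and the sub-id scoping described in the field docs would then be indistinguishable from "no sub-id".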


@ -12,7 +12,6 @@ use uuid::Uuid;
use crate::error::Result; use crate::error::Result;
use crate::db::user::User;
use crate::db::access; use crate::db::access;
use crate::db::machine::{MachineIdentifier, Status, MachineState}; use crate::db::machine::{MachineIdentifier, Status, MachineState};