vmario/fabaccess-bffh
1
0
Fork 0
mirror of https://gitlab.com/fabinfra/fabaccess/bffh.git synced 2024-11-22 14:57:56 +01:00
Code Issues Packages Projects Releases Wiki Activity

Make compile (well.. not really)

Browse Source
This commit is contained in:
Gregor Reitzenstein 2020-11-24 14:41:19 +01:00
parent b203edf206
commit 5c5a59a75c
7 changed files with 64 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/api.rs
View File

@ -9,6 +9,8 @@ use crate::connection::Session;
use crate::db::Databases;
use crate::builtin;
pub mod auth;
mod machine;
mod machines;
@ -36,11 +38,18 @@ impl connection_capnp::bootstrap::Server for Bootstrap {
// Forbid mutltiple authentication for now
// TODO: When should we allow multiple auth and how do me make sure that does not leak
// priviledges (e.g. due to previously issues caps)?
if self.session.user.is_none() {
res.get().set_auth(capnp_rpc::new_client(auth::Auth::new(self.session.clone())))
let session = self.session.clone();
let check_perm_future = session.check_permission(&builtin::AUTH_PERM);
let f = async {
let r = check_perm_future.await.unwrap();
if r {
res.get().set_auth(capnp_rpc::new_client(auth::Auth::new(session.clone())))
}
Promise::ok(())
Ok(())
};
Promise::from_future(f)
}
fn permissions(&mut self,

9
src/connection.rs
View File

@ -14,6 +14,7 @@ use crate::schema::connection_capnp;
use crate::db::Databases;
use crate::db::access::{AccessControl, Permission};
use crate::db::user::AuthzContext;
use crate::builtin;
#[derive(Debug, Clone)]
@ -22,20 +23,20 @@ use crate::builtin;
pub struct Session {
// Session-spezific log
pub log: Logger,
authz_data: Option<AuthorizationContext>,
authz_data: Option<AuthzContext>,
accessdb: Arc<AccessControl>,
}
impl Session {
pub fn new(log: Logger, accessdb: Arc<AccessControl>) -> Self {
let user = None;
let authz_data = None;
Session { log, user, accessdb }
Session { log, authz_data, accessdb }
}
/// Check if the current session has a certain permission
pub async fn check_permission<P: AsRef<Permission>>(&self, perm: &P) -> Result<bool> {
if let Some(user) = self.user.as_ref() {
if let Some(user) = self.authz_data.as_ref() {
self.accessdb.check(user, perm).await
} else {
self.accessdb.check_roles(builtin::DEFAULT_ROLEIDS, perm).await

6
src/db/access.rs
View File

@ -29,7 +29,7 @@ use crate::error::Result;
pub mod internal;
use crate::db::user::User;
use crate::db::user::AuthzContext;
pub use internal::init;
pub struct AccessControl {
@ -49,7 +49,7 @@ impl AccessControl {
self.sources.insert(name, source);
}
pub async fn check<P: AsRef<Permission>>(&self, user: &User, perm: &P) -> Result<bool> {
pub async fn check<P: AsRef<Permission>>(&self, user: &AuthzContext, perm: &P) -> Result<bool> {
for v in self.sources.values() {
if v.check(user, perm.as_ref())? {
return Ok(true);
@ -91,7 +91,7 @@ pub trait RoleDB {
///
/// Default implementation which adapter may overwrite with more efficient specialized
/// implementations.
fn check(&self, user: &User, perm: &Permission) -> Result<bool> {
fn check(&self, user: &AuthzContext, perm: &Permission) -> Result<bool> {
self.check_roles(&user.roles, perm)
}

6
src/db/access/internal.rs
View File

@ -17,7 +17,7 @@ use crate::config::Settings;
use crate::error::Result;
use crate::db::access::{Permission, Role, RoleIdentifier, RoleDB};
use crate::db::user::{UserIdentifier, User};
use crate::db::user::AuthzContext;
#[derive(Clone, Debug)]
pub struct Internal {
@ -34,7 +34,7 @@ impl Internal {
/// Check if a given user has the given permission
#[allow(unused)]
pub fn _check<T: Transaction, P: AsRef<Permission>>(&self, txn: &T, user: &User, perm: &P)
pub fn _check<T: Transaction, P: AsRef<Permission>>(&self, txn: &T, user: &AuthzContext, perm: &P)
-> Result<bool>
{
// Tally all roles. Makes dependent roles easier
@ -154,7 +154,7 @@ impl RoleDB for Internal {
"Internal"
}
fn check(&self, user: &User, perm: &Permission) -> Result<bool> {
fn check(&self, user: &AuthzContext, perm: &Permission) -> Result<bool> {
let txn = self.env.begin_ro_txn()?;
self._check(&txn, user, &perm)
}

3
src/db/machine.rs
View File

@ -16,8 +16,6 @@ use crate::error::Result;
use crate::config::Settings;
use crate::db::access;
use crate::db::user::UserIdentifier;
use capnp::Error;
use uuid::Uuid;
@ -30,7 +28,6 @@ use futures::{Future, Stream, StreamExt};
use futures_signals::signal::*;
use crate::registries::StatusSignal;
use crate::db::user::User;
use crate::machine::MachineDescription;

56
src/db/user.rs
View File

@ -3,11 +3,32 @@ use std::fmt;
use crate::db::access::RoleIdentifier;
use std::collections::HashMap;
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord, Serialize, Deserialize)]
/// Authorization Identity
///
/// This identity is internal to FabAccess and completely independent from the authentication
/// method or source
struct AuthZId {
/// Main User ID. Generally an user name or similar
uid: String,
/// Sub user ID.
///
/// Can change scopes for permissions, e.g. having a +admin account with more permissions than
/// the default account and +dashboard et.al. accounts that have restricted permissions for
/// their applications
subuid: String,
/// Realm this account originates.
///
/// The Realm is usually described by a domain name but local policy may dictate an unrelated
/// mapping
realm: String,
}
/// A Person, from the Authorization perspective
#[derive(PartialEq, Eq, Debug, Clone, Serialize, Deserialize)]
pub struct AuthzContext {
/// The identification of this user.
pub id: UserIdentifier,
pub id: AuthZId,
/// A Person has N ≥ 0 roles.
/// Persons are only ever given roles, not permissions directly
@ -18,20 +39,23 @@ pub struct AuthzContext {
kv: HashMap<Box<[u8]>, Box<[u8]>>,
}
impl fmt::Display for UserIdentifier {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
let r = write!(f, "{}", self.uid)?;
if let Some(ref s) = self.subuid {
write!(f, "+{}", s)?;
}
if let Some(ref l) = self.location {
write!(f, "@{}", l)?;
}
Ok(r)
}
}
#[cfg(test)]
mod tests {
use super::*;
/// User Database Trait
pub trait UserDB {
fn get_user(&self, uid: UserIdentifier) -> Option<User>;
#[test]
fn format_uid_test() {
let uid = "testuser".to_string();
let suid = "testsuid".to_string();
let location = "testloc".to_string();
assert_eq!("testuser",
format!("{}", UserIdentifier::new(uid.clone(), None, None)));
assert_eq!("testuser+testsuid",
format!("{}", UserIdentifier::new(uid.clone(), Some(suid.clone()), None)));
assert_eq!("testuser+testsuid",
format!("{}", UserIdentifier::new(uid.clone(), Some(suid.clone()), None)));
assert_eq!("testuser+testsuid@testloc",
format!("{}", UserIdentifier::new(uid, Some(suid), Some(location))));
}
}

1
src/machine.rs
View File

@ -12,7 +12,6 @@ use uuid::Uuid;
use crate::error::Result;
use crate::db::user::User;
use crate::db::access;
use crate::db::machine::{MachineIdentifier, Status, MachineState};