This commit is contained in:
Gregor Reitzenstein 2020-02-17 15:07:55 +01:00
parent 6152639564
commit e135d7c8bd
3 changed files with 20 additions and 5 deletions

View File

@ -1,6 +1,8 @@
//! Access control logic //! Access control logic
//! //!
use slog::Logger;
use casbin::prelude::*; use casbin::prelude::*;
use super::config::Config; use super::config::Config;
@ -13,19 +15,26 @@ use crate::error::Result;
#[derive(Clone)] #[derive(Clone)]
pub struct Permissions { pub struct Permissions {
log: Logger,
pdb: Mutable<Enforcer>, pdb: Mutable<Enforcer>,
auth: Authentication, auth: Authentication,
} }
impl Permissions { impl Permissions {
pub fn new(pdb: Mutable<Enforcer>, auth: Authentication) -> Self { pub fn new(log: Logger, pdb: Mutable<Enforcer>, auth: Authentication) -> Self {
Self { pdb, auth } Self { log, pdb, auth }
} }
pub fn enforce(&self, object: &str, action: &str) -> bool { pub fn enforce(&self, object: &str, action: &str) -> bool {
if let Some(actor) = self.auth.get_authzid() { if let Some(actor) = self.auth.get_authzid() {
self.pdb.lock_ref().enforce(vec![&actor,object,action]).unwrap() trace!(self.log, "Checking permission {} for {} on {}", action, actor, object);
let r = self.pdb.lock_ref().enforce(vec![&actor,object,action]).unwrap();
if !r {
info!(self.log, "Failed permission {} for {} on {}", action, actor, object);
}
return r;
} else { } else {
info!(self.log, "Attempted anonymous access: {} on {}", action, object);
false false
} }
} }

View File

@ -64,11 +64,13 @@ impl api::machines::Server for Machines {
let mut b = results.get(); let mut b = results.get();
let mngr = api::machines::manage::ToClient::new(manager).into_client::<Server>(); let mngr = api::machines::manage::ToClient::new(manager).into_client::<Server>();
b.set_manage(mngr); b.set_manage(mngr);
trace!(self.log, "Granted manage on machine {}", uuid);
Promise::ok(()) Promise::ok(())
} else { } else {
Promise::err(Error::failed("Permission denied".to_string())) Promise::err(Error::failed("Permission denied".to_string()))
} }
} else { } else {
info!(self.log, "Attempted manage on invalid machine {}", uuid);
Promise::err(Error::failed("No such machine".to_string())) Promise::err(Error::failed("No such machine".to_string()))
} }
} }
@ -84,8 +86,10 @@ impl api::machines::Server for Machines {
let mdb = self.mdb.lock_ref(); let mdb = self.mdb.lock_ref();
if let Some(m) = mdb.get(&uuid) { if let Some(m) = mdb.get(&uuid) {
trace!(self.log, "Granted use on machine {}", uuid);
Promise::ok(()) Promise::ok(())
} else { } else {
info!(self.log, "Attempted use on invalid machine {}", uuid);
Promise::err(Error::failed("No such machine".to_string())) Promise::err(Error::failed("No such machine".to_string()))
} }
} }

View File

@ -55,6 +55,8 @@ fn main() {
let addr = args[1].to_socket_addrs().unwrap().next().expect("could not parse address"); let addr = args[1].to_socket_addrs().unwrap().next().expect("could not parse address");
let permlog = log.new(o!());
let machlog = log.new(o!());
let spawner = exec.spawner(); let spawner = exec.spawner();
let result: Result<(), Box<dyn std::error::Error>> = exec.run_until(async move { let result: Result<(), Box<dyn std::error::Error>> = exec.run_until(async move {
@ -64,8 +66,8 @@ fn main() {
let socket = socket?; let socket = socket?;
// TODO: Prettify session handling // TODO: Prettify session handling
let auth = auth::Authentication::new(authp.clone()); let auth = auth::Authentication::new(authp.clone());
let perm = access::Permissions::new(enf.clone(), auth.clone()); let perm = access::Permissions::new(permlog.clone(), enf.clone(), auth.clone());
let mach = machine::Machines::new(m.clone(), perm.clone()); let mach = machine::Machines::new(machlog.clone(), m.clone(), perm.clone());
let rpc_system = api::process_socket(auth, perm, mach, socket); let rpc_system = api::process_socket(auth, perm, mach, socket);
spawner.spawn_local_obj( spawner.spawn_local_obj(