WIP: add casbin to access manager, allow to persist identities

2025-10-05 07:57:13 +08:00 · 2023-02-06 17:07:20 +01:00
parent 8f1ff2d1a2
commit 11e55fc2c7
12 changed files with 919 additions and 95 deletions
--- a/app/api/api.go
+++ b/app/api/api.go
@@ -383,12 +383,50 @@ func (a *api) start() error {
 		a.sessions = sessions
 	}

-	iam, err := iam.NewIAM()
-	if err != nil {
-		return fmt.Errorf("iam: %w", err)
-	}
+	{
+		superuser := iam.User{
+			Name:      cfg.API.Auth.Username,
+			Superuser: true,
+			Auth: iam.UserAuth{
+				API: iam.UserAuthAPI{
+					Userpass: iam.UserAuthPassword{
+						Enable:   cfg.API.Auth.Enable,
+						Password: cfg.API.Auth.Password,
+					},
+					Auth0: iam.UserAuthAPIAuth0{
+						Enable: cfg.API.Auth.Auth0.Enable,
+						User:   cfg.API.Auth.Auth0.Tenants[0].Users[0],
+						Tenant: iam.Auth0Tenant{
+							Domain:   cfg.API.Auth.Auth0.Tenants[0].Domain,
+							Audience: cfg.API.Auth.Auth0.Tenants[0].Audience,
+							ClientID: cfg.API.Auth.Auth0.Tenants[0].ClientID,
+						},
+					},
+				},
+				Services: iam.UserAuthServices{
+					Basic: iam.UserAuthPassword{
+						Enable:   cfg.Storage.Memory.Auth.Enable,
+						Password: cfg.Storage.Memory.Auth.Password,
+					},
+					Token: cfg.RTMP.Token,
+				},
+			},
+		}

-	a.iam = iam
+		fs, err := fs.NewRootedDiskFilesystem(fs.RootedDiskConfig{
+			Root: filepath.Join(cfg.DB.Dir, "iam"),
+		})
+		if err != nil {
+			return err
+		}
+
+		iam, err := iam.NewIAM(fs, superuser)
+		if err != nil {
+			return fmt.Errorf("iam: %w", err)
+		}
+
+		a.iam = iam
+	}

 	diskfs, err := fs.NewRootedDiskFilesystem(fs.RootedDiskConfig{
 		Root:   cfg.Storage.Disk.Dir,
@@ -639,7 +677,7 @@ func (a *api) start() error {
 			return fmt.Errorf("unable to create JWT provider: %w", err)
 		}

-		if validator, err := jwt.NewLocalValidator(cfg.API.Auth.Username, cfg.API.Auth.Password); err == nil {
+		if validator, err := jwt.NewLocalValidator(a.iam); err == nil {
 			if err := httpjwt.AddValidator(app.Name, validator); err != nil {
 				return fmt.Errorf("unable to add local JWT validator: %w", err)
 			}
@@ -649,7 +687,7 @@ func (a *api) start() error {

 		if cfg.API.Auth.Auth0.Enable {
 			for _, t := range cfg.API.Auth.Auth0.Tenants {
-				if validator, err := jwt.NewAuth0Validator(t.Domain, t.Audience, t.ClientID, t.Users); err == nil {
+				if validator, err := jwt.NewAuth0Validator(a.iam); err == nil {
 					if err := httpjwt.AddValidator("https://"+t.Domain+"/", validator); err != nil {
 						return fmt.Errorf("unable to add Auth0 JWT validator: %w", err)
 					}
@@ -1303,6 +1341,10 @@ func (a *api) stop() {
 		return
 	}

+	if a.iam != nil {
+		a.iam.Close()
+	}
+
 	// Stop JWT authentication
 	if a.httpjwt != nil {
 		a.httpjwt.ClearValidators()