From 7a1eb1251ba7531334fb0103c21d38fa5cadf0ba Mon Sep 17 00:00:00 2001
From: Ingo Oppermann
Date: Tue, 23 May 2023 16:05:04 +0200
Subject: [PATCH] Remove IAM group semantics

---
 docs/docs.go | 512 ----------------------------------------
 docs/swagger.json | 512 ----------------------------------------
 docs/swagger.yaml | 331 --------------------------
 http/api/iam.go | 11 -
 http/handler/api/iam.go | 375 +----------------------------
 5 files changed, 6 insertions(+), 1735 deletions(-)

diff --git a/docs/docs.go b/docs/docs.go
index 04ac457f..2fa112bd 100644
--- a/docs/docs.go
+++ b/docs/docs.go
@@ -483,487 +483,6 @@ const docTemplate = `{ } } }, - "/api/v3/iam/group": { - "get": { - "security": [ - { - "ApiKeyAuth": [] - } - ], - "description": "List all groups", - "produces": [ - "application/json" - ], - "tags": [ - "v16.?.?" - ], - "summary": "List all groups", - "operationId": "iam-3-list-groups", - "responses": { - "200": { - "description": "OK", - "schema": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "403": { - "description": "Forbidden", - "schema": { - "$ref": "#/definitions/api.Error" - } - } - } - }, - "post": { - "security": [ - { - "ApiKeyAuth": [] - } - ], - "description": "Create a group with admins", - "produces": [ - "application/json" - ], - "tags": [ - "v16.?.?" - ], - "summary": "Create a group with admins", - "operationId": "iam-3-add-group", - "parameters": [ - { - "description": "Group to add", - "name": "config", - "in": "body", - "required": true, - "schema": { - "$ref": "#/definitions/api.IAMGroup" - } - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/api.IAMGroup" - } - }, - "400": { - "description": "Bad Request", - "schema": { - "$ref": "#/definitions/api.Error" - } - }, - "403": { - "description": "Forbidden", - "schema": { - "$ref": "#/definitions/api.Error" - } - }, - "404": { - "description": "Not Found", - "schema": { - "$ref": "#/definitions/api.Error" - } - }, - "409": { - "description": "Conflict", - "schema": { - "$ref": "#/definitions/api.Error" - } - } - } - } - }, - "/api/v3/iam/group/{group}": { - "get": { - "security": [ - { - "ApiKeyAuth": [] - } - ], - "description": "Get details of a group", - "produces": [ - "application/json" - ], - "tags": [ - "v16.?.?" 
- ], - "summary": "Get details of a group", - "operationId": "iam-3-get-group", - "parameters": [ - { - "type": "string", - "description": "group name", - "name": "group", - "in": "path", - "required": true - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/api.IAMGroup" - } - }, - "403": { - "description": "Forbidden", - "schema": { - "$ref": "#/definitions/api.Error" - } - }, - "404": { - "description": "Not Found", - "schema": { - "$ref": "#/definitions/api.Error" - } - } - } - }, - "delete": { - "security": [ - { - "ApiKeyAuth": [] - } - ], - "description": "Remove a group", - "produces": [ - "application/json" - ], - "tags": [ - "v16.?.?" - ], - "summary": "Remove a group", - "operationId": "iam-3-remove-group", - "parameters": [ - { - "type": "string", - "description": "group name", - "name": "group", - "in": "path", - "required": true - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/api.IAMGroup" - } - }, - "403": { - "description": "Forbidden", - "schema": { - "$ref": "#/definitions/api.Error" - } - }, - "404": { - "description": "Not Found", - "schema": { - "$ref": "#/definitions/api.Error" - } - } - } - } - }, - "/api/v3/iam/group/{group}/user": { - "get": { - "security": [ - { - "ApiKeyAuth": [] - } - ], - "description": "List all users in a group", - "produces": [ - "application/json" - ], - "tags": [ - "v16.?.?" 
- ], - "summary": "List all users in a group", - "operationId": "iam-3-get-group-users", - "parameters": [ - { - "type": "string", - "description": "group name", - "name": "group", - "in": "path", - "required": true - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "403": { - "description": "Forbidden", - "schema": { - "$ref": "#/definitions/api.Error" - } - }, - "404": { - "description": "Not Found", - "schema": { - "$ref": "#/definitions/api.Error" - } - } - } - }, - "post": { - "security": [ - { - "ApiKeyAuth": [] - } - ], - "description": "Add an user to a group", - "produces": [ - "application/json" - ], - "tags": [ - "v16.?.?" - ], - "summary": "Add an user to a group", - "operationId": "iam-3-add-group-user", - "parameters": [ - { - "type": "string", - "description": "group name", - "name": "group", - "in": "path", - "required": true - }, - { - "description": "User to add", - "name": "config", - "in": "body", - "required": true, - "schema": { - "$ref": "#/definitions/api.IAMGroupUser" - } - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "400": { - "description": "Bad Request", - "schema": { - "$ref": "#/definitions/api.Error" - } - }, - "403": { - "description": "Forbidden", - "schema": { - "$ref": "#/definitions/api.Error" - } - }, - "404": { - "description": "Not Found", - "schema": { - "$ref": "#/definitions/api.Error" - } - }, - "409": { - "description": "Conflict", - "schema": { - "$ref": "#/definitions/api.Error" - } - } - } - } - }, - "/api/v3/iam/group/{group}/user/{name}": { - "get": { - "security": [ - { - "ApiKeyAuth": [] - } - ], - "description": "Get the details of a user in a group", - "produces": [ - "application/json" - ], - "tags": [ - "v16.?.?" 
- ], - "summary": "Get the details of a user in a group", - "operationId": "iam-3-get-group-user", - "parameters": [ - { - "type": "string", - "description": "group name", - "name": "group", - "in": "path", - "required": true - }, - { - "type": "string", - "description": "user name", - "name": "name", - "in": "path", - "required": true - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "403": { - "description": "Forbidden", - "schema": { - "$ref": "#/definitions/api.Error" - } - }, - "404": { - "description": "Not Found", - "schema": { - "$ref": "#/definitions/api.Error" - } - } - } - }, - "put": { - "security": [ - { - "ApiKeyAuth": [] - } - ], - "description": "Set the policies of a user in a group", - "produces": [ - "application/json" - ], - "tags": [ - "v16.?.?" - ], - "summary": "Set the policies of a user in a group", - "operationId": "iam-3-update-group-user", - "parameters": [ - { - "type": "string", - "description": "group name", - "name": "group", - "in": "path", - "required": true - }, - { - "type": "string", - "description": "user name", - "name": "name", - "in": "path", - "required": true - }, - { - "description": "User to add", - "name": "config", - "in": "body", - "required": true, - "schema": { - "$ref": "#/definitions/api.IAMPolicy" - } - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "400": { - "description": "Bad Request", - "schema": { - "$ref": "#/definitions/api.Error" - } - }, - "403": { - "description": "Forbidden", - "schema": { - "$ref": "#/definitions/api.Error" - } - } - } - }, - "delete": { - "security": [ - { - "ApiKeyAuth": [] - } - ], - "description": "Remove a user from a group", - "produces": [ - "application/json" - ], - "tags": [ - "v16.?.?" 
- ], - "summary": "Remove a user from a group", - "operationId": "iam-3-remove-group-user", - "parameters": [ - { - "type": "string", - "description": "group name", - "name": "group", - "in": "path", - "required": true - }, - { - "type": "string", - "description": "user name", - "name": "name", - "in": "path", - "required": true - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "400": { - "description": "Bad Request", - "schema": { - "$ref": "#/definitions/api.Error" - } - }, - "403": { - "description": "Forbidden", - "schema": { - "$ref": "#/definitions/api.Error" - } - } - } - } - }, "/api/v3/iam/user": { "post": { "security": [ @@ -3424,37 +2943,6 @@ const docTemplate = `{ } } }, - "api.IAMGroup": { - "type": "object", - "properties": { - "admins": { - "type": "array", - "items": { - "type": "string" - } - }, - "name": { - "type": "string" - } - } - }, - "api.IAMGroupUser": { - "type": "object", - "properties": { - "admin": { - "type": "boolean" - }, - "name": { - "type": "string" - }, - "policies": { - "type": "array", - "items": { - "$ref": "#/definitions/api.IAMPolicy" - } - } - } - }, "api.IAMPolicy": { "type": "object", "properties": { diff --git a/docs/swagger.json b/docs/swagger.json index 9f7580da..6bf7defd 100644 --- a/docs/swagger.json +++ b/docs/swagger.json 
@@ -476,487 +476,6 @@ } } }, - "/api/v3/iam/group": { - "get": { - "security": [ - { - "ApiKeyAuth": [] - } - ], - "description": "List all groups", - "produces": [ - "application/json" - ], - "tags": [ - "v16.?.?" - ], - "summary": "List all groups", - "operationId": "iam-3-list-groups", - "responses": { - "200": { - "description": "OK", - "schema": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "403": { - "description": "Forbidden", - "schema": { - "$ref": "#/definitions/api.Error" - } - } - } - }, - "post": { - "security": [ - { - "ApiKeyAuth": [] - } - ], - "description": "Create a group with admins", - "produces": [ - "application/json" - ], - "tags": [ - "v16.?.?" - ], - "summary": "Create a group with admins", - "operationId": "iam-3-add-group", - "parameters": [ - { - "description": "Group to add", - "name": "config", - "in": "body", - "required": true, - "schema": { - "$ref": "#/definitions/api.IAMGroup" - } - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/api.IAMGroup" - } - }, - "400": { - "description": "Bad Request", - "schema": { - "$ref": "#/definitions/api.Error" - } - }, - "403": { - "description": "Forbidden", - "schema": { - "$ref": "#/definitions/api.Error" - } - }, - "404": { - "description": "Not Found", - "schema": { - "$ref": "#/definitions/api.Error" - } - }, - "409": { - "description": "Conflict", - "schema": { - "$ref": "#/definitions/api.Error" - } - } - } - } - }, - "/api/v3/iam/group/{group}": { - "get": { - "security": [ - { - "ApiKeyAuth": [] - } - ], - "description": "Get details of a group", - "produces": [ - "application/json" - ], - "tags": [ - "v16.?.?" 
- ], - "summary": "Get details of a group", - "operationId": "iam-3-get-group", - "parameters": [ - { - "type": "string", - "description": "group name", - "name": "group", - "in": "path", - "required": true - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/api.IAMGroup" - } - }, - "403": { - "description": "Forbidden", - "schema": { - "$ref": "#/definitions/api.Error" - } - }, - "404": { - "description": "Not Found", - "schema": { - "$ref": "#/definitions/api.Error" - } - } - } - }, - "delete": { - "security": [ - { - "ApiKeyAuth": [] - } - ], - "description": "Remove a group", - "produces": [ - "application/json" - ], - "tags": [ - "v16.?.?" - ], - "summary": "Remove a group", - "operationId": "iam-3-remove-group", - "parameters": [ - { - "type": "string", - "description": "group name", - "name": "group", - "in": "path", - "required": true - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "$ref": "#/definitions/api.IAMGroup" - } - }, - "403": { - "description": "Forbidden", - "schema": { - "$ref": "#/definitions/api.Error" - } - }, - "404": { - "description": "Not Found", - "schema": { - "$ref": "#/definitions/api.Error" - } - } - } - } - }, - "/api/v3/iam/group/{group}/user": { - "get": { - "security": [ - { - "ApiKeyAuth": [] - } - ], - "description": "List all users in a group", - "produces": [ - "application/json" - ], - "tags": [ - "v16.?.?" 
- ], - "summary": "List all users in a group", - "operationId": "iam-3-get-group-users", - "parameters": [ - { - "type": "string", - "description": "group name", - "name": "group", - "in": "path", - "required": true - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "403": { - "description": "Forbidden", - "schema": { - "$ref": "#/definitions/api.Error" - } - }, - "404": { - "description": "Not Found", - "schema": { - "$ref": "#/definitions/api.Error" - } - } - } - }, - "post": { - "security": [ - { - "ApiKeyAuth": [] - } - ], - "description": "Add an user to a group", - "produces": [ - "application/json" - ], - "tags": [ - "v16.?.?" - ], - "summary": "Add an user to a group", - "operationId": "iam-3-add-group-user", - "parameters": [ - { - "type": "string", - "description": "group name", - "name": "group", - "in": "path", - "required": true - }, - { - "description": "User to add", - "name": "config", - "in": "body", - "required": true, - "schema": { - "$ref": "#/definitions/api.IAMGroupUser" - } - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "400": { - "description": "Bad Request", - "schema": { - "$ref": "#/definitions/api.Error" - } - }, - "403": { - "description": "Forbidden", - "schema": { - "$ref": "#/definitions/api.Error" - } - }, - "404": { - "description": "Not Found", - "schema": { - "$ref": "#/definitions/api.Error" - } - }, - "409": { - "description": "Conflict", - "schema": { - "$ref": "#/definitions/api.Error" - } - } - } - } - }, - "/api/v3/iam/group/{group}/user/{name}": { - "get": { - "security": [ - { - "ApiKeyAuth": [] - } - ], - "description": "Get the details of a user in a group", - "produces": [ - "application/json" - ], - "tags": [ - "v16.?.?" 
- ], - "summary": "Get the details of a user in a group", - "operationId": "iam-3-get-group-user", - "parameters": [ - { - "type": "string", - "description": "group name", - "name": "group", - "in": "path", - "required": true - }, - { - "type": "string", - "description": "user name", - "name": "name", - "in": "path", - "required": true - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "403": { - "description": "Forbidden", - "schema": { - "$ref": "#/definitions/api.Error" - } - }, - "404": { - "description": "Not Found", - "schema": { - "$ref": "#/definitions/api.Error" - } - } - } - }, - "put": { - "security": [ - { - "ApiKeyAuth": [] - } - ], - "description": "Set the policies of a user in a group", - "produces": [ - "application/json" - ], - "tags": [ - "v16.?.?" - ], - "summary": "Set the policies of a user in a group", - "operationId": "iam-3-update-group-user", - "parameters": [ - { - "type": "string", - "description": "group name", - "name": "group", - "in": "path", - "required": true - }, - { - "type": "string", - "description": "user name", - "name": "name", - "in": "path", - "required": true - }, - { - "description": "User to add", - "name": "config", - "in": "body", - "required": true, - "schema": { - "$ref": "#/definitions/api.IAMPolicy" - } - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "400": { - "description": "Bad Request", - "schema": { - "$ref": "#/definitions/api.Error" - } - }, - "403": { - "description": "Forbidden", - "schema": { - "$ref": "#/definitions/api.Error" - } - } - } - }, - "delete": { - "security": [ - { - "ApiKeyAuth": [] - } - ], - "description": "Remove a user from a group", - "produces": [ - "application/json" - ], - "tags": [ - "v16.?.?" 
- ], - "summary": "Remove a user from a group", - "operationId": "iam-3-remove-group-user", - "parameters": [ - { - "type": "string", - "description": "group name", - "name": "group", - "in": "path", - "required": true - }, - { - "type": "string", - "description": "user name", - "name": "name", - "in": "path", - "required": true - } - ], - "responses": { - "200": { - "description": "OK", - "schema": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "400": { - "description": "Bad Request", - "schema": { - "$ref": "#/definitions/api.Error" - } - }, - "403": { - "description": "Forbidden", - "schema": { - "$ref": "#/definitions/api.Error" - } - } - } - } - }, "/api/v3/iam/user": { "post": { "security": [ @@ -3417,37 +2936,6 @@ } } }, - "api.IAMGroup": { - "type": "object", - "properties": { - "admins": { - "type": "array", - "items": { - "type": "string" - } - }, - "name": { - "type": "string" - } - } - }, - "api.IAMGroupUser": { - "type": "object", - "properties": { - "admin": { - "type": "boolean" - }, - "name": { - "type": "string" - }, - "policies": { - "type": "array", - "items": { - "$ref": "#/definitions/api.IAMPolicy" - } - } - } - }, "api.IAMPolicy": { "type": "object", "properties": { diff --git a/docs/swagger.yaml b/docs/swagger.yaml index 10b5c1d1..b62a285a 100644 --- a/docs/swagger.yaml +++ b/docs/swagger.yaml @@ -481,26 +481,6 @@ definitions: domain: type: string type: object - api.IAMGroup: - properties: - admins: - items: - type: string - type: array - name: - type: string - type: object - api.IAMGroupUser: - properties: - admin: - type: boolean - name: - type: string - policies: - items: - $ref: '#/definitions/api.IAMPolicy' - type: array - type: object api.IAMPolicy: properties: actions: 
@@ -2322,317 +2302,6 @@ paths: summary: Add a file to a filesystem tags: - v16.7.2 - /api/v3/iam/group: - get: - description: List all groups - operationId: iam-3-list-groups - produces: - - application/json - responses: - "200": - description: OK - schema: - items: - type: string - type: array - "403": - description: Forbidden - schema: - $ref: '#/definitions/api.Error' - security: - - ApiKeyAuth: [] - summary: List all groups - tags: - - v16.?.? - post: - description: Create a group with admins - operationId: iam-3-add-group - parameters: - - description: Group to add - in: body - name: config - required: true - schema: - $ref: '#/definitions/api.IAMGroup' - produces: - - application/json - responses: - "200": - description: OK - schema: - $ref: '#/definitions/api.IAMGroup' - "400": - description: Bad Request - schema: - $ref: '#/definitions/api.Error' - "403": - description: Forbidden - schema: - $ref: '#/definitions/api.Error' - "404": - description: Not Found - schema: - $ref: '#/definitions/api.Error' - "409": - description: Conflict - schema: - $ref: '#/definitions/api.Error' - security: - - ApiKeyAuth: [] - summary: Create a group with admins - tags: - - v16.?.? - /api/v3/iam/group/{group}: - delete: - description: Remove a group - operationId: iam-3-remove-group - parameters: - - description: group name - in: path - name: group - required: true - type: string - produces: - - application/json - responses: - "200": - description: OK - schema: - $ref: '#/definitions/api.IAMGroup' - "403": - description: Forbidden - schema: - $ref: '#/definitions/api.Error' - "404": - description: Not Found - schema: - $ref: '#/definitions/api.Error' - security: - - ApiKeyAuth: [] - summary: Remove a group - tags: - - v16.?.? 
- get: - description: Get details of a group - operationId: iam-3-get-group - parameters: - - description: group name - in: path - name: group - required: true - type: string - produces: - - application/json - responses: - "200": - description: OK - schema: - $ref: '#/definitions/api.IAMGroup' - "403": - description: Forbidden - schema: - $ref: '#/definitions/api.Error' - "404": - description: Not Found - schema: - $ref: '#/definitions/api.Error' - security: - - ApiKeyAuth: [] - summary: Get details of a group - tags: - - v16.?.? - /api/v3/iam/group/{group}/user: - get: - description: List all users in a group - operationId: iam-3-get-group-users - parameters: - - description: group name - in: path - name: group - required: true - type: string - produces: - - application/json - responses: - "200": - description: OK - schema: - items: - type: string - type: array - "403": - description: Forbidden - schema: - $ref: '#/definitions/api.Error' - "404": - description: Not Found - schema: - $ref: '#/definitions/api.Error' - security: - - ApiKeyAuth: [] - summary: List all users in a group - tags: - - v16.?.? - post: - description: Add an user to a group - operationId: iam-3-add-group-user - parameters: - - description: group name - in: path - name: group - required: true - type: string - - description: User to add - in: body - name: config - required: true - schema: - $ref: '#/definitions/api.IAMGroupUser' - produces: - - application/json - responses: - "200": - description: OK - schema: - items: - type: string - type: array - "400": - description: Bad Request - schema: - $ref: '#/definitions/api.Error' - "403": - description: Forbidden - schema: - $ref: '#/definitions/api.Error' - "404": - description: Not Found - schema: - $ref: '#/definitions/api.Error' - "409": - description: Conflict - schema: - $ref: '#/definitions/api.Error' - security: - - ApiKeyAuth: [] - summary: Add an user to a group - tags: - - v16.?.? 
- /api/v3/iam/group/{group}/user/{name}: - delete: - description: Remove a user from a group - operationId: iam-3-remove-group-user - parameters: - - description: group name - in: path - name: group - required: true - type: string - - description: user name - in: path - name: name - required: true - type: string - produces: - - application/json - responses: - "200": - description: OK - schema: - items: - type: string - type: array - "400": - description: Bad Request - schema: - $ref: '#/definitions/api.Error' - "403": - description: Forbidden - schema: - $ref: '#/definitions/api.Error' - security: - - ApiKeyAuth: [] - summary: Remove a user from a group - tags: - - v16.?.? - get: - description: Get the details of a user in a group - operationId: iam-3-get-group-user - parameters: - - description: group name - in: path - name: group - required: true - type: string - - description: user name - in: path - name: name - required: true - type: string - produces: - - application/json - responses: - "200": - description: OK - schema: - items: - type: string - type: array - "403": - description: Forbidden - schema: - $ref: '#/definitions/api.Error' - "404": - description: Not Found - schema: - $ref: '#/definitions/api.Error' - security: - - ApiKeyAuth: [] - summary: Get the details of a user in a group - tags: - - v16.?.? 
- put: - description: Set the policies of a user in a group - operationId: iam-3-update-group-user - parameters: - - description: group name - in: path - name: group - required: true - type: string - - description: user name - in: path - name: name - required: true - type: string - - description: User to add - in: body - name: config - required: true - schema: - $ref: '#/definitions/api.IAMPolicy' - produces: - - application/json - responses: - "200": - description: OK - schema: - items: - type: string - type: array - "400": - description: Bad Request - schema: - $ref: '#/definitions/api.Error' - "403": - description: Forbidden - schema: - $ref: '#/definitions/api.Error' - security: - - ApiKeyAuth: [] - summary: Set the policies of a user in a group - tags: - - v16.?.? /api/v3/iam/user: post: consumes: diff --git a/http/api/iam.go b/http/api/iam.go index be640bd2..a56aaf62 100644 --- a/http/api/iam.go +++ b/http/api/iam.go @@ -123,14 +123,3 @@ type IAMPolicy struct { Resource string `json:"resource"` Actions []string `json:"actions"` } - -type IAMGroup struct { - Name string `json:"name"` - Admins []string `json:"admins"` -} - -type IAMGroupUser struct { - Name string `json:"name"` - Admin bool `json:"admin"` - Policies []IAMPolicy `json:"policies"` -} diff --git a/http/handler/api/iam.go b/http/handler/api/iam.go index 3957ab53..6382e73e 100644 --- a/http/handler/api/iam.go +++ b/http/handler/api/iam.go @@ -48,7 +48,7 @@ func (h *IAMHandler) AddUser(c echo.Context) error { iamuser, iampolicies := user.Unmarshal() if !h.iam.Enforce(ctxuser, domain, "iam:"+iamuser.Name, "write") { - return api.Err(http.StatusForbidden, "Forbidden") + return api.Err(http.StatusForbidden, "Forbidden", "Not allowed to create user '%s'", iamuser.Name) } for _, p := range iampolicies { 
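Review bot: The new 403 text in AddUser interpolates `iamuser.Name` with `'%s'`, and that name comes from the decoded request (`user.Unmarshal()` on the first line of the hunk), so quotes, newlines or control characters in it are copied verbatim into the error message; `%q` would quote and escape the value in one step: `return api.Err(http.StatusForbidden, "Forbidden", "Not allowed to create user %q", iamuser.Name)`. The second Enforce check in UpdateUser (the @@ -179 hunk) has the same shape and would take the same change. How `user` is populated is not visible here, since AddUser begins outside the hunk.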
@@ -98,7 +98,7 @@ func (h *IAMHandler) RemoveUser(c echo.Context) error { name := util.PathParam(c, "name") if !h.iam.Enforce(ctxuser, domain, "iam:"+name, "write") { - return api.Err(http.StatusForbidden, "Forbidden") + return api.Err(http.StatusForbidden, "Forbidden", "Not allowed to delete this user") } iamuser, err := h.iam.GetIdentity(name) @@ -150,7 +150,7 @@ func (h *IAMHandler) UpdateUser(c echo.Context) error { name := util.PathParam(c, "name") if !h.iam.Enforce(ctxuser, domain, "iam:"+name, "write") { - return api.Err(http.StatusForbidden, "Forbidden") + return api.Err(http.StatusForbidden, "Forbidden", "Not allowed to modify this user") } var iamuser iam.User @@ -179,7 +179,7 @@ func (h *IAMHandler) UpdateUser(c echo.Context) error { iamuser, iampolicies = user.Unmarshal() if !h.iam.Enforce(ctxuser, domain, "iam:"+iamuser.Name, "write") { - return api.Err(http.StatusForbidden, "Forbidden") + return api.Err(http.StatusForbidden, "Forbidden", "Not allowed to create user '%s'", iamuser.Name) } for _, p := range iampolicies { @@ -236,7 +236,7 @@ func (h *IAMHandler) UpdateUserPolicies(c echo.Context) error { name := util.PathParam(c, "name") if !h.iam.Enforce(ctxuser, domain, "iam:"+name, "write") { - return api.Err(http.StatusForbidden, "Forbidden") + return api.Err(http.StatusForbidden, "Forbidden", "Not allowed to modify this user") } var iamuser iam.User @@ -297,7 +297,7 @@ func (h *IAMHandler) GetUser(c echo.Context) error { name := util.PathParam(c, "name") if !h.iam.Enforce(ctxuser, domain, "iam:"+name, "read") { - return api.Err(http.StatusForbidden, "Forbidden") + return api.Err(http.StatusForbidden, "Forbidden", "Not allowed to access this user") } var iamuser iam.User 
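Review bot: The wording of the new 403 reasons is inconsistent across the five hunks in this file: the path-parameter checks in RemoveUser (@@ -98), UpdateUser (@@ -150), UpdateUserPolicies (@@ -236) and GetUser (@@ -297) say "this user" without naming it, while the body-derived check in UpdateUser (@@ -179) quotes the name and reuses AddUser's "Not allowed to create user" wording on an update path. A client reading the reason string therefore gets a different shape depending on which check failed. I would name the user in every message and use one verb per action, e.g. `"Not allowed to delete user %q", name` at @@ -98 and `"Not allowed to modify user %q", name` at @@ -150 and @@ -236; at @@ -179 the check runs against the submitted name rather than the path name, so if that branch is meant to cover a rename the "create" wording may be intentional and deserves a one-line comment saying so. Each enclosing function starts outside its hunk.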
@@ -329,366 +329,3 @@ func (h *IAMHandler) GetUser(c echo.Context) error {
 return c.JSON(http.StatusOK, user)
 }
-
-// AddGroup creates a group with admins
-// @Summary Create a group with admins
-// @Description Create a group with admins
-// @Tags v16.?.?
-// @ID iam-3-add-group
-// @Produce json
-// @Param config body api.IAMGroup true "Group to add"
-// @Success 200 {object} api.IAMGroup
-// @Failure 400 {object} api.Error
-// @Failure 403 {object} api.Error
-// @Failure 404 {object} api.Error
-// @Failure 409 {object} api.Error
-// @Security ApiKeyAuth
-// @Router /api/v3/iam/group [post]
-func (h *IAMHandler) AddGroup(c echo.Context) error {
- ctxuser := util.DefaultContext(c, "user", "")
-
- if !h.iam.Enforce(ctxuser, "$none", "iam:/group", "write") {
- return api.Err(http.StatusForbidden, "Forbidden")
- }
-
- group := api.IAMGroup{}
-
- if err := util.ShouldBindJSON(c, &group); err != nil {
- return api.Err(http.StatusBadRequest, "Invalid JSON", "%s", err)
- }
-
- if h.iam.HasDomain(group.Name) {
- return api.Err(http.StatusConflict, "Conflict", "this group already exists")
- }
-
- if len(group.Admins) == 0 {
- return api.Err(http.StatusBadRequest, "Bad request", "at leas one admin must be defined")
- }
-
- for _, admin := range group.Admins {
- _, err := h.iam.GetIdentity(admin)
- if err != nil {
- return api.Err(http.StatusBadRequest, "Bad request", "the user %s doesn't exist", admin)
- }
- }
-
- for _, admin := range group.Admins {
- h.iam.AddPolicy(admin, group.Name, "api:/api/**", []string{"get", "options", "head"})
- h.iam.AddPolicy(admin, group.Name, "api:/api/v3/process", []string{"ANY"})
- h.iam.AddPolicy(admin, group.Name, "api:/api/v3/process/**", []string{"ANY"})
- h.iam.AddPolicy(admin, group.Name, "process:*", []string{"ANY"})
- h.iam.AddPolicy(admin, group.Name, "fs:/"+group.Name+"/**", []string{"ANY"})
- h.iam.AddPolicy(admin, group.Name, "fs:/memfs/"+group.Name+"/**", []string{"ANY"})
- h.iam.AddPolicy(admin, group.Name,
"rtmp:/"+group.Name+"/**", []string{"ANY"})
- h.iam.AddPolicy(admin, group.Name, "srt:"+group.Name+"/**", []string{"ANY"})
- h.iam.AddPolicy(admin, group.Name, "iam:/group/"+group.Name, []string{"ANY"})
- }
-
- return c.JSON(http.StatusOK, group)
-}
-
-// ListGroups lists all groups
-// @Summary List all groups
-// @Description List all groups
-// @Tags v16.?.?
-// @ID iam-3-list-groups
-// @Produce json
-// @Success 200 {array} string
-// @Failure 403 {object} api.Error
-// @Security ApiKeyAuth
-// @Router /api/v3/iam/group [get]
-func (h *IAMHandler) ListGroups(c echo.Context) error {
- ctxuser := util.DefaultContext(c, "user", "")
-
- if !h.iam.Enforce(ctxuser, "$none", "iam:/group", "read") {
- return api.Err(http.StatusForbidden, "Forbidden")
- }
-
- return c.JSON(http.StatusOK, h.iam.ListDomains())
-}
-
-// RemoveGroup removes a group
-// @Summary Remove a group
-// @Description Remove a group
-// @Tags v16.?.?
-// @ID iam-3-remove-group
-// @Produce json
-// @Param group path string true "group name"
-// @Success 200 {object} api.IAMGroup
-// @Failure 403 {object} api.Error
-// @Failure 404 {object} api.Error
-// @Security ApiKeyAuth
-// @Router /api/v3/iam/group/{group} [delete]
-func (h *IAMHandler) RemoveGroup(c echo.Context) error {
- ctxuser := util.DefaultContext(c, "user", "")
- group := util.PathParam(c, "group")
-
- if !h.iam.Enforce(ctxuser, group, "iam:/group/"+group, "admin") {
- return api.Err(http.StatusForbidden, "Forbidden", "only group admin can remove a group")
- }
-
- if !h.iam.HasDomain(group) {
- return api.Err(http.StatusNotFound, "Not found")
- }
-
- h.iam.RemovePolicy("", group, "", nil)
-
- return c.JSON(http.StatusOK, "OK")
-}
-
-// GetGroup returns details of a group
-// @Summary Get details of a group
-// @Description Get details of a group
-// @Tags v16.?.?
-// @ID iam-3-get-group
-// @Produce json
-// @Param group path string true "group name"
-// @Success 200 {object} api.IAMGroup
-// @Failure 403 {object} api.Error
-// @Failure 404 {object} api.Error
-// @Security ApiKeyAuth
-// @Router /api/v3/iam/group/{group} [get]
-func (h *IAMHandler) GetGroup(c echo.Context) error {
- ctxuser := util.DefaultContext(c, "user", "")
- group := util.PathParam(c, "group")
-
- if !h.iam.Enforce(ctxuser, group, "iam:/group/"+group, "read") {
- return api.Err(http.StatusForbidden, "Forbidden")
- }
-
- if !h.iam.HasDomain(group) {
- return api.Err(http.StatusNotFound, "Not found")
- }
-
- g := api.IAMGroup{
- Name: group,
- }
-
- admins := map[string]struct{}{}
-
- policies := h.iam.ListPolicies("", group, "iam:/group/"+g.Name, []string{"any"})
- for _, p := range policies {
- admins[p.Name] = struct{}{}
- }
-
- for name := range admins {
- g.Admins = append(g.Admins, name)
- }
-
- return c.JSON(http.StatusOK, g)
-}
-
-// ListGroupUsers lists all users of a group
-// @Summary List all users in a group
-// @Description List all users in a group
-// @Tags v16.?.?
-// @ID iam-3-get-group-users
-// @Produce json
-// @Param group path string true "group name"
-// @Success 200 {array} string
-// @Failure 403 {object} api.Error
-// @Failure 404 {object} api.Error
-// @Security ApiKeyAuth
-// @Router /api/v3/iam/group/{group}/user [get]
-func (h *IAMHandler) ListGroupUsers(c echo.Context) error {
- ctxuser := util.DefaultContext(c, "user", "")
- group := util.PathParam(c, "group")
-
- if !h.iam.Enforce(ctxuser, group, "iam:/group/"+group, "read") {
- return api.Err(http.StatusForbidden, "Forbidden")
- }
-
- if !h.iam.HasDomain(group) {
- return api.Err(http.StatusNotFound, "Not found")
- }
-
- members := map[string]struct{}{}
-
- policies := h.iam.ListPolicies("", group, "", nil)
- for _, p := range policies {
- members[p.Name] = struct{}{}
- }
-
- list := []string{}
-
- for name := range members {
- list = append(list, name)
- }
-
- return c.JSON(http.StatusOK, list)
-}
-
-// AddGroupUser adds an user to a group
-// @Summary Add an user to a group
-// @Description Add an user to a group
-// @Tags v16.?.?
-// @ID iam-3-add-group-user
-// @Produce json
-// @Param group path string true "group name"
-// @Param config body api.IAMGroupUser true "User to add"
-// @Success 200 {array} string
-// @Failure 400 {object} api.Error
-// @Failure 403 {object} api.Error
-// @Failure 404 {object} api.Error
-// @Failure 409 {object} api.Error
-// @Security ApiKeyAuth
-// @Router /api/v3/iam/group/{group}/user [post]
-func (h *IAMHandler) AddGroupUser(c echo.Context) error {
- ctxuser := util.DefaultContext(c, "user", "")
- group := util.PathParam(c, "group")
-
- if !h.iam.Enforce(ctxuser, group, "iam:/group/"+group, "write") {
- return api.Err(http.StatusForbidden, "Forbidden")
- }
-
- if !h.iam.HasDomain(group) {
- return api.Err(http.StatusNotFound, "Not found", "this group doesn't exists")
- }
-
- user := api.IAMGroupUser{}
-
- if err := util.ShouldBindJSON(c, &user); err != nil {
- return api.Err(http.StatusBadRequest, "Invalid JSON", "%s", err)
- }
-
- policies := h.iam.ListPolicies(user.Name, group, "", nil)
- if len(policies) != 0 {
- return api.Err(http.StatusConflict, "Conflict", "this user is already in the group")
- }
-
- // Check if admin and add admin rights if required
- if user.Admin {
- if !h.iam.Enforce(ctxuser, group, "iam:/group/"+group, "admin") {
- return api.Err(http.StatusForbidden, "Forbidden", "you can't add admins to this group")
- }
-
- h.iam.AddPolicy(user.Name, group, "iam:/group/"+group, []string{"ANY"})
- }
-
- for _, p := range user.Policies {
- if p.Domain != group {
- continue
- }
-
- h.iam.AddPolicy(user.Name, group, p.Resource, p.Actions)
- }
-
- return c.JSON(http.StatusOK, "OK")
-}
-
-// GetGroupUser returns the details of a user in a group
-// @Summary Get the details of a user in a group
-// @Description Get the details of a user in a group
-// @Tags v16.?.?
-// @ID iam-3-get-group-user
-// @Produce json
-// @Param group path string true "group name"
-// @Param name path string true "user name"
-// @Success 200 {array} string
-// @Failure 403 {object} api.Error
-// @Failure 404 {object} api.Error
-// @Security ApiKeyAuth
-// @Router /api/v3/iam/group/{group}/user/{name} [get]
-func (h *IAMHandler) GetGroupUser(c echo.Context) error {
- ctxuser := util.DefaultContext(c, "user", "")
- group := util.PathParam(c, "group")
- name := util.PathParam(c, "name")
-
- if !h.iam.Enforce(ctxuser, group, "iam:/group/"+group, "read") {
- return api.Err(http.StatusForbidden, "Forbidden")
- }
-
- if !h.iam.HasDomain(group) {
- return api.Err(http.StatusNotFound, "Not found")
- }
-
- policies := h.iam.ListPolicies(name, group, "", nil)
- if len(policies) == 0 {
- return api.Err(http.StatusNotFound, "Not found")
- }
-
- user := api.IAMGroupUser{
- Name: name,
- Admin: h.iam.HasPolicy(name, group, "iam:/group/"+group, []string{"any"}),
- }
-
- for _, p := range policies {
- user.Policies = append(user.Policies, api.IAMPolicy{
- Domain: group,
- Resource: p.Resource,
- Actions: p.Actions,
- })
- }
-
- return c.JSON(http.StatusOK, user)
-}
-
-// UpdateGroupUser sets the policies of a user in a group
-// @Summary Set the policies of a user in a group
-// @Description Set the policies of a user in a group
-// @Tags v16.?.?
-// @ID iam-3-update-group-user
-// @Produce json
-// @Param group path string true "group name"
-// @Param name path string true "user name"
-// @Param config body api.IAMPolicy true "User to add"
-// @Success 200 {array} string
-// @Failure 400 {object} api.Error
-// @Failure 403 {object} api.Error
-// @Security ApiKeyAuth
-// @Router /api/v3/iam/group/{group}/user/{name} [put]
-func (h *IAMHandler) UpdateGroupUser(c echo.Context) error {
- ctxuser := util.DefaultContext(c, "user", "")
- group := util.PathParam(c, "group")
- //name := util.PathParam(c, "name")
-
- if !h.iam.Enforce(ctxuser, group, "iam:/group/"+group, "write") {
- return api.Err(http.StatusForbidden, "Forbidden")
- }
-
- policies := []api.IAMPolicy{}
-
- if err := util.ShouldBindJSON(c, &policies); err != nil {
- return api.Err(http.StatusBadRequest, "Invalid JSON", "%s", err)
- }
-
- return c.JSON(http.StatusOK, "OK")
-}
-
-// RemoveGroupUser removes a user from a group
-// @Summary Remove a user from a group
-// @Description Remove a user from a group
-// @Tags v16.?.?
-// @ID iam-3-remove-group-user
-// @Produce json
-// @Param group path string true "group name"
-// @Param name path string true "user name"
-// @Success 200 {array} string
-// @Failure 400 {object} api.Error
-// @Failure 403 {object} api.Error
-// @Security ApiKeyAuth
-// @Router /api/v3/iam/group/{group}/user/{name} [delete]
-func (h *IAMHandler) RemoveGroupUser(c echo.Context) error {
- ctxuser := util.DefaultContext(c, "user", "")
- group := util.PathParam(c, "group")
- name := util.PathParam(c, "name")
-
- if !h.iam.Enforce(ctxuser, group, "iam:/group/"+group, "write") {
- return api.Err(http.StatusForbidden, "Forbidden")
- }
-
- // Check if the user to be deleted is an admin. If yes, you have to be an admin too.
- if h.iam.HasPolicy(name, group, "iam:/group/"+group, []string{"any"}) {
- if !h.iam.Enforce(ctxuser, group, "iam:/group/"+group, "admin") {
- return api.Err(http.StatusForbidden, "Forbidden")
- }
- }
-
- if len(h.iam.ListPolicies(name, group, "", nil)) == 0 {
- return api.Err(http.StatusNotFound, "Not found")
- }
-
- h.iam.RemovePolicy(name, group, "", nil)
-
- return c.JSON(http.StatusOK, "OK")
-}