apps/core
1
0
Fork 0
mirror of https://github.com/datarhei/core.git synced 2025-10-05 07:57:13 +08:00
Code Issues Packages Projects Releases Wiki Activity

Remove IAM group semantics

Browse Source
This commit is contained in:
Ingo Oppermann
2023-05-23 16:05:04 +02:00
parent ccac2ffd5d
commit 7a1eb1251b
5 changed files with 6 additions and 1735 deletions
Download Patch File Download Diff File Expand all files Collapse all files

512
docs/docs.go
View File

@@ -483,487 +483,6 @@ const docTemplate = `{
} }
} }
}, },
"/api/v3/iam/group": {
"get": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "List all groups",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "List all groups",
"operationId": "iam-3-list-groups",
"responses": {
"200": {
"description": "OK",
"schema": {
"type": "array",
"items": {
"type": "string"
}
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
},
"post": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "Create a group with admins",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "Create a group with admins",
"operationId": "iam-3-add-group",
"parameters": [
{
"description": "Group to add",
"name": "config",
"in": "body",
"required": true,
"schema": {
"$ref": "#/definitions/api.IAMGroup"
}
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"$ref": "#/definitions/api.IAMGroup"
}
},
"400": {
"description": "Bad Request",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"404": {
"description": "Not Found",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"409": {
"description": "Conflict",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
}
},
"/api/v3/iam/group/{group}": {
"get": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "Get details of a group",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "Get details of a group",
"operationId": "iam-3-get-group",
"parameters": [
{
"type": "string",
"description": "group name",
"name": "group",
"in": "path",
"required": true
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"$ref": "#/definitions/api.IAMGroup"
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"404": {
"description": "Not Found",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
},
"delete": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "Remove a group",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "Remove a group",
"operationId": "iam-3-remove-group",
"parameters": [
{
"type": "string",
"description": "group name",
"name": "group",
"in": "path",
"required": true
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"$ref": "#/definitions/api.IAMGroup"
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"404": {
"description": "Not Found",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
}
},
"/api/v3/iam/group/{group}/user": {
"get": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "List all users in a group",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "List all users in a group",
"operationId": "iam-3-get-group-users",
"parameters": [
{
"type": "string",
"description": "group name",
"name": "group",
"in": "path",
"required": true
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"type": "array",
"items": {
"type": "string"
}
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"404": {
"description": "Not Found",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
},
"post": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "Add an user to a group",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "Add an user to a group",
"operationId": "iam-3-add-group-user",
"parameters": [
{
"type": "string",
"description": "group name",
"name": "group",
"in": "path",
"required": true
},
{
"description": "User to add",
"name": "config",
"in": "body",
"required": true,
"schema": {
"$ref": "#/definitions/api.IAMGroupUser"
}
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"type": "array",
"items": {
"type": "string"
}
}
},
"400": {
"description": "Bad Request",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"404": {
"description": "Not Found",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"409": {
"description": "Conflict",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
}
},
"/api/v3/iam/group/{group}/user/{name}": {
"get": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "Get the details of a user in a group",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "Get the details of a user in a group",
"operationId": "iam-3-get-group-user",
"parameters": [
{
"type": "string",
"description": "group name",
"name": "group",
"in": "path",
"required": true
},
{
"type": "string",
"description": "user name",
"name": "name",
"in": "path",
"required": true
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"type": "array",
"items": {
"type": "string"
}
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"404": {
"description": "Not Found",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
},
"put": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "Set the policies of a user in a group",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "Set the policies of a user in a group",
"operationId": "iam-3-update-group-user",
"parameters": [
{
"type": "string",
"description": "group name",
"name": "group",
"in": "path",
"required": true
},
{
"type": "string",
"description": "user name",
"name": "name",
"in": "path",
"required": true
},
{
"description": "User to add",
"name": "config",
"in": "body",
"required": true,
"schema": {
"$ref": "#/definitions/api.IAMPolicy"
}
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"type": "array",
"items": {
"type": "string"
}
}
},
"400": {
"description": "Bad Request",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
},
"delete": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "Remove a user from a group",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "Remove a user from a group",
"operationId": "iam-3-remove-group-user",
"parameters": [
{
"type": "string",
"description": "group name",
"name": "group",
"in": "path",
"required": true
},
{
"type": "string",
"description": "user name",
"name": "name",
"in": "path",
"required": true
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"type": "array",
"items": {
"type": "string"
}
}
},
"400": {
"description": "Bad Request",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
}
},
"/api/v3/iam/user": { "/api/v3/iam/user": {
"post": { "post": {
"security": [ "security": [
@@ -3424,37 +2943,6 @@ const docTemplate = `{
} }
} }
}, },
"api.IAMGroup": {
"type": "object",
"properties": {
"admins": {
"type": "array",
"items": {
"type": "string"
}
},
"name": {
"type": "string"
}
}
},
"api.IAMGroupUser": {
"type": "object",
"properties": {
"admin": {
"type": "boolean"
},
"name": {
"type": "string"
},
"policies": {
"type": "array",
"items": {
"$ref": "#/definitions/api.IAMPolicy"
}
}
}
},
"api.IAMPolicy": { "api.IAMPolicy": {
"type": "object", "type": "object",
"properties": { "properties": {

512
docs/swagger.json
View File

@@ -476,487 +476,6 @@
} }
} }
}, },
"/api/v3/iam/group": {
"get": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "List all groups",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "List all groups",
"operationId": "iam-3-list-groups",
"responses": {
"200": {
"description": "OK",
"schema": {
"type": "array",
"items": {
"type": "string"
}
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
},
"post": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "Create a group with admins",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "Create a group with admins",
"operationId": "iam-3-add-group",
"parameters": [
{
"description": "Group to add",
"name": "config",
"in": "body",
"required": true,
"schema": {
"$ref": "#/definitions/api.IAMGroup"
}
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"$ref": "#/definitions/api.IAMGroup"
}
},
"400": {
"description": "Bad Request",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"404": {
"description": "Not Found",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"409": {
"description": "Conflict",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
}
},
"/api/v3/iam/group/{group}": {
"get": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "Get details of a group",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "Get details of a group",
"operationId": "iam-3-get-group",
"parameters": [
{
"type": "string",
"description": "group name",
"name": "group",
"in": "path",
"required": true
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"$ref": "#/definitions/api.IAMGroup"
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"404": {
"description": "Not Found",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
},
"delete": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "Remove a group",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "Remove a group",
"operationId": "iam-3-remove-group",
"parameters": [
{
"type": "string",
"description": "group name",
"name": "group",
"in": "path",
"required": true
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"$ref": "#/definitions/api.IAMGroup"
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"404": {
"description": "Not Found",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
}
},
"/api/v3/iam/group/{group}/user": {
"get": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "List all users in a group",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "List all users in a group",
"operationId": "iam-3-get-group-users",
"parameters": [
{
"type": "string",
"description": "group name",
"name": "group",
"in": "path",
"required": true
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"type": "array",
"items": {
"type": "string"
}
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"404": {
"description": "Not Found",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
},
"post": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "Add an user to a group",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "Add an user to a group",
"operationId": "iam-3-add-group-user",
"parameters": [
{
"type": "string",
"description": "group name",
"name": "group",
"in": "path",
"required": true
},
{
"description": "User to add",
"name": "config",
"in": "body",
"required": true,
"schema": {
"$ref": "#/definitions/api.IAMGroupUser"
}
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"type": "array",
"items": {
"type": "string"
}
}
},
"400": {
"description": "Bad Request",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"404": {
"description": "Not Found",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"409": {
"description": "Conflict",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
}
},
"/api/v3/iam/group/{group}/user/{name}": {
"get": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "Get the details of a user in a group",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "Get the details of a user in a group",
"operationId": "iam-3-get-group-user",
"parameters": [
{
"type": "string",
"description": "group name",
"name": "group",
"in": "path",
"required": true
},
{
"type": "string",
"description": "user name",
"name": "name",
"in": "path",
"required": true
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"type": "array",
"items": {
"type": "string"
}
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"404": {
"description": "Not Found",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
},
"put": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "Set the policies of a user in a group",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "Set the policies of a user in a group",
"operationId": "iam-3-update-group-user",
"parameters": [
{
"type": "string",
"description": "group name",
"name": "group",
"in": "path",
"required": true
},
{
"type": "string",
"description": "user name",
"name": "name",
"in": "path",
"required": true
},
{
"description": "User to add",
"name": "config",
"in": "body",
"required": true,
"schema": {
"$ref": "#/definitions/api.IAMPolicy"
}
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"type": "array",
"items": {
"type": "string"
}
}
},
"400": {
"description": "Bad Request",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
},
"delete": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "Remove a user from a group",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "Remove a user from a group",
"operationId": "iam-3-remove-group-user",
"parameters": [
{
"type": "string",
"description": "group name",
"name": "group",
"in": "path",
"required": true
},
{
"type": "string",
"description": "user name",
"name": "name",
"in": "path",
"required": true
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"type": "array",
"items": {
"type": "string"
}
}
},
"400": {
"description": "Bad Request",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
}
},
"/api/v3/iam/user": { "/api/v3/iam/user": {
"post": { "post": {
"security": [ "security": [
@@ -3417,37 +2936,6 @@
} }
} }
}, },
"api.IAMGroup": {
"type": "object",
"properties": {
"admins": {
"type": "array",
"items": {
"type": "string"
}
},
"name": {
"type": "string"
}
}
},
"api.IAMGroupUser": {
"type": "object",
"properties": {
"admin": {
"type": "boolean"
},
"name": {
"type": "string"
},
"policies": {
"type": "array",
"items": {
"$ref": "#/definitions/api.IAMPolicy"
}
}
}
},
"api.IAMPolicy": { "api.IAMPolicy": {
"type": "object", "type": "object",
"properties": { "properties": {

331
docs/swagger.yaml
View File

@@ -481,26 +481,6 @@ definitions:
domain: domain:
type: string type: string
type: object type: object
api.IAMGroup:
properties:
admins:
items:
type: string
type: array
name:
type: string
type: object
api.IAMGroupUser:
properties:
admin:
type: boolean
name:
type: string
policies:
items:
$ref: '#/definitions/api.IAMPolicy'
type: array
type: object
api.IAMPolicy: api.IAMPolicy:
properties: properties:
actions: actions:
@@ -2322,317 +2302,6 @@ paths:
summary: Add a file to a filesystem summary: Add a file to a filesystem
tags: tags:
- v16.7.2 - v16.7.2
/api/v3/iam/group:
get:
description: List all groups
operationId: iam-3-list-groups
produces:
- application/json
responses:
"200":
description: OK
schema:
items:
type: string
type: array
"403":
description: Forbidden
schema:
$ref: '#/definitions/api.Error'
security:
- ApiKeyAuth: []
summary: List all groups
tags:
- v16.?.?
post:
description: Create a group with admins
operationId: iam-3-add-group
parameters:
- description: Group to add
in: body
name: config
required: true
schema:
$ref: '#/definitions/api.IAMGroup'
produces:
- application/json
responses:
"200":
description: OK
schema:
$ref: '#/definitions/api.IAMGroup'
"400":
description: Bad Request
schema:
$ref: '#/definitions/api.Error'
"403":
description: Forbidden
schema:
$ref: '#/definitions/api.Error'
"404":
description: Not Found
schema:
$ref: '#/definitions/api.Error'
"409":
description: Conflict
schema:
$ref: '#/definitions/api.Error'
security:
- ApiKeyAuth: []
summary: Create a group with admins
tags:
- v16.?.?
/api/v3/iam/group/{group}:
delete:
description: Remove a group
operationId: iam-3-remove-group
parameters:
- description: group name
in: path
name: group
required: true
type: string
produces:
- application/json
responses:
"200":
description: OK
schema:
$ref: '#/definitions/api.IAMGroup'
"403":
description: Forbidden
schema:
$ref: '#/definitions/api.Error'
"404":
description: Not Found
schema:
$ref: '#/definitions/api.Error'
security:
- ApiKeyAuth: []
summary: Remove a group
tags:
- v16.?.?
get:
description: Get details of a group
operationId: iam-3-get-group
parameters:
- description: group name
in: path
name: group
required: true
type: string
produces:
- application/json
responses:
"200":
description: OK
schema:
$ref: '#/definitions/api.IAMGroup'
"403":
description: Forbidden
schema:
$ref: '#/definitions/api.Error'
"404":
description: Not Found
schema:
$ref: '#/definitions/api.Error'
security:
- ApiKeyAuth: []
summary: Get details of a group
tags:
- v16.?.?
/api/v3/iam/group/{group}/user:
get:
description: List all users in a group
operationId: iam-3-get-group-users
parameters:
- description: group name
in: path
name: group
required: true
type: string
produces:
- application/json
responses:
"200":
description: OK
schema:
items:
type: string
type: array
"403":
description: Forbidden
schema:
$ref: '#/definitions/api.Error'
"404":
description: Not Found
schema:
$ref: '#/definitions/api.Error'
security:
- ApiKeyAuth: []
summary: List all users in a group
tags:
- v16.?.?
post:
description: Add an user to a group
operationId: iam-3-add-group-user
parameters:
- description: group name
in: path
name: group
required: true
type: string
- description: User to add
in: body
name: config
required: true
schema:
$ref: '#/definitions/api.IAMGroupUser'
produces:
- application/json
responses:
"200":
description: OK
schema:
items:
type: string
type: array
"400":
description: Bad Request
schema:
$ref: '#/definitions/api.Error'
"403":
description: Forbidden
schema:
$ref: '#/definitions/api.Error'
"404":
description: Not Found
schema:
$ref: '#/definitions/api.Error'
"409":
description: Conflict
schema:
$ref: '#/definitions/api.Error'
security:
- ApiKeyAuth: []
summary: Add an user to a group
tags:
- v16.?.?
/api/v3/iam/group/{group}/user/{name}:
delete:
description: Remove a user from a group
operationId: iam-3-remove-group-user
parameters:
- description: group name
in: path
name: group
required: true
type: string
- description: user name
in: path
name: name
required: true
type: string
produces:
- application/json
responses:
"200":
description: OK
schema:
items:
type: string
type: array
"400":
description: Bad Request
schema:
$ref: '#/definitions/api.Error'
"403":
description: Forbidden
schema:
$ref: '#/definitions/api.Error'
security:
- ApiKeyAuth: []
summary: Remove a user from a group
tags:
- v16.?.?
get:
description: Get the details of a user in a group
operationId: iam-3-get-group-user
parameters:
- description: group name
in: path
name: group
required: true
type: string
- description: user name
in: path
name: name
required: true
type: string
produces:
- application/json
responses:
"200":
description: OK
schema:
items:
type: string
type: array
"403":
description: Forbidden
schema:
$ref: '#/definitions/api.Error'
"404":
description: Not Found
schema:
$ref: '#/definitions/api.Error'
security:
- ApiKeyAuth: []
summary: Get the details of a user in a group
tags:
- v16.?.?
put:
description: Set the policies of a user in a group
operationId: iam-3-update-group-user
parameters:
- description: group name
in: path
name: group
required: true
type: string
- description: user name
in: path
name: name
required: true
type: string
- description: User to add
in: body
name: config
required: true
schema:
$ref: '#/definitions/api.IAMPolicy'
produces:
- application/json
responses:
"200":
description: OK
schema:
items:
type: string
type: array
"400":
description: Bad Request
schema:
$ref: '#/definitions/api.Error'
"403":
description: Forbidden
schema:
$ref: '#/definitions/api.Error'
security:
- ApiKeyAuth: []
summary: Set the policies of a user in a group
tags:
- v16.?.?
/api/v3/iam/user: /api/v3/iam/user:
post: post:
consumes: consumes:

11
http/api/iam.go
View File

@@ -123,14 +123,3 @@ type IAMPolicy struct {
Resource string `json:"resource"` Resource string `json:"resource"`
Actions []string `json:"actions"` Actions []string `json:"actions"`
} }
type IAMGroup struct {
Name string `json:"name"`
Admins []string `json:"admins"`
}
type IAMGroupUser struct {
Name string `json:"name"`
Admin bool `json:"admin"`
Policies []IAMPolicy `json:"policies"`
}

375
http/handler/api/iam.go
View File

@@ -48,7 +48,7 @@ func (h *IAMHandler) AddUser(c echo.Context) error {
iamuser, iampolicies := user.Unmarshal() iamuser, iampolicies := user.Unmarshal()
if !h.iam.Enforce(ctxuser, domain, "iam:"+iamuser.Name, "write") { if !h.iam.Enforce(ctxuser, domain, "iam:"+iamuser.Name, "write") {
return api.Err(http.StatusForbidden, "Forbidden") return api.Err(http.StatusForbidden, "Forbidden", "Not allowed to create user '%s'", iamuser.Name)
} }
for _, p := range iampolicies { for _, p := range iampolicies {
@@ -98,7 +98,7 @@ func (h *IAMHandler) RemoveUser(c echo.Context) error {
name := util.PathParam(c, "name") name := util.PathParam(c, "name")
if !h.iam.Enforce(ctxuser, domain, "iam:"+name, "write") { if !h.iam.Enforce(ctxuser, domain, "iam:"+name, "write") {
return api.Err(http.StatusForbidden, "Forbidden") return api.Err(http.StatusForbidden, "Forbidden", "Not allowed to delete this user")
} }
iamuser, err := h.iam.GetIdentity(name) iamuser, err := h.iam.GetIdentity(name)
@@ -150,7 +150,7 @@ func (h *IAMHandler) UpdateUser(c echo.Context) error {
name := util.PathParam(c, "name") name := util.PathParam(c, "name")
if !h.iam.Enforce(ctxuser, domain, "iam:"+name, "write") { if !h.iam.Enforce(ctxuser, domain, "iam:"+name, "write") {
return api.Err(http.StatusForbidden, "Forbidden") return api.Err(http.StatusForbidden, "Forbidden", "Not allowed to modify this user")
} }
var iamuser iam.User var iamuser iam.User
@@ -179,7 +179,7 @@ func (h *IAMHandler) UpdateUser(c echo.Context) error {
iamuser, iampolicies = user.Unmarshal() iamuser, iampolicies = user.Unmarshal()
if !h.iam.Enforce(ctxuser, domain, "iam:"+iamuser.Name, "write") { if !h.iam.Enforce(ctxuser, domain, "iam:"+iamuser.Name, "write") {
return api.Err(http.StatusForbidden, "Forbidden") return api.Err(http.StatusForbidden, "Forbidden", "Not allowed to create user '%s'", iamuser.Name)
} }
for _, p := range iampolicies { for _, p := range iampolicies {
@@ -236,7 +236,7 @@ func (h *IAMHandler) UpdateUserPolicies(c echo.Context) error {
name := util.PathParam(c, "name") name := util.PathParam(c, "name")
if !h.iam.Enforce(ctxuser, domain, "iam:"+name, "write") { if !h.iam.Enforce(ctxuser, domain, "iam:"+name, "write") {
return api.Err(http.StatusForbidden, "Forbidden") return api.Err(http.StatusForbidden, "Forbidden", "Not allowed to modify this user")
} }
var iamuser iam.User var iamuser iam.User
@@ -297,7 +297,7 @@ func (h *IAMHandler) GetUser(c echo.Context) error {
name := util.PathParam(c, "name") name := util.PathParam(c, "name")
if !h.iam.Enforce(ctxuser, domain, "iam:"+name, "read") { if !h.iam.Enforce(ctxuser, domain, "iam:"+name, "read") {
return api.Err(http.StatusForbidden, "Forbidden") return api.Err(http.StatusForbidden, "Forbidden", "Not allowed to access this user")
} }
var iamuser iam.User var iamuser iam.User
@@ -329,366 +329,3 @@ func (h *IAMHandler) GetUser(c echo.Context) error {
return c.JSON(http.StatusOK, user) return c.JSON(http.StatusOK, user)
} }
// AddGroup creates a group with admins
// @Summary Create a group with admins
// @Description Create a group with admins
// @Tags v16.?.?
// @ID iam-3-add-group
// @Produce json
// @Param config body api.IAMGroup true "Group to add"
// @Success 200 {object} api.IAMGroup
// @Failure 400 {object} api.Error
// @Failure 403 {object} api.Error
// @Failure 404 {object} api.Error
// @Failure 409 {object} api.Error
// @Security ApiKeyAuth
// @Router /api/v3/iam/group [post]
func (h *IAMHandler) AddGroup(c echo.Context) error {
ctxuser := util.DefaultContext(c, "user", "")
if !h.iam.Enforce(ctxuser, "$none", "iam:/group", "write") {
return api.Err(http.StatusForbidden, "Forbidden")
}
group := api.IAMGroup{}
if err := util.ShouldBindJSON(c, &group); err != nil {
return api.Err(http.StatusBadRequest, "Invalid JSON", "%s", err)
}
if h.iam.HasDomain(group.Name) {
return api.Err(http.StatusConflict, "Conflict", "this group already exists")
}
if len(group.Admins) == 0 {
return api.Err(http.StatusBadRequest, "Bad request", "at leas one admin must be defined")
}
for _, admin := range group.Admins {
_, err := h.iam.GetIdentity(admin)
if err != nil {
return api.Err(http.StatusBadRequest, "Bad request", "the user %s doesn't exist", admin)
}
}
for _, admin := range group.Admins {
h.iam.AddPolicy(admin, group.Name, "api:/api/**", []string{"get", "options", "head"})
h.iam.AddPolicy(admin, group.Name, "api:/api/v3/process", []string{"ANY"})
h.iam.AddPolicy(admin, group.Name, "api:/api/v3/process/**", []string{"ANY"})
h.iam.AddPolicy(admin, group.Name, "process:*", []string{"ANY"})
h.iam.AddPolicy(admin, group.Name, "fs:/"+group.Name+"/**", []string{"ANY"})
h.iam.AddPolicy(admin, group.Name, "fs:/memfs/"+group.Name+"/**", []string{"ANY"})
h.iam.AddPolicy(admin, group.Name, "rtmp:/"+group.Name+"/**", []string{"ANY"})
h.iam.AddPolicy(admin, group.Name, "srt:"+group.Name+"/**", []string{"ANY"})
h.iam.AddPolicy(admin, group.Name, "iam:/group/"+group.Name, []string{"ANY"})
}
return c.JSON(http.StatusOK, group)
}
// ListGroups lists all groups
// @Summary List all groups
// @Description List all groups
// @Tags v16.?.?
// @ID iam-3-list-groups
// @Produce json
// @Success 200 {array} string
// @Failure 403 {object} api.Error
// @Security ApiKeyAuth
// @Router /api/v3/iam/group [get]
func (h *IAMHandler) ListGroups(c echo.Context) error {
ctxuser := util.DefaultContext(c, "user", "")
if !h.iam.Enforce(ctxuser, "$none", "iam:/group", "read") {
return api.Err(http.StatusForbidden, "Forbidden")
}
return c.JSON(http.StatusOK, h.iam.ListDomains())
}
// RemoveGroup removes a group
// @Summary Remove a group
// @Description Remove a group
// @Tags v16.?.?
// @ID iam-3-remove-group
// @Produce json
// @Param group path string true "group name"
// @Success 200 {object} api.IAMGroup
// @Failure 403 {object} api.Error
// @Failure 404 {object} api.Error
// @Security ApiKeyAuth
// @Router /api/v3/iam/group/{group} [delete]
func (h *IAMHandler) RemoveGroup(c echo.Context) error {
ctxuser := util.DefaultContext(c, "user", "")
group := util.PathParam(c, "group")
if !h.iam.Enforce(ctxuser, group, "iam:/group/"+group, "admin") {
return api.Err(http.StatusForbidden, "Forbidden", "only group admin can remove a group")
}
if !h.iam.HasDomain(group) {
return api.Err(http.StatusNotFound, "Not found")
}
h.iam.RemovePolicy("", group, "", nil)
return c.JSON(http.StatusOK, "OK")
}
// GetGroup returns details of a group
// @Summary Get details of a group
// @Description Get details of a group
// @Tags v16.?.?
// @ID iam-3-get-group
// @Produce json
// @Param group path string true "group name"
// @Success 200 {object} api.IAMGroup
// @Failure 403 {object} api.Error
// @Failure 404 {object} api.Error
// @Security ApiKeyAuth
// @Router /api/v3/iam/group/{group} [get]
func (h *IAMHandler) GetGroup(c echo.Context) error {
ctxuser := util.DefaultContext(c, "user", "")
group := util.PathParam(c, "group")
if !h.iam.Enforce(ctxuser, group, "iam:/group/"+group, "read") {
return api.Err(http.StatusForbidden, "Forbidden")
}
if !h.iam.HasDomain(group) {
return api.Err(http.StatusNotFound, "Not found")
}
g := api.IAMGroup{
Name: group,
}
admins := map[string]struct{}{}
policies := h.iam.ListPolicies("", group, "iam:/group/"+g.Name, []string{"any"})
for _, p := range policies {
admins[p.Name] = struct{}{}
}
for name := range admins {
g.Admins = append(g.Admins, name)
}
return c.JSON(http.StatusOK, g)
}
// ListGroupUsers lists all users of a group
// @Summary List all users in a group
// @Description List all users in a group
// @Tags v16.?.?
// @ID iam-3-get-group-users
// @Produce json
// @Param group path string true "group name"
// @Success 200 {array} string
// @Failure 403 {object} api.Error
// @Failure 404 {object} api.Error
// @Security ApiKeyAuth
// @Router /api/v3/iam/group/{group}/user [get]
func (h *IAMHandler) ListGroupUsers(c echo.Context) error {
ctxuser := util.DefaultContext(c, "user", "")
group := util.PathParam(c, "group")
if !h.iam.Enforce(ctxuser, group, "iam:/group/"+group, "read") {
return api.Err(http.StatusForbidden, "Forbidden")
}
if !h.iam.HasDomain(group) {
return api.Err(http.StatusNotFound, "Not found")
}
members := map[string]struct{}{}
policies := h.iam.ListPolicies("", group, "", nil)
for _, p := range policies {
members[p.Name] = struct{}{}
}
list := []string{}
for name := range members {
list = append(list, name)
}
return c.JSON(http.StatusOK, list)
}
// AddGroupUser adds an user to a group
// @Summary Add an user to a group
// @Description Add an user to a group
// @Tags v16.?.?
// @ID iam-3-add-group-user
// @Produce json
// @Param group path string true "group name"
// @Param config body api.IAMGroupUser true "User to add"
// @Success 200 {array} string
// @Failure 400 {object} api.Error
// @Failure 403 {object} api.Error
// @Failure 404 {object} api.Error
// @Failure 409 {object} api.Error
// @Security ApiKeyAuth
// @Router /api/v3/iam/group/{group}/user [post]
func (h *IAMHandler) AddGroupUser(c echo.Context) error {
ctxuser := util.DefaultContext(c, "user", "")
group := util.PathParam(c, "group")
if !h.iam.Enforce(ctxuser, group, "iam:/group/"+group, "write") {
return api.Err(http.StatusForbidden, "Forbidden")
}
if !h.iam.HasDomain(group) {
return api.Err(http.StatusNotFound, "Not found", "this group doesn't exists")
}
user := api.IAMGroupUser{}
if err := util.ShouldBindJSON(c, &user); err != nil {
return api.Err(http.StatusBadRequest, "Invalid JSON", "%s", err)
}
policies := h.iam.ListPolicies(user.Name, group, "", nil)
if len(policies) != 0 {
return api.Err(http.StatusConflict, "Conflict", "this user is already in the group")
}
// Check if admin and add admin rights if required
if user.Admin {
if !h.iam.Enforce(ctxuser, group, "iam:/group/"+group, "admin") {
return api.Err(http.StatusForbidden, "Forbidden", "you can't add admins to this group")
}
h.iam.AddPolicy(user.Name, group, "iam:/group/"+group, []string{"ANY"})
}
for _, p := range user.Policies {
if p.Domain != group {
continue
}
h.iam.AddPolicy(user.Name, group, p.Resource, p.Actions)
}
return c.JSON(http.StatusOK, "OK")
}
// GetGroupUser returns the details of a user in a group
// @Summary Get the details of a user in a group
// @Description Get the details of a user in a group
// @Tags v16.?.?
// @ID iam-3-get-group-user
// @Produce json
// @Param group path string true "group name"
// @Param name path string true "user name"
// @Success 200 {array} string
// @Failure 403 {object} api.Error
// @Failure 404 {object} api.Error
// @Security ApiKeyAuth
// @Router /api/v3/iam/group/{group}/user/{name} [get]
func (h *IAMHandler) GetGroupUser(c echo.Context) error {
ctxuser := util.DefaultContext(c, "user", "")
group := util.PathParam(c, "group")
name := util.PathParam(c, "name")
if !h.iam.Enforce(ctxuser, group, "iam:/group/"+group, "read") {
return api.Err(http.StatusForbidden, "Forbidden")
}
if !h.iam.HasDomain(group) {
return api.Err(http.StatusNotFound, "Not found")
}
policies := h.iam.ListPolicies(name, group, "", nil)
if len(policies) == 0 {
return api.Err(http.StatusNotFound, "Not found")
}
user := api.IAMGroupUser{
Name: name,
Admin: h.iam.HasPolicy(name, group, "iam:/group/"+group, []string{"any"}),
}
for _, p := range policies {
user.Policies = append(user.Policies, api.IAMPolicy{
Domain: group,
Resource: p.Resource,
Actions: p.Actions,
})
}
return c.JSON(http.StatusOK, user)
}
// UpdateGroupUser sets the policies of a user in a group
// @Summary Set the policies of a user in a group
// @Description Set the policies of a user in a group
// @Tags v16.?.?
// @ID iam-3-update-group-user
// @Produce json
// @Param group path string true "group name"
// @Param name path string true "user name"
// @Param config body api.IAMPolicy true "User to add"
// @Success 200 {array} string
// @Failure 400 {object} api.Error
// @Failure 403 {object} api.Error
// @Security ApiKeyAuth
// @Router /api/v3/iam/group/{group}/user/{name} [put]
func (h *IAMHandler) UpdateGroupUser(c echo.Context) error {
ctxuser := util.DefaultContext(c, "user", "")
group := util.PathParam(c, "group")
//name := util.PathParam(c, "name")
if !h.iam.Enforce(ctxuser, group, "iam:/group/"+group, "write") {
return api.Err(http.StatusForbidden, "Forbidden")
}
policies := []api.IAMPolicy{}
if err := util.ShouldBindJSON(c, &policies); err != nil {
return api.Err(http.StatusBadRequest, "Invalid JSON", "%s", err)
}
return c.JSON(http.StatusOK, "OK")
}
// RemoveGroupUser removes a user from a group
// @Summary Remove a user from a group
// @Description Remove a user from a group
// @Tags v16.?.?
// @ID iam-3-remove-group-user
// @Produce json
// @Param group path string true "group name"
// @Param name path string true "user name"
// @Success 200 {array} string
// @Failure 400 {object} api.Error
// @Failure 403 {object} api.Error
// @Security ApiKeyAuth
// @Router /api/v3/iam/group/{group}/user/{name} [delete]
func (h *IAMHandler) RemoveGroupUser(c echo.Context) error {
ctxuser := util.DefaultContext(c, "user", "")
group := util.PathParam(c, "group")
name := util.PathParam(c, "name")
if !h.iam.Enforce(ctxuser, group, "iam:/group/"+group, "write") {
return api.Err(http.StatusForbidden, "Forbidden")
}
// Check if the user to be deleted is an admin. If yes, you have to be an admin too.
if h.iam.HasPolicy(name, group, "iam:/group/"+group, []string{"any"}) {
if !h.iam.Enforce(ctxuser, group, "iam:/group/"+group, "admin") {
return api.Err(http.StatusForbidden, "Forbidden")
}
}
if len(h.iam.ListPolicies(name, group, "", nil)) == 0 {
return api.Err(http.StatusNotFound, "Not found")
}
h.iam.RemovePolicy(name, group, "", nil)
return c.JSON(http.StatusOK, "OK")
}