apps/core
1
0
Fork 0
mirror of https://github.com/datarhei/core.git synced 2025-10-06 00:17:07 +08:00
Code Issues Packages Projects Releases Wiki Activity

WIP: add /api/v3/iam/group/* endpoints

Browse Source
This commit is contained in:
Ingo Oppermann
2023-03-09 19:03:58 +01:00
parent d101a76e9e
commit a0ef3ab5ee
10 changed files with 1752 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/api/api.go
View File

@@ -453,6 +453,7 @@ func (a *api) start() error {
if !cfg.API.Auth.Enable { if !cfg.API.Auth.Enable {
iam.AddPolicy("$anon", "$none", "api:/api/**", []string{"ANY"}) iam.AddPolicy("$anon", "$none", "api:/api/**", []string{"ANY"})
iam.AddPolicy("$anon", "$none", "process:*", []string{"ANY"}) iam.AddPolicy("$anon", "$none", "process:*", []string{"ANY"})
iam.AddPolicy("$anon", "$none", "iam:*", []string{"ANY"})
} else { } else {
if cfg.API.Auth.DisableLocalhost { if cfg.API.Auth.DisableLocalhost {
iam.AddPolicy("$localhost", "$none", "api:/api", []string{"GET", "HEAD", "OPTIONS"}) iam.AddPolicy("$localhost", "$none", "api:/api", []string{"GET", "HEAD", "OPTIONS"})
@@ -460,6 +461,7 @@ func (a *api) start() error {
iam.AddPolicy("$localhost", "$none", "api:/api/**", []string{"ANY"}) iam.AddPolicy("$localhost", "$none", "api:/api/**", []string{"ANY"})
iam.AddPolicy("$localhost", "$none", "process:*", []string{"ANY"}) iam.AddPolicy("$localhost", "$none", "process:*", []string{"ANY"})
iam.AddPolicy("$localhost", "$none", "iam:*", []string{"ANY"})
} }
} }

512
docs/docs.go
View File

@@ -468,6 +468,487 @@ const docTemplate = `{
} }
} }
}, },
"/api/v3/iam/group": {
"get": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "List all groups",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "List all groups",
"operationId": "iam-3-list-groups",
"responses": {
"200": {
"description": "OK",
"schema": {
"type": "array",
"items": {
"type": "string"
}
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
},
"post": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "Create a group with admins",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "Create a group with admins",
"operationId": "iam-3-add-group",
"parameters": [
{
"description": "Group to add",
"name": "config",
"in": "body",
"required": true,
"schema": {
"$ref": "#/definitions/api.IAMGroup"
}
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"$ref": "#/definitions/api.IAMGroup"
}
},
"400": {
"description": "Bad Request",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"404": {
"description": "Not Found",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"409": {
"description": "Conflict",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
}
},
"/api/v3/iam/group/{group}": {
"get": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "Get details of a group",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "Get details of a group",
"operationId": "iam-3-get-group",
"parameters": [
{
"type": "string",
"description": "group name",
"name": "group",
"in": "path",
"required": true
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"$ref": "#/definitions/api.IAMGroup"
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"404": {
"description": "Not Found",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
},
"delete": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "Remove a group",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "Remove a group",
"operationId": "iam-3-remove-group",
"parameters": [
{
"type": "string",
"description": "group name",
"name": "group",
"in": "path",
"required": true
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"$ref": "#/definitions/api.IAMGroup"
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"404": {
"description": "Not Found",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
}
},
"/api/v3/iam/group/{group}/user": {
"get": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "List all users in a group",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "List all users in a group",
"operationId": "iam-3-get-group-users",
"parameters": [
{
"type": "string",
"description": "group name",
"name": "group",
"in": "path",
"required": true
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"type": "array",
"items": {
"type": "string"
}
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"404": {
"description": "Not Found",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
},
"post": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "Add an user to a group",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "Add an user to a group",
"operationId": "iam-3-add-group-user",
"parameters": [
{
"type": "string",
"description": "group name",
"name": "group",
"in": "path",
"required": true
},
{
"description": "User to add",
"name": "config",
"in": "body",
"required": true,
"schema": {
"$ref": "#/definitions/api.IAMGroupUser"
}
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"type": "array",
"items": {
"type": "string"
}
}
},
"400": {
"description": "Bad Request",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"404": {
"description": "Not Found",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"409": {
"description": "Conflict",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
}
},
"/api/v3/iam/group/{group}/user/{name}": {
"get": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "Get the details of a user in a group",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "Get the details of a user in a group",
"operationId": "iam-3-get-group-user",
"parameters": [
{
"type": "string",
"description": "group name",
"name": "group",
"in": "path",
"required": true
},
{
"type": "string",
"description": "user name",
"name": "name",
"in": "path",
"required": true
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"type": "array",
"items": {
"type": "string"
}
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"404": {
"description": "Not Found",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
},
"put": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "Set the policies of a user in a group",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "Set the policies of a user in a group",
"operationId": "iam-3-update-group-user",
"parameters": [
{
"type": "string",
"description": "group name",
"name": "group",
"in": "path",
"required": true
},
{
"type": "string",
"description": "user name",
"name": "name",
"in": "path",
"required": true
},
{
"description": "User to add",
"name": "config",
"in": "body",
"required": true,
"schema": {
"$ref": "#/definitions/api.IAMPolicy"
}
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"type": "array",
"items": {
"type": "string"
}
}
},
"400": {
"description": "Bad Request",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
},
"delete": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "Remove a user from a group",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "Remove a user from a group",
"operationId": "iam-3-remove-group-user",
"parameters": [
{
"type": "string",
"description": "group name",
"name": "group",
"in": "path",
"required": true
},
{
"type": "string",
"description": "user name",
"name": "name",
"in": "path",
"required": true
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"type": "array",
"items": {
"type": "string"
}
}
},
"400": {
"description": "Bad Request",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
}
},
"/api/v3/iam/user": { "/api/v3/iam/user": {
"post": { "post": {
"security": [ "security": [
@@ -2823,6 +3304,37 @@ const docTemplate = `{
} }
} }
}, },
"api.IAMGroup": {
"type": "object",
"properties": {
"admins": {
"type": "array",
"items": {
"type": "string"
}
},
"name": {
"type": "string"
}
}
},
"api.IAMGroupUser": {
"type": "object",
"properties": {
"admin": {
"type": "boolean"
},
"name": {
"type": "string"
},
"policies": {
"type": "array",
"items": {
"$ref": "#/definitions/api.IAMPolicy"
}
}
}
},
"api.IAMPolicy": { "api.IAMPolicy": {
"type": "object", "type": "object",
"properties": { "properties": {

512
docs/swagger.json
View File

@@ -461,6 +461,487 @@
} }
} }
}, },
"/api/v3/iam/group": {
"get": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "List all groups",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "List all groups",
"operationId": "iam-3-list-groups",
"responses": {
"200": {
"description": "OK",
"schema": {
"type": "array",
"items": {
"type": "string"
}
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
},
"post": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "Create a group with admins",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "Create a group with admins",
"operationId": "iam-3-add-group",
"parameters": [
{
"description": "Group to add",
"name": "config",
"in": "body",
"required": true,
"schema": {
"$ref": "#/definitions/api.IAMGroup"
}
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"$ref": "#/definitions/api.IAMGroup"
}
},
"400": {
"description": "Bad Request",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"404": {
"description": "Not Found",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"409": {
"description": "Conflict",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
}
},
"/api/v3/iam/group/{group}": {
"get": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "Get details of a group",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "Get details of a group",
"operationId": "iam-3-get-group",
"parameters": [
{
"type": "string",
"description": "group name",
"name": "group",
"in": "path",
"required": true
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"$ref": "#/definitions/api.IAMGroup"
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"404": {
"description": "Not Found",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
},
"delete": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "Remove a group",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "Remove a group",
"operationId": "iam-3-remove-group",
"parameters": [
{
"type": "string",
"description": "group name",
"name": "group",
"in": "path",
"required": true
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"$ref": "#/definitions/api.IAMGroup"
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"404": {
"description": "Not Found",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
}
},
"/api/v3/iam/group/{group}/user": {
"get": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "List all users in a group",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "List all users in a group",
"operationId": "iam-3-get-group-users",
"parameters": [
{
"type": "string",
"description": "group name",
"name": "group",
"in": "path",
"required": true
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"type": "array",
"items": {
"type": "string"
}
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"404": {
"description": "Not Found",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
},
"post": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "Add an user to a group",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "Add an user to a group",
"operationId": "iam-3-add-group-user",
"parameters": [
{
"type": "string",
"description": "group name",
"name": "group",
"in": "path",
"required": true
},
{
"description": "User to add",
"name": "config",
"in": "body",
"required": true,
"schema": {
"$ref": "#/definitions/api.IAMGroupUser"
}
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"type": "array",
"items": {
"type": "string"
}
}
},
"400": {
"description": "Bad Request",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"404": {
"description": "Not Found",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"409": {
"description": "Conflict",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
}
},
"/api/v3/iam/group/{group}/user/{name}": {
"get": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "Get the details of a user in a group",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "Get the details of a user in a group",
"operationId": "iam-3-get-group-user",
"parameters": [
{
"type": "string",
"description": "group name",
"name": "group",
"in": "path",
"required": true
},
{
"type": "string",
"description": "user name",
"name": "name",
"in": "path",
"required": true
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"type": "array",
"items": {
"type": "string"
}
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"404": {
"description": "Not Found",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
},
"put": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "Set the policies of a user in a group",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "Set the policies of a user in a group",
"operationId": "iam-3-update-group-user",
"parameters": [
{
"type": "string",
"description": "group name",
"name": "group",
"in": "path",
"required": true
},
{
"type": "string",
"description": "user name",
"name": "name",
"in": "path",
"required": true
},
{
"description": "User to add",
"name": "config",
"in": "body",
"required": true,
"schema": {
"$ref": "#/definitions/api.IAMPolicy"
}
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"type": "array",
"items": {
"type": "string"
}
}
},
"400": {
"description": "Bad Request",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
},
"delete": {
"security": [
{
"ApiKeyAuth": []
}
],
"description": "Remove a user from a group",
"produces": [
"application/json"
],
"tags": [
"v16.?.?"
],
"summary": "Remove a user from a group",
"operationId": "iam-3-remove-group-user",
"parameters": [
{
"type": "string",
"description": "group name",
"name": "group",
"in": "path",
"required": true
},
{
"type": "string",
"description": "user name",
"name": "name",
"in": "path",
"required": true
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"type": "array",
"items": {
"type": "string"
}
}
},
"400": {
"description": "Bad Request",
"schema": {
"$ref": "#/definitions/api.Error"
}
},
"403": {
"description": "Forbidden",
"schema": {
"$ref": "#/definitions/api.Error"
}
}
}
}
},
"/api/v3/iam/user": { "/api/v3/iam/user": {
"post": { "post": {
"security": [ "security": [
@@ -2816,6 +3297,37 @@
} }
} }
}, },
"api.IAMGroup": {
"type": "object",
"properties": {
"admins": {
"type": "array",
"items": {
"type": "string"
}
},
"name": {
"type": "string"
}
}
},
"api.IAMGroupUser": {
"type": "object",
"properties": {
"admin": {
"type": "boolean"
},
"name": {
"type": "string"
},
"policies": {
"type": "array",
"items": {
"$ref": "#/definitions/api.IAMPolicy"
}
}
}
},
"api.IAMPolicy": { "api.IAMPolicy": {
"type": "object", "type": "object",
"properties": { "properties": {

331
docs/swagger.yaml
View File

@@ -478,6 +478,26 @@ definitions:
domain: domain:
type: string type: string
type: object type: object
api.IAMGroup:
properties:
admins:
items:
type: string
type: array
name:
type: string
type: object
api.IAMGroupUser:
properties:
admin:
type: boolean
name:
type: string
policies:
items:
$ref: '#/definitions/api.IAMPolicy'
type: array
type: object
api.IAMPolicy: api.IAMPolicy:
properties: properties:
actions: actions:
@@ -2266,6 +2286,317 @@ paths:
security: security:
- ApiKeyAuth: [] - ApiKeyAuth: []
summary: Add a file to a filesystem summary: Add a file to a filesystem
/api/v3/iam/group:
get:
description: List all groups
operationId: iam-3-list-groups
produces:
- application/json
responses:
"200":
description: OK
schema:
items:
type: string
type: array
"403":
description: Forbidden
schema:
$ref: '#/definitions/api.Error'
security:
- ApiKeyAuth: []
summary: List all groups
tags:
- v16.?.?
post:
description: Create a group with admins
operationId: iam-3-add-group
parameters:
- description: Group to add
in: body
name: config
required: true
schema:
$ref: '#/definitions/api.IAMGroup'
produces:
- application/json
responses:
"200":
description: OK
schema:
$ref: '#/definitions/api.IAMGroup'
"400":
description: Bad Request
schema:
$ref: '#/definitions/api.Error'
"403":
description: Forbidden
schema:
$ref: '#/definitions/api.Error'
"404":
description: Not Found
schema:
$ref: '#/definitions/api.Error'
"409":
description: Conflict
schema:
$ref: '#/definitions/api.Error'
security:
- ApiKeyAuth: []
summary: Create a group with admins
tags:
- v16.?.?
/api/v3/iam/group/{group}:
delete:
description: Remove a group
operationId: iam-3-remove-group
parameters:
- description: group name
in: path
name: group
required: true
type: string
produces:
- application/json
responses:
"200":
description: OK
schema:
$ref: '#/definitions/api.IAMGroup'
"403":
description: Forbidden
schema:
$ref: '#/definitions/api.Error'
"404":
description: Not Found
schema:
$ref: '#/definitions/api.Error'
security:
- ApiKeyAuth: []
summary: Remove a group
tags:
- v16.?.?
get:
description: Get details of a group
operationId: iam-3-get-group
parameters:
- description: group name
in: path
name: group
required: true
type: string
produces:
- application/json
responses:
"200":
description: OK
schema:
$ref: '#/definitions/api.IAMGroup'
"403":
description: Forbidden
schema:
$ref: '#/definitions/api.Error'
"404":
description: Not Found
schema:
$ref: '#/definitions/api.Error'
security:
- ApiKeyAuth: []
summary: Get details of a group
tags:
- v16.?.?
/api/v3/iam/group/{group}/user:
get:
description: List all users in a group
operationId: iam-3-get-group-users
parameters:
- description: group name
in: path
name: group
required: true
type: string
produces:
- application/json
responses:
"200":
description: OK
schema:
items:
type: string
type: array
"403":
description: Forbidden
schema:
$ref: '#/definitions/api.Error'
"404":
description: Not Found
schema:
$ref: '#/definitions/api.Error'
security:
- ApiKeyAuth: []
summary: List all users in a group
tags:
- v16.?.?
post:
description: Add an user to a group
operationId: iam-3-add-group-user
parameters:
- description: group name
in: path
name: group
required: true
type: string
- description: User to add
in: body
name: config
required: true
schema:
$ref: '#/definitions/api.IAMGroupUser'
produces:
- application/json
responses:
"200":
description: OK
schema:
items:
type: string
type: array
"400":
description: Bad Request
schema:
$ref: '#/definitions/api.Error'
"403":
description: Forbidden
schema:
$ref: '#/definitions/api.Error'
"404":
description: Not Found
schema:
$ref: '#/definitions/api.Error'
"409":
description: Conflict
schema:
$ref: '#/definitions/api.Error'
security:
- ApiKeyAuth: []
summary: Add an user to a group
tags:
- v16.?.?
/api/v3/iam/group/{group}/user/{name}:
delete:
description: Remove a user from a group
operationId: iam-3-remove-group-user
parameters:
- description: group name
in: path
name: group
required: true
type: string
- description: user name
in: path
name: name
required: true
type: string
produces:
- application/json
responses:
"200":
description: OK
schema:
items:
type: string
type: array
"400":
description: Bad Request
schema:
$ref: '#/definitions/api.Error'
"403":
description: Forbidden
schema:
$ref: '#/definitions/api.Error'
security:
- ApiKeyAuth: []
summary: Remove a user from a group
tags:
- v16.?.?
get:
description: Get the details of a user in a group
operationId: iam-3-get-group-user
parameters:
- description: group name
in: path
name: group
required: true
type: string
- description: user name
in: path
name: name
required: true
type: string
produces:
- application/json
responses:
"200":
description: OK
schema:
items:
type: string
type: array
"403":
description: Forbidden
schema:
$ref: '#/definitions/api.Error'
"404":
description: Not Found
schema:
$ref: '#/definitions/api.Error'
security:
- ApiKeyAuth: []
summary: Get the details of a user in a group
tags:
- v16.?.?
put:
description: Set the policies of a user in a group
operationId: iam-3-update-group-user
parameters:
- description: group name
in: path
name: group
required: true
type: string
- description: user name
in: path
name: name
required: true
type: string
- description: User to add
in: body
name: config
required: true
schema:
$ref: '#/definitions/api.IAMPolicy'
produces:
- application/json
responses:
"200":
description: OK
schema:
items:
type: string
type: array
"400":
description: Bad Request
schema:
$ref: '#/definitions/api.Error'
"403":
description: Forbidden
schema:
$ref: '#/definitions/api.Error'
security:
- ApiKeyAuth: []
summary: Set the policies of a user in a group
tags:
- v16.?.?
/api/v3/iam/user: /api/v3/iam/user:
post: post:
consumes: consumes:

6
http/api/iam.go
View File

@@ -128,3 +128,9 @@ type IAMGroup struct {
Name string `json:"name"` Name string `json:"name"`
Admins []string `json:"admins"` Admins []string `json:"admins"`
} }
type IAMGroupUser struct {
Name string `json:"name"`
Admin bool `json:"admin"`
Policies []IAMPolicy `json:"policies"`
}

361
http/handler/api/iam.go
View File

@@ -20,7 +20,7 @@ func NewIAM(iam iam.IAM) *IAMHandler {
} }
} }
// Add adds a new user // AddUser adds a new user
// @Summary Add a new user // @Summary Add a new user
// @Description Add a new user // @Description Add a new user
// @Tags v16.?.? // @Tags v16.?.?
@@ -34,7 +34,11 @@ func NewIAM(iam iam.IAM) *IAMHandler {
// @Security ApiKeyAuth // @Security ApiKeyAuth
// @Router /api/v3/iam/user [post] // @Router /api/v3/iam/user [post]
func (h *IAMHandler) AddUser(c echo.Context) error { func (h *IAMHandler) AddUser(c echo.Context) error {
//user := util.DefaultContext(c, "user", "") ctxuser := util.DefaultContext(c, "user", "")
if !h.iam.Enforce(ctxuser, "$none", "iam:/user", "write") {
return api.Err(http.StatusForbidden, "Forbidden")
}
user := api.IAMUser{} user := api.IAMUser{}
@@ -54,7 +58,7 @@ func (h *IAMHandler) AddUser(c echo.Context) error {
continue continue
} }
h.iam.AddPolicy(p.Name, "", p.Resource, p.Actions) h.iam.AddPolicy(p.Name, "$none", p.Resource, p.Actions)
} }
err = h.iam.SaveIdentities() err = h.iam.SaveIdentities()
@@ -65,7 +69,7 @@ func (h *IAMHandler) AddUser(c echo.Context) error {
return c.JSON(http.StatusOK, user) return c.JSON(http.StatusOK, user)
} }
// Delete deletes the user with the given name // RemoveUser deletes the user with the given name
// @Summary Delete an user by its name // @Summary Delete an user by its name
// @Description Delete an user by its name // @Description Delete an user by its name
// @Tags v16.?.? // @Tags v16.?.?
@@ -78,8 +82,13 @@ func (h *IAMHandler) AddUser(c echo.Context) error {
// @Security ApiKeyAuth // @Security ApiKeyAuth
// @Router /api/v3/iam/user/{name} [delete] // @Router /api/v3/iam/user/{name} [delete]
func (h *IAMHandler) RemoveUser(c echo.Context) error { func (h *IAMHandler) RemoveUser(c echo.Context) error {
ctxuser := util.DefaultContext(c, "user", "")
name := util.PathParam(c, "name") name := util.PathParam(c, "name")
if !h.iam.Enforce(ctxuser, "$none", "iam:/user", "write") {
return api.Err(http.StatusForbidden, "Forbidden")
}
// Remove all policies of that user // Remove all policies of that user
h.iam.RemovePolicy(name, "", "", nil) h.iam.RemovePolicy(name, "", "", nil)
@@ -97,7 +106,7 @@ func (h *IAMHandler) RemoveUser(c echo.Context) error {
return c.JSON(http.StatusOK, "OK") return c.JSON(http.StatusOK, "OK")
} }
// Update replaces an existing user // UpdateUser replaces an existing user
// @Summary Replace an existing user // @Summary Replace an existing user
// @Description Replace an existing user. // @Description Replace an existing user.
// @Tags v16.?.? // @Tags v16.?.?
@@ -113,8 +122,13 @@ func (h *IAMHandler) RemoveUser(c echo.Context) error {
// @Security ApiKeyAuth // @Security ApiKeyAuth
// @Router /api/v3/iam/user/{name} [put] // @Router /api/v3/iam/user/{name} [put]
func (h *IAMHandler) UpdateUser(c echo.Context) error { func (h *IAMHandler) UpdateUser(c echo.Context) error {
ctxuser := util.DefaultContext(c, "user", "")
name := util.PathParam(c, "name") name := util.PathParam(c, "name")
if !h.iam.Enforce(ctxuser, "$none", "iam:/user", "write") {
return api.Err(http.StatusForbidden, "Forbidden")
}
iamuser, err := h.iam.GetIdentity(name) iamuser, err := h.iam.GetIdentity(name)
if err != nil { if err != nil {
return api.Err(http.StatusNotFound, "Not found", "%s", err) return api.Err(http.StatusNotFound, "Not found", "%s", err)
@@ -143,7 +157,7 @@ func (h *IAMHandler) UpdateUser(c echo.Context) error {
continue continue
} }
h.iam.AddPolicy(p.Name, "", p.Resource, p.Actions) h.iam.AddPolicy(p.Name, "$none", p.Resource, p.Actions)
} }
err = h.iam.SaveIdentities() err = h.iam.SaveIdentities()
@@ -154,7 +168,7 @@ func (h *IAMHandler) UpdateUser(c echo.Context) error {
return c.JSON(http.StatusOK, user) return c.JSON(http.StatusOK, user)
} }
// Get returns the user with the given name // GetUser returns the user with the given name
// @Summary List an user by its name // @Summary List an user by its name
// @Description List aa user by its name // @Description List aa user by its name
// @Tags v16.?.? // @Tags v16.?.?
@@ -166,8 +180,13 @@ func (h *IAMHandler) UpdateUser(c echo.Context) error {
// @Security ApiKeyAuth // @Security ApiKeyAuth
// @Router /api/v3/iam/user/{name} [get] // @Router /api/v3/iam/user/{name} [get]
func (h *IAMHandler) GetUser(c echo.Context) error { func (h *IAMHandler) GetUser(c echo.Context) error {
ctxuser := util.DefaultContext(c, "user", "")
name := util.PathParam(c, "name") name := util.PathParam(c, "name")
if !h.iam.Enforce(ctxuser, "$none", "iam:/user", "read") {
return api.Err(http.StatusForbidden, "Forbidden")
}
iamuser, err := h.iam.GetIdentity(name) iamuser, err := h.iam.GetIdentity(name)
if err != nil { if err != nil {
return api.Err(http.StatusNotFound, "Not found", "%s", err) return api.Err(http.StatusNotFound, "Not found", "%s", err)
@@ -181,9 +200,26 @@ func (h *IAMHandler) GetUser(c echo.Context) error {
return c.JSON(http.StatusOK, user) return c.JSON(http.StatusOK, user)
} }
// AddGroup creates a group with admins
// @Summary Create a group with admins
// @Description Create a group with admins
// @Tags v16.?.?
// @ID iam-3-add-group
// @Produce json
// @Param config body api.IAMGroup true "Group to add"
// @Success 200 {object} api.IAMGroup
// @Failure 400 {object} api.Error
// @Failure 403 {object} api.Error
// @Failure 404 {object} api.Error
// @Failure 409 {object} api.Error
// @Security ApiKeyAuth
// @Router /api/v3/iam/group [post] // @Router /api/v3/iam/group [post]
func (h *IAMHandler) AddGroup(c echo.Context) error { func (h *IAMHandler) AddGroup(c echo.Context) error {
user := util.DefaultContext(c, "user", "") ctxuser := util.DefaultContext(c, "user", "")
if !h.iam.Enforce(ctxuser, "$none", "iam:/group", "write") {
return api.Err(http.StatusForbidden, "Forbidden")
}
group := api.IAMGroup{} group := api.IAMGroup{}
@@ -195,6 +231,10 @@ func (h *IAMHandler) AddGroup(c echo.Context) error {
return api.Err(http.StatusConflict, "Conflict", "this group already exists") return api.Err(http.StatusConflict, "Conflict", "this group already exists")
} }
if len(group.Admins) == 0 {
return api.Err(http.StatusBadRequest, "Bad request", "at leas one admin must be defined")
}
for _, admin := range group.Admins { for _, admin := range group.Admins {
_, err := h.iam.GetIdentity(admin) _, err := h.iam.GetIdentity(admin)
if err != nil { if err != nil {
@@ -202,51 +242,139 @@ func (h *IAMHandler) AddGroup(c echo.Context) error {
} }
} }
if !h.iam.Enforce(user, group.Name, "iam:/group", "write") {
return api.Err(http.StatusForbidden, "Forbidden")
}
for _, admin := range group.Admins { for _, admin := range group.Admins {
h.iam.AddPolicy(admin, group.Name, "iam:/group/**", []string{"read", "write"}) h.iam.AddPolicy(admin, group.Name, "api:/api/**", []string{"get", "options", "head"})
h.iam.AddPolicy(admin, group.Name, "api:/api/v3/process", []string{"ANY"})
h.iam.AddPolicy(admin, group.Name, "api:/api/v3/process/**", []string{"ANY"})
h.iam.AddPolicy(admin, group.Name, "process:*", []string{"ANY"})
h.iam.AddPolicy(admin, group.Name, "fs:/"+group.Name+"/**", []string{"ANY"})
h.iam.AddPolicy(admin, group.Name, "fs:/memfs/"+group.Name+"/**", []string{"ANY"})
h.iam.AddPolicy(admin, group.Name, "rtmp:/"+group.Name+"/**", []string{"ANY"})
h.iam.AddPolicy(admin, group.Name, "srt:"+group.Name+"/**", []string{"ANY"})
h.iam.AddPolicy(admin, group.Name, "iam:/group/"+group.Name, []string{"ANY"})
} }
return c.JSON(http.StatusOK, group) return c.JSON(http.StatusOK, group)
} }
// @Router /api/v3/iam/group/{name} [delete] // ListGroups lists all groups
func (h *IAMHandler) RemoveGroup(c echo.Context) error { // @Summary List all groups
user := util.DefaultContext(c, "user", "") // @Description List all groups
name := util.PathParam(c, "name") // @Tags v16.?.?
// @ID iam-3-list-groups
// @Produce json
// @Success 200 {array} string
// @Failure 403 {object} api.Error
// @Security ApiKeyAuth
// @Router /api/v3/iam/group [get]
func (h *IAMHandler) ListGroups(c echo.Context) error {
ctxuser := util.DefaultContext(c, "user", "")
if !h.iam.HasDomain(name) { if !h.iam.Enforce(ctxuser, "$none", "iam:/group", "read") {
return api.Err(http.StatusNotFound, "Not found")
}
if !h.iam.Enforce(user, name, "iam:/group", "write") {
return api.Err(http.StatusForbidden, "Forbidden") return api.Err(http.StatusForbidden, "Forbidden")
} }
h.iam.RemovePolicy("", name, "", nil) return c.JSON(http.StatusOK, h.iam.ListDomains())
}
// RemoveGroup removes a group
// @Summary Remove a group
// @Description Remove a group
// @Tags v16.?.?
// @ID iam-3-remove-group
// @Produce json
// @Param group path string true "group name"
// @Success 200 {object} api.IAMGroup
// @Failure 403 {object} api.Error
// @Failure 404 {object} api.Error
// @Security ApiKeyAuth
// @Router /api/v3/iam/group/{group} [delete]
func (h *IAMHandler) RemoveGroup(c echo.Context) error {
ctxuser := util.DefaultContext(c, "user", "")
group := util.PathParam(c, "group")
if !h.iam.Enforce(ctxuser, group, "iam:/group/"+group, "admin") {
return api.Err(http.StatusForbidden, "Forbidden", "only group admin can remove a group")
}
if !h.iam.HasDomain(group) {
return api.Err(http.StatusNotFound, "Not found")
}
h.iam.RemovePolicy("", group, "", nil)
return c.JSON(http.StatusOK, "OK") return c.JSON(http.StatusOK, "OK")
} }
// @Router /api/v3/iam/group/{name} [get] // GetGroup returns details of a group
// @Summary Get details of a group
// @Description Get details of a group
// @Tags v16.?.?
// @ID iam-3-get-group
// @Produce json
// @Param group path string true "group name"
// @Success 200 {object} api.IAMGroup
// @Failure 403 {object} api.Error
// @Failure 404 {object} api.Error
// @Security ApiKeyAuth
// @Router /api/v3/iam/group/{group} [get]
func (h *IAMHandler) GetGroup(c echo.Context) error { func (h *IAMHandler) GetGroup(c echo.Context) error {
user := util.DefaultContext(c, "user", "") ctxuser := util.DefaultContext(c, "user", "")
name := util.PathParam(c, "name") group := util.PathParam(c, "group")
if !h.iam.HasDomain(name) { if !h.iam.Enforce(ctxuser, group, "iam:/group/"+group, "read") {
return api.Err(http.StatusForbidden, "Forbidden")
}
if !h.iam.HasDomain(group) {
return api.Err(http.StatusNotFound, "Not found") return api.Err(http.StatusNotFound, "Not found")
} }
if !h.iam.Enforce(user, name, "iam:/group", "read") { g := api.IAMGroup{
Name: group,
}
admins := map[string]struct{}{}
policies := h.iam.ListPolicies("", group, "iam:/group/"+g.Name, []string{"any"})
for _, p := range policies {
admins[p.Name] = struct{}{}
}
for name := range admins {
g.Admins = append(g.Admins, name)
}
return c.JSON(http.StatusOK, g)
}
// ListGroupUsers lists all users of a group
// @Summary List all users in a group
// @Description List all users in a group
// @Tags v16.?.?
// @ID iam-3-get-group-users
// @Produce json
// @Param group path string true "group name"
// @Success 200 {array} string
// @Failure 403 {object} api.Error
// @Failure 404 {object} api.Error
// @Security ApiKeyAuth
// @Router /api/v3/iam/group/{group}/user [get]
func (h *IAMHandler) ListGroupUsers(c echo.Context) error {
ctxuser := util.DefaultContext(c, "user", "")
group := util.PathParam(c, "group")
if !h.iam.Enforce(ctxuser, group, "iam:/group/"+group, "read") {
return api.Err(http.StatusForbidden, "Forbidden") return api.Err(http.StatusForbidden, "Forbidden")
} }
if !h.iam.HasDomain(group) {
return api.Err(http.StatusNotFound, "Not found")
}
members := map[string]struct{}{} members := map[string]struct{}{}
policies := h.iam.ListPolicies("", name, "", nil) policies := h.iam.ListPolicies("", group, "", nil)
for _, p := range policies { for _, p := range policies {
members[p.Name] = struct{}{} members[p.Name] = struct{}{}
} }
@@ -259,3 +387,178 @@ func (h *IAMHandler) GetGroup(c echo.Context) error {
return c.JSON(http.StatusOK, list) return c.JSON(http.StatusOK, list)
} }
// AddGroupUser adds an user to a group
// @Summary Add an user to a group
// @Description Add an user to a group
// @Tags v16.?.?
// @ID iam-3-add-group-user
// @Produce json
// @Param group path string true "group name"
// @Param config body api.IAMGroupUser true "User to add"
// @Success 200 {array} string
// @Failure 400 {object} api.Error
// @Failure 403 {object} api.Error
// @Failure 404 {object} api.Error
// @Failure 409 {object} api.Error
// @Security ApiKeyAuth
// @Router /api/v3/iam/group/{group}/user [post]
func (h *IAMHandler) AddGroupUser(c echo.Context) error {
ctxuser := util.DefaultContext(c, "user", "")
group := util.PathParam(c, "group")
if !h.iam.Enforce(ctxuser, group, "iam:/group/"+group, "write") {
return api.Err(http.StatusForbidden, "Forbidden")
}
if !h.iam.HasDomain(group) {
return api.Err(http.StatusNotFound, "Not found", "this group doesn't exists")
}
user := api.IAMGroupUser{}
if err := util.ShouldBindJSON(c, &user); err != nil {
return api.Err(http.StatusBadRequest, "Invalid JSON", "%s", err)
}
policies := h.iam.ListPolicies(user.Name, group, "", nil)
if len(policies) != 0 {
return api.Err(http.StatusConflict, "Conflict", "this user is already in the group")
}
// Check if admin and add admin rights if required
if user.Admin {
if !h.iam.Enforce(ctxuser, group, "iam:/group/"+group, "admin") {
return api.Err(http.StatusForbidden, "Forbidden", "you can't add admins to this group")
}
h.iam.AddPolicy(user.Name, group, "iam:/group/"+group, []string{"ANY"})
}
for _, p := range user.Policies {
if p.Domain != group {
continue
}
h.iam.AddPolicy(user.Name, group, p.Resource, p.Actions)
}
return c.JSON(http.StatusOK, "OK")
}
// GetGroupUser returns the details of a user in a group
// @Summary Get the details of a user in a group
// @Description Get the details of a user in a group
// @Tags v16.?.?
// @ID iam-3-get-group-user
// @Produce json
// @Param group path string true "group name"
// @Param name path string true "user name"
// @Success 200 {array} string
// @Failure 403 {object} api.Error
// @Failure 404 {object} api.Error
// @Security ApiKeyAuth
// @Router /api/v3/iam/group/{group}/user/{name} [get]
func (h *IAMHandler) GetGroupUser(c echo.Context) error {
ctxuser := util.DefaultContext(c, "user", "")
group := util.PathParam(c, "group")
name := util.PathParam(c, "name")
if !h.iam.Enforce(ctxuser, group, "iam:/group/"+group, "read") {
return api.Err(http.StatusForbidden, "Forbidden")
}
if !h.iam.HasDomain(group) {
return api.Err(http.StatusNotFound, "Not found")
}
policies := h.iam.ListPolicies(name, group, "", nil)
if len(policies) == 0 {
return api.Err(http.StatusNotFound, "Not found")
}
user := api.IAMGroupUser{
Name: name,
Admin: h.iam.HasPolicy(name, group, "iam:/group/"+group, []string{"any"}),
}
for _, p := range policies {
user.Policies = append(user.Policies, api.IAMPolicy{
Domain: group,
Resource: p.Resource,
Actions: p.Actions,
})
}
return c.JSON(http.StatusOK, user)
}
// UpdateGroupUser sets the policies of a user in a group
// @Summary Set the policies of a user in a group
// @Description Set the policies of a user in a group
// @Tags v16.?.?
// @ID iam-3-update-group-user
// @Produce json
// @Param group path string true "group name"
// @Param name path string true "user name"
// @Param config body api.IAMPolicy true "User to add"
// @Success 200 {array} string
// @Failure 400 {object} api.Error
// @Failure 403 {object} api.Error
// @Security ApiKeyAuth
// @Router /api/v3/iam/group/{group}/user/{name} [put]
func (h *IAMHandler) UpdateGroupUser(c echo.Context) error {
ctxuser := util.DefaultContext(c, "user", "")
group := util.PathParam(c, "group")
//name := util.PathParam(c, "name")
if !h.iam.Enforce(ctxuser, group, "iam:/group/"+group, "write") {
return api.Err(http.StatusForbidden, "Forbidden")
}
policies := []api.IAMPolicy{}
if err := util.ShouldBindJSON(c, &policies); err != nil {
return api.Err(http.StatusBadRequest, "Invalid JSON", "%s", err)
}
return c.JSON(http.StatusOK, "OK")
}
// RemoveGroupUser removes a user from a group
// @Summary Remove a user from a group
// @Description Remove a user from a group
// @Tags v16.?.?
// @ID iam-3-remove-group-user
// @Produce json
// @Param group path string true "group name"
// @Param name path string true "user name"
// @Success 200 {array} string
// @Failure 400 {object} api.Error
// @Failure 403 {object} api.Error
// @Security ApiKeyAuth
// @Router /api/v3/iam/group/{group}/user/{name} [delete]
func (h *IAMHandler) RemoveGroupUser(c echo.Context) error {
ctxuser := util.DefaultContext(c, "user", "")
group := util.PathParam(c, "group")
name := util.PathParam(c, "name")
if !h.iam.Enforce(ctxuser, group, "iam:/group/"+group, "write") {
return api.Err(http.StatusForbidden, "Forbidden")
}
// Check if the user to be deleted is an admin. If yes, you have to be an admin too.
if h.iam.HasPolicy(name, group, "iam:/group/"+group, []string{"any"}) {
if !h.iam.Enforce(ctxuser, group, "iam:/group/"+group, "admin") {
return api.Err(http.StatusForbidden, "Forbidden")
}
}
if len(h.iam.ListPolicies(name, group, "", nil)) == 0 {
return api.Err(http.StatusNotFound, "Not found")
}
h.iam.RemovePolicy(name, group, "", nil)
return c.JSON(http.StatusOK, "OK")
}

11
http/server.go
View File

@@ -538,6 +538,17 @@ func (s *server) setRoutesV3(v3 *echo.Group) {
v3.GET("/iam/user/:name", s.v3handler.iam.GetUser) v3.GET("/iam/user/:name", s.v3handler.iam.GetUser)
v3.PUT("/iam/user/:name", s.v3handler.iam.UpdateUser) v3.PUT("/iam/user/:name", s.v3handler.iam.UpdateUser)
v3.DELETE("/iam/user/:name", s.v3handler.iam.RemoveUser) v3.DELETE("/iam/user/:name", s.v3handler.iam.RemoveUser)
v3.POST("/iam/group", s.v3handler.iam.AddGroup)
v3.GET("/iam/group", s.v3handler.iam.ListGroups)
v3.GET("/iam/group/:group", s.v3handler.iam.GetGroup)
v3.DELETE("/iam/group/:group", s.v3handler.iam.RemoveGroup)
v3.POST("/iam/group/:group/user", s.v3handler.iam.AddGroupUser)
v3.GET("/iam/group/:group/user", s.v3handler.iam.ListGroupUsers)
v3.GET("/iam/group/:group/user/:name", s.v3handler.iam.GetGroupUser)
v3.PUT("/iam/group/:group/user/:name", s.v3handler.iam.UpdateGroupUser)
v3.DELETE("/iam/group/:group/user/:name", s.v3handler.iam.RemoveGroupUser)
} }
// v3 Restreamer // v3 Restreamer

17
iam/access.go
View File

@@ -20,12 +20,15 @@ type Policy struct {
type AccessEnforcer interface { type AccessEnforcer interface {
Enforce(name, domain, resource, action string) (bool, string) Enforce(name, domain, resource, action string) (bool, string)
HasGroup(name string) bool
HasDomain(name string) bool
ListDomains() []string
} }
type AccessManager interface { type AccessManager interface {
AccessEnforcer AccessEnforcer
HasPolicy(name, domain, resource string, actions []string) bool
AddPolicy(name, domain, resource string, actions []string) bool AddPolicy(name, domain, resource string, actions []string) bool
RemovePolicy(name, domain, resource string, actions []string) bool RemovePolicy(name, domain, resource string, actions []string) bool
ListPolicies(name, domain, resource string, actions []string) []Policy ListPolicies(name, domain, resource string, actions []string) []Policy
@@ -84,6 +87,12 @@ func NewAccessManager(config AccessConfig) (AccessManager, error) {
return am, nil return am, nil
} }
func (am *access) HasPolicy(name, domain, resource string, actions []string) bool {
policy := []string{name, domain, resource, strings.Join(actions, "|")}
return am.enforcer.HasPolicy(policy)
}
func (am *access) AddPolicy(name, domain, resource string, actions []string) bool { func (am *access) AddPolicy(name, domain, resource string, actions []string) bool {
policy := []string{name, domain, resource, strings.Join(actions, "|")} policy := []string{name, domain, resource, strings.Join(actions, "|")}
@@ -120,7 +129,7 @@ func (am *access) ListPolicies(name, domain, resource string, actions []string)
return policies return policies
} }
func (am *access) HasGroup(name string) bool { func (am *access) HasDomain(name string) bool {
groups := am.adapter.getAllGroups() groups := am.adapter.getAllGroups()
for _, g := range groups { for _, g := range groups {
@@ -132,6 +141,10 @@ func (am *access) HasGroup(name string) bool {
return false return false
} }
func (am *access) ListDomains() []string {
return am.adapter.getAllGroups()
}
func (am *access) Enforce(name, domain, resource, action string) (bool, string) { func (am *access) Enforce(name, domain, resource, action string) (bool, string) {
ok, rule, _ := am.enforcer.EnforceEx(name, domain, resource, action) ok, rule, _ := am.enforcer.EnforceEx(name, domain, resource, action)

12
iam/access_test.go
View File

@@ -57,9 +57,9 @@ func TestAccessManager(t *testing.T) {
}, },
}, policies) }, policies)
require.True(t, am.HasGroup("igelcamp")) require.True(t, am.HasDomain("igelcamp"))
require.True(t, am.HasGroup("group")) require.True(t, am.HasDomain("group"))
require.False(t, am.HasGroup("$none")) require.False(t, am.HasDomain("$none"))
am.RemovePolicy("ingo", "", "", nil) am.RemovePolicy("ingo", "", "", nil)
@@ -73,9 +73,9 @@ func TestAccessManager(t *testing.T) {
}, },
}, policies) }, policies)
require.False(t, am.HasGroup("igelcamp")) require.False(t, am.HasDomain("igelcamp"))
require.True(t, am.HasGroup("group")) require.True(t, am.HasDomain("group"))
require.False(t, am.HasGroup("$none")) require.False(t, am.HasDomain("$none"))
ok, _ := am.Enforce("foobar", "group", "bla:/", "read") ok, _ := am.Enforce("foobar", "group", "bla:/", "read")
require.False(t, ok) require.False(t, ok)

27
iam/iam.go
View File

@@ -7,8 +7,11 @@ import (
type IAM interface { type IAM interface {
Enforce(name, domain, resource, action string) bool Enforce(name, domain, resource, action string) bool
HasDomain(domain string) bool
HasDomain(domain string) bool
ListDomains() []string
HasPolicy(name, domain, resource string, actions []string) bool
AddPolicy(name, domain, resource string, actions []string) bool AddPolicy(name, domain, resource string, actions []string) bool
RemovePolicy(name, domain, resource string, actions []string) bool RemovePolicy(name, domain, resource string, actions []string) bool
@@ -104,6 +107,10 @@ func (i *iam) Enforce(name, domain, resource, action string) bool {
} }
} }
//if name == "$localhost" {
// superuser = true
//}
l := i.logger.Debug().WithFields(log.Fields{ l := i.logger.Debug().WithFields(log.Fields{
"subject": name, "subject": name,
"domain": domain, "domain": domain,
@@ -168,13 +175,29 @@ func (i *iam) CreateJWT(name string) (string, string, error) {
} }
func (i *iam) HasDomain(domain string) bool { func (i *iam) HasDomain(domain string) bool {
return i.am.HasGroup(domain) return i.am.HasDomain(domain)
}
func (i *iam) ListDomains() []string {
return i.am.ListDomains()
} }
func (i *iam) Validators() []string { func (i *iam) Validators() []string {
return i.im.Validators() return i.im.Validators()
} }
func (i *iam) HasPolicy(name, domain, resource string, actions []string) bool {
if len(name) == 0 {
name = "$anon"
}
if len(domain) == 0 {
domain = "$none"
}
return i.am.HasPolicy(name, domain, resource, actions)
}
func (i *iam) AddPolicy(name, domain, resource string, actions []string) bool { func (i *iam) AddPolicy(name, domain, resource string, actions []string) bool {
if len(name) == 0 { if len(name) == 0 {
name = "$anon" name = "$anon"