Create identity and access packages for IAM

2025-10-06 00:17:07 +08:00 · 2023-05-25 16:16:29 +02:00
parent 710d5c595f
commit e9034aa171
22 changed files with 514 additions and 286 deletions
--- a/iam/access/functions.go
+++ b/iam/access/functions.go
@@ -0,0 +1,86 @@
+package access
+
+import (
+	"strings"
+
+	"github.com/gobwas/glob"
+)
+
+func resourceMatch(request, domain, policy string) bool {
+	reqPrefix, reqResource := getPrefix(request)
+	polPrefix, polResource := getPrefix(policy)
+
+	if reqPrefix != polPrefix {
+		return false
+	}
+
+	var match bool
+	var err error
+
+	if reqPrefix == "api" || reqPrefix == "fs" || reqPrefix == "rtmp" || reqPrefix == "srt" {
+		match, err = globMatch(polResource, reqResource, rune('/'))
+		if err != nil {
+			return false
+		}
+	} else {
+		match, err = globMatch(polResource, reqResource)
+		if err != nil {
+			return false
+		}
+	}
+
+	return match
+}
+
+func resourceMatchFunc(args ...interface{}) (interface{}, error) {
+	request := args[0].(string)
+	domain := args[1].(string)
+	policy := args[2].(string)
+
+	return (bool)(resourceMatch(request, domain, policy)), nil
+}
+
+func actionMatch(request string, policy string) bool {
+	request = strings.ToUpper(request)
+	actions := strings.Split(strings.ToUpper(policy), "|")
+	if len(actions) == 0 {
+		return false
+	}
+
+	if len(actions) == 1 && actions[0] == "ANY" {
+		return true
+	}
+
+	for _, a := range actions {
+		if request == a {
+			return true
+		}
+	}
+
+	return false
+}
+
+func actionMatchFunc(args ...interface{}) (interface{}, error) {
+	request := args[0].(string)
+	policy := args[1].(string)
+
+	return (bool)(actionMatch(request, policy)), nil
+}
+
+func getPrefix(s string) (string, string) {
+	prefix, resource, found := strings.Cut(s, ":")
+	if !found {
+		return "", s
+	}
+
+	return prefix, resource
+}
+
+func globMatch(pattern, name string, separators ...rune) (bool, error) {
+	g, err := glob.Compile(pattern, separators...)
+	if err != nil {
+		return false, err
+	}
+
+	return g.Match(name), nil
+}