package keeper
import (
"fmt"
gogotypes "github.com/gogo/protobuf/types"
"github.com/cosmos/cosmos-sdk/codec"
sdk "github.com/cosmos/cosmos-sdk/types"
sdkerrors "github.com/cosmos/cosmos-sdk/types/errors"
"github.com/bianjieai/iritamod/modules/perm/types"
)
// Keeper is the keeper of the perm store.
//
// cdc decodes the values read back from the store (see GetRoles) and
// storeKey selects the KV store that holds them. AuthMap is an in-memory
// registry, keyed by message type URL or module name, of the auth required
// to send that message; it is filled by RegisterMsgAuth and
// RegisterModuleAuth, which in this file write only to the map and never to
// the store. Because AuthMap is a map, every copy of a Keeper shares it,
// so writes through a value receiver are visible everywhere.
type Keeper struct {
	cdc      codec.Codec
	storeKey sdk.StoreKey
	AuthMap  map[string]types.Auth
}
// NewKeeper returns a Keeper backed by the given codec and store key, with
// an empty but non-nil AuthMap so RegisterMsgAuth/RegisterModuleAuth can
// write to it immediately.
func NewKeeper(cdc codec.Codec, storeKey sdk.StoreKey) Keeper {
	k := Keeper{cdc: cdc, storeKey: storeKey}
	k.AuthMap = map[string]types.Auth{}
	return k
}
// RegisterMsgAuth registers the auth to send the msg.
// Each role gets the access control.
//
// The auth recorded for the message's type URL is types.AuthDefault OR'ed
// with every given role's Auth(). Registration is one-shot: a second call
// for the same type URL panics, so this belongs in startup wiring rather
// than in a request path. Only the in-memory AuthMap is written; nothing is
// persisted to the store. The value receiver is fine here because AuthMap
// is a map shared by every copy of the Keeper.
func (k Keeper) RegisterMsgAuth(msg sdk.Msg, roles ...types.Role) {
	typeURL := sdk.MsgTypeURL(msg)
	if _, exists := k.AuthMap[typeURL]; exists {
		panic(fmt.Sprintf("msg type or module name %s has already been initialized", typeURL))
	}
	combined := types.AuthDefault
	for _, role := range roles {
		combined |= role.Auth()
	}
	k.AuthMap[typeURL] = combined
}
// RegisterModuleAuth registers the auth to send the module related msgs.
// Each role gets the access control.
//
// The auth recorded under the module name is types.AuthDefault OR'ed with
// every given role's Auth(). Registering the same module name twice panics,
// so this is meant for startup wiring. Only the in-memory AuthMap is
// written; nothing is persisted to the store.
func (k *Keeper) RegisterModuleAuth(module string, roles ...types.Role) {
	if _, exists := k.AuthMap[module]; exists {
		panic(fmt.Sprintf("msg type or module name %s has already been initialized", module))
	}
	combined := types.AuthDefault
	for _, role := range roles {
		combined |= role.Auth()
	}
	k.AuthMap[module] = combined
}
// Authorize assigns the specified roles to an address.
//
// Guards on the target, evaluated before anything is read or written:
//   - a root admin can never be modified (types.ErrOperateRootAdmin);
//   - a perm admin can only be modified by a root admin that is not the
//     perm admin itself (types.ErrOperatePermAdmin).
//
// Guards on each requested role, checked against the operator:
//   - RoleRootAdmin can never be granted (types.ErrAddRootAdmin);
//   - RolePermAdmin may only be granted by a root admin;
//   - RolePowerUser requires IsPowerAdminPerm(operator), every other role
//     requires IsAdminPerm(operator) (types.ErrUnauthorizedOperation).
//
// All role checks run before the single SetAuth at the end, so a rejected
// role aborts the whole call with no partial write. With an empty role list
// the existing auth is written back unchanged.
func (k *Keeper) Authorize(ctx sdk.Context, address, operator sdk.AccAddress, rs ...types.Role) error {
	if k.IsRootAdmin(ctx, address) {
		return types.ErrOperateRootAdmin
	}
	targetIsPermAdmin := k.IsPermAdmin(ctx, address)
	if targetIsPermAdmin && (!k.IsRootAdmin(ctx, operator) || operator.Equals(address)) {
		return types.ErrOperatePermAdmin
	}

	granted := k.GetAuth(ctx, address)
	for _, role := range rs {
		switch {
		case role == types.RoleRootAdmin:
			return types.ErrAddRootAdmin
		case role == types.RolePermAdmin && !k.IsRootAdmin(ctx, operator):
			return sdkerrors.Wrap(types.ErrUnauthorizedOperation, "can not add permission admin role")
		case role == types.RolePowerUser:
			if !k.IsPowerAdminPerm(ctx, operator) {
				return types.ErrUnauthorizedOperation
			}
		default:
			if !k.IsAdminPerm(ctx, operator) {
				return types.ErrUnauthorizedOperation
			}
		}
		granted |= role.Auth()
	}

	k.SetAuth(ctx, address, granted)
	return nil
}
// Unauthorize unassigns the specified roles from an address.
//
// Guards on the target mirror Authorize: a root admin can never be modified
// (types.ErrOperateRootAdmin) and a perm admin only by a root admin other
// than itself (types.ErrOperatePermAdmin).
//
// Per requested role:
//   - RoleRootAdmin can never be removed (types.ErrRemoveRootAdmin);
//   - a role the address does not currently hold, as judged by
//     auth.Access(r.Auth()), is rejected with types.ErrRemoveUnknownRole;
//   - RolePowerUser requires IsPowerAdminPerm(operator), any other role
//     requires IsAdminPerm(operator) (types.ErrUnauthorizedOperation).
//
// The checks all run before the write, so a rejected role leaves the store
// untouched. When every role bit has been cleared the entry is deleted
// instead of storing types.AuthDefault.
func (k Keeper) Unauthorize(ctx sdk.Context, address, operator sdk.AccAddress, roles ...types.Role) error {
	if k.IsRootAdmin(ctx, address) {
		return types.ErrOperateRootAdmin
	}
	targetIsPermAdmin := k.IsPermAdmin(ctx, address)
	if targetIsPermAdmin && (!k.IsRootAdmin(ctx, operator) || operator.Equals(address)) {
		return types.ErrOperatePermAdmin
	}

	remaining := k.GetAuth(ctx, address)
	for _, role := range roles {
		if role == types.RoleRootAdmin {
			return types.ErrRemoveRootAdmin
		}
		if !remaining.Access(role.Auth()) {
			return sdkerrors.Wrapf(types.ErrRemoveUnknownRole, "%s", role)
		}
		switch {
		case role == types.RolePowerUser:
			if !k.IsPowerAdminPerm(ctx, operator) {
				return types.ErrUnauthorizedOperation
			}
		default:
			if !k.IsAdminPerm(ctx, operator) {
				return types.ErrUnauthorizedOperation
			}
		}
		// Clear the role's bits; identical to auth & (auth ^ role.Auth()).
		remaining &^= role.Auth()
	}

	if remaining == types.AuthDefault {
		k.DeleteAuth(ctx, address)
		return nil
	}
	k.SetAuth(ctx, address, remaining)
	return nil
}
// GetRoles gets the role set for all accounts.
//
// It walks every entry under types.AuthKey, decodes the value as a
// gogotypes.Int32Value (MustUnmarshal: a corrupt value panics rather than
// being skipped), treats the key suffix after the prefix as the account
// address, and expands the stored auth into roles. The result is nil when
// the prefix holds no entries.
func (k Keeper) GetRoles(ctx sdk.Context) []types.RoleAccount {
	var out []types.RoleAccount

	store := ctx.KVStore(k.storeKey)
	iter := sdk.KVStorePrefixIterator(store, types.AuthKey)
	defer iter.Close()

	prefixLen := len(types.AuthKey)
	for ; iter.Valid(); iter.Next() {
		var stored gogotypes.Int32Value
		k.cdc.MustUnmarshal(iter.Value(), &stored)

		addr := sdk.AccAddress(iter.Key()[prefixLen:])
		entry := types.RoleAccount{
			Address: addr.String(),
			Roles:   types.Auth(stored.Value).Roles(),
		}
		out = append(out, entry)
	}
	return out
}
// Access checks the signer auth. It returns nil when the signer's stored
// auth satisfies the required auth and types.ErrUnauthorizedOperation,
// wrapped with both role sets, otherwise.
//
// Note the call direction: the check is auth.Access(signerAuth), with the
// required auth as the receiver and the signer's auth as the argument,
// whereas Unauthorize calls Access on the held auth with the role as the
// argument. Keep that in mind when reading the two side by side.
func (k Keeper) Access(ctx sdk.Context, signer sdk.AccAddress, auth types.Auth) error {
	held := k.GetAuth(ctx, signer)
	if auth.Access(held) {
		return nil
	}
	return sdkerrors.Wrapf(
		types.ErrUnauthorizedOperation,
		"Required roles: %s; sender roles: %s. ",
		auth.Roles(), held.Roles(),
	)
}