-
Notifications
You must be signed in to change notification settings - Fork 112
/
grants.go
153 lines (132 loc) · 4.29 KB
/
grants.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
// Copyright 2018-2021 CERN
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// In applying this license, CERN does not waive the privileges and immunities
// granted to it by virtue of its status as an Intergovernmental Organization
// or submit itself to any jurisdiction.
package grants
import (
"errors"
"strings"
provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
"github.com/cs3org/reva/v2/pkg/storage/utils/acl"
"github.com/google/go-cmp/cmp"
)
// GetACLPerm generates a string representation of CS3APIs' ResourcePermissions
// TODO(labkode): fine grained permission controls.
func GetACLPerm(set *provider.ResourcePermissions) (string, error) {
// resource permission is denied
if cmp.Equal(provider.ResourcePermissions{}, *set, ignoreProtobufXxx()) {
return "!r!w!x!m!u!d", nil
}
var b strings.Builder
if set.Stat || set.InitiateFileDownload {
b.WriteString("r")
}
if set.CreateContainer || set.InitiateFileUpload || set.Delete || set.Move {
b.WriteString("w")
}
if set.ListContainer || set.ListFileVersions {
b.WriteString("x")
}
if set.AddGrant || set.ListGrants || set.RemoveGrant {
b.WriteString("m")
}
if set.GetQuota {
b.WriteString("q")
}
if set.Delete {
b.WriteString("+d")
} else {
b.WriteString("!d")
}
return b.String(), nil
}
// GetGrantPermissionSet converts CS3APIs' ResourcePermissions from a string
// TODO(labkode): add more fine grained controls.
// EOS acls are a mix of ACLs and POSIX permissions. More details can be found in
// https://github.com/cern-eos/eos/blob/master/doc/configuration/permission.rst
func GetGrantPermissionSet(perm string) *provider.ResourcePermissions {
var rp provider.ResourcePermissions // default to 0 == all denied
if strings.Contains(perm, "r") && !strings.Contains(perm, "!r") {
rp.GetPath = true
rp.Stat = true
rp.InitiateFileDownload = true
}
if strings.Contains(perm, "w") && !strings.Contains(perm, "!w") {
rp.Move = true
rp.Delete = true
rp.PurgeRecycle = true
rp.InitiateFileUpload = true
rp.RestoreFileVersion = true
rp.RestoreRecycleItem = true
rp.CreateContainer = true
}
if strings.Contains(perm, "x") && !strings.Contains(perm, "!x") {
rp.ListFileVersions = true
rp.ListRecycle = true
rp.ListContainer = true
}
if strings.Contains(perm, "!d") {
rp.Delete = false
rp.PurgeRecycle = false
}
if strings.Contains(perm, "m") && !strings.Contains(perm, "!m") {
rp.AddGrant = true
rp.ListGrants = true
rp.RemoveGrant = true
}
if strings.Contains(perm, "q") && !strings.Contains(perm, "!q") {
rp.GetQuota = true
}
return &rp
}
// GetACLType returns a char representation of the type of grantee
func GetACLType(gt provider.GranteeType) (string, error) {
switch gt {
case provider.GranteeType_GRANTEE_TYPE_USER:
return acl.TypeUser, nil
case provider.GranteeType_GRANTEE_TYPE_GROUP:
return acl.TypeGroup, nil
default:
return "", errors.New("no eos acl for grantee type: " + gt.String())
}
}
// GetGranteeType returns the grantee type from a char
func GetGranteeType(aclType string) provider.GranteeType {
switch aclType {
case acl.TypeUser:
return provider.GranteeType_GRANTEE_TYPE_USER
case acl.TypeGroup:
return provider.GranteeType_GRANTEE_TYPE_GROUP
default:
return provider.GranteeType_GRANTEE_TYPE_INVALID
}
}
// PermissionsEqual returns true if the permissions are equal
func PermissionsEqual(p1, p2 *provider.ResourcePermissions) bool {
return p1 != nil && p2 != nil && cmp.Equal(*p1, *p2, ignoreProtobufXxx())
}
// GranteeEqual returns true if the grantee are equal
func GranteeEqual(g1, g2 *provider.Grantee) bool {
return g1 != nil && g2 != nil && cmp.Equal(*g1, *g2, ignoreProtobufXxx())
}
func ignoreProtobufXxx() cmp.Option {
return cmp.FilterPath(
func(path cmp.Path) bool {
return strings.HasPrefix(path.String(), "XXX")
},
cmp.Ignore(),
)
}