forked from mdklein/candid
-
Notifications
You must be signed in to change notification settings - Fork 0
/
auth.go
67 lines (63 loc) · 2.43 KB
/
auth.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
// Copyright 2017 Canonical Ltd.
// Licensed under the AGPLv3, see LICENCE file for details.
package v1
import (
"gopkg.in/CanonicalLtd/candidclient.v1/params"
"gopkg.in/macaroon-bakery.v2/bakery"
"gopkg.in/macaroon-bakery.v2/bakery/identchecker"
"github.com/CanonicalLtd/candid/internal/auth"
)
// opForRequest returns the operation that will be performed
// by the API handler method which takes the given argument r.
// See aclForOp in ../auth/auth.go for the mapping from
// operation to ACLs.
func opForRequest(r interface{}) bakery.Op {
switch r := r.(type) {
case *params.QueryUsersRequest:
return auth.GlobalOp(auth.ActionRead)
case *params.UserRequest:
return auth.UserOp(r.Username, auth.ActionRead)
case *params.SetUserRequest:
// TODO require special permissions if the user
// expiry time is less than some threshold?
if r.Owner != "" {
return auth.UserOp(r.Owner, auth.ActionCreateAgent)
}
return auth.UserOp(r.Username, auth.ActionWriteAdmin)
case *params.CreateAgentRequest:
return auth.GlobalOp(auth.ActionCreateAgent)
case *params.UserGroupsRequest:
return auth.UserOp(r.Username, auth.ActionReadGroups)
case *params.SetUserGroupsRequest:
return auth.UserOp(r.Username, auth.ActionWriteGroups)
case *params.ModifyUserGroupsRequest:
return auth.UserOp(r.Username, auth.ActionWriteGroups)
case *params.UserIDPGroupsRequest:
return auth.UserOp(r.Username, auth.ActionReadGroups)
case *params.WhoAmIRequest:
return identchecker.LoginOp
case *params.SSHKeysRequest:
return auth.UserOp(r.Username, auth.ActionReadSSHKeys)
case *params.PutSSHKeysRequest:
return auth.UserOp(r.Username, auth.ActionWriteSSHKeys)
case *params.DeleteSSHKeysRequest:
return auth.UserOp(r.Username, auth.ActionWriteSSHKeys)
case *params.UserTokenRequest:
return auth.UserOp(r.Username, auth.ActionReadAdmin)
case *params.VerifyTokenRequest:
return auth.GlobalOp(auth.ActionVerify)
case *params.UserExtraInfoRequest:
return auth.UserOp(r.Username, auth.ActionReadAdmin)
case *params.SetUserExtraInfoRequest:
return auth.UserOp(r.Username, auth.ActionWriteAdmin)
case *params.UserExtraInfoItemRequest:
return auth.UserOp(r.Username, auth.ActionReadAdmin)
case *params.SetUserExtraInfoItemRequest:
return auth.UserOp(r.Username, auth.ActionWriteAdmin)
case *params.DischargeTokenForUserRequest:
return auth.GlobalOp(auth.ActionDischargeFor)
default:
logger.Infof("unknown API argument type %#v", r)
}
return bakery.Op{}
}