-
Notifications
You must be signed in to change notification settings - Fork 1
/
accessd.go
150 lines (126 loc) · 4.82 KB
/
accessd.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
/*
Copyright 2020 The Magma Authors.
This source code is licensed under the BSD-style license found in the
LICENSE file in the root directory of this source tree.
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
/*
Accessd service provides the gRPC interface for cloud services & REST server to
check & manage Identity access permissions.
*/
package servicers
import (
"github.com/go-magma/magma/orc8r/cloud/go/services/accessd/storage"
"golang.org/x/net/context"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
"github.com/go-magma/magma/lib/go/protos"
accessprotos "github.com/go-magma/magma/orc8r/cloud/go/services/accessd/protos"
)
type AccessControlServer struct {
store storage.AccessdStorage
}
func NewAccessdServer(store storage.AccessdStorage) *AccessControlServer {
return &AccessControlServer{store}
}
// SetOperator Overwrites Permissions for operator Identity to manage others
// Request includes ACL to add for the Operator
func (srv *AccessControlServer) SetOperator(ctx context.Context, req *accessprotos.AccessControl_ListRequest) (*protos.Void, error) {
err := accessprotos.VerifyACLRequest(req)
if err != nil {
return nil, err
}
acl := &accessprotos.AccessControl_List{
Operator: req.Operator,
Entities: map[string]*accessprotos.AccessControl_Entity{},
}
err = accessprotos.AddToACL(acl, req.Entities)
if err != nil {
return nil, err
}
err = srv.store.PutACL(req.Operator, acl)
if err != nil {
return nil, err
}
return &protos.Void{}, nil
}
// AddACL Adds Permissions for one Identity to manage others
// Request includes ACL to add for the Operator
func (srv *AccessControlServer) UpdateOperator(ctx context.Context, req *accessprotos.AccessControl_ListRequest) (*protos.Void, error) {
err := accessprotos.VerifyACLRequest(req)
if err != nil {
return nil, err
}
err = srv.store.UpdateACLWithEntities(req.Operator, req.Entities)
if err != nil {
return nil, err
}
return &protos.Void{}, nil
}
// DeleteOperator Removes all operator's permissions (the entire operator's ACL)
func (srv *AccessControlServer) DeleteOperator(ctx context.Context, oper *protos.Identity) (*protos.Void, error) {
return &protos.Void{}, srv.store.DeleteACL(oper)
}
// GetOperatorACL Returns the managing Identity's permissions list
func (srv *AccessControlServer) GetOperatorACL(ctx context.Context, oper *protos.Identity) (*accessprotos.AccessControl_List, error) {
return srv.store.GetACL(oper)
}
// GetOperatorsACLs Returns the managing Identities' permissions list
func (srv *AccessControlServer) GetOperatorsACLs(
ctx context.Context, opers *protos.Identity_List,
) (*accessprotos.AccessControl_Lists, error) {
res, err := srv.store.GetManyACL(opers.GetList())
return &accessprotos.AccessControl_Lists{Acls: res}, err
}
// Returns the managing Identity's permissions for a given entity
// NOTE: Takes into account wildcards for the entity's type in the ACL
func (srv *AccessControlServer) GetPermissions(
ctx context.Context,
req *accessprotos.AccessControl_PermissionsRequest,
) (*accessprotos.AccessControl_Entity, error) {
res := &accessprotos.AccessControl_Entity{}
err := accessprotos.VerifyPermissionsRequest(req)
if err != nil {
return res, err
}
acl, err := srv.store.GetACL(req.Operator)
if err != nil {
return res, err
}
res.Id = req.Entity
res.Permissions = accessprotos.GetEntityPermissions(acl, res.Id) // Aggregated entity permissions
return res, nil
}
// Returns the managing Identity's permissions for a given entity
// NOTE: Takes into account wildcards for the entity's type in the ACL
func (srv *AccessControlServer) CheckPermissions(
ctx context.Context,
req *accessprotos.AccessControl_ListRequest,
) (*protos.Void, error) {
err := accessprotos.VerifyACLRequest(req)
if err != nil {
return nil, err
}
acl, err := srv.store.GetACL(req.Operator)
if err != nil {
return nil, err
}
return &protos.Void{}, accessprotos.CheckEntitiesPermissions(acl, req.Entities)
}
// Lists all globally registered operators on the cloud
func (srv *AccessControlServer) ListOperators(ctx context.Context, _ *protos.Void) (*protos.Identity_List, error) {
res := new(protos.Identity_List)
operators, err := srv.store.ListAllIdentity()
res.List = operators
return res, err
}
// Cleanup a given entity from all Operators' ACLs
// TBD: This needs to be implemented to avoid security venerability when deleting
// a network with customer selected ID (vs. generated by the cloud ID)
func (srv *AccessControlServer) DeleteEntity(ctx context.Context, ent *protos.Identity) (*protos.Void, error) {
return nil, status.Errorf(codes.Unimplemented, "Not Implemented")
}