// Copyright 2016 NDP Systèmes. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package models
import (
"sync"
"github.com/labneco/doxa/doxa/models/security"
)
// A RecordRule allows granting a group some permissions
// on a selection of records.
//   - If Global is true, then the RecordRule applies to all groups
//   - Condition is the filter to apply on the model to retrieve
//     the records on which to allow the Perms permission.
type RecordRule struct {
	// Name identifies the rule. The registry indexes rules by this name,
	// and it is the key used to remove the rule again.
	Name string
	// Global marks a rule that applies to all groups. Global rules are
	// indexed separately from group rules by the registry.
	Global bool
	// Group is the group the rule applies to when Global is false.
	// It must be non-nil in that case: the registry reads Group.Name
	// when indexing a non-global rule.
	Group *security.Group
	// Condition is the filter selecting the records covered by the rule.
	Condition *Condition
	// Perms is the permission allowed on the records matched by Condition.
	Perms security.Permission
}
// A recordRuleRegistry keeps a list of RecordRule. It is meant
// to be attached to a model.
//
// The same rule is reachable through several indexes, so every
// mutation has to update all of them to keep the registry coherent.
type recordRuleRegistry struct {
	// The embedded lock guards the three maps below; addRule and
	// removeRule hold it for writing.
	sync.RWMutex
	// rulesByName holds every registered rule, keyed by rule name.
	rulesByName map[string]*RecordRule
	// rulesByGroup holds the non-global rules, keyed by group name.
	rulesByGroup map[string][]*RecordRule
	// globalRules holds the global rules, keyed by rule name.
	globalRules map[string]*RecordRule
}
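// addRule registers the given RecordRule in the registry under rule.Name.
//
// Rule names are unique within a registry: registering a rule whose name
// is already in use replaces the earlier rule in every index. Overwriting
// only rulesByName would leave the earlier rule behind in rulesByGroup or
// globalRules, where it no longer matches what rulesByName says is
// registered.
//
// addRule panics if rule is nil, or if rule is not Global and has no
// Group. Both checks run before the registry is modified.
func (rrr *recordRuleRegistry) addRule(rule *RecordRule) {
	// Validate before touching any index so that a malformed rule cannot
	// leave the registry half-updated.
	if rule == nil {
		panic("models: cannot register a nil RecordRule")
	}
	if !rule.Global && rule.Group == nil {
		panic("models: non-global RecordRule " + rule.Name + " has no Group")
	}

	rrr.Lock()
	defer rrr.Unlock()

	if _, exists := rrr.rulesByName[rule.Name]; exists {
		// Purge the rule being replaced from every index. All groups are
		// scanned because the earlier rule may belong to another group
		// than the new one.
		delete(rrr.globalRules, rule.Name)
		for groupName, rules := range rrr.rulesByGroup {
			// Build a fresh slice rather than filtering in place, so a
			// slice previously read from the map is left untouched.
			kept := make([]*RecordRule, 0, len(rules))
			for _, r := range rules {
				if r.Name != rule.Name {
					kept = append(kept, r)
				}
			}
			if len(kept) != len(rules) {
				rrr.rulesByGroup[groupName] = kept
			}
		}
	}

	rrr.rulesByName[rule.Name] = rule
	if rule.Global {
		rrr.globalRules[rule.Name] = rule
		return
	}
	rrr.rulesByGroup[rule.Group.Name] = append(rrr.rulesByGroup[rule.Group.Name], rule)
}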
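// removeRule removes the RecordRule registered under name from every
// index of the registry. If no rule has that name, it logs a warning and
// leaves the registry unchanged.
//
// Removal revokes the permissions the rule grants, so it must not leave
// the rule reachable through any index. The rule is therefore purged by
// name from globalRules and from every group, without relying on the
// Global and Group fields of the stored rule: those may have changed
// since registration, and a name registered twice may be indexed under
// more than one group.
func (rrr *recordRuleRegistry) removeRule(name string) {
	rrr.Lock()
	defer rrr.Unlock()

	if _, exists := rrr.rulesByName[name]; !exists {
		log.Warn("Trying to remove non-existent record rule", "name", name)
		return
	}
	delete(rrr.rulesByName, name)
	// Deleting a missing key is a no-op, so this is safe for group rules.
	delete(rrr.globalRules, name)

	for groupName, rules := range rrr.rulesByGroup {
		// Filter by appending instead of writing into a slice sized
		// len-1: that sizing is only right when the group holds exactly
		// one rule with this name. It panics when there is none and
		// leaves nil entries when there are several.
		kept := make([]*RecordRule, 0, len(rules))
		for _, r := range rules {
			if r.Name != name {
				kept = append(kept, r)
			}
		}
		if len(kept) != len(rules) {
			rrr.rulesByGroup[groupName] = kept
		}
	}
}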
// newRecordRuleRegistry builds an empty recordRuleRegistry whose three
// index maps are allocated and ready for addRule.
func newRecordRuleRegistry() *recordRuleRegistry {
	reg := new(recordRuleRegistry)
	reg.rulesByName = map[string]*RecordRule{}
	reg.rulesByGroup = map[string][]*RecordRule{}
	reg.globalRules = map[string]*RecordRule{}
	return reg
}
// AddRecordRule attaches rule to this model by handing it to the
// model's record rule registry, which indexes it by rule.Name.
func (m *Model) AddRecordRule(rule *RecordRule) {
	registry := m.rulesRegistry
	registry.addRule(rule)
}
// RemoveRecordRule asks this model's record rule registry to drop the
// rule registered under name.
func (m *Model) RemoveRecordRule(name string) {
	registry := m.rulesRegistry
	registry.removeRule(name)
}