-
Notifications
You must be signed in to change notification settings - Fork 180
/
rest-resource-handler.go
146 lines (124 loc) · 5.08 KB
/
rest-resource-handler.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
/*
* Copyright (c) 2019-2021. Abstrium SAS <team (at) pydio.com>
* This file is part of Pydio Cells.
*
* Pydio Cells is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Pydio Cells is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with Pydio Cells. If not, see <http://www.gnu.org/licenses/>.
*
* The latest code can be found at <https://pydio.com>.
*/
// Package resources provides extendable service Handler for managing resource-policy based data.
package resources
import (
"context"
"fmt"
"github.com/ory/ladon"
"github.com/ory/ladon/manager/memory"
"github.com/pydio/cells/v4/common/service/errors"
"github.com/pydio/cells/v4/common/auth"
"github.com/pydio/cells/v4/common/proto/rest"
"github.com/pydio/cells/v4/common/proto/service"
)
// PoliciesLoaderFunc is a signature for a function that can load policies from a given resource
type PoliciesLoaderFunc func(ctx context.Context, resourceId string, resourceClient interface{}) (policies []*service.ResourcePolicy, e error)
// ResourceProviderHandler abstracts class that can be implemented by REST handlers
// to add Policies checking capabilities
type ResourceProviderHandler struct {
ResourceName string
ServiceName string
PoliciesLoader PoliciesLoaderFunc
}
// IsAllowed matches a resourceId against a policy Action
// It uses the PoliciesLoader function to first grab the policies associated to this resource,
// then use an in-memory warden to check the policies stack.
func (r *ResourceProviderHandler) IsAllowed(ctx context.Context, resourceId string, action service.ResourcePolicyAction, resourceClient interface{}) (err error) {
if r.PoliciesLoader == nil {
return errors.InternalServerError(r.ServiceName, "PoliciesLoader function is not implemented")
}
if resourceId == "" {
return errors.NotFound(r.ServiceName, "Empty resourceId")
}
var policies []*service.ResourcePolicy
if policies, err = r.PoliciesLoader(ctx, resourceId, resourceClient); err != nil {
return err
}
if r.MatchPolicies(ctx, resourceId, policies, action) {
return nil
} else {
return errors.Forbidden(r.ServiceName, fmt.Sprintf("Action %s is not allowed on %s %s", action.String(), r.ResourceName, resourceId))
}
}
// IsContextEditable can be used for outputting results with a flag telling wether this resource can be edited by the
// currently logged user
func (r *ResourceProviderHandler) IsContextEditable(ctx context.Context, resourceId string, policies []*service.ResourcePolicy) bool {
return r.MatchPolicies(ctx, resourceId, policies, service.ResourcePolicyAction_WRITE)
}
// RestToServiceResourcePolicy transforms input rest.ResourcePolicy to service.ResourcePolicy that can be used internally
func (r *ResourceProviderHandler) RestToServiceResourcePolicy(ctx context.Context, input *rest.ResourcePolicyQuery) (output *service.ResourcePolicyQuery, e error) {
var subjects []string
var err error
if subjects, err = auth.SubjectsForResourcePolicyQuery(ctx, input); err != nil {
return output, errors.Forbidden(r.ServiceName, err.Error())
}
if input != nil && input.Type == rest.ResourcePolicyQuery_NONE {
return &service.ResourcePolicyQuery{
Empty: true,
}, nil
} else if input != nil && input.Type == rest.ResourcePolicyQuery_ANY {
return &service.ResourcePolicyQuery{
Any: true,
}, nil
} else {
return &service.ResourcePolicyQuery{
Subjects: subjects,
}, nil
}
}
// MatchPolicies creates an memory-based policy stack checker to check if action is allowed or denied.
// It uses a DenyByDefault strategy
func (r *ResourceProviderHandler) MatchPolicies(ctx context.Context, resourceId string, policies []*service.ResourcePolicy, action service.ResourcePolicyAction, subjects ...string) bool {
warden := &ladon.Ladon{Manager: memory.NewMemoryManager()}
for i, pol := range policies {
id := fmt.Sprintf("%v", pol.Id)
if pol.Id == 0 {
id = fmt.Sprintf("%d", i)
}
// We could add also conditions here
ladonPol := &ladon.DefaultPolicy{
ID: id,
Resources: []string{pol.Resource},
Actions: []string{pol.Action.String()},
Effect: pol.Effect.String(),
Subjects: []string{pol.Subject},
}
warden.Manager.Create(ladonPol)
}
if len(subjects) == 0 {
subjects, _ = auth.SubjectsForResourcePolicyQuery(ctx, nil)
}
// check that at least one of the subject is allowed
var allow bool
for _, subject := range subjects {
request := &ladon.Request{
Resource: resourceId,
Subject: subject,
Action: action.String(),
}
if err := warden.IsAllowed(request); err != nil && err == ladon.ErrRequestForcefullyDenied {
return false
} else if err == nil {
allow = true
} // Else "default deny" => continue checking
}
return allow
}