add migration from manifest to policies

reddec · Jul 25, 2020 · 7b235f0 · 7b235f0
1 parent 1e0b3e2
commit 7b235f0
Show file tree

Hide file tree

Showing 4 changed files with 64 additions and 6 deletions.
diff --git a/application/cases/migration.go b/application/cases/migration.go
@@ -2,15 +2,24 @@ package cases
 
 import (
 	"encoding/json"
+	"os"
+	"path/filepath"
+
 	"github.com/reddec/trusted-cgi/application"
 	"github.com/reddec/trusted-cgi/internal"
 	"github.com/reddec/trusted-cgi/types"
-	"os"
-	"path/filepath"
 )
 
 type legacyManifestPart struct {
-	Aliases types.JsonStringSet `json:"aliases"`
+	Aliases       types.JsonStringSet `json:"aliases"`
+	AllowedIP     types.JsonStringSet `json:"allowed_ip,omitempty"`     // limit incoming connections from list of IP
+	AllowedOrigin types.JsonStringSet `json:"allowed_origin,omitempty"` // limit incoming connections by origin header
+	Public        bool                `json:"public"`                   // if public, tokens are ignores
+	Tokens        map[string]string   `json:"tokens,omitempty"`
+}
+
+func (lmr *legacyManifestPart) hasPolicy() bool {
+	return len(lmr.AllowedIP) > 0 || len(lmr.AllowedOrigin) > 0 || len(lmr.Tokens) > 0
 }
 
 func (lmr *legacyManifestPart) Read(file string) error {
@@ -34,5 +43,23 @@ func (impl *casesImpl) applyMigration(uid, path string, fn application.Lambda) e
 			return err
 		}
 	}
+	if !m.hasPolicy() {
+		return fn.SetManifest(fn.Manifest())
+	}
+
+	policy := application.PolicyDefinition{
+		AllowedIP:     m.AllowedIP,
+		AllowedOrigin: m.AllowedOrigin,
+		Public:        m.Public,
+		Tokens:        m.Tokens,
+	}
+	p, err := impl.policies.Create(uid+"-"+fn.Manifest().Name, policy)
+	if err != nil {
+		return err
+	}
+	err = impl.policies.Apply(uid, p.ID)
+	if err != nil {
+		return err
+	}
 	return fn.SetManifest(fn.Manifest())
 }
diff --git a/application/interfaces.go b/application/interfaces.go
@@ -2,11 +2,12 @@ package application
 
 import (
 	"context"
-	"github.com/reddec/trusted-cgi/templates"
-	"github.com/reddec/trusted-cgi/types"
 	"io"
 	"regexp"
 	"time"
+
+	"github.com/reddec/trusted-cgi/templates"
+	"github.com/reddec/trusted-cgi/types"
 )
 
 type FileSystem interface {
@@ -166,4 +167,8 @@ type Policies interface {
 	Apply(lambda string, policy string) error
 	// Clear applied policy for the lambda
 	Clear(lambda string) error
+	// Get policy by name or return error
+	Get(policy string) (*Policy, error)
+	// Find policy by lambda
+	Find(lambda string) (*Policy, error)
 }
diff --git a/application/policy/impl.go b/application/policy/impl.go
@@ -131,6 +131,30 @@ func (policies *policiesImpl) Clear(lambda string) error {
 	return policies.store.SetPolicies(policies.unsafeList())
 }
 
+func (policies *policiesImpl) Get(policy string) (*application.Policy, error) {
+	policies.lock.RLock()
+	defer policies.lock.RUnlock()
+	inst, exists := policies.policiesByID[policy]
+	if !exists {
+		return nil, fmt.Errorf("policy %s does not exist", policy)
+	}
+	return inst, nil
+}
+
+func (policies *policiesImpl) Find(lambda string) (*application.Policy, error) {
+	policies.lock.RLock()
+	defer policies.lock.RUnlock()
+	policy, exists := policies.policiesByLambda[lambda]
+	if !exists {
+		return nil, fmt.Errorf("lambda %s has no applied policy", lambda)
+	}
+	inst, exists := policies.policiesByID[policy]
+	if !exists {
+		return nil, fmt.Errorf("policy %s does not exist - corrupted data", policy)
+	}
+	return inst, nil
+}
+
 func (policies *policiesImpl) unsafeUnlink(lambda string) bool {
 	policyId, hasPolicy := policies.policiesByLambda[lambda]
 	if !hasPolicy {

diff --git a/docs/usage/security.md b/docs/usage/security.md
@@ -7,4 +7,6 @@ nav_order: 5
 
 # Security
 
-Since `0.3.5` most security migrated to separate entity - [Policy](../administrating/policies.md).
+Since `0.3.5` most security migrated to separate entity - [Policy](../administrating/policies.md).
+
+Migration from `0.3.4` should be done automatically after restart.