-
Notifications
You must be signed in to change notification settings - Fork 96
/
config.go
211 lines (190 loc) · 5.62 KB
/
config.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
// Copyright (c) 2018, Sylabs Inc. All rights reserved.
// This software is licensed under a 3-clause BSD license. Please consult the
// LICENSE.md file distributed with the sources of this project regarding your
// rights to use or distribute this software.
package capabilities
import (
"encoding/json"
"fmt"
"io"
"io/ioutil"
)
// Caplist defines a map of users/groups with associated list of capabilities
type Caplist map[string][]string
// Config is the in memory representation of the user/group capability
// authorizations as set by an admin
type Config struct {
Users Caplist `json:"users,omitempty"`
Groups Caplist `json:"groups,omitempty"`
}
// ReadFrom reads a capability configuration from an io.Reader and returns a capability
// config with the set of authorized user/group capabilities
func ReadFrom(r io.Reader) (*Config, error) {
c := &Config{
Users: make(Caplist, 0),
Groups: make(Caplist, 0),
}
// read all data from r into b
b, err := ioutil.ReadAll(r)
if err != nil {
return nil, fmt.Errorf("failed to read from io.Reader: %s", err)
}
if len(b) > 0 {
// if we had data to read in io.Reader, attempt to unmarshal as JSON
if err := json.Unmarshal(b, c); err != nil {
return nil, fmt.Errorf("failed to decode JSON data from io.Reader: %s", err)
}
} else {
// if no data in io.Reader, populate c with empty data
data, err := json.Marshal(c)
if err != nil {
return nil, fmt.Errorf("failed to initialize data")
}
json.Unmarshal(data, c)
}
return c, nil
}
// WriteTo writes the capability config into the provided io.Writer. If writing to the
// same file as passed to ReadFrom(io.Reader), the file should be truncated should seek to 0
// before passing the file as the io.Writer
func (c *Config) WriteTo(w io.Writer) (int64, error) {
json, err := json.MarshalIndent(c, "", "\t")
if err != nil {
return 0, fmt.Errorf("failed to marshall capability data to json: %v", err)
}
n, err := w.Write(json)
if err != nil {
return int64(n), fmt.Errorf("failed to write capability json to io.Writer: %v", err)
}
return int64(n), err
}
func (c *Config) checkCaps(caps []string) error {
for _, c := range caps {
if _, ok := Map[c]; !ok {
return fmt.Errorf("unknown capability %s", c)
}
}
return nil
}
// AddUserCaps adds an authorized capability set to user
func (c *Config) AddUserCaps(user string, caps []string) error {
if err := c.checkCaps(caps); err != nil {
return err
}
for _, cap := range caps {
present := false
for _, c := range c.Users[user] {
if c == cap {
present = true
}
}
if !present {
c.Users[user] = append(c.Users[user], cap)
}
}
return nil
}
// AddGroupCaps adds an authorized capability set to group
func (c *Config) AddGroupCaps(group string, caps []string) error {
if err := c.checkCaps(caps); err != nil {
return err
}
for _, cap := range caps {
present := false
for _, c := range c.Groups[group] {
if c == cap {
present = true
}
}
if !present {
c.Groups[group] = append(c.Groups[group], cap)
}
}
return nil
}
// DropUserCaps drops a set of capabilities for user
func (c *Config) DropUserCaps(user string, caps []string) error {
if err := c.checkCaps(caps); err != nil {
return err
}
if _, ok := c.Users[user]; !ok {
return fmt.Errorf("user '%s' not found", user)
}
for _, cap := range caps {
for i := len(c.Users[user]) - 1; i >= 0; i-- {
if c.Users[user][i] == cap {
c.Users[user] = append(c.Users[user][:i], c.Users[user][i+1:]...)
}
}
}
return nil
}
// DropGroupCaps drops a set of capabilities for group
func (c *Config) DropGroupCaps(group string, caps []string) error {
if err := c.checkCaps(caps); err != nil {
return err
}
if _, ok := c.Groups[group]; !ok {
return fmt.Errorf("group '%s' not found", group)
}
for _, cap := range caps {
for i := len(c.Groups[group]) - 1; i >= 0; i-- {
if c.Groups[group][i] == cap {
c.Groups[group] = append(c.Groups[group][:i], c.Groups[group][i+1:]...)
}
}
}
return nil
}
// ListUserCaps returns a capability list authorized for user
func (c *Config) ListUserCaps(user string) []string {
return c.Users[user]
}
// ListGroupCaps returns a capability list authorized for group
func (c *Config) ListGroupCaps(group string) []string {
return c.Groups[group]
}
// ListAllCaps returns capability list for both authorized users and groups
func (c *Config) ListAllCaps() (Caplist, Caplist) {
return c.Users, c.Groups
}
// CheckUserCaps checks if provided capability list for user are whether
// or not authorized by returning two lists, the first one containing
// authorized capabilities and the second one containing unauthorized
// capabilities
func (c *Config) CheckUserCaps(user string, caps []string) (authorized []string, unauthorized []string) {
for _, ca := range caps {
present := false
for _, userCap := range c.ListUserCaps(user) {
if userCap == ca {
authorized = append(authorized, ca)
present = true
break
}
}
if !present {
unauthorized = append(unauthorized, ca)
}
}
return authorized, unauthorized
}
// CheckGroupCaps checks if provided capability list for group are whether
// or not authorized by returning two lists, the first one containing
// authorized capabilities and the second one containing unauthorized
// capabilities
func (c *Config) CheckGroupCaps(group string, caps []string) (authorized []string, unauthorized []string) {
for _, ca := range caps {
present := false
for _, groupCap := range c.ListGroupCaps(group) {
if groupCap == ca {
authorized = append(authorized, ca)
present = true
break
}
}
if !present {
unauthorized = append(unauthorized, ca)
}
}
return authorized, unauthorized
}