package auth
import (
"errors"
"fmt"
"github.com/treeverse/lakefs/pkg/auth/model"
"github.com/treeverse/lakefs/pkg/permissions"
)
// ErrStatementNotFound is the sentinel error (wrapped with the policy type
// name by the lookup functions in this file) for a policy type that has no
// entry in statementByName. Match it with errors.Is.
var ErrStatementNotFound = errors.New("statement not found")
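// statementByName holds the template Statement for each policy type, keyed
// by policy name. Every entry carries only Action and Effect; Resource is
// deliberately left empty and is filled in per resource by
// MakeStatementForPolicyType.
//
// This map is package-level shared state. Nothing may hand a template (or
// its Action slice) out for mutation: GetActionsForPolicyType copies the
// actions before returning them for exactly this reason.
var statementByName = map[string]model.Statement{
	"AllAccess": {
		Action: []string{"fs:*", "auth:*", "ci:*", "retention:*", "branches:*"},
		Effect: model.StatementEffectAllow,
	},
	"FSFullAccess": {
		Action: []string{
			"fs:*",
		},
		Effect: model.StatementEffectAllow,
	},
	"FSReadWrite": {
		Action: []string{
			"fs:Read*",
			"fs:List*",
			permissions.WriteObjectAction,
			permissions.DeleteObjectAction,
			permissions.RevertBranchAction,
			permissions.CreateBranchAction,
			permissions.CreateTagAction,
			permissions.DeleteBranchAction,
			permissions.DeleteTagAction,
			permissions.CreateCommitAction,
			permissions.CreateMetaRangeAction,
		},
		Effect: model.StatementEffectAllow,
	},
	"FSReadConfig": {
		Action: []string{
			permissions.ReadConfigAction,
		},
		Effect: model.StatementEffectAllow,
	},
	"FSRead": {
		Action: []string{
			"fs:List*",
			"fs:Read*",
		},
		Effect: model.StatementEffectAllow,
	},
	"RepoManagementRead": {
		Action: []string{
			"ci:Read*",
			"retention:Get*",
			"branches:Get*",
			permissions.ReadConfigAction,
		},
		Effect: model.StatementEffectAllow,
	},
	"AuthManageOwnCredentials": {
		Action: []string{
			permissions.CreateCredentialsAction,
			permissions.DeleteCredentialsAction,
			permissions.ListCredentialsAction,
			permissions.ReadCredentialsAction,
		},
		Effect: model.StatementEffectAllow,
	},
}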
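// GetActionsForPolicyType returns the actions granted by policy type typ.
//
// The result is a fresh copy of the template's Action slice, so callers may
// modify it without altering the shared statementByName table. It returns an
// error wrapping ErrStatementNotFound when typ is not a known policy type.
func GetActionsForPolicyType(typ string) ([]string, error) {
	statement, ok := statementByName[typ]
	if !ok {
		return nil, fmt.Errorf("%w: %s", ErrStatementNotFound, typ)
	}
	// Copy rather than alias: the template's backing array is package-level
	// shared state, and handing it out would let a caller rewrite the policy
	// definition for everyone.
	actions := make([]string, len(statement.Action))
	copy(actions, statement.Action)
	return actions, nil
}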
// GetActionsForPolicyTypeOrDie is GetActionsForPolicyType for callers that
// treat an unknown policy type as a programming error: it panics with the
// lookup error instead of returning it. Intended for fixed, compile-time
// policy names, not for names taken from user input.
func GetActionsForPolicyTypeOrDie(typ string) []string {
	actions, err := GetActionsForPolicyType(typ)
	if err == nil {
		return actions
	}
	panic(err)
}
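// MakeStatementForPolicyType returns one statement per entry of resources:
// each is a copy of policy type typ's template statement with Resource set
// to that entry. An empty resources yields an empty (non-nil) Statements.
//
// Every returned statement owns its Action slice, so the result can be
// modified without touching the shared statementByName table (the same
// guarantee GetActionsForPolicyType gives). It returns an error wrapping
// ErrStatementNotFound when typ is unknown, and a plain error when the
// template already carries a Resource: the table never sets one, and such a
// statement cannot be re-scoped here.
func MakeStatementForPolicyType(typ string, resources []string) (model.Statements, error) {
	statement, ok := statementByName[typ]
	if !ok {
		return nil, fmt.Errorf("%w: %s", ErrStatementNotFound, typ)
	}
	// The template check is independent of the loop, so do it once. Checking
	// it per iteration and skipping the assignment would silently hand back
	// zero-valued statements instead of reporting the problem.
	if statement.Resource != "" {
		return nil, fmt.Errorf("policy type %s: template statement already bound to resource %q", typ, statement.Resource)
	}
	statements := make(model.Statements, len(resources))
	for i, resource := range resources {
		// Struct assignment copies the header only; detach the Action slice so
		// the statements do not share (and cannot mutate) the template's array.
		actions := make([]string, len(statement.Action))
		copy(actions, statement.Action)
		statements[i] = statement
		statements[i].Action = actions
		statements[i].Resource = resource
	}
	return statements, nil
}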
// MakeStatementForPolicyTypeOrDie is MakeStatementForPolicyType for callers
// that treat a lookup failure as a programming error: it panics with the
// returned error instead of propagating it. Use it only with fixed policy
// names known at compile time.
func MakeStatementForPolicyTypeOrDie(typ string, resources []string) model.Statements {
	result, err := MakeStatementForPolicyType(typ, resources)
	if err == nil {
		return result
	}
	panic(err)
}