Merge 74d26de into 3c54c2c

uc-cdis · Aug 21, 2019 · 9564b57 · 9564b57
2 parents 3c54c2c + 74d26de
commit 9564b57
Show file tree

Hide file tree

Showing 10 changed files with 183 additions and 184 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -1,7 +1,7 @@
 language: go
 
 go:
-  - "1.10"
+  - "1.12"
 
 # Restrict to cloning only 1 commit.
 git:

diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.10-alpine as build
+FROM golang:1.12-alpine as build
 
 # Install SSL certificates
 RUN apk update && apk add --no-cache git ca-certificates gcc musl-dev jq curl bash postgresql

diff --git a/DockerfileAlpine b/DockerfileAlpine
@@ -1,4 +1,4 @@
-FROM golang:1.10-alpine as build
+FROM golang:1.12-alpine as build
 
 # Install SSL certificates
 RUN apk update && apk add --no-cache git ca-certificates gcc musl-dev bash jq

diff --git a/Makefile b/Makefile
@@ -1,4 +1,5 @@
 _default: bin/arborist
+	@:  # if we have a command this silences "nothing to be done"
 
 bin/arborist: arborist/*.go # help: run the server
 	go build -o bin/arborist
@@ -13,7 +14,8 @@ coverage: test # help: generate test coverage file
 	go test --coverprofile=coverage.out ./arborist/
 
 db-test: $(which psql) # help: set up the database for testing (run automatically by `test`)
-	createdb || true
+	@echo 'createdb || true'
+	@createdb 2>&1 | grep -v 'already exist' || true
 	./migrations/latest
 
 up: upgrade # help: try to migrate the database to the next more recent version

diff --git a/arborist/auth.go b/arborist/auth.go
@@ -111,7 +111,7 @@ func authorizeAnonymous(request *AuthRequest) (*AuthResponse, error) {
 	resource := request.Resource
 	// See if the resource field is a path or a tag.
 	if strings.HasPrefix(resource, "/") {
-		resource = formatPathForDb(resource)
+		resource = FormatPathForDb(resource)
 	} else {
 		tag = resource
 		resource = ""
@@ -203,7 +203,7 @@ func authorizeUser(request *AuthRequest) (*AuthResponse, error) {
 	resource := request.Resource
 	// See if the resource field is a path or a tag.
 	if strings.HasPrefix(resource, "/") {
-		resource = formatPathForDb(resource)
+		resource = FormatPathForDb(resource)
 	} else {
 		tag = resource
 		resource = ""
@@ -212,34 +212,36 @@ func authorizeUser(request *AuthRequest) (*AuthResponse, error) {
 	if resource != "" {
 		err = request.stmts.Select(
 			`
-			SELECT coalesce(text2ltree($6) <@ resource.path, FALSE) FROM (
-				SELECT usr_policy.policy_id FROM usr
-				INNER JOIN usr_policy ON usr_policy.usr_id = usr.id
-				WHERE usr.name = $1
-				UNION
-				SELECT grp_policy.policy_id FROM usr
-				INNER JOIN usr_grp ON usr_grp.usr_id = usr.id
-				INNER JOIN grp_policy ON grp_policy.grp_id = usr_grp.grp_id
-				WHERE usr.name = $1
-				UNION
-				SELECT grp_policy.policy_id FROM grp
-				INNER JOIN grp_policy ON grp_policy.grp_id = grp.id
-				WHERE grp.name = 'anonymous' OR grp.name = 'logged-in'
-			) AS policies
-			JOIN policy_resource ON policy_resource.policy_id = policies.policy_id
-			JOIN resource ON resource.id = policy_resource.resource_id
-			WHERE EXISTS (
-				SELECT 1 FROM policy_role
-				JOIN permission ON permission.role_id = policy_role.role_id
-				WHERE policy_role.policy_id = policies.policy_id
-				AND (permission.service = $2 OR permission.service = '*')
-				AND (permission.method = $3 OR permission.method = '*')
-			) AND (
-				$4 OR policies.policy_id IN (
-					SELECT id FROM policy
-					WHERE policy.name = ANY($5)
+			SELECT coalesce(text2ltree($6) <@ allowed, FALSE) FROM (
+				SELECT array_agg(resource.path) AS allowed FROM (
+					SELECT usr_policy.policy_id FROM usr
+					INNER JOIN usr_policy ON usr_policy.usr_id = usr.id
+					WHERE usr.name = $1
+					UNION
+					SELECT grp_policy.policy_id FROM usr
+					INNER JOIN usr_grp ON usr_grp.usr_id = usr.id
+					INNER JOIN grp_policy ON grp_policy.grp_id = usr_grp.grp_id
+					WHERE usr.name = $1
+					UNION
+					SELECT grp_policy.policy_id FROM grp
+					INNER JOIN grp_policy ON grp_policy.grp_id = grp.id
+					WHERE grp.name = 'anonymous' OR grp.name = 'logged-in'
+				) AS policies
+				JOIN policy_resource ON policy_resource.policy_id = policies.policy_id
+				JOIN resource ON resource.id = policy_resource.resource_id
+				WHERE EXISTS (
+					SELECT 1 FROM policy_role
+					JOIN permission ON permission.role_id = policy_role.role_id
+					WHERE policy_role.policy_id = policies.policy_id
+					AND (permission.service = $2 OR permission.service = '*')
+					AND (permission.method = $3 OR permission.method = '*')
+				) AND (
+					$4 OR policies.policy_id IN (
+						SELECT id FROM policy
+						WHERE policy.name = ANY($5)
+					)
 				)
-			)
+			) _
 			`,
 			&authorized,
 			request.Username,           // $1
@@ -252,34 +254,36 @@ func authorizeUser(request *AuthRequest) (*AuthResponse, error) {
 	} else if tag != "" {
 		err = request.stmts.Select(
 			`
-			SELECT coalesce((SELECT resource.path FROM resource WHERE resource.tag = $6) <@ resource.path, FALSE) FROM (
-				SELECT usr_policy.policy_id FROM usr
-				INNER JOIN usr_policy ON usr_policy.usr_id = usr.id
-				WHERE usr.name = $1
-				UNION
-				SELECT grp_policy.policy_id FROM usr
-				INNER JOIN usr_grp ON usr_grp.usr_id = usr.id
-				INNER JOIN grp_policy ON grp_policy.grp_id = usr_grp.grp_id
-				WHERE usr.name = $1
-				UNION
-				SELECT grp_policy.policy_id FROM grp
-				INNER JOIN grp_policy ON grp_policy.grp_id = grp.id
-				WHERE grp.name = 'anonymous' OR grp.name = 'logged-in'
-			) AS policies
-			JOIN policy_resource ON policy_resource.policy_id = policies.policy_id
-			JOIN resource ON resource.id = policy_resource.resource_id
-			WHERE EXISTS (
-				SELECT 1 FROM policy_role
-				JOIN permission ON permission.role_id = policy_role.role_id
-				WHERE policy_role.policy_id = policies.policy_id
-				AND (permission.service = $2 OR permission.service = '*')
-				AND (permission.method = $3 OR permission.method = '*')
-			) AND (
-				$4 OR policies.policy_id IN (
-					SELECT id FROM policy
-					WHERE policy.name = ANY($5)
+			SELECT coalesce((SELECT resource.path FROM resource WHERE resource.tag = $6) <@ allowed, FALSE) FROM (
+				SELECT array_agg(resource.path) AS allowed FROM (
+					SELECT usr_policy.policy_id FROM usr
+					INNER JOIN usr_policy ON usr_policy.usr_id = usr.id
+					WHERE usr.name = $1
+					UNION
+					SELECT grp_policy.policy_id FROM usr
+					INNER JOIN usr_grp ON usr_grp.usr_id = usr.id
+					INNER JOIN grp_policy ON grp_policy.grp_id = usr_grp.grp_id
+					WHERE usr.name = $1
+					UNION
+					SELECT grp_policy.policy_id FROM grp
+					INNER JOIN grp_policy ON grp_policy.grp_id = grp.id
+					WHERE grp.name = 'anonymous' OR grp.name = 'logged-in'
+				) AS policies
+				JOIN policy_resource ON policy_resource.policy_id = policies.policy_id
+				JOIN resource ON resource.id = policy_resource.resource_id
+				WHERE EXISTS (
+					SELECT 1 FROM policy_role
+					JOIN permission ON permission.role_id = policy_role.role_id
+					WHERE policy_role.policy_id = policies.policy_id
+					AND (permission.service = $2 OR permission.service = '*')
+					AND (permission.method = $3 OR permission.method = '*')
+				) AND (
+					$4 OR policies.policy_id IN (
+						SELECT id FROM policy
+						WHERE policy.name = ANY($5)
+					)
 				)
-			)
+			) _
 			`,
 			&authorized,
 			request.Username,           // $1
@@ -299,7 +303,7 @@ func authorizeUser(request *AuthRequest) (*AuthResponse, error) {
 	return &AuthResponse{result}, nil
 }
 
-// This is similar as authorizeUser, only that this method checks for clientID only
+// This is similar to authorizeUser, only that this method checks for clientID only
 func authorizeClient(request *AuthRequest) (*AuthResponse, error) {
 	var err error
 	var tag string
@@ -308,7 +312,7 @@ func authorizeClient(request *AuthRequest) (*AuthResponse, error) {
 	resource := request.Resource
 	// See if the resource field is a path or a tag.
 	if strings.HasPrefix(resource, "/") {
-		resource = formatPathForDb(resource)
+		resource = FormatPathForDb(resource)
 	} else {
 		tag = resource
 		resource = ""
@@ -424,6 +428,7 @@ func authRequestFromGET(decode func(string, []string) (*TokenInfo, error), r *ht
 	return &authRequest, nil
 }
 
+// See the FIXME inside. Be careful how this is called, until the implementation is updated.
 func authorizedResources(db *sqlx.DB, request *AuthRequest) ([]ResourceFromQuery, *ErrorResponse) {
 	// if policies are specified in the request, we can use those (simplest query).
 	if request.Policies != nil && len(request.Policies) > 0 {

diff --git a/arborist/policy.go b/arborist/policy.go
@@ -141,7 +141,7 @@ func (policy *Policy) resources(tx *sqlx.Tx) ([]ResourceFromQuery, error) {
 	resources := []ResourceFromQuery{}
 	queryPaths := make([]string, len(policy.ResourcePaths))
 	for i, path := range policy.ResourcePaths {
-		queryPaths[i] = formatPathForDb(path)
+		queryPaths[i] = FormatPathForDb(path)
 	}
 	resourcesStmt := selectInStmt("resource", "ltree2text(path)", queryPaths)
 	err := tx.Select(&resources, resourcesStmt)