vertexproject · MichaelSquires · Sep 19, 2023 · Sep 6, 2023 · Sep 7, 2023 · Sep 7, 2023
diff --git a/synapse/cortex.py b/synapse/cortex.py
@@ -1494,12 +1494,37 @@ async def getStormIfaces(self, name):
 
     def _initCorePerms(self):
         self._cortex_permdefs.extend((
-            {'perm': ('view',), 'gate': 'cortex',
-             'desc': 'Controls all view permissions.'},
-            {'perm': ('view', 'add'), 'gate': 'cortex',
-             'desc': 'Controls access to add a new view including forks.'},
-            {'perm': ('view', 'read'), 'gate': 'view',
-             'desc': 'Used to control read access to a view.'},
+            {'perm': ('model', 'form', 'add'), 'gate': 'cortex',
+             'desc': 'Controls access to adding extended model forms.'},
+            {'perm': ('model', 'form', 'add', '<form>'), 'gate': 'cortex',
+             'desc': 'Controls access to adding specific extended model forms.',
+             'ex': 'model.form.add._foo:bar'},
+            {'perm': ('model', 'form', 'del'), 'gate': 'cortex',
+             'desc': 'Controls access to deleting extended model forms.'},
+            {'perm': ('model', 'form', 'del', '<form>'), 'gate': 'cortex',
+             'desc': 'Controls access to deleting specific extended model forms.',
+             'ex': 'model.form.del._foo:bar'},
+
+            {'perm': ('model', 'prop', 'add'), 'gate': 'cortex',
+             'desc': 'Controls access to adding extended model properties.'},
+            {'perm': ('model', 'prop', 'add', '<form>'), 'gate': 'cortex',
+             'desc': 'Controls access to adding specific extended model properties.',
+             'ex': 'model.prop.add._foo:bar'},
+            {'perm': ('model', 'prop', 'del'), 'gate': 'cortex',
+             'desc': 'Controls access to deleting extended model properties.'},
+            {'perm': ('model', 'prop', 'del', '<form>'), 'gate': 'cortex',
+             'desc': 'Controls access to deleting specific extended model properties.',
+             'ex': 'model.prop.del._foo:bar'},
+
+            {'perm': ('model', 'tagprop', 'add'), 'gate': 'cortex',
+             'desc': 'Controls access to adding extended model tag properties.'},
+            {'perm': ('model', 'tagprop', 'del'), 'gate': 'cortex',
+             'desc': 'Controls access to deleting extended model tag properties.'},
+
+            {'perm': ('model', 'univ', 'add'), 'gate': 'cortex',
+             'desc': 'Controls access to adding extended model universal properties.'},
+            {'perm': ('model', 'univ', 'del'), 'gate': 'cortex',
+             'desc': 'Controls access to deleting extended model universal properties.'},
 
             {'perm': ('node',), 'gate': 'layer',
              'desc': 'Controls all node edits in a layer.'},
@@ -1542,6 +1567,42 @@ def _initCorePerms(self):
             {'perm': ('node', 'prop', 'del', '<prop>'), 'gate': 'layer',
              'ex': 'node.prop.del.inet:ipv4:asn',
              'desc': 'Controls removing a specific property from a node in a layer.'},
+
+            {'perm': ('pkg', 'add'), 'gate': 'cortex',
+             'desc': 'Controls access to adding storm packages.'},
+            {'perm': ('pkg', 'del'), 'gate': 'cortex',
+             'desc': 'Controls access to deleting storm packages.'},
+
+            {'perm': ('storm', 'asroot', 'cmd', '<cmdname>'), 'gate': 'cortex',
+            'desc': 'Controls running storm commands requiring root privileges.',
+             'ex': 'storm.asroot.cmd.movetag'},
+            {'perm': ('storm', 'asroot', 'mod', '<modname>'), 'gate': 'cortex',
+            'desc': 'Controls importing modules requiring root privileges.',
+             'ex': 'storm.asroot.cmd.synapse-misp.privsep'},
+
+            {'perm': ('storm', 'graph', 'add'), 'gate': 'cortex',
+             'desc': 'Controls access to add a storm graph.',
+             'default': True},
+            {'perm': ('storm', 'macro', 'add'), 'gate': 'cortex',
+             'desc': 'Controls access to add a storm macro.',
+             'default': True},
+            {'perm': ('storm', 'macro', 'admin'), 'gate': 'cortex',
+             'desc': 'Controls access to edit/set/delete a storm macro.'},
+            {'perm': ('storm', 'macro', 'edit'), 'gate': 'cortex',
+             'desc': 'Controls access to edit a storm macro.'},
+
+            {'perm': ('view',), 'gate': 'cortex',
+             'desc': 'Controls all view permissions.'},
+            {'perm': ('view', 'add'), 'gate': 'cortex',
+             'desc': 'Controls access to add a new view including forks.'},
+            {'perm': ('view', 'del'), 'gate': 'view',
+             'desc': 'Controls access to delete a view.'},
+            {'perm': ('view', 'read'), 'gate': 'view',
+             'desc': 'Controls read access to view.'},
+            {'perm': ('view', 'set', '<setting>'), 'gate': 'view',
+             'desc': 'Controls access to change view settings.',
+             'ex': 'view.set.name'},
+
         ))
         for pdef in self._cortex_permdefs:
             s_storm.reqValidPermDef(pdef)

diff --git a/synapse/lib/stormlib/backup.py b/synapse/lib/stormlib/backup.py
@@ -26,6 +26,14 @@ class BackupLib(s_stormtypes.Lib):
                   'returns': {'type': 'null', }}},
     )
     _storm_lib_path = ('backup',)
+    _storm_lib_perms = (
+        {'perm': ('backup', 'del'), 'gate': 'cortex',
+         'desc': 'Permits a user to delete an existing backup.'},
+        {'perm': ('backup', 'list'), 'gate': 'cortex',
+         'desc': 'Permits a user to list existing backups.'},
+        {'perm': ('backup', 'run'), 'gate': 'cortex',
+         'desc': 'Permits a user to create a backup.'},
+    )
 
     def getObjLocals(self):
         return {

diff --git a/synapse/lib/stormlib/imap.py b/synapse/lib/stormlib/imap.py
@@ -59,6 +59,10 @@ class ImapLib(s_stormtypes.Lib):
         },
     )
     _storm_lib_path = ('inet', 'imap', )
+    _storm_lib_perms = (
+        {'perm': ('storm', 'inet', 'imap', 'connect'), 'gate': 'cortex',
+         'desc': 'Controls connecting to external servers via imap.'},
+    )
 
     def getObjLocals(self):
         return {

diff --git a/synapse/lib/stormlib/log.py b/synapse/lib/stormlib/log.py
@@ -115,6 +115,16 @@ class LoggerLib(s_stormtypes.Lib):
     )
 
     _storm_lib_path = ('log',)
+    _storm_lib_perms = (
+        {'perm': ('storm', 'lib', 'log', 'debug'), 'gate': 'cortex',
+            'desc': 'Controls the ability to log a debug level message.'},
+        {'perm': ('storm', 'lib', 'log', 'error'), 'gate': 'cortex',
+            'desc': 'Controls the ability to log a error level message.'},
+        {'perm': ('storm', 'lib', 'log', 'info'), 'gate': 'cortex',
+            'desc': 'Controls the ability to log a info level message.'},
+        {'perm': ('storm', 'lib', 'log', 'warning'), 'gate': 'cortex',
+            'desc': 'Controls the ability to log a warning level message.'},
+    )
 
     def getObjLocals(self):
         return {

diff --git a/synapse/lib/stormlib/smtp.py b/synapse/lib/stormlib/smtp.py
@@ -21,6 +21,10 @@ class SmtpLib(s_stormtypes.Lib):
                                       'desc': 'The newly constructed inet:smtp:message.'}}},
     )
     _storm_lib_path = ('inet', 'smtp',)
+    _storm_lib_perms = (
+        {'perm': ('storm', 'inet', 'smtp', 'send'), 'gate': 'cortex',
+         'desc': 'Controls sending SMTP messages to external servers.'},
+    )
 
     def getObjLocals(self):
         return {

diff --git a/synapse/lib/stormtypes.py b/synapse/lib/stormtypes.py
@@ -7214,6 +7214,24 @@ class LibTrigger(Lib):
                   'returns': {'type': 'str', 'desc': 'The iden of the modified Trigger', }}},
     )
     _storm_lib_path = ('trigger',)
+    _storm_lib_perms = (
+        {'perm': ('trigger', 'add'), 'gate': 'cortex',
+         'desc': 'Controls adding triggers.'},
+        {'perm': ('trigger', 'del'), 'gate': 'view',
+         'desc': 'Controls deleting triggers.'},
+        {'perm': ('trigger', 'get'), 'gate': 'trigger',
+         'desc': 'Controls listing/retrieving triggers.'},
+        {'perm': ('trigger', 'set'), 'gate': 'view',
+         'desc': 'Controls enabling, disabling, and modifying the query of a trigger.'},
+        {'perm': ('trigger', 'set', 'doc'), 'gate': 'trigger',
+         'desc': 'Controls modifying the doc property of triggers.'},
+        {'perm': ('trigger', 'set', 'name'), 'gate': 'trigger',
+         'desc': 'Controls modifying the name property of triggers.'},
+        {'perm': ('trigger', 'set', 'user'), 'gate': 'cortex',
+         'desc': 'Controls modifying the user property of triggers.'},
+        {'perm': ('trigger', 'set', '<property>'), 'gate': 'view',
+         'desc': 'Controls modifying specific trigger properties.'},
+    )
 
     def getObjLocals(self):
         return {
@@ -7579,6 +7597,47 @@ class LibUsers(Lib):
     )
     _storm_lib_path = ('auth', 'users')
     _storm_lib_perms = (
+        {'perm': ('auth', 'role', 'set', 'name'), 'gate': 'cortex',
+         'desc': 'Permits a user to change the name of a role.'},
+        {'perm': ('auth', 'role', 'set', 'rules'), 'gate': 'cortex',
+         'desc': 'Permits a user to modify rules of a role.'},
+
+         {'perm': ('auth', 'self', 'set', 'email'), 'gate': 'cortex',
+         'desc': 'Permits a user to change their own email address.',
+         'default': True},
+        {'perm': ('auth', 'self', 'set', 'name'), 'gate': 'cortex',
+         'desc': 'Permits a user to change their own username.',
+         'default': True},
+        {'perm': ('auth', 'self', 'set', 'passwd'), 'gate': 'cortex',
+         'desc': 'Permits a user to change their own password.',
+         'default': True},
+
+        {'perm': ('auth', 'user', 'grant'), 'gate': 'cortex',
+         'desc': 'Controls granting roles to a user.'},
+        {'perm': ('auth', 'user', 'revoke'), 'gate': 'cortex',
+         'desc': 'Controls revoking roles from a user.'},
+
+        {'perm': ('auth', 'user', 'set', 'admin'), 'gate': 'cortex',
+         'desc': 'Controls setting/removing a user\'s admin status.'},
+        {'perm': ('auth', 'user', 'set', 'email'), 'gate': 'cortex',
+         'desc': 'Controls changing a user\'s email address.'},
+        {'perm': ('auth', 'user', 'set', 'locked'), 'gate': 'cortex',
+         'desc': 'Controls locking/unlocking a user account.'},
+        {'perm': ('auth', 'user', 'set', 'passwd'), 'gate': 'cortex',
+         'desc': 'Controls changing a user password.'},
+        {'perm': ('auth', 'user', 'set', 'rules'), 'gate': 'cortex',
+         'desc': 'Controls adding rules to a user.'},
+
+        {'perm': ('auth', 'user', 'get', 'profile', '<name>'), 'gate': 'cortex',
+         'desc': 'Permits a user to retrieve their profile information.',
+         'ex': 'auth.user.get.profile.fullname'},
+        {'perm': ('auth', 'user', 'pop', 'profile', '<name>'), 'gate': 'cortex',
+         'desc': 'Permits a user to remove profile information.',
+         'ex': 'auth.user.pop.profile.fullname'},
+        {'perm': ('auth', 'user', 'set', 'profile', '<name>'), 'gate': 'cortex',
+         'desc': 'Permits a user to set profile information.',
+         'ex': 'auth.user.set.profile.fullname'},
+
         {'perm': ('storm', 'lib', 'auth', 'users', 'add'), 'gate': 'cortex',
          'desc': 'Controls the ability to add a user to the system. USE WITH CAUTION!'},
         {'perm': ('storm', 'lib', 'auth', 'users', 'del'), 'gate': 'cortex',
@@ -8872,6 +8931,18 @@ class LibCron(Lib):
                   'returns': {'type': 'str', 'desc': 'The iden of the CronJob which was disabled.', }}},
     )
     _storm_lib_path = ('cron',)
+    _storm_lib_perms = (
+        {'perm': ('cron', 'add'), 'gate': 'view',
+         'desc': 'Permits a user to create a cron job.'},
+        {'perm': ('cron', 'del'), 'gate': 'cronjob',
+         'desc': 'Permits a user to remove a cron job.'},
+        {'perm': ('cron', 'get'), 'gate': 'cronjob',
+         'desc': 'Permits a user to list cron jobs.'},
+        {'perm': ('cron', 'set'), 'gate': 'cronjob',
+         'desc': 'Permits a user to modify/move a cron job.'},
+        {'perm': ('cron', 'set', 'creator'), 'gate': 'cortex',
+         'desc': 'Permits a user to modify the creator property of a cron job.'},
+    )
 
     def getObjLocals(self):
         return {