Monorepo for Tangled
tangled.org
1package rbac
2
3import (
4 "database/sql"
5 "slices"
6 "strings"
7
8 adapter "github.com/Blank-Xu/sql-adapter"
9 "github.com/casbin/casbin/v2"
10 "github.com/casbin/casbin/v2/model"
11)
12
13const (
14 ThisServer = "thisserver" // resource identifier for local rbac enforcement
15)
16
17const (
18 Model = `
19[request_definition]
20r = sub, dom, obj, act
21
22[policy_definition]
23p = sub, dom, obj, act
24
25[role_definition]
26g = _, _, _
27
28[policy_effect]
29e = some(where (p.eft == allow))
30
31[matchers]
32m = r.act == p.act && r.dom == p.dom && r.obj == p.obj && g(r.sub, p.sub, r.dom)
33`
34)
35
36type Enforcer struct {
37 E *casbin.SyncedEnforcer
38}
39
40func NewEnforcer(path string) (*Enforcer, error) {
41 m, err := model.NewModelFromString(Model)
42 if err != nil {
43 return nil, err
44 }
45
46 db, err := sql.Open("sqlite3", path+"?_foreign_keys=1&_journal_mode=WAL&_busy_timeout=5000")
47 if err != nil {
48 return nil, err
49 }
50
51 a, err := adapter.NewAdapter(db, "sqlite3", "acl")
52 if err != nil {
53 return nil, err
54 }
55
56 e, err := casbin.NewSyncedEnforcer(m, a)
57 if err != nil {
58 return nil, err
59 }
60
61 e.EnableAutoSave(false)
62
63 return &Enforcer{e}, nil
64}
65
66func (e *Enforcer) AddKnot(knot string) error {
67 // Add policies with patterns
68 _, err := e.E.AddPolicies([][]string{
69 {"server:owner", knot, knot, "server:invite"},
70 {"server:member", knot, knot, "repo:create"},
71 })
72 if err != nil {
73 return err
74 }
75
76 // all owners are also members
77 _, err = e.E.AddGroupingPolicy("server:owner", "server:member", knot)
78 return err
79}
80
81func (e *Enforcer) AddSpindle(spindle string) error {
82 // the internal repr for spindles is spindle:foo.com
83 spindle = intoSpindle(spindle)
84
85 _, err := e.E.AddPolicies([][]string{
86 {"server:owner", spindle, spindle, "server:invite"},
87 })
88 if err != nil {
89 return err
90 }
91
92 // all owners are also members
93 _, err = e.E.AddGroupingPolicy("server:owner", "server:member", spindle)
94 return err
95}
96
97func (e *Enforcer) RemoveSpindle(spindle string) error {
98 spindle = intoSpindle(spindle)
99 _, err := e.E.DeleteDomains(spindle)
100 return err
101}
102
103func (e *Enforcer) RemoveKnot(knot string) error {
104 _, err := e.E.DeleteDomains(knot)
105 return err
106}
107
108func (e *Enforcer) GetKnotsForUser(did string) ([]string, error) {
109 keepFunc := isNotSpindle
110 stripFunc := unSpindle
111 return e.getDomainsForUser(did, keepFunc, stripFunc)
112}
113
114func (e *Enforcer) GetSpindlesForUser(did string) ([]string, error) {
115 keepFunc := isSpindle
116 stripFunc := unSpindle
117 return e.getDomainsForUser(did, keepFunc, stripFunc)
118}
119
120func (e *Enforcer) AddKnotOwner(domain, owner string) error {
121 return e.addOwner(domain, owner)
122}
123
124func (e *Enforcer) RemoveKnotOwner(domain, owner string) error {
125 return e.removeOwner(domain, owner)
126}
127
128func (e *Enforcer) AddKnotMember(domain, member string) error {
129 _, err := e.addMember(domain, member)
130 return err
131}
132
133func (e *Enforcer) RemoveKnotMember(domain, member string) error {
134 _, err := e.removeMember(domain, member)
135 return err
136}
137
138func (e *Enforcer) TryAddKnotMember(domain, member string) (bool, error) {
139 return e.addMember(domain, member)
140}
141
142func (e *Enforcer) TryRemoveKnotMember(domain, member string) (bool, error) {
143 return e.removeMember(domain, member)
144}
145
146func (e *Enforcer) AddSpindleOwner(domain, owner string) error {
147 return e.addOwner(intoSpindle(domain), owner)
148}
149
150func (e *Enforcer) RemoveSpindleOwner(domain, owner string) error {
151 return e.removeOwner(intoSpindle(domain), owner)
152}
153
154func (e *Enforcer) AddSpindleMember(domain, member string) error {
155 _, err := e.addMember(intoSpindle(domain), member)
156 return err
157}
158
159func (e *Enforcer) RemoveSpindleMember(domain, member string) error {
160 _, err := e.removeMember(intoSpindle(domain), member)
161 return err
162}
163
164func (e *Enforcer) TryAddSpindleMember(domain, member string) (bool, error) {
165 return e.addMember(intoSpindle(domain), member)
166}
167
168func (e *Enforcer) TryRemoveSpindleMember(domain, member string) (bool, error) {
169 return e.removeMember(intoSpindle(domain), member)
170}
171
172func repoPolicies(member, domain, repo string) [][]string {
173 return [][]string{
174 {member, domain, repo, "repo:settings"},
175 {member, domain, repo, "repo:push"},
176 {member, domain, repo, "repo:owner"},
177 {member, domain, repo, "repo:invite"},
178 {member, domain, repo, "repo:delete"},
179 {"server:owner", domain, repo, "repo:delete"}, // server owner can delete any repo
180 }
181}
182func (e *Enforcer) AddRepo(member, domain, repo string) error {
183 err := checkRepoFormat(repo)
184 if err != nil {
185 return err
186 }
187
188 _, err = e.E.AddPolicies(repoPolicies(member, domain, repo))
189 return err
190}
191func (e *Enforcer) RemoveRepo(member, domain, repo string) error {
192 err := checkRepoFormat(repo)
193 if err != nil {
194 return err
195 }
196
197 _, err = e.E.RemovePolicies(repoPolicies(member, domain, repo))
198 return err
199}
200
201var (
202 collaboratorPolicies = func(collaborator, domain, repo string) [][]string {
203 return [][]string{
204 {collaborator, domain, repo, "repo:collaborator"},
205 {collaborator, domain, repo, "repo:settings"},
206 {collaborator, domain, repo, "repo:push"},
207 }
208 }
209)
210
211func (e *Enforcer) AddCollaborator(collaborator, domain, repo string) error {
212 err := checkRepoFormat(repo)
213 if err != nil {
214 return err
215 }
216
217 _, err = e.E.AddPolicies(collaboratorPolicies(collaborator, domain, repo))
218 return err
219}
220
221func (e *Enforcer) RemoveCollaborator(collaborator, domain, repo string) error {
222 err := checkRepoFormat(repo)
223 if err != nil {
224 return err
225 }
226
227 _, err = e.E.RemovePolicies(collaboratorPolicies(collaborator, domain, repo))
228 return err
229}
230
231func (e *Enforcer) WipeRepoPolicies(domain, repo string) error {
232 if err := checkRepoFormat(repo); err != nil {
233 return err
234 }
235 _, err := e.E.RemoveFilteredPolicy(1, domain, repo)
236 return err
237}
238
239func (e *Enforcer) GetUserByRole(role, domain string) ([]string, error) {
240 var membersWithoutRoles []string
241
242 // this includes roles too, casbin does not differentiate.
243 // the filtering criteria is to remove strings not starting with `did:`
244 members, err := e.E.GetImplicitUsersForRole(role, domain)
245 for _, m := range members {
246 if strings.HasPrefix(m, "did:") {
247 membersWithoutRoles = append(membersWithoutRoles, m)
248 }
249 }
250 if err != nil {
251 return nil, err
252 }
253
254 slices.Sort(membersWithoutRoles)
255 return slices.Compact(membersWithoutRoles), nil
256}
257
258func (e *Enforcer) GetKnotUsersByRole(role, domain string) ([]string, error) {
259 return e.GetUserByRole(role, domain)
260}
261
262func (e *Enforcer) GetSpindleUsersByRole(role, domain string) ([]string, error) {
263 return e.GetUserByRole(role, intoSpindle(domain))
264}
265
266func (e *Enforcer) GetUserByRoleInRepo(role, domain, repo string) ([]string, error) {
267 var users []string
268
269 policies, err := e.E.GetImplicitUsersForResourceByDomain(repo, domain)
270 for _, p := range policies {
271 user := p[0]
272 if strings.HasPrefix(user, "did:") {
273 users = append(users, user)
274 }
275 }
276 if err != nil {
277 return nil, err
278 }
279
280 slices.Sort(users)
281 return slices.Compact(users), nil
282}
283
284func (e *Enforcer) IsKnotOwner(user, domain string) (bool, error) {
285 return e.isRole(user, "server:owner", domain)
286}
287
288func (e *Enforcer) IsKnotMember(user, domain string) (bool, error) {
289 return e.isRole(user, "server:member", domain)
290}
291
292func (e *Enforcer) IsSpindleOwner(user, domain string) (bool, error) {
293 return e.isRole(user, "server:owner", intoSpindle(domain))
294}
295
296func (e *Enforcer) IsSpindleMember(user, domain string) (bool, error) {
297 return e.isRole(user, "server:member", intoSpindle(domain))
298}
299
300func (e *Enforcer) IsKnotInviteAllowed(user, domain string) (bool, error) {
301 return e.isInviteAllowed(user, domain)
302}
303
304func (e *Enforcer) IsSpindleInviteAllowed(user, domain string) (bool, error) {
305 return e.isInviteAllowed(user, intoSpindle(domain))
306}
307
308func (e *Enforcer) IsRepoCreateAllowed(user, domain string) (bool, error) {
309 return e.E.Enforce(user, domain, domain, "repo:create")
310}
311
312func (e *Enforcer) IsRepoDeleteAllowed(user, domain, repo string) (bool, error) {
313 return e.E.Enforce(user, domain, repo, "repo:delete")
314}
315
316func (e *Enforcer) IsRepoOwner(user, domain, repo string) (bool, error) {
317 return e.E.Enforce(user, domain, repo, "repo:owner")
318}
319
320func (e *Enforcer) IsRepoCollaborator(user, domain, repo string) (bool, error) {
321 return e.E.Enforce(user, domain, repo, "repo:collaborator")
322}
323
324func (e *Enforcer) IsPushAllowed(user, domain, repo string) (bool, error) {
325 return e.E.Enforce(user, domain, repo, "repo:push")
326}
327
328func (e *Enforcer) IsSettingsAllowed(user, domain, repo string) (bool, error) {
329 return e.E.Enforce(user, domain, repo, "repo:settings")
330}
331
332func (e *Enforcer) IsCollaboratorInviteAllowed(user, domain, repo string) (bool, error) {
333 return e.E.Enforce(user, domain, repo, "repo:invite")
334}
335
336// given a repo, what permissions does this user have? repo:owner? repo:invite? etc.
337func (e *Enforcer) GetPermissionsInRepo(user, domain, repo string) []string {
338 var permissions []string
339 res := e.E.GetPermissionsForUserInDomain(user, domain)
340 for _, p := range res {
341 // get only permissions for this resource/repo
342 if p[2] == repo {
343 permissions = append(permissions, p[3])
344 }
345 }
346
347 return permissions
348}