|
|
|
@ -175,106 +175,123 @@ func (policy *SimplePolicy) Allows(node Node, resource string, action string, pr
|
|
|
|
|
return policy.Actions.Allows(resource, action)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type PerTagPolicy struct {
|
|
|
|
|
SimpleNode
|
|
|
|
|
Actions map[string]NodeActions
|
|
|
|
|
|
|
|
|
|
type DependencyPolicy struct {
|
|
|
|
|
SimplePolicy
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type PerTagPolicyJSON struct {
|
|
|
|
|
SimpleNodeJSON
|
|
|
|
|
Actions map[string]map[string][]string `json:"json"`
|
|
|
|
|
|
|
|
|
|
func (policy *DependencyPolicy) Type() NodeType {
|
|
|
|
|
return NodeType("dependency_policy")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (policy *PerTagPolicy) Type() NodeType {
|
|
|
|
|
return NodeType("per_tag_policy")
|
|
|
|
|
func NewDependencyPolicy(id NodeID, actions NodeActions) DependencyPolicy {
|
|
|
|
|
return DependencyPolicy{
|
|
|
|
|
SimplePolicy: NewSimplePolicy(id, actions),
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (policy *PerTagPolicy) Serialize() ([]byte, error) {
|
|
|
|
|
actions := map[string]map[string][]string{}
|
|
|
|
|
for tag, tag_actions := range(policy.Actions) {
|
|
|
|
|
actions[tag] = tag_actions
|
|
|
|
|
func (policy *DependencyPolicy) Allows(node Node, resource string, action string, principal Node) bool {
|
|
|
|
|
lockable, ok := node.(LockableNode)
|
|
|
|
|
if ok == false {
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return json.MarshalIndent(&PerTagPolicyJSON{
|
|
|
|
|
SimpleNodeJSON: NewSimpleNodeJSON(&policy.SimpleNode),
|
|
|
|
|
Actions: actions,
|
|
|
|
|
}, "", " ")
|
|
|
|
|
for _, dep := range(lockable.LockableHandle().Dependencies) {
|
|
|
|
|
if dep.ID() == principal.ID() {
|
|
|
|
|
return policy.Actions.Allows(resource, action)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func NewPerTagPolicy(id NodeID, actions map[string]NodeActions) PerTagPolicy {
|
|
|
|
|
if actions == nil {
|
|
|
|
|
actions = map[string]NodeActions{}
|
|
|
|
|
}
|
|
|
|
|
type RequirementPolicy struct {
|
|
|
|
|
SimplePolicy
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return PerTagPolicy{
|
|
|
|
|
SimpleNode: NewSimpleNode(id),
|
|
|
|
|
Actions: actions,
|
|
|
|
|
|
|
|
|
|
func (policy *RequirementPolicy) Type() NodeType {
|
|
|
|
|
return NodeType("dependency_policy")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func NewRequirementPolicy(id NodeID, actions NodeActions) RequirementPolicy {
|
|
|
|
|
return RequirementPolicy{
|
|
|
|
|
SimplePolicy: NewSimplePolicy(id, actions),
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func LoadPerTagPolicy(ctx *Context, id NodeID, data []byte, nodes NodeMap) (Node, error) {
|
|
|
|
|
var j PerTagPolicyJSON
|
|
|
|
|
err := json.Unmarshal(data, &j)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
func (policy *RequirementPolicy) Allows(node Node, resource string, action string, principal Node) bool {
|
|
|
|
|
lockable_node, ok := node.(LockableNode)
|
|
|
|
|
if ok == false {
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
lockable := lockable_node.LockableHandle()
|
|
|
|
|
|
|
|
|
|
actions := map[string]NodeActions{}
|
|
|
|
|
for tag, tag_actions := range(j.Actions) {
|
|
|
|
|
actions[tag] = tag_actions
|
|
|
|
|
for _, req := range(lockable.Requirements) {
|
|
|
|
|
if req.ID() == principal.ID() {
|
|
|
|
|
return policy.Actions.Allows(resource, action)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
policy := NewPerTagPolicy(id, actions)
|
|
|
|
|
nodes[id] = &policy
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
err = RestoreSimpleNode(ctx, &policy.SimpleNode, j.SimpleNodeJSON, nodes)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
type ParentPolicy struct {
|
|
|
|
|
SimplePolicy
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return &policy, nil
|
|
|
|
|
|
|
|
|
|
func (policy *ParentPolicy) Type() NodeType {
|
|
|
|
|
return NodeType("parent_policy")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (policy *PerTagPolicy) Allows(node Node, resource string, action string, principal Node) bool {
|
|
|
|
|
user, ok := principal.(*User)
|
|
|
|
|
func NewParentPolicy(id NodeID, actions NodeActions) ParentPolicy {
|
|
|
|
|
return ParentPolicy{
|
|
|
|
|
SimplePolicy: NewSimplePolicy(id, actions),
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (policy *ParentPolicy) Allows(node Node, resource string, action string, principal Node) bool {
|
|
|
|
|
thread_node, ok := node.(ThreadNode)
|
|
|
|
|
if ok == false {
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
thread := thread_node.ThreadHandle()
|
|
|
|
|
|
|
|
|
|
for _, tag := range(user.Tags) {
|
|
|
|
|
tag_actions, exists := policy.Actions[tag]
|
|
|
|
|
if exists == true {
|
|
|
|
|
if tag_actions.Allows(resource, action) == true {
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
if thread.Owner != nil {
|
|
|
|
|
if thread.Owner.ID() == principal.ID() {
|
|
|
|
|
return policy.Actions.Allows(resource, action)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type DependencyPolicy struct {
|
|
|
|
|
type ChildrenPolicy struct {
|
|
|
|
|
SimplePolicy
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
func (policy *DependencyPolicy) Type() NodeType {
|
|
|
|
|
return NodeType("parent_policy")
|
|
|
|
|
func (policy *ChildrenPolicy) Type() NodeType {
|
|
|
|
|
return NodeType("children_policy")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func NewDependencyPolicy(id NodeID, actions NodeActions) DependencyPolicy {
|
|
|
|
|
return DependencyPolicy{
|
|
|
|
|
func NewChildrenPolicy(id NodeID, actions NodeActions) ChildrenPolicy {
|
|
|
|
|
return ChildrenPolicy{
|
|
|
|
|
SimplePolicy: NewSimplePolicy(id, actions),
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (policy *DependencyPolicy) Allows(node Node, resource string, action string, principal Node) bool {
|
|
|
|
|
lockable, ok := node.(LockableNode)
|
|
|
|
|
func (policy *ChildrenPolicy) Allows(node Node, resource string, action string, principal Node) bool {
|
|
|
|
|
thread_node, ok := node.(ThreadNode)
|
|
|
|
|
if ok == false {
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
thread := thread_node.ThreadHandle()
|
|
|
|
|
|
|
|
|
|
for _, dep := range(lockable.LockableHandle().Dependencies) {
|
|
|
|
|
if dep.ID() == principal.ID() {
|
|
|
|
|
for _, info := range(thread.Children) {
|
|
|
|
|
if info.Child.ID() == principal.ID() {
|
|
|
|
|
return policy.Actions.Allows(resource, action)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|