WIP: policy update

2023-02-16 21:47:56 +01:00 · 2023-02-16 21:47:56 +01:00 · 1e74f11f5e
commit 1e74f11f5e
parent ca2fc5fe26
8 changed files with 56 additions and 21 deletions
--- a/app/api/api.go
+++ b/app/api/api.go
@ -456,17 +456,20 @@ func (a *api) start() error {
 		iam.AddPolicy("$localhost", "$none", "api:/api/v3/widget/process/**", "GET|HEAD|OPTIONS")

 		if !cfg.API.Auth.Enable {
-			iam.AddPolicy("$anon", "$none", "api:/api/**", "GET|HEAD|OPTIONS|POST|PUT|DELETE")
-			iam.AddPolicy("$localhost", "$none", "api:/api/**", "GET|HEAD|OPTIONS|POST|PUT|DELETE")
+			iam.AddPolicy("$anon", "$none", "api:/api/**", "ANY")
+			iam.AddPolicy("$anon", "$none", "process:*", "ANY")
+			iam.AddPolicy("$localhost", "$none", "api:/api/**", "ANY")
+			iam.AddPolicy("$localhost", "$none", "process:*", "ANY")
 		}

 		if cfg.API.Auth.DisableLocalhost {
-			iam.AddPolicy("$localhost", "$none", "api:/api/**", "GET|HEAD|OPTIONS|POST|PUT|DELETE")
+			iam.AddPolicy("$localhost", "$none", "api:/api/**", "ANY")
+			iam.AddPolicy("$localhost", "$none", "process:*", "ANY")
 		}

 		if !cfg.Storage.Memory.Auth.Enable {
-			iam.AddPolicy("$anon", "$none", "fs:/memfs/**", "GET|HEAD|OPTIONS|POST|PUT|DELETE")
-			iam.AddPolicy("$localhost", "$none", "fs:/memfs/**", "GET|HEAD|OPTIONS|POST|PUT|DELETE")
+			iam.AddPolicy("$anon", "$none", "fs:/memfs/**", "ANY")
+			iam.AddPolicy("$localhost", "$none", "fs:/memfs/**", "ANY")
 		}

 		if cfg.RTMP.Enable && len(cfg.RTMP.Token) == 0 {
--- a/http/middleware/iam/iam.go
+++ b/http/middleware/iam/iam.go
@ -403,7 +403,7 @@ func (m *iammiddleware) findDomainFromFilesystem(path string) string {
 		prefix := filepath.Clean(mount) + "/"
 		if strings.HasPrefix(path, prefix) {
 			elements := strings.Split(strings.TrimPrefix(path, prefix), "/")
-			if m.iam.IsDomain(elements[0]) {
+			if m.iam.HasDomain(elements[0]) {
 				return elements[0]
 			}
 		}
--- a/iam/access.go
+++ b/iam/access.go
@ -21,6 +21,7 @@ type AccessManager interface {

 	AddPolicy(username, domain, resource, actions string) bool
 	RemovePolicy(username, domain, resource, actions string) bool
+	ListPolicies(username, domain, resource, actions string) [][]string
 }

 type access struct {
@ -92,6 +93,10 @@ func (am *access) RemovePolicy(username, domain, resource, actions string) bool
 	return true
 }

+func (am *access) ListPolicies(username, domain, resource, actions string) [][]string {
+	return am.enforcer.GetFilteredPolicy(0, username, domain, resource, actions)
+}
+
 func (am *access) HasGroup(name string) bool {
 	groups, err := am.enforcer.GetAllDomains()
 	if err != nil {
--- a/iam/iam.go
+++ b/iam/iam.go
@ -7,13 +7,20 @@ import (

 type IAM interface {
 	Enforce(user, domain, resource, action string) bool
-	IsDomain(domain string) bool
+	HasDomain(domain string) bool

 	AddPolicy(username, domain, resource, actions string) bool
 	RemovePolicy(username, domain, resource, actions string) bool

+	ListPolicies(username, domain, resource, actions string) [][]string
+
 	Validators() []string

+	CreateIdentity(u User) error
+	UpdateIdentity(name string, u User) error
+	DeleteIdentity(name string) error
+	ListIdentities() []User
+
 	GetIdentity(name string) (IdentityVerifier, error)
 	GetIdentityByAuth0(name string) (IdentityVerifier, error)
 	GetDefaultIdentity() (IdentityVerifier, error)
@ -110,6 +117,22 @@ func (i *iam) Enforce(user, domain, resource, action string) bool {
 	return ok
 }

+func (i *iam) CreateIdentity(u User) error {
+	return i.im.Create(u)
+}
+
+func (i *iam) UpdateIdentity(name string, u User) error {
+	return i.im.Update(name, u)
+}
+
+func (i *iam) DeleteIdentity(name string) error {
+	return i.im.Delete(name)
+}
+
+func (i *iam) ListIdentities() []User {
+	return nil
+}
+
 func (i *iam) GetIdentity(name string) (IdentityVerifier, error) {
 	return i.im.GetVerifier(name)
 }
@ -126,7 +149,7 @@ func (i *iam) CreateJWT(name string) (string, string, error) {
 	return i.im.CreateJWT(name)
 }

-func (i *iam) IsDomain(domain string) bool {
+func (i *iam) HasDomain(domain string) bool {
 	return i.am.HasGroup(domain)
 }

@ -141,3 +164,7 @@ func (i *iam) AddPolicy(username, domain, resource, actions string) bool {
 func (i *iam) RemovePolicy(username, domain, resource, actions string) bool {
 	return i.am.RemovePolicy(username, domain, resource, actions)
 }
+
+func (i *iam) ListPolicies(username, domain, resource, actions string) [][]string {
+	return i.am.ListPolicies(username, domain, resource, actions)
+}
--- a/iam/identity.go
+++ b/iam/identity.go
@ -374,7 +374,7 @@ func (i *identity) IsSuperuser() bool {
 type IdentityManager interface {
 	Create(identity User) error
 	Update(name string, identity User) error
-	Remove(name string) error
+	Delete(name string) error

 	Get(name string) (User, error)
 	GetVerifier(name string) (IdentityVerifier, error)
@ -555,7 +555,7 @@ func (im *identityManager) Update(name string, u User) error {
 		}
 	}

-	err := im.remove(name)
+	err := im.delete(name)
 	if err != nil {
 		return err
 	}
@ -580,14 +580,14 @@ func (im *identityManager) Update(name string, u User) error {
 	return nil
 }

-func (im *identityManager) Remove(name string) error {
+func (im *identityManager) Delete(name string) error {
 	im.lock.Lock()
 	defer im.lock.Unlock()

-	return im.remove(name)
+	return im.delete(name)
 }

-func (im *identityManager) remove(name string) error {
+func (im *identityManager) delete(name string) error {
 	if im.root.user.Name == name {
 		return fmt.Errorf("this identity can't be removed")
 	}
--- a/iam/identity_test.go
+++ b/iam/identity_test.go
@ -575,10 +575,10 @@ func TestRemoveUser(t *testing.T) {
 	require.NoError(t, err)
 	require.NotNil(t, im)

-	err = im.Remove("fooboz")
+	err = im.Delete("fooboz")
 	require.Error(t, err)

-	err = im.Remove("foobar")
+	err = im.Delete("foobar")
 	require.Error(t, err)

 	err = im.Create(User{
@ -630,7 +630,7 @@ func TestRemoveUser(t *testing.T) {
 	require.True(t, ok)
 	require.NoError(t, err)

-	err = im.Remove("foobaz")
+	err = im.Delete("foobaz")
 	require.NoError(t, err)

 	ok, err = identity.VerifyAPIPassword("apisecret")
@ -728,7 +728,7 @@ func TestRemoveUserAuth0(t *testing.T) {
 		"auth0 domain=datarhei-demo.eu.auth0.com audience=https://datarhei-demo.eu.auth0.com/api/v2/ clientid=987654",
 	}, im.Validators())

-	err = im.Remove("foobaz")
+	err = im.Delete("foobaz")
 	require.NoError(t, err)

 	require.Equal(t, 1, len(manager.tenants))
@ -739,7 +739,7 @@ func TestRemoveUserAuth0(t *testing.T) {
 		"auth0 domain=datarhei-demo.eu.auth0.com audience=https://datarhei-demo.eu.auth0.com/api/v2/ clientid=987654",
 	}, im.Validators())

-	err = im.Remove("fooboz")
+	err = im.Delete("fooboz")
 	require.NoError(t, err)

 	require.Equal(t, 0, len(manager.tenants))
@ -793,7 +793,7 @@ func TestAutosave(t *testing.T) {
 	require.NoError(t, err)
 	require.NotEqual(t, []byte("[]"), data)

-	err = im.Remove("fooboz")
+	err = im.Delete("fooboz")
 	require.NoError(t, err)

 	data, err = dummyfs.ReadFile("./users.json")
--- a/rtmp/rtmp.go
+++ b/rtmp/rtmp.go
@ -433,7 +433,7 @@ func (s *server) findDomainFromPlaypath(path string) string {

 	domain := elements[0]

-	if s.iam.IsDomain(domain) {
+	if s.iam.HasDomain(domain) {
 		return domain
 	}

--- a/srt/srt.go
+++ b/srt/srt.go
@ -413,7 +413,7 @@ func (s *server) findDomainFromPlaypath(path string) string {

 	domain := elements[0]

-	if s.iam.IsDomain(domain) {
+	if s.iam.HasDomain(domain) {
 		return domain
 	}