From 1e74f11f5e5e8f6c9b61a71f9e2770acc935044b Mon Sep 17 00:00:00 2001 From: Ingo Oppermann Date: Thu, 16 Feb 2023 21:47:56 +0100 Subject: [PATCH] WIP: policy update
---
app/api/api.go | 13 ++++++++----- http/middleware/iam/iam.go | 2 +- iam/access.go | 5 +++++ iam/iam.go | 31 +++++++++++++++++++++++++++++-- iam/identity.go | 10 +++++----- iam/identity_test.go | 12 ++++++------ rtmp/rtmp.go | 2 +- srt/srt.go | 2 +- 8 files changed, 56 insertions(+), 21 deletions(-)
diff --git a/app/api/api.go b/app/api/api.go
index f4de261f..a51607b5 100644
--- a/app/api/api.go
+++ b/app/api/api.go
@@ -456,17 +456,20 @@ func (a *api) start() error {
 iam.AddPolicy("$localhost", "$none", "api:/api/v3/widget/process/**", "GET|HEAD|OPTIONS")
 if !cfg.API.Auth.Enable {
- iam.AddPolicy("$anon", "$none", "api:/api/**", "GET|HEAD|OPTIONS|POST|PUT|DELETE")
- iam.AddPolicy("$localhost", "$none", "api:/api/**", "GET|HEAD|OPTIONS|POST|PUT|DELETE")
+ iam.AddPolicy("$anon", "$none", "api:/api/**", "ANY")
+ iam.AddPolicy("$anon", "$none", "process:*", "ANY")
+ iam.AddPolicy("$localhost", "$none", "api:/api/**", "ANY")
+ iam.AddPolicy("$localhost", "$none", "process:*", "ANY")
 }
 if cfg.API.Auth.DisableLocalhost {
- iam.AddPolicy("$localhost", "$none", "api:/api/**", "GET|HEAD|OPTIONS|POST|PUT|DELETE")
+ iam.AddPolicy("$localhost", "$none", "api:/api/**", "ANY")
+ iam.AddPolicy("$localhost", "$none", "process:*", "ANY")
 }
 if !cfg.Storage.Memory.Auth.Enable {
- iam.AddPolicy("$anon", "$none", "fs:/memfs/**", "GET|HEAD|OPTIONS|POST|PUT|DELETE")
- iam.AddPolicy("$localhost", "$none", "fs:/memfs/**", "GET|HEAD|OPTIONS|POST|PUT|DELETE")
+ iam.AddPolicy("$anon", "$none", "fs:/memfs/**", "ANY")
+ iam.AddPolicy("$localhost", "$none", "fs:/memfs/**", "ANY")
 }
 if cfg.RTMP.Enable && len(cfg.RTMP.Token) == 0 {
diff --git a/http/middleware/iam/iam.go b/http/middleware/iam/iam.go
index e06eb924..1fcbf44c 100644
--- a/http/middleware/iam/iam.go
+++ b/http/middleware/iam/iam.go
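Review bot: The action token `"ANY"` that replaces the explicit method lists in every changed AddPolicy call is not defined anywhere in this patch; unless the enforcer's action matcher already treats `ANY` as a wildcard, these rules match no HTTP method and the no-auth, localhost and memfs configurations become deny-all instead of allow-all. If a wildcard rule does exist, the grant is also broader than the old `GET|HEAD|OPTIONS|POST|PUT|DELETE` list (which excluded PATCH, for example), and the new `process:*` rules extend `$anon` and `$localhost` from API paths to a second resource class. Either way the intended outcome should be pinned by a test on the no-auth configuration, for instance asserting that a constructed request such as `iam.Enforce("$anon", "$none", "api:/api/v3/process", "GET")` is allowed and that a `process:` resource is reachable under the new rule. start() begins and ends outside the hunk.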
@@ -403,7 +403,7 @@ func (m *iammiddleware) findDomainFromFilesystem(path string) string {
 prefix := filepath.Clean(mount) + "/"
 if strings.HasPrefix(path, prefix) {
 elements := strings.Split(strings.TrimPrefix(path, prefix), "/")
- if m.iam.IsDomain(elements[0]) {
+ if m.iam.HasDomain(elements[0]) {
 return elements[0]
 }
 }
diff --git a/iam/access.go b/iam/access.go
index 13c57bcf..73d334dc 100644
--- a/iam/access.go
+++ b/iam/access.go
@@ -21,6 +21,7 @@ type AccessManager interface {
 AddPolicy(username, domain, resource, actions string) bool
 RemovePolicy(username, domain, resource, actions string) bool
+ ListPolicies(username, domain, resource, actions string) [][]string
 }
 type access struct {
@@ -92,6 +93,10 @@ func (am *access) RemovePolicy(username, domain, resource, actions string) bool
 return true
 }
+func (am *access) ListPolicies(username, domain, resource, actions string) [][]string {
+ return am.enforcer.GetFilteredPolicy(0, username, domain, resource, actions)
+}
+
 func (am *access) HasGroup(name string) bool {
 groups, err := am.enforcer.GetAllDomains()
 if err != nil {
diff --git a/iam/iam.go b/iam/iam.go
index 806066fc..19fe0628 100644
--- a/iam/iam.go
+++ b/iam/iam.go
@@ -7,13 +7,20 @@ import (
 type IAM interface {
 Enforce(user, domain, resource, action string) bool
- IsDomain(domain string) bool
+ HasDomain(domain string) bool
 AddPolicy(username, domain, resource, actions string) bool
 RemovePolicy(username, domain, resource, actions string) bool
+ ListPolicies(username, domain, resource, actions string) [][]string
+ Validators() []string
+ CreateIdentity(u User) error
+ UpdateIdentity(name string, u User) error
+ DeleteIdentity(name string) error
+ ListIdentities() []User
+ GetIdentity(name string) (IdentityVerifier, error)
 GetIdentityByAuth0(name string) (IdentityVerifier, error)
 GetDefaultIdentity() (IdentityVerifier, error)
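Review bot: `ListPolicies` in iam/access.go hands its four filter values straight to `GetFilteredPolicy(0, …)` without saying what an empty value means; if `am.enforcer` is a casbin enforcer, as the call suggests, an empty field matches every policy for that field, so `ListPolicies("", "", "", "")` returns the entire policy set and a caller that forwards an unvalidated empty username gets every user's rules. That is probably the intended listing behavior, but it should be stated on both the interface method in the first access.go hunk and the implementation, e.g. `// ListPolicies returns the policies matching the filter; an empty username, domain, resource or actions value matches any value for that field.` Confirm the wildcard semantics against the concrete enforcer type, which is not visible in this patch.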
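Review bot: `Validators() []string` is added to the IAM interface in iam/iam.go, but no `(*iam).Validators` method appears anywhere in this patch (the implementation hunks add CreateIdentity, UpdateIdentity, DeleteIdentity, ListIdentities, HasDomain and ListPolicies only), so unless it already exists outside the diff, `*iam` no longer satisfies `IAM` and the build breaks. The identity manager already exposes `Validators()` (iam/identity_test.go calls `im.Validators()`), so provided `i.im`'s type exposes it a delegating method `func (i *iam) Validators() []string { return i.im.Validators() }` would close the gap. The interface's closing brace lies outside the hunk.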
@@ -110,6 +117,22 @@ func (i *iam) Enforce(user, domain, resource, action string) bool {
 return ok
 }
+func (i *iam) CreateIdentity(u User) error {
+ return i.im.Create(u)
+}
+
+func (i *iam) UpdateIdentity(name string, u User) error {
+ return i.im.Update(name, u)
+}
+
+func (i *iam) DeleteIdentity(name string) error {
+ return i.im.Delete(name)
+}
+
+func (i *iam) ListIdentities() []User {
+ return nil
+}
+
 func (i *iam) GetIdentity(name string) (IdentityVerifier, error) {
 return i.im.GetVerifier(name)
 }
@@ -126,7 +149,7 @@ func (i *iam) CreateJWT(name string) (string, string, error) {
 return i.im.CreateJWT(name)
 }
-func (i *iam) IsDomain(domain string) bool {
+func (i *iam) HasDomain(domain string) bool {
 return i.am.HasGroup(domain)
 }
@@ -141,3 +164,7 @@ func (i *iam) AddPolicy(username, domain, resource, actions string) bool {
 func (i *iam) RemovePolicy(username, domain, resource, actions string) bool {
 return i.am.RemovePolicy(username, domain, resource, actions)
 }
+
+func (i *iam) ListPolicies(username, domain, resource, actions string) [][]string {
+ return i.am.ListPolicies(username, domain, resource, actions)
+}
diff --git a/iam/identity.go b/iam/identity.go
index 5d83b3e5..ead90ba5 100644
--- a/iam/identity.go
+++ b/iam/identity.go
@@ -374,7 +374,7 @@ func (i *identity) IsSuperuser() bool {
 type IdentityManager interface {
 Create(identity User) error
 Update(name string, identity User) error
- Remove(name string) error
+ Delete(name string) error
 Get(name string) (User, error)
 GetVerifier(name string) (IdentityVerifier, error)
@@ -555,7 +555,7 @@ func (im *identityManager) Update(name string, u User) error {
 }
 }
- err := im.remove(name)
+ err := im.delete(name)
 if err != nil {
 return err
 }
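Review bot: `ListIdentities` in the `@@ -110` hunk is a stub that always returns nil while the interface promises the identity list, so a caller iterating the result silently sees no users rather than an error; if the identity manager has no list method yet, mark it `// TODO: delegate to the identity manager; returns nil until a list method exists` so it is not mistaken for a finished implementation. The neighbouring CreateIdentity, UpdateIdentity and DeleteIdentity wrappers delegate straight to `i.im` with no Enforce call, which is reasonable for this layer but worth recording on each, e.g. `// CreateIdentity creates an identity; it performs no authorization, callers must Enforce first.` with the same wording for Update and Delete (Delete's refusal to remove the root identity is decided by the identity manager, per the identity.go hunk). The ListPolicies wrapper in the `@@ -141` hunk lacks a doc comment in the same way.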
@@ -580,14 +580,14 @@ func (im *identityManager) Update(name string, u User) error {
 return nil
 }
-func (im *identityManager) Remove(name string) error {
+func (im *identityManager) Delete(name string) error {
 im.lock.Lock()
 defer im.lock.Unlock()
- return im.remove(name)
+ return im.delete(name)
 }
-func (im *identityManager) remove(name string) error {
+func (im *identityManager) delete(name string) error {
 if im.root.user.Name == name {
 return fmt.Errorf("this identity can't be removed")
 }
diff --git a/iam/identity_test.go b/iam/identity_test.go
index f6a07fe4..7e032fe9 100644
--- a/iam/identity_test.go
+++ b/iam/identity_test.go
@@ -575,10 +575,10 @@ func TestRemoveUser(t *testing.T) {
 require.NoError(t, err)
 require.NotNil(t, im)
- err = im.Remove("fooboz")
+ err = im.Delete("fooboz")
 require.Error(t, err)
- err = im.Remove("foobar")
+ err = im.Delete("foobar")
 require.Error(t, err)
 err = im.Create(User{
@@ -630,7 +630,7 @@ func TestRemoveUser(t *testing.T) {
 require.True(t, ok)
 require.NoError(t, err)
- err = im.Remove("foobaz")
+ err = im.Delete("foobaz")
 require.NoError(t, err)
 ok, err = identity.VerifyAPIPassword("apisecret")
@@ -728,7 +728,7 @@ func TestRemoveUserAuth0(t *testing.T) {
 "auth0 domain=datarhei-demo.eu.auth0.com audience=https://datarhei-demo.eu.auth0.com/api/v2/ clientid=987654",
 }, im.Validators())
- err = im.Remove("foobaz")
+ err = im.Delete("foobaz")
 require.NoError(t, err)
 require.Equal(t, 1, len(manager.tenants))
@@ -739,7 +739,7 @@ func TestRemoveUserAuth0(t *testing.T) {
 "auth0 domain=datarhei-demo.eu.auth0.com audience=https://datarhei-demo.eu.auth0.com/api/v2/ clientid=987654",
 }, im.Validators())
- err = im.Remove("fooboz")
+ err = im.Delete("fooboz")
 require.NoError(t, err)
 require.Equal(t, 0, len(manager.tenants))
@@ -793,7 +793,7 @@ func TestAutosave(t *testing.T) {
 require.NoError(t, err)
 require.NotEqual(t, []byte("[]"), data)
- err = im.Remove("fooboz")
+ err = im.Delete("fooboz")
 require.NoError(t, err)
 data, err = dummyfs.ReadFile("./users.json")
diff --git a/rtmp/rtmp.go b/rtmp/rtmp.go
index 3331fdbf..dc569831 100644
--- a/rtmp/rtmp.go
+++ b/rtmp/rtmp.go
@@ -433,7 +433,7 @@ func (s *server) findDomainFromPlaypath(path string) string {
 domain := elements[0]
- if s.iam.IsDomain(domain) {
+ if s.iam.HasDomain(domain) {
 return domain
 }
diff --git a/srt/srt.go b/srt/srt.go
index e1c2cbb3..374672a8 100644
--- a/srt/srt.go
+++ b/srt/srt.go
@@ -413,7 +413,7 @@ func (s *server) findDomainFromPlaypath(path string) string {
 domain := elements[0]
- if s.iam.IsDomain(domain) {
+ if s.iam.HasDomain(domain) {
 return domain
 }