permissionHandler.go 5.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205
  1. package user
  2. import (
  3. //"log"
  4. "errors"
  5. "path/filepath"
  6. "strings"
  7. permission "imuslab.com/arozos/mod/permission"
  8. storage "imuslab.com/arozos/mod/storage"
  9. )
  10. //Permissions related to modules
  11. func (u *User) GetModuleAccessPermission(moduleName string) bool {
  12. //Check if this module permission is within user's permission group access
  13. moduleName = strings.ToLower(moduleName)
  14. for _, pg := range u.PermissionGroup {
  15. if pg.IsAdmin == true {
  16. //This user is admin. Allow all module access
  17. return true
  18. } else if inSliceIgnoreCase(pg.AccessibleModules, moduleName) {
  19. //This permission group contain the module we want. Allow accessed
  20. return true
  21. } else if moduleName == strings.ToLower(pg.DefaultInterfaceModule) {
  22. //This is the interfacing module for the group this user is in
  23. return true
  24. }
  25. }
  26. //This user has no permission group that has access to this module
  27. return false
  28. }
  29. func (u *User) GetUserAccessibleModules() []string {
  30. userAccessibleModules := []string{}
  31. for _, pg := range u.GetUserPermissionGroup() {
  32. groupAccessiableModules := pg.AccessibleModules
  33. for _, gmod := range groupAccessiableModules {
  34. userAccessibleModules = append(userAccessibleModules, gmod)
  35. }
  36. }
  37. return userAccessibleModules
  38. }
  39. func (u *User) IsAdmin() bool {
  40. isAdmin := false
  41. for _, pg := range u.PermissionGroup {
  42. if pg.IsAdmin == true {
  43. isAdmin = true
  44. }
  45. }
  46. return isAdmin
  47. }
  48. //Get the (or a list of ) Interface Module (aka booting module) for this user, returning module uuids
  49. func (u *User) GetInterfaceModules() []string {
  50. results := []string{}
  51. for _, pg := range u.PermissionGroup {
  52. if !inSlice(results, pg.DefaultInterfaceModule) {
  53. results = append(results, pg.DefaultInterfaceModule)
  54. }
  55. }
  56. if len(results) == 0 && u.IsAdmin() {
  57. //Critial error occured. Assign desktop module to admin
  58. results = append(results, "desktop")
  59. }
  60. return results
  61. }
  62. //Check if the user has access to this virthal filepath
  63. func (u *User) GetPathAccessPermission(vpath string) string {
  64. fsid, _, err := getIDFromVirtualPath(filepath.ToSlash(vpath))
  65. if err != nil {
  66. return "denied"
  67. }
  68. topAccessRightStoragePool, err := u.GetHighestAccessRightStoragePool(fsid)
  69. if err != nil {
  70. return "denied"
  71. }
  72. if topAccessRightStoragePool.Owner == u.Username {
  73. //This user own this storage pool. CHeck if the fs itself is readonly
  74. fsHandler, _ := getHandlerFromID(u.GetAllFileSystemHandler(), fsid)
  75. if fsHandler.ReadOnly {
  76. return "readonly"
  77. }
  78. return "readwrite"
  79. } else if topAccessRightStoragePool.Owner == "system" {
  80. //System storage pool. Allow both read and write if the system handler is readwrite
  81. fsHandler, _ := getHandlerFromID(u.GetAllFileSystemHandler(), fsid)
  82. if fsHandler.ReadOnly {
  83. return "readonly"
  84. }
  85. return "readwrite"
  86. } else {
  87. //This user do not own this storage pool. Use the pools' config
  88. fsHandler, _ := getHandlerFromID(u.GetAllFileSystemHandler(), fsid)
  89. if fsHandler.ReadOnly {
  90. return "readonly"
  91. }
  92. return topAccessRightStoragePool.OtherPermission
  93. }
  94. }
  95. //Helper function for checking permission
  96. func (u *User) CanRead(vpath string) bool {
  97. rwp := u.GetPathAccessPermission(vpath)
  98. if rwp == "readonly" || rwp == "readwrite" {
  99. return true
  100. } else {
  101. return false
  102. }
  103. }
  104. func (u *User) CanWrite(vpath string) bool {
  105. rwp := u.GetPathAccessPermission(vpath)
  106. if rwp == "readwrite" {
  107. return true
  108. } else {
  109. return false
  110. }
  111. }
  112. //Get the highest access right to the given fs uuid
  113. func (u *User) GetHighestAccessRightStoragePool(fsUUID string) (*storage.StoragePool, error) {
  114. //List all storage pool that have access to this fsUUID
  115. matchingStoragePool := []*storage.StoragePool{}
  116. for _, h := range u.HomeDirectories.Storages {
  117. if h.UUID == fsUUID {
  118. //User Home directory contain access to this fsUUID
  119. matchingStoragePool = append(matchingStoragePool, u.HomeDirectories)
  120. }
  121. }
  122. //Look for other permission groups this user is in
  123. for _, pg := range u.PermissionGroup {
  124. for _, h := range pg.StoragePool.Storages {
  125. if h.UUID == fsUUID {
  126. //User Home directory contain access to this fsUUID
  127. matchingStoragePool = append(matchingStoragePool, u.HomeDirectories)
  128. }
  129. }
  130. }
  131. //Check the highest priority in the list
  132. if len(matchingStoragePool) == 0 {
  133. return &storage.StoragePool{}, errors.New("No access to this filesystem was found")
  134. }
  135. currentTopStoragePool := matchingStoragePool[0]
  136. for _, storagePool := range matchingStoragePool {
  137. if storagePool.Owner == u.Username {
  138. //Owner of this ppol. Return this
  139. return storagePool, nil
  140. } else if storagePool.Owner == "system" {
  141. //System storage pool. Everyone can read write to this.
  142. return storagePool, nil
  143. } else {
  144. //Compare the priority. Replace the top one if the current one has higher priority
  145. if storagePool.HasHigherOrEqualPermissionThan(currentTopStoragePool) {
  146. currentTopStoragePool = storagePool
  147. }
  148. }
  149. }
  150. return currentTopStoragePool, nil
  151. }
  152. func (u *User) GetUserPermissionGroup() []*permission.PermissionGroup {
  153. return u.PermissionGroup
  154. }
  155. func (u *User) GetUserPermissionGroupNames() []string {
  156. userPermissionGroups := []string{}
  157. for _, pg := range u.PermissionGroup {
  158. userPermissionGroups = append(userPermissionGroups, pg.Name)
  159. }
  160. return userPermissionGroups
  161. }
  162. //Check if the user is in one of the permission groups, require groupname
  163. func (u *User) UserIsInOneOfTheGroupOf(groupnames []string) bool {
  164. userpg := u.GetUserPermissionGroup()
  165. for _, thispg := range userpg {
  166. for _, thisname := range groupnames {
  167. if thispg.Name == thisname {
  168. return true
  169. }
  170. }
  171. }
  172. return false
  173. }
  174. func (u *User) SetUserPermissionGroup(groups []*permission.PermissionGroup) {
  175. groupIds := []string{}
  176. for _, gp := range groups {
  177. groupIds = append(groupIds, gp.Name)
  178. }
  179. u.parent.database.Write("auth", "group/"+u.Username, groupIds)
  180. }