leviathonbeast/ionscale
1
0
Fork 0
mirror of https://github.com/jsiebens/ionscale.git synced 2026-03-31 15:07:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

feat: implement tag owners

Browse Source
This commit is contained in:
Johan Siebens
2022-09-16 16:30:51 +02:00
parent 69dd1f6b95
commit b265fc42c7
11 changed files with 316 additions and 80 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/service/auth_keys.go
+10
View File
@@ -134,6 +134,16 @@ func (s *Service) CreateAuthKey(ctx context.Context, req *connect.Request[api.Cr
return nil, connect.NewError(connect.CodeNotFound, errors.New("tailnet not found"))
}
if principal.IsSystemAdmin() {
if err := tailnet.ACLPolicy.CheckTags(req.Msg.Tags); err != nil {
return nil, connect.NewError(connect.CodeInvalidArgument, err)
}
} else {
if err := tailnet.ACLPolicy.CheckTagOwners(req.Msg.Tags, principal.User); err != nil {
return nil, connect.NewError(connect.CodeInvalidArgument, err)
}
}
var expiresAt *time.Time
var expiresAtPb *timestamppb.Timestamp
internal/service/interceptors.go
+7 -29
View File
@@ -18,34 +18,12 @@ const (
principalKey = "principalKay"
)
type Principal struct {
SystemRole domain.SystemRole
User *domain.User
UserRole domain.UserRole
}
func (p Principal) IsSystemAdmin() bool {
return p.SystemRole.IsAdmin()
}
func (p Principal) IsTailnetAdmin(tailnetID uint64) bool {
return p.User.TailnetID == tailnetID && p.UserRole.IsAdmin()
}
func (p Principal) IsTailnetMember(tailnetID uint64) bool {
return p.User.TailnetID == tailnetID
}
func (p Principal) UserMatches(userID uint64) bool {
return p.User.ID == userID
}
func CurrentPrincipal(ctx context.Context) Principal {
func CurrentPrincipal(ctx context.Context) domain.Principal {
p := ctx.Value(principalKey)
if p == nil {
return Principal{SystemRole: domain.SystemRoleNone, UserRole: domain.UserRoleNone}
return domain.Principal{SystemRole: domain.SystemRoleNone, UserRole: domain.UserRoleNone}
}
return p.(Principal)
return p.(domain.Principal)
}
func AuthenticationInterceptor(systemAdminKey *key.ServerPrivate, repository domain.Repository) connect.UnaryInterceptorFunc {
@@ -69,7 +47,7 @@ func AuthenticationInterceptor(systemAdminKey *key.ServerPrivate, repository dom
}
}
func exchangeToken(ctx context.Context, systemAdminKey *key.ServerPrivate, repository domain.Repository, value string) *Principal {
func exchangeToken(ctx context.Context, systemAdminKey *key.ServerPrivate, repository domain.Repository, value string) *domain.Principal {
if len(value) == 0 {
return nil
}
@@ -77,7 +55,7 @@ func exchangeToken(ctx context.Context, systemAdminKey *key.ServerPrivate, repos
if systemAdminKey != nil && token.IsSystemAdminToken(value) {
_, err := token.ParseSystemAdminToken(*systemAdminKey, value)
if err == nil {
return &Principal{SystemRole: domain.SystemRoleAdmin}
return &domain.Principal{SystemRole: domain.SystemRoleAdmin}
}
}
@@ -87,12 +65,12 @@ func exchangeToken(ctx context.Context, systemAdminKey *key.ServerPrivate, repos
tailnet := apiKey.Tailnet
role := tailnet.IAMPolicy.GetRole(user)
return &Principal{User: &apiKey.User, SystemRole: domain.SystemRoleNone, UserRole: role}
return &domain.Principal{User: &apiKey.User, SystemRole: domain.SystemRoleNone, UserRole: role}
}
systemApiKey, err := repository.LoadSystemApiKey(ctx, value)
if err == nil && systemApiKey != nil {
return &Principal{SystemRole: domain.SystemRoleAdmin}
return &domain.Principal{SystemRole: domain.SystemRoleAdmin}
}
return nil