func NewRbacSuite(s rbac.Store) *RbacSuite {
return &RbacSuite{
&RbacTests{&StoreTests{s},
rbac.NewAccess(s, FuturamaRoles),
rbac.NewAdmin(s, FuturamaRoles),
},
}
}
func ExampleAccess(t *testing.T) {
// Let's set up an RBAC store. We'll use the in-memory store
// for this example. You should use something more permanent like the Mongo store.
store := mem.NewStore()
// Admin lets us grant and revoke roles
admin := rbac.NewAdmin(store, MessageBoardRoles)
// Anonymous scheme users can lurk and that's all
admin.Grant(User{Identity: Identity{"anon", "*"}}, LurkerRole, MessageBoardResource)
// Verified Gooble users can post
admin.Grant(User{Identity: Identity{"gooble", "*"}}, PosterRole, MessageBoardResource)
// A wild anon appears
anon := User{Identity: Identity{"anon", "10.55.61.128"}}
// Connect to the message board service as this user
// In a web application, you'll likely derive the user from http.Request, using
// OAuth, OpenID, cookies, etc.
mb := &mbConn{&rbac.Access{store, MessageBoardRoles}, anon}
// Print the first page of the message board. The MessageBoard will check
// Access.Can(user, ListPerm, MessageBoardResource).
content, err := mb.Lurk(0)
if err != nil {
panic(err)
}
fmt.Println(content)
// A tame authenticated user appears. Reattach as tame user now.
// In real life, this would likely be in a distinct http.Handler with its own session.
tame := User{Identity: Identity{"gooble", "YourRealName"}}
mb = &mbConn{&rbac.Access{store, MessageBoardRoles}, tame}
// Post a message.
_, err = mb.Post("check 'em")
if err != nil {
panic(err)
}
}
func (c *serveCmd) Main() {
if c.extName == "" {
Usage(c, "--name is required")
}
c.serviceAdmins = strings.Split(c.serviceAdminCsv, ",")
for i := range c.serviceAdmins {
c.serviceAdmins[i] = strings.TrimSpace(c.serviceAdmins[i])
}
session, err := mgo.Dial(c.mongo)
if err != nil {
die(err)
}
store, err := mongo.NewMongoStore(session, c.dbname, "", "")
if err != nil {
die(err)
}
s := NewGroupServer(store)
// Grant service role to configured admins
for _, serviceAdmin := range c.serviceAdmins {
admin := rbac.NewAdmin(store, group.GroupRoles)
u, err := affinity.ParseUser(serviceAdmin)
if err != nil {
die(err)
}
err = admin.Grant(u, group.ServiceRole, group.ServiceResource)
if err != nil {
log.Println("Warning:", err)
}
}
s.Schemes.Register(usso.NewOauthCli(c.extName, &affinity.PasswordUnavailable{}))
err = http.ListenAndServe(c.addr, s)
die(err)
}
// NewGroupService creates a new group service using the given storage, with access
// to operations as the given user.
func NewGroupService(store rbac.Store, asUser User) *GroupService {
return &GroupService{rbac.NewAdmin(store, GroupRoles), asUser}
}
