Ejemplo n.º 1
0
func NewRbacSuite(s rbac.Store) *RbacSuite {
	return &RbacSuite{
		&RbacTests{&StoreTests{s},
			rbac.NewAccess(s, FuturamaRoles),
			rbac.NewAdmin(s, FuturamaRoles),
		},
	}
}
Ejemplo n.º 2
0
func ExampleAccess(t *testing.T) {
	// Let's set up an RBAC store. We'll use the in-memory store
	// for this example. You should use something more permanent like the Mongo store.
	store := mem.NewStore()
	// Admin lets us grant and revoke roles
	admin := rbac.NewAdmin(store, MessageBoardRoles)
	// Anonymous scheme users can lurk and that's all
	admin.Grant(User{Identity: Identity{"anon", "*"}}, LurkerRole, MessageBoardResource)
	// Verified Gooble users can post
	admin.Grant(User{Identity: Identity{"gooble", "*"}}, PosterRole, MessageBoardResource)

	// A wild anon appears
	anon := User{Identity: Identity{"anon", "10.55.61.128"}}

	// Connect to the message board service as this user
	// In a web application, you'll likely derive the user from http.Request, using
	// OAuth, OpenID, cookies, etc.
	mb := &mbConn{&rbac.Access{store, MessageBoardRoles}, anon}

	// Print the first page of the message board. The MessageBoard will check
	// Access.Can(user, ListPerm, MessageBoardResource).
	content, err := mb.Lurk(0)
	if err != nil {
		panic(err)
	}
	fmt.Println(content)

	// A tame authenticated user appears. Reattach as tame user now.
	// In real life, this would likely be in a distinct http.Handler with its own session.
	tame := User{Identity: Identity{"gooble", "YourRealName"}}
	mb = &mbConn{&rbac.Access{store, MessageBoardRoles}, tame}

	// Post a message.
	_, err = mb.Post("check 'em")
	if err != nil {
		panic(err)
	}
}
Ejemplo n.º 3
0
func (c *serveCmd) Main() {
	if c.extName == "" {
		Usage(c, "--name is required")
	}

	c.serviceAdmins = strings.Split(c.serviceAdminCsv, ",")
	for i := range c.serviceAdmins {
		c.serviceAdmins[i] = strings.TrimSpace(c.serviceAdmins[i])
	}

	session, err := mgo.Dial(c.mongo)
	if err != nil {
		die(err)
	}
	store, err := mongo.NewMongoStore(session, c.dbname, "", "")
	if err != nil {
		die(err)
	}

	s := NewGroupServer(store)

	// Grant service role to configured admins
	for _, serviceAdmin := range c.serviceAdmins {
		admin := rbac.NewAdmin(store, group.GroupRoles)
		u, err := affinity.ParseUser(serviceAdmin)
		if err != nil {
			die(err)
		}
		err = admin.Grant(u, group.ServiceRole, group.ServiceResource)
		if err != nil {
			log.Println("Warning:", err)
		}
	}

	s.Schemes.Register(usso.NewOauthCli(c.extName, &affinity.PasswordUnavailable{}))
	err = http.ListenAndServe(c.addr, s)
	die(err)
}
Ejemplo n.º 4
0
// NewGroupService creates a new group service using the given storage, with access
// to operations as the given user.
func NewGroupService(store rbac.Store, asUser User) *GroupService {
	return &GroupService{rbac.NewAdmin(store, GroupRoles), asUser}
}