// Recomputes the set of channels a User/Role has been granted access to by sync() functions. // This is part of the ChannelComputer interface defined by the Authenticator. func (context *DatabaseContext) ComputeChannelsForPrincipal(princ auth.Principal) (channels.TimedSet, error) { key := princ.Name() if _, ok := princ.(auth.User); !ok { key = "role:" + key // Roles are identified in access view by a "role:" prefix } var vres struct { Rows []struct { Value channels.TimedSet } } opts := map[string]interface{}{"stale": false, "key": key} if verr := context.Bucket.ViewCustom(DesignDocSyncGateway, ViewAccess, opts, &vres); verr != nil { return nil, verr } channelSet := channels.TimedSet{} for _, row := range vres.Rows { channelSet.Add(row.Value) } return channelSet, nil }
// GetPrincipal looks up the user (isUser == true) or role with the given name and
// returns it as a PrincipalConfig. A nil *PrincipalConfig is returned when no such
// principal exists; any error from the Authenticator lookup is returned unchanged.
func (dbc *DatabaseContext) GetPrincipal(name string, isUser bool) (info *PrincipalConfig, err error) {
	authenticator := dbc.Authenticator()

	var princ auth.Principal
	switch {
	case isUser:
		princ, err = authenticator.GetUser(name)
	default:
		princ, err = authenticator.GetRole(name)
	}
	// A nil principal covers both "not found" and "lookup failed"; err is
	// whatever the lookup reported.
	if princ == nil {
		return nil, err
	}

	config := &PrincipalConfig{
		Name:             &name,
		ExplicitChannels: princ.ExplicitChannels().AsSet(),
	}
	user, isUserPrincipal := princ.(auth.User)
	if !isUserPrincipal {
		// Roles only expose the channels directly granted to them.
		config.Channels = princ.Channels().AsSet()
		return config, err
	}
	// Users additionally report inherited channels, account state and roles.
	config.Channels = user.InheritedChannels().AsSet()
	config.Email = user.Email()
	config.Disabled = user.Disabled()
	config.ExplicitRoleNames = user.ExplicitRoles().AllChannels()
	config.RoleNames = user.RoleNames().AllChannels()
	return config, err
}
// marshalPrincipal serializes a user or role as a JSON PrincipalConfig, using the
// principal's external (client-visible) name. Users additionally carry inherited
// channels, email, disabled flag and role names; roles only carry their own channels.
func marshalPrincipal(princ auth.Principal) ([]byte, error) {
	externalName := externalUserName(princ.Name())
	config := db.PrincipalConfig{
		Name:             &externalName,
		ExplicitChannels: princ.ExplicitChannels().AsSet(),
	}

	switch user := princ.(type) {
	case auth.User:
		config.Channels = user.InheritedChannels().AsSet()
		config.Email = user.Email()
		config.Disabled = user.Disabled()
		config.ExplicitRoleNames = user.ExplicitRoles().AllChannels()
		config.RoleNames = user.RoleNames().AllChannels()
	default:
		config.Channels = princ.Channels().AsSet()
	}
	return json.Marshal(config)
}
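// UpdatePrincipal updates or creates a user (isUser == true) or role from a
// PrincipalConfig structure. If the principal already exists and allowReplace is
// false, a 409 error is returned. replaced reports whether an existing principal was
// found, even when an error is returned. A new sequence number is only allocated
// when something actually changed (issue #673).
func (dbc *DatabaseContext) UpdatePrincipal(newInfo PrincipalConfig, isUser bool, allowReplace bool) (replaced bool, err error) {
	// The name is dereferenced below; a config without one is a client error, not a panic.
	if newInfo.Name == nil {
		err = base.HTTPErrorf(http.StatusBadRequest, "Missing name")
		return
	}
	name := *newInfo.Name
	authenticator := dbc.Authenticator()

	// Get the existing principal, or if this is a POST make sure there isn't one:
	var princ auth.Principal
	var user auth.User
	if isUser {
		isValid, reason := newInfo.IsPasswordValid(dbc.AllowEmptyPassword)
		if !isValid {
			// reason is data, not a format string: pass it as an argument so a
			// stray '%' in it cannot be interpreted as a verb.
			err = base.HTTPErrorf(http.StatusBadRequest, "%s", reason)
			return
		}
		user, err = authenticator.GetUser(name)
		princ = user
	} else {
		princ, err = authenticator.GetRole(name)
	}
	if err != nil {
		return
	}

	changed := false
	replaced = (princ != nil)
	if !replaced {
		// If user/role didn't exist already, instantiate a new one:
		if isUser {
			user, err = authenticator.NewUser(name, "", nil)
			princ = user
		} else {
			princ, err = authenticator.NewRole(name, nil)
		}
		if err != nil {
			return
		}
		changed = true
	} else if !allowReplace {
		err = base.HTTPErrorf(http.StatusConflict, "Already exists")
		return
	}

	updatedChannels := princ.ExplicitChannels()
	if updatedChannels == nil {
		updatedChannels = ch.TimedSet{}
	}
	if !updatedChannels.Equals(newInfo.ExplicitChannels) {
		changed = true
	}

	var updatedRoles ch.TimedSet

	// Then the user-specific fields like roles:
	if isUser {
		if newInfo.Email != user.Email() {
			user.SetEmail(newInfo.Email)
			changed = true
		}
		if newInfo.Password != nil {
			user.SetPassword(*newInfo.Password)
			changed = true
		}
		if newInfo.Disabled != user.Disabled() {
			user.SetDisabled(newInfo.Disabled)
			changed = true
		}
		updatedRoles = user.ExplicitRoles()
		if updatedRoles == nil {
			updatedRoles = ch.TimedSet{}
		}
		if !updatedRoles.Equals(base.SetFromArray(newInfo.ExplicitRoleNames)) {
			changed = true
		}
	}

	// And finally save the Principal, but only if something changed:
	if !changed {
		return
	}

	// Update the persistent sequence number of this principal (only allocate a
	// sequence when needed - issue #673). Assign to the named result directly
	// rather than shadowing err in a nested scope.
	nextSeq := uint64(0)
	if dbc.writeSequences() {
		nextSeq, err = dbc.sequences.nextSequence()
		if err != nil {
			return
		}
		princ.SetSequence(nextSeq)
	}

	// Now update the Principal object from the properties in the request, first the channels:
	if updatedChannels.UpdateAtSequence(newInfo.ExplicitChannels, nextSeq) {
		princ.SetExplicitChannels(updatedChannels)
	}
	if isUser {
		if updatedRoles.UpdateAtSequence(base.SetFromArray(newInfo.ExplicitRoleNames), nextSeq) {
			user.SetExplicitRoles(updatedRoles)
		}
	}
	err = authenticator.Save(princ)
	return
}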