func (s *S) TestAddDefaultRole(c *check.C) { _, err := permission.NewRole("r1", "team") c.Assert(err, check.IsNil) _, err = permission.NewRole("r2", "team") c.Assert(err, check.IsNil) _, err = permission.NewRole("r3", "global") c.Assert(err, check.IsNil) rec := httptest.NewRecorder() body := bytes.NewBufferString("team-create=r1&team-create=r2&user-create=r3") req, err := http.NewRequest("POST", "/role/default", body) c.Assert(err, check.IsNil) token := userWithPermission(c, permission.Permission{ Scheme: permission.PermRoleDefaultCreate, Context: permission.Context(permission.CtxGlobal, ""), }) req.Header.Set("Content-Type", "application/x-www-form-urlencoded") req.Header.Set("Authorization", "bearer "+token.GetValue()) server := RunServer(true) server.ServeHTTP(rec, req) c.Assert(rec.Code, check.Equals, http.StatusOK) r1, err := permission.FindRole("r1") c.Assert(err, check.IsNil) c.Assert(r1.Events, check.DeepEquals, []string{permission.RoleEventTeamCreate.String()}) r2, err := permission.FindRole("r2") c.Assert(err, check.IsNil) c.Assert(r2.Events, check.DeepEquals, []string{permission.RoleEventTeamCreate.String()}) r3, err := permission.FindRole("r3") c.Assert(err, check.IsNil) c.Assert(r3.Events, check.DeepEquals, []string{permission.RoleEventUserCreate.String()}) }
func (s *S) TestAddDefaultRole(c *check.C) { _, err := permission.NewRole("r1", "team", "") c.Assert(err, check.IsNil) _, err = permission.NewRole("r2", "team", "") c.Assert(err, check.IsNil) _, err = permission.NewRole("r3", "global", "") c.Assert(err, check.IsNil) rec := httptest.NewRecorder() body := bytes.NewBufferString("team-create=r1&team-create=r2&user-create=r3") req, err := http.NewRequest("POST", "/role/default", body) c.Assert(err, check.IsNil) token := userWithPermission(c, permission.Permission{ Scheme: permission.PermRoleDefaultCreate, Context: permission.Context(permission.CtxGlobal, ""), }) req.Header.Set("Content-Type", "application/x-www-form-urlencoded") req.Header.Set("Authorization", "bearer "+token.GetValue()) server := RunServer(true) server.ServeHTTP(rec, req) c.Assert(rec.Code, check.Equals, http.StatusOK) r1, err := permission.FindRole("r1") c.Assert(err, check.IsNil) c.Assert(r1.Events, check.DeepEquals, []string{permission.RoleEventTeamCreate.String()}) r2, err := permission.FindRole("r2") c.Assert(err, check.IsNil) c.Assert(r2.Events, check.DeepEquals, []string{permission.RoleEventTeamCreate.String()}) r3, err := permission.FindRole("r3") c.Assert(err, check.IsNil) c.Assert(r3.Events, check.DeepEquals, []string{permission.RoleEventUserCreate.String()}) c.Assert(eventtest.EventDesc{ Target: event.Target{Type: event.TargetTypeRole, Value: "r1"}, Owner: token.GetUserName(), Kind: "role.default.create", StartCustomData: []map[string]interface{}{ {"name": "team-create", "value": []string{"r1", "r2"}}, {"name": "user-create", "value": "r3"}, }, }, eventtest.HasEvent) c.Assert(eventtest.EventDesc{ Target: event.Target{Type: event.TargetTypeRole, Value: "r2"}, Owner: token.GetUserName(), Kind: "role.default.create", StartCustomData: []map[string]interface{}{ {"name": "team-create", "value": []string{"r1", "r2"}}, {"name": "user-create", "value": "r3"}, }, }, eventtest.HasEvent) c.Assert(eventtest.EventDesc{ Target: event.Target{Type: event.TargetTypeRole, Value: "r3"}, Owner: token.GetUserName(), Kind: "role.default.create", StartCustomData: []map[string]interface{}{ {"name": "team-create", "value": []string{"r1", "r2"}}, {"name": "user-create", "value": "r3"}, }, }, eventtest.HasEvent) }
func addDefaultRole(w http.ResponseWriter, r *http.Request, t auth.Token) error { if !permission.Check(t, permission.PermRoleDefaultCreate) { return permission.ErrUnauthorized } err := r.ParseForm() if err != nil { return err } for evtName := range permission.RoleEventMap { roles := r.Form[evtName] for _, roleName := range roles { role, err := permission.FindRole(roleName) if err != nil { if err == permission.ErrRoleNotFound { return &errors.HTTP{ Code: http.StatusBadRequest, Message: err.Error(), } } return err } err = role.AddEvent(evtName) if err != nil { if _, ok := err.(permission.ErrRoleEventWrongContext); ok { return &errors.HTTP{ Code: http.StatusBadRequest, Message: err.Error(), } } return err } } } return nil }
func addPermissions(w http.ResponseWriter, r *http.Request, t auth.Token) error { if !permission.Check(t, permission.PermRoleUpdate) { return permission.ErrUnauthorized } roleName := r.URL.Query().Get(":name") role, err := permission.FindRole(roleName) if err != nil { return err } err = r.ParseForm() if err != nil { return err } users, err := auth.ListUsersWithRole(roleName) if err != nil { return err } err = runWithPermSync(users, func() error { return role.AddPermissions(r.Form["permission"]...) }) if err == nil { w.WriteHeader(http.StatusOK) } return err }
func deployableApps(u *auth.User, rolesCache map[string]*permission.Role) ([]string, error) { var perms []permission.Permission for _, roleData := range u.Roles { role := rolesCache[roleData.Name] if role == nil { foundRole, err := permission.FindRole(roleData.Name) if err != nil { return nil, err } role = &foundRole rolesCache[roleData.Name] = role } perms = append(perms, role.PermissionsFor(roleData.ContextValue)...) } contexts := permission.ContextsFromListForPermission(perms, permission.PermAppDeploy) if len(contexts) == 0 { return nil, nil } filter := appFilterByContext(contexts, nil) apps, err := app.List(filter) if err != nil { return nil, err } appNames := make([]string, len(apps)) for i := range apps { appNames[i] = apps[i].GetName() } return appNames, nil }
func createRole(name, contextType string) (permission.Role, error) { role, err := permission.NewRole(name, contextType, "") if err == permission.ErrRoleAlreadyExists { role, err = permission.FindRole(name) } return role, err }
// title: role info // path: /roles/{name} // method: GET // produce: application/json // responses: // 200: OK // 401: Unauthorized // 404: Role not found func roleInfo(w http.ResponseWriter, r *http.Request, t auth.Token) error { if !(permission.Check(t, permission.PermRoleUpdate) || permission.Check(t, permission.PermRoleUpdateAssign) || permission.Check(t, permission.PermRoleUpdateDissociate) || permission.Check(t, permission.PermRoleCreate) || permission.Check(t, permission.PermRoleDelete)) { return permission.ErrUnauthorized } roleName := r.URL.Query().Get(":name") role, err := permission.FindRole(roleName) if err == permission.ErrRoleNotFound { return &errors.HTTP{ Code: http.StatusNotFound, Message: err.Error(), } } if err != nil { return err } b, err := json.Marshal(role) if err != nil { return err } w.Header().Set("Content-Type", "application/json") _, err = w.Write(b) return err }
func (u *User) AddRole(roleName string, contextValue string) error { _, err := permission.FindRole(roleName) if err != nil { return err } conn, err := db.Conn() if err != nil { return err } defer conn.Close() err = conn.Users().Update(bson.M{"email": u.Email}, bson.M{ "$addToSet": bson.M{ // Order matters in $addToSet, that's why bson.D is used instead // of bson.M. "roles": bson.D([]bson.DocElem{ {Name: "name", Value: roleName}, {Name: "contextvalue", Value: contextValue}, }), }, }) if err != nil { return err } return u.Reload() }
func canUseRole(t auth.Token, roleName, contextValue string) error { role, err := permission.FindRole(roleName) if err != nil { if err == permission.ErrRoleNotFound { return &errors.HTTP{ Code: http.StatusNotFound, Message: err.Error(), } } return err } userPerms, err := t.Permissions() if err != nil { return err } perms := role.PermissionsFor(contextValue) for _, p := range perms { if !permission.CheckFromPermList(userPerms, p.Scheme, p.Context) { return &errors.HTTP{ Code: http.StatusForbidden, Message: fmt.Sprintf("User not authorized to use permission %s", p.String()), } } } return nil }
func (s *S) TestRemoveDefaultRole(c *check.C) { r1, err := permission.NewRole("r1", "team", "") c.Assert(err, check.IsNil) err = r1.AddEvent(permission.RoleEventTeamCreate.String()) c.Assert(err, check.IsNil) rec := httptest.NewRecorder() req, err := http.NewRequest("DELETE", "/role/default?team-create=r1", nil) c.Assert(err, check.IsNil) token := userWithPermission(c, permission.Permission{ Scheme: permission.PermRoleDefaultDelete, Context: permission.Context(permission.CtxGlobal, ""), }) req.Header.Set("Authorization", "bearer "+token.GetValue()) server := RunServer(true) server.ServeHTTP(rec, req) c.Assert(rec.Code, check.Equals, http.StatusOK) r1, err = permission.FindRole("r1") c.Assert(err, check.IsNil) c.Assert(r1.Events, check.DeepEquals, []string{}) c.Assert(eventtest.EventDesc{ Target: event.Target{Type: event.TargetTypeRole, Value: "r1"}, Owner: token.GetUserName(), Kind: "role.default.delete", StartCustomData: []map[string]interface{}{ {"name": "team-create", "value": "r1"}, }, }, eventtest.HasEvent) }
func (s *S) TestAddPermissionsToARole(c *check.C) { _, err := permission.NewRole("test", "team", "") c.Assert(err, check.IsNil) rec := httptest.NewRecorder() b := bytes.NewBufferString(`permission=app.update&permission=app.deploy`) req, err := http.NewRequest("POST", "/roles/test/permissions", b) c.Assert(err, check.IsNil) token := userWithPermission(c, permission.Permission{ Scheme: permission.PermRoleUpdate, Context: permission.Context(permission.CtxGlobal, ""), }) req.Header.Set("Content-Type", "application/x-www-form-urlencoded") req.Header.Set("Authorization", "bearer "+token.GetValue()) server := RunServer(true) server.ServeHTTP(rec, req) c.Assert(rec.Code, check.Equals, http.StatusOK) r, err := permission.FindRole("test") c.Assert(err, check.IsNil) sort.Strings(r.SchemeNames) c.Assert(r.SchemeNames, check.DeepEquals, []string{"app.deploy", "app.update"}) c.Assert(eventtest.EventDesc{ Target: event.Target{Type: event.TargetTypeRole, Value: "test"}, Owner: token.GetUserName(), Kind: "role.update.permission.add", StartCustomData: []map[string]interface{}{ {"name": "permission", "value": []string{"app.update", "app.deploy"}}, }, }, eventtest.HasEvent) }
func (s *S) TestRemovePermissionsFromRole(c *check.C) { r, err := permission.NewRole("test", "team", "") c.Assert(err, check.IsNil) defer permission.DestroyRole(r.Name) err = r.AddPermissions("app.update") c.Assert(err, check.IsNil) rec := httptest.NewRecorder() req, err := http.NewRequest("DELETE", "/roles/test/permissions/app.update", nil) c.Assert(err, check.IsNil) token := userWithPermission(c, permission.Permission{ Scheme: permission.PermRoleUpdate, Context: permission.Context(permission.CtxGlobal, ""), }) req.Header.Set("Content-Type", "application/x-www-form-urlencoded") req.Header.Set("Authorization", "bearer "+token.GetValue()) server := RunServer(true) server.ServeHTTP(rec, req) c.Assert(rec.Code, check.Equals, http.StatusOK) r, err = permission.FindRole("test") c.Assert(err, check.IsNil) c.Assert(r.SchemeNames, check.DeepEquals, []string{}) c.Assert(eventtest.EventDesc{ Target: event.Target{Type: event.TargetTypeRole, Value: "test"}, Owner: token.GetUserName(), Kind: "role.update.permission.remove", StartCustomData: []map[string]interface{}{ {"name": ":name", "value": "test"}, {"name": ":permission", "value": "app.update"}, }, }, eventtest.HasEvent) }
func removeDefaultRole(w http.ResponseWriter, r *http.Request, t auth.Token) error { if !permission.Check(t, permission.PermRoleDefaultDelete) { return permission.ErrUnauthorized } err := r.ParseForm() if err != nil { return err } for evtName := range permission.RoleEventMap { roles := r.Form[evtName] for _, roleName := range roles { role, err := permission.FindRole(roleName) if err != nil { if err == permission.ErrRoleNotFound { return &errors.HTTP{ Code: http.StatusBadRequest, Message: err.Error(), } } return err } err = role.RemoveEvent(evtName) if err != nil { return err } } } w.WriteHeader(http.StatusOK) return nil }
func (s *S) TestRemovePermissionsFromRoleSyncGitRepository(c *check.C) { r, err := permission.NewRole("test", "team") c.Assert(err, check.IsNil) defer permission.DestroyRole(r.Name) err = r.AddPermissions("app.deploy") c.Assert(err, check.IsNil) user := &auth.User{Email: "*****@*****.**", Password: "******"} _, err = nativeScheme.Create(user) c.Assert(err, check.IsNil) err = user.AddRole("test", s.team.Name) c.Assert(err, check.IsNil) a := app.App{Name: "myapp", TeamOwner: s.team.Name} err = app.CreateApp(&a, s.user) err = repository.Manager().GrantAccess(a.Name, user.Email) c.Assert(err, check.IsNil) rec := httptest.NewRecorder() req, err := http.NewRequest("DELETE", "/roles/test/permissions/app.deploy", nil) c.Assert(err, check.IsNil) token := userWithPermission(c, permission.Permission{ Scheme: permission.PermRoleUpdate, Context: permission.Context(permission.CtxGlobal, ""), }) req.Header.Set("Content-Type", "application/x-www-form-urlencoded") req.Header.Set("Authorization", "bearer "+token.GetValue()) server := RunServer(true) server.ServeHTTP(rec, req) c.Assert(rec.Code, check.Equals, http.StatusOK) r, err = permission.FindRole("test") c.Assert(err, check.IsNil) c.Assert(r.SchemeNames, check.DeepEquals, []string{}) users, err := repositorytest.Granted(a.Name) c.Assert(err, check.IsNil) c.Assert(users, check.DeepEquals, []string{s.user.Email}) }
func createApiUser(t auth.Token, user *auth.User) (*apiUser, error) { permissions, err := user.Permissions() if err != nil { return nil, err } permData := make([]rolePermissionData, len(permissions)) for i, p := range permissions { if !permission.Check(t, p.Scheme, p.Context) { return nil, nil } permData[i] = rolePermissionData{ Name: p.Scheme.FullName(), ContextType: string(p.Context.CtxType), ContextValue: p.Context.Value, } } roleData := make([]rolePermissionData, len(user.Roles)) for i, userRole := range user.Roles { r, err := permission.FindRole(userRole.Name) if err != nil { return nil, err } roleData[i] = rolePermissionData{ Name: userRole.Name, ContextType: string(r.ContextType), ContextValue: userRole.ContextValue, } } return &apiUser{ Email: user.Email, Roles: roleData, Permissions: permData, }, nil }
func createApiUser(perms []permission.Permission, user *auth.User, roleMap map[string]*permission.Role, includeAll bool) (*apiUser, error) { var permData []rolePermissionData roleData := make([]rolePermissionData, 0, len(user.Roles)) if roleMap == nil { roleMap = make(map[string]*permission.Role) } allGlobal := true for _, userRole := range user.Roles { role := roleMap[userRole.Name] if role == nil { r, err := permission.FindRole(userRole.Name) if err != nil { return nil, err } role = &r roleMap[userRole.Name] = role } allPermsMatch := true permissions := role.PermissionsFor(userRole.ContextValue) if len(permissions) == 0 && !includeAll { continue } rolePerms := make([]rolePermissionData, len(permissions)) for i, p := range permissions { if perms != nil && allPermsMatch && !permission.CheckFromPermList(perms, p.Scheme, p.Context) { allPermsMatch = false break } rolePerms[i] = rolePermissionData{ Name: p.Scheme.FullName(), ContextType: string(p.Context.CtxType), ContextValue: p.Context.Value, } } if !allPermsMatch { continue } roleData = append(roleData, rolePermissionData{ Name: userRole.Name, ContextType: string(role.ContextType), ContextValue: userRole.ContextValue, }) permData = append(permData, rolePerms...) if role.ContextType != permission.CtxGlobal { allGlobal = false } } if len(roleData) == 0 || (!includeAll && allGlobal) { return nil, nil } return &apiUser{ Email: user.Email, Roles: roleData, Permissions: permData, }, nil }
func (u *User) Permissions() ([]permission.Permission, error) { var permissions []permission.Permission for _, roleData := range u.Roles { role, err := permission.FindRole(roleData.Name) if err != nil { return nil, err } permissions = append(permissions, role.PermisionsFor(roleData.ContextValue)...) } return permissions, nil }
// title: add permissions // path: /roles/{name}/permissions // method: POST // consume: application/x-www-form-urlencoded // responses: // 200: Ok // 400: Invalid data // 401: Unauthorized // 409: Permission not allowed func addPermissions(w http.ResponseWriter, r *http.Request, t auth.Token) (err error) { r.ParseForm() if !permission.Check(t, permission.PermRoleUpdatePermissionAdd) { return permission.ErrUnauthorized } roleName := r.URL.Query().Get(":name") evt, err := event.New(&event.Opts{ Target: event.Target{Type: event.TargetTypeRole, Value: roleName}, Kind: permission.PermRoleUpdatePermissionAdd, Owner: t, CustomData: event.FormToCustomData(r.Form), Allowed: event.Allowed(permission.PermRoleReadEvents), }) if err != nil { return err } defer func() { evt.Done(err) }() role, err := permission.FindRole(roleName) if err != nil { return err } err = r.ParseForm() if err != nil { return err } users, err := auth.ListUsersWithRole(roleName) if err != nil { return err } err = runWithPermSync(users, func() error { return role.AddPermissions(r.Form["permission"]...) }) if err == permission.ErrInvalidPermissionName { return &errors.HTTP{ Code: http.StatusBadRequest, Message: err.Error(), } } if perr, ok := err.(*permission.ErrPermissionNotFound); ok { return &errors.HTTP{ Code: http.StatusBadRequest, Message: perr.Error(), } } if perr, ok := err.(*permission.ErrPermissionNotAllowed); ok { return &errors.HTTP{ Code: http.StatusConflict, Message: perr.Error(), } } return err }
// title: add default role // path: /role/default // method: POST // consme: application/x-www-form-urlencoded // responses: // 200: Ok // 400: Invalid data // 401: Unauthorized func addDefaultRole(w http.ResponseWriter, r *http.Request, t auth.Token) (err error) { if !permission.Check(t, permission.PermRoleDefaultCreate) { return permission.ErrUnauthorized } err = r.ParseForm() if err != nil { return err } rolesMap := map[string][]string{} for evtName := range permission.RoleEventMap { roles := r.Form[evtName] for _, roleName := range roles { rolesMap[roleName] = append(rolesMap[roleName], evtName) } } for roleName, evts := range rolesMap { evt, err := event.New(&event.Opts{ Target: event.Target{Type: event.TargetTypeRole, Value: roleName}, Kind: permission.PermRoleDefaultCreate, Owner: t, CustomData: event.FormToCustomData(r.Form), Allowed: event.Allowed(permission.PermRoleReadEvents), }) if err != nil { return err } defer func() { evt.Done(err) }() role, err := permission.FindRole(roleName) if err != nil { if err == permission.ErrRoleNotFound { return &errors.HTTP{ Code: http.StatusBadRequest, Message: err.Error(), } } return err } for _, evtName := range evts { err = role.AddEvent(evtName) if err != nil { if _, ok := err.(permission.ErrRoleEventWrongContext); ok { return &errors.HTTP{ Code: http.StatusBadRequest, Message: err.Error(), } } return err } } } return nil }
func addSuperRole(u *auth.User) error { defaultRoleName := "AllowAll" r, err := permission.FindRole(defaultRoleName) if err != nil { r, err = permission.NewRole(defaultRoleName, string(permission.CtxGlobal), "") if err != nil { return err } } err = r.AddPermissions("*") if err != nil { return err } return u.AddRole(defaultRoleName, "") }
func (u *User) Permissions() ([]permission.Permission, error) { var permissions []permission.Permission roles := make(map[string]*permission.Role) for _, roleData := range u.Roles { role := roles[roleData.Name] if role == nil { foundRole, err := permission.FindRole(roleData.Name) if err != nil && err != permission.ErrRoleNotFound { return nil, err } role = &foundRole roles[roleData.Name] = role } permissions = append(permissions, role.PermissionsFor(roleData.ContextValue)...) } return permissions, nil }
func removePermissions(w http.ResponseWriter, r *http.Request, t auth.Token) error { roleName := r.URL.Query().Get(":name") role, err := permission.FindRole(roleName) if err != nil { return err } defer r.Body.Close() b, err := ioutil.ReadAll(r.Body) if err != nil { return err } var params map[string][]string err = json.Unmarshal(b, ¶ms) if err != nil { return err } return role.RemovePermissions(params["permissions"]...) }
func removePermissions(w http.ResponseWriter, r *http.Request, t auth.Token) error { if !permission.Check(t, permission.PermRoleUpdate) { return permission.ErrUnauthorized } roleName := r.URL.Query().Get(":name") permName := r.URL.Query().Get(":permission") role, err := permission.FindRole(roleName) if err != nil { return err } users, err := auth.ListUsersWithRole(roleName) if err != nil { return err } err = runWithPermSync(users, func() error { return role.RemovePermissions(permName) }) return err }
func (s *S) TestRemoveDefaultRole(c *check.C) { r1, err := permission.NewRole("r1", "team") c.Assert(err, check.IsNil) err = r1.AddEvent(permission.RoleEventTeamCreate.String()) c.Assert(err, check.IsNil) rec := httptest.NewRecorder() req, err := http.NewRequest("DELETE", "/role/default?team-create=r1", nil) c.Assert(err, check.IsNil) token := userWithPermission(c, permission.Permission{ Scheme: permission.PermRoleDefaultDelete, Context: permission.Context(permission.CtxGlobal, ""), }) req.Header.Set("Authorization", "bearer "+token.GetValue()) server := RunServer(true) server.ServeHTTP(rec, req) c.Assert(rec.Code, check.Equals, http.StatusOK) r1, err = permission.FindRole("r1") c.Assert(err, check.IsNil) c.Assert(r1.Events, check.DeepEquals, []string{}) }
func (s *S) TestAddPermissionsToARole(c *check.C) { _, err := permission.NewRole("test", "team") c.Assert(err, check.IsNil) rec := httptest.NewRecorder() b := bytes.NewBufferString(`permission=app.update&permission=app.deploy`) req, err := http.NewRequest("POST", "/roles/test/permissions", b) c.Assert(err, check.IsNil) token := userWithPermission(c, permission.Permission{ Scheme: permission.PermRoleUpdate, Context: permission.Context(permission.CtxGlobal, ""), }) req.Header.Set("Content-Type", "application/x-www-form-urlencoded") req.Header.Set("Authorization", "bearer "+token.GetValue()) server := RunServer(true) server.ServeHTTP(rec, req) c.Assert(rec.Code, check.Equals, http.StatusOK) r, err := permission.FindRole("test") c.Assert(err, check.IsNil) sort.Strings(r.SchemeNames) c.Assert(r.SchemeNames, check.DeepEquals, []string{"app.deploy", "app.update"}) }
func addPermissions(w http.ResponseWriter, r *http.Request, t auth.Token) error { if !permission.Check(t, permission.PermRoleUpdate) { return permission.ErrUnauthorized } roleName := r.URL.Query().Get(":name") role, err := permission.FindRole(roleName) if err != nil { return err } err = r.ParseForm() if err != nil { return err } users, err := auth.ListUsersWithRole(roleName) if err != nil { return err } err = runWithPermSync(users, func() error { return role.AddPermissions(r.Form["permission"]...) }) if err == permission.ErrInvalidPermissionName { return &errors.HTTP{ Code: http.StatusBadRequest, Message: err.Error(), } } if perr, ok := err.(*permission.ErrPermissionNotFound); ok { return &errors.HTTP{ Code: http.StatusBadRequest, Message: perr.Error(), } } if perr, ok := err.(*permission.ErrPermissionNotAllowed); ok { return &errors.HTTP{ Code: http.StatusConflict, Message: perr.Error(), } } return err }
func createApiUser(perms []permission.Permission, user *auth.User, roleMap map[string]*permission.Role) (*apiUser, error) { permData := make([]rolePermissionData, 0, len(user.Roles)) roleData := make([]rolePermissionData, len(user.Roles)) if roleMap == nil { roleMap = make(map[string]*permission.Role) } for i, userRole := range user.Roles { role := roleMap[userRole.Name] if role == nil { r, err := permission.FindRole(userRole.Name) if err != nil { return nil, err } role = &r roleMap[userRole.Name] = role } roleData[i] = rolePermissionData{ Name: userRole.Name, ContextType: string(role.ContextType), ContextValue: userRole.ContextValue, } permissions := role.PermissionsFor(userRole.ContextValue) for _, p := range permissions { if !permission.CheckFromPermList(perms, p.Scheme, p.Context) { return nil, nil } permData = append(permData, rolePermissionData{ Name: p.Scheme.FullName(), ContextType: string(p.Context.CtxType), ContextValue: p.Context.Value, }) } } return &apiUser{ Email: user.Email, Roles: roleData, Permissions: permData, }, nil }
func (s *S) TestRemovePermissionsFromRole(c *check.C) { r, err := permission.NewRole("test", "team") c.Assert(err, check.IsNil) defer permission.DestroyRole(r.Name) err = r.AddPermissions("app.update") c.Assert(err, check.IsNil) rec := httptest.NewRecorder() req, err := http.NewRequest("DELETE", "/roles/test/permissions/app.update", nil) c.Assert(err, check.IsNil) token := userWithPermission(c, permission.Permission{ Scheme: permission.PermRoleUpdate, Context: permission.Context(permission.CtxGlobal, ""), }) req.Header.Set("Content-Type", "application/x-www-form-urlencoded") req.Header.Set("Authorization", "bearer "+token.GetValue()) server := RunServer(true) server.ServeHTTP(rec, req) c.Assert(rec.Code, check.Equals, http.StatusOK) r, err = permission.FindRole("test") c.Assert(err, check.IsNil) c.Assert(r.SchemeNames, check.DeepEquals, []string{}) }
// title: remove permission // path: /roles/{name}/permissions/{permission} // method: DELETE // responses: // 200: Permission removed // 401: Unauthorized // 404: Not found func removePermissions(w http.ResponseWriter, r *http.Request, t auth.Token) (err error) { r.ParseForm() if !permission.Check(t, permission.PermRoleUpdatePermissionRemove) { return permission.ErrUnauthorized } roleName := r.URL.Query().Get(":name") evt, err := event.New(&event.Opts{ Target: event.Target{Type: event.TargetTypeRole, Value: roleName}, Kind: permission.PermRoleUpdatePermissionRemove, Owner: t, CustomData: event.FormToCustomData(r.Form), Allowed: event.Allowed(permission.PermRoleReadEvents), }) if err != nil { return err } defer func() { evt.Done(err) }() permName := r.URL.Query().Get(":permission") role, err := permission.FindRole(roleName) if err != nil { if err == permission.ErrRoleNotFound { return &errors.HTTP{ Code: http.StatusNotFound, Message: err.Error(), } } return err } users, err := auth.ListUsersWithRole(roleName) if err != nil { return err } err = runWithPermSync(users, func() error { return role.RemovePermissions(permName) }) return err }