// Grant allows a team to have access to an app. It returns an error if the
// team already have access to the app.
func (app *App) Grant(team *auth.Team) error {
if _, found := app.findTeam(team); found {
return ErrAlreadyHaveAccess
}
app.Teams = append(app.Teams, team.Name)
conn, err := db.Conn()
if err != nil {
return err
}
defer conn.Close()
err = conn.Apps().Update(bson.M{"name": app.Name}, bson.M{"$addToSet": bson.M{"teams": team.Name}})
if err != nil {
return err
}
users, err := auth.ListUsersWithPermissions(permission.Permission{
Scheme: permission.PermAppDeploy,
Context: permission.Context(permission.CtxTeam, team.Name),
})
if err != nil {
conn.Apps().Update(bson.M{"name": app.Name}, bson.M{"$pull": bson.M{"teams": team.Name}})
return err
}
for _, user := range users {
err = repository.Manager().GrantAccess(app.Name, user.Email)
if err != nil {
conn.Apps().Update(bson.M{"name": app.Name}, bson.M{"$pull": bson.M{"teams": team.Name}})
return err
}
}
return nil
}
// Revoke removes the access from a team. It returns an error if the team do
// not have access to the app.
func (app *App) Revoke(team *auth.Team) error {
if len(app.Teams) == 1 {
return ErrCannotOrphanApp
}
index, found := app.findTeam(team)
if !found {
return ErrNoAccess
}
last := len(app.Teams) - 1
app.Teams[index] = app.Teams[last]
app.Teams = app.Teams[:last]
conn, err := db.Conn()
if err != nil {
return err
}
defer conn.Close()
err = conn.Apps().Update(bson.M{"name": app.Name}, bson.M{"$pull": bson.M{"teams": team.Name}})
if err != nil {
return err
}
users, err := auth.ListUsersWithPermissions(permission.Permission{
Scheme: permission.PermAppDeploy,
Context: permission.Context(permission.CtxTeam, team.Name),
})
if err != nil {
conn.Apps().Update(bson.M{"name": app.Name}, bson.M{"$addToSet": bson.M{"teams": team.Name}})
return err
}
for _, user := range users {
perms, err := user.Permissions()
if err != nil {
conn.Apps().Update(bson.M{"name": app.Name}, bson.M{"$addToSet": bson.M{"teams": team.Name}})
return err
}
canDeploy := permission.CheckFromPermList(perms, permission.PermAppDeploy,
append(permission.Contexts(permission.CtxTeam, app.Teams),
permission.Context(permission.CtxApp, app.Name),
permission.Context(permission.CtxPool, app.Pool),
)...,
)
if canDeploy {
continue
}
err = repository.Manager().RevokeAccess(app.Name, user.Email)
if err != nil {
conn.Apps().Update(bson.M{"name": app.Name}, bson.M{"$addToSet": bson.M{"teams": team.Name}})
return err
}
}
return nil
}
func Sync(w io.Writer) error {
var m gandalfManager
users, err := auth.ListUsers()
if err != nil {
return err
}
for _, user := range users {
fmt.Fprintf(w, "Syncing user %q... ", user.Email)
err = m.CreateUser(user.Email)
switch err {
case repository.ErrUserAlreadyExists:
fmt.Fprintln(w, "already present in Gandalf")
case nil:
fmt.Fprintln(w, "OK")
default:
return err
}
}
apps, err := app.List(nil)
if err != nil {
return err
}
for _, app := range apps {
allowedPerms := []permission.Permission{
{
Scheme: permission.PermAppDeploy,
Context: permission.Context(permission.CtxGlobal, ""),
},
{
Scheme: permission.PermAppDeploy,
Context: permission.Context(permission.CtxPool, app.Pool),
},
}
for _, t := range app.GetTeams() {
allowedPerms = append(allowedPerms, permission.Permission{
Scheme: permission.PermAppDeploy,
Context: permission.Context(permission.CtxTeam, t.Name),
})
}
users, err := auth.ListUsersWithPermissions(allowedPerms...)
if err != nil {
return err
}
userNames := make([]string, len(users))
for i := range users {
userNames[i] = users[i].Email
}
fmt.Fprintf(w, "Syncing app %q... ", app.Name)
err = m.CreateRepository(app.Name, userNames)
switch err {
case repository.ErrRepositoryAlreadExists:
fmt.Fprintln(w, "already present in Gandalf")
case nil:
fmt.Fprintln(w, "OK")
default:
return err
}
for _, user := range userNames {
m.GrantAccess(app.Name, user)
}
}
return nil
}
{
Scheme: permission.PermAppDeploy,
Context: permission.Context(permission.CtxGlobal, ""),
},
{
Scheme: permission.PermAppDeploy,
Context: permission.Context(permission.CtxPool, app.Pool),
},
}
for _, t := range app.GetTeams() {
allowedPerms = append(allowedPerms, permission.Permission{
Scheme: permission.PermAppDeploy,
Context: permission.Context(permission.CtxTeam, t.Name),
})
}
users, err := auth.ListUsersWithPermissions(allowedPerms...)
if err != nil {
return nil, err
}
userNames := make([]string, len(users))
for i := range users {
userNames[i] = users[i].Email
}
manager := repository.Manager()
err = manager.CreateRepository(app.Name, userNames)
if err != nil {
return nil, err
}
return app, err
},
Backward: func(ctx action.BWContext) {