// Test that a new user AM is generated only when all the parameters are valid
func Test_addValidAM(t *testing.T) {
	usersName := []string{defaultUserName, ""}
	privilege := make(map[string]interface{})
	for k, v := range usersPrivilege {
		privilege[k] = v
	}
	privilege["undef"] = ""
	userPwd, _ := password.NewUserPwd(defaultPassword, defaultSalt)
	pwd := ""
	for _, userName := range usersName {
		for p, _ := range privilege {
			for i := 0; i < password.MaxPasswordLength; i++ {
				ok := en.IsEntityNameValid(userName) == nil &&
					IsValidPrivilege(p) == nil &&
					userPwd.IsNewPwdValid([]byte(pwd)) == nil
				_, err := NewUserAm(p, []byte(pwd), defaultSalt)
				if ok == false && err == nil {
					t.Errorf("Test fail: Successfully generated new AM with invalid parameters: user name '%v' (%v), privilege '%v' (%v) password '%v' (%v)",
						userName, en.IsEntityNameValid(userName), p, IsValidPrivilege(p), pwd, userPwd.IsNewPwdValid([]byte(pwd)))
					t.FailNow()
				} else if ok == true && err != nil {
					t.Errorf("Test fail: Error while generated new AM with valid parameters: user name '%v' (%v), privilege '%v' (%v) password '%v' (%v), error: %v",
						userName, en.IsEntityNameValid(userName), p, IsValidPrivilege(p), pwd, userPwd.IsNewPwdValid([]byte(pwd)), err)
					t.FailNow()
				}
				pwd += "a"
			}
		}
	}
}
示例#2
0
// Get all the permissions of a given user to a given resource-
// return the user's list of permissions to the given resource
// The permissions may be listed as the user's permissions, permissions to groups
// in which the user is a member or permissions that are given to 'all'
func GetUserPermissions(el *en.EntityManager, userName string, resourceName string) (PermissionsMap, error) {
	lock.Lock()
	defer lock.Unlock()

	if el == nil {
		return nil, fmt.Errorf("Error: EntityManager is nil")
	}
	err := en.IsEntityNameValid(userName)
	if err != nil {
		return nil, err
	}
	err = en.IsEntityNameValid(resourceName)
	if err != nil {
		return nil, err
	}
	permissions := make(PermissionsMap)
	data, err := el.GetPropertyAttachedToEntity(resourceName, stc.AclPropertyName)
	if err != nil {
		return nil, fmt.Errorf("Resource '%v' dose not have an ACL property", resourceName)
	}
	acl, ok := data.(*Acl)
	if ok == false {
		return nil, fmt.Errorf("Resource '%v' ACL property is in the wrong type", resourceName)
	}
	for name, p := range acl.Permissions {
		if name == userName || name == stc.AclAllEntryName || el.IsUserPartOfAGroup(name, userName) {
			for permission, _ := range p.Permissions {
				permissions[permission] = ""
			}
		}
	}
	logger.Trace.Println("The permissions of:", userName, "are:", permissions)
	return permissions, nil
}
示例#3
0
// Callback from EntityManager, when an entity is removed in order to remove
// the entity's permissions. This is needed to avoid giving a future
// new (unrelated) entity with the same name the permissions that
// were given to the original entity that was removed
func RemoveEntityFromAcl(el1 interface{}, userName string) {
	if el1 == nil {
		return
	}
	el, ok := el1.(*en.EntityManager)
	if ok == false {
		return
	}
	err := en.IsEntityNameValid(userName)
	if err != nil {
		return
	}
	for resourceName, _ := range el.Resources {
		data, err := el.GetPropertyAttachedToEntity(resourceName, stc.AclPropertyName)
		if err != nil {
			continue
		}
		acl, ok := data.(*Acl)
		if ok == false {
			return
		}
		for name, _ := range acl.Permissions {
			if name == userName {
				acl.removeEntry(userName)
			}
		}
	}
	return
}
示例#4
0
func NewEntry(name string) (*AclEntry, error) {
	err := en.IsEntityNameValid(name)
	if err != nil {
		return nil, err
	}
	a := AclEntry{EntityName: name, Permissions: make(PermissionsMap)}
	return &a, nil
}
示例#5
0
// Check if the given user name has a given permission to the given entity
func CheckUserPermission(el *en.EntityManager, userName string, resourceName string, permission Permission) bool {
	if el == nil {
		return false
	}
	if en.IsEntityNameValid(userName) != nil {
		return false
	}
	if en.IsEntityNameValid(resourceName) != nil {
		return false
	}
	permissions, _ := GetUserPermissions(el, userName, resourceName)
	lock.Lock()
	defer lock.Unlock()
	_, exist := permissions[permission]
	logger.Trace.Println("Is permission:", permission, "of:", userName, "for entity:", resourceName, "set:", exist)
	return exist
}
示例#6
0
func (a aclRestful) checkEntityNameParamValidity(request *restful.Request, response *restful.Response, name string) bool {
	err := en.IsEntityNameValid(name)
	if err != nil {
		a.setError(response, http.StatusNotFound, err)
		return false
	}
	if a.st.UsersList.IsEntityInList(name) == false {
		err := fmt.Sprintf("Entity '%v' doesn't have ACL property", name)
		a.setError(response, http.StatusNotFound, errors.New(err))
		return false
	}
	return true
}
示例#7
0
// Remove the given entry from the ACL
func (a *Acl) removeEntry(name string) error {
	lock.Lock()
	defer lock.Unlock()

	err := en.IsEntityNameValid(name)
	if err != nil {
		return err
	}
	_, exist := a.Permissions[name]
	if exist == false {
		return fmt.Errorf("Error: Can't remove entry '%v', it does not exist in the ACL", name)
	}
	logger.Trace.Println("Remove entry:", name, "from acl")
	delete(a.Permissions, name)
	return nil
}
示例#8
0
// Add the given permission to the given resource for the given user
func (a *Acl) AddPermissionToResource(el *en.EntityManager, userName string, permission Permission) error {
	lock.Lock()
	defer lock.Unlock()

	if el == nil {
		return fmt.Errorf("Error: entityManager is nil")
	}
	err := en.IsEntityNameValid(userName)
	if err != nil {
		return err
	}
	if el.IsEntityInList(userName) == false {
		return fmt.Errorf("Error: Can't add permission to entity '%v', it is not in the resource entity list", userName)
	}
	e, exist := a.Permissions[userName]
	if exist == false {
		e, _ = NewEntry(userName)
	}
	logger.Trace.Println("Add permission:", permission, "to:", userName)
	_, err = e.AddPermission(permission)
	a.Permissions[userName] = e
	return err
}
示例#9
0
// Return all the users that have the given permission to the given resource
func GetWhoUseAPermission(el *en.EntityManager, resourceName string, permission string) PermissionSet {
	if el == nil {
		return nil
	}
	err := en.IsEntityNameValid(resourceName)
	if err != nil {
		return nil
	}
	data, err := el.GetPropertyAttachedToEntity(resourceName, stc.AclPropertyName)
	if err != nil {
		return nil
	}
	p := make(PermissionSet)

	acl, ok := data.(*Acl)
	if ok == false {
		return p
	}
	for name, _ := range acl.Permissions {
		pVec, _ := GetUserPermissions(el, name, resourceName)
		for v, _ := range pVec {
			if string(v) == permission {
				p[name] = true
				break
			}
		}
	}
	for name, _ := range p {
		groupMembers := el.GetGroupUsers(name)
		for _, name1 := range groupMembers {
			p[name1] = true
		}
	}
	logger.Trace.Println("Who uses permission:", permission, "results:", p)
	return p
}
示例#10
0
// Verify that an entry is valid, that is it's not nil and its entry name is valid
func isValidEntry(entry *AclEntry) error {
	if entry == nil {
		return fmt.Errorf("Error: entry is nil")
	}
	return en.IsEntityNameValid(entry.EntityName)
}
示例#11
0
// Verify that an AclEntry is valid, that is it's not nil and its AclEntry name is valid
func isValidAclEntry(aclEntry *AclEntry) error {
	if aclEntry == nil {
		return fmt.Errorf("aclEntry is nil")
	}
	return en.IsEntityNameValid(aclEntry.EntityName)
}