HGKeeper

package access

import (

"io/ioutil"

"os"

"path/filepath"

"sync"

log "github.com/sirupsen/logrus"

)

const (

modelFilename = "model.conf"

policyFilename = "policy.csv"

)

var (

accessLock sync.Mutex

reposPath string

adminRepoPath string

adminRepoName string

hgwebConfigPath string

)

func Setup(repositoriesPath, adminRepo string) error {

reposPath = repositoriesPath

adminRepoName = adminRepo

adminRepoPath = filepath.Join(reposPath, adminRepo)

configPath, err := ioutil.TempFile("", "hgkeeper-hgweb-*.config")

if err != nil {

return err

}

configPath.Close()

hgwebConfigPath = configPath.Name()

return Refresh()

}

func Teardown() {

if err := os.Remove(hgwebConfigPath); err != nil {

log.Warnf(

"failed to remove temporary hgweb config from %q",

hgwebConfigPath,

)

}

func AdminRepo() string {

return adminRepoName

}

func AdminRepoPath() string {

return adminRepoPath

}

func HgwebConfigPath() string {

return hgwebConfigPath

}

// Refresh will try to reload the casbin model and policies followed by SSH

// keys. If there is an error it's possible that the casbin model and polcies

// could have been updated but the ssh keys were not.

func Refresh() error {

accessLock.Lock()

defer accessLock.Unlock()

if err := refreshEnforcer(adminRepoPath); err != nil {

return err

}

if err := refreshKeys(adminRepoPath); err != nil {

return err

}

if err := refreshHgWeb(reposPath, adminRepoPath); err != nil {

return err

}

return nil

}

func check(user, repo, action string) bool {

r, err := enforcer.Enforce(user, repo, action)

if err != nil {

log.Errorf(

"failed to authenticate (%q, %q, %q): %v",

user,

repo,

action,

err,

)

return false

}

return r

}

func CanRead(user, repo string) bool {

return check(user, repo, "read")

}

func CanWrite(user, repo string) bool {

return check(user, repo, "write")

}

func CanInit(user, repo string) bool {

return check(user, repo, "init")

}

grim/hgkeeper