grim/hgkeeper
Clone
Summary
Browse
Changes
Graph
Use Go 1.22 and update dependencies
default
tip
2 months ago, aklitzing
f33f223bc8fe
Use Go 1.22 and update dependencies
Reviewed at https://reviews.imfreedom.org/r/2949/
package
access
import
(
"os"
"path/filepath"
"strings"
"sync"
"go.uber.org/zap"
)
const
(
modelFilename
=
"model.conf"
policyFilename
=
"policy.csv"
)
var
(
accessLock
sync
.
Mutex
reposPath
string
adminRepoPath
string
adminRepoName
string
hgwebConfigPath
string
repositories
map
[
string
]
string
)
func
Setup
(
repositoriesPath
,
adminRepo
,
ldapConfig
string
)
error
{
reposPath
=
repositoriesPath
adminRepoName
=
adminRepo
adminRepoPath
=
filepath
.
Join
(
reposPath
,
adminRepo
)
if
err
:=
refreshLdapConfig
(
ldapConfig
);
err
!=
nil
{
zap
.
S
().
Error
(
"cannot load ldap config"
)
return
err
}
configPath
,
err
:=
os
.
CreateTemp
(
""
,
"hgkeeper-hgweb-access-*.config"
)
if
err
!=
nil
{
return
err
}
configPath
.
Close
()
hgwebConfigPath
=
configPath
.
Name
()
return
Refresh
()
}
func
Teardown
()
{
if
err
:=
os
.
Remove
(
hgwebConfigPath
);
err
!=
nil
{
zap
.
S
().
Warnf
(
"failed to remove temporary hgweb config from %q"
,
hgwebConfigPath
,
)
}
}
func
AdminRepo
()
string
{
return
adminRepoName
}
func
AdminRepoPath
()
string
{
return
adminRepoPath
}
func
HgwebConfigPath
()
string
{
return
hgwebConfigPath
}
func
ReposPath
()
string
{
return
reposPath
}
// Refresh will try to reload the casbin model and policies followed by SSH
// keys. If there is an error it's possible that the casbin model and polcies
// could have been updated but the ssh keys were not.
func
Refresh
()
error
{
accessLock
.
Lock
()
defer
accessLock
.
Unlock
()
if
err
:=
refreshEnforcer
();
err
!=
nil
{
return
err
}
if
err
:=
refreshKeys
();
err
!=
nil
{
return
err
}
if
err
:=
refreshRepositories
();
err
!=
nil
{
return
err
}
if
err
:=
refreshHgWeb
();
err
!=
nil
{
return
err
}
return
nil
}
func
check
(
user
,
repo
,
action
string
)
bool
{
// Normalize the repo to remove all trailing /'s and \'s.
repo
=
strings
.
TrimRight
(
repo
,
"\\/"
)
if
repo
==
""
{
return
false
}
r
,
err
:=
enforcer
.
Enforce
(
user
,
repo
,
action
)
if
err
!=
nil
{
zap
.
S
().
Errorf
(
"failed to authenticate (%q, %q, %q): %v"
,
user
,
repo
,
action
,
err
,
)
r
=
false
}
zap
.
S
().
Debugf
(
"permission requested (%q, %q, %q): %v"
,
user
,
repo
,
action
,
r
)
return
r
}
func
CanRead
(
user
,
repo
string
)
bool
{
return
check
(
user
,
repo
,
"read"
)
}
func
CanWrite
(
user
,
repo
string
)
bool
{
return
check
(
user
,
repo
,
"write"
)
}
func
CanInit
(
user
,
repo
string
)
bool
{
return
check
(
user
,
repo
,
"init"
)
}
func
CanRemove
(
user
,
repo
string
)
bool
{
return
check
(
user
,
repo
,
"remove"
)
}
