grim/hgkeeper

access: Implement stubs
access-control
2019-05-04, Wagner Riffel
208e17128bb9
access: Implement stubs
--- a/access/access.go Sat May 04 04:17:51 2019 -0300
+++ b/access/access.go Sat May 04 04:19:05 2019 -0300
@@ -264,15 +264,44 @@
// CheckPermission checks if we're supposed to allow the given ssh key. If the
// key is not found error is returned. If it is found, the username it belongs
// to is returned.
-func CheckPermission(key ssh.PublicKey) (string, error) {
- // stubbed out for now
- return "hg", nil
+func (a *Access) CheckPermission(key ssh.PublicKey) (string, error) {
+ a.keysMu.RLock()
+ defer a.keysMu.RUnlock()
+ fp := ssh.FingerprintSHA256(key)
+ u, ok := a.keys[fp]
+ if !ok {
+ return "", fmt.Errorf("access: check permission: key %q permission denied", fp)
+ }
+ return u, nil
}
// GetPermissions will look up the given username and find the permissions that
-// the user has on the given path. It returns 3 bools for read, write, and
-// init respectively.
-func GetPermissions(username, path string) (bool, bool, bool) {
- // stubbed for now
- return true, false, false
+// the user has on the given path.
+func (a *Access) GetPermissions(username, path string) (read bool, write bool, init bool) {
+ a.usersMu.RLock()
+ defer a.usersMu.RUnlock()
+ patterns, ok := a.users[username]
+ if !ok {
+ return
+ }
+ for pattern, perm := range patterns {
+ // ignoring error because pattern was validated before
+ // its insertion in map
+ if ok, _ = filepath.Match(pattern, path); !ok {
+ continue
+ }
+
+ if perm.can(Read) {
+ read = true
+ }
+ if perm.can(Write) {
+ write = true
+ }
+ if perm.can(Init) {
+ init = true
+ }
+ return
+ }
+
+ return
}
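Review bot: GetPermissions returns on the first matching pattern, but `for pattern, perm := range patterns` walks a map, whose iteration order is randomized in Go, so when more than one pattern matches `path` (a broad `*` next to a narrower one, say) the bools returned can differ from one call to the next, and an access decision should not be nondeterministic. Either drop the `return` at the end of the loop body so the result is the union of every matching pattern, or collect the keys, `sort.Strings` them and document which match wins. The comment `// ignoring error because pattern was validated before its insertion in map` leans on an invariant enforced outside this hunk; naming the function that validates it would let a reader check that the same matcher is used on both sides. `filepath.Match` is also OS-dependent (separator, and escaping on Windows), so if the patterns describe slash-separated repository paths, `path.Match` behaves more predictably.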
--- a/ssh/server.go Sat May 04 04:17:51 2019 -0300
+++ b/ssh/server.go Sat May 04 04:19:05 2019 -0300
@@ -67,7 +67,7 @@
}
func (s *Server) publicKeyCallback(meta ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
- username, err := access.CheckPermission(key)
+ username, err := s.a.CheckPermission(key)
if err != nil {
return nil, err
}
@@ -121,7 +121,7 @@
username := serverConn.Permissions.Extensions["username"]
// now check permissions
- r, _, _ := access.GetPermissions(username, cmd.path)
+ r, _, _ := s.a.GetPermissions(username, cmd.path)
if !r {
log.Warnf("user %q does not have read access to %s", username, cmd.path)
req.Reply(false, nil)