dzming.li
A vibe coded tangled fork which supports pijul.
1package rbac
2
3import (
4 "database/sql"
5 "slices"
6 "strings"
7
8 adapter "github.com/Blank-Xu/sql-adapter"
9 "github.com/casbin/casbin/v2"
10 "github.com/casbin/casbin/v2/model"
11)
12
13const (
14 ThisServer = "thisserver" // resource identifier for local rbac enforcement
15)
16
17const (
18 Model = `
19[request_definition]
20r = sub, dom, obj, act
21
22[policy_definition]
23p = sub, dom, obj, act
24
25[role_definition]
26g = _, _, _
27
28[policy_effect]
29e = some(where (p.eft == allow))
30
31[matchers]
32m = r.act == p.act && r.dom == p.dom && r.obj == p.obj && g(r.sub, p.sub, r.dom)
33`
34)
35
36type Enforcer struct {
37 E *casbin.Enforcer
38}
39
40func NewEnforcer(path string) (*Enforcer, error) {
41 m, err := model.NewModelFromString(Model)
42 if err != nil {
43 return nil, err
44 }
45
46 db, err := sql.Open("sqlite3", path+"?_foreign_keys=1")
47 if err != nil {
48 return nil, err
49 }
50
51 a, err := adapter.NewAdapter(db, "sqlite3", "acl")
52 if err != nil {
53 return nil, err
54 }
55
56 e, err := casbin.NewEnforcer(m, a)
57 if err != nil {
58 return nil, err
59 }
60
61 e.EnableAutoSave(false)
62
63 return &Enforcer{e}, nil
64}
65
66func (e *Enforcer) AddKnot(knot string) error {
67 // Add policies with patterns
68 _, err := e.E.AddPolicies([][]string{
69 {"server:owner", knot, knot, "server:invite"},
70 {"server:member", knot, knot, "repo:create"},
71 })
72 if err != nil {
73 return err
74 }
75
76 // all owners are also members
77 _, err = e.E.AddGroupingPolicy("server:owner", "server:member", knot)
78 return err
79}
80
81func (e *Enforcer) AddSpindle(spindle string) error {
82 // the internal repr for spindles is spindle:foo.com
83 spindle = intoSpindle(spindle)
84
85 _, err := e.E.AddPolicies([][]string{
86 {"server:owner", spindle, spindle, "server:invite"},
87 })
88 if err != nil {
89 return err
90 }
91
92 // all owners are also members
93 _, err = e.E.AddGroupingPolicy("server:owner", "server:member", spindle)
94 return err
95}
96
97func (e *Enforcer) RemoveSpindle(spindle string) error {
98 spindle = intoSpindle(spindle)
99 _, err := e.E.DeleteDomains(spindle)
100 return err
101}
102
103func (e *Enforcer) RemoveKnot(knot string) error {
104 _, err := e.E.DeleteDomains(knot)
105 return err
106}
107
108func (e *Enforcer) GetKnotsForUser(did string) ([]string, error) {
109 keepFunc := isNotSpindle
110 stripFunc := unSpindle
111 return e.getDomainsForUser(did, keepFunc, stripFunc)
112}
113
114func (e *Enforcer) GetSpindlesForUser(did string) ([]string, error) {
115 keepFunc := isSpindle
116 stripFunc := unSpindle
117 return e.getDomainsForUser(did, keepFunc, stripFunc)
118}
119
120func (e *Enforcer) AddKnotOwner(domain, owner string) error {
121 return e.addOwner(domain, owner)
122}
123
124func (e *Enforcer) RemoveKnotOwner(domain, owner string) error {
125 return e.removeOwner(domain, owner)
126}
127
128func (e *Enforcer) AddKnotMember(domain, member string) error {
129 return e.addMember(domain, member)
130}
131
132func (e *Enforcer) RemoveKnotMember(domain, member string) error {
133 return e.removeMember(domain, member)
134}
135
136func (e *Enforcer) AddSpindleOwner(domain, owner string) error {
137 return e.addOwner(intoSpindle(domain), owner)
138}
139
140func (e *Enforcer) RemoveSpindleOwner(domain, owner string) error {
141 return e.removeOwner(intoSpindle(domain), owner)
142}
143
144func (e *Enforcer) AddSpindleMember(domain, member string) error {
145 return e.addMember(intoSpindle(domain), member)
146}
147
148func (e *Enforcer) RemoveSpindleMember(domain, member string) error {
149 return e.removeMember(intoSpindle(domain), member)
150}
151
152func repoPolicies(member, domain, repo string) [][]string {
153 return [][]string{
154 {member, domain, repo, "repo:settings"},
155 {member, domain, repo, "repo:push"},
156 {member, domain, repo, "repo:owner"},
157 {member, domain, repo, "repo:invite"},
158 {member, domain, repo, "repo:delete"},
159 {member, domain, repo, RepoCreateDiscussion},
160 {member, domain, repo, RepoEditDiscussion},
161 {member, domain, repo, RepoTagDiscussion},
162 {"server:owner", domain, repo, "repo:delete"}, // server owner can delete any repo
163 }
164}
165func (e *Enforcer) AddRepo(member, domain, repo string) error {
166 err := checkRepoFormat(repo)
167 if err != nil {
168 return err
169 }
170
171 _, err = e.E.AddPolicies(repoPolicies(member, domain, repo))
172 return err
173}
174func (e *Enforcer) RemoveRepo(member, domain, repo string) error {
175 err := checkRepoFormat(repo)
176 if err != nil {
177 return err
178 }
179
180 _, err = e.E.RemovePolicies(repoPolicies(member, domain, repo))
181 return err
182}
183
184var (
185 collaboratorPolicies = func(collaborator, domain, repo string) [][]string {
186 return [][]string{
187 {collaborator, domain, repo, "repo:collaborator"},
188 {collaborator, domain, repo, "repo:settings"},
189 {collaborator, domain, repo, "repo:push"},
190 {collaborator, domain, repo, RepoCreateDiscussion},
191 {collaborator, domain, repo, RepoEditDiscussion},
192 {collaborator, domain, repo, RepoTagDiscussion},
193 }
194 }
195)
196
197func (e *Enforcer) AddCollaborator(collaborator, domain, repo string) error {
198 err := checkRepoFormat(repo)
199 if err != nil {
200 return err
201 }
202
203 _, err = e.E.AddPolicies(collaboratorPolicies(collaborator, domain, repo))
204 return err
205}
206
207func (e *Enforcer) RemoveCollaborator(collaborator, domain, repo string) error {
208 err := checkRepoFormat(repo)
209 if err != nil {
210 return err
211 }
212
213 _, err = e.E.RemovePolicies(collaboratorPolicies(collaborator, domain, repo))
214 return err
215}
216
217func (e *Enforcer) GetUserByRole(role, domain string) ([]string, error) {
218 var membersWithoutRoles []string
219
220 // this includes roles too, casbin does not differentiate.
221 // the filtering criteria is to remove strings not starting with `did:`
222 members, err := e.E.GetImplicitUsersForRole(role, domain)
223 for _, m := range members {
224 if strings.HasPrefix(m, "did:") {
225 membersWithoutRoles = append(membersWithoutRoles, m)
226 }
227 }
228 if err != nil {
229 return nil, err
230 }
231
232 slices.Sort(membersWithoutRoles)
233 return slices.Compact(membersWithoutRoles), nil
234}
235
236func (e *Enforcer) GetKnotUsersByRole(role, domain string) ([]string, error) {
237 return e.GetUserByRole(role, domain)
238}
239
240func (e *Enforcer) GetSpindleUsersByRole(role, domain string) ([]string, error) {
241 return e.GetUserByRole(role, intoSpindle(domain))
242}
243
244func (e *Enforcer) GetUserByRoleInRepo(role, domain, repo string) ([]string, error) {
245 var users []string
246
247 policies, err := e.E.GetImplicitUsersForResourceByDomain(repo, domain)
248 for _, p := range policies {
249 user := p[0]
250 if strings.HasPrefix(user, "did:") {
251 users = append(users, user)
252 }
253 }
254 if err != nil {
255 return nil, err
256 }
257
258 slices.Sort(users)
259 return slices.Compact(users), nil
260}
261
262func (e *Enforcer) IsKnotOwner(user, domain string) (bool, error) {
263 return e.isRole(user, "server:owner", domain)
264}
265
266func (e *Enforcer) IsKnotMember(user, domain string) (bool, error) {
267 return e.isRole(user, "server:member", domain)
268}
269
270func (e *Enforcer) IsSpindleOwner(user, domain string) (bool, error) {
271 return e.isRole(user, "server:owner", intoSpindle(domain))
272}
273
274func (e *Enforcer) IsSpindleMember(user, domain string) (bool, error) {
275 return e.isRole(user, "server:member", intoSpindle(domain))
276}
277
278func (e *Enforcer) IsKnotInviteAllowed(user, domain string) (bool, error) {
279 return e.isInviteAllowed(user, domain)
280}
281
282func (e *Enforcer) IsSpindleInviteAllowed(user, domain string) (bool, error) {
283 return e.isInviteAllowed(user, intoSpindle(domain))
284}
285
286func (e *Enforcer) IsRepoCreateAllowed(user, domain string) (bool, error) {
287 return e.E.Enforce(user, domain, domain, "repo:create")
288}
289
290func (e *Enforcer) IsRepoDeleteAllowed(user, domain, repo string) (bool, error) {
291 return e.E.Enforce(user, domain, repo, "repo:delete")
292}
293
294func (e *Enforcer) IsRepoOwner(user, domain, repo string) (bool, error) {
295 return e.E.Enforce(user, domain, repo, "repo:owner")
296}
297
298func (e *Enforcer) IsRepoCollaborator(user, domain, repo string) (bool, error) {
299 return e.E.Enforce(user, domain, repo, "repo:collaborator")
300}
301
302func (e *Enforcer) IsPushAllowed(user, domain, repo string) (bool, error) {
303 return e.E.Enforce(user, domain, repo, "repo:push")
304}
305
306func (e *Enforcer) IsSettingsAllowed(user, domain, repo string) (bool, error) {
307 return e.E.Enforce(user, domain, repo, "repo:settings")
308}
309
310func (e *Enforcer) IsCollaboratorInviteAllowed(user, domain, repo string) (bool, error) {
311 return e.E.Enforce(user, domain, repo, "repo:invite")
312}
313
314// given a repo, what permissions does this user have? repo:owner? repo:invite? etc.
315func (e *Enforcer) GetPermissionsInRepo(user, domain, repo string) []string {
316 var permissions []string
317 res := e.E.GetPermissionsForUserInDomain(user, domain)
318 for _, p := range res {
319 // get only permissions for this resource/repo
320 if p[2] == repo {
321 permissions = append(permissions, p[3])
322 }
323 }
324
325 return permissions
326}