Home Explore Help
Register Sign In
publics
/
etcd-io__etcd
0
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 1dc0e664f0
Branches Tags
etcd-io__etcd
/
etcdserver
/
auth
/
auth.go

auth.go 17 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669 
  1. // Copyright 2015 CoreOS, Inc.
    2. 

  2. //
    3. 

  3. // Licensed under the Apache License, Version 2.0 (the "License");
    4. 

  4. // you may not use this file except in compliance with the License.
    5. 

  5. // You may obtain a copy of the License at
    6. 

  6. //
    7. 

  7. //     http://www.apache.org/licenses/LICENSE-2.0
    8. 

  8. //
    9. 

  9. // Unless required by applicable law or agreed to in writing, software
    10. 

  10. // distributed under the License is distributed on an "AS IS" BASIS,
    11. 

  11. // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12. 

  12. // See the License for the specific language governing permissions and
    13. 

  13. // limitations under the License.
    14. 

  14. 

  15. // Package auth implements etcd authentication.
    16. 

  16. package auth
    17. 

  17. 

  18. import (
    19. 

  19. 	"encoding/json"
    20. 

  20. 	"fmt"
    21. 

  21. 	"net/http"
    22. 

  22. 	"path"
    23. 

  23. 	"reflect"
    24. 

  24. 	"sort"
    25. 

  25. 	"strings"
    26. 

  26. 	"sync"
    27. 

  27. 	"time"
    28. 

  28. 

  29. 	"github.com/coreos/etcd/Godeps/_workspace/src/github.com/coreos/pkg/capnslog"
    30. 

  30. 	"github.com/coreos/etcd/Godeps/_workspace/src/golang.org/x/crypto/bcrypt"
    31. 

  31. 	"github.com/coreos/etcd/Godeps/_workspace/src/golang.org/x/net/context"
    32. 

  32. 	etcderr "github.com/coreos/etcd/error"
    33. 

  33. 	"github.com/coreos/etcd/etcdserver"
    34. 

  34. 	"github.com/coreos/etcd/etcdserver/etcdserverpb"
    35. 

  35. 	"github.com/coreos/etcd/pkg/types"
    36. 

  36. )
    37. 

  37. 

  38. const (
    39. 

  39. 	// StorePermsPrefix is the internal prefix of the storage layer dedicated to storing user data.
    40. 

  40. 	StorePermsPrefix = "/2"
    41. 

  41. 

  42. 	// RootRoleName is the name of the ROOT role, with privileges to manage the cluster.
    43. 

  43. 	RootRoleName = "root"
    44. 

  44. 

  45. 	// GuestRoleName is the name of the role that defines the privileges of an unauthenticated user.
    46. 

  46. 	GuestRoleName = "guest"
    47. 

  47. )
    48. 

  48. 

  49. var (
    50. 

  50. 	plog = capnslog.NewPackageLogger("github.com/coreos/etcd/etcdserver", "auth")
    51. 

  51. )
    52. 

  52. 

  53. var rootRole = Role{
    54. 

  54. 	Role: RootRoleName,
    55. 

  55. 	Permissions: Permissions{
    56. 

  56. 		KV: RWPermission{
    57. 

  57. 			Read:  []string{"/*"},
    58. 

  58. 			Write: []string{"/*"},
    59. 

  59. 		},
    60. 

  60. 	},
    61. 

  61. }
    62. 

  62. 

  63. var guestRole = Role{
    64. 

  64. 	Role: GuestRoleName,
    65. 

  65. 	Permissions: Permissions{
    66. 

  66. 		KV: RWPermission{
    67. 

  67. 			Read:  []string{"/*"},
    68. 

  68. 			Write: []string{"/*"},
    69. 

  69. 		},
    70. 

  70. 	},
    71. 

  71. }
    72. 

  72. 

  73. type doer interface {
    74. 

  74. 	Do(context.Context, etcdserverpb.Request) (etcdserver.Response, error)
    75. 

  75. }
    76. 

  76. 

  77. type Store interface {
    78. 

  78. 	AllUsers() ([]string, error)
    79. 

  79. 	GetUser(name string) (User, error)
    80. 

  80. 	CreateOrUpdateUser(user User) (out User, created bool, err error)
    81. 

  81. 	CreateUser(user User) (User, error)
    82. 

  82. 	DeleteUser(name string) error
    83. 

  83. 	UpdateUser(user User) (User, error)
    84. 

  84. 	AllRoles() ([]string, error)
    85. 

  85. 	GetRole(name string) (Role, error)
    86. 

  86. 	CreateRole(role Role) error
    87. 

  87. 	DeleteRole(name string) error
    88. 

  88. 	UpdateRole(role Role) (Role, error)
    89. 

  89. 	AuthEnabled() bool
    90. 

  90. 	EnableAuth() error
    91. 

  91. 	DisableAuth() error
    92. 

  92. 	PasswordStore
    93. 

  93. }
    94. 

  94. 

  95. type PasswordStore interface {
    96. 

  96. 	CheckPassword(user User, password string) bool
    97. 

  97. 	HashPassword(password string) (string, error)
    98. 

  98. }
    99. 

  99. 

  100. type store struct {
    101. 

  101. 	server      doer
    102. 

  102. 	timeout     time.Duration
    103. 

  103. 	ensuredOnce bool
    104. 

  104. 

  105. 	mu      sync.Mutex // protect enabled
    106. 

  106. 	enabled *bool
    107. 

  107. 

  108. 	PasswordStore
    109. 

  109. }
    110. 

  110. 

  111. type User struct {
    112. 

  112. 	User     string   `json:"user"`
    113. 

  113. 	Password string   `json:"password,omitempty"`
    114. 

  114. 	Roles    []string `json:"roles"`
    115. 

  115. 	Grant    []string `json:"grant,omitempty"`
    116. 

  116. 	Revoke   []string `json:"revoke,omitempty"`
    117. 

  117. }
    118. 

  118. 

  119. type Role struct {
    120. 

  120. 	Role        string       `json:"role"`
    121. 

  121. 	Permissions Permissions  `json:"permissions"`
    122. 

  122. 	Grant       *Permissions `json:"grant,omitempty"`
    123. 

  123. 	Revoke      *Permissions `json:"revoke,omitempty"`
    124. 

  124. }
    125. 

  125. 

  126. type Permissions struct {
    127. 

  127. 	KV RWPermission `json:"kv"`
    128. 

  128. }
    129. 

  129. 

  130. func (p *Permissions) IsEmpty() bool {
    131. 

  131. 	return p == nil || (len(p.KV.Read) == 0 && len(p.KV.Write) == 0)
    132. 

  132. }
    133. 

  133. 

  134. type RWPermission struct {
    135. 

  135. 	Read  []string `json:"read"`
    136. 

  136. 	Write []string `json:"write"`
    137. 

  137. }
    138. 

  138. 

  139. type Error struct {
    140. 

  140. 	Status int
    141. 

  141. 	Errmsg string
    142. 

  142. }
    143. 

  143. 

  144. func (ae Error) Error() string   { return ae.Errmsg }
    145. 

  145. func (ae Error) HTTPStatus() int { return ae.Status }
    146. 

  146. 

  147. func authErr(hs int, s string, v ...interface{}) Error {
    148. 

  148. 	return Error{Status: hs, Errmsg: fmt.Sprintf("auth: "+s, v...)}
    149. 

  149. }
    150. 

  150. 

  151. func NewStore(server doer, timeout time.Duration) Store {
    152. 

  152. 	s := &store{
    153. 

  153. 		server:        server,
    154. 

  154. 		timeout:       timeout,
    155. 

  155. 		PasswordStore: passwordStore{},
    156. 

  156. 	}
    157. 

  157. 	return s
    158. 

  158. }
    159. 

  159. 

  160. // passwordStore implements PasswordStore using bcrypt to hash user passwords
    161. 

  161. type passwordStore struct{}
    162. 

  162. 

  163. func (_ passwordStore) CheckPassword(user User, password string) bool {
    164. 

  164. 	err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password))
    165. 

  165. 	return err == nil
    166. 

  166. }
    167. 

  167. 

  168. func (_ passwordStore) HashPassword(password string) (string, error) {
    169. 

  169. 	hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
    170. 

  170. 	return string(hash), err
    171. 

  171. }
    172. 

  172. 

  173. func (s *store) AllUsers() ([]string, error) {
    174. 

  174. 	resp, err := s.requestResource("/users/", false)
    175. 

  175. 	if err != nil {
    176. 

  176. 		if e, ok := err.(*etcderr.Error); ok {
    177. 

  177. 			if e.ErrorCode == etcderr.EcodeKeyNotFound {
    178. 

  178. 				return []string{}, nil
    179. 

  179. 			}
    180. 

  180. 		}
    181. 

  181. 		return nil, err
    182. 

  182. 	}
    183. 

  183. 	var nodes []string
    184. 

  184. 	for _, n := range resp.Event.Node.Nodes {
    185. 

  185. 		_, user := path.Split(n.Key)
    186. 

  186. 		nodes = append(nodes, user)
    187. 

  187. 	}
    188. 

  188. 	sort.Strings(nodes)
    189. 

  189. 	return nodes, nil
    190. 

  190. }
    191. 

  191. 

  192. func (s *store) GetUser(name string) (User, error) {
    193. 

  193. 	resp, err := s.requestResource("/users/"+name, false)
    194. 

  194. 	if err != nil {
    195. 

  195. 		if e, ok := err.(*etcderr.Error); ok {
    196. 

  196. 			if e.ErrorCode == etcderr.EcodeKeyNotFound {
    197. 

  197. 				return User{}, authErr(http.StatusNotFound, "User %s does not exist.", name)
    198. 

  198. 			}
    199. 

  199. 		}
    200. 

  200. 		return User{}, err
    201. 

  201. 	}
    202. 

  202. 	var u User
    203. 

  203. 	err = json.Unmarshal([]byte(*resp.Event.Node.Value), &u)
    204. 

  204. 	if err != nil {
    205. 

  205. 		return u, err
    206. 

  206. 	}
    207. 

  207. 	// Attach root role to root user.
    208. 

  208. 	if u.User == "root" {
    209. 

  209. 		u = attachRootRole(u)
    210. 

  210. 	}
    211. 

  211. 	return u, nil
    212. 

  212. }
    213. 

  213. 

  214. // CreateOrUpdateUser should be only used for creating the new user or when you are not
    215. 

  215. // sure if it is a create or update. (When only password is passed in, we are not sure
    216. 

  216. // if it is a update or create)
    217. 

  217. func (s *store) CreateOrUpdateUser(user User) (out User, created bool, err error) {
    218. 

  218. 	_, err = s.GetUser(user.User)
    219. 

  219. 	if err == nil {
    220. 

  220. 		out, err = s.UpdateUser(user)
    221. 

  221. 		return out, false, err
    222. 

  222. 	}
    223. 

  223. 	u, err := s.CreateUser(user)
    224. 

  224. 	return u, true, err
    225. 

  225. }
    226. 

  226. 

  227. func (s *store) CreateUser(user User) (User, error) {
    228. 

  228. 	// Attach root role to root user.
    229. 

  229. 	if user.User == "root" {
    230. 

  230. 		user = attachRootRole(user)
    231. 

  231. 	}
    232. 

  232. 	u, err := s.createUserInternal(user)
    233. 

  233. 	if err == nil {
    234. 

  234. 		plog.Noticef("created user %s", user.User)
    235. 

  235. 	}
    236. 

  236. 	return u, err
    237. 

  237. }
    238. 

  238. 

  239. func (s *store) createUserInternal(user User) (User, error) {
    240. 

  240. 	if user.Password == "" {
    241. 

  241. 		return user, authErr(http.StatusBadRequest, "Cannot create user %s with an empty password", user.User)
    242. 

  242. 	}
    243. 

  243. 	hash, err := s.HashPassword(user.Password)
    244. 

  244. 	if err != nil {
    245. 

  245. 		return user, err
    246. 

  246. 	}
    247. 

  247. 	user.Password = hash
    248. 

  248. 

  249. 	_, err = s.createResource("/users/"+user.User, user)
    250. 

  250. 	if err != nil {
    251. 

  251. 		if e, ok := err.(*etcderr.Error); ok {
    252. 

  252. 			if e.ErrorCode == etcderr.EcodeNodeExist {
    253. 

  253. 				return user, authErr(http.StatusConflict, "User %s already exists.", user.User)
    254. 

  254. 			}
    255. 

  255. 		}
    256. 

  256. 	}
    257. 

  257. 	return user, err
    258. 

  258. }
    259. 

  259. 

  260. func (s *store) DeleteUser(name string) error {
    261. 

  261. 	if s.AuthEnabled() && name == "root" {
    262. 

  262. 		return authErr(http.StatusForbidden, "Cannot delete root user while auth is enabled.")
    263. 

  263. 	}
    264. 

  264. 	_, err := s.deleteResource("/users/" + name)
    265. 

  265. 	if err != nil {
    266. 

  266. 		if e, ok := err.(*etcderr.Error); ok {
    267. 

  267. 			if e.ErrorCode == etcderr.EcodeKeyNotFound {
    268. 

  268. 				return authErr(http.StatusNotFound, "User %s does not exist", name)
    269. 

  269. 			}
    270. 

  270. 		}
    271. 

  271. 		return err
    272. 

  272. 	}
    273. 

  273. 	plog.Noticef("deleted user %s", name)
    274. 

  274. 	return nil
    275. 

  275. }
    276. 

  276. 

  277. func (s *store) UpdateUser(user User) (User, error) {
    278. 

  278. 	old, err := s.GetUser(user.User)
    279. 

  279. 	if err != nil {
    280. 

  280. 		if e, ok := err.(*etcderr.Error); ok {
    281. 

  281. 			if e.ErrorCode == etcderr.EcodeKeyNotFound {
    282. 

  282. 				return user, authErr(http.StatusNotFound, "User %s doesn't exist.", user.User)
    283. 

  283. 			}
    284. 

  284. 		}
    285. 

  285. 		return old, err
    286. 

  286. 	}
    287. 

  287. 

  288. 	hash, err := s.HashPassword(user.Password)
    289. 

  289. 	if err != nil {
    290. 

  290. 		return old, err
    291. 

  291. 	}
    292. 

  292. 	user.Password = hash
    293. 

  293. 

  294. 	newUser, err := old.merge(user)
    295. 

  295. 	if err != nil {
    296. 

  296. 		return old, err
    297. 

  297. 	}
    298. 

  298. 	if reflect.DeepEqual(old, newUser) {
    299. 

  299. 		return old, authErr(http.StatusBadRequest, "User not updated. Use grant/revoke/password to update the user.")
    300. 

  300. 	}
    301. 

  301. 	_, err = s.updateResource("/users/"+user.User, newUser)
    302. 

  302. 	if err == nil {
    303. 

  303. 		plog.Noticef("updated user %s", user.User)
    304. 

  304. 	}
    305. 

  305. 	return newUser, err
    306. 

  306. }
    307. 

  307. 

  308. func (s *store) AllRoles() ([]string, error) {
    309. 

  309. 	nodes := []string{RootRoleName}
    310. 

  310. 	resp, err := s.requestResource("/roles/", false)
    311. 

  311. 	if err != nil {
    312. 

  312. 		if e, ok := err.(*etcderr.Error); ok {
    313. 

  313. 			if e.ErrorCode == etcderr.EcodeKeyNotFound {
    314. 

  314. 				return nodes, nil
    315. 

  315. 			}
    316. 

  316. 		}
    317. 

  317. 		return nil, err
    318. 

  318. 	}
    319. 

  319. 	for _, n := range resp.Event.Node.Nodes {
    320. 

  320. 		_, role := path.Split(n.Key)
    321. 

  321. 		nodes = append(nodes, role)
    322. 

  322. 	}
    323. 

  323. 	sort.Strings(nodes)
    324. 

  324. 	return nodes, nil
    325. 

  325. }
    326. 

  326. 

  327. func (s *store) GetRole(name string) (Role, error) {
    328. 

  328. 	if name == RootRoleName {
    329. 

  329. 		return rootRole, nil
    330. 

  330. 	}
    331. 

  331. 	resp, err := s.requestResource("/roles/"+name, false)
    332. 

  332. 	if err != nil {
    333. 

  333. 		if e, ok := err.(*etcderr.Error); ok {
    334. 

  334. 			if e.ErrorCode == etcderr.EcodeKeyNotFound {
    335. 

  335. 				return Role{}, authErr(http.StatusNotFound, "Role %s does not exist.", name)
    336. 

  336. 			}
    337. 

  337. 		}
    338. 

  338. 		return Role{}, err
    339. 

  339. 	}
    340. 

  340. 	var r Role
    341. 

  341. 	err = json.Unmarshal([]byte(*resp.Event.Node.Value), &r)
    342. 

  342. 	if err != nil {
    343. 

  343. 		return r, err
    344. 

  344. 	}
    345. 

  345. 

  346. 	return r, nil
    347. 

  347. }
    348. 

  348. 

  349. func (s *store) CreateRole(role Role) error {
    350. 

  350. 	if role.Role == RootRoleName {
    351. 

  351. 		return authErr(http.StatusForbidden, "Cannot modify role %s: is root role.", role.Role)
    352. 

  352. 	}
    353. 

  353. 	_, err := s.createResource("/roles/"+role.Role, role)
    354. 

  354. 	if err != nil {
    355. 

  355. 		if e, ok := err.(*etcderr.Error); ok {
    356. 

  356. 			if e.ErrorCode == etcderr.EcodeNodeExist {
    357. 

  357. 				return authErr(http.StatusConflict, "Role %s already exists.", role.Role)
    358. 

  358. 			}
    359. 

  359. 		}
    360. 

  360. 	}
    361. 

  361. 	if err == nil {
    362. 

  362. 		plog.Noticef("created new role %s", role.Role)
    363. 

  363. 	}
    364. 

  364. 	return err
    365. 

  365. }
    366. 

  366. 

  367. func (s *store) DeleteRole(name string) error {
    368. 

  368. 	if name == RootRoleName {
    369. 

  369. 		return authErr(http.StatusForbidden, "Cannot modify role %s: is root role.", name)
    370. 

  370. 	}
    371. 

  371. 	_, err := s.deleteResource("/roles/" + name)
    372. 

  372. 	if err != nil {
    373. 

  373. 		if e, ok := err.(*etcderr.Error); ok {
    374. 

  374. 			if e.ErrorCode == etcderr.EcodeKeyNotFound {
    375. 

  375. 				return authErr(http.StatusNotFound, "Role %s doesn't exist.", name)
    376. 

  376. 			}
    377. 

  377. 		}
    378. 

  378. 	}
    379. 

  379. 	if err == nil {
    380. 

  380. 		plog.Noticef("deleted role %s", name)
    381. 

  381. 	}
    382. 

  382. 	return err
    383. 

  383. }
    384. 

  384. 

  385. func (s *store) UpdateRole(role Role) (Role, error) {
    386. 

  386. 	if role.Role == RootRoleName {
    387. 

  387. 		return Role{}, authErr(http.StatusForbidden, "Cannot modify role %s: is root role.", role.Role)
    388. 

  388. 	}
    389. 

  389. 	old, err := s.GetRole(role.Role)
    390. 

  390. 	if err != nil {
    391. 

  391. 		if e, ok := err.(*etcderr.Error); ok {
    392. 

  392. 			if e.ErrorCode == etcderr.EcodeKeyNotFound {
    393. 

  393. 				return role, authErr(http.StatusNotFound, "Role %s doesn't exist.", role.Role)
    394. 

  394. 			}
    395. 

  395. 		}
    396. 

  396. 		return old, err
    397. 

  397. 	}
    398. 

  398. 	newRole, err := old.merge(role)
    399. 

  399. 	if err != nil {
    400. 

  400. 		return old, err
    401. 

  401. 	}
    402. 

  402. 	if reflect.DeepEqual(old, newRole) {
    403. 

  403. 		return old, authErr(http.StatusBadRequest, "Role not updated. Use grant/revoke to update the role.")
    404. 

  404. 	}
    405. 

  405. 	_, err = s.updateResource("/roles/"+role.Role, newRole)
    406. 

  406. 	if err == nil {
    407. 

  407. 		plog.Noticef("updated role %s", role.Role)
    408. 

  408. 	}
    409. 

  409. 	return newRole, err
    410. 

  410. }
    411. 

  411. 

  412. func (s *store) AuthEnabled() bool {
    413. 

  413. 	s.mu.Lock()
    414. 

  414. 	defer s.mu.Unlock()
    415. 

  415. 

  416. 	return s.detectAuth()
    417. 

  417. }
    418. 

  418. 

  419. func (s *store) EnableAuth() error {
    420. 

  420. 	if s.AuthEnabled() {
    421. 

  421. 		return authErr(http.StatusConflict, "already enabled")
    422. 

  422. 	}
    423. 

  423. 

  424. 	s.mu.Lock()
    425. 

  425. 	defer s.mu.Unlock()
    426. 

  426. 

  427. 	if _, err := s.GetUser("root"); err != nil {
    428. 

  428. 		return authErr(http.StatusConflict, "No root user available, please create one")
    429. 

  429. 	}
    430. 

  430. 	if _, err := s.GetRole(GuestRoleName); err != nil {
    431. 

  431. 		plog.Printf("no guest role access found, creating default")
    432. 

  432. 		if err := s.CreateRole(guestRole); err != nil {
    433. 

  433. 			plog.Errorf("error creating guest role. aborting auth enable.")
    434. 

  434. 			return err
    435. 

  435. 		}
    436. 

  436. 	}
    437. 

  437. 

  438. 	if err := s.enableAuth(); err != nil {
    439. 

  439. 		plog.Errorf("error enabling auth (%v)", err)
    440. 

  440. 		return err
    441. 

  441. 	}
    442. 

  442. 

  443. 	b := true
    444. 

  444. 	s.enabled = &b
    445. 

  445. 	plog.Noticef("auth: enabled auth")
    446. 

  446. 	return nil
    447. 

  447. }
    448. 

  448. 

  449. func (s *store) DisableAuth() error {
    450. 

  450. 	if !s.AuthEnabled() {
    451. 

  451. 		return authErr(http.StatusConflict, "already disabled")
    452. 

  452. 	}
    453. 

  453. 

  454. 	s.mu.Lock()
    455. 

  455. 	defer s.mu.Unlock()
    456. 

  456. 

  457. 	err := s.disableAuth()
    458. 

  458. 	if err == nil {
    459. 

  459. 		b := false
    460. 

  460. 		s.enabled = &b
    461. 

  461. 		plog.Noticef("auth: disabled auth")
    462. 

  462. 	} else {
    463. 

  463. 		plog.Errorf("error disabling auth (%v)", err)
    464. 

  464. 	}
    465. 

  465. 	return err
    466. 

  466. }
    467. 

  467. 

  468. // merge applies the properties of the passed-in User to the User on which it
    469. 

  469. // is called and returns a new User with these modifications applied. Think of
    470. 

  470. // all Users as immutable sets of data. Merge allows you to perform the set
    471. 

  471. // operations (desired grants and revokes) atomically
    472. 

  472. func (u User) merge(n User) (User, error) {
    473. 

  473. 	var out User
    474. 

  474. 	if u.User != n.User {
    475. 

  475. 		return out, authErr(http.StatusConflict, "Merging user data with conflicting usernames: %s %s", u.User, n.User)
    476. 

  476. 	}
    477. 

  477. 	out.User = u.User
    478. 

  478. 	if n.Password != "" {
    479. 

  479. 		out.Password = n.Password
    480. 

  480. 	} else {
    481. 

  481. 		out.Password = u.Password
    482. 

  482. 	}
    483. 

  483. 	currentRoles := types.NewUnsafeSet(u.Roles...)
    484. 

  484. 	for _, g := range n.Grant {
    485. 

  485. 		if currentRoles.Contains(g) {
    486. 

  486. 			plog.Noticef("granting duplicate role %s for user %s", g, n.User)
    487. 

  487. 			return User{}, authErr(http.StatusConflict, fmt.Sprintf("Granting duplicate role %s for user %s", g, n.User))
    488. 

  488. 		}
    489. 

  489. 		currentRoles.Add(g)
    490. 

  490. 	}
    491. 

  491. 	for _, r := range n.Revoke {
    492. 

  492. 		if !currentRoles.Contains(r) {
    493. 

  493. 			plog.Noticef("revoking ungranted role %s for user %s", r, n.User)
    494. 

  494. 			return User{}, authErr(http.StatusConflict, fmt.Sprintf("Revoking ungranted role %s for user %s", r, n.User))
    495. 

  495. 		}
    496. 

  496. 		currentRoles.Remove(r)
    497. 

  497. 	}
    498. 

  498. 	out.Roles = currentRoles.Values()
    499. 

  499. 	sort.Strings(out.Roles)
    500. 

  500. 	return out, nil
    501. 

  501. }
    502. 

  502. 

  503. // merge for a role works the same as User above -- atomic Role application to
    504. 

  504. // each of the substructures.
    505. 

  505. func (r Role) merge(n Role) (Role, error) {
    506. 

  506. 	var out Role
    507. 

  507. 	var err error
    508. 

  508. 	if r.Role != n.Role {
    509. 

  509. 		return out, authErr(http.StatusConflict, "Merging role with conflicting names: %s %s", r.Role, n.Role)
    510. 

  510. 	}
    511. 

  511. 	out.Role = r.Role
    512. 

  512. 	out.Permissions, err = r.Permissions.Grant(n.Grant)
    513. 

  513. 	if err != nil {
    514. 

  514. 		return out, err
    515. 

  515. 	}
    516. 

  516. 	out.Permissions, err = out.Permissions.Revoke(n.Revoke)
    517. 

  517. 	if err != nil {
    518. 

  518. 		return out, err
    519. 

  519. 	}
    520. 

  520. 	return out, nil
    521. 

  521. }
    522. 

  522. 

  523. func (r Role) HasKeyAccess(key string, write bool) bool {
    524. 

  524. 	if r.Role == RootRoleName {
    525. 

  525. 		return true
    526. 

  526. 	}
    527. 

  527. 	return r.Permissions.KV.HasAccess(key, write)
    528. 

  528. }
    529. 

  529. 

  530. func (r Role) HasRecursiveAccess(key string, write bool) bool {
    531. 

  531. 	if r.Role == RootRoleName {
    532. 

  532. 		return true
    533. 

  533. 	}
    534. 

  534. 	return r.Permissions.KV.HasRecursiveAccess(key, write)
    535. 

  535. }
    536. 

  536. 

  537. // Grant adds a set of permissions to the permission object on which it is called,
    538. 

  538. // returning a new permission object.
    539. 

  539. func (p Permissions) Grant(n *Permissions) (Permissions, error) {
    540. 

  540. 	var out Permissions
    541. 

  541. 	var err error
    542. 

  542. 	if n == nil {
    543. 

  543. 		return p, nil
    544. 

  544. 	}
    545. 

  545. 	out.KV, err = p.KV.Grant(n.KV)
    546. 

  546. 	return out, err
    547. 

  547. }
    548. 

  548. 

  549. // Revoke removes a set of permissions to the permission object on which it is called,
    550. 

  550. // returning a new permission object.
    551. 

  551. func (p Permissions) Revoke(n *Permissions) (Permissions, error) {
    552. 

  552. 	var out Permissions
    553. 

  553. 	var err error
    554. 

  554. 	if n == nil {
    555. 

  555. 		return p, nil
    556. 

  556. 	}
    557. 

  557. 	out.KV, err = p.KV.Revoke(n.KV)
    558. 

  558. 	return out, err
    559. 

  559. }
    560. 

  560. 

  561. // Grant adds a set of permissions to the permission object on which it is called,
    562. 

  562. // returning a new permission object.
    563. 

  563. func (rw RWPermission) Grant(n RWPermission) (RWPermission, error) {
    564. 

  564. 	var out RWPermission
    565. 

  565. 	currentRead := types.NewUnsafeSet(rw.Read...)
    566. 

  566. 	for _, r := range n.Read {
    567. 

  567. 		if currentRead.Contains(r) {
    568. 

  568. 			return out, authErr(http.StatusConflict, "Granting duplicate read permission %s", r)
    569. 

  569. 		}
    570. 

  570. 		currentRead.Add(r)
    571. 

  571. 	}
    572. 

  572. 	currentWrite := types.NewUnsafeSet(rw.Write...)
    573. 

  573. 	for _, w := range n.Write {
    574. 

  574. 		if currentWrite.Contains(w) {
    575. 

  575. 			return out, authErr(http.StatusConflict, "Granting duplicate write permission %s", w)
    576. 

  576. 		}
    577. 

  577. 		currentWrite.Add(w)
    578. 

  578. 	}
    579. 

  579. 	out.Read = currentRead.Values()
    580. 

  580. 	out.Write = currentWrite.Values()
    581. 

  581. 	sort.Strings(out.Read)
    582. 

  582. 	sort.Strings(out.Write)
    583. 

  583. 	return out, nil
    584. 

  584. }
    585. 

  585. 

  586. // Revoke removes a set of permissions to the permission object on which it is called,
    587. 

  587. // returning a new permission object.
    588. 

  588. func (rw RWPermission) Revoke(n RWPermission) (RWPermission, error) {
    589. 

  589. 	var out RWPermission
    590. 

  590. 	currentRead := types.NewUnsafeSet(rw.Read...)
    591. 

  591. 	for _, r := range n.Read {
    592. 

  592. 		if !currentRead.Contains(r) {
    593. 

  593. 			plog.Noticef("revoking ungranted read permission %s", r)
    594. 

  594. 			continue
    595. 

  595. 		}
    596. 

  596. 		currentRead.Remove(r)
    597. 

  597. 	}
    598. 

  598. 	currentWrite := types.NewUnsafeSet(rw.Write...)
    599. 

  599. 	for _, w := range n.Write {
    600. 

  600. 		if !currentWrite.Contains(w) {
    601. 

  601. 			plog.Noticef("revoking ungranted write permission %s", w)
    602. 

  602. 			continue
    603. 

  603. 		}
    604. 

  604. 		currentWrite.Remove(w)
    605. 

  605. 	}
    606. 

  606. 	out.Read = currentRead.Values()
    607. 

  607. 	out.Write = currentWrite.Values()
    608. 

  608. 	sort.Strings(out.Read)
    609. 

  609. 	sort.Strings(out.Write)
    610. 

  610. 	return out, nil
    611. 

  611. }
    612. 

  612. 

  613. func (rw RWPermission) HasAccess(key string, write bool) bool {
    614. 

  614. 	var list []string
    615. 

  615. 	if write {
    616. 

  616. 		list = rw.Write
    617. 

  617. 	} else {
    618. 

  618. 		list = rw.Read
    619. 

  619. 	}
    620. 

  620. 	for _, pat := range list {
    621. 

  621. 		match, err := simpleMatch(pat, key)
    622. 

  622. 		if err == nil && match {
    623. 

  623. 			return true
    624. 

  624. 		}
    625. 

  625. 	}
    626. 

  626. 	return false
    627. 

  627. }
    628. 

  628. 

  629. func (rw RWPermission) HasRecursiveAccess(key string, write bool) bool {
    630. 

  630. 	list := rw.Read
    631. 

  631. 	if write {
    632. 

  632. 		list = rw.Write
    633. 

  633. 	}
    634. 

  634. 	for _, pat := range list {
    635. 

  635. 		match, err := prefixMatch(pat, key)
    636. 

  636. 		if err == nil && match {
    637. 

  637. 			return true
    638. 

  638. 		}
    639. 

  639. 	}
    640. 

  640. 	return false
    641. 

  641. }
    642. 

  642. 

  643. func simpleMatch(pattern string, key string) (match bool, err error) {
    644. 

  644. 	if pattern[len(pattern)-1] == '*' {
    645. 

  645. 		return strings.HasPrefix(key, pattern[:len(pattern)-1]), nil
    646. 

  646. 	}
    647. 

  647. 	return key == pattern, nil
    648. 

  648. }
    649. 

  649. 

  650. func prefixMatch(pattern string, key string) (match bool, err error) {
    651. 

  651. 	if pattern[len(pattern)-1] != '*' {
    652. 

  652. 		return false, nil
    653. 

  653. 	}
    654. 

  654. 	return strings.HasPrefix(key, pattern[:len(pattern)-1]), nil
    655. 

  655. }
    656. 

  656. 

  657. func attachRootRole(u User) User {
    658. 

  658. 	inRoles := false
    659. 

  659. 	for _, r := range u.Roles {
    660. 

  660. 		if r == RootRoleName {
    661. 

  661. 			inRoles = true
    662. 

  662. 			break
    663. 

  663. 		}
    664. 

  664. 	}
    665. 

  665. 	if !inRoles {
    666. 

  666. 		u.Roles = append(u.Roles, RootRoleName)
    667. 

  667. 	}
    668. 

  668. 	return u
    669. 

  669. }
    670.