Home Explore Help
Register Sign In
publics
/
etcd-io__etcd
0
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 47d5257622
Branches Tags
etcd-io__etcd
/
etcdserver
/
auth
/
auth.go

auth.go 16 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643 
  1. // Copyright 2015 The etcd Authors
    2. 

  2. //
    3. 

  3. // Licensed under the Apache License, Version 2.0 (the "License");
    4. 

  4. // you may not use this file except in compliance with the License.
    5. 

  5. // You may obtain a copy of the License at
    6. 

  6. //
    7. 

  7. //     http://www.apache.org/licenses/LICENSE-2.0
    8. 

  8. //
    9. 

  9. // Unless required by applicable law or agreed to in writing, software
    10. 

  10. // distributed under the License is distributed on an "AS IS" BASIS,
    11. 

  11. // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12. 

  12. // See the License for the specific language governing permissions and
    13. 

  13. // limitations under the License.
    14. 

  14. 

  15. // Package auth implements etcd authentication.
    16. 

  16. package auth
    17. 

  17. 

  18. import (
    19. 

  19. 	"encoding/json"
    20. 

  20. 	"fmt"
    21. 

  21. 	"net/http"
    22. 

  22. 	"path"
    23. 

  23. 	"reflect"
    24. 

  24. 	"sort"
    25. 

  25. 	"strings"
    26. 

  26. 	"time"
    27. 

  27. 

  28. 	etcderr "github.com/coreos/etcd/error"
    29. 

  29. 	"github.com/coreos/etcd/etcdserver"
    30. 

  30. 	"github.com/coreos/etcd/etcdserver/etcdserverpb"
    31. 

  31. 	"github.com/coreos/etcd/pkg/types"
    32. 

  32. 	"github.com/coreos/pkg/capnslog"
    33. 

  33. 	"golang.org/x/crypto/bcrypt"
    34. 

  34. 	"golang.org/x/net/context"
    35. 

  35. )
    36. 

  36. 

  37. const (
    38. 

  38. 	// StorePermsPrefix is the internal prefix of the storage layer dedicated to storing user data.
    39. 

  39. 	StorePermsPrefix = "/2"
    40. 

  40. 

  41. 	// RootRoleName is the name of the ROOT role, with privileges to manage the cluster.
    42. 

  42. 	RootRoleName = "root"
    43. 

  43. 

  44. 	// GuestRoleName is the name of the role that defines the privileges of an unauthenticated user.
    45. 

  45. 	GuestRoleName = "guest"
    46. 

  46. )
    47. 

  47. 

  48. var (
    49. 

  49. 	plog = capnslog.NewPackageLogger("github.com/coreos/etcd/etcdserver", "auth")
    50. 

  50. )
    51. 

  51. 

  52. var rootRole = Role{
    53. 

  53. 	Role: RootRoleName,
    54. 

  54. 	Permissions: Permissions{
    55. 

  55. 		KV: RWPermission{
    56. 

  56. 			Read:  []string{"/*"},
    57. 

  57. 			Write: []string{"/*"},
    58. 

  58. 		},
    59. 

  59. 	},
    60. 

  60. }
    61. 

  61. 

  62. var guestRole = Role{
    63. 

  63. 	Role: GuestRoleName,
    64. 

  64. 	Permissions: Permissions{
    65. 

  65. 		KV: RWPermission{
    66. 

  66. 			Read:  []string{"/*"},
    67. 

  67. 			Write: []string{"/*"},
    68. 

  68. 		},
    69. 

  69. 	},
    70. 

  70. }
    71. 

  71. 

  72. type doer interface {
    73. 

  73. 	Do(context.Context, etcdserverpb.Request) (etcdserver.Response, error)
    74. 

  74. }
    75. 

  75. 

  76. type Store interface {
    77. 

  77. 	AllUsers() ([]string, error)
    78. 

  78. 	GetUser(name string) (User, error)
    79. 

  79. 	CreateOrUpdateUser(user User) (out User, created bool, err error)
    80. 

  80. 	CreateUser(user User) (User, error)
    81. 

  81. 	DeleteUser(name string) error
    82. 

  82. 	UpdateUser(user User) (User, error)
    83. 

  83. 	AllRoles() ([]string, error)
    84. 

  84. 	GetRole(name string) (Role, error)
    85. 

  85. 	CreateRole(role Role) error
    86. 

  86. 	DeleteRole(name string) error
    87. 

  87. 	UpdateRole(role Role) (Role, error)
    88. 

  88. 	AuthEnabled() bool
    89. 

  89. 	EnableAuth() error
    90. 

  90. 	DisableAuth() error
    91. 

  91. 	PasswordStore
    92. 

  92. }
    93. 

  93. 

  94. type PasswordStore interface {
    95. 

  95. 	CheckPassword(user User, password string) bool
    96. 

  96. 	HashPassword(password string) (string, error)
    97. 

  97. }
    98. 

  98. 

  99. type store struct {
    100. 

  100. 	server      doer
    101. 

  101. 	timeout     time.Duration
    102. 

  102. 	ensuredOnce bool
    103. 

  103. 

  104. 	PasswordStore
    105. 

  105. }
    106. 

  106. 

  107. type User struct {
    108. 

  108. 	User     string   `json:"user"`
    109. 

  109. 	Password string   `json:"password,omitempty"`
    110. 

  110. 	Roles    []string `json:"roles"`
    111. 

  111. 	Grant    []string `json:"grant,omitempty"`
    112. 

  112. 	Revoke   []string `json:"revoke,omitempty"`
    113. 

  113. }
    114. 

  114. 

  115. type Role struct {
    116. 

  116. 	Role        string       `json:"role"`
    117. 

  117. 	Permissions Permissions  `json:"permissions"`
    118. 

  118. 	Grant       *Permissions `json:"grant,omitempty"`
    119. 

  119. 	Revoke      *Permissions `json:"revoke,omitempty"`
    120. 

  120. }
    121. 

  121. 

  122. type Permissions struct {
    123. 

  123. 	KV RWPermission `json:"kv"`
    124. 

  124. }
    125. 

  125. 

  126. func (p *Permissions) IsEmpty() bool {
    127. 

  127. 	return p == nil || (len(p.KV.Read) == 0 && len(p.KV.Write) == 0)
    128. 

  128. }
    129. 

  129. 

  130. type RWPermission struct {
    131. 

  131. 	Read  []string `json:"read"`
    132. 

  132. 	Write []string `json:"write"`
    133. 

  133. }
    134. 

  134. 

  135. type Error struct {
    136. 

  136. 	Status int
    137. 

  137. 	Errmsg string
    138. 

  138. }
    139. 

  139. 

  140. func (ae Error) Error() string   { return ae.Errmsg }
    141. 

  141. func (ae Error) HTTPStatus() int { return ae.Status }
    142. 

  142. 

  143. func authErr(hs int, s string, v ...interface{}) Error {
    144. 

  144. 	return Error{Status: hs, Errmsg: fmt.Sprintf("auth: "+s, v...)}
    145. 

  145. }
    146. 

  146. 

  147. func NewStore(server doer, timeout time.Duration) Store {
    148. 

  148. 	s := &store{
    149. 

  149. 		server:        server,
    150. 

  150. 		timeout:       timeout,
    151. 

  151. 		PasswordStore: passwordStore{},
    152. 

  152. 	}
    153. 

  153. 	return s
    154. 

  154. }
    155. 

  155. 

  156. // passwordStore implements PasswordStore using bcrypt to hash user passwords
    157. 

  157. type passwordStore struct{}
    158. 

  158. 

  159. func (_ passwordStore) CheckPassword(user User, password string) bool {
    160. 

  160. 	err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password))
    161. 

  161. 	return err == nil
    162. 

  162. }
    163. 

  163. 

  164. func (_ passwordStore) HashPassword(password string) (string, error) {
    165. 

  165. 	hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
    166. 

  166. 	return string(hash), err
    167. 

  167. }
    168. 

  168. 

  169. func (s *store) AllUsers() ([]string, error) {
    170. 

  170. 	resp, err := s.requestResource("/users/", false)
    171. 

  171. 	if err != nil {
    172. 

  172. 		if e, ok := err.(*etcderr.Error); ok {
    173. 

  173. 			if e.ErrorCode == etcderr.EcodeKeyNotFound {
    174. 

  174. 				return []string{}, nil
    175. 

  175. 			}
    176. 

  176. 		}
    177. 

  177. 		return nil, err
    178. 

  178. 	}
    179. 

  179. 	var nodes []string
    180. 

  180. 	for _, n := range resp.Event.Node.Nodes {
    181. 

  181. 		_, user := path.Split(n.Key)
    182. 

  182. 		nodes = append(nodes, user)
    183. 

  183. 	}
    184. 

  184. 	sort.Strings(nodes)
    185. 

  185. 	return nodes, nil
    186. 

  186. }
    187. 

  187. 

  188. func (s *store) GetUser(name string) (User, error) {
    189. 

  189. 	resp, err := s.requestResource("/users/"+name, false)
    190. 

  190. 	if err != nil {
    191. 

  191. 		if e, ok := err.(*etcderr.Error); ok {
    192. 

  192. 			if e.ErrorCode == etcderr.EcodeKeyNotFound {
    193. 

  193. 				return User{}, authErr(http.StatusNotFound, "User %s does not exist.", name)
    194. 

  194. 			}
    195. 

  195. 		}
    196. 

  196. 		return User{}, err
    197. 

  197. 	}
    198. 

  198. 	var u User
    199. 

  199. 	err = json.Unmarshal([]byte(*resp.Event.Node.Value), &u)
    200. 

  200. 	if err != nil {
    201. 

  201. 		return u, err
    202. 

  202. 	}
    203. 

  203. 	// Attach root role to root user.
    204. 

  204. 	if u.User == "root" {
    205. 

  205. 		u = attachRootRole(u)
    206. 

  206. 	}
    207. 

  207. 	return u, nil
    208. 

  208. }
    209. 

  209. 

  210. // CreateOrUpdateUser should be only used for creating the new user or when you are not
    211. 

  211. // sure if it is a create or update. (When only password is passed in, we are not sure
    212. 

  212. // if it is a update or create)
    213. 

  213. func (s *store) CreateOrUpdateUser(user User) (out User, created bool, err error) {
    214. 

  214. 	_, err = s.GetUser(user.User)
    215. 

  215. 	if err == nil {
    216. 

  216. 		out, err = s.UpdateUser(user)
    217. 

  217. 		return out, false, err
    218. 

  218. 	}
    219. 

  219. 	u, err := s.CreateUser(user)
    220. 

  220. 	return u, true, err
    221. 

  221. }
    222. 

  222. 

  223. func (s *store) CreateUser(user User) (User, error) {
    224. 

  224. 	// Attach root role to root user.
    225. 

  225. 	if user.User == "root" {
    226. 

  226. 		user = attachRootRole(user)
    227. 

  227. 	}
    228. 

  228. 	u, err := s.createUserInternal(user)
    229. 

  229. 	if err == nil {
    230. 

  230. 		plog.Noticef("created user %s", user.User)
    231. 

  231. 	}
    232. 

  232. 	return u, err
    233. 

  233. }
    234. 

  234. 

  235. func (s *store) createUserInternal(user User) (User, error) {
    236. 

  236. 	if user.Password == "" {
    237. 

  237. 		return user, authErr(http.StatusBadRequest, "Cannot create user %s with an empty password", user.User)
    238. 

  238. 	}
    239. 

  239. 	hash, err := s.HashPassword(user.Password)
    240. 

  240. 	if err != nil {
    241. 

  241. 		return user, err
    242. 

  242. 	}
    243. 

  243. 	user.Password = hash
    244. 

  244. 

  245. 	_, err = s.createResource("/users/"+user.User, user)
    246. 

  246. 	if err != nil {
    247. 

  247. 		if e, ok := err.(*etcderr.Error); ok {
    248. 

  248. 			if e.ErrorCode == etcderr.EcodeNodeExist {
    249. 

  249. 				return user, authErr(http.StatusConflict, "User %s already exists.", user.User)
    250. 

  250. 			}
    251. 

  251. 		}
    252. 

  252. 	}
    253. 

  253. 	return user, err
    254. 

  254. }
    255. 

  255. 

  256. func (s *store) DeleteUser(name string) error {
    257. 

  257. 	if s.AuthEnabled() && name == "root" {
    258. 

  258. 		return authErr(http.StatusForbidden, "Cannot delete root user while auth is enabled.")
    259. 

  259. 	}
    260. 

  260. 	_, err := s.deleteResource("/users/" + name)
    261. 

  261. 	if err != nil {
    262. 

  262. 		if e, ok := err.(*etcderr.Error); ok {
    263. 

  263. 			if e.ErrorCode == etcderr.EcodeKeyNotFound {
    264. 

  264. 				return authErr(http.StatusNotFound, "User %s does not exist", name)
    265. 

  265. 			}
    266. 

  266. 		}
    267. 

  267. 		return err
    268. 

  268. 	}
    269. 

  269. 	plog.Noticef("deleted user %s", name)
    270. 

  270. 	return nil
    271. 

  271. }
    272. 

  272. 

  273. func (s *store) UpdateUser(user User) (User, error) {
    274. 

  274. 	old, err := s.GetUser(user.User)
    275. 

  275. 	if err != nil {
    276. 

  276. 		if e, ok := err.(*etcderr.Error); ok {
    277. 

  277. 			if e.ErrorCode == etcderr.EcodeKeyNotFound {
    278. 

  278. 				return user, authErr(http.StatusNotFound, "User %s doesn't exist.", user.User)
    279. 

  279. 			}
    280. 

  280. 		}
    281. 

  281. 		return old, err
    282. 

  282. 	}
    283. 

  283. 

  284. 	newUser, err := old.merge(user, s.PasswordStore)
    285. 

  285. 	if err != nil {
    286. 

  286. 		return old, err
    287. 

  287. 	}
    288. 

  288. 	if reflect.DeepEqual(old, newUser) {
    289. 

  289. 		return old, authErr(http.StatusBadRequest, "User not updated. Use grant/revoke/password to update the user.")
    290. 

  290. 	}
    291. 

  291. 	_, err = s.updateResource("/users/"+user.User, newUser)
    292. 

  292. 	if err == nil {
    293. 

  293. 		plog.Noticef("updated user %s", user.User)
    294. 

  294. 	}
    295. 

  295. 	return newUser, err
    296. 

  296. }
    297. 

  297. 

  298. func (s *store) AllRoles() ([]string, error) {
    299. 

  299. 	nodes := []string{RootRoleName}
    300. 

  300. 	resp, err := s.requestResource("/roles/", false)
    301. 

  301. 	if err != nil {
    302. 

  302. 		if e, ok := err.(*etcderr.Error); ok {
    303. 

  303. 			if e.ErrorCode == etcderr.EcodeKeyNotFound {
    304. 

  304. 				return nodes, nil
    305. 

  305. 			}
    306. 

  306. 		}
    307. 

  307. 		return nil, err
    308. 

  308. 	}
    309. 

  309. 	for _, n := range resp.Event.Node.Nodes {
    310. 

  310. 		_, role := path.Split(n.Key)
    311. 

  311. 		nodes = append(nodes, role)
    312. 

  312. 	}
    313. 

  313. 	sort.Strings(nodes)
    314. 

  314. 	return nodes, nil
    315. 

  315. }
    316. 

  316. 

  317. func (s *store) GetRole(name string) (Role, error) {
    318. 

  318. 	if name == RootRoleName {
    319. 

  319. 		return rootRole, nil
    320. 

  320. 	}
    321. 

  321. 	resp, err := s.requestResource("/roles/"+name, false)
    322. 

  322. 	if err != nil {
    323. 

  323. 		if e, ok := err.(*etcderr.Error); ok {
    324. 

  324. 			if e.ErrorCode == etcderr.EcodeKeyNotFound {
    325. 

  325. 				return Role{}, authErr(http.StatusNotFound, "Role %s does not exist.", name)
    326. 

  326. 			}
    327. 

  327. 		}
    328. 

  328. 		return Role{}, err
    329. 

  329. 	}
    330. 

  330. 	var r Role
    331. 

  331. 	err = json.Unmarshal([]byte(*resp.Event.Node.Value), &r)
    332. 

  332. 	return r, err
    333. 

  333. }
    334. 

  334. 

  335. func (s *store) CreateRole(role Role) error {
    336. 

  336. 	if role.Role == RootRoleName {
    337. 

  337. 		return authErr(http.StatusForbidden, "Cannot modify role %s: is root role.", role.Role)
    338. 

  338. 	}
    339. 

  339. 	_, err := s.createResource("/roles/"+role.Role, role)
    340. 

  340. 	if err != nil {
    341. 

  341. 		if e, ok := err.(*etcderr.Error); ok {
    342. 

  342. 			if e.ErrorCode == etcderr.EcodeNodeExist {
    343. 

  343. 				return authErr(http.StatusConflict, "Role %s already exists.", role.Role)
    344. 

  344. 			}
    345. 

  345. 		}
    346. 

  346. 	}
    347. 

  347. 	if err == nil {
    348. 

  348. 		plog.Noticef("created new role %s", role.Role)
    349. 

  349. 	}
    350. 

  350. 	return err
    351. 

  351. }
    352. 

  352. 

  353. func (s *store) DeleteRole(name string) error {
    354. 

  354. 	if name == RootRoleName {
    355. 

  355. 		return authErr(http.StatusForbidden, "Cannot modify role %s: is root role.", name)
    356. 

  356. 	}
    357. 

  357. 	_, err := s.deleteResource("/roles/" + name)
    358. 

  358. 	if err != nil {
    359. 

  359. 		if e, ok := err.(*etcderr.Error); ok {
    360. 

  360. 			if e.ErrorCode == etcderr.EcodeKeyNotFound {
    361. 

  361. 				return authErr(http.StatusNotFound, "Role %s doesn't exist.", name)
    362. 

  362. 			}
    363. 

  363. 		}
    364. 

  364. 	}
    365. 

  365. 	if err == nil {
    366. 

  366. 		plog.Noticef("deleted role %s", name)
    367. 

  367. 	}
    368. 

  368. 	return err
    369. 

  369. }
    370. 

  370. 

  371. func (s *store) UpdateRole(role Role) (Role, error) {
    372. 

  372. 	if role.Role == RootRoleName {
    373. 

  373. 		return Role{}, authErr(http.StatusForbidden, "Cannot modify role %s: is root role.", role.Role)
    374. 

  374. 	}
    375. 

  375. 	old, err := s.GetRole(role.Role)
    376. 

  376. 	if err != nil {
    377. 

  377. 		if e, ok := err.(*etcderr.Error); ok {
    378. 

  378. 			if e.ErrorCode == etcderr.EcodeKeyNotFound {
    379. 

  379. 				return role, authErr(http.StatusNotFound, "Role %s doesn't exist.", role.Role)
    380. 

  380. 			}
    381. 

  381. 		}
    382. 

  382. 		return old, err
    383. 

  383. 	}
    384. 

  384. 	newRole, err := old.merge(role)
    385. 

  385. 	if err != nil {
    386. 

  386. 		return old, err
    387. 

  387. 	}
    388. 

  388. 	if reflect.DeepEqual(old, newRole) {
    389. 

  389. 		return old, authErr(http.StatusBadRequest, "Role not updated. Use grant/revoke to update the role.")
    390. 

  390. 	}
    391. 

  391. 	_, err = s.updateResource("/roles/"+role.Role, newRole)
    392. 

  392. 	if err == nil {
    393. 

  393. 		plog.Noticef("updated role %s", role.Role)
    394. 

  394. 	}
    395. 

  395. 	return newRole, err
    396. 

  396. }
    397. 

  397. 

  398. func (s *store) AuthEnabled() bool {
    399. 

  399. 	return s.detectAuth()
    400. 

  400. }
    401. 

  401. 

  402. func (s *store) EnableAuth() error {
    403. 

  403. 	if s.AuthEnabled() {
    404. 

  404. 		return authErr(http.StatusConflict, "already enabled")
    405. 

  405. 	}
    406. 

  406. 

  407. 	if _, err := s.GetUser("root"); err != nil {
    408. 

  408. 		return authErr(http.StatusConflict, "No root user available, please create one")
    409. 

  409. 	}
    410. 

  410. 	if _, err := s.GetRole(GuestRoleName); err != nil {
    411. 

  411. 		plog.Printf("no guest role access found, creating default")
    412. 

  412. 		if err := s.CreateRole(guestRole); err != nil {
    413. 

  413. 			plog.Errorf("error creating guest role. aborting auth enable.")
    414. 

  414. 			return err
    415. 

  415. 		}
    416. 

  416. 	}
    417. 

  417. 

  418. 	if err := s.enableAuth(); err != nil {
    419. 

  419. 		plog.Errorf("error enabling auth (%v)", err)
    420. 

  420. 		return err
    421. 

  421. 	}
    422. 

  422. 

  423. 	plog.Noticef("auth: enabled auth")
    424. 

  424. 	return nil
    425. 

  425. }
    426. 

  426. 

  427. func (s *store) DisableAuth() error {
    428. 

  428. 	if !s.AuthEnabled() {
    429. 

  429. 		return authErr(http.StatusConflict, "already disabled")
    430. 

  430. 	}
    431. 

  431. 

  432. 	err := s.disableAuth()
    433. 

  433. 	if err == nil {
    434. 

  434. 		plog.Noticef("auth: disabled auth")
    435. 

  435. 	} else {
    436. 

  436. 		plog.Errorf("error disabling auth (%v)", err)
    437. 

  437. 	}
    438. 

  438. 	return err
    439. 

  439. }
    440. 

  440. 

  441. // merge applies the properties of the passed-in User to the User on which it
    442. 

  442. // is called and returns a new User with these modifications applied. Think of
    443. 

  443. // all Users as immutable sets of data. Merge allows you to perform the set
    444. 

  444. // operations (desired grants and revokes) atomically
    445. 

  445. func (ou User) merge(nu User, s PasswordStore) (User, error) {
    446. 

  446. 	var out User
    447. 

  447. 	if ou.User != nu.User {
    448. 

  448. 		return out, authErr(http.StatusConflict, "Merging user data with conflicting usernames: %s %s", ou.User, nu.User)
    449. 

  449. 	}
    450. 

  450. 	out.User = ou.User
    451. 

  451. 	if nu.Password != "" {
    452. 

  452. 		hash, err := s.HashPassword(nu.Password)
    453. 

  453. 		if err != nil {
    454. 

  454. 			return ou, err
    455. 

  455. 		}
    456. 

  456. 		out.Password = hash
    457. 

  457. 	} else {
    458. 

  458. 		out.Password = ou.Password
    459. 

  459. 	}
    460. 

  460. 	currentRoles := types.NewUnsafeSet(ou.Roles...)
    461. 

  461. 	for _, g := range nu.Grant {
    462. 

  462. 		if currentRoles.Contains(g) {
    463. 

  463. 			plog.Noticef("granting duplicate role %s for user %s", g, nu.User)
    464. 

  464. 			return User{}, authErr(http.StatusConflict, fmt.Sprintf("Granting duplicate role %s for user %s", g, nu.User))
    465. 

  465. 		}
    466. 

  466. 		currentRoles.Add(g)
    467. 

  467. 	}
    468. 

  468. 	for _, r := range nu.Revoke {
    469. 

  469. 		if !currentRoles.Contains(r) {
    470. 

  470. 			plog.Noticef("revoking ungranted role %s for user %s", r, nu.User)
    471. 

  471. 			return User{}, authErr(http.StatusConflict, fmt.Sprintf("Revoking ungranted role %s for user %s", r, nu.User))
    472. 

  472. 		}
    473. 

  473. 		currentRoles.Remove(r)
    474. 

  474. 	}
    475. 

  475. 	out.Roles = currentRoles.Values()
    476. 

  476. 	sort.Strings(out.Roles)
    477. 

  477. 	return out, nil
    478. 

  478. }
    479. 

  479. 

  480. // merge for a role works the same as User above -- atomic Role application to
    481. 

  481. // each of the substructures.
    482. 

  482. func (r Role) merge(n Role) (Role, error) {
    483. 

  483. 	var out Role
    484. 

  484. 	var err error
    485. 

  485. 	if r.Role != n.Role {
    486. 

  486. 		return out, authErr(http.StatusConflict, "Merging role with conflicting names: %s %s", r.Role, n.Role)
    487. 

  487. 	}
    488. 

  488. 	out.Role = r.Role
    489. 

  489. 	out.Permissions, err = r.Permissions.Grant(n.Grant)
    490. 

  490. 	if err != nil {
    491. 

  491. 		return out, err
    492. 

  492. 	}
    493. 

  493. 	out.Permissions, err = out.Permissions.Revoke(n.Revoke)
    494. 

  494. 	return out, err
    495. 

  495. }
    496. 

  496. 

  497. func (r Role) HasKeyAccess(key string, write bool) bool {
    498. 

  498. 	if r.Role == RootRoleName {
    499. 

  499. 		return true
    500. 

  500. 	}
    501. 

  501. 	return r.Permissions.KV.HasAccess(key, write)
    502. 

  502. }
    503. 

  503. 

  504. func (r Role) HasRecursiveAccess(key string, write bool) bool {
    505. 

  505. 	if r.Role == RootRoleName {
    506. 

  506. 		return true
    507. 

  507. 	}
    508. 

  508. 	return r.Permissions.KV.HasRecursiveAccess(key, write)
    509. 

  509. }
    510. 

  510. 

  511. // Grant adds a set of permissions to the permission object on which it is called,
    512. 

  512. // returning a new permission object.
    513. 

  513. func (p Permissions) Grant(n *Permissions) (Permissions, error) {
    514. 

  514. 	var out Permissions
    515. 

  515. 	var err error
    516. 

  516. 	if n == nil {
    517. 

  517. 		return p, nil
    518. 

  518. 	}
    519. 

  519. 	out.KV, err = p.KV.Grant(n.KV)
    520. 

  520. 	return out, err
    521. 

  521. }
    522. 

  522. 

  523. // Revoke removes a set of permissions to the permission object on which it is called,
    524. 

  524. // returning a new permission object.
    525. 

  525. func (p Permissions) Revoke(n *Permissions) (Permissions, error) {
    526. 

  526. 	var out Permissions
    527. 

  527. 	var err error
    528. 

  528. 	if n == nil {
    529. 

  529. 		return p, nil
    530. 

  530. 	}
    531. 

  531. 	out.KV, err = p.KV.Revoke(n.KV)
    532. 

  532. 	return out, err
    533. 

  533. }
    534. 

  534. 

  535. // Grant adds a set of permissions to the permission object on which it is called,
    536. 

  536. // returning a new permission object.
    537. 

  537. func (rw RWPermission) Grant(n RWPermission) (RWPermission, error) {
    538. 

  538. 	var out RWPermission
    539. 

  539. 	currentRead := types.NewUnsafeSet(rw.Read...)
    540. 

  540. 	for _, r := range n.Read {
    541. 

  541. 		if currentRead.Contains(r) {
    542. 

  542. 			return out, authErr(http.StatusConflict, "Granting duplicate read permission %s", r)
    543. 

  543. 		}
    544. 

  544. 		currentRead.Add(r)
    545. 

  545. 	}
    546. 

  546. 	currentWrite := types.NewUnsafeSet(rw.Write...)
    547. 

  547. 	for _, w := range n.Write {
    548. 

  548. 		if currentWrite.Contains(w) {
    549. 

  549. 			return out, authErr(http.StatusConflict, "Granting duplicate write permission %s", w)
    550. 

  550. 		}
    551. 

  551. 		currentWrite.Add(w)
    552. 

  552. 	}
    553. 

  553. 	out.Read = currentRead.Values()
    554. 

  554. 	out.Write = currentWrite.Values()
    555. 

  555. 	sort.Strings(out.Read)
    556. 

  556. 	sort.Strings(out.Write)
    557. 

  557. 	return out, nil
    558. 

  558. }
    559. 

  559. 

  560. // Revoke removes a set of permissions to the permission object on which it is called,
    561. 

  561. // returning a new permission object.
    562. 

  562. func (rw RWPermission) Revoke(n RWPermission) (RWPermission, error) {
    563. 

  563. 	var out RWPermission
    564. 

  564. 	currentRead := types.NewUnsafeSet(rw.Read...)
    565. 

  565. 	for _, r := range n.Read {
    566. 

  566. 		if !currentRead.Contains(r) {
    567. 

  567. 			plog.Noticef("revoking ungranted read permission %s", r)
    568. 

  568. 			continue
    569. 

  569. 		}
    570. 

  570. 		currentRead.Remove(r)
    571. 

  571. 	}
    572. 

  572. 	currentWrite := types.NewUnsafeSet(rw.Write...)
    573. 

  573. 	for _, w := range n.Write {
    574. 

  574. 		if !currentWrite.Contains(w) {
    575. 

  575. 			plog.Noticef("revoking ungranted write permission %s", w)
    576. 

  576. 			continue
    577. 

  577. 		}
    578. 

  578. 		currentWrite.Remove(w)
    579. 

  579. 	}
    580. 

  580. 	out.Read = currentRead.Values()
    581. 

  581. 	out.Write = currentWrite.Values()
    582. 

  582. 	sort.Strings(out.Read)
    583. 

  583. 	sort.Strings(out.Write)
    584. 

  584. 	return out, nil
    585. 

  585. }
    586. 

  586. 

  587. func (rw RWPermission) HasAccess(key string, write bool) bool {
    588. 

  588. 	var list []string
    589. 

  589. 	if write {
    590. 

  590. 		list = rw.Write
    591. 

  591. 	} else {
    592. 

  592. 		list = rw.Read
    593. 

  593. 	}
    594. 

  594. 	for _, pat := range list {
    595. 

  595. 		match, err := simpleMatch(pat, key)
    596. 

  596. 		if err == nil && match {
    597. 

  597. 			return true
    598. 

  598. 		}
    599. 

  599. 	}
    600. 

  600. 	return false
    601. 

  601. }
    602. 

  602. 

  603. func (rw RWPermission) HasRecursiveAccess(key string, write bool) bool {
    604. 

  604. 	list := rw.Read
    605. 

  605. 	if write {
    606. 

  606. 		list = rw.Write
    607. 

  607. 	}
    608. 

  608. 	for _, pat := range list {
    609. 

  609. 		match, err := prefixMatch(pat, key)
    610. 

  610. 		if err == nil && match {
    611. 

  611. 			return true
    612. 

  612. 		}
    613. 

  613. 	}
    614. 

  614. 	return false
    615. 

  615. }
    616. 

  616. 

  617. func simpleMatch(pattern string, key string) (match bool, err error) {
    618. 

  618. 	if pattern[len(pattern)-1] == '*' {
    619. 

  619. 		return strings.HasPrefix(key, pattern[:len(pattern)-1]), nil
    620. 

  620. 	}
    621. 

  621. 	return key == pattern, nil
    622. 

  622. }
    623. 

  623. 

  624. func prefixMatch(pattern string, key string) (match bool, err error) {
    625. 

  625. 	if pattern[len(pattern)-1] != '*' {
    626. 

  626. 		return false, nil
    627. 

  627. 	}
    628. 

  628. 	return strings.HasPrefix(key, pattern[:len(pattern)-1]), nil
    629. 

  629. }
    630. 

  630. 

  631. func attachRootRole(u User) User {
    632. 

  632. 	inRoles := false
    633. 

  633. 	for _, r := range u.Roles {
    634. 

  634. 		if r == RootRoleName {
    635. 

  635. 			inRoles = true
    636. 

  636. 			break
    637. 

  637. 		}
    638. 

  638. 	}
    639. 

  639. 	if !inRoles {
    640. 

  640. 		u.Roles = append(u.Roles, RootRoleName)
    641. 

  641. 	}
    642. 

  642. 	return u
    643. 

  643. }
    644.