Home Explore Help
Register Sign In
publics
/
etcd-io__etcd
0
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: fcf94f3a59
Branches Tags
etcd-io__etcd
/
etcdserver
/
auth
/
auth.go

auth.go 17 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664 
  1. // Copyright 2015 CoreOS, Inc.
    2. 

  2. //
    3. 

  3. // Licensed under the Apache License, Version 2.0 (the "License");
    4. 

  4. // you may not use this file except in compliance with the License.
    5. 

  5. // You may obtain a copy of the License at
    6. 

  6. //
    7. 

  7. //     http://www.apache.org/licenses/LICENSE-2.0
    8. 

  8. //
    9. 

  9. // Unless required by applicable law or agreed to in writing, software
    10. 

  10. // distributed under the License is distributed on an "AS IS" BASIS,
    11. 

  11. // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12. 

  12. // See the License for the specific language governing permissions and
    13. 

  13. // limitations under the License.
    14. 

  14. 

  15. // Package auth implements etcd authentication.
    16. 

  16. package auth
    17. 

  17. 

  18. import (
    19. 

  19. 	"encoding/json"
    20. 

  20. 	"fmt"
    21. 

  21. 	"net/http"
    22. 

  22. 	"path"
    23. 

  23. 	"reflect"
    24. 

  24. 	"sort"
    25. 

  25. 	"strings"
    26. 

  26. 	"sync"
    27. 

  27. 	"time"
    28. 

  28. 

  29. 	"github.com/coreos/etcd/Godeps/_workspace/src/github.com/coreos/pkg/capnslog"
    30. 

  30. 	"github.com/coreos/etcd/Godeps/_workspace/src/golang.org/x/crypto/bcrypt"
    31. 

  31. 	"github.com/coreos/etcd/Godeps/_workspace/src/golang.org/x/net/context"
    32. 

  32. 	etcderr "github.com/coreos/etcd/error"
    33. 

  33. 	"github.com/coreos/etcd/etcdserver"
    34. 

  34. 	"github.com/coreos/etcd/etcdserver/etcdserverpb"
    35. 

  35. 	"github.com/coreos/etcd/pkg/types"
    36. 

  36. )
    37. 

  37. 

  38. const (
    39. 

  39. 	// StorePermsPrefix is the internal prefix of the storage layer dedicated to storing user data.
    40. 

  40. 	StorePermsPrefix = "/2"
    41. 

  41. 

  42. 	// RootRoleName is the name of the ROOT role, with privileges to manage the cluster.
    43. 

  43. 	RootRoleName = "root"
    44. 

  44. 

  45. 	// GuestRoleName is the name of the role that defines the privileges of an unauthenticated user.
    46. 

  46. 	GuestRoleName = "guest"
    47. 

  47. )
    48. 

  48. 

  49. var (
    50. 

  50. 	plog = capnslog.NewPackageLogger("github.com/coreos/etcd/etcdserver", "auth")
    51. 

  51. )
    52. 

  52. 

  53. var rootRole = Role{
    54. 

  54. 	Role: RootRoleName,
    55. 

  55. 	Permissions: Permissions{
    56. 

  56. 		KV: RWPermission{
    57. 

  57. 			Read:  []string{"/*"},
    58. 

  58. 			Write: []string{"/*"},
    59. 

  59. 		},
    60. 

  60. 	},
    61. 

  61. }
    62. 

  62. 

  63. var guestRole = Role{
    64. 

  64. 	Role: GuestRoleName,
    65. 

  65. 	Permissions: Permissions{
    66. 

  66. 		KV: RWPermission{
    67. 

  67. 			Read:  []string{"/*"},
    68. 

  68. 			Write: []string{"/*"},
    69. 

  69. 		},
    70. 

  70. 	},
    71. 

  71. }
    72. 

  72. 

  73. type doer interface {
    74. 

  74. 	Do(context.Context, etcdserverpb.Request) (etcdserver.Response, error)
    75. 

  75. }
    76. 

  76. 

  77. type Store interface {
    78. 

  78. 	AllUsers() ([]string, error)
    79. 

  79. 	GetUser(name string) (User, error)
    80. 

  80. 	CreateOrUpdateUser(user User) (out User, created bool, err error)
    81. 

  81. 	CreateUser(user User) (User, error)
    82. 

  82. 	DeleteUser(name string) error
    83. 

  83. 	UpdateUser(user User) (User, error)
    84. 

  84. 	AllRoles() ([]string, error)
    85. 

  85. 	GetRole(name string) (Role, error)
    86. 

  86. 	CreateRole(role Role) error
    87. 

  87. 	DeleteRole(name string) error
    88. 

  88. 	UpdateRole(role Role) (Role, error)
    89. 

  89. 	AuthEnabled() bool
    90. 

  90. 	EnableAuth() error
    91. 

  91. 	DisableAuth() error
    92. 

  92. 	PasswordStore
    93. 

  93. }
    94. 

  94. 

  95. type PasswordStore interface {
    96. 

  96. 	CheckPassword(user User, password string) bool
    97. 

  97. 	HashPassword(password string) (string, error)
    98. 

  98. }
    99. 

  99. 

  100. type store struct {
    101. 

  101. 	server      doer
    102. 

  102. 	timeout     time.Duration
    103. 

  103. 	ensuredOnce bool
    104. 

  104. 

  105. 	mu sync.Mutex // protect enabled
    106. 

  106. 

  107. 	PasswordStore
    108. 

  108. }
    109. 

  109. 

  110. type User struct {
    111. 

  111. 	User     string   `json:"user"`
    112. 

  112. 	Password string   `json:"password,omitempty"`
    113. 

  113. 	Roles    []string `json:"roles"`
    114. 

  114. 	Grant    []string `json:"grant,omitempty"`
    115. 

  115. 	Revoke   []string `json:"revoke,omitempty"`
    116. 

  116. }
    117. 

  117. 

  118. type Role struct {
    119. 

  119. 	Role        string       `json:"role"`
    120. 

  120. 	Permissions Permissions  `json:"permissions"`
    121. 

  121. 	Grant       *Permissions `json:"grant,omitempty"`
    122. 

  122. 	Revoke      *Permissions `json:"revoke,omitempty"`
    123. 

  123. }
    124. 

  124. 

  125. type Permissions struct {
    126. 

  126. 	KV RWPermission `json:"kv"`
    127. 

  127. }
    128. 

  128. 

  129. func (p *Permissions) IsEmpty() bool {
    130. 

  130. 	return p == nil || (len(p.KV.Read) == 0 && len(p.KV.Write) == 0)
    131. 

  131. }
    132. 

  132. 

  133. type RWPermission struct {
    134. 

  134. 	Read  []string `json:"read"`
    135. 

  135. 	Write []string `json:"write"`
    136. 

  136. }
    137. 

  137. 

  138. type Error struct {
    139. 

  139. 	Status int
    140. 

  140. 	Errmsg string
    141. 

  141. }
    142. 

  142. 

  143. func (ae Error) Error() string   { return ae.Errmsg }
    144. 

  144. func (ae Error) HTTPStatus() int { return ae.Status }
    145. 

  145. 

  146. func authErr(hs int, s string, v ...interface{}) Error {
    147. 

  147. 	return Error{Status: hs, Errmsg: fmt.Sprintf("auth: "+s, v...)}
    148. 

  148. }
    149. 

  149. 

  150. func NewStore(server doer, timeout time.Duration) Store {
    151. 

  151. 	s := &store{
    152. 

  152. 		server:        server,
    153. 

  153. 		timeout:       timeout,
    154. 

  154. 		PasswordStore: passwordStore{},
    155. 

  155. 	}
    156. 

  156. 	return s
    157. 

  157. }
    158. 

  158. 

  159. // passwordStore implements PasswordStore using bcrypt to hash user passwords
    160. 

  160. type passwordStore struct{}
    161. 

  161. 

  162. func (_ passwordStore) CheckPassword(user User, password string) bool {
    163. 

  163. 	err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password))
    164. 

  164. 	return err == nil
    165. 

  165. }
    166. 

  166. 

  167. func (_ passwordStore) HashPassword(password string) (string, error) {
    168. 

  168. 	hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
    169. 

  169. 	return string(hash), err
    170. 

  170. }
    171. 

  171. 

  172. func (s *store) AllUsers() ([]string, error) {
    173. 

  173. 	resp, err := s.requestResource("/users/", false)
    174. 

  174. 	if err != nil {
    175. 

  175. 		if e, ok := err.(*etcderr.Error); ok {
    176. 

  176. 			if e.ErrorCode == etcderr.EcodeKeyNotFound {
    177. 

  177. 				return []string{}, nil
    178. 

  178. 			}
    179. 

  179. 		}
    180. 

  180. 		return nil, err
    181. 

  181. 	}
    182. 

  182. 	var nodes []string
    183. 

  183. 	for _, n := range resp.Event.Node.Nodes {
    184. 

  184. 		_, user := path.Split(n.Key)
    185. 

  185. 		nodes = append(nodes, user)
    186. 

  186. 	}
    187. 

  187. 	sort.Strings(nodes)
    188. 

  188. 	return nodes, nil
    189. 

  189. }
    190. 

  190. 

  191. func (s *store) GetUser(name string) (User, error) {
    192. 

  192. 	resp, err := s.requestResource("/users/"+name, false)
    193. 

  193. 	if err != nil {
    194. 

  194. 		if e, ok := err.(*etcderr.Error); ok {
    195. 

  195. 			if e.ErrorCode == etcderr.EcodeKeyNotFound {
    196. 

  196. 				return User{}, authErr(http.StatusNotFound, "User %s does not exist.", name)
    197. 

  197. 			}
    198. 

  198. 		}
    199. 

  199. 		return User{}, err
    200. 

  200. 	}
    201. 

  201. 	var u User
    202. 

  202. 	err = json.Unmarshal([]byte(*resp.Event.Node.Value), &u)
    203. 

  203. 	if err != nil {
    204. 

  204. 		return u, err
    205. 

  205. 	}
    206. 

  206. 	// Attach root role to root user.
    207. 

  207. 	if u.User == "root" {
    208. 

  208. 		u = attachRootRole(u)
    209. 

  209. 	}
    210. 

  210. 	return u, nil
    211. 

  211. }
    212. 

  212. 

  213. // CreateOrUpdateUser should be only used for creating the new user or when you are not
    214. 

  214. // sure if it is a create or update. (When only password is passed in, we are not sure
    215. 

  215. // if it is a update or create)
    216. 

  216. func (s *store) CreateOrUpdateUser(user User) (out User, created bool, err error) {
    217. 

  217. 	_, err = s.GetUser(user.User)
    218. 

  218. 	if err == nil {
    219. 

  219. 		out, err = s.UpdateUser(user)
    220. 

  220. 		return out, false, err
    221. 

  221. 	}
    222. 

  222. 	u, err := s.CreateUser(user)
    223. 

  223. 	return u, true, err
    224. 

  224. }
    225. 

  225. 

  226. func (s *store) CreateUser(user User) (User, error) {
    227. 

  227. 	// Attach root role to root user.
    228. 

  228. 	if user.User == "root" {
    229. 

  229. 		user = attachRootRole(user)
    230. 

  230. 	}
    231. 

  231. 	u, err := s.createUserInternal(user)
    232. 

  232. 	if err == nil {
    233. 

  233. 		plog.Noticef("created user %s", user.User)
    234. 

  234. 	}
    235. 

  235. 	return u, err
    236. 

  236. }
    237. 

  237. 

  238. func (s *store) createUserInternal(user User) (User, error) {
    239. 

  239. 	if user.Password == "" {
    240. 

  240. 		return user, authErr(http.StatusBadRequest, "Cannot create user %s with an empty password", user.User)
    241. 

  241. 	}
    242. 

  242. 	hash, err := s.HashPassword(user.Password)
    243. 

  243. 	if err != nil {
    244. 

  244. 		return user, err
    245. 

  245. 	}
    246. 

  246. 	user.Password = hash
    247. 

  247. 

  248. 	_, err = s.createResource("/users/"+user.User, user)
    249. 

  249. 	if err != nil {
    250. 

  250. 		if e, ok := err.(*etcderr.Error); ok {
    251. 

  251. 			if e.ErrorCode == etcderr.EcodeNodeExist {
    252. 

  252. 				return user, authErr(http.StatusConflict, "User %s already exists.", user.User)
    253. 

  253. 			}
    254. 

  254. 		}
    255. 

  255. 	}
    256. 

  256. 	return user, err
    257. 

  257. }
    258. 

  258. 

  259. func (s *store) DeleteUser(name string) error {
    260. 

  260. 	if s.AuthEnabled() && name == "root" {
    261. 

  261. 		return authErr(http.StatusForbidden, "Cannot delete root user while auth is enabled.")
    262. 

  262. 	}
    263. 

  263. 	_, err := s.deleteResource("/users/" + name)
    264. 

  264. 	if err != nil {
    265. 

  265. 		if e, ok := err.(*etcderr.Error); ok {
    266. 

  266. 			if e.ErrorCode == etcderr.EcodeKeyNotFound {
    267. 

  267. 				return authErr(http.StatusNotFound, "User %s does not exist", name)
    268. 

  268. 			}
    269. 

  269. 		}
    270. 

  270. 		return err
    271. 

  271. 	}
    272. 

  272. 	plog.Noticef("deleted user %s", name)
    273. 

  273. 	return nil
    274. 

  274. }
    275. 

  275. 

  276. func (s *store) UpdateUser(user User) (User, error) {
    277. 

  277. 	old, err := s.GetUser(user.User)
    278. 

  278. 	if err != nil {
    279. 

  279. 		if e, ok := err.(*etcderr.Error); ok {
    280. 

  280. 			if e.ErrorCode == etcderr.EcodeKeyNotFound {
    281. 

  281. 				return user, authErr(http.StatusNotFound, "User %s doesn't exist.", user.User)
    282. 

  282. 			}
    283. 

  283. 		}
    284. 

  284. 		return old, err
    285. 

  285. 	}
    286. 

  286. 

  287. 	hash, err := s.HashPassword(user.Password)
    288. 

  288. 	if err != nil {
    289. 

  289. 		return old, err
    290. 

  290. 	}
    291. 

  291. 	user.Password = hash
    292. 

  292. 

  293. 	newUser, err := old.merge(user)
    294. 

  294. 	if err != nil {
    295. 

  295. 		return old, err
    296. 

  296. 	}
    297. 

  297. 	if reflect.DeepEqual(old, newUser) {
    298. 

  298. 		return old, authErr(http.StatusBadRequest, "User not updated. Use grant/revoke/password to update the user.")
    299. 

  299. 	}
    300. 

  300. 	_, err = s.updateResource("/users/"+user.User, newUser)
    301. 

  301. 	if err == nil {
    302. 

  302. 		plog.Noticef("updated user %s", user.User)
    303. 

  303. 	}
    304. 

  304. 	return newUser, err
    305. 

  305. }
    306. 

  306. 

  307. func (s *store) AllRoles() ([]string, error) {
    308. 

  308. 	nodes := []string{RootRoleName}
    309. 

  309. 	resp, err := s.requestResource("/roles/", false)
    310. 

  310. 	if err != nil {
    311. 

  311. 		if e, ok := err.(*etcderr.Error); ok {
    312. 

  312. 			if e.ErrorCode == etcderr.EcodeKeyNotFound {
    313. 

  313. 				return nodes, nil
    314. 

  314. 			}
    315. 

  315. 		}
    316. 

  316. 		return nil, err
    317. 

  317. 	}
    318. 

  318. 	for _, n := range resp.Event.Node.Nodes {
    319. 

  319. 		_, role := path.Split(n.Key)
    320. 

  320. 		nodes = append(nodes, role)
    321. 

  321. 	}
    322. 

  322. 	sort.Strings(nodes)
    323. 

  323. 	return nodes, nil
    324. 

  324. }
    325. 

  325. 

  326. func (s *store) GetRole(name string) (Role, error) {
    327. 

  327. 	if name == RootRoleName {
    328. 

  328. 		return rootRole, nil
    329. 

  329. 	}
    330. 

  330. 	resp, err := s.requestResource("/roles/"+name, false)
    331. 

  331. 	if err != nil {
    332. 

  332. 		if e, ok := err.(*etcderr.Error); ok {
    333. 

  333. 			if e.ErrorCode == etcderr.EcodeKeyNotFound {
    334. 

  334. 				return Role{}, authErr(http.StatusNotFound, "Role %s does not exist.", name)
    335. 

  335. 			}
    336. 

  336. 		}
    337. 

  337. 		return Role{}, err
    338. 

  338. 	}
    339. 

  339. 	var r Role
    340. 

  340. 	err = json.Unmarshal([]byte(*resp.Event.Node.Value), &r)
    341. 

  341. 	if err != nil {
    342. 

  342. 		return r, err
    343. 

  343. 	}
    344. 

  344. 

  345. 	return r, nil
    346. 

  346. }
    347. 

  347. 

  348. func (s *store) CreateRole(role Role) error {
    349. 

  349. 	if role.Role == RootRoleName {
    350. 

  350. 		return authErr(http.StatusForbidden, "Cannot modify role %s: is root role.", role.Role)
    351. 

  351. 	}
    352. 

  352. 	_, err := s.createResource("/roles/"+role.Role, role)
    353. 

  353. 	if err != nil {
    354. 

  354. 		if e, ok := err.(*etcderr.Error); ok {
    355. 

  355. 			if e.ErrorCode == etcderr.EcodeNodeExist {
    356. 

  356. 				return authErr(http.StatusConflict, "Role %s already exists.", role.Role)
    357. 

  357. 			}
    358. 

  358. 		}
    359. 

  359. 	}
    360. 

  360. 	if err == nil {
    361. 

  361. 		plog.Noticef("created new role %s", role.Role)
    362. 

  362. 	}
    363. 

  363. 	return err
    364. 

  364. }
    365. 

  365. 

  366. func (s *store) DeleteRole(name string) error {
    367. 

  367. 	if name == RootRoleName {
    368. 

  368. 		return authErr(http.StatusForbidden, "Cannot modify role %s: is root role.", name)
    369. 

  369. 	}
    370. 

  370. 	_, err := s.deleteResource("/roles/" + name)
    371. 

  371. 	if err != nil {
    372. 

  372. 		if e, ok := err.(*etcderr.Error); ok {
    373. 

  373. 			if e.ErrorCode == etcderr.EcodeKeyNotFound {
    374. 

  374. 				return authErr(http.StatusNotFound, "Role %s doesn't exist.", name)
    375. 

  375. 			}
    376. 

  376. 		}
    377. 

  377. 	}
    378. 

  378. 	if err == nil {
    379. 

  379. 		plog.Noticef("deleted role %s", name)
    380. 

  380. 	}
    381. 

  381. 	return err
    382. 

  382. }
    383. 

  383. 

  384. func (s *store) UpdateRole(role Role) (Role, error) {
    385. 

  385. 	if role.Role == RootRoleName {
    386. 

  386. 		return Role{}, authErr(http.StatusForbidden, "Cannot modify role %s: is root role.", role.Role)
    387. 

  387. 	}
    388. 

  388. 	old, err := s.GetRole(role.Role)
    389. 

  389. 	if err != nil {
    390. 

  390. 		if e, ok := err.(*etcderr.Error); ok {
    391. 

  391. 			if e.ErrorCode == etcderr.EcodeKeyNotFound {
    392. 

  392. 				return role, authErr(http.StatusNotFound, "Role %s doesn't exist.", role.Role)
    393. 

  393. 			}
    394. 

  394. 		}
    395. 

  395. 		return old, err
    396. 

  396. 	}
    397. 

  397. 	newRole, err := old.merge(role)
    398. 

  398. 	if err != nil {
    399. 

  399. 		return old, err
    400. 

  400. 	}
    401. 

  401. 	if reflect.DeepEqual(old, newRole) {
    402. 

  402. 		return old, authErr(http.StatusBadRequest, "Role not updated. Use grant/revoke to update the role.")
    403. 

  403. 	}
    404. 

  404. 	_, err = s.updateResource("/roles/"+role.Role, newRole)
    405. 

  405. 	if err == nil {
    406. 

  406. 		plog.Noticef("updated role %s", role.Role)
    407. 

  407. 	}
    408. 

  408. 	return newRole, err
    409. 

  409. }
    410. 

  410. 

  411. func (s *store) AuthEnabled() bool {
    412. 

  412. 	s.mu.Lock()
    413. 

  413. 	defer s.mu.Unlock()
    414. 

  414. 

  415. 	return s.detectAuth()
    416. 

  416. }
    417. 

  417. 

  418. func (s *store) EnableAuth() error {
    419. 

  419. 	if s.AuthEnabled() {
    420. 

  420. 		return authErr(http.StatusConflict, "already enabled")
    421. 

  421. 	}
    422. 

  422. 

  423. 	s.mu.Lock()
    424. 

  424. 	defer s.mu.Unlock()
    425. 

  425. 

  426. 	if _, err := s.GetUser("root"); err != nil {
    427. 

  427. 		return authErr(http.StatusConflict, "No root user available, please create one")
    428. 

  428. 	}
    429. 

  429. 	if _, err := s.GetRole(GuestRoleName); err != nil {
    430. 

  430. 		plog.Printf("no guest role access found, creating default")
    431. 

  431. 		if err := s.CreateRole(guestRole); err != nil {
    432. 

  432. 			plog.Errorf("error creating guest role. aborting auth enable.")
    433. 

  433. 			return err
    434. 

  434. 		}
    435. 

  435. 	}
    436. 

  436. 

  437. 	if err := s.enableAuth(); err != nil {
    438. 

  438. 		plog.Errorf("error enabling auth (%v)", err)
    439. 

  439. 		return err
    440. 

  440. 	}
    441. 

  441. 

  442. 	plog.Noticef("auth: enabled auth")
    443. 

  443. 	return nil
    444. 

  444. }
    445. 

  445. 

  446. func (s *store) DisableAuth() error {
    447. 

  447. 	if !s.AuthEnabled() {
    448. 

  448. 		return authErr(http.StatusConflict, "already disabled")
    449. 

  449. 	}
    450. 

  450. 

  451. 	s.mu.Lock()
    452. 

  452. 	defer s.mu.Unlock()
    453. 

  453. 

  454. 	err := s.disableAuth()
    455. 

  455. 	if err == nil {
    456. 

  456. 		plog.Noticef("auth: disabled auth")
    457. 

  457. 	} else {
    458. 

  458. 		plog.Errorf("error disabling auth (%v)", err)
    459. 

  459. 	}
    460. 

  460. 	return err
    461. 

  461. }
    462. 

  462. 

  463. // merge applies the properties of the passed-in User to the User on which it
    464. 

  464. // is called and returns a new User with these modifications applied. Think of
    465. 

  465. // all Users as immutable sets of data. Merge allows you to perform the set
    466. 

  466. // operations (desired grants and revokes) atomically
    467. 

  467. func (u User) merge(n User) (User, error) {
    468. 

  468. 	var out User
    469. 

  469. 	if u.User != n.User {
    470. 

  470. 		return out, authErr(http.StatusConflict, "Merging user data with conflicting usernames: %s %s", u.User, n.User)
    471. 

  471. 	}
    472. 

  472. 	out.User = u.User
    473. 

  473. 	if n.Password != "" {
    474. 

  474. 		out.Password = n.Password
    475. 

  475. 	} else {
    476. 

  476. 		out.Password = u.Password
    477. 

  477. 	}
    478. 

  478. 	currentRoles := types.NewUnsafeSet(u.Roles...)
    479. 

  479. 	for _, g := range n.Grant {
    480. 

  480. 		if currentRoles.Contains(g) {
    481. 

  481. 			plog.Noticef("granting duplicate role %s for user %s", g, n.User)
    482. 

  482. 			return User{}, authErr(http.StatusConflict, fmt.Sprintf("Granting duplicate role %s for user %s", g, n.User))
    483. 

  483. 		}
    484. 

  484. 		currentRoles.Add(g)
    485. 

  485. 	}
    486. 

  486. 	for _, r := range n.Revoke {
    487. 

  487. 		if !currentRoles.Contains(r) {
    488. 

  488. 			plog.Noticef("revoking ungranted role %s for user %s", r, n.User)
    489. 

  489. 			return User{}, authErr(http.StatusConflict, fmt.Sprintf("Revoking ungranted role %s for user %s", r, n.User))
    490. 

  490. 		}
    491. 

  491. 		currentRoles.Remove(r)
    492. 

  492. 	}
    493. 

  493. 	out.Roles = currentRoles.Values()
    494. 

  494. 	sort.Strings(out.Roles)
    495. 

  495. 	return out, nil
    496. 

  496. }
    497. 

  497. 

  498. // merge for a role works the same as User above -- atomic Role application to
    499. 

  499. // each of the substructures.
    500. 

  500. func (r Role) merge(n Role) (Role, error) {
    501. 

  501. 	var out Role
    502. 

  502. 	var err error
    503. 

  503. 	if r.Role != n.Role {
    504. 

  504. 		return out, authErr(http.StatusConflict, "Merging role with conflicting names: %s %s", r.Role, n.Role)
    505. 

  505. 	}
    506. 

  506. 	out.Role = r.Role
    507. 

  507. 	out.Permissions, err = r.Permissions.Grant(n.Grant)
    508. 

  508. 	if err != nil {
    509. 

  509. 		return out, err
    510. 

  510. 	}
    511. 

  511. 	out.Permissions, err = out.Permissions.Revoke(n.Revoke)
    512. 

  512. 	if err != nil {
    513. 

  513. 		return out, err
    514. 

  514. 	}
    515. 

  515. 	return out, nil
    516. 

  516. }
    517. 

  517. 

  518. func (r Role) HasKeyAccess(key string, write bool) bool {
    519. 

  519. 	if r.Role == RootRoleName {
    520. 

  520. 		return true
    521. 

  521. 	}
    522. 

  522. 	return r.Permissions.KV.HasAccess(key, write)
    523. 

  523. }
    524. 

  524. 

  525. func (r Role) HasRecursiveAccess(key string, write bool) bool {
    526. 

  526. 	if r.Role == RootRoleName {
    527. 

  527. 		return true
    528. 

  528. 	}
    529. 

  529. 	return r.Permissions.KV.HasRecursiveAccess(key, write)
    530. 

  530. }
    531. 

  531. 

  532. // Grant adds a set of permissions to the permission object on which it is called,
    533. 

  533. // returning a new permission object.
    534. 

  534. func (p Permissions) Grant(n *Permissions) (Permissions, error) {
    535. 

  535. 	var out Permissions
    536. 

  536. 	var err error
    537. 

  537. 	if n == nil {
    538. 

  538. 		return p, nil
    539. 

  539. 	}
    540. 

  540. 	out.KV, err = p.KV.Grant(n.KV)
    541. 

  541. 	return out, err
    542. 

  542. }
    543. 

  543. 

  544. // Revoke removes a set of permissions to the permission object on which it is called,
    545. 

  545. // returning a new permission object.
    546. 

  546. func (p Permissions) Revoke(n *Permissions) (Permissions, error) {
    547. 

  547. 	var out Permissions
    548. 

  548. 	var err error
    549. 

  549. 	if n == nil {
    550. 

  550. 		return p, nil
    551. 

  551. 	}
    552. 

  552. 	out.KV, err = p.KV.Revoke(n.KV)
    553. 

  553. 	return out, err
    554. 

  554. }
    555. 

  555. 

  556. // Grant adds a set of permissions to the permission object on which it is called,
    557. 

  557. // returning a new permission object.
    558. 

  558. func (rw RWPermission) Grant(n RWPermission) (RWPermission, error) {
    559. 

  559. 	var out RWPermission
    560. 

  560. 	currentRead := types.NewUnsafeSet(rw.Read...)
    561. 

  561. 	for _, r := range n.Read {
    562. 

  562. 		if currentRead.Contains(r) {
    563. 

  563. 			return out, authErr(http.StatusConflict, "Granting duplicate read permission %s", r)
    564. 

  564. 		}
    565. 

  565. 		currentRead.Add(r)
    566. 

  566. 	}
    567. 

  567. 	currentWrite := types.NewUnsafeSet(rw.Write...)
    568. 

  568. 	for _, w := range n.Write {
    569. 

  569. 		if currentWrite.Contains(w) {
    570. 

  570. 			return out, authErr(http.StatusConflict, "Granting duplicate write permission %s", w)
    571. 

  571. 		}
    572. 

  572. 		currentWrite.Add(w)
    573. 

  573. 	}
    574. 

  574. 	out.Read = currentRead.Values()
    575. 

  575. 	out.Write = currentWrite.Values()
    576. 

  576. 	sort.Strings(out.Read)
    577. 

  577. 	sort.Strings(out.Write)
    578. 

  578. 	return out, nil
    579. 

  579. }
    580. 

  580. 

  581. // Revoke removes a set of permissions to the permission object on which it is called,
    582. 

  582. // returning a new permission object.
    583. 

  583. func (rw RWPermission) Revoke(n RWPermission) (RWPermission, error) {
    584. 

  584. 	var out RWPermission
    585. 

  585. 	currentRead := types.NewUnsafeSet(rw.Read...)
    586. 

  586. 	for _, r := range n.Read {
    587. 

  587. 		if !currentRead.Contains(r) {
    588. 

  588. 			plog.Noticef("revoking ungranted read permission %s", r)
    589. 

  589. 			continue
    590. 

  590. 		}
    591. 

  591. 		currentRead.Remove(r)
    592. 

  592. 	}
    593. 

  593. 	currentWrite := types.NewUnsafeSet(rw.Write...)
    594. 

  594. 	for _, w := range n.Write {
    595. 

  595. 		if !currentWrite.Contains(w) {
    596. 

  596. 			plog.Noticef("revoking ungranted write permission %s", w)
    597. 

  597. 			continue
    598. 

  598. 		}
    599. 

  599. 		currentWrite.Remove(w)
    600. 

  600. 	}
    601. 

  601. 	out.Read = currentRead.Values()
    602. 

  602. 	out.Write = currentWrite.Values()
    603. 

  603. 	sort.Strings(out.Read)
    604. 

  604. 	sort.Strings(out.Write)
    605. 

  605. 	return out, nil
    606. 

  606. }
    607. 

  607. 

  608. func (rw RWPermission) HasAccess(key string, write bool) bool {
    609. 

  609. 	var list []string
    610. 

  610. 	if write {
    611. 

  611. 		list = rw.Write
    612. 

  612. 	} else {
    613. 

  613. 		list = rw.Read
    614. 

  614. 	}
    615. 

  615. 	for _, pat := range list {
    616. 

  616. 		match, err := simpleMatch(pat, key)
    617. 

  617. 		if err == nil && match {
    618. 

  618. 			return true
    619. 

  619. 		}
    620. 

  620. 	}
    621. 

  621. 	return false
    622. 

  622. }
    623. 

  623. 

  624. func (rw RWPermission) HasRecursiveAccess(key string, write bool) bool {
    625. 

  625. 	list := rw.Read
    626. 

  626. 	if write {
    627. 

  627. 		list = rw.Write
    628. 

  628. 	}
    629. 

  629. 	for _, pat := range list {
    630. 

  630. 		match, err := prefixMatch(pat, key)
    631. 

  631. 		if err == nil && match {
    632. 

  632. 			return true
    633. 

  633. 		}
    634. 

  634. 	}
    635. 

  635. 	return false
    636. 

  636. }
    637. 

  637. 

  638. func simpleMatch(pattern string, key string) (match bool, err error) {
    639. 

  639. 	if pattern[len(pattern)-1] == '*' {
    640. 

  640. 		return strings.HasPrefix(key, pattern[:len(pattern)-1]), nil
    641. 

  641. 	}
    642. 

  642. 	return key == pattern, nil
    643. 

  643. }
    644. 

  644. 

  645. func prefixMatch(pattern string, key string) (match bool, err error) {
    646. 

  646. 	if pattern[len(pattern)-1] != '*' {
    647. 

  647. 		return false, nil
    648. 

  648. 	}
    649. 

  649. 	return strings.HasPrefix(key, pattern[:len(pattern)-1]), nil
    650. 

  650. }
    651. 

  651. 

  652. func attachRootRole(u User) User {
    653. 

  653. 	inRoles := false
    654. 

  654. 	for _, r := range u.Roles {
    655. 

  655. 		if r == RootRoleName {
    656. 

  656. 			inRoles = true
    657. 

  657. 			break
    658. 

  658. 		}
    659. 

  659. 	}
    660. 

  660. 	if !inRoles {
    661. 

  661. 		u.Roles = append(u.Roles, RootRoleName)
    662. 

  662. 	}
    663. 

  663. 	return u
    664. 

  664. }
    665.