NuKVM/xen-orchestra
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'xo-acl-resolver/master'

Browse Source
This commit is contained in:
Julien Fontanet 2017-01-10 18:11:47 +01:00
commit 7eee0f4341
8 changed files with 352 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
packages/xo-acl-resolver/.babelrc Normal file
View File

@ -0,0 +1,8 @@
{
"comments": false,
"compact": true,
"presets": [
"stage-0",
"es2015"
]
}

65
packages/xo-acl-resolver/.editorconfig Normal file
View File

@ -0,0 +1,65 @@
# http://EditorConfig.org
#
# Julien Fontanet's configuration
# https://gist.github.com/julien-f/8096213
# Top-most EditorConfig file.
root = true
# Common config.
[*]
charset = utf-8
end_of_line = lf
insert_final_newline = true
trim_trailing_whitespaces = true
# CoffeeScript
#
# https://github.com/polarmobile/coffeescript-style-guide/blob/master/README.md
[*.{,lit}coffee]
indent_size = 2
indent_style = space
# Markdown
[*.{md,mdwn,mdown,markdown}]
indent_size = 4
indent_style = space
# Package.json
#
# This indentation style is the one used by npm.
[/package.json]
indent_size = 2
indent_style = space
# Jade
[*.jade]
indent_size = 2
indent_style = space
# JavaScript
#
# Two spaces seems to be the standard most common style, at least in
# Node.js (http://nodeguide.com/style.html#tabs-vs-spaces).
[*.js]
indent_size = 2
indent_style = space
# Less
[*.less]
indent_size = 2
indent_style = space
# Sass
#
# Style used for http://libsass.com
[*.s[ac]ss]
indent_size = 2
indent_style = space
# YAML
#
# Only spaces are allowed.
[*.yaml]
indent_size = 2
indent_style = space

7
packages/xo-acl-resolver/.gitignore vendored Normal file
View File

@ -0,0 +1,7 @@
/dist/
/node_modules/
npm-debug.log
npm-debug.log.*
pnpm-debug.log
pnpm-debug.log.*

10
packages/xo-acl-resolver/.npmignore Normal file
View File

@ -0,0 +1,10 @@
/examples/
example.js
example.js.map
*.example.js
*.example.js.map
/test/
/tests/
*.spec.js
*.spec.js.map

9
packages/xo-acl-resolver/.travis.yml Normal file
View File

@ -0,0 +1,9 @@
language: node_js
node_js:
- 'stable'
- '4'
- '0.12'
# Use containers.
# http://docs.travis-ci.com/user/workers/container-based-infrastructure/
sudo: false

74
packages/xo-acl-resolver/README.md Normal file
View File

@ -0,0 +1,74 @@
# xo-acl-resolver [![Build Status](https://travis-ci.org/vatesfr/xo-acl-resolver.png?branch=master)](https://travis-ci.org/vatesfr/xo-acl-resolver)
> [Xen-Orchestra](http://xen-orchestra.com/) internal: do ACLs resolution.
## Install
Installation of the [npm package](https://npmjs.org/package/xo-acl-resolver):
```
> npm install --save xo-acl-resolver
```
## Usage
```js
import check from 'xo-acl-resolver'
// This object contains a list of permissions returned from
// xo-server's acl.getCurrentPermissions.
const permissions = { /* ... */ }
// This function should returns synchronously an object from an id.
const getObject = id => { /* ... */ }
// For a single object:
if (check(permissions, getObject, objectId, permission)) {
console.log(`${permission} set for object ${objectId}`)
}
// For multiple objects/permissions:
if (check(permissions, getObject, [
[ object1Id, permission1 ],
[ object12d, permission2 ],
])) {
console.log('all permissions checked')
}
```
## Development
### Installing dependencies
```
> npm install
```
### Compilation
The sources files are watched and automatically recompiled on changes.
```
> npm run dev
```
### Tests
```
> npm run test-dev
```
## Contributions
Contributions are *very* welcomed, either on the documentation or on
the code.
You may:
- report any [issue](https://github.com/vatesfr/xo-acl-resolver/issues)
you've encountered;
- fork and create a pull request.
## License
ISC © [Vates SAS](https://vates.fr)

48
packages/xo-acl-resolver/package.json Normal file
View File

@ -0,0 +1,48 @@
{
"name": "xo-acl-resolver",
"version": "0.2.3",
"license": "ISC",
"description": "Xen-Orchestra internal: do ACLs resolution",
"keywords": [],
"homepage": "https://github.com/vatesfr/xo-acl-resolver",
"bugs": "https://github.com/vatesfr/xo-acl-resolver/issues",
"repository": {
"type": "git",
"url": "https://github.com/vatesfr/xo-acl-resolver"
},
"author": {
"name": "Julien Fontanet",
"email": "julien.fontanet@vates.fr"
},
"preferGlobal": false,
"main": "dist/",
"bin": {},
"files": [
"dist/"
],
"engines": {
"node": ">=0.12"
},
"devDependencies": {
"babel-cli": "^6.4.5",
"babel-eslint": "^7.0.0",
"babel-preset-es2015": "^6.3.13",
"babel-preset-stage-0": "^6.3.13",
"dependency-check": "^2.5.1",
"standard": "^8.0.0"
},
"scripts": {
"build": "babel --source-maps --out-dir=dist/ src/",
"depcheck": "dependency-check ./package.json",
"dev": "babel --watch --source-maps --out-dir=dist/ src/",
"lint": "standard",
"posttest": "npm run lint && npm run depcheck",
"prepublish": "npm run build"
},
"standard": {
"ignore": [
"dist/**"
],
"parser": "babel-eslint"
}
}

131
packages/xo-acl-resolver/src/index.js Normal file
View File

@ -0,0 +1,131 @@
// These global variables are not a problem because the algorithm is
// synchronous.
let permissionsByObject
let getObject
// -------------------------------------------------------------------
const authorized = () => true // eslint-disable-line no-unused-vars
const forbiddden = () => false // eslint-disable-line no-unused-vars
const and = (...checkers) => (object, permission) => { // eslint-disable-line no-unused-vars
for (const checker of checkers) {
if (!checker(object, permission)) {
return false
}
}
return true
}
const or = (...checkers) => (object, permission) => { // eslint-disable-line no-unused-vars
for (const checker of checkers) {
if (checker(object, permission)) {
return true
}
}
return false
}
// -------------------------------------------------------------------
const checkMember = (memberName) => (object, permission) => {
const member = object[memberName]
return member !== object.id && checkAuthorization(member, permission)
}
const checkSelf = ({ id }, permission) => {
const permissionsForObject = permissionsByObject[id]
return (
permissionsForObject &&
permissionsForObject[permission]
)
}
// ===================================================================
const checkAuthorizationByTypes = {
host: or(checkSelf, checkMember('$pool')),
message: checkMember('$object'),
network: or(checkSelf, checkMember('$pool')),
SR: or(checkSelf, checkMember('$pool')),
task: checkMember('$host'),
VBD: checkMember('VDI'),
// Access to a VDI is granted if the user has access to the
// containing SR or to a linked VM.
VDI (vdi, permission) {
// Check authorization for the containing SR.
if (checkAuthorization(vdi.$SR, permission)) {
return true
}
// Check authorization for each of the connected VMs.
for (const vbdId of vdi.$VBDs) {
if (checkAuthorization(getObject(vbdId).VM, permission)) {
return true
}
}
return false
},
'VDI-snapshot': checkMember('$snapshot_of'),
VIF: or(checkMember('$network'), checkMember('$VM')),
VM: or(checkSelf, checkMember('$container')),
'VM-controller': checkMember('$container'),
'VM-snapshot': checkMember('$snapshot_of'),
'VM-template': or(checkSelf, checkMember('$pool'))
}
// Hoisting is important for this function.
function checkAuthorization (objectId, permission) {
const object = getObject(objectId)
if (!object) {
return false
}
const checker = checkAuthorizationByTypes[object.type] || checkSelf
return checker(object, permission)
}
// -------------------------------------------------------------------
export default (
permissionsByObject_,
getObject_,
permissions,
permission
) => {
// Assign global variables.
permissionsByObject = permissionsByObject_
getObject = getObject_
try {
if (permission) {
return checkAuthorization(permissions, permission)
} else {
for (const [objectId, permission] of permissions) {
if (!checkAuthorization(objectId, permission)) {
return false
}
}
}
return true
} finally {
// Free the global variables.
permissionsByObject = getObject = null
}
}