Merge remote-tracking branch 'xo-acl-resolver/master'
commit
7eee0f4341
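--- a/packages/xo-acl-resolver/.babelrc
+++ b/packages/xo-acl-resolver/.babelrc
@@ -0,0 +1,8 @@
+{
+"comments": false,
+"compact": true,
+"presets": [
+"stage-0",
+"es2015"
+]
+}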
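--- a/packages/xo-acl-resolver/.editorconfig
+++ b/packages/xo-acl-resolver/.editorconfig
@@ -0,0 +1,65 @@
+# http://EditorConfig.org
+#
+# Julien Fontanet's configuration
+# https://gist.github.com/julien-f/8096213
+
+# Top-most EditorConfig file.
+root = true
+
+# Common config.
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespaces = true
+
+# CoffeeScript
+#
+# https://github.com/polarmobile/coffeescript-style-guide/blob/master/README.md
+[*.{,lit}coffee]
+indent_size = 2
+indent_style = space
+
+# Markdown
+[*.{md,mdwn,mdown,markdown}]
+indent_size = 4
+indent_style = space
+
+# Package.json
+#
+# This indentation style is the one used by npm.
+[/package.json]
+indent_size = 2
+indent_style = space
+
+# Jade
+[*.jade]
+indent_size = 2
+indent_style = space
+
+# JavaScript
+#
+# Two spaces seems to be the standard most common style, at least in
+# Node.js (http://nodeguide.com/style.html#tabs-vs-spaces).
+[*.js]
+indent_size = 2
+indent_style = space
+
+# Less
+[*.less]
+indent_size = 2
+indent_style = space
+
+# Sass
+#
+# Style used for http://libsass.com
+[*.s[ac]ss]
+indent_size = 2
+indent_style = space
+
+# YAML
+#
+# Only spaces are allowed.
+[*.yaml]
+indent_size = 2
+indent_style = space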
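Review bot: The `[*]` section sets `trim_trailing_whitespaces = true`, but the EditorConfig property is spelled `trim_trailing_whitespace` (singular). Editors ignore keys they do not recognise, so trailing whitespace is not actually trimmed with this file. Change the line to `trim_trailing_whitespace = true`.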
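--- a/packages/xo-acl-resolver/.gitignore
+++ b/packages/xo-acl-resolver/.gitignore
@@ -0,0 +1,7 @@
+/dist/
+/node_modules/
+
+npm-debug.log
+npm-debug.log.*
+pnpm-debug.log
+pnpm-debug.log.*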
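--- a/packages/xo-acl-resolver/.npmignore
+++ b/packages/xo-acl-resolver/.npmignore
@@ -0,0 +1,10 @@
+/examples/
+example.js
+example.js.map
+*.example.js
+*.example.js.map
+
+/test/
+/tests/
+*.spec.js
+*.spec.js.map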
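--- a/packages/xo-acl-resolver/.travis.yml
+++ b/packages/xo-acl-resolver/.travis.yml
@@ -0,0 +1,9 @@
+language: node_js
+node_js:
+- 'stable'
+- '4'
+- '0.12'
+
+# Use containers.
+# http://docs.travis-ci.com/user/workers/container-based-infrastructure/
+sudo: false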
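--- a/packages/xo-acl-resolver/README.md
+++ b/packages/xo-acl-resolver/README.md
@@ -0,0 +1,74 @@
+# xo-acl-resolver [](https://travis-ci.org/vatesfr/xo-acl-resolver)
+
+> [Xen-Orchestra](http://xen-orchestra.com/) internal: do ACLs resolution.
+
+## Install
+
+Installation of the [npm package](https://npmjs.org/package/xo-acl-resolver):
+
+```
+> npm install --save xo-acl-resolver
+```
+
+## Usage
+
+```js
+import check from 'xo-acl-resolver'
+
+// This object contains a list of permissions returned from
+// xo-server's acl.getCurrentPermissions.
+const permissions = { /* ... */ }
+
+// This function should returns synchronously an object from an id.
+const getObject = id => { /* ... */ }
+
+// For a single object:
+if (check(permissions, getObject, objectId, permission)) {
+console.log(`${permission} set for object ${objectId}`)
+}
+
+// For multiple objects/permissions:
+if (check(permissions, getObject, [
+[ object1Id, permission1 ],
+[ object12d, permission2 ],
+])) {
+console.log('all permissions checked')
+}
+```
+
+## Development
+
+### Installing dependencies
+
+```
+> npm install
+```
+
+### Compilation
+
+The sources files are watched and automatically recompiled on changes.
+
+```
+> npm run dev
+```
+
+### Tests
+
+```
+> npm run test-dev
+```
+
+## Contributions
+
+Contributions are *very* welcomed, either on the documentation or on
+the code.
+
+You may:
+
+- report any [issue](https://github.com/vatesfr/xo-acl-resolver/issues)
+you've encountered;
+- fork and create a pull request.
+
+## License
+
+ISC © [Vates SAS](https://vates.fr)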
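--- a/packages/xo-acl-resolver/package.json
+++ b/packages/xo-acl-resolver/package.json
@@ -0,0 +1,48 @@
+{
+"name": "xo-acl-resolver",
+"version": "0.2.3",
+"license": "ISC",
+"description": "Xen-Orchestra internal: do ACLs resolution",
+"keywords": [],
+"homepage": "https://github.com/vatesfr/xo-acl-resolver",
+"bugs": "https://github.com/vatesfr/xo-acl-resolver/issues",
+"repository": {
+"type": "git",
+"url": "https://github.com/vatesfr/xo-acl-resolver"
+},
+"author": {
+"name": "Julien Fontanet",
+"email": "julien.fontanet@vates.fr"
+},
+"preferGlobal": false,
+"main": "dist/",
+"bin": {},
+"files": [
+"dist/"
+],
+"engines": {
+"node": ">=0.12"
+},
+"devDependencies": {
+"babel-cli": "^6.4.5",
+"babel-eslint": "^7.0.0",
+"babel-preset-es2015": "^6.3.13",
+"babel-preset-stage-0": "^6.3.13",
+"dependency-check": "^2.5.1",
+"standard": "^8.0.0"
+},
+"scripts": {
+"build": "babel --source-maps --out-dir=dist/ src/",
+"depcheck": "dependency-check ./package.json",
+"dev": "babel --watch --source-maps --out-dir=dist/ src/",
+"lint": "standard",
+"posttest": "npm run lint && npm run depcheck",
+"prepublish": "npm run build"
+},
+"standard": {
+"ignore": [
+"dist/**"
+],
+"parser": "babel-eslint"
+}
+}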
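Review bot: The `scripts` block defines `posttest` but no `test`, and the README added in the same commit documents `npm run test-dev`, which has no entry here either, so the authorization logic in `src/index.js` arrives with no automated test behind it. Depending on the npm version, `npm test` then either fails on the missing script or runs only lint and depcheck. For a module whose return value is an access decision, add a `"test": "<test-runner command>"` entry (placeholder; no runner is listed in `devDependencies`) with a spec that covers the deny paths: unknown object id, unknown type, missing permission entry. Then either add `test-dev` or remove it from the README.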
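--- a/packages/xo-acl-resolver/src/index.js
+++ b/packages/xo-acl-resolver/src/index.js
@@ -0,0 +1,131 @@
+// These global variables are not a problem because the algorithm is
+// synchronous.
+let permissionsByObject
+let getObject
+
+// -------------------------------------------------------------------
+
+const authorized = () => true // eslint-disable-line no-unused-vars
+const forbiddden = () => false // eslint-disable-line no-unused-vars
+
+const and = (...checkers) => (object, permission) => { // eslint-disable-line no-unused-vars
+for (const checker of checkers) {
+if (!checker(object, permission)) {
+return false
+}
+}
+return true
+}
+
+const or = (...checkers) => (object, permission) => { // eslint-disable-line no-unused-vars
+for (const checker of checkers) {
+if (checker(object, permission)) {
+return true
+}
+}
+return false
+}
+
+// -------------------------------------------------------------------
+
+const checkMember = (memberName) => (object, permission) => {
+const member = object[memberName]
+return member !== object.id && checkAuthorization(member, permission)
+}
+
+const checkSelf = ({ id }, permission) => {
+const permissionsForObject = permissionsByObject[id]
+
+return (
+permissionsForObject &&
+permissionsForObject[permission]
+)
+}
+
+// ===================================================================
+
+const checkAuthorizationByTypes = {
+host: or(checkSelf, checkMember('$pool')),
+
+message: checkMember('$object'),
+
+network: or(checkSelf, checkMember('$pool')),
+
+SR: or(checkSelf, checkMember('$pool')),
+
+task: checkMember('$host'),
+
+VBD: checkMember('VDI'),
+
+// Access to a VDI is granted if the user has access to the
+// containing SR or to a linked VM.
+VDI (vdi, permission) {
+// Check authorization for the containing SR.
+if (checkAuthorization(vdi.$SR, permission)) {
+return true
+}
+
+// Check authorization for each of the connected VMs.
+for (const vbdId of vdi.$VBDs) {
+if (checkAuthorization(getObject(vbdId).VM, permission)) {
+return true
+}
+}
+
+return false
+},
+
+'VDI-snapshot': checkMember('$snapshot_of'),
+
+VIF: or(checkMember('$network'), checkMember('$VM')),
+
+VM: or(checkSelf, checkMember('$container')),
+
+'VM-controller': checkMember('$container'),
+
+'VM-snapshot': checkMember('$snapshot_of'),
+
+'VM-template': or(checkSelf, checkMember('$pool'))
+}
+
+// Hoisting is important for this function.
+function checkAuthorization (objectId, permission) {
+const object = getObject(objectId)
+if (!object) {
+return false
+}
+
+const checker = checkAuthorizationByTypes[object.type] || checkSelf
+
+return checker(object, permission)
+}
+
+// -------------------------------------------------------------------
+
+export default (
+permissionsByObject_,
+getObject_,
+permissions,
+permission
+) => {
+// Assign global variables.
+permissionsByObject = permissionsByObject_
+getObject = getObject_
+
+try {
+if (permission) {
+return checkAuthorization(permissions, permission)
+} else {
+for (const [objectId, permission] of permissions) {
+if (!checkAuthorization(objectId, permission)) {
+return false
+}
+}
+}
+
+return true
+} finally {
+// Free the global variables.
+permissionsByObject = getObject = null
+}
+}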
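Review bot: The type dispatch in `checkAuthorization`, `checkAuthorizationByTypes[object.type] || checkSelf`, reads from an ordinary object literal, so a `type` equal to an inherited name such as `constructor` or `toString` resolves to an `Object.prototype` function whose truthy return value is then taken as a grant. `checkSelf` has the same shape: `permissionsForObject[permission]` is truthy for inherited names whenever the permission maps are plain objects. Whether either key can ever carry such a value depends on callers outside this file, but an access check should fail closed regardless. Guard both lookups with an own-property test, e.g. `const checker = hasOwnProperty.call(checkAuthorizationByTypes, object.type) ? checkAuthorizationByTypes[object.type] : checkSelf` with `const { hasOwnProperty } = Object.prototype` at module scope, and return `false` from `checkSelf` unless both `id` and `permission` are own keys.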