-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathserver_policy.go
123 lines (111 loc) · 3.01 KB
/
server_policy.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
package caskin
import (
"github.com/ahmetb/go-linq/v3"
)
// GetPolicy
// get all policies
// 1. current user has role and object's read permission in current domain
func (s *server) GetPolicy(user User, domain Domain) ([]*Policy, error) {
roles, err := s.GetRole(user, domain)
if err != nil {
return nil, err
}
objects, err := s.GetObject(user, domain, Manage)
if err != nil {
return nil, err
}
om := IDMap(objects)
var list []*Policy
for _, v := range roles {
policy := s.Enforcer.GetPoliciesForRoleInDomain(v, domain)
for _, p := range policy {
if object, ok := om[p.Object.GetID()]; ok {
list = append(list, &Policy{
Role: v,
Object: object,
Domain: domain,
Action: p.Action,
})
}
}
}
return list, nil
}
// GetPolicyByRole
// 1. get policy which current user has role and object's read permission in current domain
// 2. get role to object 's p as Policy in current domain
func (s *server) GetPolicyByRole(user User, domain Domain, byRole Role) ([]*Policy, error) {
if err := s.CheckGetObjectData(user, domain, byRole); err != nil {
return nil, err
}
objects, err := s.GetObject(user, domain, Read)
if err != nil {
return nil, err
}
om := IDMap(objects)
var list []*Policy
policy := s.Enforcer.GetPoliciesForRoleInDomain(byRole, domain)
for _, p := range policy {
if object, ok := om[p.Object.GetID()]; ok {
list = append(list, &Policy{
Role: byRole,
Object: object,
Domain: domain,
Action: p.Action,
})
}
}
return list, nil
}
// ModifyPolicyPerRole
// if current user has role and object's write permission
// 1. modify role to object 's p in current domain
// 2. policy required object and action
func (s *server) ModifyPolicyPerRole(user User, domain Domain, perRole Role, input []*Policy) error {
if err := s.CheckModifyObjectData(user, domain, perRole); err != nil {
return err
}
policy := s.Enforcer.GetPoliciesForRoleInDomain(perRole, domain)
var oid, oid1, oid2 []uint64
for _, v := range policy {
oid1 = append(oid1, v.Object.GetID())
}
for _, v := range input {
oid2 = append(oid2, v.Object.GetID())
}
oid = append(oid, oid1...)
oid = append(oid, oid2...)
linq.From(oid).Distinct().ToSlice(&oid)
objects, err := s.DB.GetObjectByID(oid)
if err != nil {
return err
}
objects = Filter(s.Enforcer, user, domain, Manage, objects)
om := IDMap(objects)
// make source and target role id list
var source, target []*Policy
for _, v := range policy {
if _, ok := om[v.Object.GetID()]; ok {
source = append(source, v)
}
}
for _, v := range input {
v.Role, v.Domain = perRole, domain
if _, ok := om[v.Object.GetID()]; ok {
target = append(target, v)
}
}
// get diff to add and remove
add, remove := DiffPolicy(source, target)
for _, v := range add {
if err = s.Enforcer.AddPolicyInDomain(v.Role, v.Object, v.Domain, v.Action); err != nil {
return err
}
}
for _, v := range remove {
if err = s.Enforcer.RemovePolicyInDomain(v.Role, v.Object, v.Domain, v.Action); err != nil {
return err
}
}
return nil
}