2019-01-01 01:39:45 +08:00
|
|
|
package bastion // import "moul.io/sshportal/pkg/bastion"
|
2017-11-13 17:13:17 +08:00
|
|
|
|
2019-01-01 01:39:45 +08:00
|
|
|
import (
|
|
|
|
|
"moul.io/sshportal/pkg/dbmodels"
|
|
|
|
|
"sort"
|
|
|
|
|
)
|
2017-11-13 17:13:17 +08:00
|
|
|
|
2019-01-01 01:39:45 +08:00
|
|
|
type byWeight []*dbmodels.ACL
|
2017-11-13 17:13:17 +08:00
|
|
|
|
2019-01-01 01:39:45 +08:00
|
|
|
func (a byWeight) Len() int { return len(a) }
|
|
|
|
|
func (a byWeight) Swap(i, j int) { a[i], a[j] = a[j], a[i] }
|
|
|
|
|
func (a byWeight) Less(i, j int) bool { return a[i].Weight < a[j].Weight }
|
2017-11-13 17:13:17 +08:00
|
|
|
|
2019-01-01 01:39:45 +08:00
|
|
|
func checkACLs(user dbmodels.User, host dbmodels.Host) (string, error) {
|
2017-11-13 17:13:17 +08:00
|
|
|
// shared ACLs between user and host
|
2019-01-01 01:39:45 +08:00
|
|
|
aclMap := map[uint]*dbmodels.ACL{}
|
2017-11-13 17:13:17 +08:00
|
|
|
for _, userGroup := range user.Groups {
|
|
|
|
|
for _, userGroupACL := range userGroup.ACLs {
|
|
|
|
|
for _, hostGroup := range host.Groups {
|
|
|
|
|
for _, hostGroupACL := range hostGroup.ACLs {
|
|
|
|
|
if userGroupACL.ID == hostGroupACL.ID {
|
|
|
|
|
aclMap[userGroupACL.ID] = userGroupACL
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
// FIXME: add ACLs that match host pattern
|
|
|
|
|
|
|
|
|
|
// deny by default if no shared ACL
|
|
|
|
|
if len(aclMap) == 0 {
|
2019-01-01 01:39:45 +08:00
|
|
|
return string(dbmodels.ACLActionDeny), nil // default action
|
2017-11-13 17:13:17 +08:00
|
|
|
}
|
|
|
|
|
|
2017-12-04 01:18:17 +08:00
|
|
|
// transform map to slice and sort it
|
2019-01-01 01:39:45 +08:00
|
|
|
acls := make([]*dbmodels.ACL, 0, len(aclMap))
|
2017-11-13 17:13:17 +08:00
|
|
|
for _, acl := range aclMap {
|
|
|
|
|
acls = append(acls, acl)
|
|
|
|
|
}
|
2019-01-01 01:39:45 +08:00
|
|
|
sort.Sort(byWeight(acls))
|
2017-11-13 17:13:17 +08:00
|
|
|
|
|
|
|
|
return acls[0].Action, nil
|
|
|
|
|
}
|
