moul/sshportal
1
1
Fork 0
mirror of https://github.com/moul/sshportal.git synced 2025-09-08 13:44:55 +08:00
Code Issues Projects Releases Packages Wiki Activity
sshportal/pkg/bastion/acl.go
Konstantin Bakaras 0c07ac790a
feat: ACL Check with inception and expiration 
Signed-off-by: Manfred Touron <94029+moul@users.noreply.github.com>
2020-07-23 18:50:35 +02:00

50 lines
1.3 KiB
Go
Raw Blame History

package bastion
import (
"sort"
"time"
"moul.io/sshportal/pkg/dbmodels"
)
type byWeight []*dbmodels.ACL
func (a byWeight) Len() int { return len(a) }
func (a byWeight) Swap(i, j int) { a[i], a[j] = a[j], a[i] }
func (a byWeight) Less(i, j int) bool { return a[i].Weight < a[j].Weight }
func checkACLs(user dbmodels.User, host dbmodels.Host) string {
currentTime := time.Now()
// shared ACLs between user and host
aclMap := map[uint]*dbmodels.ACL{}
for _, userGroup := range user.Groups {
for _, userGroupACL := range userGroup.ACLs {
for _, hostGroup := range host.Groups {
for _, hostGroupACL := range hostGroup.ACLs {
if userGroupACL.ID == hostGroupACL.ID {
if (userGroupACL.Inception == nil || currentTime.After(*userGroupACL.Inception)) &&
(userGroupACL.Expiration == nil || currentTime.Before(*userGroupACL.Expiration)) {
aclMap[userGroupACL.ID] = userGroupACL
}
}
}
}
}
}
// FIXME: add ACLs that match host pattern
// deny by default if no shared ACL
if len(aclMap) == 0 {
return string(dbmodels.ACLActionDeny) // default action
}
// transform map to slice and sort it
acls := make([]*dbmodels.ACL, 0, len(aclMap))
for _, acl := range aclMap {
acls = append(acls, acl)
}
sort.Sort(byWeight(acls))
return acls[0].Action
}
Reference in a new issue View git blame Copy permalink