OliveTin/internal/acl/acl.go

package acl

import (
	"context"
	config "github.com/OliveTin/OliveTin/internal/config"
	log "github.com/sirupsen/logrus"

	"golang.org/x/exp/slices"
	"google.golang.org/grpc/metadata"
)

// User respresents a person.
type AuthenticatedUser struct {
	Username  string
	Usergroup string

	acls []string
}

func logAclNotMatched(cfg *config.Config, aclFunction string, user *AuthenticatedUser, action *config.Action) {
	if cfg.LogDebugOptions.AclNotMatched {
		log.WithFields(log.Fields{
			"User":   user.Username,
			"Action": action.Title,
		}).Debugf("%v - No ACLs Matched", aclFunction)
	}
}

func logAclMatched(cfg *config.Config, aclFunction string, user *AuthenticatedUser, action *config.Action, acl *config.AccessControlList) {
	if cfg.LogDebugOptions.AclMatched {
		log.WithFields(log.Fields{
			"User":   user.Username,
			"Action": action.Title,
			"ACL":    acl.Name,
		}).Debugf("%v - Matched ACL", aclFunction)
	}
}

// IsAllowedLogs checks if a AuthenticatedUser is allowed to view an action's logs
func IsAllowedLogs(cfg *config.Config, user *AuthenticatedUser, action *config.Action) bool {
	for _, acl := range getRelevantAcls(cfg, action.Acls, user) {
		if acl.Permissions.Logs {
			logAclMatched(cfg, "isAllowedLogs", user, action, acl)

			return true
		}
	}

	logAclNotMatched(cfg, "isAllowedLogs", user, action)

	return cfg.DefaultPermissions.Logs
}

// IsAllowedExec checks if a AuthenticatedUser is allowed to execute an Action
func IsAllowedExec(cfg *config.Config, user *AuthenticatedUser, action *config.Action) bool {
	for _, acl := range getRelevantAcls(cfg, action.Acls, user) {
		if acl.Permissions.Exec {
			logAclMatched(cfg, "isAllowedExec", user, action, acl)

			return true
		}
	}

	logAclNotMatched(cfg, "isAllowedExec", user, action)

	return cfg.DefaultPermissions.Exec
}

// IsAllowedView checks if a User is allowed to view an Action
func IsAllowedView(cfg *config.Config, user *AuthenticatedUser, action *config.Action) bool {
	if action.Hidden {
		return false
	}

	for _, acl := range getRelevantAcls(cfg, action.Acls, user) {
		if acl.Permissions.View {
			logAclMatched(cfg, "isAllowedView", user, action, acl)

			return true
		}
	}

	logAclNotMatched(cfg, "isAllowedView", user, action)

	return cfg.DefaultPermissions.View
}

func getMetdataKeyOrEmpty(md metadata.MD, key string) string {
	mdValues := md.Get(key)

	if len(mdValues) > 0 {
		return mdValues[0]
	}

	return ""
}

// UserFromContext tries to find a user from a grpc context
func UserFromContext(ctx context.Context, cfg *config.Config) *AuthenticatedUser {
	md, ok := metadata.FromIncomingContext(ctx)

	ret := &AuthenticatedUser{
		Username:  "guest",
		Usergroup: "guest",
	}

	if ok {
		ret.Username = getMetdataKeyOrEmpty(md, "username")
		ret.Usergroup = getMetdataKeyOrEmpty(md, "usergroup")
	}

	buildUserAcls(cfg, ret)

	log.WithFields(log.Fields{
		"username":  ret.Username,
		"usergroup": ret.Usergroup,
	}).Debugf("UserFromContext")

	return ret
}

func buildUserAcls(cfg *config.Config, user *AuthenticatedUser) {
	for _, acl := range cfg.AccessControlLists {
		if slices.Contains(acl.MatchUsernames, user.Username) {
			user.acls = append(user.acls, acl.Name)
			continue
		}

		if slices.Contains(acl.MatchUsergroups, user.Usergroup) {
			user.acls = append(user.acls, acl.Name)
			continue

		}
	}
}

func isACLRelevantToAction(cfg *config.Config, actionAcls []string, acl *config.AccessControlList, user *AuthenticatedUser) bool {
	if !slices.Contains(user.acls, acl.Name) {
		// If the user does not have this ACL, then it is not relevant

		return false
	}

	if acl.AddToEveryAction {
		return true
	}

	if slices.Contains(actionAcls, acl.Name) {
		return true
	}

	return false
}

func getRelevantAcls(cfg *config.Config, actionAcls []string, user *AuthenticatedUser) []*config.AccessControlList {
	var ret []*config.AccessControlList

	for _, acl := range cfg.AccessControlLists {
		if isACLRelevantToAction(cfg, actionAcls, acl, user) {
			ret = append(ret, acl)
		}
	}

	return ret
}