auth_basic.go
package gimlet
import (
	"crypto/subtle"
	"sync"
)
// simpleAuthenticator is an Authenticator backed by an in-memory user
// table and group access lists supplied at construction.
type simpleAuthenticator struct {
	// mu is read-locked by the access checks. No code in this file takes
	// the write lock, so it does not guard against a caller that mutates
	// a map it still holds a reference to.
	mu sync.RWMutex
	// users indexes the registered users by Username().
	users map[string]User
	// groups maps a group name to the list passed to userInSlice
	// (presumably member usernames; confirm against userInSlice).
	groups map[string][]string
}
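// NewSimpleAuthenticator constructs a minimum viable Authenticator
// implementation, backed by the access lists and user table passed to
// the constructor. The group map and its member slices are copied, so
// the Authenticator is functionally immutable after construction: later
// changes to the caller's map cannot alter access decisions or race with
// the read-locked lookups.
//
// Nil entries in users are skipped. Users are indexed by Username(), so
// a later entry with the same username replaces an earlier one.
func NewSimpleAuthenticator(users []User, groups map[string][]string) Authenticator {
	a := &simpleAuthenticator{
		groups: make(map[string][]string, len(groups)),
		users:  make(map[string]User, len(users)),
	}

	// Detach the access lists from the caller. Ranging over a nil map is
	// a no-op, so a nil groups argument still yields an empty table.
	for name, members := range groups {
		a.groups[name] = append([]string(nil), members...)
	}

	for _, u := range users {
		if u != nil {
			a.users[u.Username()] = u
		}
	}

	return a
}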
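// CheckResourceAccess reports whether u is authenticated against the
// user table and userHasRole grants it the named resource.
//
// NOTE(review): the role check runs on the caller-supplied u, not on the
// record stored at construction. Confirm that the roles carried by u come
// from a trusted source and not from request data.
func (a *simpleAuthenticator) CheckResourceAccess(u User, resource string) bool {
	// Deny a nil User here so the decision does not depend on how
	// CheckAuthenticated treats a nil interface value.
	if u == nil || !a.CheckAuthenticated(u) {
		return false
	}

	return userHasRole(u, resource)
}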
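// CheckGroupAccess reports whether u matches a registered user, by
// username and API key, and userInSlice finds it in the named group's
// access list. An unknown group has no list, so the lookup is made
// against a nil slice.
func (a *simpleAuthenticator) CheckGroupAccess(u User, group string) bool {
	// A nil User cannot be looked up; deny instead of panicking on
	// Username().
	if u == nil {
		return false
	}

	a.mu.RLock()
	defer a.mu.RUnlock()

	ur, ok := a.users[u.Username()]
	if !ok {
		return false
	}

	// Compare the keys in constant time so that response timing does not
	// reveal how many leading bytes of a guessed key were correct. Keys of
	// different length are still rejected early.
	// NOTE(review): two empty keys compare equal, so a stored user with no
	// API key is matched by anyone presenting that username; confirm that
	// registered users always carry a key.
	if subtle.ConstantTimeCompare([]byte(u.GetAPIKey()), []byte(ur.GetAPIKey())) != 1 {
		return false
	}

	return userInSlice(u, a.groups[group])
}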
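// CheckAuthenticated reports whether u's username is present in the user
// table and u's API key equals the key of the stored record.
func (a *simpleAuthenticator) CheckAuthenticated(u User) bool {
	// A nil User cannot be looked up; deny instead of panicking on
	// Username().
	if u == nil {
		return false
	}

	a.mu.RLock()
	defer a.mu.RUnlock()

	ur, ok := a.users[u.Username()]
	if !ok {
		return false
	}

	// Constant-time comparison keeps response timing from revealing how
	// many leading bytes of a guessed key were correct. Keys of different
	// length are still rejected early.
	// NOTE(review): two empty keys compare equal, so a stored user with no
	// API key is matched by anyone presenting that username; confirm that
	// registered users always carry a key.
	return subtle.ConstantTimeCompare([]byte(u.GetAPIKey()), []byte(ur.GetAPIKey())) == 1
}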
// basicAuthenticator is an Authenticator backed only by access lists; it
// holds no user table and no credentials.
type basicAuthenticator struct {
	// mu is read-locked by the access checks. No code in this file takes
	// the write lock.
	mu sync.RWMutex
	// groups maps a group name to the list passed to userInSlice
	// (presumably member usernames; confirm against userInSlice).
	groups map[string][]string
	// resources maps a resource name to the list passed to userInSlice
	// (presumably permitted usernames; confirm against userInSlice).
	resources map[string][]string
}
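// NewBasicAuthenticator constructs an Authenticator that makes its
// decisions from the group and resource access lists alone. Both maps and
// their slices are copied, so later changes to the caller's maps cannot
// alter access decisions or race with the read-locked lookups. A nil
// argument yields an empty table.
//
// The returned Authenticator verifies no credential of its own (see
// CheckAuthenticated), so the User values passed to it must already have
// been authenticated by the caller.
func NewBasicAuthenticator(groups, resources map[string][]string) Authenticator {
	a := &basicAuthenticator{
		groups:    make(map[string][]string, len(groups)),
		resources: make(map[string][]string, len(resources)),
	}

	// Ranging over a nil map is a no-op, so nil arguments need no
	// special case.
	for name, members := range groups {
		a.groups[name] = append([]string(nil), members...)
	}
	for name, members := range resources {
		a.resources[name] = append([]string(nil), members...)
	}

	return a
}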
// CheckResourceAccess reports whether u passes CheckAuthenticated and
// userInSlice finds it in the named resource's access list. An unknown
// resource has no list, so the lookup is made against a nil slice.
func (a *basicAuthenticator) CheckResourceAccess(u User, resource string) bool {
	if a.CheckAuthenticated(u) {
		a.mu.RLock()
		defer a.mu.RUnlock()

		permitted := a.resources[resource]
		return userInSlice(u, permitted)
	}

	return false
}
// CheckGroupAccess reports whether u passes CheckAuthenticated and
// userInSlice finds it in the named group's access list. An unknown
// group has no list, so the lookup is made against a nil slice.
func (a *basicAuthenticator) CheckGroupAccess(u User, group string) bool {
	if a.CheckAuthenticated(u) {
		a.mu.RLock()
		defer a.mu.RUnlock()

		members := a.groups[group]
		return userInSlice(u, members)
	}

	return false
}
// CheckAuthenticated reports whether u is non-nil and has a non-empty
// username. No API key, password or token is verified here: any User
// value carrying a username passes, so the caller must have established
// the user's identity before relying on this check.
func (a *basicAuthenticator) CheckAuthenticated(u User) bool {
	if u == nil {
		return false
	}

	return u.Username() != ""
}