package store
import (
"context"
"strings"
"github.com/grafana/grafana/pkg/infra/filestorage"
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/services/user"
)
// Action identifiers used to look up a path filter. These three are the
// only values isValidAction accepts; anything else is treated as an
// unsupported action and denied by every guardian method below.
const (
	ActionFilesRead   = "files:read"
	ActionFilesWrite  = "files:write"
	ActionFilesDelete = "files:delete"
)
// Shared fail-closed / fail-open filters. denyAllPathFilter is the fallback
// returned whenever an action is unsupported or has no configured filter;
// allowAllPathFilter is not referenced in this file (presumably used by the
// code that builds pathFilterByAction — confirm against callers).
var (
	denyAllPathFilter  = filestorage.NewDenyAllPathFilter()
	allowAllPathFilter = filestorage.NewAllowAllPathFilter()
)
// isValidAction reports whether action is one of the three file actions this
// package knows how to authorize. Guardian methods reject anything else
// before consulting any path filter, so new actions must be added here.
func isValidAction(action string) bool {
	switch action {
	case ActionFilesRead, ActionFilesWrite, ActionFilesDelete:
		return true
	default:
		return false
	}
}
// storageAuthService builds a fileGuardian scoped to a signed-in user and a
// storage prefix. The prefix is the root under which the guardian's path
// filters are evaluated (see pathFilterFileGuardian.can).
type storageAuthService interface {
	newGuardian(ctx context.Context, user *user.SignedInUser, prefix string) fileGuardian
}
// fileGuardian answers authorization questions about file paths.
// canView/canWrite/canDelete are convenience wrappers over can with the
// matching Action* constant; getPathFilter exposes the raw per-action filter
// (presumably for listing, where a whole subtree is filtered at once —
// confirm against callers). Implementations in this file are fail-closed:
// an unknown action or a missing filter always denies.
type fileGuardian interface {
	canView(path string) bool
	canWrite(path string) bool
	canDelete(path string) bool
	can(action string, path string) bool
	getPathFilter(action string) filestorage.PathFilter
}
// pathFilterFileGuardian authorizes paths by looking up a PathFilter per
// action. Paths handed to can are made relative to prefix before the filter
// sees them, so the filters are expected to be written in prefix-relative
// form.
//
// NOTE(review): storing a context.Context in a struct is discouraged in Go;
// nothing in this file reads ctx, so it may exist only for interface
// symmetry with newGuardian — confirm before relying on it.
type pathFilterFileGuardian struct {
	ctx    context.Context
	user   *user.SignedInUser
	prefix string
	// Keyed by Action* constant; an absent key denies that action.
	pathFilterByAction map[string]filestorage.PathFilter
	log                log.Logger
}
// getPathFilter returns the filter that decides which paths action may
// touch. Both an unsupported action and an action with no configured filter
// fall back to denyAllPathFilter, so a misconfigured guardian fails closed.
// Unlike can, this method does not strip a.prefix from anything: whoever
// applies the returned filter must feed it prefix-relative paths
// (presumably the listing code — confirm against callers).
func (a *pathFilterFileGuardian) getPathFilter(action string) filestorage.PathFilter {
	if !isValidAction(action) {
		a.log.Warn("Unsupported action", "action", action)
		return denyAllPathFilter
	}
	filter, found := a.pathFilterByAction[action]
	if !found {
		return denyAllPathFilter
	}
	return filter
}
// canWrite reports whether the user may write to path; see can for how the
// path is rebased onto a.prefix and checked.
func (a *pathFilterFileGuardian) canWrite(path string) bool {
	return a.can(ActionFilesWrite, path)
}
// canView reports whether the user may read path; see can for how the path
// is rebased onto a.prefix and checked.
func (a *pathFilterFileGuardian) canView(path string) bool {
	return a.can(ActionFilesRead, path)
}
// canDelete reports whether the user may delete path; see can for how the
// path is rebased onto a.prefix and checked.
func (a *pathFilterFileGuardian) canDelete(path string) bool {
	return a.can(ActionFilesDelete, path)
}
// can decides whether action is permitted on path. The path is first made
// relative to a.prefix (the prefix itself maps to the root delimiter) and
// then checked against the filter configured for action. Every failure
// mode — unsupported action, no filter for the action, filter refuses —
// returns false and logs at Warn, so the guardian fails closed.
//
// NOTE(review): strings.TrimPrefix is a no-op when path does not start with
// a.prefix, so such a path reaches the filter unmodified. This relies on the
// callers only passing paths under the prefix; confirm at the call sites.
// Nothing here normalises ".." segments or repeated delimiters either — if
// the storage layer does not canonicalise before this point, the PathFilter
// is the last line of defence.
func (a *pathFilterFileGuardian) can(action string, path string) bool {
	// Rebase onto the guardian's prefix; the prefix itself is the root.
	relPath := filestorage.Delimiter
	if path != a.prefix {
		relPath = strings.TrimPrefix(path, a.prefix)
	}

	if !isValidAction(action) {
		a.log.Warn("Unsupported action", "action", action, "path", relPath)
		return false
	}

	filter, found := a.pathFilterByAction[action]
	if !found {
		a.log.Warn("Missing path filter", "action", action, "path", relPath)
		return false
	}

	if !filter.IsAllowed(relPath) {
		a.log.Warn("Denying", "action", action, "path", relPath)
		return false
	}
	return true
}
// denyAllFileGuardian is the fileGuardian that refuses everything. It carries
// no state and needs no logger; every method answers false / deny-all.
type denyAllFileGuardian struct {
}
// canView always denies: this guardian never permits reads.
func (d denyAllFileGuardian) canView(path string) bool {
	return false
}
// canWrite always denies: this guardian never permits writes.
func (d denyAllFileGuardian) canWrite(path string) bool {
	return false
}
// canDelete always denies: this guardian never permits deletes.
func (d denyAllFileGuardian) canDelete(path string) bool {
	return false
}
// can always denies, regardless of action or path; the arguments are
// deliberately unnamed because nothing inspects them.
func (denyAllFileGuardian) can(_ string, _ string) bool {
	return false
}
// getPathFilter returns the shared deny-all filter for every action, so a
// caller that filters a listing through it sees nothing.
func (denyAllFileGuardian) getPathFilter(_ string) filestorage.PathFilter {
	return denyAllPathFilter
}