permissins (per instance)

2024-11-07 20:26:23 +00:00 · 2020-12-10 11:54:28 +01:00 · 2020-12-10 11:54:28 +01:00 · f993e82b0b
commit f993e82b0b
parent 698756b9d2
15 changed files with 114 additions and 29 deletions
--- a/packages/api/.covid-env
+++ b/packages/api/.covid-env
@ -8,3 +8,5 @@ PORT_mysql=3326
 ENGINE_mysql=mysql@dbgate-plugin-mysql
 SINGLE_CONNECTION=mysql
 SINGLE_DATABASE=covid
+
+PERMISSIONS=files/charts/read
--- a/packages/api/src/controllers/config.js
+++ b/packages/api/src/controllers/config.js
@ -11,17 +11,21 @@ module.exports = {
        }))
      : null;
    const startupPages = process.env.STARTUP_PAGES ? process.env.STARTUP_PAGES.split(',') : [];
+    const permissions = process.env.PERMISSIONS ? process.env.PERMISSIONS.split(',') : null;
+    const singleDatabase =
+      process.env.SINGLE_CONNECTION && process.env.SINGLE_DATABASE
+        ? {
+            conid: process.env.SINGLE_CONNECTION,
+            database: process.env.SINGLE_DATABASE,
+          }
+        : null;
+
    return {
      runAsPortal: !!process.env.CONNECTIONS,
      toolbar,
      startupPages,
-      singleDatabase:
-        process.env.SINGLE_CONNECTION && process.env.SINGLE_DATABASE
-          ? {
-              conid: process.env.SINGLE_CONNECTION,
-              database: process.env.SINGLE_DATABASE,
-            }
-          : null,
+      singleDatabase,
+      permissions,
    };
  },
 };
--- a/packages/api/src/controllers/files.js
+++ b/packages/api/src/controllers/files.js
@ -1,6 +1,7 @@
 const fs = require('fs-extra');
 const path = require('path');
 const { filesdir } = require('../utility/directories');
+const hasPermission = require('../utility/hasPermission');
 const socket = require('../utility/socket');
 const scheduler = require('./scheduler');

@ -19,6 +20,7 @@ function deserialize(format, text) {
 module.exports = {
  list_meta: 'get',
  async list({ folder }) {
+    if (!hasPermission(`files/${folder}/read`)) return [];
    const dir = path.join(filesdir(), folder);
    if (!(await fs.exists(dir))) return [];
    const files = (await fs.readdir(dir)).map((file) => ({ folder, file }));
@ -27,24 +29,28 @@ module.exports = {

  delete_meta: 'post',
  async delete({ folder, file }) {
+    if (!hasPermission(`files/${folder}/write`)) return;
    await fs.unlink(path.join(filesdir(), folder, file));
    socket.emitChanged(`files-changed-${folder}`);
  },

  rename_meta: 'post',
  async rename({ folder, file, newFile }) {
+    if (!hasPermission(`files/${folder}/write`)) return;
    await fs.rename(path.join(filesdir(), folder, file), path.join(filesdir(), folder, newFile));
    socket.emitChanged(`files-changed-${folder}`);
  },

  load_meta: 'post',
  async load({ folder, file, format }) {
+    if (!hasPermission(`files/${folder}/read`)) return null;
    const text = await fs.readFile(path.join(filesdir(), folder, file), { encoding: 'utf-8' });
    return deserialize(format, text);
  },

  save_meta: 'post',
  async save({ folder, file, data, format }) {
+    if (!hasPermission(`files/${folder}/write`)) return;
    const dir = path.join(filesdir(), folder);
    if (!(await fs.exists(dir))) {
      await fs.mkdir(dir);
--- a/packages/api/src/controllers/plugins.js
+++ b/packages/api/src/controllers/plugins.js
@ -5,6 +5,7 @@ const { pluginsdir, datadir } = require('../utility/directories');
 const socket = require('../utility/socket');
 const requirePlugin = require('../shell/requirePlugin');
 const downloadPackage = require('../utility/downloadPackage');
+const hasPermission = require('../utility/hasPermission');

 // async function loadPackageInfo(dir) {
 //   const readmeFile = path.join(dir, 'README.md');
@ -106,6 +107,7 @@ module.exports = {

  install_meta: 'post',
  async install({ packageName }) {
+    if (!hasPermission(`plugins/install`)) return;
    const dir = path.join(pluginsdir(), packageName);
    if (!(await fs.exists(dir))) {
      await downloadPackage(packageName, dir);
@ -115,6 +117,7 @@ module.exports = {

  uninstall_meta: 'post',
  async uninstall({ packageName }) {
+    if (!hasPermission(`plugins/install`)) return;
    const dir = path.join(pluginsdir(), packageName);
    await fs.rmdir(dir, { recursive: true });
    socket.emitChanged(`installed-plugins-changed`);
--- a/packages/api/src/controllers/scheduler.js
+++ b/packages/api/src/controllers/scheduler.js
@ -3,6 +3,7 @@ const fs = require('fs-extra');
 const path = require('path');
 const cron = require('node-cron');
 const runners = require('./runners');
+const hasPermission = require('../utility/hasPermission');

 const scheduleRegex = /\s*\/\/\s*@schedule\s+([^\n]+)\n/;

@ -26,6 +27,7 @@ module.exports = {
  },

  async reload() {
+    if (!hasPermission('files/shell/read')) return;
    const shellDir = path.join(filesdir(), 'shell');
    await this.unload();
    if (!(await fs.exists(shellDir))) return;
--- a/packages/api/src/utility/hasPermission.js
+++ b/packages/api/src/utility/hasPermission.js
@ -0,0 +1,12 @@
+const { compilePermissions, testPermission } = require('dbgate-tools');
+
+let compiled = undefined;
+
+function hasPermission(tested) {
+  if (compiled === undefined) {
+    compiled = compilePermissions(process.env.PERMISSIONS);
+  }
+  return testPermission(tested, compiled);
+}
+
+module.exports = hasPermission;
--- a/packages/tools/src/index.ts
+++ b/packages/tools/src/index.ts
@ -6,3 +6,4 @@ export * from './createBulkInsertStreamBase';
 export * from './DatabaseAnalyser';
 export * from './driverBase';
 export * from './SqlDumper';
+export * from './testPermission';
--- a/packages/tools/src/testPermission.ts
+++ b/packages/tools/src/testPermission.ts
@ -0,0 +1,16 @@
+import _escapeRegExp from 'lodash/escapeRegExp';
+import _isString from 'lodash/isString';
+
+export function compilePermissions(permissions: string[] | string) {
+  if (!permissions) return null;
+  if (_isString(permissions)) permissions = permissions.split(',');
+  return permissions.map((x) => new RegExp('^' + _escapeRegExp(x).replace(/\\\*/g, '.*') + '$'));
+}
+
+export function testPermission(tested: string, permissions: RegExp[]) {
+  if (!permissions) return true;
+  for (const permission of permissions) {
+    if (tested.match(permission)) return true;
+  }
+  return false;
+}
--- a/packages/web/src/appobj/SavedFileAppObject.js
+++ b/packages/web/src/appobj/SavedFileAppObject.js
@ -10,8 +10,10 @@ import ScriptWriter from '../impexp/ScriptWriter';
 import { extractPackageName } from 'dbgate-tools';
 import useShowModal from '../modals/showModal';
 import InputTextModal from '../modals/InputTextModal';
+import useHasPermission from '../utility/useHasPermission';

 function Menu({ data, menuExt = null }) {
+  const hasPermission = useHasPermission();
  const showModal = useShowModal();
  const handleDelete = () => {
    axios.post('files/delete', data);
@ -31,8 +33,12 @@ function Menu({ data, menuExt = null }) {
  };
  return (
    <>
-      <DropDownMenuItem onClick={handleDelete}>Delete</DropDownMenuItem>
-      <DropDownMenuItem onClick={handleRename}>Rename</DropDownMenuItem>
+      {hasPermission(`files/${data.folder}/write`) && (
+        <DropDownMenuItem onClick={handleDelete}>Delete</DropDownMenuItem>
+      )}
+      {hasPermission(`files/${data.folder}/write`) && (
+        <DropDownMenuItem onClick={handleRename}>Rename</DropDownMenuItem>
+      )}
      {menuExt}
    </>
  );
--- a/packages/web/src/charts/ChartToolbar.js
+++ b/packages/web/src/charts/ChartToolbar.js
@ -1,12 +1,17 @@
 import React from 'react';
+import useHasPermission from '../utility/useHasPermission';
 import ToolbarButton from '../widgets/ToolbarButton';

 export default function ChartToolbar({ save }) {
+  const hasPermission = useHasPermission();
+
  return (
    <>
-      <ToolbarButton onClick={save} icon="icon save">
-        Save
-      </ToolbarButton>
+      {hasPermission('files/charts/write') && (
+        <ToolbarButton onClick={save} icon="icon save">
+          Save
+        </ToolbarButton>
+      )}
    </>
  );
 }
--- a/packages/web/src/query/QueryToolbar.js
+++ b/packages/web/src/query/QueryToolbar.js
@ -1,7 +1,9 @@
 import React from 'react';
+import useHasPermission from '../utility/useHasPermission';
 import ToolbarButton from '../widgets/ToolbarButton';

 export default function QueryToolbar({ execute, cancel, isDatabaseDefined, busy, save, format, isConnected, kill }) {
+  const hasPermission = useHasPermission();
  return (
    <>
      <ToolbarButton disabled={!isDatabaseDefined || busy} onClick={execute} icon="icon run">
@ -13,9 +15,11 @@ export default function QueryToolbar({ execute, cancel, isDatabaseDefined, busy,
      <ToolbarButton disabled={!isConnected} onClick={kill} icon="icon close">
        Kill
      </ToolbarButton>
-      <ToolbarButton onClick={save} icon="icon save">
-        Save
-      </ToolbarButton>
+      {hasPermission('files/sql/write') && (
+        <ToolbarButton onClick={save} icon="icon save">
+          Save
+        </ToolbarButton>
+      )}
      <ToolbarButton onClick={format} icon="icon format-code">
        Format
      </ToolbarButton>
--- a/packages/web/src/query/ShellToolbar.js
+++ b/packages/web/src/query/ShellToolbar.js
@ -1,7 +1,9 @@
 import React from 'react';
+import useHasPermission from '../utility/useHasPermission';
 import ToolbarButton from '../widgets/ToolbarButton';

 export default function ShellToolbar({ execute, cancel, busy, edit, save, editAvailable }) {
+  const hasPermission = useHasPermission();
  return (
    <>
      <ToolbarButton disabled={busy} onClick={execute} icon="icon run">
@ -13,9 +15,11 @@ export default function ShellToolbar({ execute, cancel, busy, edit, save, editAv
      <ToolbarButton disabled={!editAvailable} onClick={edit} icon="icon show-wizard">
        Show wizard
      </ToolbarButton>
-      <ToolbarButton onClick={save} icon="icon save">
-        Save
-      </ToolbarButton>
+      {hasPermission('files/shell/write') && (
+        <ToolbarButton onClick={save} icon="icon save">
+          Save
+        </ToolbarButton>
+      )}
    </>
  );
 }
--- a/packages/web/src/tabs/PluginTab.js
+++ b/packages/web/src/tabs/PluginTab.js
@ -9,6 +9,7 @@ import { extractPluginIcon, extractPluginAuthor } from '../plugins/manifestExtra
 import FormStyledButton from '../widgets/FormStyledButton';
 import axios from '../utility/axios';
 import { useInstalledPlugins } from '../utility/metadataLoaders';
+import useHasPermission from '../utility/useHasPermission';

 const WhitePage = styled.div`
  position: absolute;
@ -56,6 +57,7 @@ function Delimiter() {
 }

 function PluginTabCore({ packageName }) {
+  const hasPermission = useHasPermission();
  const theme = useTheme();
  const installed = useInstalledPlugins();
  const info = useFetch({
@ -98,10 +100,10 @@ function PluginTabCore({ packageName }) {
            <Version>{manifest.version && manifest.version}</Version>
          </HeaderLine>
          <HeaderLine>
-            {!installed.find((x) => x.name == packageName) && (
+            {hasPermission('plugins/install') && !installed.find((x) => x.name == packageName) && (
              <FormStyledButton type="button" value="Install" onClick={handleInstall} />
            )}
-            {!!installed.find((x) => x.name == packageName) && (
+            {hasPermission('plugins/install') && !!installed.find((x) => x.name == packageName) && (
              <FormStyledButton type="button" value="Uninstall" onClick={handleUninstall} />
            )}
          </HeaderLine>
--- a/packages/web/src/utility/useHasPermission.js
+++ b/packages/web/src/utility/useHasPermission.js
@ -0,0 +1,10 @@
+import React from 'react';
+import { useConfig } from './metadataLoaders';
+import { compilePermissions, testPermission } from 'dbgate-tools';
+
+export default function useHasPermission() {
+  const config = useConfig();
+  const compiled = React.useMemo(() => compilePermissions(config.permissions), [config]);
+  const hasPermission = (tested) => testPermission(tested, compiled);
+  return hasPermission;
+}
--- a/packages/web/src/widgets/FilesWidget.js
+++ b/packages/web/src/widgets/FilesWidget.js
@ -8,6 +8,7 @@ import { WidgetsInnerContainer } from './WidgetStyles';
 import { SavedSqlFileAppObject, SavedShellFileAppObject, SavedChartFileAppObject } from '../appobj/SavedFileAppObject';
 import WidgetColumnBar, { WidgetColumnBarItem } from './WidgetColumnBar';
 import { useFiles } from '../utility/metadataLoaders';
+import useHasPermission from '../utility/useHasPermission';

 function ClosedTabsList() {
  const tabs = useOpenedTabs();
@ -64,20 +65,27 @@ function SavedChartFilesList() {
 }

 export default function FilesWidget() {
+  const hasPermission = useHasPermission();
  return (
    <WidgetColumnBar>
      <WidgetColumnBarItem title="Recently closed tabs" name="closedTabs" height="20%">
        <ClosedTabsList />
      </WidgetColumnBarItem>
-      <WidgetColumnBarItem title="Saved SQL files" name="sqlFiles" height="20%">
-        <SavedSqlFilesList />
-      </WidgetColumnBarItem>
-      <WidgetColumnBarItem title="Saved shell files" name="shellFiles" height="20%">
-        <SavedShellFilesList />
-      </WidgetColumnBarItem>
-      <WidgetColumnBarItem title="Saved charts" name="charts" height="20%">
-        <SavedChartFilesList />
-      </WidgetColumnBarItem>
+      {hasPermission('files/sql/read') && (
+        <WidgetColumnBarItem title="Saved SQL files" name="sqlFiles" height="20%">
+          <SavedSqlFilesList />
+        </WidgetColumnBarItem>
+      )}
+      {hasPermission('files/shell/read') && (
+        <WidgetColumnBarItem title="Saved shell files" name="shellFiles" height="20%">
+          <SavedShellFilesList />
+        </WidgetColumnBarItem>
+      )}
+      {hasPermission('files/charts/read') && (
+        <WidgetColumnBarItem title="Saved charts" name="charts" height="20%">
+          <SavedChartFilesList />
+        </WidgetColumnBarItem>
+      )}
    </WidgetColumnBar>
  );
 }