dev: improve permission scan reading

KernelDeimos 2024-07-23 18:47:04 -04:00 committed by Eric Dubé
parent 4a6055d239
commit a0f0151446
5 changed files with 48 additions and 25 deletions


@ -132,6 +132,7 @@ class FilesystemService extends BaseService {
}, },
})); }));
svc_permission.register_implicator(PermissionImplicator.create({ svc_permission.register_implicator(PermissionImplicator.create({
id: 'is-owner',
matcher: permission => { matcher: permission => {
return permission.startsWith('fs:'); return permission.startsWith('fs:');
}, },
@ -164,6 +165,7 @@ class FilesystemService extends BaseService {
}, },
})); }));
svc_permission.register_exploder(PermissionExploder.create({ svc_permission.register_exploder(PermissionExploder.create({
id: 'fs-access-levels',
matcher: permission => { matcher: permission => {
return permission.startsWith('fs:') && return permission.startsWith('fs:') &&
PermissionUtil.split(permission).length >= 3; PermissionUtil.split(permission).length >= 3;


@ -50,6 +50,7 @@ class PuterSiteService extends BaseService {
// Imply that sites can read their own files // Imply that sites can read their own files
svc_permission.register_implicator(PermissionImplicator.create({ svc_permission.register_implicator(PermissionImplicator.create({
id: 'in-site',
matcher: permission => { matcher: permission => {
return permission.startsWith('fs:'); return permission.startsWith('fs:');
}, },


@ -185,26 +185,17 @@ class PermissionService extends BaseService {
}); });
} }
async scan (actor, permission) { async scan (actor, permission_options) {
const reading = []; const reading = [];
{ if ( ! Array.isArray(permission_options) ) {
const old_perm = permission; permission_options = [permission_options];
permission = await this._rewrite_permission(permission);
if ( permission !== old_perm ) {
reading.push({
$: 'rewrite',
from: old_perm,
to: permission,
});
}
} }
await require('../../structured/sequence/scan-permission')
await require('../../structured/sequence/scan-user-permission')
.call(this, { .call(this, {
actor, actor,
permission, permission_options,
reading, reading,
}); });


@ -16,6 +16,7 @@
* You should have received a copy of the GNU Affero General Public License * You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>. * along with this program. If not, see <https://www.gnu.org/licenses/>.
*/ */
const { permission } = require("process");
const { Sequence } = require("../../codex/Sequence"); const { Sequence } = require("../../codex/Sequence");
const { get_user } = require("../../helpers"); const { get_user } = require("../../helpers");
const { Actor, UserActorType } = require("../../services/auth/Actor"); const { Actor, UserActorType } = require("../../services/auth/Actor");
@ -31,22 +32,43 @@ module.exports = new Sequence([
if ( actor.type.user.username === 'system' ) { if ( actor.type.user.username === 'system' ) {
reading.push({ reading.push({
$: 'option', $: 'option',
permission: '*',
source: 'implied', source: 'implied',
by: 'system',
data: {} data: {}
}) })
return a.stop({}); return a.stop({});
} }
}, },
async function rewrite_permission (a) { async function rewrite_permission (a) {
let { permission } = a.values(); let { reading, permission_options } = a.values();
permission = await a.icall('_rewrite_permission', permission); for ( let i=0 ; i < permission_options.length ; i++ ) {
a.values({ permission }); const old_perm = permission_options[i];
const permission = await a.icall('_rewrite_permission', old_perm);
if ( permission === old_perm ) continue;
permission_options[i] = permission;
reading.push({
$: 'rewrite',
from: old_perm,
to: permission,
});
}
}, },
async function explode_permission (a) { async function explode_permission (a) {
const { permission } = a.values(); const { reading, permission_options } = a.values();
const permission_options = for ( let i=0 ; i < permission_options.length ; i++ ) {
const permission = permission_options[i];
permission_options[i] =
await a.icall('get_higher_permissions', permission); await a.icall('get_higher_permissions', permission);
a.values({ permission_options }); if ( permission_options[i].length > 1 ) {
reading.push({
$: 'explode',
from: permission,
to: permission_options[i],
});
}
}
a.set('permission_options', permission_options.flat());
}, },
async function run_scanners (a) { async function run_scanners (a) {
const scanners = PERMISSION_SCANNERS; const scanners = PERMISSION_SCANNERS;
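Review bot: `rewrite_permission` writes each rewritten value back into `permission_options[i]`, which is the very array object the caller handed to `scan` (the previous section shows `scan` only wraps a non-array argument and otherwise passes the caller's array through), so the caller's input is mutated and later steps see the rewrite only through that side effect, whereas `explode_permission` publishes its result via `a.set`. Building a fresh array and calling `a.set('permission_options', …)` in both steps keeps the sequence values as the single source of truth and leaves caller-owned data untouched; a rewrite of `rewrite_permission` along those lines is below. Both steps can also yield duplicates (two options rewriting or exploding to the same permission), which would make every scanner run and push a reading entry more than once; if that is not intended, `a.set('permission_options', [...new Set(permission_options.flat())]);` after the flatten is a cheap dedupe. Separately, the first hunk of this file adds `const { permission } = require("process");`, which is unused and binds a module-level `permission` to `undefined`, so any bare `permission` reference left over from the rename to `permission_options` would silently read `undefined` instead of throwing a ReferenceError; that line should be dropped.
```javascript
async function rewrite_permission (a) {
    const { reading, permission_options } = a.values();
    const rewritten = [];
    for ( const old_perm of permission_options ) {
        const permission = await a.icall('_rewrite_permission', old_perm);
        if ( permission !== old_perm ) {
            reading.push({
                $: 'rewrite',
                from: old_perm,
                to: permission,
            });
        }
        rewritten.push(permission);
    }
    // publish through the sequence instead of mutating the caller's array
    a.set('permission_options', rewritten);
},
// … unchanged: explode_permission, run_scanners …
```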


@ -10,9 +10,11 @@ const PERMISSION_SCANNERS = [
name: 'implied', name: 'implied',
async scan (a) { async scan (a) {
const reading = a.get('reading'); const reading = a.get('reading');
const { actor, permission } = a.values(); const { actor, permission_options } = a.values();
const _permission_implicators = a.iget('_permission_implicators'); const _permission_implicators = a.iget('_permission_implicators');
for ( const permission of permission_options )
for ( const implicator of _permission_implicators ) { for ( const implicator of _permission_implicators ) {
if ( ! implicator.matches(permission) ) { if ( ! implicator.matches(permission) ) {
continue; continue;
@ -24,8 +26,9 @@ const PERMISSION_SCANNERS = [
if ( implied ) { if ( implied ) {
reading.push({ reading.push({
$: 'option', $: 'option',
permission,
source: 'implied', source: 'implied',
by: `implicator:${implicator.id}`, by: implicator.id,
data: implied, data: implied,
}); });
} }
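Review bot: Changing `by` to the bare `implicator.id` in this hunk's `reading.push` puts implicator ids in the same namespace as the literal `by` values used for other implied options (`'user-app-hc-2'` in the fourth hunk of this file, `'system'` in the previous section), so an implicator whose id collides with one of those, or one registered without an `id` (which would produce `by: undefined`), cannot be told apart when the reading is inspected. Keeping a distinguishing form, such as the previous `implicator:${implicator.id}` template, or rejecting implicators without an `id` at registration time, avoids the ambiguity. Anything that parsed the old `implicator:`-prefixed value would also need updating, if such a consumer exists. In the first hunk of this file the new outer `for ( const permission of permission_options )` wraps a multi-line inner loop without braces; adding `{ … }` matches the surrounding style and avoids a dangling-body mistake on the next edit.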
@ -74,6 +77,7 @@ const PERMISSION_SCANNERS = [
reading.push({ reading.push({
$: 'path', $: 'path',
via: 'user', via: 'user',
permission: row.permission,
// issuer: issuer_actor, // issuer: issuer_actor,
issuer_username: issuer_actor.type.user.username, issuer_username: issuer_actor.type.user.username,
reading: issuer_reading, reading: issuer_reading,
@ -119,6 +123,7 @@ const PERMISSION_SCANNERS = [
$: 'path', $: 'path',
via: 'user-group', via: 'user-group',
// issuer: issuer_actor, // issuer: issuer_actor,
permission: row.permission,
issuer_username: issuer_actor.type.user.username, issuer_username: issuer_actor.type.user.username,
reading: issuer_reading, reading: issuer_reading,
group_id: row.group_id, group_id: row.group_id,
@ -158,6 +163,7 @@ const PERMISSION_SCANNERS = [
if ( implicit_permissions[permission] ) { if ( implicit_permissions[permission] ) {
reading.push({ reading.push({
$: 'option', $: 'option',
permission,
source: 'implied', source: 'implied',
by: 'user-app-hc-2', by: 'user-app-hc-2',
data: implicit_permissions[permission], data: implicit_permissions[permission],
@ -189,6 +195,7 @@ const PERMISSION_SCANNERS = [
reading.push({ reading.push({
$: 'path', $: 'path',
via: 'user-app', via: 'user-app',
permission: row.permission,
issuer_username: actor.type.user.username, issuer_username: actor.type.user.username,
reading: issuer_reading, reading: issuer_reading,
}); });