mirrors/puter
1
0
Fork 0
mirror of https://github.com/HeyPuter/puter synced 2024-11-14 22:06:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

dev: improve permission scan reading

Browse Source
This commit is contained in:
KernelDeimos 2024-07-23 18:47:04 -04:00 committed by Eric Dubé
parent 4a6055d239
commit a0f0151446
5 changed files with 48 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/backend/src/filesystem/FilesystemService.js
View File

@ -132,6 +132,7 @@ class FilesystemService extends BaseService {
},
}));
svc_permission.register_implicator(PermissionImplicator.create({
id: 'is-owner',
matcher: permission => {
return permission.startsWith('fs:');
},
@ -164,6 +165,7 @@ class FilesystemService extends BaseService {
},
}));
svc_permission.register_exploder(PermissionExploder.create({
id: 'fs-access-levels',
matcher: permission => {
return permission.startsWith('fs:') &&
PermissionUtil.split(permission).length >= 3;

1
src/backend/src/services/PuterSiteService.js
View File

@ -50,6 +50,7 @@ class PuterSiteService extends BaseService {
// Imply that sites can read their own files
svc_permission.register_implicator(PermissionImplicator.create({
id: 'in-site',
matcher: permission => {
return permission.startsWith('fs:');
},

19
src/backend/src/services/auth/PermissionService.js
View File

@ -185,26 +185,17 @@ class PermissionService extends BaseService {
});
}
async scan (actor, permission) {
async scan (actor, permission_options) {
const reading = [];
{
const old_perm = permission;
permission = await this._rewrite_permission(permission);
if ( permission !== old_perm ) {
reading.push({
$: 'rewrite',
from: old_perm,
to: permission,
});
}
if ( ! Array.isArray(permission_options) ) {
permission_options = [permission_options];
}
await require('../../structured/sequence/scan-user-permission')
await require('../../structured/sequence/scan-permission')
.call(this, {
actor,
permission,
permission_options,
reading,
});

34
src/backend/src/structured/sequence/scan-user-permission.js → src/backend/src/structured/sequence/scan-permission.js
View File

@ -16,6 +16,7 @@
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
const { permission } = require("process");
const { Sequence } = require("../../codex/Sequence");
const { get_user } = require("../../helpers");
const { Actor, UserActorType } = require("../../services/auth/Actor");
@ -31,22 +32,43 @@ module.exports = new Sequence([
if ( actor.type.user.username === 'system' ) {
reading.push({
$: 'option',
permission: '*',
source: 'implied',
by: 'system',
data: {}
})
return a.stop({});
}
},
async function rewrite_permission (a) {
let { permission } = a.values();
permission = await a.icall('_rewrite_permission', permission);
a.values({ permission });
let { reading, permission_options } = a.values();
for ( let i=0 ; i < permission_options.length ; i++ ) {
const old_perm = permission_options[i];
const permission = await a.icall('_rewrite_permission', old_perm);
if ( permission === old_perm ) continue;
permission_options[i] = permission;
reading.push({
$: 'rewrite',
from: old_perm,
to: permission,
});
}
},
async function explode_permission (a) {
const { permission } = a.values();
const permission_options =
const { reading, permission_options } = a.values();
for ( let i=0 ; i < permission_options.length ; i++ ) {
const permission = permission_options[i];
permission_options[i] =
await a.icall('get_higher_permissions', permission);
a.values({ permission_options });
if ( permission_options[i].length > 1 ) {
reading.push({
$: 'explode',
from: permission,
to: permission_options[i],
});
}
}
a.set('permission_options', permission_options.flat());
},
async function run_scanners (a) {
const scanners = PERMISSION_SCANNERS;

11
src/backend/src/unstructured/permission-scanners.js
View File

@ -10,9 +10,11 @@ const PERMISSION_SCANNERS = [
name: 'implied',
async scan (a) {
const reading = a.get('reading');
const { actor, permission } = a.values();
const { actor, permission_options } = a.values();
const _permission_implicators = a.iget('_permission_implicators');
for ( const permission of permission_options )
for ( const implicator of _permission_implicators ) {
if ( ! implicator.matches(permission) ) {
continue;
@ -24,8 +26,9 @@ const PERMISSION_SCANNERS = [
if ( implied ) {
reading.push({
$: 'option',
permission,
source: 'implied',
by: `implicator:${implicator.id}`,
by: implicator.id,
data: implied,
});
}
@ -74,6 +77,7 @@ const PERMISSION_SCANNERS = [
reading.push({
$: 'path',
via: 'user',
permission: row.permission,
// issuer: issuer_actor,
issuer_username: issuer_actor.type.user.username,
reading: issuer_reading,
@ -119,6 +123,7 @@ const PERMISSION_SCANNERS = [
$: 'path',
via: 'user-group',
// issuer: issuer_actor,
permission: row.permission,
issuer_username: issuer_actor.type.user.username,
reading: issuer_reading,
group_id: row.group_id,
@ -158,6 +163,7 @@ const PERMISSION_SCANNERS = [
if ( implicit_permissions[permission] ) {
reading.push({
$: 'option',
permission,
source: 'implied',
by: 'user-app-hc-2',
data: implicit_permissions[permission],
@ -189,6 +195,7 @@ const PERMISSION_SCANNERS = [
reading.push({
$: 'path',
via: 'user-app',
permission: row.permission,
issuer_username: actor.type.user.username,
reading: issuer_reading,
});