mirror of
https://github.com/kopia/kopia.git
synced 2026-01-24 22:38:00 -05:00
* nit: replaced hardcoded string constants with named constants * acl: added management of ACL entries * auth: implemented DefaultAuthorizer which uses ACLs if any entries are found in the system and falls back to LegacyAuthorizer if not * cli: switch to DefaultAuthorizer when starting server * cli: added ACL management * server: refactored authenticator + added refresh Authenticator is now an interface which also supports Refresh. * authz: refactored authorizer to be an interface + added Refresh() * server: refresh authentication and authorizer * e2e tests for ACLs * server: handling of SIGHUP to refresh authn/authz caches * server: reorganized flags to specify auth options: - removed '--allow-repository-users' - it's always on - one of --without-password, --server-password or --random-password can be specified to specify password for the UI user - htpasswd-file - can be specified to provide password for UI or remote users * cli: moved 'kopia user' to 'kopia server user' * server: allow all UI actions if no authenticator is set * acl: removed priority until we have a better understood use case for it * acl: added validation of allowed labels when adding ACL entries * site: added docs for ACLs
package cli
import (
"context"
"github.com/pkg/errors"
"github.com/kopia/kopia/internal/acl"
"github.com/kopia/kopia/repo"
)
// Command-line definition of the ACL "delete" subcommand (aliases: "rm",
// "remove"). Flags are registered in declaration order, so keep the order
// stable.
var (
	// aclRemoveCommand is the "delete" subcommand registered under aclCommands.
	aclRemoveCommand = aclCommands.Command("delete", "Delete ACL entry").Alias("rm").Alias("remove")
	// aclRemoveIDs holds the positional entry IDs to delete; each is compared
	// against an entry's ManifestID.
	aclRemoveIDs = aclRemoveCommand.Arg("id", "Entry ID").Strings()
	// aclRemoveAll selects every ACL entry, regardless of the IDs given.
	aclRemoveAll = aclRemoveCommand.Flag("all", "Remove all ACL entries").Bool()
	// aclRemoveConfirm is the --delete confirmation flag. Without it the
	// command only logs what it would delete and removes nothing.
	aclRemoveConfirm = aclRemoveCommand.Flag("delete", "Really delete").Bool()
)
// dryRunDelete logs that entry e would have been deleted and tells the user
// to pass --delete to perform the deletion. It does not modify anything.
func dryRunDelete(ctx context.Context, e *acl.Entry) {
	id := e.ManifestID

	log(ctx).Infof("would delete entry %v, pass --delete to actually delete", id)
}
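// shouldRemoveACLEntry reports whether entry e must actually be deleted.
//
// An entry is selected when --all is set or when its ManifestID equals one of
// the IDs given on the command line. A selected entry is only deleted when
// the --delete confirmation flag is set; otherwise a dry-run message is
// logged and false is returned.
func shouldRemoveACLEntry(ctx context.Context, e *acl.Entry) bool {
	selected := *aclRemoveAll

	if !selected {
		for _, id := range *aclRemoveIDs {
			if id == string(e.ManifestID) {
				selected = true
				break
			}
		}
	}

	if !selected {
		return false
	}

	if !*aclRemoveConfirm {
		// Selected but not confirmed: report only, delete nothing.
		dryRunDelete(ctx, e)
		return false
	}

	return true
}

// runACLRemove deletes the ACL entries selected on the command line from rep.
//
// It loads all entries, then deletes the manifest of every entry for which
// shouldRemoveACLEntry returns true. When --all is not set, every ID passed
// on the command line must match a loaded entry; otherwise an error is
// returned before anything is deleted. Previously a mistyped ID was ignored
// and the command succeeded, which could leave an operator believing that an
// ACL entry had been removed when it was still in place.
//
// It returns an error if the entries cannot be loaded, if a requested ID is
// unknown, or if deleting a manifest fails. A failure in DeleteManifest stops
// the loop, so entries deleted earlier in the same run stay deleted.
func runACLRemove(ctx context.Context, rep repo.RepositoryWriter) error {
	entries, err := acl.LoadEntries(ctx, rep, nil)
	if err != nil {
		return errors.Wrap(err, "unable to load entries")
	}

	if !*aclRemoveAll {
		// Validate the requested IDs up front so that a typo fails loudly
		// instead of silently deleting nothing. With --all the IDs are not
		// consulted, so they are not validated either.
		known := make(map[string]struct{}, len(entries))
		for _, e := range entries {
			known[string(e.ManifestID)] = struct{}{}
		}

		for _, id := range *aclRemoveIDs {
			if _, ok := known[id]; !ok {
				return errors.Errorf("ACL entry %q not found", id)
			}
		}
	}

	for _, e := range entries {
		if !shouldRemoveACLEntry(ctx, e) {
			continue
		}

		if err := rep.DeleteManifest(ctx, e.ManifestID); err != nil {
			return errors.Wrap(err, "unable to delete manifest")
		}
	}

	return nil
}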
// init wires runACLRemove to the "delete" subcommand. The handler is wrapped
// by repositoryWriterAction, which presumably opens the repository for
// writing before calling it (wrapper not shown here; confirm).
func init() {
	action := repositoryWriterAction(runACLRemove)

	aclRemoveCommand.Action(action)
}