mirror of
https://github.com/kopia/kopia.git
synced 2026-01-25 14:58:00 -05:00
cbcd59f18e
* nit: replaced harcoded string constants with named constants * acl: added management of ACL entries * auth: implemented DefaultAuthorizer which uses ACLs if any entries are found in the system and falls back to LegacyAuthorizer if not * cli: switch to DefaultAuthorizer when starting server * cli: added ACL management * server: refactored authenticator + added refresh Authenticator is now an interface which also supports Refresh. * authz: refactored authorizer to be an interface + added Refresh() * server: refresh authentication and authorizer * e2e tests for ACLs * server: handling of SIGHUP to refresh authn/authz caches * server: reorganized flags to specify auth options: - removed '--allow-repository-users' - it's always on - one of --without-password, --server-password or --random-password can be specified to specify password for the UI user - htpasswd-file - can be specified to provide password for UI or remote users * cli: moved 'kopia user' to 'kopia server user' * server: allow all UI actions if no authenticator is set * acl: removed priority until we have a better understood use case for it * acl: added validation of allowed labels when adding ACL entries * site: added docs for ACLs
49 lines
1.2 KiB
Go
49 lines
1.2 KiB
Go
package cli
|
|
|
|
import (
|
|
"context"
|
|
"strings"
|
|
|
|
"github.com/pkg/errors"
|
|
|
|
"github.com/kopia/kopia/internal/acl"
|
|
"github.com/kopia/kopia/repo"
|
|
)
|
|
|
|
var (
|
|
aclAddCommand = aclCommands.Command("add", "Add ACL entry")
|
|
aclAddCommandUser = aclAddCommand.Flag("user", "User the ACL targets").Required().String()
|
|
aclAddCommandTarget = aclAddCommand.Flag("target", "Manifests targeted by the rule (type:T,key1:value1,...,keyN:valueN)").Required().String()
|
|
aclAddCommandAccessLevel = aclAddCommand.Flag("access", "Access the user gets to subject").Required().Enum(acl.SupportedAccessLevels()...)
|
|
)
|
|
|
|
func runACLAdd(ctx context.Context, rep repo.RepositoryWriter) error {
|
|
r := acl.TargetRule{}
|
|
|
|
for _, v := range strings.Split(*aclAddCommandTarget, ",") {
|
|
parts := strings.SplitN(v, "=", 2)
|
|
if len(parts) != 2 { //nolint:gomnd
|
|
return errors.Errorf("invalid target labels %q, must be key=value", v)
|
|
}
|
|
|
|
r[parts[0]] = parts[1]
|
|
}
|
|
|
|
al, err := acl.ParseAccessLevel(*aclAddCommandAccessLevel)
|
|
if err != nil {
|
|
return errors.Wrap(err, "invalid access level")
|
|
}
|
|
|
|
e := &acl.Entry{
|
|
User: *aclAddCommandUser,
|
|
Target: r,
|
|
Access: al,
|
|
}
|
|
|
|
return acl.AddACL(ctx, rep, e)
|
|
}
|
|
|
|
func init() {
|
|
aclAddCommand.Action(repositoryWriterAction(runACLAdd))
|
|
}
|