Add 'project' to user table, add 'manager' role, conditional web render
- Addresses issues #40 #45 #82 - Reworked Navigation Header for all roles - 'Manager' role added, can be assigned a project-id in config by admins - BREAKING! -> Added 'project' column in SQLite3 table 'user' - Manager-Assigned project will be added to all graphql filters: Only show Jobs and Users of given project - 'My Jobs' Tab for all Roles - Switched from Bool "isAdmin" to integer authLevels - Removed critical data frontend logging - Reworked repo.query.SecurityCheck()
@@ -21,12 +21,12 @@ import (
|
||||
const (
|
||||
RoleAdmin string = "admin"
|
||||
RoleSupport string = "support"
|
||||
RoleApi string = "api"
|
||||
RoleManager string = "manager"
|
||||
RoleUser string = "user"
|
||||
RoleProject string = "project"
|
||||
RoleApi string = "api"
|
||||
)
|
||||
|
||||
var validRoles = [5]string{RoleAdmin, RoleSupport, RoleApi, RoleUser, RoleProject}
|
||||
var validRoles = [5]string{RoleUser, RoleManager, RoleSupport, RoleAdmin, RoleApi}
|
||||
|
||||
const (
|
||||
AuthViaLocalPassword int8 = 0
|
||||
@@ -105,6 +105,31 @@ func (u *User) HasNotRoles(queryroles []string) bool {
|
||||
}
|
||||
}
|
||||
|
||||
// Find highest role, returns integer
|
||||
func (u *User) GetAuthLevel() int {
|
||||
if (u.HasRole(RoleAdmin)) {
|
||||
return 5
|
||||
} else if (u.HasRole(RoleSupport)) {
|
||||
return 4
|
||||
} else if (u.HasRole(RoleManager)) {
|
||||
return 3
|
||||
} else if (u.HasRole(RoleUser)) {
|
||||
return 2
|
||||
} else if (u.HasRole(RoleApi)) {
|
||||
return 1
|
||||
} else {
|
||||
return 0
|
||||
}
|
||||
}
|
||||
|
||||
func (u *User) HasProject(project string) bool {
|
||||
if (u.Project != "" && u.Project == project) {
|
||||
return true
|
||||
} else {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
func IsValidRole(role string) bool {
|
||||
for _, r := range validRoles {
|
||||
if r == role {
|
||||
@@ -156,7 +181,8 @@ func Init(db *sqlx.DB,
|
||||
ldap tinyint NOT NULL DEFAULT 0, /* col called "ldap" for historic reasons, fills the "AuthSource" */
|
||||
name varchar(255) DEFAULT NULL,
|
||||
roles varchar(255) NOT NULL DEFAULT "[]",
|
||||
email varchar(255) DEFAULT NULL);`)
|
||||
email varchar(255) DEFAULT NULL,
|
||||
project varchar(255) DEFAULT NULL);`)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@@ -214,9 +240,11 @@ func (auth *Authentication) AuthViaSession(
|
||||
}
|
||||
|
||||
username, _ := session.Values["username"].(string)
|
||||
project, _ := session.Values["project"].(string)
|
||||
roles, _ := session.Values["roles"].([]string)
|
||||
return &User{
|
||||
Username: username,
|
||||
Project: project,
|
||||
Roles: roles,
|
||||
AuthSource: -1,
|
||||
}, nil
|
||||
@@ -261,6 +289,7 @@ func (auth *Authentication) Login(
|
||||
session.Options.MaxAge = int(auth.SessionMaxAge.Seconds())
|
||||
}
|
||||
session.Values["username"] = user.Username
|
||||
session.Values["project"] = user.Project
|
||||
session.Values["roles"] = user.Roles
|
||||
if err := auth.sessionStore.Save(r, rw, session); err != nil {
|
||||
log.Errorf("session save failed: %s", err.Error())
|
||||
@@ -268,7 +297,7 @@ func (auth *Authentication) Login(
|
||||
return
|
||||
}
|
||||
|
||||
log.Infof("login successfull: user: %#v (roles: %v)", user.Username, user.Roles)
|
||||
log.Infof("login successfull: user: %#v (roles: %v, project: %v)", user.Username, user.Roles, user.Project)
|
||||
ctx := context.WithValue(r.Context(), ContextUserKey, user)
|
||||
onsuccess.ServeHTTP(rw, r.WithContext(ctx))
|
||||
return
|
||||
|
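Review bot: In AuthViaSession the manager's `project`, like `roles`, is read back from the session values that Login stored, so a later AddProject, RemoveProject or RemoveRole does not reach sessions that are already open, and a manager keeps the old project scope until the session expires. The commit message says the project is added to all GraphQL filters, so this cached value decides which jobs and users are visible. Consider reloading the record per request with `dbUser, err := auth.GetUser(username)` and filling `Project` and `Roles` from `dbUser`, or invalidating sessions when a role or project changes; whether every session user has a row in the `user` table is not visible here. The discarded `ok` in `project, _ := session.Values["project"].(string)` also turns a missing or malformed value into an empty project, and how the filters treat that for a manager should be confirmed. Both AuthViaSession and Login start and end outside the hunks shown.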
@@ -21,16 +21,17 @@ import (
|
||||
func (auth *Authentication) GetUser(username string) (*User, error) {
|
||||
|
||||
user := &User{Username: username}
|
||||
var hashedPassword, name, rawRoles, email sql.NullString
|
||||
if err := sq.Select("password", "ldap", "name", "roles", "email").From("user").
|
||||
var hashedPassword, name, rawRoles, email, project sql.NullString
|
||||
if err := sq.Select("password", "ldap", "name", "roles", "email", "project").From("user").
|
||||
Where("user.username = ?", username).RunWith(auth.db).
|
||||
QueryRow().Scan(&hashedPassword, &user.AuthSource, &name, &rawRoles, &email); err != nil {
|
||||
QueryRow().Scan(&hashedPassword, &user.AuthSource, &name, &rawRoles, &email, &project); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
user.Password = hashedPassword.String
|
||||
user.Name = name.String
|
||||
user.Email = email.String
|
||||
user.Project = project.String
|
||||
if rawRoles.Valid {
|
||||
if err := json.Unmarshal([]byte(rawRoles.String), &user.Roles); err != nil {
|
||||
return nil, err
|
||||
@@ -54,6 +55,10 @@ func (auth *Authentication) AddUser(user *User) error {
|
||||
cols = append(cols, "email")
|
||||
vals = append(vals, user.Email)
|
||||
}
|
||||
if user.Project != "" {
|
||||
cols = append(cols, "project")
|
||||
vals = append(vals, user.Project)
|
||||
}
|
||||
if user.Password != "" {
|
||||
password, err := bcrypt.GenerateFromPassword([]byte(user.Password), bcrypt.DefaultCost)
|
||||
if err != nil {
|
||||
@@ -67,7 +72,7 @@ func (auth *Authentication) AddUser(user *User) error {
|
||||
return err
|
||||
}
|
||||
|
||||
log.Infof("new user %#v created (roles: %s, auth-source: %d)", user.Username, rolesJson, user.AuthSource)
|
||||
log.Infof("new user %#v created (roles: %s, auth-source: %d, project: %s)", user.Username, rolesJson, user.AuthSource, user.Project)
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -79,7 +84,7 @@ func (auth *Authentication) DelUser(username string) error {
|
||||
|
||||
func (auth *Authentication) ListUsers(specialsOnly bool) ([]*User, error) {
|
||||
|
||||
q := sq.Select("username", "name", "email", "roles").From("user")
|
||||
q := sq.Select("username", "name", "email", "roles", "project").From("user")
|
||||
if specialsOnly {
|
||||
q = q.Where("(roles != '[\"user\"]' AND roles != '[]')")
|
||||
}
|
||||
@@ -94,8 +99,8 @@ func (auth *Authentication) ListUsers(specialsOnly bool) ([]*User, error) {
|
||||
for rows.Next() {
|
||||
rawroles := ""
|
||||
user := &User{}
|
||||
var name, email sql.NullString
|
||||
if err := rows.Scan(&user.Username, &name, &email, &rawroles); err != nil {
|
||||
var name, email, project sql.NullString
|
||||
if err := rows.Scan(&user.Username, &name, &email, &rawroles, &project); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
@@ -105,6 +110,7 @@ func (auth *Authentication) ListUsers(specialsOnly bool) ([]*User, error) {
|
||||
|
||||
user.Name = name.String
|
||||
user.Email = email.String
|
||||
user.Project = project.String
|
||||
users = append(users, user)
|
||||
}
|
||||
return users, nil
|
||||
@@ -145,6 +151,10 @@ func (auth *Authentication) RemoveRole(ctx context.Context, username string, rol
|
||||
return fmt.Errorf("invalid user role: %#v", role)
|
||||
}
|
||||
|
||||
if (role == RoleManager && len(user.Project) != 0) {
|
||||
return fmt.Errorf("Cannot remove role 'manager' while user %#v still has an assigned project!", username)
|
||||
}
|
||||
|
||||
var exists bool
|
||||
var newroles []string
|
||||
for _, r := range user.Roles {
|
||||
@@ -166,9 +176,53 @@ func (auth *Authentication) RemoveRole(ctx context.Context, username string, rol
|
||||
}
|
||||
}
|
||||
|
||||
func (auth *Authentication) AddProject(
|
||||
ctx context.Context,
|
||||
username string,
|
||||
project string) error {
|
||||
|
||||
user, err := auth.GetUser(username)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if !user.HasRole(RoleManager) {
|
||||
return fmt.Errorf("user '%#v' is not a manager!", username)
|
||||
}
|
||||
|
||||
if user.HasProject(project) {
|
||||
return fmt.Errorf("user '%#v' already manages project '%#v'", username, project)
|
||||
}
|
||||
|
||||
if _, err := sq.Update("user").Set("project", project).Where("user.username = ?", username).RunWith(auth.db).Exec(); err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (auth *Authentication) RemoveProject(ctx context.Context, username string, project string) error {
|
||||
user, err := auth.GetUser(username)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if !user.HasRole(RoleManager) {
|
||||
return fmt.Errorf("user '%#v' is not a manager!", username)
|
||||
}
|
||||
|
||||
if !user.HasProject(project) {
|
||||
return fmt.Errorf("user '%#v': Cannot remove project '%#v' - Does not match!", username, project)
|
||||
}
|
||||
|
||||
if _, err := sq.Update("user").Set("project", "").Where("user.username = ?", username).Where("user.project = ?", project).RunWith(auth.db).Exec(); err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func FetchUser(ctx context.Context, db *sqlx.DB, username string) (*model.User, error) {
|
||||
me := GetUser(ctx)
|
||||
if me != nil && me.Username != username && me.HasNotRoles([]string{RoleAdmin, RoleSupport}) {
|
||||
if me != nil && me.Username != username && me.HasNotRoles([]string{RoleAdmin, RoleSupport, RoleManager}) {
|
||||
return nil, errors.New("forbidden")
|
||||
}
|
||||
|
||||
@@ -185,5 +239,6 @@ func FetchUser(ctx context.Context, db *sqlx.DB, username string) (*model.User,
|
||||
|
||||
user.Name = name.String
|
||||
user.Email = email.String
|
||||
// user.Project = project.String
|
||||
return user, nil
|
||||
}
|
||||
|
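Review bot: Adding `RoleManager` to the exemption list in FetchUser lets any manager fetch any other user's record, because the visible check never compares the target user's project with the manager's own, and the commented-out `// user.Project = project.String` suggests the project column is not loaded here at all. That does not match the commit's stated goal of showing managers only the users of their assigned project. After the row is scanned, a manager-only guard such as `if me != nil && me.GetAuthLevel() == 3 && !me.HasProject(project.String) { return nil, errors.New("forbidden") }` would restore the scoping, with `project` added to the select and scan. The query lies outside the visible hunk, so the exact placement needs checking there. The existing guard is also skipped entirely when `me` is nil, which is worth confirming as intended.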