// Copyright 2017 Canonical Ltd.
// Licensed under the LGPLv3, see LICENCE file for details.
package candidtest
import (
"context"
"github.com/go-macaroon-bakery/macaroon-bakery/v3/bakery/checkers"
"github.com/go-macaroon-bakery/macaroon-bakery/v3/bakery/identchecker"
errgo "gopkg.in/errgo.v1"
"github.com/canonical/candid/candidclient"
)
// identityClient implements identchecker.IdentityClient. This is used because
// the candidtest server cannot use candidclient.Client because that uses the
// groups endpoint, which cannot be used because that would lead to an
// infinite recursion.
type identityClient struct {
	// srv is the test server whose URL and user table back the
	// identities this client hands out.
	srv *Server
}
// IdentityFromContext implements identchecker.IdentityClient.IdentityFromContext.
// No identity is ever derived from the context itself: the call always
// returns a nil identity together with the identity caveats for the test
// server's URL, so the identity is established through DeclaredIdentity
// once those caveats have been satisfied.
func (i identityClient) IdentityFromContext(ctx context.Context) (identchecker.Identity, []checkers.Caveat, error) {
	location := i.srv.URL.String()
	caveats := candidclient.IdentityCaveats(location)
	return nil, caveats, nil
}
// DeclaredIdentity implements identchecker.IdentityClient.DeclaredIdentity.
// It builds an identity from the "username" entry of the declared caveat
// values and fails when that entry is absent or empty. The name is not
// looked up in the server's user table here, so a declared name for an
// unknown user still yields an identity; Allow resolves group membership
// from the table when an ACL is checked.
func (i identityClient) DeclaredIdentity(ctx context.Context, declared map[string]string) (identchecker.Identity, error) {
	name, ok := declared["username"]
	if !ok || name == "" {
		return nil, errgo.Newf("no declared user name in %q", declared)
	}
	ident := &identity{srv: i.srv, id: name}
	return ident, nil
}
// identity is the identchecker.Identity (and ACLIdentity) produced by the
// candidtest server for a declared username.
type identity struct {
	// srv is the test server whose user table supplies group membership.
	srv *Server
	// id is the declared username.
	id string
}
// Id implements identchecker.Identity.Id by returning the declared username.
func (i identity) Id() string {
	return i.id
}
// Domain implements identchecker.Identity.Domain. Identities from the test
// server carry no domain, so this is always the empty string.
func (i identity) Domain() string {
	return ""
}
// Allow implements identchecker.ACLIdentity.Allow.
//
// The identity is allowed when acl names either the user itself (its Id)
// or one of the groups recorded for that user in the server's user table.
// A user missing from the table has no groups and so matches only its own
// name. Membership is read from the table on every call, so changes to a
// user's groups take effect immediately.
// NOTE(review): acl entries such as "everyone" receive no special
// treatment here; presumably the authorizer that calls Allow handles
// public ACLs — confirm.
func (i identity) Allow(_ context.Context, acl []string) (bool, error) {
	// Every name the identity may be matched under: itself, then its groups.
	members := []string{i.id}
	if user := i.srv.users[i.id]; user != nil {
		members = append(members, user.groups...)
	}
	// Any overlap between the ACL and the membership list is sufficient.
	for _, entry := range acl {
		for _, member := range members {
			if entry == member {
				return true, nil
			}
		}
	}
	return false, nil
}