216 lines
5.7 KiB
Go
216 lines
5.7 KiB
Go
package user
|
|
|
|
import (
|
|
"context"
|
|
"log"
|
|
|
|
"gitea.local/admin/hspguard/internal/repository"
|
|
)
|
|
|
|
func String(s string) *string {
|
|
return &s
|
|
}
|
|
|
|
type RolePermissions struct {
|
|
Permissions []string `json:"permissions"`
|
|
repository.Role
|
|
}
|
|
|
|
var (
|
|
SYSTEM_SCOPE string = "system"
|
|
SYSTEM_PERMISSIONS []repository.Permission = []repository.Permission{
|
|
{
|
|
Name: "log_into_guard",
|
|
Description: String("Allow users to log into their accounts"),
|
|
},
|
|
{
|
|
Name: "register",
|
|
Description: String("Allow users to register new accounts"),
|
|
},
|
|
{
|
|
Name: "edit_profile",
|
|
Description: String("Allow users to edit their profiles"),
|
|
},
|
|
{
|
|
Name: "recover_credentials",
|
|
Description: String("Allow users to recover their password/email"),
|
|
},
|
|
{
|
|
Name: "verify_profile",
|
|
Description: String("Allow users to verify their accounts"),
|
|
},
|
|
{
|
|
Name: "access_home_services",
|
|
Description: String("Allow users to access home services and tools"),
|
|
},
|
|
{
|
|
Name: "view_sessions",
|
|
Description: String("Allow users to view their active sessions"),
|
|
},
|
|
{
|
|
Name: "revoke_sessions",
|
|
Description: String("Allow users to revoke their active sessions"),
|
|
},
|
|
{
|
|
Name: "view_api_services",
|
|
Description: String("Allow users to view API Services (for admin)"),
|
|
},
|
|
{
|
|
Name: "add_api_services",
|
|
Description: String("Allow users to register new API Services (for admin)"),
|
|
},
|
|
{
|
|
Name: "edit_api_services",
|
|
Description: String("Allow users to edit API Services (for admin)"),
|
|
},
|
|
{
|
|
Name: "remove_api_services",
|
|
Description: String("Allow users to remove API Services (for admin)"),
|
|
},
|
|
{
|
|
Name: "view_users",
|
|
Description: String("Allow users to view other users (for admin)"),
|
|
},
|
|
{
|
|
Name: "add_users",
|
|
Description: String("Allow users to create new users (for admin)"),
|
|
},
|
|
// TODO: block, delete users
|
|
{
|
|
Name: "view_user_sessions",
|
|
Description: String("Allow users to view user sessions (for admin)"),
|
|
},
|
|
{
|
|
Name: "revoke_user_sessions",
|
|
Description: String("Allow users to revoke user sessions (for admin)"),
|
|
},
|
|
{
|
|
Name: "view_service_sessions",
|
|
Description: String("Allow users to view service sessions (for admin)"),
|
|
},
|
|
{
|
|
Name: "revoke_service_sessions",
|
|
Description: String("Allow users to revoke service sessions (for admin)"),
|
|
},
|
|
{
|
|
Name: "view_permissions",
|
|
Description: String("Allow users to view all permissions (for admin)"),
|
|
},
|
|
{
|
|
Name: "view_roles_groups",
|
|
Description: String("Allow users to view roles & groups (for admin)"),
|
|
},
|
|
}
|
|
SYSTEM_ROLES []RolePermissions = []RolePermissions{
|
|
{
|
|
Permissions: []string{
|
|
"system_log_into_guard",
|
|
"system_register",
|
|
"system_edit_profile",
|
|
"system_recover_credentials",
|
|
"system_verify_profile",
|
|
"system_access_home_services",
|
|
"system_view_sessions",
|
|
"system_revoke_sessions",
|
|
"system_view_api_services",
|
|
"system_add_api_services",
|
|
"system_edit_api_services",
|
|
"system_remove_api_services",
|
|
"system_view_users",
|
|
"system_add_users",
|
|
"system_view_user_sessions",
|
|
"system_revoke_user_sessions",
|
|
"system_view_service_sessions",
|
|
"system_revoke_service_sessions",
|
|
"system_view_permissions",
|
|
"system_view_roles_groups",
|
|
},
|
|
Role: repository.Role{
|
|
Name: "admin",
|
|
Description: String("User with full power"),
|
|
},
|
|
},
|
|
{
|
|
Permissions: []string{
|
|
"system_log_into_guard",
|
|
"system_register",
|
|
"system_edit_profile",
|
|
"system_recover_credentials",
|
|
"system_verify_profile",
|
|
"system_access_home_services",
|
|
"system_view_sessions",
|
|
"system_revoke_sessions",
|
|
},
|
|
Role: repository.Role{
|
|
Name: "member",
|
|
Description: String("User that is able to use home services"),
|
|
},
|
|
},
|
|
{
|
|
Permissions: []string{
|
|
"system_log_into_guard",
|
|
"system_register",
|
|
},
|
|
Role: repository.Role{
|
|
Name: "guest",
|
|
Description: String("New user that needs approve for everything from admin"),
|
|
},
|
|
},
|
|
}
|
|
)
|
|
|
|
func EnsureSystemPermissions(ctx context.Context, repo *repository.Queries) {
|
|
for _, permission := range SYSTEM_PERMISSIONS {
|
|
_, err := repo.FindPermission(ctx, repository.FindPermissionParams{
|
|
Name: permission.Name,
|
|
Scope: SYSTEM_SCOPE,
|
|
})
|
|
if err != nil {
|
|
log.Printf("INFO: Creating SYSTEM permission: '%s'\n", permission.Name)
|
|
_, err = repo.CreatePermission(ctx, repository.CreatePermissionParams{
|
|
Name: permission.Name,
|
|
Scope: SYSTEM_SCOPE,
|
|
Description: permission.Description,
|
|
})
|
|
if err != nil {
|
|
log.Fatalf("ERR: Failed to create SYSTEM permission: '%s'\n", permission.Name)
|
|
}
|
|
}
|
|
}
|
|
|
|
for _, role := range SYSTEM_ROLES {
|
|
var found repository.Role
|
|
var err error
|
|
|
|
found, err = repo.FindRole(ctx, repository.FindRoleParams{
|
|
Scope: SYSTEM_SCOPE,
|
|
Name: role.Name,
|
|
})
|
|
if err != nil {
|
|
log.Printf("INFO: Create new SYSTEM role '%s'\n", role.Name)
|
|
found, err = repo.CreateRole(ctx, repository.CreateRoleParams{
|
|
Name: role.Name,
|
|
Scope: SYSTEM_SCOPE,
|
|
Description: role.Description,
|
|
})
|
|
if err != nil {
|
|
log.Fatalf("ERR: Failed to create SYSTEM role '%s': %v\n", role.Name, err)
|
|
}
|
|
}
|
|
|
|
for _, perm := range role.Permissions {
|
|
if _, exists := repo.GetRoleAssignment(ctx, repository.GetRoleAssignmentParams{
|
|
RoleID: found.ID,
|
|
Key: perm,
|
|
}); exists != nil {
|
|
if err := repo.AssignRolePermission(ctx, repository.AssignRolePermissionParams{
|
|
RoleID: found.ID,
|
|
Key: perm,
|
|
}); err != nil {
|
|
log.Fatalf("ERR: Failed to assign permission '%s' to SYSTEM role %s: %v\n", perm, found.Name, err)
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|