diff --git a/app/handler/account.go b/app/handler/account.go index 741fd2c..8423e02 100644 --- a/app/handler/account.go +++ b/app/handler/account.go @@ -12,7 +12,13 @@ import ( func (hand *Handler) CheckRight(ctx context.Context, accountID, right, subject string) (bool, error) { var err error var res bool - hand.logg.Debugf("CheckRight %s: %s %s", accountID, right, subject) + hand.logg.Debugf("Cop check your right %s: %s %s", accountID, right, subject) + // =[]= + // /------\ + // .---[-] [#] \--, + // >| [ ] [ ] | + // '--0-------0----' + // Bad news for you, baby.... # res = true return res, err @@ -28,23 +34,23 @@ func (hand *Handler) CreateAccount(rctx *router.Context) { hand.SendError(rctx, err) return } - + // Rigth checking operatorID, _ := rctx.GetString(userTag) - opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightWriteAccounts, params.Username) + opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightWriteAccounts, "") if err != nil { - err := fmt.Errorf("CreateAccount error: %v", err) + err := fmt.Errorf("Operation error: %v", err) hand.SendError(rctx, err) return } if !opEnable { - err := fmt.Errorf("CreateAccount not enabled for this user") + err := fmt.Errorf("Operation not enabled for this account") hand.SendError(rctx, err) return } - + // Execution of the operation res, err := hand.oper.CreateAccount(rctx.Ctx, operatorID, params) if err != nil { - hand.logg.Errorf("CreateAccount error: %v", err) + hand.logg.Errorf("Operation error: %v", err) hand.SendError(rctx, err) return } 
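Review bot: CheckRight still ends in `res = true` followed by `return res, err` (context lines of this hunk), so as far as the hunk shows, every right check this commit adds in the handlers passes whatever the account, right or subject. Until the real lookup exists the stub should fail closed, for example `res = false` or an explicit not-implemented error, so that the handlers deny by default. The added ASCII-art comment and the reworded debug string carry no information. A doc comment stating that the function is a placeholder which currently grants everything would serve the next reader better. The function's closing brace is outside the hunk.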
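Review bot: The CheckRight call in CreateAccount now passes `""` as the subject where it passed `params.Username` before, while the DeleteAccount hunk of this same commit passes `params.Username`. If the subject is meant to scope the right to the target account (an inference, since CheckRight's contract is not visible), the empty string drops that scoping for account creation. Either keep `params.Username` or document on CheckRight what an empty subject means. The reworded `hand.logg.Errorf("Operation error: %v", err)` also loses the handler name that made the log line searchable; `"CreateAccount error: %v"` was the more useful message.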
@@ -61,9 +67,23 @@ func (hand *Handler) GetAccount(rctx *router.Context) {
 hand.SendError(rctx, err)
 return
 }
+ // Rigth checking
+ operatorID, _ := rctx.GetString(userTag)
+ opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightWriteAccounts, "")
+ if err != nil {
+ err := fmt.Errorf("Operation error: %v", err)
+ hand.SendError(rctx, err)
+ return
+ }
+ if !opEnable {
+ err := fmt.Errorf("Operation not enabled for this account")
+ hand.SendError(rctx, err)
+ return
+ }
+ // Execution of the operation
 res, err := hand.oper.GetAccount(rctx.Ctx, params)
 if err != nil {
- hand.logg.Errorf("CreateAccount error: %v", err)
+ hand.logg.Errorf("Operation error: %v", err)
 hand.SendError(rctx, err)
 return
 }
@@ -80,6 +100,20 @@ func (hand *Handler) ListAccounts(rctx *router.Context) {
 hand.SendError(rctx, err)
 return
 }
+ // Rigth checking
+ operatorID, _ := rctx.GetString(userTag)
+ opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightWriteAccounts, "")
+ if err != nil {
+ err := fmt.Errorf("Operation error: %v", err)
+ hand.SendError(rctx, err)
+ return
+ }
+ if !opEnable {
+ err := fmt.Errorf("Operation not enabled for this account")
+ hand.SendError(rctx, err)
+ return
+ }
+ // Execution of the operation
 res, err := hand.oper.ListAccounts(rctx.Ctx, params)
 if err != nil {
 hand.logg.Errorf("ListAccounts error: %v", err)
@@ -99,6 +133,20 @@ func (hand *Handler) UpdateAccount(rctx *router.Context) {
 hand.SendError(rctx, err)
 return
 }
+ // Rigth checking
+ operatorID, _ := rctx.GetString(userTag)
+ opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightWriteAccounts, "")
+ if err != nil {
+ err := fmt.Errorf("Operation error: %v", err)
+ hand.SendError(rctx, err)
+ return
+ }
+ if !opEnable {
+ err := fmt.Errorf("Operation not enabled for this account")
+ hand.SendError(rctx, err)
+ return
+ }
+ // Execution of the operation
 res, err := hand.oper.UpdateAccount(rctx.Ctx, params)
 if err != nil {
 hand.logg.Errorf("UpdateAccount error: %v", err)
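Review bot: `operatorID, _ := rctx.GetString(userTag)` discards the second result, so a request whose context carries no user tag presumably reaches CheckRight with an empty operatorID instead of being rejected (GetString's signature is not visible here). The line is new in GetAccount and is repeated in every block this commit adds across account.go, blob.go, file.go, grant.go and manifest.go. Reject the request before calling CheckRight when the identity is missing, for example `if operatorID == "" { hand.SendError(rctx, fmt.Errorf("Operation not enabled for this account")); return }`, or test the discarded value directly.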
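Review bot: ListAccounts, a read-only listing, is gated on `descr.RightWriteAccounts`, and GetAccount in the previous hunk uses the same write right. The other resources in this commit separate read from write (`descr.RightReadImages`, `descr.RightReadFiles`, `descr.RightReadGrants`), so this looks like a copy of the CreateAccount block. If descr defines a read right for accounts, use it here and in GetAccount. As written, an operator needs write permission on accounts just to view them, which pushes deployments toward handing out the write right more widely than necessary.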
@@ -118,6 +166,20 @@ func (hand *Handler) DeleteAccount(rctx *router.Context) { hand.SendError(rctx, err) return } + // Rigth checking + operatorID, _ := rctx.GetString(userTag) + opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightWriteAccounts, params.Username) + if err != nil { + err := fmt.Errorf("Operation error: %v", err) + hand.SendError(rctx, err) + return + } + if !opEnable { + err := fmt.Errorf("Operation not enabled for this account") + hand.SendError(rctx, err) + return + } + // Execution of the operation res, err := hand.oper.DeleteAccount(rctx.Ctx, params) if err != nil { hand.logg.Errorf("DeleteAccount error: %v", err) diff --git a/app/handler/blob.go b/app/handler/blob.go index 56afb33..a32024a 100644 --- a/app/handler/blob.go +++ b/app/handler/blob.go @@ -11,9 +11,11 @@ package handler import ( + "fmt" "io" "net/http" + "mstore/app/descr" "mstore/app/operator" "mstore/app/router" ) @@ -29,6 +31,20 @@ func (hand *Handler) BlobExists(rctx *router.Context) { Name: name, Digest: digest, } + // Rigth checking + operatorID, _ := rctx.GetString(userTag) + opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightReadImages, "") + if err != nil { + err := fmt.Errorf("Operation error: %v", err) + hand.SendError(rctx, err) + return + } + if !opEnable { + err := fmt.Errorf("Operation not enabled for this account") + hand.SendError(rctx, err) + return + } + // Execution of the operation ctx := rctx.GetContext() res, code, err := hand.oper.BlobExists(ctx, params) if err != nil { @@ -57,6 +73,20 @@ func (hand *Handler) PostUpload(rctx *router.Context) { Mount: mount, 
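Review bot: A denied DeleteAccount leaves no trace in the log, because the `!opEnable` branch only calls `hand.SendError`, whereas the operation's own failure a few lines below is logged with `hand.logg.Errorf`. Denied attempts on a destructive operation are what someone reviewing an incident looks for, so record them with the actor, right and subject, for example `hand.logg.Errorf("DeleteAccount denied: operator=%q right=%s subject=%q", operatorID, descr.RightWriteAccounts, params.Username)`. The same applies to the denial branch in the other handlers this commit touches.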
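Review bot: BlobExists checks `descr.RightReadImages` with an empty subject although the repository is in scope as `Name: name` just above the added block, so the decision cannot depend on which repository is being read. If rights are meant to be scoped per repository (not visible from this hunk), pass it through: `hand.CheckRight(rctx.Ctx, operatorID, descr.RightReadImages, name)`. The same empty subject is used in the other blob.go and manifest.go handlers, and in file.go where `filepath` is available.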
 From: from,
 }
+ // Rigth checking
+ operatorID, _ := rctx.GetString(userTag)
+ opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightWriteImages, "")
+ if err != nil {
+ err := fmt.Errorf("Operation error: %v", err)
+ hand.SendError(rctx, err)
+ return
+ }
+ if !opEnable {
+ err := fmt.Errorf("Operation not enabled for this account")
+ hand.SendError(rctx, err)
+ return
+ }
+ // Execution of the operation
 res, code, err := hand.oper.PostUpload(rctx.Ctx, params)
 if err != nil {
 hand.logg.Errorf("PostUpload error: %v", err)
@@ -90,6 +120,20 @@ func (hand *Handler) PatchUpload(rctx *router.Context) {
 Reference: reference,
 Reader: reader,
 }
+ // Rigth checking
+ operatorID, _ := rctx.GetString(userTag)
+ opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightWriteImages, "")
+ if err != nil {
+ err := fmt.Errorf("Operation error: %v", err)
+ hand.SendError(rctx, err)
+ return
+ }
+ if !opEnable {
+ err := fmt.Errorf("Operation not enabled for this account")
+ hand.SendError(rctx, err)
+ return
+ }
+ // Execution of the operation
 ctx := rctx.GetContext()
 res, code, err := hand.oper.PatchUpload(ctx, params)
 if err != nil {
@@ -122,6 +166,20 @@ func (hand *Handler) PutUpload(rctx *router.Context) {
 Reference: reference,
 Digest: digest,
 }
+ // Rigth checking
+ operatorID, _ := rctx.GetString(userTag)
+ opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightWriteImages, "")
+ if err != nil {
+ err := fmt.Errorf("Operation error: %v", err)
+ hand.SendError(rctx, err)
+ return
+ }
+ if !opEnable {
+ err := fmt.Errorf("Operation not enabled for this account")
+ hand.SendError(rctx, err)
+ return
+ }
+ // Execution of the operation
 res, code, err := hand.oper.PutUpload(rctx.Ctx, params)
 if err != nil {
 hand.logg.Errorf("PutUpload error: %v", err)
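Review bot: PostUpload accepts `Mount: mount` and `From: from`, yet the added check tests only `descr.RightWriteImages` with an empty subject. If `from` names the source repository of a cross-repository blob mount (an inference from the field names; the operator code is not shown), a caller with write access to the destination could obtain a blob from a repository it is not allowed to read. When `from` is non-empty, also require read access on the source before calling `hand.oper.PostUpload`, for example a second `hand.CheckRight(rctx.Ctx, operatorID, descr.RightReadImages, from)`.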
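Review bot: The added check in PatchUpload calls `hand.CheckRight(rctx.Ctx, …)` while the operation directly below it uses `ctx := rctx.GetContext()`. Whether the two differ is not visible here, but if GetContext derives a request-scoped context from rctx.Ctx, the right check runs without its values or cancellation. Move `ctx := rctx.GetContext()` above the check and pass `ctx` to both calls. The same split appears in BlobExists, GetBlob, DeleteBlob and the file.go and manifest.go handlers.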
@@ -140,6 +198,20 @@ func (hand *Handler) GetBlob(rctx *router.Context) { Name: name, Digest: digest, } + // Rigth checking + operatorID, _ := rctx.GetString(userTag) + opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightReadImages, "") + if err != nil { + err := fmt.Errorf("Operation error: %v", err) + hand.SendError(rctx, err) + return + } + if !opEnable { + err := fmt.Errorf("Operation not enabled for this account") + hand.SendError(rctx, err) + return + } + // Execution of the operation ctx := rctx.GetContext() res, code, err := hand.oper.GetBlob(ctx, params) if err != nil { @@ -174,6 +246,20 @@ func (hand *Handler) DeleteBlob(rctx *router.Context) { Name: name, Digest: digest, } + // Rigth checking + operatorID, _ := rctx.GetString(userTag) + opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightWriteImages, "") + if err != nil { + err := fmt.Errorf("Operation error: %v", err) + hand.SendError(rctx, err) + return + } + if !opEnable { + err := fmt.Errorf("Operation not enabled for this account") + hand.SendError(rctx, err) + return + } + // Execution of the operation ctx := rctx.GetContext() _, code, err := hand.oper.DeleteBlob(ctx, params) if err != nil { diff --git a/app/handler/file.go b/app/handler/file.go index 09b7d49..6eaf1e4 100644 --- a/app/handler/file.go +++ b/app/handler/file.go @@ -10,8 +10,10 @@ package handler import ( + "fmt" "io" + "mstore/app/descr" "mstore/app/operator" "mstore/app/router" ) 
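Review bot: The denial in GetBlob is reported as a bare `fmt.Errorf("Operation not enabled for this account")` handed to `hand.SendError`, so whether the client receives a 403 depends on how SendError maps an untyped error, which this hunk does not show. Registry clients act on the status code, so a denial that comes back as a generic server error will be retried or misreported. A package-level sentinel such as `var ErrDenied = errors.New("operation not enabled for this account")` lets SendError pick the status with `errors.Is`. Likewise `fmt.Errorf("Operation error: %v", err)` should use `%w` so the cause stays inspectable, and consider whether the internal error text should be sent to the caller at all.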
@@ -24,6 +26,20 @@ func (hand *Handler) FileInfo(rctx *router.Context) {
 params := &operator.FileInfoParams{
 Filepath: filepath,
 }
+ // Rigth checking
+ operatorID, _ := rctx.GetString(userTag)
+ opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightReadFiles, "")
+ if err != nil {
+ err := fmt.Errorf("Operation error: %v", err)
+ hand.SendError(rctx, err)
+ return
+ }
+ if !opEnable {
+ err := fmt.Errorf("Operation not enabled for this account")
+ hand.SendError(rctx, err)
+ return
+ }
+ // Execution of the operation
 ctx := rctx.GetContext()
 code, res, err := hand.oper.FileInfo(ctx, params)
 if err != nil {
@@ -52,8 +68,21 @@ func (hand *Handler) PutFile(rctx *router.Context) {
 ContentSize: contentSize,
 Source: rctx.Request.Body,
 }
+ // Rigth checking
+ operatorID, _ := rctx.GetString(userTag)
+ opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightWriteFiles, "")
+ if err != nil {
+ err := fmt.Errorf("Operation error: %v", err)
+ hand.SendError(rctx, err)
+ return
+ }
+ if !opEnable {
+ err := fmt.Errorf("Operation not enabled for this account")
+ hand.SendError(rctx, err)
+ return
+ }
+ // Execution of the operation
 ctx := rctx.GetContext()
-
 code, _, err := hand.oper.PutFile(ctx, params)
 if err != nil {
 hand.logg.Errorf("PutFile error: %v", err)
@@ -69,6 +98,20 @@ func (hand *Handler) GetFile(rctx *router.Context) {
 params := &operator.GetFileParams{
 Filepath: filepath,
 }
+ // Rigth checking
+ operatorID, _ := rctx.GetString(userTag)
+ opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightReadFiles, "")
+ if err != nil {
+ err := fmt.Errorf("Operation error: %v", err)
+ hand.SendError(rctx, err)
+ return
+ }
+ if !opEnable {
+ err := fmt.Errorf("Operation not enabled for this account")
+ hand.SendError(rctx, err)
+ return
+ }
+ // Execution of the operation
 ctx := rctx.GetContext()
 code, res, err := hand.oper.GetFile(ctx, params)
 if err != nil {
@@ -99,6 +142,20 @@ func (hand *Handler) DeleteFile(rctx *router.Context) { params := &operator.DeleteFileParams{ Filepath: filepath, } + // Rigth checking + operatorID, _ := rctx.GetString(userTag) + opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightWriteFiles, "") + if err != nil { + err := fmt.Errorf("Operation error: %v", err) + hand.SendError(rctx, err) + return + } + if !opEnable { + err := fmt.Errorf("Operation not enabled for this account") + hand.SendError(rctx, err) + return + } + // Execution of the operation ctx := rctx.GetContext() code, _, err := hand.oper.DeleteFile(ctx, params) if err != nil { @@ -117,8 +174,21 @@ func (hand *Handler) ListFiles(rctx *router.Context) { params := &operator.ListFilesParams{ Filepath: filepath, } + // Rigth checking + operatorID, _ := rctx.GetString(userTag) + opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightReadFiles, "") + if err != nil { + err := fmt.Errorf("Operation error: %v", err) + hand.SendError(rctx, err) + return + } + if !opEnable { + err := fmt.Errorf("Operation not enabled for this account") + hand.SendError(rctx, err) + return + } + // Execution of the operation ctx := rctx.GetContext() - code, res, err := hand.oper.ListFiles(ctx, params) if err != nil { hand.logg.Errorf("ListFiles error: %v", err) diff --git a/app/handler/grant.go b/app/handler/grant.go index 68389d7..44c8ac4 100644 --- a/app/handler/grant.go +++ b/app/handler/grant.go @@ -10,6 +10,9 @@ package handler import ( + "fmt" + + "mstore/app/descr" "mstore/app/operator" "mstore/app/router" ) 
@@ -24,6 +27,20 @@ func (hand *Handler) CreateGrant(rctx *router.Context) {
 hand.SendError(rctx, err)
 return
 }
+ // Rigth checking
+ operatorID, _ := rctx.GetString(userTag)
+ opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightWriteGrants, "")
+ if err != nil {
+ err := fmt.Errorf("Operation error: %v", err)
+ hand.SendError(rctx, err)
+ return
+ }
+ if !opEnable {
+ err := fmt.Errorf("Operation not enabled for this account")
+ hand.SendError(rctx, err)
+ return
+ }
+ // Execution of the operation
 res, err := hand.oper.CreateGrant(rctx.Ctx, params)
 if err != nil {
 hand.logg.Errorf("CreateGrant error: %v", err)
@@ -43,6 +60,20 @@ func (hand *Handler) GetGrant(rctx *router.Context) {
 hand.SendError(rctx, err)
 return
 }
+ // Rigth checking
+ operatorID, _ := rctx.GetString(userTag)
+ opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightReadGrants, "")
+ if err != nil {
+ err := fmt.Errorf("Operation error: %v", err)
+ hand.SendError(rctx, err)
+ return
+ }
+ if !opEnable {
+ err := fmt.Errorf("Operation not enabled for this account")
+ hand.SendError(rctx, err)
+ return
+ }
+ // Execution of the operation
 res, err := hand.oper.GetGrant(rctx.Ctx, params)
 if err != nil {
 hand.logg.Errorf("CreateGrant error: %v", err)
@@ -62,6 +93,20 @@ func (hand *Handler) ListGrants(rctx *router.Context) {
 hand.SendError(rctx, err)
 return
 }
+ // Rigth checking
+ operatorID, _ := rctx.GetString(userTag)
+ opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightReadGrants, "")
+ if err != nil {
+ err := fmt.Errorf("Operation error: %v", err)
+ hand.SendError(rctx, err)
+ return
+ }
+ if !opEnable {
+ err := fmt.Errorf("Operation not enabled for this account")
+ hand.SendError(rctx, err)
+ return
+ }
+ // Execution of the operation
 res, err := hand.oper.ListGrants(rctx.Ctx, params)
 if err != nil {
 hand.logg.Errorf("ListGrants error: %v", err)
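Review bot: CreateGrant is gated only on `descr.RightWriteGrants` with an empty subject, so the check cannot take into account which account or which right the new grant is for. Unless hand.oper.CreateGrant enforces it (not visible here), any holder of the write-grants right can issue grants to itself or to others, including rights it does not hold. Consider passing the grant's target from `params` as the subject and rejecting grants of rights the operator lacks. At minimum, add a comment on this handler stating that the write-grants right is equivalent to full administration.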
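Review bot: GetGrant still logs `hand.logg.Errorf("CreateGrant error: %v", err)` on the context line after the added block, the same copy-paste slip this commit touched in GetAccount. Change it to `hand.logg.Errorf("GetGrant error: %v", err)` so the log names the handler that failed. The added comment `// Rigth checking` is also misspelled in every block; `// Right check` would read correctly.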
@@ -81,6 +126,20 @@ func (hand *Handler) UpdateGrant(rctx *router.Context) { hand.SendError(rctx, err) return } + // Rigth checking + operatorID, _ := rctx.GetString(userTag) + opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightWriteGrants, "") + if err != nil { + err := fmt.Errorf("Operation error: %v", err) + hand.SendError(rctx, err) + return + } + if !opEnable { + err := fmt.Errorf("Operation not enabled for this account") + hand.SendError(rctx, err) + return + } + // Execution of the operation res, err := hand.oper.UpdateGrant(rctx.Ctx, params) if err != nil { hand.logg.Errorf("UpdateGrant error: %v", err) @@ -100,6 +159,20 @@ func (hand *Handler) DeleteGrant(rctx *router.Context) { hand.SendError(rctx, err) return } + // Rigth checking + operatorID, _ := rctx.GetString(userTag) + opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightWriteGrants, "") + if err != nil { + err := fmt.Errorf("Operation error: %v", err) + hand.SendError(rctx, err) + return + } + if !opEnable { + err := fmt.Errorf("Operation not enabled for this account") + hand.SendError(rctx, err) + return + } + // Execution of the operation res, err := hand.oper.DeleteGrant(rctx.Ctx, params) if err != nil { hand.logg.Errorf("DeleteGrant error: %v", err) diff --git a/app/handler/manifest.go b/app/handler/manifest.go index 5738472..18c1038 100644 --- a/app/handler/manifest.go +++ b/app/handler/manifest.go @@ -10,8 +10,10 @@ package handler import ( + "fmt" "net/http" + "mstore/app/descr" "mstore/app/operator" "mstore/app/router" ) 
@@ -24,6 +26,20 @@ func (hand *Handler) ManifestExists(rctx *router.Context) {
 Name: name,
 Reference: reference,
 }
+ // Rigth checking
+ operatorID, _ := rctx.GetString(userTag)
+ opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightReadImages, "")
+ if err != nil {
+ err := fmt.Errorf("Operation error: %v", err)
+ hand.SendError(rctx, err)
+ return
+ }
+ if !opEnable {
+ err := fmt.Errorf("Operation not enabled for this account")
+ hand.SendError(rctx, err)
+ return
+ }
+ // Execution of the operation
 ctx := rctx.GetContext()
 res, code, err := hand.oper.ManifestExists(ctx, params)
 if err != nil {
@@ -54,6 +70,20 @@ func (hand *Handler) PutManifest(rctx *router.Context) {
 Reference: reference,
 Reader: rctx.Request.Body,
 }
+ // Rigth checking
+ operatorID, _ := rctx.GetString(userTag)
+ opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightWriteImages, "")
+ if err != nil {
+ err := fmt.Errorf("Operation error: %v", err)
+ hand.SendError(rctx, err)
+ return
+ }
+ if !opEnable {
+ err := fmt.Errorf("Operation not enabled for this account")
+ hand.SendError(rctx, err)
+ return
+ }
+ // Execution of the operation
 ctx := rctx.GetContext()
 res, code, err := hand.oper.PutManifest(ctx, params)
 if err != nil {
@@ -73,6 +103,20 @@ func (hand *Handler) GetManifest(rctx *router.Context) {
 Name: name,
 Reference: reference,
 }
+ // Rigth checking
+ operatorID, _ := rctx.GetString(userTag)
+ opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightReadImages, "")
+ if err != nil {
+ err := fmt.Errorf("Operation error: %v", err)
+ hand.SendError(rctx, err)
+ return
+ }
+ if !opEnable {
+ err := fmt.Errorf("Operation not enabled for this account")
+ hand.SendError(rctx, err)
+ return
+ }
+ // Execution of the operation
 ctx := rctx.GetContext()
 res, code, err := hand.oper.GetManifest(ctx, params)
 if err != nil {
@@ -99,6 +143,20 @@ func (hand *Handler) DeleteManifest(rctx *router.Context) { Name: name, Reference: reference, } + // Rigth checking + operatorID, _ := rctx.GetString(userTag) + opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightWriteImages, "") + if err != nil { + err := fmt.Errorf("Operation error: %v", err) + hand.SendError(rctx, err) + return + } + if !opEnable { + err := fmt.Errorf("Operation not enabled for this account") + hand.SendError(rctx, err) + return + } + // Execution of the operation ctx := rctx.GetContext() _, code, err := hand.oper.DeleteManifest(ctx, params) if err != nil { @@ -116,6 +174,20 @@ func (hand *Handler) GetReferer(rctx *router.Context) { Name: name, Digest: digest, } + // Rigth checking + operatorID, _ := rctx.GetString(userTag) + opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightReadImages, "") + if err != nil { + err := fmt.Errorf("Operation error: %v", err) + hand.SendError(rctx, err) + return + } + if !opEnable { + err := fmt.Errorf("Operation not enabled for this account") + hand.SendError(rctx, err) + return + } + // Execution of the operation res, code, err := hand.oper.GetReferer(rctx.Ctx, params) if err != nil { hand.logg.Errorf("GetReferer error: %v", err) @@ -130,6 +202,20 @@ func (hand *Handler) GetTags(rctx *router.Context) { params := &operator.GetTagsParams{ Name: name, } + // Rigth checking + operatorID, _ := rctx.GetString(userTag) + opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightReadImages, "") + if err != nil { + err := fmt.Errorf("Operation error: %v", err) + hand.SendError(rctx, err) + return + } + if !opEnable { + err := fmt.Errorf("Operation not enabled for this account") + hand.SendError(rctx, err) + return + } + // Execution of the operation ctx := rctx.GetContext() res, code, err := hand.oper.GetTags(ctx, params) if err != nil { diff --git a/pkg/client/account_test.go b/pkg/client/account_test.go index 5927ec8..63464bc 100644 
--- a/pkg/client/account_test.go +++ b/pkg/client/account_test.go @@ -115,7 +115,6 @@ func TestAccountLife(t *testing.T) { fmt.Printf("accounts:\n%s\n", string(accountsYAML)) } - { // DeleteAccount fmt.Printf("=== DeleteAccount ===\n")