working commit

app/handler/account.go

@@ -12,7 +12,13 @@ import (
 func (hand *Handler) CheckRight(ctx context.Context, accountID, right, subject string) (bool, error) {
 	var err error
 	var res bool
-	hand.logg.Debugf("CheckRight %s: %s %s", accountID, right, subject)
+	hand.logg.Debugf("Cop check your right %s: %s %s", accountID, right, subject)
+	//         =[]=
+	//        /------\
+	//   .---[-]  [#] \--,
+	//  >|   [ ]  [ ]    |
+	//   '--0-------0----'
+	//  Bad news for you, baby.... #
 
 	res = true
 	return res, err
@@ -28,23 +34,23 @@ func (hand *Handler) CreateAccount(rctx *router.Context) {
 		hand.SendError(rctx, err)
 		return
 	}
-
+	// Rigth checking
 	operatorID, _ := rctx.GetString(userTag)
-	opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightWriteAccounts, params.Username)
+	opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightWriteAccounts, "")
 	if err != nil {
-		err := fmt.Errorf("CreateAccount error: %v", err)
+		err := fmt.Errorf("Operation error: %v", err)
 		hand.SendError(rctx, err)
 		return
 	}
 	if !opEnable {
-		err := fmt.Errorf("CreateAccount not enabled for this user")
+		err := fmt.Errorf("Operation not enabled for this account")
 		hand.SendError(rctx, err)
 		return
 	}
-
+	// Execution of the operation
 	res, err := hand.oper.CreateAccount(rctx.Ctx, operatorID, params)
 	if err != nil {
-		hand.logg.Errorf("CreateAccount error: %v", err)
+		hand.logg.Errorf("Operation error: %v", err)
 		hand.SendError(rctx, err)
 		return
 	}
@@ -61,9 +67,23 @@ func (hand *Handler) GetAccount(rctx *router.Context) {
 		hand.SendError(rctx, err)
 		return
 	}
+	// Rigth checking
+	operatorID, _ := rctx.GetString(userTag)
+	opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightWriteAccounts, "")
+	if err != nil {
+		err := fmt.Errorf("Operation error: %v", err)
+		hand.SendError(rctx, err)
+		return
+	}
+	if !opEnable {
+		err := fmt.Errorf("Operation not enabled for this account")
+		hand.SendError(rctx, err)
+		return
+	}
+	// Execution of the operation
 	res, err := hand.oper.GetAccount(rctx.Ctx, params)
 	if err != nil {
-		hand.logg.Errorf("CreateAccount error: %v", err)
+		hand.logg.Errorf("Operation error: %v", err)
 		hand.SendError(rctx, err)
 		return
 	}
@@ -80,6 +100,20 @@ func (hand *Handler) ListAccounts(rctx *router.Context) {
 		hand.SendError(rctx, err)
 		return
 	}
+	// Rigth checking
+	operatorID, _ := rctx.GetString(userTag)
+	opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightWriteAccounts, "")
+	if err != nil {
+		err := fmt.Errorf("Operation error: %v", err)
+		hand.SendError(rctx, err)
+		return
+	}
+	if !opEnable {
+		err := fmt.Errorf("Operation not enabled for this account")
+		hand.SendError(rctx, err)
+		return
+	}
+	// Execution of the operation
 	res, err := hand.oper.ListAccounts(rctx.Ctx, params)
 	if err != nil {
 		hand.logg.Errorf("ListAccounts error: %v", err)
@@ -99,6 +133,20 @@ func (hand *Handler) UpdateAccount(rctx *router.Context) {
 		hand.SendError(rctx, err)
 		return
 	}
+	// Rigth checking
+	operatorID, _ := rctx.GetString(userTag)
+	opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightWriteAccounts, "")
+	if err != nil {
+		err := fmt.Errorf("Operation error: %v", err)
+		hand.SendError(rctx, err)
+		return
+	}
+	if !opEnable {
+		err := fmt.Errorf("Operation not enabled for this account")
+		hand.SendError(rctx, err)
+		return
+	}
+	// Execution of the operation
 	res, err := hand.oper.UpdateAccount(rctx.Ctx, params)
 	if err != nil {
 		hand.logg.Errorf("UpdateAccount error: %v", err)
@@ -118,6 +166,20 @@ func (hand *Handler) DeleteAccount(rctx *router.Context) {
 		hand.SendError(rctx, err)
 		return
 	}
+	// Rigth checking
+	operatorID, _ := rctx.GetString(userTag)
+	opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightWriteAccounts, params.Username)
+	if err != nil {
+		err := fmt.Errorf("Operation error: %v", err)
+		hand.SendError(rctx, err)
+		return
+	}
+	if !opEnable {
+		err := fmt.Errorf("Operation not enabled for this account")
+		hand.SendError(rctx, err)
+		return
+	}
+	// Execution of the operation
 	res, err := hand.oper.DeleteAccount(rctx.Ctx, params)
 	if err != nil {
 		hand.logg.Errorf("DeleteAccount error: %v", err)

app/handler/blob.go

@@ -11,9 +11,11 @@
 package handler
 
 import (
+	"fmt"
 	"io"
 	"net/http"
 
+	"mstore/app/descr"
 	"mstore/app/operator"
 	"mstore/app/router"
 )
@@ -29,6 +31,20 @@ func (hand *Handler) BlobExists(rctx *router.Context) {
 		Name:   name,
 		Digest: digest,
 	}
+	// Rigth checking
+	operatorID, _ := rctx.GetString(userTag)
+	opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightReadImages, "")
+	if err != nil {
+		err := fmt.Errorf("Operation error: %v", err)
+		hand.SendError(rctx, err)
+		return
+	}
+	if !opEnable {
+		err := fmt.Errorf("Operation not enabled for this account")
+		hand.SendError(rctx, err)
+		return
+	}
+	// Execution of the operation
 	ctx := rctx.GetContext()
 	res, code, err := hand.oper.BlobExists(ctx, params)
 	if err != nil {
@@ -57,6 +73,20 @@ func (hand *Handler) PostUpload(rctx *router.Context) {
 		Mount:  mount,
 		From:   from,
 	}
+	// Rigth checking
+	operatorID, _ := rctx.GetString(userTag)
+	opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightWriteImages, "")
+	if err != nil {
+		err := fmt.Errorf("Operation error: %v", err)
+		hand.SendError(rctx, err)
+		return
+	}
+	if !opEnable {
+		err := fmt.Errorf("Operation not enabled for this account")
+		hand.SendError(rctx, err)
+		return
+	}
+	// Execution of the operation
 	res, code, err := hand.oper.PostUpload(rctx.Ctx, params)
 	if err != nil {
 		hand.logg.Errorf("PostUpload error: %v", err)
@@ -90,6 +120,20 @@ func (hand *Handler) PatchUpload(rctx *router.Context) {
 		Reference:     reference,
 		Reader:        reader,
 	}
+	// Rigth checking
+	operatorID, _ := rctx.GetString(userTag)
+	opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightWriteImages, "")
+	if err != nil {
+		err := fmt.Errorf("Operation error: %v", err)
+		hand.SendError(rctx, err)
+		return
+	}
+	if !opEnable {
+		err := fmt.Errorf("Operation not enabled for this account")
+		hand.SendError(rctx, err)
+		return
+	}
+	// Execution of the operation
 	ctx := rctx.GetContext()
 	res, code, err := hand.oper.PatchUpload(ctx, params)
 	if err != nil {
@@ -122,6 +166,20 @@ func (hand *Handler) PutUpload(rctx *router.Context) {
 		Reference:     reference,
 		Digest:        digest,
 	}
+	// Rigth checking
+	operatorID, _ := rctx.GetString(userTag)
+	opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightWriteImages, "")
+	if err != nil {
+		err := fmt.Errorf("Operation error: %v", err)
+		hand.SendError(rctx, err)
+		return
+	}
+	if !opEnable {
+		err := fmt.Errorf("Operation not enabled for this account")
+		hand.SendError(rctx, err)
+		return
+	}
+	// Execution of the operation
 	res, code, err := hand.oper.PutUpload(rctx.Ctx, params)
 	if err != nil {
 		hand.logg.Errorf("PutUpload error: %v", err)
@@ -140,6 +198,20 @@ func (hand *Handler) GetBlob(rctx *router.Context) {
 		Name:   name,
 		Digest: digest,
 	}
+	// Rigth checking
+	operatorID, _ := rctx.GetString(userTag)
+	opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightReadImages, "")
+	if err != nil {
+		err := fmt.Errorf("Operation error: %v", err)
+		hand.SendError(rctx, err)
+		return
+	}
+	if !opEnable {
+		err := fmt.Errorf("Operation not enabled for this account")
+		hand.SendError(rctx, err)
+		return
+	}
+	// Execution of the operation
 	ctx := rctx.GetContext()
 	res, code, err := hand.oper.GetBlob(ctx, params)
 	if err != nil {
@@ -174,6 +246,20 @@ func (hand *Handler) DeleteBlob(rctx *router.Context) {
 		Name:   name,
 		Digest: digest,
 	}
+	// Rigth checking
+	operatorID, _ := rctx.GetString(userTag)
+	opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightWriteImages, "")
+	if err != nil {
+		err := fmt.Errorf("Operation error: %v", err)
+		hand.SendError(rctx, err)
+		return
+	}
+	if !opEnable {
+		err := fmt.Errorf("Operation not enabled for this account")
+		hand.SendError(rctx, err)
+		return
+	}
+	// Execution of the operation
 	ctx := rctx.GetContext()
 	_, code, err := hand.oper.DeleteBlob(ctx, params)
 	if err != nil {

app/handler/file.go

@@ -10,8 +10,10 @@
 package handler
 
 import (
+	"fmt"
 	"io"
 
+	"mstore/app/descr"
 	"mstore/app/operator"
 	"mstore/app/router"
 )
@@ -24,6 +26,20 @@ func (hand *Handler) FileInfo(rctx *router.Context) {
 	params := &operator.FileInfoParams{
 		Filepath: filepath,
 	}
+	// Rigth checking
+	operatorID, _ := rctx.GetString(userTag)
+	opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightReadFiles, "")
+	if err != nil {
+		err := fmt.Errorf("Operation error: %v", err)
+		hand.SendError(rctx, err)
+		return
+	}
+	if !opEnable {
+		err := fmt.Errorf("Operation not enabled for this account")
+		hand.SendError(rctx, err)
+		return
+	}
+	// Execution of the operation
 	ctx := rctx.GetContext()
 	code, res, err := hand.oper.FileInfo(ctx, params)
 	if err != nil {
@@ -52,8 +68,21 @@ func (hand *Handler) PutFile(rctx *router.Context) {
 		ContentSize: contentSize,
 		Source:      rctx.Request.Body,
 	}
+	// Rigth checking
+	operatorID, _ := rctx.GetString(userTag)
+	opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightWriteFiles, "")
+	if err != nil {
+		err := fmt.Errorf("Operation error: %v", err)
+		hand.SendError(rctx, err)
+		return
+	}
+	if !opEnable {
+		err := fmt.Errorf("Operation not enabled for this account")
+		hand.SendError(rctx, err)
+		return
+	}
+	// Execution of the operation
 	ctx := rctx.GetContext()
-
 	code, _, err := hand.oper.PutFile(ctx, params)
 	if err != nil {
 		hand.logg.Errorf("PutFile error: %v", err)
@@ -69,6 +98,20 @@ func (hand *Handler) GetFile(rctx *router.Context) {
 	params := &operator.GetFileParams{
 		Filepath: filepath,
 	}
+	// Rigth checking
+	operatorID, _ := rctx.GetString(userTag)
+	opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightReadFiles, "")
+	if err != nil {
+		err := fmt.Errorf("Operation error: %v", err)
+		hand.SendError(rctx, err)
+		return
+	}
+	if !opEnable {
+		err := fmt.Errorf("Operation not enabled for this account")
+		hand.SendError(rctx, err)
+		return
+	}
+	// Execution of the operation
 	ctx := rctx.GetContext()
 	code, res, err := hand.oper.GetFile(ctx, params)
 	if err != nil {
@@ -99,6 +142,20 @@ func (hand *Handler) DeleteFile(rctx *router.Context) {
 	params := &operator.DeleteFileParams{
 		Filepath: filepath,
 	}
+	// Rigth checking
+	operatorID, _ := rctx.GetString(userTag)
+	opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightWriteFiles, "")
+	if err != nil {
+		err := fmt.Errorf("Operation error: %v", err)
+		hand.SendError(rctx, err)
+		return
+	}
+	if !opEnable {
+		err := fmt.Errorf("Operation not enabled for this account")
+		hand.SendError(rctx, err)
+		return
+	}
+	// Execution of the operation
 	ctx := rctx.GetContext()
 	code, _, err := hand.oper.DeleteFile(ctx, params)
 	if err != nil {
@@ -117,8 +174,21 @@ func (hand *Handler) ListFiles(rctx *router.Context) {
 	params := &operator.ListFilesParams{
 		Filepath: filepath,
 	}
+	// Rigth checking
+	operatorID, _ := rctx.GetString(userTag)
+	opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightReadFiles, "")
+	if err != nil {
+		err := fmt.Errorf("Operation error: %v", err)
+		hand.SendError(rctx, err)
+		return
+	}
+	if !opEnable {
+		err := fmt.Errorf("Operation not enabled for this account")
+		hand.SendError(rctx, err)
+		return
+	}
+	// Execution of the operation
 	ctx := rctx.GetContext()
-
 	code, res, err := hand.oper.ListFiles(ctx, params)
 	if err != nil {
 		hand.logg.Errorf("ListFiles error: %v", err)

app/handler/grant.go

@@ -10,6 +10,9 @@
 package handler
 
 import (
+	"fmt"
+
+	"mstore/app/descr"
 	"mstore/app/operator"
 	"mstore/app/router"
 )
@@ -24,6 +27,20 @@ func (hand *Handler) CreateGrant(rctx *router.Context) {
 		hand.SendError(rctx, err)
 		return
 	}
+	// Rigth checking
+	operatorID, _ := rctx.GetString(userTag)
+	opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightWriteGrants, "")
+	if err != nil {
+		err := fmt.Errorf("Operation error: %v", err)
+		hand.SendError(rctx, err)
+		return
+	}
+	if !opEnable {
+		err := fmt.Errorf("Operation not enabled for this account")
+		hand.SendError(rctx, err)
+		return
+	}
+	// Execution of the operation
 	res, err := hand.oper.CreateGrant(rctx.Ctx, params)
 	if err != nil {
 		hand.logg.Errorf("CreateGrant error: %v", err)
@@ -43,6 +60,20 @@ func (hand *Handler) GetGrant(rctx *router.Context) {
 		hand.SendError(rctx, err)
 		return
 	}
+	// Rigth checking
+	operatorID, _ := rctx.GetString(userTag)
+	opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightReadGrants, "")
+	if err != nil {
+		err := fmt.Errorf("Operation error: %v", err)
+		hand.SendError(rctx, err)
+		return
+	}
+	if !opEnable {
+		err := fmt.Errorf("Operation not enabled for this account")
+		hand.SendError(rctx, err)
+		return
+	}
+	// Execution of the operation
 	res, err := hand.oper.GetGrant(rctx.Ctx, params)
 	if err != nil {
 		hand.logg.Errorf("CreateGrant error: %v", err)
@@ -62,6 +93,20 @@ func (hand *Handler) ListGrants(rctx *router.Context) {
 		hand.SendError(rctx, err)
 		return
 	}
+	// Rigth checking
+	operatorID, _ := rctx.GetString(userTag)
+	opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightReadGrants, "")
+	if err != nil {
+		err := fmt.Errorf("Operation error: %v", err)
+		hand.SendError(rctx, err)
+		return
+	}
+	if !opEnable {
+		err := fmt.Errorf("Operation not enabled for this account")
+		hand.SendError(rctx, err)
+		return
+	}
+	// Execution of the operation
 	res, err := hand.oper.ListGrants(rctx.Ctx, params)
 	if err != nil {
 		hand.logg.Errorf("ListGrants error: %v", err)
@@ -81,6 +126,20 @@ func (hand *Handler) UpdateGrant(rctx *router.Context) {
 		hand.SendError(rctx, err)
 		return
 	}
+	// Rigth checking
+	operatorID, _ := rctx.GetString(userTag)
+	opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightWriteGrants, "")
+	if err != nil {
+		err := fmt.Errorf("Operation error: %v", err)
+		hand.SendError(rctx, err)
+		return
+	}
+	if !opEnable {
+		err := fmt.Errorf("Operation not enabled for this account")
+		hand.SendError(rctx, err)
+		return
+	}
+	// Execution of the operation
 	res, err := hand.oper.UpdateGrant(rctx.Ctx, params)
 	if err != nil {
 		hand.logg.Errorf("UpdateGrant error: %v", err)
@@ -100,6 +159,20 @@ func (hand *Handler) DeleteGrant(rctx *router.Context) {
 		hand.SendError(rctx, err)
 		return
 	}
+	// Rigth checking
+	operatorID, _ := rctx.GetString(userTag)
+	opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightWriteGrants, "")
+	if err != nil {
+		err := fmt.Errorf("Operation error: %v", err)
+		hand.SendError(rctx, err)
+		return
+	}
+	if !opEnable {
+		err := fmt.Errorf("Operation not enabled for this account")
+		hand.SendError(rctx, err)
+		return
+	}
+	// Execution of the operation
 	res, err := hand.oper.DeleteGrant(rctx.Ctx, params)
 	if err != nil {
 		hand.logg.Errorf("DeleteGrant error: %v", err)

app/handler/manifest.go

@@ -10,8 +10,10 @@
 package handler
 
 import (
+	"fmt"
 	"net/http"
 
+	"mstore/app/descr"
 	"mstore/app/operator"
 	"mstore/app/router"
 )
@@ -24,6 +26,20 @@ func (hand *Handler) ManifestExists(rctx *router.Context) {
 		Name:      name,
 		Reference: reference,
 	}
+	// Rigth checking
+	operatorID, _ := rctx.GetString(userTag)
+	opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightReadImages, "")
+	if err != nil {
+		err := fmt.Errorf("Operation error: %v", err)
+		hand.SendError(rctx, err)
+		return
+	}
+	if !opEnable {
+		err := fmt.Errorf("Operation not enabled for this account")
+		hand.SendError(rctx, err)
+		return
+	}
+	// Execution of the operation
 	ctx := rctx.GetContext()
 	res, code, err := hand.oper.ManifestExists(ctx, params)
 	if err != nil {
@@ -54,6 +70,20 @@ func (hand *Handler) PutManifest(rctx *router.Context) {
 		Reference:     reference,
 		Reader:        rctx.Request.Body,
 	}
+	// Rigth checking
+	operatorID, _ := rctx.GetString(userTag)
+	opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightWriteImages, "")
+	if err != nil {
+		err := fmt.Errorf("Operation error: %v", err)
+		hand.SendError(rctx, err)
+		return
+	}
+	if !opEnable {
+		err := fmt.Errorf("Operation not enabled for this account")
+		hand.SendError(rctx, err)
+		return
+	}
+	// Execution of the operation
 	ctx := rctx.GetContext()
 	res, code, err := hand.oper.PutManifest(ctx, params)
 	if err != nil {
@@ -73,6 +103,20 @@ func (hand *Handler) GetManifest(rctx *router.Context) {
 		Name:      name,
 		Reference: reference,
 	}
+	// Rigth checking
+	operatorID, _ := rctx.GetString(userTag)
+	opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightReadImages, "")
+	if err != nil {
+		err := fmt.Errorf("Operation error: %v", err)
+		hand.SendError(rctx, err)
+		return
+	}
+	if !opEnable {
+		err := fmt.Errorf("Operation not enabled for this account")
+		hand.SendError(rctx, err)
+		return
+	}
+	// Execution of the operation
 	ctx := rctx.GetContext()
 	res, code, err := hand.oper.GetManifest(ctx, params)
 	if err != nil {
@@ -99,6 +143,20 @@ func (hand *Handler) DeleteManifest(rctx *router.Context) {
 		Name:      name,
 		Reference: reference,
 	}
+	// Rigth checking
+	operatorID, _ := rctx.GetString(userTag)
+	opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightWriteImages, "")
+	if err != nil {
+		err := fmt.Errorf("Operation error: %v", err)
+		hand.SendError(rctx, err)
+		return
+	}
+	if !opEnable {
+		err := fmt.Errorf("Operation not enabled for this account")
+		hand.SendError(rctx, err)
+		return
+	}
+	// Execution of the operation
 	ctx := rctx.GetContext()
 	_, code, err := hand.oper.DeleteManifest(ctx, params)
 	if err != nil {
@@ -116,6 +174,20 @@ func (hand *Handler) GetReferer(rctx *router.Context) {
 		Name:   name,
 		Digest: digest,
 	}
+	// Rigth checking
+	operatorID, _ := rctx.GetString(userTag)
+	opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightReadImages, "")
+	if err != nil {
+		err := fmt.Errorf("Operation error: %v", err)
+		hand.SendError(rctx, err)
+		return
+	}
+	if !opEnable {
+		err := fmt.Errorf("Operation not enabled for this account")
+		hand.SendError(rctx, err)
+		return
+	}
+	// Execution of the operation
 	res, code, err := hand.oper.GetReferer(rctx.Ctx, params)
 	if err != nil {
 		hand.logg.Errorf("GetReferer error: %v", err)
@@ -130,6 +202,20 @@ func (hand *Handler) GetTags(rctx *router.Context) {
 	params := &operator.GetTagsParams{
 		Name: name,
 	}
+	// Rigth checking
+	operatorID, _ := rctx.GetString(userTag)
+	opEnable, err := hand.CheckRight(rctx.Ctx, operatorID, descr.RightReadImages, "")
+	if err != nil {
+		err := fmt.Errorf("Operation error: %v", err)
+		hand.SendError(rctx, err)
+		return
+	}
+	if !opEnable {
+		err := fmt.Errorf("Operation not enabled for this account")
+		hand.SendError(rctx, err)
+		return
+	}
+	// Execution of the operation
 	ctx := rctx.GetContext()
 	res, code, err := hand.oper.GetTags(ctx, params)
 	if err != nil {

pkg/client/account_test.go

@@ -115,7 +115,6 @@ func TestAccountLife(t *testing.T) {
 		fmt.Printf("accounts:\n%s\n", string(accountsYAML))
 
 	}
-
 	{
 		// DeleteAccount
 		fmt.Printf("=== DeleteAccount ===\n")