More polishing, more docs; the only thing left are tests for access.go
This commit is contained in:
parent
d714af43c9
commit
4972407145
3 changed files with 25 additions and 19 deletions
|
@ -96,17 +96,23 @@ func changeAccess(c *cli.Context, manager auth.Manager, username string, topic s
|
||||||
}
|
}
|
||||||
read := util.InStringList([]string{"read-write", "rw", "read-only", "read", "ro"}, perms)
|
read := util.InStringList([]string{"read-write", "rw", "read-only", "read", "ro"}, perms)
|
||||||
write := util.InStringList([]string{"read-write", "rw", "write-only", "write", "wo"}, perms)
|
write := util.InStringList([]string{"read-write", "rw", "write-only", "write", "wo"}, perms)
|
||||||
|
user, err := manager.User(username)
|
||||||
|
if err == auth.ErrNotFound {
|
||||||
|
return fmt.Errorf("user %s does not exist", username)
|
||||||
|
} else if user.Role == auth.RoleAdmin {
|
||||||
|
return fmt.Errorf("user %s is an admin user, access control entries have no effect", username)
|
||||||
|
}
|
||||||
if err := manager.AllowAccess(username, topic, read, write); err != nil {
|
if err := manager.AllowAccess(username, topic, read, write); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if read && write {
|
if read && write {
|
||||||
fmt.Fprintf(c.App.ErrWriter, "Granted read-write access to topic %s\n\n", topic)
|
fmt.Fprintf(c.App.ErrWriter, "granted read-write access to topic %s\n\n", topic)
|
||||||
} else if read {
|
} else if read {
|
||||||
fmt.Fprintf(c.App.ErrWriter, "Granted read-only access to topic %s\n\n", topic)
|
fmt.Fprintf(c.App.ErrWriter, "granted read-only access to topic %s\n\n", topic)
|
||||||
} else if write {
|
} else if write {
|
||||||
fmt.Fprintf(c.App.ErrWriter, "Granted write-only access to topic %s\n\n", topic)
|
fmt.Fprintf(c.App.ErrWriter, "granted write-only access to topic %s\n\n", topic)
|
||||||
} else {
|
} else {
|
||||||
fmt.Fprintf(c.App.ErrWriter, "Revoked all access to topic %s\n\n", topic)
|
fmt.Fprintf(c.App.ErrWriter, "revoked all access to topic %s\n\n", topic)
|
||||||
}
|
}
|
||||||
return showUserAccess(c, manager, username)
|
return showUserAccess(c, manager, username)
|
||||||
}
|
}
|
||||||
|
@ -124,7 +130,7 @@ func resetAllAccess(c *cli.Context, manager auth.Manager) error {
|
||||||
if err := manager.ResetAccess("", ""); err != nil {
|
if err := manager.ResetAccess("", ""); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
fmt.Fprintln(c.App.ErrWriter, "Reset access for all users")
|
fmt.Fprintln(c.App.ErrWriter, "reset access for all users")
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -132,7 +138,7 @@ func resetUserAccess(c *cli.Context, manager auth.Manager, username string) erro
|
||||||
if err := manager.ResetAccess(username, ""); err != nil {
|
if err := manager.ResetAccess(username, ""); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
fmt.Fprintf(c.App.ErrWriter, "Reset access for user %s\n\n", username)
|
fmt.Fprintf(c.App.ErrWriter, "reset access for user %s\n\n", username)
|
||||||
return showUserAccess(c, manager, username)
|
return showUserAccess(c, manager, username)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -140,7 +146,7 @@ func resetUserTopicAccess(c *cli.Context, manager auth.Manager, username string,
|
||||||
if err := manager.ResetAccess(username, topic); err != nil {
|
if err := manager.ResetAccess(username, topic); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
fmt.Fprintf(c.App.ErrWriter, "Reset access for user %s and topic %s\n\n", username, topic)
|
fmt.Fprintf(c.App.ErrWriter, "reset access for user %s and topic %s\n\n", username, topic)
|
||||||
return showUserAccess(c, manager, username)
|
return showUserAccess(c, manager, username)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -171,7 +177,7 @@ func showUserAccess(c *cli.Context, manager auth.Manager, username string) error
|
||||||
|
|
||||||
func showUsers(c *cli.Context, manager auth.Manager, users []*auth.User) error {
|
func showUsers(c *cli.Context, manager auth.Manager, users []*auth.User) error {
|
||||||
for _, user := range users {
|
for _, user := range users {
|
||||||
fmt.Fprintf(c.App.ErrWriter, "User %s (%s)\n", user.Name, user.Role)
|
fmt.Fprintf(c.App.ErrWriter, "user %s (%s)\n", user.Name, user.Role)
|
||||||
if user.Role == auth.RoleAdmin {
|
if user.Role == auth.RoleAdmin {
|
||||||
fmt.Fprintf(c.App.ErrWriter, "- read-write access to all topics (admin role)\n")
|
fmt.Fprintf(c.App.ErrWriter, "- read-write access to all topics (admin role)\n")
|
||||||
} else if len(user.Grants) > 0 {
|
} else if len(user.Grants) > 0 {
|
||||||
|
|
10
cmd/user.go
10
cmd/user.go
|
@ -144,7 +144,7 @@ func execUserAdd(c *cli.Context) error {
|
||||||
if user, _ := manager.User(username); user != nil {
|
if user, _ := manager.User(username); user != nil {
|
||||||
return fmt.Errorf("user %s already exists", username)
|
return fmt.Errorf("user %s already exists", username)
|
||||||
}
|
}
|
||||||
password, err := readPassword(c)
|
password, err := readPasswordAndConfirm(c)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -190,7 +190,7 @@ func execUserChangePass(c *cli.Context) error {
|
||||||
if _, err := manager.User(username); err == auth.ErrNotFound {
|
if _, err := manager.User(username); err == auth.ErrNotFound {
|
||||||
return fmt.Errorf("user %s does not exist", username)
|
return fmt.Errorf("user %s does not exist", username)
|
||||||
}
|
}
|
||||||
password, err := readPassword(c)
|
password, err := readPasswordAndConfirm(c)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -250,13 +250,13 @@ func createAuthManager(c *cli.Context) (auth.Manager, error) {
|
||||||
return auth.NewSQLiteAuth(authFile, authDefaultRead, authDefaultWrite)
|
return auth.NewSQLiteAuth(authFile, authDefaultRead, authDefaultWrite)
|
||||||
}
|
}
|
||||||
|
|
||||||
func readPassword(c *cli.Context) (string, error) {
|
func readPasswordAndConfirm(c *cli.Context) (string, error) {
|
||||||
fmt.Fprint(c.App.ErrWriter, "Enter Password: ")
|
fmt.Fprint(c.App.ErrWriter, "password: ")
|
||||||
password, err := util.ReadPassword(c.App.Reader)
|
password, err := util.ReadPassword(c.App.Reader)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return "", err
|
||||||
}
|
}
|
||||||
fmt.Fprintf(c.App.ErrWriter, "\r%s\rConfirm: ", strings.Repeat(" ", 25))
|
fmt.Fprintf(c.App.ErrWriter, "\r%s\rconfirm: ", strings.Repeat(" ", 25))
|
||||||
confirm, err := util.ReadPassword(c.App.Reader)
|
confirm, err := util.ReadPassword(c.App.Reader)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return "", err
|
||||||
|
|
|
@ -205,13 +205,13 @@ ntfy access --reset phil mytopic # Reset access for user phil and topic mytopi
|
||||||
**Example ACL:**
|
**Example ACL:**
|
||||||
```
|
```
|
||||||
$ ntfy access
|
$ ntfy access
|
||||||
User phil (admin)
|
user phil (admin)
|
||||||
- read-write access to all topics (admin role)
|
- read-write access to all topics (admin role)
|
||||||
User ben (user)
|
user ben (user)
|
||||||
- read-write access to topic garagedoor
|
- read-write access to topic garagedoor
|
||||||
- read-write access to topic alerts*
|
- read-write access to topic alerts*
|
||||||
- read-only access to topic furnace
|
- read-only access to topic furnace
|
||||||
User * (anonymous)
|
user * (anonymous)
|
||||||
- read-only access to topic announcements
|
- read-only access to topic announcements
|
||||||
- read-only access to topic server-stats
|
- read-only access to topic server-stats
|
||||||
- no access to any (other) topics (server config)
|
- no access to any (other) topics (server config)
|
||||||
|
@ -235,9 +235,9 @@ After that, simply create an `admin` user:
|
||||||
|
|
||||||
```
|
```
|
||||||
$ ntfy user add --role=admin phil
|
$ ntfy user add --role=admin phil
|
||||||
Password: mypass
|
password: mypass
|
||||||
Confirm: mypass
|
confirm: mypass
|
||||||
User phil added with role admin
|
user phil added with role admin
|
||||||
```
|
```
|
||||||
|
|
||||||
Once you've done that, you can publish and subscribe using [Basic Auth](https://en.wikipedia.org/wiki/Basic_access_authentication)
|
Once you've done that, you can publish and subscribe using [Basic Auth](https://en.wikipedia.org/wiki/Basic_access_authentication)
|
||||||
|
|
Loading…
Reference in a new issue