Rename auth package to user; add extendToken feature
This commit is contained in:
binwiederhier
parent
3aac1b2715
commit
d4c7ad4beb
14 changed files with 368 additions and 276 deletions
|
|
@ -6,7 +6,7 @@ import (
|
|||
"errors"
|
||||
"fmt"
|
||||
"github.com/urfave/cli/v2"
|
||||
"heckel.io/ntfy/auth"
|
||||
"heckel.io/ntfy/user"
|
||||
"heckel.io/ntfy/util"
|
||||
)
|
||||
|
||||
|
|
@ -77,7 +77,7 @@ func execUserAccess(c *cli.Context) error {
|
|||
}
|
||||
username := c.Args().Get(0)
|
||||
if username == userEveryone {
|
||||
username = auth.Everyone
|
||||
username = user.Everyone
|
||||
}
|
||||
topic := c.Args().Get(1)
|
||||
perms := c.Args().Get(2)
|
||||
|
|
@ -96,16 +96,16 @@ func execUserAccess(c *cli.Context) error {
|
|||
return changeAccess(c, manager, username, topic, perms)
|
||||
}
|
||||
|
||||
func changeAccess(c *cli.Context, manager auth.Manager, username string, topic string, perms string) error {
|
||||
func changeAccess(c *cli.Context, manager user.Manager, username string, topic string, perms string) error {
|
||||
if !util.Contains([]string{"", "read-write", "rw", "read-only", "read", "ro", "write-only", "write", "wo", "none", "deny"}, perms) {
|
||||
return errors.New("permission must be one of: read-write, read-only, write-only, or deny (or the aliases: read, ro, write, wo, none)")
|
||||
}
|
||||
read := util.Contains([]string{"read-write", "rw", "read-only", "read", "ro"}, perms)
|
||||
write := util.Contains([]string{"read-write", "rw", "write-only", "write", "wo"}, perms)
|
||||
user, err := manager.User(username)
|
||||
if err == auth.ErrNotFound {
|
||||
u, err := manager.User(username)
|
||||
if err == user.ErrNotFound {
|
||||
return fmt.Errorf("user %s does not exist", username)
|
||||
} else if user.Role == auth.RoleAdmin {
|
||||
} else if u.Role == user.RoleAdmin {
|
||||
return fmt.Errorf("user %s is an admin user, access control entries have no effect", username)
|
||||
}
|
||||
if err := manager.AllowAccess(username, topic, read, write); err != nil {
|
||||
|
|
@ -123,7 +123,7 @@ func changeAccess(c *cli.Context, manager auth.Manager, username string, topic s
|
|||
return showUserAccess(c, manager, username)
|
||||
}
|
||||
|
||||
func resetAccess(c *cli.Context, manager auth.Manager, username, topic string) error {
|
||||
func resetAccess(c *cli.Context, manager user.Manager, username, topic string) error {
|
||||
if username == "" {
|
||||
return resetAllAccess(c, manager)
|
||||
} else if topic == "" {
|
||||
|
|
@ -132,7 +132,7 @@ func resetAccess(c *cli.Context, manager auth.Manager, username, topic string) e
|
|||
return resetUserTopicAccess(c, manager, username, topic)
|
||||
}
|
||||
|
||||
func resetAllAccess(c *cli.Context, manager auth.Manager) error {
|
||||
func resetAllAccess(c *cli.Context, manager user.Manager) error {
|
||||
if err := manager.ResetAccess("", ""); err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
@ -140,7 +140,7 @@ func resetAllAccess(c *cli.Context, manager auth.Manager) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func resetUserAccess(c *cli.Context, manager auth.Manager, username string) error {
|
||||
func resetUserAccess(c *cli.Context, manager user.Manager, username string) error {
|
||||
if err := manager.ResetAccess(username, ""); err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
@ -148,7 +148,7 @@ func resetUserAccess(c *cli.Context, manager auth.Manager, username string) erro
|
|||
return showUserAccess(c, manager, username)
|
||||
}
|
||||
|
||||
func resetUserTopicAccess(c *cli.Context, manager auth.Manager, username string, topic string) error {
|
||||
func resetUserTopicAccess(c *cli.Context, manager user.Manager, username string, topic string) error {
|
||||
if err := manager.ResetAccess(username, topic); err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
@ -156,14 +156,14 @@ func resetUserTopicAccess(c *cli.Context, manager auth.Manager, username string,
|
|||
return showUserAccess(c, manager, username)
|
||||
}
|
||||
|
||||
func showAccess(c *cli.Context, manager auth.Manager, username string) error {
|
||||
func showAccess(c *cli.Context, manager user.Manager, username string) error {
|
||||
if username == "" {
|
||||
return showAllAccess(c, manager)
|
||||
}
|
||||
return showUserAccess(c, manager, username)
|
||||
}
|
||||
|
||||
func showAllAccess(c *cli.Context, manager auth.Manager) error {
|
||||
func showAllAccess(c *cli.Context, manager user.Manager) error {
|
||||
users, err := manager.Users()
|
||||
if err != nil {
|
||||
return err
|
||||
|
|
@ -171,23 +171,23 @@ func showAllAccess(c *cli.Context, manager auth.Manager) error {
|
|||
return showUsers(c, manager, users)
|
||||
}
|
||||
|
||||
func showUserAccess(c *cli.Context, manager auth.Manager, username string) error {
|
||||
func showUserAccess(c *cli.Context, manager user.Manager, username string) error {
|
||||
users, err := manager.User(username)
|
||||
if err == auth.ErrNotFound {
|
||||
if err == user.ErrNotFound {
|
||||
return fmt.Errorf("user %s does not exist", username)
|
||||
} else if err != nil {
|
||||
return err
|
||||
}
|
||||
return showUsers(c, manager, []*auth.User{users})
|
||||
return showUsers(c, manager, []*user.User{users})
|
||||
}
|
||||
|
||||
func showUsers(c *cli.Context, manager auth.Manager, users []*auth.User) error {
|
||||
for _, user := range users {
|
||||
fmt.Fprintf(c.App.ErrWriter, "user %s (%s)\n", user.Name, user.Role)
|
||||
if user.Role == auth.RoleAdmin {
|
||||
func showUsers(c *cli.Context, manager user.Manager, users []*user.User) error {
|
||||
for _, u := range users {
|
||||
fmt.Fprintf(c.App.ErrWriter, "user %s (%s)\n", u.Name, u.Role)
|
||||
if u.Role == user.RoleAdmin {
|
||||
fmt.Fprintf(c.App.ErrWriter, "- read-write access to all topics (admin role)\n")
|
||||
} else if len(user.Grants) > 0 {
|
||||
for _, grant := range user.Grants {
|
||||
} else if len(u.Grants) > 0 {
|
||||
for _, grant := range u.Grants {
|
||||
if grant.AllowRead && grant.AllowWrite {
|
||||
fmt.Fprintf(c.App.ErrWriter, "- read-write access to topic %s\n", grant.TopicPattern)
|
||||
} else if grant.AllowRead {
|
||||
|
|
@ -201,7 +201,7 @@ func showUsers(c *cli.Context, manager auth.Manager, users []*auth.User) error {
|
|||
} else {
|
||||
fmt.Fprintf(c.App.ErrWriter, "- no topic-specific permissions\n")
|
||||
}
|
||||
if user.Name == auth.Everyone {
|
||||
if u.Name == user.Everyone {
|
||||
defaultRead, defaultWrite := manager.DefaultAccess()
|
||||
if defaultRead && defaultWrite {
|
||||
fmt.Fprintln(c.App.ErrWriter, "- read-write access to all (other) topics (server config)")
|
||||
|
|
|
|||
22
cmd/user.go
22
cmd/user.go
|
|
@ -6,12 +6,12 @@ import (
|
|||
"crypto/subtle"
|
||||
"errors"
|
||||
"fmt"
|
||||
"heckel.io/ntfy/user"
|
||||
"os"
|
||||
"strings"
|
||||
|
||||
"github.com/urfave/cli/v2"
|
||||
"github.com/urfave/cli/v2/altsrc"
|
||||
"heckel.io/ntfy/auth"
|
||||
"heckel.io/ntfy/util"
|
||||
)
|
||||
|
||||
|
|
@ -41,7 +41,7 @@ var cmdUser = &cli.Command{
|
|||
UsageText: "ntfy user add [--role=admin|user] USERNAME\nNTFY_PASSWORD=... ntfy user add [--role=admin|user] USERNAME",
|
||||
Action: execUserAdd,
|
||||
Flags: []cli.Flag{
|
||||
&cli.StringFlag{Name: "role", Aliases: []string{"r"}, Value: string(auth.RoleUser), Usage: "user role"},
|
||||
&cli.StringFlag{Name: "role", Aliases: []string{"r"}, Value: string(user.RoleUser), Usage: "user role"},
|
||||
},
|
||||
Description: `Add a new user to the ntfy user database.
|
||||
|
||||
|
|
@ -152,13 +152,13 @@ variable to pass the new password. This is useful if you are creating/updating u
|
|||
|
||||
func execUserAdd(c *cli.Context) error {
|
||||
username := c.Args().Get(0)
|
||||
role := auth.Role(c.String("role"))
|
||||
role := user.Role(c.String("role"))
|
||||
password := os.Getenv("NTFY_PASSWORD")
|
||||
if username == "" {
|
||||
return errors.New("username expected, type 'ntfy user add --help' for help")
|
||||
} else if username == userEveryone {
|
||||
return errors.New("username not allowed")
|
||||
} else if !auth.AllowedRole(role) {
|
||||
} else if !user.AllowedRole(role) {
|
||||
return errors.New("role must be either 'user' or 'admin'")
|
||||
}
|
||||
manager, err := createAuthManager(c)
|
||||
|
|
@ -194,7 +194,7 @@ func execUserDel(c *cli.Context) error {
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if _, err := manager.User(username); err == auth.ErrNotFound {
|
||||
if _, err := manager.User(username); err == user.ErrNotFound {
|
||||
return fmt.Errorf("user %s does not exist", username)
|
||||
}
|
||||
if err := manager.RemoveUser(username); err != nil {
|
||||
|
|
@ -216,7 +216,7 @@ func execUserChangePass(c *cli.Context) error {
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if _, err := manager.User(username); err == auth.ErrNotFound {
|
||||
if _, err := manager.User(username); err == user.ErrNotFound {
|
||||
return fmt.Errorf("user %s does not exist", username)
|
||||
}
|
||||
if password == "" {
|
||||
|
|
@ -234,8 +234,8 @@ func execUserChangePass(c *cli.Context) error {
|
|||
|
||||
func execUserChangeRole(c *cli.Context) error {
|
||||
username := c.Args().Get(0)
|
||||
role := auth.Role(c.Args().Get(1))
|
||||
if username == "" || !auth.AllowedRole(role) {
|
||||
role := user.Role(c.Args().Get(1))
|
||||
if username == "" || !user.AllowedRole(role) {
|
||||
return errors.New("username and new role expected, type 'ntfy user change-role --help' for help")
|
||||
} else if username == userEveryone {
|
||||
return errors.New("username not allowed")
|
||||
|
|
@ -244,7 +244,7 @@ func execUserChangeRole(c *cli.Context) error {
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if _, err := manager.User(username); err == auth.ErrNotFound {
|
||||
if _, err := manager.User(username); err == user.ErrNotFound {
|
||||
return fmt.Errorf("user %s does not exist", username)
|
||||
}
|
||||
if err := manager.ChangeRole(username, role); err != nil {
|
||||
|
|
@ -266,7 +266,7 @@ func execUserList(c *cli.Context) error {
|
|||
return showUsers(c, manager, users)
|
||||
}
|
||||
|
||||
func createAuthManager(c *cli.Context) (auth.Manager, error) {
|
||||
func createAuthManager(c *cli.Context) (user.Manager, error) {
|
||||
authFile := c.String("auth-file")
|
||||
authDefaultAccess := c.String("auth-default-access")
|
||||
if authFile == "" {
|
||||
|
|
@ -278,7 +278,7 @@ func createAuthManager(c *cli.Context) (auth.Manager, error) {
|
|||
}
|
||||
authDefaultRead := authDefaultAccess == "read-write" || authDefaultAccess == "read-only"
|
||||
authDefaultWrite := authDefaultAccess == "read-write" || authDefaultAccess == "write-only"
|
||||
return auth.NewSQLiteAuthManager(authFile, authDefaultRead, authDefaultWrite)
|
||||
return user.NewSQLiteAuthManager(authFile, authDefaultRead, authDefaultWrite)
|
||||
}
|
||||
|
||||
func readPasswordAndConfirm(c *cli.Context) (string, error) {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue