Merge branch 'v0.10.0' into ee-v0.10.0

Author: YourTechBud

config/config.go

@@ -38,17 +38,28 @@ type Project struct {
 
 // Admin stores the admin credentials
 type Admin struct {
-	User   string `json:"user" yaml:"user"`
-	Pass   string `json:"pass" yaml:"pass"`
-	Role   string `json:"role" yaml:"role"`
-	Secret string `json:"secret" yaml:"secret"`
+	Secret    string          `json:"secret" yaml:"secret"`
+	Operation OperationConfig `json:"operatiop"`
+	Users     []AdminUser     `json:"users" yaml:"users"`
 }
 
-// ProjectAccess defines the access policy for a given project
-type ProjectAccess struct {
-	Name string
+// OperationConfig holds the operation mode config
+type OperationConfig struct {
+	Mode  int    `json:"mode" yaml:"mode"`
+	Email string `json:"email" yaml:"email"`
+	Key   string `json:"key" yaml:"key"`
 }
 
+// AdminUser holds the user credentials and scope
+type AdminUser struct {
+	User   string       `json:"user" yaml:"user"`
+	Pass   string       `json:"pass" yaml:"pass"`
+	Scopes ProjectScope `json:"scopes" yaml:"scopes"`
+}
+
+// ProjectScope contains the project level scope
+type ProjectScope map[string][]string // (project name -> []scopes)
+
 // SSL holds the certificate and key file locations
 type SSL struct {
 	Enabled bool   `json:"enabled" yaml:"enabled"`

config/generate.go

@@ -27,11 +27,19 @@ type input struct {
 func GenerateEmptyConfig() *Config {
 	return &Config{
 		SSL:      &SSL{Enabled: false},
-		Admin:    &Admin{User: "admin", Pass: "123", Role: "captain-cloud", Secret: "some-secret"},
+		Admin:    generateAdmin(),
 		Projects: []*Project{},
 	}
 }
 
+func generateAdmin() *Admin {
+	return &Admin{
+		Secret:    "some-secret",
+		Operation: OperationConfig{Mode: 0},
+		Users:     []AdminUser{{User: "admin", Pass: "123", Scopes: ProjectScope{"all": []string{"all"}}}},
+	}
+}
+
 // GenerateConfig started the interactive cli to generate config file
 func GenerateConfig(configFilePath string) error {
 	fmt.Println()

main.go

@@ -76,12 +76,6 @@ var essentialFlags = []cli.Flag{
 		EnvVar: "ADMIN_PASS",
 		Value:  "",
 	},
-	cli.StringFlag{
-		Name:   "admin-role",
-		Usage:  "Set the admin role",
-		EnvVar: "ADMIN_ROLE",
-		Value:  "",
-	},
 	cli.StringFlag{
 		Name:   "admin-sercret",
 		Usage:  "Set the admin secret",
@@ -132,7 +126,6 @@ func actionRun(c *cli.Context) error {
 	// Flags related to the admin details
 	adminUser := c.String("admin-user")
 	adminPass := c.String("admin-pass")
-	adminRole := c.String("admin-role")
 	adminSecret := c.String("admin-secret")
 
 	// Project and env cannot be changed once space cloud has started
@@ -156,13 +149,10 @@ func actionRun(c *cli.Context) error {
 
 	// Override the admin config if provided
 	if adminUser != "" {
-		conf.Admin.User = adminUser
+		conf.Admin.Users[0].User = adminUser
 	}
 	if adminPass != "" {
-		conf.Admin.Pass = adminPass
-	}
-	if adminRole != "" {
-		conf.Admin.Role = adminRole
+		conf.Admin.Users[0].Pass = adminPass
 	}
 	if adminSecret != "" {
 		conf.Admin.Secret = adminSecret

utils/admin/admin.go

@@ -3,13 +3,14 @@ package admin
 import (
 	"errors"
 	"net/http"
+	"sync"
 
-	"github.com/dgrijalva/jwt-go"
 	"github.com/spaceuptech/space-cloud/config"
 )
 
 // Manager manages all admin transactions
 type Manager struct {
+	lock  sync.RWMutex
 	admin *config.Admin
 }
 
@@ -20,87 +21,25 @@ func New() *Manager {
 
 // SetConfig sets the admin config
 func (m *Manager) SetConfig(admin *config.Admin) {
+	m.lock.Lock()
 	m.admin = admin
+	m.lock.Unlock()
 }
 
 // Login handles the admin login operation
 func (m *Manager) Login(user, pass string) (int, string, error) {
-	u, p, r := m.admin.User, m.admin.Pass, m.admin.Role
-
-	if u != user || p != pass {
-		return http.StatusUnauthorized, "", errors.New("invalid credentials provided")
-	}
-
-	token, err := m.createToken(map[string]interface{}{"id": r, "role": r})
-	if err != nil {
-		return http.StatusInternalServerError, "", err
-	}
-
-	return http.StatusOK, token, nil
-}
-
-// IsAdminOpAuthorised checks if the admin operation is authorised
-func (m *Manager) IsAdminOpAuthorised(token string) (int, error) {
-
-	auth, err := m.parseToken(token)
-	if err != nil {
-		return http.StatusUnauthorized, err
-	}
-
-	roleTemp, p := auth["role"]
-	if !p {
-		return http.StatusUnauthorized, errors.New("Invalid Token")
-	}
-
-	role := roleTemp.(string)
-
-	if role != m.admin.Role {
-		return http.StatusForbidden, errors.New("You are not authorized to make this request")
-	}
-
-	return http.StatusOK, nil
-}
-
-// CreateToken generates a new JWT Token with the token claims
-func (m *Manager) createToken(tokenClaims map[string]interface{}) (string, error) {
-
-	claims := jwt.MapClaims{}
-	for k, v := range tokenClaims {
-		claims[k] = v
-	}
-
-	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
-	tokenString, err := token.SignedString([]byte(m.admin.Secret))
-	if err != nil {
-		return "", err
-	}
-
-	return tokenString, nil
-}
-
-func (m *Manager) parseToken(token string) (map[string]interface{}, error) {
-	// Parse the JWT token
-	tokenObj, err := jwt.Parse(token, func(token *jwt.Token) (interface{}, error) {
-		// Don't forget to validate the alg is what you expect:
-		if token.Method.Alg() != jwt.SigningMethodHS256.Alg() {
-			return nil, errors.New("invalid signing method type")
+	m.lock.RLock()
+	defer m.lock.RUnlock()
+
+	for _, u := range m.admin.Users {
+		if u.User == user && u.Pass == pass {
+			token, err := m.createToken(map[string]interface{}{"id": user, "role": user})
+			if err != nil {
+				return http.StatusInternalServerError, "", err
+			}
+			return http.StatusOK, token, nil
 		}
-
-		return []byte(m.admin.Secret), nil
-	})
-	if err != nil {
-		return nil, err
-	}
-
-	// Get the claims
-	if claims, ok := tokenObj.Claims.(jwt.MapClaims); ok && tokenObj.Valid {
-		obj := make(map[string]interface{}, len(claims))
-		for key, val := range claims {
-			obj[key] = val
-		}
-
-		return obj, nil
 	}
 
-	return nil, errors.New("Admin: JWT token could not be verified")
+	return http.StatusUnauthorized, "", errors.New("invalid credentials provided")
 }

utils/admin/helpers.go

@@ -0,0 +1,50 @@
+package admin
+
+import (
+	"errors"
+
+	"github.com/dgrijalva/jwt-go"
+)
+
+func (m *Manager) createToken(tokenClaims map[string]interface{}) (string, error) {
+
+	claims := jwt.MapClaims{}
+	for k, v := range tokenClaims {
+		claims[k] = v
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	tokenString, err := token.SignedString([]byte(m.admin.Secret))
+	if err != nil {
+		return "", err
+	}
+
+	return tokenString, nil
+}
+
+func (m *Manager) parseToken(token string) (map[string]interface{}, error) {
+	// Parse the JWT token
+	tokenObj, err := jwt.Parse(token, func(token *jwt.Token) (interface{}, error) {
+		// Don't forget to validate the alg is what you expect:
+		if token.Method.Alg() != jwt.SigningMethodHS256.Alg() {
+			return nil, errors.New("invalid signing method type")
+		}
+
+		return []byte(m.admin.Secret), nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	// Get the claims
+	if claims, ok := tokenObj.Claims.(jwt.MapClaims); ok && tokenObj.Valid {
+		obj := make(map[string]interface{}, len(claims))
+		for key, val := range claims {
+			obj[key] = val
+		}
+
+		return obj, nil
+	}
+
+	return nil, errors.New("Admin: JWT token could not be verified")
+}

utils/admin/operations.go

@@ -0,0 +1,85 @@
+package admin
+
+import (
+	"errors"
+	"net/http"
+
+	"github.com/spaceuptech/space-cloud/config"
+	"github.com/spaceuptech/space-cloud/utils"
+)
+
+// IsTokenValid checks if the token is valid
+func (m *Manager) IsTokenValid(token string) error {
+	m.lock.RLock()
+	defer m.lock.RUnlock()
+
+	_, err := m.parseToken(token)
+	return err
+}
+
+// ValidateSyncOperation validates if an operation is permitted based on the mode
+func (m *Manager) ValidateSyncOperation(c *config.Config, project *config.Project) bool {
+	m.lock.RLock()
+	defer m.lock.RUnlock()
+
+	for _, p := range c.Projects {
+		if p.ID == project.ID {
+			return true
+		}
+	}
+
+	maxProjects := 1
+	if m.admin.Operation.Mode == 1 {
+		maxProjects = 3
+	} else if m.admin.Operation.Mode == 2 {
+		maxProjects = 5
+	}
+
+	if len(c.Projects) == (maxProjects - 1) {
+		return true
+	}
+
+	return false
+}
+
+// IsAdminOpAuthorised checks if the admin operation is authorised.
+// TODO add scope level restrictions as well
+func (m *Manager) IsAdminOpAuthorised(token, scope string) (int, error) {
+	m.lock.RLock()
+	defer m.lock.RUnlock()
+
+	if scope == utils.ScopeDeploy {
+		if m.admin.Operation.Mode < 1 {
+			return http.StatusForbidden, errors.New("Operation not supported. Upgrade to avail this feature")
+		}
+	}
+
+	auth, err := m.parseToken(token)
+	if err != nil {
+		return http.StatusUnauthorized, err
+	}
+
+	user, p := auth["id"]
+	if !p {
+		return http.StatusUnauthorized, errors.New("Invalid Token")
+	}
+
+	for _, u := range m.admin.Users {
+		if u.User == user {
+
+			// Allow full access for scope name `all`
+			if _, p := u.Scopes["all"]; p {
+				return http.StatusOK, nil
+			}
+
+			// Check if scope is present
+			if _, p := u.Scopes[scope]; p {
+				return http.StatusOK, nil
+			}
+
+			break
+		}
+	}
+
+	return http.StatusForbidden, errors.New("You are not authorized to make this request")
+}

utils/constants.go

@@ -179,3 +179,8 @@ const (
 	// Kubernetes is the type used for a kubernetes deployement
 	Kubernetes OrchestratorType = "kubernetes"
 )
+
+const (
+	// ScopeDeploy is te scope used for the deploy module
+	ScopeDeploy string = "deploy"
+)