This repository has been archived by the owner on Sep 14, 2019. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 234
/
acl.go
66 lines (62 loc) · 2.32 KB
/
acl.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
//
// Contributor: Julien Vehent [email protected] [:ulfr]
package mig /* import "github.com/mozilla/mig" */
import (
"fmt"
"strings"
)
// ACL defines an access control list used by the agent to determine what investigators
// can call a given module. The key in this map is the module name, and can be "default" in
// which case this element will be used if no key for a given module exists.
//
// The value includes a minimum weight to authorize the request, and a map of investigators
// with the key of the map being the name of the investigator, and the value storing the PGP
// fingerprint of the investigators key and the weight that investigator has.
type ACL map[string]struct {
MinimumWeight int
Investigators map[string]struct {
Fingerprint string
Weight int
}
}
// verifyPermission validates that the fingerprints are permitted to execute an operation by
// comparing the fingerprints to the fingerprints and weight specifications in ACL acl.
func verifyPermission(moduleName string, acl ACL, fingerprints []string) error {
aclname := moduleName
aclent, ok := acl[moduleName]
if !ok {
// No ACL entry found for this module name, see if we can find a default
aclent, ok = acl["default"]
if !ok {
return fmt.Errorf("no ACL entry found for %v, and no default present", moduleName)
}
aclname = "default"
}
if aclent.MinimumWeight < 1 {
return fmt.Errorf("invalid ACL %v, weight must be > 0", aclname)
}
var seenFp []string
signaturesWeight := 0
for _, fp := range fingerprints {
// if the same key is used to sign multiple times, return an error
for _, seen := range seenFp {
if seen == fp {
return fmt.Errorf("permission violation: key %v used to sign multiple times", fp)
}
}
for _, signer := range aclent.Investigators {
if strings.ToUpper(fp) == strings.ToUpper(signer.Fingerprint) {
signaturesWeight += signer.Weight
}
}
seenFp = append(seenFp, fp)
}
if signaturesWeight < aclent.MinimumWeight {
return fmt.Errorf("permission denied for operation %v, insufficient signatures weight"+
" (need %v, got %v)", moduleName, aclent.MinimumWeight, signaturesWeight)
}
return nil
}