175 lines
5.8 KiB
Go
175 lines
5.8 KiB
Go
|
package cmd
|
||
|
|
||
|
import (
|
||
|
"errors"
|
||
|
"fmt"
|
||
|
"github.com/urfave/cli/v2"
|
||
|
"heckel.io/ntfy/auth"
|
||
|
"heckel.io/ntfy/util"
|
||
|
)
|
||
|
|
||
|
/*
|
||
|
|
||
|
ntfy access # Shows access control list
|
||
|
ntfy access phil # Shows access for user phil
|
||
|
ntfy access phil mytopic # Shows access for user phil and topic mytopic
|
||
|
ntfy access phil mytopic rw # Allow read-write access to mytopic for user phil
|
||
|
ntfy access everyone mytopic rw # Allow anonymous read-write access to mytopic
|
||
|
ntfy access --reset # Reset entire access control list
|
||
|
ntfy access --reset phil # Reset all access for user phil
|
||
|
ntfy access --reset phil mytopic # Reset access for user phil and topic mytopic
|
||
|
|
||
|
*/
|
||
|
|
||
|
const (
|
||
|
userEveryone = "everyone"
|
||
|
)
|
||
|
|
||
|
var flagsAccess = append(
|
||
|
userCommandFlags(),
|
||
|
&cli.BoolFlag{Name: "reset", Aliases: []string{"r"}, Usage: "reset access for user (and topic)"},
|
||
|
)
|
||
|
|
||
|
var cmdAccess = &cli.Command{
|
||
|
Name: "access",
|
||
|
Usage: "Grant/revoke access to a topic, or show access",
|
||
|
UsageText: "ntfy access [USERNAME [TOPIC [PERMISSION]]]",
|
||
|
Flags: flagsAccess,
|
||
|
Before: initConfigFileInputSource("config", flagsAccess),
|
||
|
Action: execUserAccess,
|
||
|
Category: categoryServer,
|
||
|
}
|
||
|
|
||
|
func execUserAccess(c *cli.Context) error {
|
||
|
manager, err := createAuthManager(c)
|
||
|
if err != nil {
|
||
|
return err
|
||
|
}
|
||
|
username := c.Args().Get(0)
|
||
|
if username == userEveryone {
|
||
|
username = auth.Everyone
|
||
|
}
|
||
|
topic := c.Args().Get(1)
|
||
|
perms := c.Args().Get(2)
|
||
|
reset := c.Bool("reset")
|
||
|
if reset {
|
||
|
return resetAccess(c, manager, username, topic)
|
||
|
} else if perms == "" {
|
||
|
return showAccess(c, manager, username)
|
||
|
}
|
||
|
return changeAccess(c, manager, username, topic, perms)
|
||
|
}
|
||
|
|
||
|
func changeAccess(c *cli.Context, manager auth.Manager, username string, topic string, perms string) error {
|
||
|
if !util.InStringList([]string{"", "read-write", "rw", "read-only", "read", "ro", "write-only", "write", "wo", "none", "deny"}, perms) {
|
||
|
return errors.New("permission must be one of: read-write, read-only, write-only, or deny (or the aliases: read, ro, write, wo, none)")
|
||
|
}
|
||
|
read := util.InStringList([]string{"read-write", "rw", "read-only", "read", "ro"}, perms)
|
||
|
write := util.InStringList([]string{"read-write", "rw", "write-only", "write", "wo"}, perms)
|
||
|
if err := manager.AllowAccess(username, topic, read, write); err != nil {
|
||
|
return err
|
||
|
}
|
||
|
if read && write {
|
||
|
fmt.Fprintf(c.App.Writer, "Granted read-write access to topic %s\n\n", topic)
|
||
|
} else if read {
|
||
|
fmt.Fprintf(c.App.Writer, "Granted read-only access to topic %s\n\n", topic)
|
||
|
} else if write {
|
||
|
fmt.Fprintf(c.App.Writer, "Granted write-only access to topic %s\n\n", topic)
|
||
|
} else {
|
||
|
fmt.Fprintf(c.App.Writer, "Revoked all access to topic %s\n\n", topic)
|
||
|
}
|
||
|
return showUserAccess(c, manager, username)
|
||
|
}
|
||
|
|
||
|
func resetAccess(c *cli.Context, manager auth.Manager, username, topic string) error {
|
||
|
if username == "" {
|
||
|
return resetAllAccess(c, manager)
|
||
|
} else if topic == "" {
|
||
|
return resetUserAccess(c, manager, username)
|
||
|
}
|
||
|
return resetUserTopicAccess(c, manager, username, topic)
|
||
|
}
|
||
|
|
||
|
func resetAllAccess(c *cli.Context, manager auth.Manager) error {
|
||
|
if err := manager.ResetAccess("", ""); err != nil {
|
||
|
return err
|
||
|
}
|
||
|
fmt.Fprintln(c.App.Writer, "Reset access for all users")
|
||
|
return nil
|
||
|
}
|
||
|
|
||
|
func resetUserAccess(c *cli.Context, manager auth.Manager, username string) error {
|
||
|
if err := manager.ResetAccess(username, ""); err != nil {
|
||
|
return err
|
||
|
}
|
||
|
fmt.Fprintf(c.App.Writer, "Reset access for user %s\n\n", username)
|
||
|
return showUserAccess(c, manager, username)
|
||
|
}
|
||
|
|
||
|
func resetUserTopicAccess(c *cli.Context, manager auth.Manager, username string, topic string) error {
|
||
|
if err := manager.ResetAccess(username, topic); err != nil {
|
||
|
return err
|
||
|
}
|
||
|
fmt.Fprintf(c.App.Writer, "Reset access for user %s and topic %s\n\n", username, topic)
|
||
|
return showUserAccess(c, manager, username)
|
||
|
}
|
||
|
|
||
|
func showAccess(c *cli.Context, manager auth.Manager, username string) error {
|
||
|
if username == "" {
|
||
|
return showAllAccess(c, manager)
|
||
|
}
|
||
|
return showUserAccess(c, manager, username)
|
||
|
}
|
||
|
|
||
|
func showAllAccess(c *cli.Context, manager auth.Manager) error {
|
||
|
users, err := manager.Users()
|
||
|
if err != nil {
|
||
|
return err
|
||
|
}
|
||
|
return showUsers(c, manager, users)
|
||
|
}
|
||
|
|
||
|
func showUserAccess(c *cli.Context, manager auth.Manager, username string) error {
|
||
|
users, err := manager.User(username)
|
||
|
if err != nil {
|
||
|
return err
|
||
|
}
|
||
|
return showUsers(c, manager, []*auth.User{users})
|
||
|
}
|
||
|
|
||
|
func showUsers(c *cli.Context, manager auth.Manager, users []*auth.User) error {
|
||
|
for _, user := range users {
|
||
|
fmt.Fprintf(c.App.Writer, "User %s (%s)\n", user.Name, user.Role)
|
||
|
if user.Role == auth.RoleAdmin {
|
||
|
fmt.Fprintf(c.App.ErrWriter, "- read-write access to all topics (admin role)\n")
|
||
|
} else if len(user.Grants) > 0 {
|
||
|
for _, grant := range user.Grants {
|
||
|
if grant.Read && grant.Write {
|
||
|
fmt.Fprintf(c.App.ErrWriter, "- read-write access to topic %s\n", grant.Topic)
|
||
|
} else if grant.Read {
|
||
|
fmt.Fprintf(c.App.ErrWriter, "- read-only access to topic %s\n", grant.Topic)
|
||
|
} else if grant.Write {
|
||
|
fmt.Fprintf(c.App.ErrWriter, "- write-only access to topic %s\n", grant.Topic)
|
||
|
} else {
|
||
|
fmt.Fprintf(c.App.ErrWriter, "- no access to topic %s\n", grant.Topic)
|
||
|
}
|
||
|
}
|
||
|
} else {
|
||
|
fmt.Fprintf(c.App.ErrWriter, "- no topic-specific permissions\n")
|
||
|
}
|
||
|
if user.Name == auth.Everyone {
|
||
|
defaultRead, defaultWrite := manager.DefaultAccess()
|
||
|
if defaultRead && defaultWrite {
|
||
|
fmt.Fprintln(c.App.ErrWriter, "- read-write access to all (other) topics (server config)")
|
||
|
} else if defaultRead {
|
||
|
fmt.Fprintln(c.App.ErrWriter, "- read-only access to all (other) topics (server config)")
|
||
|
} else if defaultWrite {
|
||
|
fmt.Fprintln(c.App.ErrWriter, "- write-only access to all (other) topics (server config)")
|
||
|
} else {
|
||
|
fmt.Fprintln(c.App.ErrWriter, "- no access to any (other) topics (server config)")
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
return nil
|
||
|
}
|