Do not forward messages to Firebase if topic is not world-readable

pull/114/head
Philipp Heckel 2022-01-31 19:33:22 -05:00
parent 936e95fd9e
commit 198e2cfd90
5 changed files with 53 additions and 37 deletions

View File

@ -64,8 +64,8 @@ type User struct {
// Grant is a struct that represents an access control entry to a topic // Grant is a struct that represents an access control entry to a topic
type Grant struct { type Grant struct {
TopicPattern string // May include wildcard (*) TopicPattern string // May include wildcard (*)
Read bool AllowRead bool
Write bool AllowWrite bool
} }
// Permission represents a read or write permission to a topic // Permission represents a read or write permission to a topic

View File

@ -281,8 +281,8 @@ func (a *SQLiteAuth) readGrants(username string) ([]Grant, error) {
} }
grants = append(grants, Grant{ grants = append(grants, Grant{
TopicPattern: fromSQLWildcard(topic), TopicPattern: fromSQLWildcard(topic),
Read: read, AllowRead: read,
Write: write, AllowWrite: write,
}) })
} }
return grants, nil return grants, nil

View File

@ -144,11 +144,11 @@ func showUsers(c *cli.Context, manager auth.Manager, users []*auth.User) error {
fmt.Fprintf(c.App.ErrWriter, "- read-write access to all topics (admin role)\n") fmt.Fprintf(c.App.ErrWriter, "- read-write access to all topics (admin role)\n")
} else if len(user.Grants) > 0 { } else if len(user.Grants) > 0 {
for _, grant := range user.Grants { for _, grant := range user.Grants {
if grant.Read && grant.Write { if grant.AllowRead && grant.AllowWrite {
fmt.Fprintf(c.App.ErrWriter, "- read-write access to topic %s\n", grant.TopicPattern) fmt.Fprintf(c.App.ErrWriter, "- read-write access to topic %s\n", grant.TopicPattern)
} else if grant.Read { } else if grant.AllowRead {
fmt.Fprintf(c.App.ErrWriter, "- read-only access to topic %s\n", grant.TopicPattern) fmt.Fprintf(c.App.ErrWriter, "- read-only access to topic %s\n", grant.TopicPattern)
} else if grant.Write { } else if grant.AllowWrite {
fmt.Fprintf(c.App.ErrWriter, "- write-only access to topic %s\n", grant.TopicPattern) fmt.Fprintf(c.App.ErrWriter, "- write-only access to topic %s\n", grant.TopicPattern)
} else { } else {
fmt.Fprintf(c.App.ErrWriter, "- no access to topic %s\n", grant.TopicPattern) fmt.Fprintf(c.App.ErrWriter, "- no access to topic %s\n", grant.TopicPattern)

View File

@ -117,14 +117,6 @@ const (
// New instantiates a new Server. It creates the cache and adds a Firebase // New instantiates a new Server. It creates the cache and adds a Firebase
// subscriber (if configured). // subscriber (if configured).
func New(conf *Config) (*Server, error) { func New(conf *Config) (*Server, error) {
var firebaseSubscriber subscriber
if conf.FirebaseKeyFile != "" {
var err error
firebaseSubscriber, err = createFirebaseSubscriber(conf)
if err != nil {
return nil, err
}
}
var mailer mailer var mailer mailer
if conf.SMTPSenderAddr != "" { if conf.SMTPSenderAddr != "" {
mailer = &smtpSender{config: conf} mailer = &smtpSender{config: conf}
@ -151,6 +143,14 @@ func New(conf *Config) (*Server, error) {
return nil, err return nil, err
} }
} }
var firebaseSubscriber subscriber
if conf.FirebaseKeyFile != "" {
var err error
firebaseSubscriber, err = createFirebaseSubscriber(conf, auther)
if err != nil {
return nil, err
}
}
return &Server{ return &Server{
config: conf, config: conf,
cache: cache, cache: cache,
@ -172,7 +172,7 @@ func createCache(conf *Config) (cache, error) {
return newMemCache(), nil return newMemCache(), nil
} }
func createFirebaseSubscriber(conf *Config) (subscriber, error) { func createFirebaseSubscriber(conf *Config, auther auth.Auther) (subscriber, error) {
fb, err := firebase.NewApp(context.Background(), nil, option.WithCredentialsFile(conf.FirebaseKeyFile)) fb, err := firebase.NewApp(context.Background(), nil, option.WithCredentialsFile(conf.FirebaseKeyFile))
if err != nil { if err != nil {
return nil, err return nil, err
@ -182,7 +182,7 @@ func createFirebaseSubscriber(conf *Config) (subscriber, error) {
return nil, err return nil, err
} }
return func(m *message) error { return func(m *message) error {
var data map[string]string // Matches https://ntfy.sh/docs/subscribe/api/#json-message-format var data map[string]string // Mostly matches https://ntfy.sh/docs/subscribe/api/#json-message-format
switch m.Event { switch m.Event {
case keepaliveEvent, openEvent: case keepaliveEvent, openEvent:
data = map[string]string{ data = map[string]string{
@ -192,24 +192,39 @@ func createFirebaseSubscriber(conf *Config) (subscriber, error) {
"topic": m.Topic, "topic": m.Topic,
} }
case messageEvent: case messageEvent:
data = map[string]string{ allowForward := true
"id": m.ID, if auther != nil {
"time": fmt.Sprintf("%d", m.Time), allowForward = auther.Authorize(nil, m.Topic, auth.PermissionRead) == nil
"event": m.Event,
"topic": m.Topic,
"priority": fmt.Sprintf("%d", m.Priority),
"tags": strings.Join(m.Tags, ","),
"click": m.Click,
"title": m.Title,
"message": m.Message,
"encoding": m.Encoding,
} }
if m.Attachment != nil { if allowForward {
data["attachment_name"] = m.Attachment.Name data = map[string]string{
data["attachment_type"] = m.Attachment.Type "id": m.ID,
data["attachment_size"] = fmt.Sprintf("%d", m.Attachment.Size) "time": fmt.Sprintf("%d", m.Time),
data["attachment_expires"] = fmt.Sprintf("%d", m.Attachment.Expires) "event": m.Event,
data["attachment_url"] = m.Attachment.URL "topic": m.Topic,
"priority": fmt.Sprintf("%d", m.Priority),
"tags": strings.Join(m.Tags, ","),
"click": m.Click,
"title": m.Title,
"message": m.Message,
"encoding": m.Encoding,
}
if m.Attachment != nil {
data["attachment_name"] = m.Attachment.Name
data["attachment_type"] = m.Attachment.Type
data["attachment_size"] = fmt.Sprintf("%d", m.Attachment.Size)
data["attachment_expires"] = fmt.Sprintf("%d", m.Attachment.Expires)
data["attachment_url"] = m.Attachment.URL
}
} else {
// If anonymous read for a topic is not allowed, we cannot send the message along
// via Firebase. Instead, we send a "poll_request" message, asking the client to poll.
data = map[string]string{
"id": m.ID,
"time": fmt.Sprintf("%d", m.Time),
"event": pollRequestEvent,
"topic": m.Topic,
}
} }
} }
var androidConfig *messaging.AndroidConfig var androidConfig *messaging.AndroidConfig

View File

@ -8,9 +8,10 @@ import (
// List of possible events // List of possible events
const ( const (
openEvent = "open" openEvent = "open"
keepaliveEvent = "keepalive" keepaliveEvent = "keepalive"
messageEvent = "message" messageEvent = "message"
pollRequestEvent = "poll_request"
) )
const ( const (