cloudpods/pkg/util/rbacutils/results.go

// Copyright 2019 Yunion
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package rbacutils
import (
"fmt"
"yunion.io/x/jsonutils"
"yunion.io/x/onecloud/pkg/util/tagutils"
)
// SPolicyMatch pairs one RBAC rule with the tag sets attached to the
// match that selected it.
type SPolicyMatch struct {
	// Rule is the matched rule; GetResult only looks at Rule.Result.
	Rule SRbacRule

	// Tag sets scoped to domain, project and object respectively.
	// GetResult treats a zero-length set on an allowing match as
	// "no tag restriction" for that scope.
	DomainTags  tagutils.TTagSet
	ProjectTags tagutils.TTagSet
	ObjectTags  tagutils.TTagSet
}
// SPolicyResult is the aggregated outcome of a policy evaluation: the
// allow/deny verdict plus the tag-set lists that scope it.
//
// As produced by TPolicyMatches.GetResult, an empty tag list on an Allow
// result means the scope is not restricted by tags. A Deny result also
// carries empty lists, so callers have to look at Result before reading
// the tag lists as a scope.
type SPolicyResult struct {
	// Result is the verdict (Allow or Deny in this file).
	Result TRbacResult

	// One list per scope; each element is the tag set of one allowing match.
	DomainTags  tagutils.TTagSetList
	ProjectTags tagutils.TTagSetList
	ObjectTags  tagutils.TTagSetList
}
// PolicyDeny is a result whose verdict is Deny and whose tag lists are unset.
var PolicyDeny = SPolicyResult{Result: Deny}

// PolicyAllow is a result whose verdict is Allow and whose tag lists are
// unset, i.e. it carries no tag sets in any scope.
var PolicyAllow = SPolicyResult{Result: Allow}
// TPolicyMatches is a list of SPolicyMatch values that GetResult folds
// into a single SPolicyResult.
type TPolicyMatches []SPolicyMatch

// GetResult reduces the matches to one verdict.
//
// The verdict starts as Deny and becomes Allow as soon as one match has
// an allowing rule. The tag sets of every allowing match are collected
// per scope (domain, project, object). If any allowing match has a
// zero-length tag set in a scope, that scope's list is replaced by an
// empty list: one untagged allow makes the whole scope unrestricted.
//
// NOTE(review): matches whose rule is not Allow are skipped and never
// override an Allow from another match; presumably deny precedence is
// resolved before this list is built — confirm against the caller.
func (matches TPolicyMatches) GetResult() SPolicyResult {
	var (
		wideDomain  bool
		wideProject bool
		wideObject  bool
	)
	out := SPolicyResult{Result: Deny}

	for _, m := range matches {
		if m.Rule.Result != Allow {
			continue
		}
		out.Result = Allow

		out.DomainTags = append(out.DomainTags, m.DomainTags)
		out.ProjectTags = append(out.ProjectTags, m.ProjectTags)
		out.ObjectTags = append(out.ObjectTags, m.ObjectTags)

		// An allowing match without tags in a scope widens that scope.
		wideDomain = wideDomain || len(m.DomainTags) == 0
		wideProject = wideProject || len(m.ProjectTags) == 0
		wideObject = wideObject || len(m.ObjectTags) == 0
	}

	// Drop the collected sets for any widened scope so the result
	// reports it as unrestricted.
	if wideDomain {
		out.DomainTags = tagutils.TTagSetList{}
	}
	if wideProject {
		out.ProjectTags = tagutils.TTagSetList{}
	}
	if wideObject {
		out.ObjectTags = tagutils.TTagSetList{}
	}
	return out
}
// String renders the verdict followed by the domain, project and object
// tag lists, for logs and debugging output.
func (result SPolicyResult) String() string {
	domain := result.DomainTags.String()
	project := result.ProjectTags.String()
	object := result.ObjectTags.String()
	return fmt.Sprintf("[%s] domain:%s project:%s object:%s", result.Result, domain, project, object)
}
// Json returns a dictionary holding the three tag lists under the keys
// policy_object_tags, policy_project_tags and policy_domain_tags.
//
// The verdict (Result) is not part of the output, so the dictionary on
// its own does not tell an Allow with no tag restriction apart from a
// Deny; consumers need the verdict from elsewhere.
func (result SPolicyResult) Json() jsonutils.JSONObject {
	fields := []struct {
		key  string
		tags tagutils.TTagSetList
	}{
		{"policy_object_tags", result.ObjectTags},
		{"policy_project_tags", result.ProjectTags},
		{"policy_domain_tags", result.DomainTags},
	}

	dict := jsonutils.NewDict()
	for _, f := range fields {
		dict.Add(jsonutils.Marshal(f.tags), f.key)
	}
	return dict
}
// mergeTagList combines two tag-set lists by delegating to
// TTagSetList.IntersectList.
//
// NOTE(review): GetResult uses an empty list to mean "no tag
// restriction". How IntersectList handles an empty operand is decided in
// tagutils and is not visible here — confirm it matches that meaning.
func mergeTagList(t1, t2 tagutils.TTagSetList) tagutils.TTagSetList {
	merged := t1.IntersectList(t2)
	return merged
}
// Merge combines two policy results so that both must permit the access.
//
// If either side is a deny, the merged result is a bare Deny with no tag
// lists. Otherwise the result keeps r1's verdict and each scope's tag
// list becomes mergeTagList of the two inputs. r1 is a value receiver,
// so the caller's copy is not modified.
func (r1 SPolicyResult) Merge(r2 SPolicyResult) SPolicyResult {
	switch {
	case r1.Result.IsDeny(), r2.Result.IsDeny():
		// Deny on either side wins outright.
		return SPolicyResult{Result: Deny}
	}

	merged := r1
	merged.ProjectTags = mergeTagList(r1.ProjectTags, r2.ProjectTags)
	merged.DomainTags = mergeTagList(r1.DomainTags, r2.DomainTags)
	merged.ObjectTags = mergeTagList(r1.ObjectTags, r2.ObjectTags)
	return merged
}