|
|
|
@ -65,34 +65,65 @@ class PolicyModel extends Model {
|
|
|
|
|
return user_denials.length > 0 || group_denials.length > 0
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static async get_all_related(target_id) {
|
|
|
|
|
const all = [target_id]
|
|
|
|
|
const Machine = this.prototype.models.get('ldap:Machine')
|
|
|
|
|
const MachineGroup = this.prototype.models.get('ldap:MachineGroup')
|
|
|
|
|
|
|
|
|
|
const machine = await Machine.findById(target_id)
|
|
|
|
|
if ( machine?.active ) {
|
|
|
|
|
const groups = await MachineGroup.find({
|
|
|
|
|
active: true,
|
|
|
|
|
machine_ids: machine.id,
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
groups.map(x => all.push(x.id))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const group = await MachineGroup.findById(target_id)
|
|
|
|
|
if ( group?.active ) {
|
|
|
|
|
const machines = await Machine.find({
|
|
|
|
|
active: true,
|
|
|
|
|
_id: {
|
|
|
|
|
$in: group.machine_ids.map(x => Machine.to_object_id(x)),
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
machines.map(x => all.push(x.id))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return all
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static async check_user_access(user, target_id) {
|
|
|
|
|
const groups = await user.groups()
|
|
|
|
|
const group_ids = groups.map(x => x.id)
|
|
|
|
|
const target_ids = await this.get_all_related(target_id)
|
|
|
|
|
|
|
|
|
|
const user_approvals = await this.find({
|
|
|
|
|
entity_id: user.id,
|
|
|
|
|
target_id,
|
|
|
|
|
target_id: { $in: target_ids },
|
|
|
|
|
access_type: 'allow',
|
|
|
|
|
active: true,
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
const user_denials = await this.find({
|
|
|
|
|
entity_id: user.id,
|
|
|
|
|
target_id,
|
|
|
|
|
target_id: { $in: target_ids },
|
|
|
|
|
access_type: 'deny',
|
|
|
|
|
active: true,
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
const group_approvals = await this.find({
|
|
|
|
|
entity_id: { $in: group_ids },
|
|
|
|
|
target_id,
|
|
|
|
|
target_id: { $in: target_ids },
|
|
|
|
|
access_type: 'allow',
|
|
|
|
|
active: true,
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
const group_denials = await this.find({
|
|
|
|
|
entity_id: { $in: group_ids },
|
|
|
|
|
target_id,
|
|
|
|
|
target_id: { $in: target_ids },
|
|
|
|
|
access_type: 'deny',
|
|
|
|
|
active: true,
|
|
|
|
|
})
|
|
|
|
|