Starship/CoreID
1
0
Fork 0
Code Issues 8 Pull Requests Releases 34 Wiki Activity

Clean up IAM to allow relations w/o explicit definitions
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source
This commit is contained in:
Garrett Mills
2021-04-15 09:55:25 -05:00
parent a7ed5d09f1
commit 5645e8fae1
2 changed files with 36 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
app/models/iam/Policy.model.js
View File

@@ -65,34 +65,65 @@ class PolicyModel extends Model {
return user_denials.length > 0 || group_denials.length > 0
}
static async get_all_related(target_id) {
const all = [target_id]
const Machine = this.prototype.models.get('ldap:Machine')
const MachineGroup = this.prototype.models.get('ldap:MachineGroup')
const machine = await Machine.findById(target_id)
if ( machine?.active ) {
const groups = await MachineGroup.find({
active: true,
machine_ids: machine.id,
})
groups.map(x => all.push(x.id))
}
const group = await MachineGroup.findById(target_id)
if ( group?.active ) {
const machines = await Machine.find({
active: true,
_id: {
$in: group.machine_ids.map(x => Machine.to_object_id(x)),
}
})
machines.map(x => all.push(x.id))
}
return all
}
static async check_user_access(user, target_id) {
const groups = await user.groups()
const group_ids = groups.map(x => x.id)
const target_ids = await this.get_all_related(target_id)
const user_approvals = await this.find({
entity_id: user.id,
target_id,
target_id: { $in: target_ids },
access_type: 'allow',
active: true,
})
const user_denials = await this.find({
entity_id: user.id,
target_id,
target_id: { $in: target_ids },
access_type: 'deny',
active: true,
})
const group_approvals = await this.find({
entity_id: { $in: group_ids },
target_id,
target_id: { $in: target_ids },
access_type: 'allow',
active: true,
})
const group_denials = await this.find({
entity_id: { $in: group_ids },
target_id,
target_id: { $in: target_ids },
access_type: 'deny',
active: true,
})