Clean up IAM to allow relations w/o explicit definitions
This commit is contained in:
parent
a7ed5d09f1
commit
5645e8fae1
@ -65,34 +65,65 @@ class PolicyModel extends Model {
|
|||||||
return user_denials.length > 0 || group_denials.length > 0
|
return user_denials.length > 0 || group_denials.length > 0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static async get_all_related(target_id) {
|
||||||
|
const all = [target_id]
|
||||||
|
const Machine = this.prototype.models.get('ldap:Machine')
|
||||||
|
const MachineGroup = this.prototype.models.get('ldap:MachineGroup')
|
||||||
|
|
||||||
|
const machine = await Machine.findById(target_id)
|
||||||
|
if ( machine?.active ) {
|
||||||
|
const groups = await MachineGroup.find({
|
||||||
|
active: true,
|
||||||
|
machine_ids: machine.id,
|
||||||
|
})
|
||||||
|
|
||||||
|
groups.map(x => all.push(x.id))
|
||||||
|
}
|
||||||
|
|
||||||
|
const group = await MachineGroup.findById(target_id)
|
||||||
|
if ( group?.active ) {
|
||||||
|
const machines = await Machine.find({
|
||||||
|
active: true,
|
||||||
|
_id: {
|
||||||
|
$in: group.machine_ids.map(x => Machine.to_object_id(x)),
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
|
machines.map(x => all.push(x.id))
|
||||||
|
}
|
||||||
|
|
||||||
|
return all
|
||||||
|
}
|
||||||
|
|
||||||
static async check_user_access(user, target_id) {
|
static async check_user_access(user, target_id) {
|
||||||
const groups = await user.groups()
|
const groups = await user.groups()
|
||||||
const group_ids = groups.map(x => x.id)
|
const group_ids = groups.map(x => x.id)
|
||||||
|
const target_ids = await this.get_all_related(target_id)
|
||||||
|
|
||||||
const user_approvals = await this.find({
|
const user_approvals = await this.find({
|
||||||
entity_id: user.id,
|
entity_id: user.id,
|
||||||
target_id,
|
target_id: { $in: target_ids },
|
||||||
access_type: 'allow',
|
access_type: 'allow',
|
||||||
active: true,
|
active: true,
|
||||||
})
|
})
|
||||||
|
|
||||||
const user_denials = await this.find({
|
const user_denials = await this.find({
|
||||||
entity_id: user.id,
|
entity_id: user.id,
|
||||||
target_id,
|
target_id: { $in: target_ids },
|
||||||
access_type: 'deny',
|
access_type: 'deny',
|
||||||
active: true,
|
active: true,
|
||||||
})
|
})
|
||||||
|
|
||||||
const group_approvals = await this.find({
|
const group_approvals = await this.find({
|
||||||
entity_id: { $in: group_ids },
|
entity_id: { $in: group_ids },
|
||||||
target_id,
|
target_id: { $in: target_ids },
|
||||||
access_type: 'allow',
|
access_type: 'allow',
|
||||||
active: true,
|
active: true,
|
||||||
})
|
})
|
||||||
|
|
||||||
const group_denials = await this.find({
|
const group_denials = await this.find({
|
||||||
entity_id: { $in: group_ids },
|
entity_id: { $in: group_ids },
|
||||||
target_id,
|
target_id: { $in: target_ids },
|
||||||
access_type: 'deny',
|
access_type: 'deny',
|
||||||
active: true,
|
active: true,
|
||||||
})
|
})
|
||||||
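Review bot: get_all_related expands relations in both directions — a machine target pulls in its active groups and a group target pulls in its active member machines — so check_user_access will now match a policy whose target_id is any member machine when the target being checked is the group itself. If the return logic (outside this hunk) treats any matching approval as an allow, a machine-scoped allow effectively grants the whole group; the intended inheritance is presumably group → machine only, which would mean dropping the `MachineGroup.findById` branch, or splitting the helper into an inherit-from list used for approvals and a full related list used for denials. The sibling lines `groups.map(x => all.push(x.id))` and `machines.map(x => all.push(x.id))` use map for side effects; `all.push(...groups.map(x => x.id))` reads as intended. `group.machine_ids.map(...)` throws if machine_ids is unset on an active group — `(group.machine_ids ?? []).map(...)` if that state can occur. check_user_access's body continues past the hunk.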
|
@ -20,12 +20,6 @@ class MachineModel extends Model {
|
|||||||
}
|
}
|
||||||
|
|
||||||
async to_api() {
|
async to_api() {
|
||||||
let iam_filter = `(|(iamTarget=${this.id})`
|
|
||||||
for ( const group of (await this.groups()) ) {
|
|
||||||
iam_filter += `(iamTarget=${group.id})`
|
|
||||||
}
|
|
||||||
iam_filter += ')'
|
|
||||||
|
|
||||||
return {
|
return {
|
||||||
id: this.id,
|
id: this.id,
|
||||||
name: this.name,
|
name: this.name,
|
||||||
@ -33,7 +27,7 @@ class MachineModel extends Model {
|
|||||||
host_name: this.host_name,
|
host_name: this.host_name,
|
||||||
location: this.location,
|
location: this.location,
|
||||||
ldap_visible: this.ldap_visible,
|
ldap_visible: this.ldap_visible,
|
||||||
iam_filter,
|
iam_filter: `(|(iamTarget=${this.id}))`,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
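Review bot: The new `iam_filter` still interpolates `this.id` straight into an LDAP filter string without RFC 4515 escaping, and now that it is the only operand a reader cannot tell whether the `(|...)` wrapper is required by the consumer or a leftover of the removed group loop. If ids are always ObjectId hex strings the interpolation is harmless, but a one-line comment such as `// single-target filter: group relations are presumably resolved by PolicyModel.get_all_related, not encoded here` would record why the group ids were dropped and what the LDAP side may still rely on. to_api spans both hunks of this section, so the filter is built and returned in different hunks.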