Clean up IAM to allow relations w/o explicit definitions
All checks were successful
continuous-integration/drone/push Build is passing
All checks were successful
continuous-integration/drone/push Build is passing
This commit is contained in:
parent
a7ed5d09f1
commit
5645e8fae1
@ -65,34 +65,65 @@ class PolicyModel extends Model {
|
||||
return user_denials.length > 0 || group_denials.length > 0
|
||||
}
|
||||
|
||||
static async get_all_related(target_id) {
|
||||
const all = [target_id]
|
||||
const Machine = this.prototype.models.get('ldap:Machine')
|
||||
const MachineGroup = this.prototype.models.get('ldap:MachineGroup')
|
||||
|
||||
const machine = await Machine.findById(target_id)
|
||||
if ( machine?.active ) {
|
||||
const groups = await MachineGroup.find({
|
||||
active: true,
|
||||
machine_ids: machine.id,
|
||||
})
|
||||
|
||||
groups.map(x => all.push(x.id))
|
||||
}
|
||||
|
||||
const group = await MachineGroup.findById(target_id)
|
||||
if ( group?.active ) {
|
||||
const machines = await Machine.find({
|
||||
active: true,
|
||||
_id: {
|
||||
$in: group.machine_ids.map(x => Machine.to_object_id(x)),
|
||||
}
|
||||
})
|
||||
|
||||
machines.map(x => all.push(x.id))
|
||||
}
|
||||
|
||||
return all
|
||||
}
|
||||
|
||||
static async check_user_access(user, target_id) {
|
||||
const groups = await user.groups()
|
||||
const group_ids = groups.map(x => x.id)
|
||||
const target_ids = await this.get_all_related(target_id)
|
||||
|
||||
const user_approvals = await this.find({
|
||||
entity_id: user.id,
|
||||
target_id,
|
||||
target_id: { $in: target_ids },
|
||||
access_type: 'allow',
|
||||
active: true,
|
||||
})
|
||||
|
||||
const user_denials = await this.find({
|
||||
entity_id: user.id,
|
||||
target_id,
|
||||
target_id: { $in: target_ids },
|
||||
access_type: 'deny',
|
||||
active: true,
|
||||
})
|
||||
|
||||
const group_approvals = await this.find({
|
||||
entity_id: { $in: group_ids },
|
||||
target_id,
|
||||
target_id: { $in: target_ids },
|
||||
access_type: 'allow',
|
||||
active: true,
|
||||
})
|
||||
|
||||
const group_denials = await this.find({
|
||||
entity_id: { $in: group_ids },
|
||||
target_id,
|
||||
target_id: { $in: target_ids },
|
||||
access_type: 'deny',
|
||||
active: true,
|
||||
})
|
||||
|
@ -20,12 +20,6 @@ class MachineModel extends Model {
|
||||
}
|
||||
|
||||
async to_api() {
|
||||
let iam_filter = `(|(iamTarget=${this.id})`
|
||||
for ( const group of (await this.groups()) ) {
|
||||
iam_filter += `(iamTarget=${group.id})`
|
||||
}
|
||||
iam_filter += ')'
|
||||
|
||||
return {
|
||||
id: this.id,
|
||||
name: this.name,
|
||||
@ -33,7 +27,7 @@ class MachineModel extends Model {
|
||||
host_name: this.host_name,
|
||||
location: this.location,
|
||||
ldap_visible: this.ldap_visible,
|
||||
iam_filter,
|
||||
iam_filter: `(|(iamTarget=${this.id}))`,
|
||||
}
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user