Add permissions to proxy

Author: LMG

josh-proxy/src/bin/josh-proxy.rs

@@ -46,6 +46,7 @@ struct JoshProxyService {
     fetch_permits: Arc<tokio::sync::Semaphore>,
     filter_permits: Arc<tokio::sync::Semaphore>,
     poll: Polls,
+    acl: Option<(String, String)>,
 }
 
 impl std::fmt::Debug for JoshProxyService {
@@ -244,9 +245,11 @@ async fn do_filter(
     temp_ns: Arc<josh_proxy::TmpGitNamespace>,
     filter_spec: String,
     headref: String,
+    user: String,
 ) -> josh::JoshResult<()> {
     let permit = service.filter_permits.acquire().await;
     let heads_map = service.heads_map.clone();
+    let acl = service.acl.clone();
 
     let s = tracing::span!(tracing::Level::TRACE, "do_filter worker");
     let r = tokio::task::spawn_blocking(move || {
@@ -295,7 +298,28 @@ async fn do_filter(
 
         let mut headref = headref;
 
-        josh::filter_refs(&transaction, filter, &from_to, josh::filter::empty())?;
+        let permissions_filter = if let Some(acl) = acl {
+            let users = &acl.0;
+            let groups = &acl.1;
+            tracing::info!("User: {:?}, Repo: {:?}", user, upstream_repo);
+            let acl = match josh::get_acl(&users, &groups, &user, &upstream_repo) {
+                Ok(acl) => acl,
+                Err(e) => {
+                    tracing::error!("Failed to read ACL file: {:?}", e);
+                    (josh::filter::empty(), josh::filter::nop())
+                }
+            };
+            let whitelist = acl.0;
+            let blacklist = acl.1;
+            tracing::info!("Whitelist: {:?}, Blacklist: {:?}", whitelist, blacklist);
+            josh::filter::make_permissions_filter(filter, whitelist, blacklist)
+        } else {
+            josh::filter::empty()
+        };
+
+        tracing::info!("Permissions: {:?}", permissions_filter);
+
+        josh::filter_refs(&transaction, filter, &from_to, permissions_filter)?;
         if headref == "HEAD" {
             headref = heads_map
                 .read()?
@@ -517,6 +541,7 @@ async fn call_service(
         &parsed_url.upstream_repo,
         &parsed_url.filter,
         &headref,
+        &username,
     )
     .in_current_span()
     .await?;
@@ -598,6 +623,7 @@ async fn prepare_namespace(
     upstream_repo: &str,
     filter_spec: &str,
     headref: &str,
+    user: &str,
 ) -> josh::JoshResult<std::sync::Arc<josh_proxy::TmpGitNamespace>> {
     let temp_ns = Arc::new(josh_proxy::TmpGitNamespace::new(
         &serv.repo_path,
@@ -606,13 +632,16 @@ async fn prepare_namespace(
 
     let serv = serv.clone();
 
+    let user = if user == "" { "anonymous" } else { user };
+
     do_filter(
         serv.repo_path.clone(),
         serv.clone(),
         upstream_repo.to_owned(),
         temp_ns.to_owned(),
         filter_spec.to_owned(),
         headref.to_string(),
+        user.to_string(),
     )
     .await?;
 
@@ -635,6 +664,20 @@ async fn run_proxy() -> josh::JoshResult<i32> {
     josh_proxy::create_repo(&local)?;
     josh::cache::load(&local)?;
 
+    let acl = if ARGS.is_present("users") && ARGS.is_present("groups") {
+        println!(
+            "{}, {}",
+            ARGS.value_of("users").unwrap().to_string(),
+            ARGS.value_of("groups").unwrap().to_string()
+        );
+        Some((
+            ARGS.value_of("users").unwrap().to_string(),
+            ARGS.value_of("groups").unwrap().to_string(),
+        ))
+    } else {
+        None
+    };
+
     let proxy_service = Arc::new(JoshProxyService {
         port,
         repo_path: local.to_owned(),
@@ -646,6 +689,7 @@ async fn run_proxy() -> josh::JoshResult<i32> {
             ARGS.value_of("n").unwrap_or("1").parse()?,
         )),
         filter_permits: Arc::new(tokio::sync::Semaphore::new(10)),
+        acl,
     });
 
     let ps = proxy_service.clone();
@@ -800,6 +844,18 @@ fn parse_args() -> clap::ArgMatches<'static> {
                 .help("Duration between forced cache refresh")
                 .takes_value(true),
         )
+        .arg(
+            clap::Arg::with_name("users")
+                .long("users")
+                .takes_value(true)
+                .help("YAML file listing the groups of the users"),
+        )
+        .arg(
+            clap::Arg::with_name("groups")
+                .long("groups")
+                .takes_value(true)
+                .help("YAML file listing the access rights of the groups"),
+        )
         .get_matches_from(args)
 }
 

josh-proxy/src/lib.rs

@@ -422,6 +422,7 @@ impl TmpGitNamespace {
     pub fn new(repo_path: &std::path::Path, span: tracing::Span) -> TmpGitNamespace {
         let n = format!("request_{}", uuid::Uuid::new_v4());
         let n2 = n.clone();
+
         TmpGitNamespace {
             name: n,
             repo_path: repo_path.to_owned(),

src/lib.rs

@@ -331,34 +331,42 @@ pub fn get_acl(
     let groups: Groups = serde_yaml::from_str(&groups)
         .map_err(|err| josh_error(format!("failed to parse groups file: {}", err).as_str()))?;
 
-    return users
-        .get(user)
-        .and_then(|u| {
-            let mut whitelist = filter::empty();
-            let mut blacklist = filter::empty();
-            for g in &u.groups {
-                let lists = groups.get(repo).and_then(|repo| {
-                    repo.get(g.as_str()?).and_then(|group| {
-                        let w = filter::parse(&group.whitelist);
-                        let b = filter::parse(&group.blacklist);
-                        Some((w, b))
-                    })
-                })?;
-                if let Err(e) = lists.0 {
-                    return Some(Err(JoshError(format!("Error parsing whitelist: {}", e))));
-                }
-                if let Err(e) = lists.1 {
-                    return Some(Err(JoshError(format!("Error parsing blacklist: {}", e))));
-                }
-                if let Ok(w) = lists.0 {
-                    whitelist = filter::compose(whitelist, w);
-                }
-                if let Ok(b) = lists.1 {
-                    blacklist = filter::compose(blacklist, b);
-                }
+    let res = users.get(user).and_then(|u| {
+        let mut whitelist = filter::empty();
+        let mut blacklist = filter::empty();
+        for g in &u.groups {
+            let lists = groups.get(repo).and_then(|repo| {
+                repo.get(g.as_str()?).and_then(|group| {
+                    let w = filter::parse(&group.whitelist);
+                    let b = filter::parse(&group.blacklist);
+                    Some((w, b))
+                })
+            })?;
+            if let Err(e) = lists.0 {
+                return Some(Err(JoshError(format!("Error parsing whitelist: {}", e))));
+            }
+            if let Err(e) = lists.1 {
+                return Some(Err(JoshError(format!("Error parsing blacklist: {}", e))));
+            }
+            if let Ok(w) = lists.0 {
+                whitelist = filter::compose(whitelist, w);
             }
-            println!("w: {:?}, b: {:?}", whitelist, blacklist);
-            Some(Ok((whitelist, blacklist)))
-        })
-        .unwrap_or(Ok((filter::empty(), filter::nop())));
+            if let Ok(b) = lists.1 {
+                blacklist = filter::compose(blacklist, b);
+            }
+        }
+        println!("w: {:?}, b: {:?}", whitelist, blacklist);
+        Some(Ok((whitelist, blacklist)))
+    });
+    return match res {
+        Some(Ok(res)) => Ok(res),
+        Some(Err(e)) => {
+            tracing::warn!("ACL error: {:?}", e);
+            Ok((filter::empty(), filter::nop()))
+        }
+        None => {
+            tracing::warn!("ACL: none");
+            Ok((filter::empty(), filter::nop()))
+        }
+    };
 }