Merge pull request #6765 from heww/rename-ram

Rename ram to rbac
This commit is contained in:
He Weiwei 2019-01-17 11:50:14 +08:00 committed by GitHub
commit 8dab10bbed
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
16 changed files with 62 additions and 62 deletions

View File

@ -12,7 +12,7 @@
// See the License for the specific language governing permissions and
// limitations under the License.
package ram
package rbac
import (
"errors"

View File

@ -12,7 +12,7 @@
// See the License for the specific language governing permissions and
// limitations under the License.
package ram
package rbac
import (
"fmt"

View File

@ -12,7 +12,7 @@
// See the License for the specific language governing permissions and
// limitations under the License.
package ram
package rbac
import (
"testing"

View File

@ -12,7 +12,7 @@
// See the License for the specific language governing permissions and
// limitations under the License.
package ram
package rbac
import (
"errors"

View File

@ -12,7 +12,7 @@
// See the License for the specific language governing permissions and
// limitations under the License.
package ram
package rbac
import (
"testing"

View File

@ -15,19 +15,19 @@
package project
import (
"github.com/goharbor/harbor/src/common/ram"
"github.com/goharbor/harbor/src/common/rbac"
)
// const action variables
const (
ActionAll = ram.Action("*")
ActionPull = ram.Action("pull")
ActionPush = ram.Action("push")
ActionPushPull = ram.Action("push+pull")
ActionAll = rbac.Action("*")
ActionPull = rbac.Action("pull")
ActionPush = rbac.Action("push")
ActionPushPull = rbac.Action("push+pull")
)
// const resource variables
const (
ResourceAll = ram.Resource("*")
ResourceImage = ram.Resource("image")
ResourceAll = rbac.Resource("*")
ResourceImage = rbac.Resource("image")
)

View File

@ -15,26 +15,26 @@
package project
import (
"github.com/goharbor/harbor/src/common/ram"
"github.com/goharbor/harbor/src/common/rbac"
)
var (
// subresource policies for public project
publicProjectPolicies = []*ram.Policy{
publicProjectPolicies = []*rbac.Policy{
{Resource: ResourceImage, Action: ActionPull},
}
// subresource policies for system admin visitor
systemAdminProjectPolicies = []*ram.Policy{
systemAdminProjectPolicies = []*rbac.Policy{
{Resource: ResourceAll, Action: ActionAll},
}
)
func policiesForPublicProject(namespace ram.Namespace) []*ram.Policy {
policies := []*ram.Policy{}
func policiesForPublicProject(namespace rbac.Namespace) []*rbac.Policy {
policies := []*rbac.Policy{}
for _, policy := range publicProjectPolicies {
policies = append(policies, &ram.Policy{
policies = append(policies, &rbac.Policy{
Resource: namespace.Resource(policy.Resource),
Action: policy.Action,
Effect: policy.Effect,
@ -44,11 +44,11 @@ func policiesForPublicProject(namespace ram.Namespace) []*ram.Policy {
return policies
}
func policiesForSystemAdmin(namespace ram.Namespace) []*ram.Policy {
policies := []*ram.Policy{}
func policiesForSystemAdmin(namespace rbac.Namespace) []*rbac.Policy {
policies := []*rbac.Policy{}
for _, policy := range systemAdminProjectPolicies {
policies = append(policies, &ram.Policy{
policies = append(policies, &rbac.Policy{
Resource: namespace.Resource(policy.Resource),
Action: policy.Action,
Effect: policy.Effect,

View File

@ -15,7 +15,7 @@
package project
import (
"github.com/goharbor/harbor/src/common/ram"
"github.com/goharbor/harbor/src/common/rbac"
)
// visitorContext the context interface for the project visitor
@ -27,10 +27,10 @@ type visitorContext interface {
IsSysAdmin() bool
}
// visitor implement the ram.User interface for project visitor
// visitor implement the rbac.User interface for project visitor
type visitor struct {
ctx visitorContext
namespace ram.Namespace
namespace rbac.Namespace
projectRoles []int
}
@ -45,7 +45,7 @@ func (v *visitor) GetUserName() string {
}
// GetPolicies returns policies of the visitor
func (v *visitor) GetPolicies() []*ram.Policy {
func (v *visitor) GetPolicies() []*rbac.Policy {
if v.ctx.IsSysAdmin() {
return policiesForSystemAdmin(v.namespace)
}
@ -58,12 +58,12 @@ func (v *visitor) GetPolicies() []*ram.Policy {
}
// GetRoles returns roles of the visitor
func (v *visitor) GetRoles() []ram.Role {
func (v *visitor) GetRoles() []rbac.Role {
if !v.ctx.IsAuthenticated() {
return nil
}
roles := []ram.Role{}
roles := []rbac.Role{}
for _, roleID := range v.projectRoles {
roles = append(roles, &visitorRole{roleID: roleID, namespace: v.namespace})
@ -72,8 +72,8 @@ func (v *visitor) GetRoles() []ram.Role {
return roles
}
// NewUser returns ram.User interface for the project visitor
func NewUser(ctx visitorContext, namespace ram.Namespace, projectRoles ...int) ram.User {
// NewUser returns rbac.User interface for the project visitor
func NewUser(ctx visitorContext, namespace rbac.Namespace, projectRoles ...int) rbac.User {
return &visitor{
ctx: ctx,
namespace: namespace,

View File

@ -16,11 +16,11 @@ package project
import (
"github.com/goharbor/harbor/src/common"
"github.com/goharbor/harbor/src/common/ram"
"github.com/goharbor/harbor/src/common/rbac"
)
var (
rolePoliciesMap = map[string][]*ram.Policy{
rolePoliciesMap = map[string][]*rbac.Policy{
"projectAdmin": {
{Resource: ResourceImage, Action: ActionPushPull}, // compatible with security all perm of project
{Resource: ResourceImage, Action: ActionPush},
@ -38,9 +38,9 @@ var (
}
)
// visitorRole implement the ram.Role interface
// visitorRole implement the rbac.Role interface
type visitorRole struct {
namespace ram.Namespace
namespace rbac.Namespace
roleID int
}
@ -59,8 +59,8 @@ func (role *visitorRole) GetRoleName() string {
}
// GetPolicies returns policies for the visitor role
func (role *visitorRole) GetPolicies() []*ram.Policy {
policies := []*ram.Policy{}
func (role *visitorRole) GetPolicies() []*rbac.Policy {
policies := []*rbac.Policy{}
roleName := role.GetRoleName()
if roleName == "" {
@ -68,7 +68,7 @@ func (role *visitorRole) GetPolicies() []*ram.Policy {
}
for _, policy := range rolePoliciesMap[roleName] {
policies = append(policies, &ram.Policy{
policies = append(policies, &rbac.Policy{
Resource: role.namespace.Resource(policy.Resource),
Action: policy.Action,
Effect: policy.Effect,

View File

@ -18,7 +18,7 @@ import (
"testing"
"github.com/goharbor/harbor/src/common"
"github.com/goharbor/harbor/src/common/ram"
"github.com/goharbor/harbor/src/common/rbac"
"github.com/stretchr/testify/suite"
)
@ -50,8 +50,8 @@ type VisitorTestSuite struct {
}
func (suite *VisitorTestSuite) TestGetPolicies() {
namespace := ram.NewProjectNamespace("library", false)
publicNamespace := ram.NewProjectNamespace("library", true)
namespace := rbac.NewProjectNamespace("library", false)
publicNamespace := rbac.NewProjectNamespace("library", true)
anonymous := NewUser(anonymousCtx, namespace)
suite.Nil(anonymous.GetPolicies())
@ -73,7 +73,7 @@ func (suite *VisitorTestSuite) TestGetPolicies() {
}
func (suite *VisitorTestSuite) TestGetRoles() {
namespace := ram.NewProjectNamespace("library", false)
namespace := rbac.NewProjectNamespace("library", false)
anonymous := NewUser(anonymousCtx, namespace)
suite.Nil(anonymous.GetRoles())

View File

@ -12,7 +12,7 @@
// See the License for the specific language governing permissions and
// limitations under the License.
package ram
package rbac
import (
"fmt"
@ -87,14 +87,14 @@ func (p *Policy) GetEffect() string {
return eft.String()
}
// Role the interface of ram role
// Role the interface of rbac role
type Role interface {
// GetRoleName returns the role identity, if empty string role's policies will be ignore
GetRoleName() string
GetPolicies() []*Policy
}
// User the interface of ram user
// User the interface of rbac user
type User interface {
// GetUserName returns the user identity, if empty string user's all policies will be ignore
GetUserName() string

View File

@ -12,7 +12,7 @@
// See the License for the specific language governing permissions and
// limitations under the License.
package ram
package rbac
import (
"reflect"

View File

@ -16,8 +16,8 @@ package admiral
import (
"github.com/goharbor/harbor/src/common/models"
"github.com/goharbor/harbor/src/common/ram"
"github.com/goharbor/harbor/src/common/ram/project"
"github.com/goharbor/harbor/src/common/rbac"
"github.com/goharbor/harbor/src/common/rbac/project"
"github.com/goharbor/harbor/src/common/security/admiral/authcontext"
"github.com/goharbor/harbor/src/core/promgr"
)
@ -72,32 +72,32 @@ func (s *SecurityContext) IsSolutionUser() bool {
// HasReadPerm returns whether the user has read permission to the project
func (s *SecurityContext) HasReadPerm(projectIDOrName interface{}) bool {
isPublicProject, _ := s.pm.IsPublic(projectIDOrName)
return s.Can(project.ActionPull, ram.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(project.ResourceImage))
return s.Can(project.ActionPull, rbac.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(project.ResourceImage))
}
// HasWritePerm returns whether the user has write permission to the project
func (s *SecurityContext) HasWritePerm(projectIDOrName interface{}) bool {
isPublicProject, _ := s.pm.IsPublic(projectIDOrName)
return s.Can(project.ActionPush, ram.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(project.ResourceImage))
return s.Can(project.ActionPush, rbac.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(project.ResourceImage))
}
// HasAllPerm returns whether the user has all permissions to the project
func (s *SecurityContext) HasAllPerm(projectIDOrName interface{}) bool {
isPublicProject, _ := s.pm.IsPublic(projectIDOrName)
return s.Can(project.ActionPushPull, ram.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(project.ResourceImage))
return s.Can(project.ActionPushPull, rbac.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(project.ResourceImage))
}
// Can returns whether the user can do action on resource
func (s *SecurityContext) Can(action ram.Action, resource ram.Resource) bool {
func (s *SecurityContext) Can(action rbac.Action, resource rbac.Resource) bool {
ns, err := resource.GetNamespace()
if err == nil {
switch ns.Kind() {
case "project":
projectIDOrName := ns.Identity()
isPublicProject, _ := s.pm.IsPublic(projectIDOrName)
projectNamespace := ram.NewProjectNamespace(projectIDOrName, isPublicProject)
projectNamespace := rbac.NewProjectNamespace(projectIDOrName, isPublicProject)
user := project.NewUser(s, projectNamespace, s.GetProjectRoles(projectIDOrName)...)
return ram.HasPermission(user, resource, action)
return rbac.HasPermission(user, resource, action)
}
}

View File

@ -19,8 +19,8 @@ import (
"github.com/goharbor/harbor/src/common/dao"
"github.com/goharbor/harbor/src/common/dao/group"
"github.com/goharbor/harbor/src/common/models"
"github.com/goharbor/harbor/src/common/ram"
"github.com/goharbor/harbor/src/common/ram/project"
"github.com/goharbor/harbor/src/common/rbac"
"github.com/goharbor/harbor/src/common/rbac/project"
"github.com/goharbor/harbor/src/common/utils/log"
"github.com/goharbor/harbor/src/core/promgr"
)
@ -70,32 +70,32 @@ func (s *SecurityContext) IsSolutionUser() bool {
// HasReadPerm returns whether the user has read permission to the project
func (s *SecurityContext) HasReadPerm(projectIDOrName interface{}) bool {
isPublicProject, _ := s.pm.IsPublic(projectIDOrName)
return s.Can(project.ActionPull, ram.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(project.ResourceImage))
return s.Can(project.ActionPull, rbac.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(project.ResourceImage))
}
// HasWritePerm returns whether the user has write permission to the project
func (s *SecurityContext) HasWritePerm(projectIDOrName interface{}) bool {
isPublicProject, _ := s.pm.IsPublic(projectIDOrName)
return s.Can(project.ActionPush, ram.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(project.ResourceImage))
return s.Can(project.ActionPush, rbac.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(project.ResourceImage))
}
// HasAllPerm returns whether the user has all permissions to the project
func (s *SecurityContext) HasAllPerm(projectIDOrName interface{}) bool {
isPublicProject, _ := s.pm.IsPublic(projectIDOrName)
return s.Can(project.ActionPushPull, ram.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(project.ResourceImage))
return s.Can(project.ActionPushPull, rbac.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(project.ResourceImage))
}
// Can returns whether the user can do action on resource
func (s *SecurityContext) Can(action ram.Action, resource ram.Resource) bool {
func (s *SecurityContext) Can(action rbac.Action, resource rbac.Resource) bool {
ns, err := resource.GetNamespace()
if err == nil {
switch ns.Kind() {
case "project":
projectIDOrName := ns.Identity()
isPublicProject, _ := s.pm.IsPublic(projectIDOrName)
projectNamespace := ram.NewProjectNamespace(projectIDOrName, isPublicProject)
projectNamespace := rbac.NewProjectNamespace(projectIDOrName, isPublicProject)
user := project.NewUser(s, projectNamespace, s.GetProjectRoles(projectIDOrName)...)
return ram.HasPermission(user, resource, action)
return rbac.HasPermission(user, resource, action)
}
}

View File

@ -19,7 +19,7 @@ import (
"github.com/goharbor/harbor/src/common"
"github.com/goharbor/harbor/src/common/models"
"github.com/goharbor/harbor/src/common/ram"
"github.com/goharbor/harbor/src/common/rbac"
"github.com/goharbor/harbor/src/common/secret"
"github.com/goharbor/harbor/src/common/utils/log"
)
@ -99,7 +99,7 @@ func (s *SecurityContext) HasAllPerm(projectIDOrName interface{}) bool {
}
// Can returns whether the user can do action on resource
func (s *SecurityContext) Can(action ram.Action, resource ram.Resource) bool {
func (s *SecurityContext) Can(action rbac.Action, resource rbac.Resource) bool {
if s.store == nil {
return false
}