mirror of
https://github.com/aptly-dev/aptly.git
synced 2026-05-06 22:18:28 +00:00
Uploaders rules facility: controlling who can upload .changes. #71
This commit is contained in:
Andrey Smirnov
@@ -0,0 +1,74 @@
|
||||
package deb
|
||||
|
||||
import (
|
||||
"github.com/smira/aptly/utils"
|
||||
)
|
||||
|
||||
// UploadersRule is single rule of format: what packages can group or key upload
|
||||
type UploadersRule struct {
|
||||
Condition string `json:"condition"`
|
||||
Allow []string `json:"allow"`
|
||||
Deny []string `json:"deny"`
|
||||
CompiledCondition PackageQuery `json:"-"`
|
||||
}
|
||||
|
||||
// Uploaders is configuration of restrictions for .changes file importing
|
||||
type Uploaders struct {
|
||||
Groups map[string][]string `json:"groups"`
|
||||
Rules []UploadersRule `json:"rules"`
|
||||
}
|
||||
|
||||
func (u *Uploaders) expandGroupsInternal(items []string, trail []string) []string {
|
||||
result := []string{}
|
||||
|
||||
for _, item := range items {
|
||||
// stop infinite recursion
|
||||
if utils.StrSliceHasItem(trail, item) {
|
||||
continue
|
||||
}
|
||||
|
||||
group, ok := u.Groups[item]
|
||||
if !ok {
|
||||
result = append(result, item)
|
||||
} else {
|
||||
newTrail := append([]string(nil), trail...)
|
||||
result = append(result, u.expandGroupsInternal(group, append(newTrail, item))...)
|
||||
}
|
||||
}
|
||||
|
||||
return result
|
||||
}
|
||||
|
||||
// ExpandGroups expands list of keys/groups into list of keys
|
||||
func (u *Uploaders) ExpandGroups(items []string) []string {
|
||||
result := u.expandGroupsInternal(items, []string{})
|
||||
|
||||
return utils.StrSliceDeduplicate(result)
|
||||
}
|
||||
|
||||
// IsAllowed checks whether listed keys are allowed to upload given .changes file
|
||||
func (u *Uploaders) IsAllowed(keys []utils.GpgKey, changes *Changes) bool {
|
||||
for _, rule := range u.Rules {
|
||||
if rule.CompiledCondition.Matches(changes) {
|
||||
deny := u.ExpandGroups(rule.Deny)
|
||||
for _, key := range keys {
|
||||
for _, item := range deny {
|
||||
if item == "*" || key.Matches(utils.GpgKey(item)) {
|
||||
return false
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
allow := u.ExpandGroups(rule.Allow)
|
||||
for _, key := range keys {
|
||||
for _, item := range allow {
|
||||
if item == "*" || key.Matches(utils.GpgKey(item)) {
|
||||
return true
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
Reference in New Issue
Block a user