From c128865c4c7411c29a59fca9a3a2f95537686d7b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Paul=20B=C3=BCtow?= Date: Mon, 20 Jan 2020 18:41:05 +0000 Subject: Move commands to cmd/ and move internal dependencies to internal/ --- server/user/user.go | 131 ---------------------------------------------------- 1 file changed, 131 deletions(-) delete mode 100644 server/user/user.go (limited to 'server/user') diff --git a/server/user/user.go b/server/user/user.go deleted file mode 100644 index 405dc55..0000000 --- a/server/user/user.go +++ /dev/null @@ -1,131 +0,0 @@ -package user - -import ( - "dtail/config" - "dtail/fs/permissions" - "dtail/logger" - "fmt" - "os" - "path/filepath" - "regexp" - "strings" -) - -const maxLinkDepth int = 100 - -// User represents an end-user which connected to the server via the DTail client. -type User struct { - // The user name. - Name string - // The remote address connected from. - remoteAddress string - // The permissions the user has. - permissions []string -} - -// New returns a new user. -func New(name, remoteAddress string) *User { - return &User{ - Name: name, - remoteAddress: remoteAddress, - } -} - -// String representation of the user. -func (u *User) String() string { - return fmt.Sprintf("%s@%s", u.Name, u.remoteAddress) -} - -// HasFilePermission is used to determine whether user is alowed to read a file. -func (u *User) HasFilePermission(filePath string) (hasPermission bool) { - cleanPath, err := filepath.EvalSymlinks(filePath) - if err != nil { - logger.Error(u, filePath, "Unable to evaluate symlinks", err) - hasPermission = false - return - } - - cleanPath, err = filepath.Abs(cleanPath) - if err != nil { - logger.Error(u, cleanPath, "Unable to make file path absolute", err) - hasPermission = false - return - } - - if cleanPath != filePath { - logger.Info(u, filePath, cleanPath, "Calculated new clean path from original file path (possibly symlink)") - } - - hasPermission, err = u.hasFilePermission(cleanPath) - if err != nil { - logger.Warn(u, cleanPath, err) - } - - return -} - -func (u *User) hasFilePermission(cleanPath string) (bool, error) { - // First check file system Linux/UNIX permission. - if _, err := permissions.ToRead(u.Name, cleanPath); err != nil { - return false, fmt.Errorf("User without OS file system permissions to read file: '%v'", err) - } - logger.Info(u, cleanPath, "User has OS file system permissions to read file") - - // If file system permission is given, also check permissions - // as configured in DTail config file. - if len(u.permissions) == 0 { - p, err := config.ServerUserPermissions(u.Name) - if err != nil { - return false, err - } - u.permissions = p - } - - var hasPermission bool - var err error - - if hasPermission, err = u.iteratePaths(cleanPath); err != nil { - return false, err - } - - // Only allow to follow regular files or symlinks. - info, err := os.Lstat(cleanPath) - if err != nil { - return false, fmt.Errorf("Unable to determine file type: '%v'", err) - } - - if !info.Mode().IsRegular() { - return false, fmt.Errorf("Can only open regular files or follow symlinks") - } - - return hasPermission, nil -} - -func (u *User) iteratePaths(cleanPath string) (bool, error) { - for _, permission := range u.permissions { - var regexStr string - var negate bool - - if strings.HasPrefix(permission, "!") { - regexStr = permission[1:] - negate = true - } - regexStr = permission - negate = false - - re, err := regexp.Compile(regexStr) - if err != nil { - return false, fmt.Errorf("Permission test failed, can't compile regex '%s': '%v'", regexStr, err) - } - - if negate && re.MatchString(cleanPath) { - return false, fmt.Errorf("Permission test failed, matching negative pattern '%s'", permission) - } - - if !negate && re.MatchString(cleanPath) { - logger.Info(u, cleanPath, "Permission test passed partially, matching positive pattern", permission) - } - } - - return true, nil -} -- cgit v1.2.3