forked from jshiffer/matterbridge
364 lines
9.6 KiB
Go
364 lines
9.6 KiB
Go
// Copyright (c) 2016-present Mattermost, Inc. All Rights Reserved.
|
|
// See License.txt for license information.
|
|
|
|
package model
|
|
|
|
import (
|
|
"encoding/json"
|
|
"io"
|
|
"strings"
|
|
)
|
|
|
|
const (
|
|
SYSTEM_USER_ROLE_ID = "system_user"
|
|
SYSTEM_ADMIN_ROLE_ID = "system_admin"
|
|
SYSTEM_POST_ALL_ROLE_ID = "system_post_all"
|
|
SYSTEM_POST_ALL_PUBLIC_ROLE_ID = "system_post_all_public"
|
|
SYSTEM_USER_ACCESS_TOKEN_ROLE_ID = "system_user_access_token"
|
|
|
|
TEAM_USER_ROLE_ID = "team_user"
|
|
TEAM_ADMIN_ROLE_ID = "team_admin"
|
|
TEAM_POST_ALL_ROLE_ID = "team_post_all"
|
|
TEAM_POST_ALL_PUBLIC_ROLE_ID = "team_post_all_public"
|
|
|
|
CHANNEL_USER_ROLE_ID = "channel_user"
|
|
CHANNEL_ADMIN_ROLE_ID = "channel_admin"
|
|
|
|
ROLE_NAME_MAX_LENGTH = 64
|
|
ROLE_DISPLAY_NAME_MAX_LENGTH = 128
|
|
ROLE_DESCRIPTION_MAX_LENGTH = 1024
|
|
)
|
|
|
|
type Role struct {
|
|
Id string `json:"id"`
|
|
Name string `json:"name"`
|
|
DisplayName string `json:"display_name"`
|
|
Description string `json:"description"`
|
|
CreateAt int64 `json:"create_at"`
|
|
UpdateAt int64 `json:"update_at"`
|
|
DeleteAt int64 `json:"delete_at"`
|
|
Permissions []string `json:"permissions"`
|
|
SchemeManaged bool `json:"scheme_managed"`
|
|
BuiltIn bool `json:"built_in"`
|
|
}
|
|
|
|
type RolePatch struct {
|
|
Permissions *[]string `json:"permissions"`
|
|
}
|
|
|
|
func (role *Role) ToJson() string {
|
|
b, _ := json.Marshal(role)
|
|
return string(b)
|
|
}
|
|
|
|
func RoleFromJson(data io.Reader) *Role {
|
|
var role *Role
|
|
json.NewDecoder(data).Decode(&role)
|
|
return role
|
|
}
|
|
|
|
func RoleListToJson(r []*Role) string {
|
|
b, _ := json.Marshal(r)
|
|
return string(b)
|
|
}
|
|
|
|
func RoleListFromJson(data io.Reader) []*Role {
|
|
var roles []*Role
|
|
json.NewDecoder(data).Decode(&roles)
|
|
return roles
|
|
}
|
|
|
|
func (r *RolePatch) ToJson() string {
|
|
b, _ := json.Marshal(r)
|
|
return string(b)
|
|
}
|
|
|
|
func RolePatchFromJson(data io.Reader) *RolePatch {
|
|
var rolePatch *RolePatch
|
|
json.NewDecoder(data).Decode(&rolePatch)
|
|
return rolePatch
|
|
}
|
|
|
|
func (o *Role) Patch(patch *RolePatch) {
|
|
if patch.Permissions != nil {
|
|
o.Permissions = *patch.Permissions
|
|
}
|
|
}
|
|
|
|
// Returns an array of permissions that are in either role.Permissions
|
|
// or patch.Permissions, but not both.
|
|
func PermissionsChangedByPatch(role *Role, patch *RolePatch) []string {
|
|
var result []string
|
|
|
|
if patch.Permissions == nil {
|
|
return result
|
|
}
|
|
|
|
roleMap := make(map[string]bool)
|
|
patchMap := make(map[string]bool)
|
|
|
|
for _, permission := range role.Permissions {
|
|
roleMap[permission] = true
|
|
}
|
|
|
|
for _, permission := range *patch.Permissions {
|
|
patchMap[permission] = true
|
|
}
|
|
|
|
for _, permission := range role.Permissions {
|
|
if !patchMap[permission] {
|
|
result = append(result, permission)
|
|
}
|
|
}
|
|
|
|
for _, permission := range *patch.Permissions {
|
|
if !roleMap[permission] {
|
|
result = append(result, permission)
|
|
}
|
|
}
|
|
|
|
return result
|
|
}
|
|
|
|
func (role *Role) IsValid() bool {
|
|
if len(role.Id) != 26 {
|
|
return false
|
|
}
|
|
|
|
return role.IsValidWithoutId()
|
|
}
|
|
|
|
func (role *Role) IsValidWithoutId() bool {
|
|
if !IsValidRoleName(role.Name) {
|
|
return false
|
|
}
|
|
|
|
if len(role.DisplayName) == 0 || len(role.DisplayName) > ROLE_DISPLAY_NAME_MAX_LENGTH {
|
|
return false
|
|
}
|
|
|
|
if len(role.Description) > ROLE_DESCRIPTION_MAX_LENGTH {
|
|
return false
|
|
}
|
|
|
|
for _, permission := range role.Permissions {
|
|
permissionValidated := false
|
|
for _, p := range ALL_PERMISSIONS {
|
|
if permission == p.Id {
|
|
permissionValidated = true
|
|
break
|
|
}
|
|
}
|
|
|
|
if !permissionValidated {
|
|
return false
|
|
}
|
|
}
|
|
|
|
return true
|
|
}
|
|
|
|
func IsValidRoleName(roleName string) bool {
|
|
if len(roleName) <= 0 || len(roleName) > ROLE_NAME_MAX_LENGTH {
|
|
return false
|
|
}
|
|
|
|
if strings.TrimLeft(roleName, "abcdefghijklmnopqrstuvwxyz0123456789_") != "" {
|
|
return false
|
|
}
|
|
|
|
return true
|
|
}
|
|
|
|
func MakeDefaultRoles() map[string]*Role {
|
|
roles := make(map[string]*Role)
|
|
|
|
roles[CHANNEL_USER_ROLE_ID] = &Role{
|
|
Name: "channel_user",
|
|
DisplayName: "authentication.roles.channel_user.name",
|
|
Description: "authentication.roles.channel_user.description",
|
|
Permissions: []string{
|
|
PERMISSION_READ_CHANNEL.Id,
|
|
PERMISSION_ADD_REACTION.Id,
|
|
PERMISSION_REMOVE_REACTION.Id,
|
|
PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id,
|
|
PERMISSION_UPLOAD_FILE.Id,
|
|
PERMISSION_GET_PUBLIC_LINK.Id,
|
|
PERMISSION_CREATE_POST.Id,
|
|
PERMISSION_USE_SLASH_COMMANDS.Id,
|
|
},
|
|
SchemeManaged: true,
|
|
BuiltIn: true,
|
|
}
|
|
|
|
roles[CHANNEL_ADMIN_ROLE_ID] = &Role{
|
|
Name: "channel_admin",
|
|
DisplayName: "authentication.roles.channel_admin.name",
|
|
Description: "authentication.roles.channel_admin.description",
|
|
Permissions: []string{
|
|
PERMISSION_MANAGE_CHANNEL_ROLES.Id,
|
|
},
|
|
SchemeManaged: true,
|
|
BuiltIn: true,
|
|
}
|
|
|
|
roles[TEAM_USER_ROLE_ID] = &Role{
|
|
Name: "team_user",
|
|
DisplayName: "authentication.roles.team_user.name",
|
|
Description: "authentication.roles.team_user.description",
|
|
Permissions: []string{
|
|
PERMISSION_LIST_TEAM_CHANNELS.Id,
|
|
PERMISSION_JOIN_PUBLIC_CHANNELS.Id,
|
|
PERMISSION_READ_PUBLIC_CHANNEL.Id,
|
|
PERMISSION_VIEW_TEAM.Id,
|
|
},
|
|
SchemeManaged: true,
|
|
BuiltIn: true,
|
|
}
|
|
|
|
roles[TEAM_POST_ALL_ROLE_ID] = &Role{
|
|
Name: "team_post_all",
|
|
DisplayName: "authentication.roles.team_post_all.name",
|
|
Description: "authentication.roles.team_post_all.description",
|
|
Permissions: []string{
|
|
PERMISSION_CREATE_POST.Id,
|
|
},
|
|
SchemeManaged: false,
|
|
BuiltIn: true,
|
|
}
|
|
|
|
roles[TEAM_POST_ALL_PUBLIC_ROLE_ID] = &Role{
|
|
Name: "team_post_all_public",
|
|
DisplayName: "authentication.roles.team_post_all_public.name",
|
|
Description: "authentication.roles.team_post_all_public.description",
|
|
Permissions: []string{
|
|
PERMISSION_CREATE_POST_PUBLIC.Id,
|
|
},
|
|
SchemeManaged: false,
|
|
BuiltIn: true,
|
|
}
|
|
|
|
roles[TEAM_ADMIN_ROLE_ID] = &Role{
|
|
Name: "team_admin",
|
|
DisplayName: "authentication.roles.team_admin.name",
|
|
Description: "authentication.roles.team_admin.description",
|
|
Permissions: []string{
|
|
PERMISSION_REMOVE_USER_FROM_TEAM.Id,
|
|
PERMISSION_MANAGE_TEAM.Id,
|
|
PERMISSION_IMPORT_TEAM.Id,
|
|
PERMISSION_MANAGE_TEAM_ROLES.Id,
|
|
PERMISSION_MANAGE_CHANNEL_ROLES.Id,
|
|
PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id,
|
|
PERMISSION_MANAGE_SLASH_COMMANDS.Id,
|
|
PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id,
|
|
PERMISSION_MANAGE_WEBHOOKS.Id,
|
|
},
|
|
SchemeManaged: true,
|
|
BuiltIn: true,
|
|
}
|
|
|
|
roles[SYSTEM_USER_ROLE_ID] = &Role{
|
|
Name: "system_user",
|
|
DisplayName: "authentication.roles.global_user.name",
|
|
Description: "authentication.roles.global_user.description",
|
|
Permissions: []string{
|
|
PERMISSION_CREATE_DIRECT_CHANNEL.Id,
|
|
PERMISSION_CREATE_GROUP_CHANNEL.Id,
|
|
PERMISSION_PERMANENT_DELETE_USER.Id,
|
|
},
|
|
SchemeManaged: true,
|
|
BuiltIn: true,
|
|
}
|
|
|
|
roles[SYSTEM_POST_ALL_ROLE_ID] = &Role{
|
|
Name: "system_post_all",
|
|
DisplayName: "authentication.roles.system_post_all.name",
|
|
Description: "authentication.roles.system_post_all.description",
|
|
Permissions: []string{
|
|
PERMISSION_CREATE_POST.Id,
|
|
},
|
|
SchemeManaged: false,
|
|
BuiltIn: true,
|
|
}
|
|
|
|
roles[SYSTEM_POST_ALL_PUBLIC_ROLE_ID] = &Role{
|
|
Name: "system_post_all_public",
|
|
DisplayName: "authentication.roles.system_post_all_public.name",
|
|
Description: "authentication.roles.system_post_all_public.description",
|
|
Permissions: []string{
|
|
PERMISSION_CREATE_POST_PUBLIC.Id,
|
|
},
|
|
SchemeManaged: false,
|
|
BuiltIn: true,
|
|
}
|
|
|
|
roles[SYSTEM_USER_ACCESS_TOKEN_ROLE_ID] = &Role{
|
|
Name: "system_user_access_token",
|
|
DisplayName: "authentication.roles.system_user_access_token.name",
|
|
Description: "authentication.roles.system_user_access_token.description",
|
|
Permissions: []string{
|
|
PERMISSION_CREATE_USER_ACCESS_TOKEN.Id,
|
|
PERMISSION_READ_USER_ACCESS_TOKEN.Id,
|
|
PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id,
|
|
},
|
|
SchemeManaged: false,
|
|
BuiltIn: true,
|
|
}
|
|
|
|
roles[SYSTEM_ADMIN_ROLE_ID] = &Role{
|
|
Name: "system_admin",
|
|
DisplayName: "authentication.roles.global_admin.name",
|
|
Description: "authentication.roles.global_admin.description",
|
|
// System admins can do anything channel and team admins can do
|
|
// plus everything members of teams and channels can do to all teams
|
|
// and channels on the system
|
|
Permissions: append(
|
|
append(
|
|
append(
|
|
append(
|
|
[]string{
|
|
PERMISSION_ASSIGN_SYSTEM_ADMIN_ROLE.Id,
|
|
PERMISSION_MANAGE_SYSTEM.Id,
|
|
PERMISSION_MANAGE_ROLES.Id,
|
|
PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
|
|
PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id,
|
|
PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
|
|
PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
|
|
PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
|
|
PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
|
|
PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
|
|
PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
|
|
PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH.Id,
|
|
PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id,
|
|
PERMISSION_EDIT_OTHER_USERS.Id,
|
|
PERMISSION_EDIT_OTHERS_POSTS.Id,
|
|
PERMISSION_MANAGE_OAUTH.Id,
|
|
PERMISSION_INVITE_USER.Id,
|
|
PERMISSION_DELETE_POST.Id,
|
|
PERMISSION_DELETE_OTHERS_POSTS.Id,
|
|
PERMISSION_CREATE_TEAM.Id,
|
|
PERMISSION_ADD_USER_TO_TEAM.Id,
|
|
PERMISSION_LIST_USERS_WITHOUT_TEAM.Id,
|
|
PERMISSION_MANAGE_JOBS.Id,
|
|
PERMISSION_CREATE_POST_PUBLIC.Id,
|
|
PERMISSION_CREATE_POST_EPHEMERAL.Id,
|
|
PERMISSION_CREATE_USER_ACCESS_TOKEN.Id,
|
|
PERMISSION_READ_USER_ACCESS_TOKEN.Id,
|
|
PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id,
|
|
PERMISSION_REMOVE_OTHERS_REACTIONS.Id,
|
|
},
|
|
roles[TEAM_USER_ROLE_ID].Permissions...,
|
|
),
|
|
roles[CHANNEL_USER_ROLE_ID].Permissions...,
|
|
),
|
|
roles[TEAM_ADMIN_ROLE_ID].Permissions...,
|
|
),
|
|
roles[CHANNEL_ADMIN_ROLE_ID].Permissions...,
|
|
),
|
|
SchemeManaged: true,
|
|
BuiltIn: true,
|
|
}
|
|
|
|
return roles
|
|
}
|