IdP: extend ${u} with syntax to exclude by group
just like before, if vpath contains ${u} then
the IdP-volume is created unconditionally
but this is new:
${u%+foo} creates the vol only if user is member of group foo
${u%-foo} creates the vol if user is NOT member of group foo
			
			
This commit is contained in:
		
							parent
							
								
									999789c742
								
							
						
					
					
						commit
						9c2c423761
					
				| @ -72,6 +72,8 @@ SSEELOG = " ({})".format(SEE_LOG) | ||||
| BAD_CFG = "invalid config; {}".format(SEE_LOG) | ||||
| SBADCFG = " ({})".format(BAD_CFG) | ||||
| 
 | ||||
| PTN_U_GRP = re.compile(r"\$\{u%([+-])([^}]+)\}") | ||||
| 
 | ||||
| 
 | ||||
| class CfgEx(Exception): | ||||
|     pass | ||||
| @ -953,12 +955,24 @@ class AuthSrv(object): | ||||
|             un_gn = [("", "")] | ||||
| 
 | ||||
|         for un, gn in un_gn: | ||||
|             m = PTN_U_GRP.search(dst0) | ||||
|             if m: | ||||
|                 req, gnc = m.groups() | ||||
|                 hit = gnc in (un_gns.get(un) or []) | ||||
|                 if req == "+": | ||||
|                     if not hit: | ||||
|                         continue | ||||
|                 elif hit: | ||||
|                     continue | ||||
| 
 | ||||
|             # if ap/vp has a user/group placeholder, make sure to keep | ||||
|             # track so the same user/group is mapped when setting perms; | ||||
|             # otherwise clear un/gn to indicate it's a regular volume | ||||
| 
 | ||||
|             src1 = src0.replace("${u}", un or "\n") | ||||
|             dst1 = dst0.replace("${u}", un or "\n") | ||||
|             src1 = PTN_U_GRP.sub(un or "\n", src1) | ||||
|             dst1 = PTN_U_GRP.sub(un or "\n", dst1) | ||||
|             if src0 == src1 and dst0 == dst1: | ||||
|                 un = "" | ||||
| 
 | ||||
| @ -2312,7 +2326,7 @@ class AuthSrv(object): | ||||
|             idp_vn, _ = vfs.get(idp_vp, "*", False, False) | ||||
|             idp_vp0 = idp_vn.vpath0 | ||||
| 
 | ||||
|             sigils = set(re.findall(r"(\${[ug]})", idp_vp0)) | ||||
|             sigils = set(re.findall(r"(\${[ug][}%])", idp_vp0)) | ||||
|             if len(sigils) > 1: | ||||
|                 t = '\nWARNING: IdP-volume "/%s" created by "/%s" has multiple IdP placeholders: %s' | ||||
|                 self.idp_warn.append(t % (idp_vp, idp_vp0, list(sigils))) | ||||
| @ -2344,7 +2358,7 @@ class AuthSrv(object): | ||||
|                 elif oth_write: | ||||
|                     taxs = "WRITABLE BY %r" % (oth_write,) | ||||
|                 else: | ||||
|                     continue | ||||
|                     break  # no sigil; not idp; safe to stop | ||||
| 
 | ||||
|                 t = '\nWARNING: IdP-volume "/%s" created by "/%s" has parent/grandparent "/%s" and would be %s' | ||||
|                 self.idp_err.append(t % (idp_vp, idp_vp0, par_vn.vpath, taxs)) | ||||
|  | ||||
| @ -13,6 +13,8 @@ | ||||
| # because that is the data-volume in the docker containers, | ||||
| # because a deployment like this (with an IdP) is more commonly | ||||
| # seen in containerized environments -- but this is not required | ||||
| # | ||||
| # the example group "su" (super-user) is the admins group | ||||
| 
 | ||||
| 
 | ||||
| [global] | ||||
| @ -78,6 +80,18 @@ | ||||
|     rwmda: @${g}, @su  # read-write-move-delete-admin for that group + the "su" group | ||||
| 
 | ||||
| 
 | ||||
| [/sus/${u%+su}]  # users which ARE members of group "su" gets /sus/username | ||||
|   /w/tank1/${u}  # which will be "tank1/username" in the docker data volume | ||||
|   accs: | ||||
|     rwmda: ${u}  # read-write-move-delete-admin for that username | ||||
| 
 | ||||
| 
 | ||||
| [/m8s/${u%-su}]  # users which are NOT members of group "su" gets /m8s/username | ||||
|   /w/tank2/${u}  # which will be "tank2/username" in the docker data volume | ||||
|   accs: | ||||
|     rwmda: ${u}  # read-write-move-delete-admin for that username | ||||
| 
 | ||||
| 
 | ||||
| # and create some strategic volumes to prevent anyone from gaining | ||||
| # unintended access to priv folders if the users/groups db is lost | ||||
| [/u] | ||||
| @ -88,3 +102,7 @@ | ||||
|   /w/lounge | ||||
|   accs: | ||||
|     rwmda: @su | ||||
| [/sus] | ||||
|   /w/tank1 | ||||
| [/m8s] | ||||
|   /w/tank2 | ||||
|  | ||||
		Loading…
	
		Reference in New Issue
	
	Block a user
	 ed
						ed