You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
401 lines
12 KiB
401 lines
12 KiB
//
|
|
// DISCLAIMER
|
|
//
|
|
// Copyright 2017 ArangoDB GmbH, Cologne, Germany
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
//
|
|
// Copyright holder is ArangoDB GmbH, Cologne, Germany
|
|
//
|
|
// Author Ewout Prangsma
|
|
//
|
|
|
|
package driver
|
|
|
|
import (
|
|
"context"
|
|
"path"
|
|
)
|
|
|
|
// newUser creates a new User implementation.
|
|
func newUser(data userData, conn Connection) (User, error) {
|
|
if data.Name == "" {
|
|
return nil, WithStack(InvalidArgumentError{Message: "data.Name is empty"})
|
|
}
|
|
if conn == nil {
|
|
return nil, WithStack(InvalidArgumentError{Message: "conn is nil"})
|
|
}
|
|
return &user{
|
|
data: data,
|
|
conn: conn,
|
|
}, nil
|
|
}
|
|
|
|
type user struct {
|
|
data userData
|
|
conn Connection
|
|
}
|
|
|
|
type userData struct {
|
|
Name string `json:"user,omitempty"`
|
|
Active bool `json:"active,omitempty"`
|
|
Extra *RawObject `json:"extra,omitempty"`
|
|
ChangePassword bool `json:"changePassword,omitempty"`
|
|
ArangoError
|
|
}
|
|
|
|
// relPath creates the relative path to this index (`_api/user/<name>`)
|
|
func (u *user) relPath() string {
|
|
escapedName := pathEscape(u.data.Name)
|
|
return path.Join("_api", "user", escapedName)
|
|
}
|
|
|
|
// Name returns the name of the user.
|
|
func (u *user) Name() string {
|
|
return u.data.Name
|
|
}
|
|
|
|
// Is this an active user?
|
|
func (u *user) IsActive() bool {
|
|
return u.data.Active
|
|
}
|
|
|
|
// Is a password change for this user needed?
|
|
func (u *user) IsPasswordChangeNeeded() bool {
|
|
return u.data.ChangePassword
|
|
}
|
|
|
|
// Get extra information about this user that was passed during its creation/update/replacement
|
|
func (u *user) Extra(result interface{}) error {
|
|
if u.data.Extra == nil {
|
|
return nil
|
|
}
|
|
if err := u.conn.Unmarshal(*u.data.Extra, result); err != nil {
|
|
return WithStack(err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// Remove removes the entire user.
|
|
// If the user does not exist, a NotFoundError is returned.
|
|
func (u *user) Remove(ctx context.Context) error {
|
|
req, err := u.conn.NewRequest("DELETE", u.relPath())
|
|
if err != nil {
|
|
return WithStack(err)
|
|
}
|
|
resp, err := u.conn.Do(ctx, req)
|
|
if err != nil {
|
|
return WithStack(err)
|
|
}
|
|
if err := resp.CheckStatus(202); err != nil {
|
|
return WithStack(err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// Update updates individual properties of the user.
|
|
// If the user does not exist, a NotFoundError is returned.
|
|
func (u *user) Update(ctx context.Context, options UserOptions) error {
|
|
req, err := u.conn.NewRequest("PATCH", u.relPath())
|
|
if err != nil {
|
|
return WithStack(err)
|
|
}
|
|
if _, err := req.SetBody(options); err != nil {
|
|
return WithStack(err)
|
|
}
|
|
resp, err := u.conn.Do(ctx, req)
|
|
if err != nil {
|
|
return WithStack(err)
|
|
}
|
|
if err := resp.CheckStatus(200); err != nil {
|
|
return WithStack(err)
|
|
}
|
|
var data userData
|
|
if err := resp.ParseBody("", &data); err != nil {
|
|
return WithStack(err)
|
|
}
|
|
u.data = data
|
|
return nil
|
|
}
|
|
|
|
// Replace replaces all properties of the user.
|
|
// If the user does not exist, a NotFoundError is returned.
|
|
func (u *user) Replace(ctx context.Context, options UserOptions) error {
|
|
req, err := u.conn.NewRequest("PUT", u.relPath())
|
|
if err != nil {
|
|
return WithStack(err)
|
|
}
|
|
if _, err := req.SetBody(options); err != nil {
|
|
return WithStack(err)
|
|
}
|
|
resp, err := u.conn.Do(ctx, req)
|
|
if err != nil {
|
|
return WithStack(err)
|
|
}
|
|
if err := resp.CheckStatus(200); err != nil {
|
|
return WithStack(err)
|
|
}
|
|
var data userData
|
|
if err := resp.ParseBody("", &data); err != nil {
|
|
return WithStack(err)
|
|
}
|
|
u.data = data
|
|
return nil
|
|
}
|
|
|
|
type userAccessibleDatabasesResponse struct {
|
|
Result map[string]string `json:"result"`
|
|
}
|
|
|
|
// AccessibleDatabases returns a list of all databases that can be accessed by this user.
|
|
func (u *user) AccessibleDatabases(ctx context.Context) ([]Database, error) {
|
|
req, err := u.conn.NewRequest("GET", path.Join(u.relPath(), "database"))
|
|
if err != nil {
|
|
return nil, WithStack(err)
|
|
}
|
|
resp, err := u.conn.Do(ctx, req)
|
|
if err != nil {
|
|
return nil, WithStack(err)
|
|
}
|
|
if err := resp.CheckStatus(200); err != nil {
|
|
return nil, WithStack(err)
|
|
}
|
|
var data userAccessibleDatabasesResponse
|
|
if err := resp.ParseBody("", &data); err != nil {
|
|
return nil, WithStack(err)
|
|
}
|
|
result := make([]Database, 0, len(data.Result))
|
|
for name := range data.Result {
|
|
db, err := newDatabase(name, u.conn)
|
|
if err != nil {
|
|
return nil, WithStack(err)
|
|
}
|
|
result = append(result, db)
|
|
}
|
|
return result, nil
|
|
}
|
|
|
|
// SetDatabaseAccess sets the access this user has to the given database.
|
|
// Pass a `nil` database to set the default access this user has to any new database.
|
|
// This function requires ArangoDB 3.2 and up for access value `GrantReadOnly`.
|
|
func (u *user) SetDatabaseAccess(ctx context.Context, db Database, access Grant) error {
|
|
dbName, _, err := getDatabaseAndCollectionName(db)
|
|
if err != nil {
|
|
return WithStack(err)
|
|
}
|
|
escapedDbName := pathEscape(dbName)
|
|
req, err := u.conn.NewRequest("PUT", path.Join(u.relPath(), "database", escapedDbName))
|
|
if err != nil {
|
|
return WithStack(err)
|
|
}
|
|
input := struct {
|
|
Grant Grant `json:"grant"`
|
|
}{
|
|
Grant: access,
|
|
}
|
|
if _, err := req.SetBody(input); err != nil {
|
|
return WithStack(err)
|
|
}
|
|
resp, err := u.conn.Do(ctx, req)
|
|
if err != nil {
|
|
return WithStack(err)
|
|
}
|
|
if err := resp.CheckStatus(200); err != nil {
|
|
return WithStack(err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
type getAccessResponse struct {
|
|
Result string `json:"result"`
|
|
}
|
|
|
|
// GetDatabaseAccess gets the access rights for this user to the given database.
|
|
// Pass a `nil` database to get the default access this user has to any new database.
|
|
// This function requires ArangoDB 3.2 and up.
|
|
func (u *user) GetDatabaseAccess(ctx context.Context, db Database) (Grant, error) {
|
|
dbName, _, err := getDatabaseAndCollectionName(db)
|
|
if err != nil {
|
|
return GrantNone, WithStack(err)
|
|
}
|
|
escapedDbName := pathEscape(dbName)
|
|
req, err := u.conn.NewRequest("GET", path.Join(u.relPath(), "database", escapedDbName))
|
|
if err != nil {
|
|
return GrantNone, WithStack(err)
|
|
}
|
|
applyContextSettings(ctx, req)
|
|
resp, err := u.conn.Do(ctx, req)
|
|
if err != nil {
|
|
return GrantNone, WithStack(err)
|
|
}
|
|
if err := resp.CheckStatus(200); err != nil {
|
|
return GrantNone, WithStack(err)
|
|
}
|
|
|
|
var data getAccessResponse
|
|
if err := resp.ParseBody("", &data); err != nil {
|
|
return GrantNone, WithStack(err)
|
|
}
|
|
return Grant(data.Result), nil
|
|
}
|
|
|
|
// RemoveDatabaseAccess removes the access this user has to the given database.
|
|
// As a result the users access falls back to its default access.
|
|
// If you remove default access (db==`nil`) for a user (and there are no specific access
|
|
// rules for a database), the user's access falls back to no-access.
|
|
// Pass a `nil` database to set the default access this user has to any new database.
|
|
// This function requires ArangoDB 3.2 and up.
|
|
func (u *user) RemoveDatabaseAccess(ctx context.Context, db Database) error {
|
|
dbName, _, err := getDatabaseAndCollectionName(db)
|
|
if err != nil {
|
|
return WithStack(err)
|
|
}
|
|
escapedDbName := pathEscape(dbName)
|
|
req, err := u.conn.NewRequest("DELETE", path.Join(u.relPath(), "database", escapedDbName))
|
|
if err != nil {
|
|
return WithStack(err)
|
|
}
|
|
resp, err := u.conn.Do(ctx, req)
|
|
if err != nil {
|
|
return WithStack(err)
|
|
}
|
|
if err := resp.CheckStatus(200, 202); err != nil {
|
|
return WithStack(err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// SetCollectionAccess sets the access this user has to a collection.
|
|
// If you pass a `Collection`, it will set access for that collection.
|
|
// If you pass a `Database`, it will set the default collection access for that database.
|
|
// If you pass `nil`, it will set the default collection access for the default database.
|
|
// This function requires ArangoDB 3.2 and up.
|
|
func (u *user) SetCollectionAccess(ctx context.Context, col AccessTarget, access Grant) error {
|
|
dbName, colName, err := getDatabaseAndCollectionName(col)
|
|
if err != nil {
|
|
return WithStack(err)
|
|
}
|
|
escapedDbName := pathEscape(dbName)
|
|
escapedColName := pathEscape(colName)
|
|
req, err := u.conn.NewRequest("PUT", path.Join(u.relPath(), "database", escapedDbName, escapedColName))
|
|
if err != nil {
|
|
return WithStack(err)
|
|
}
|
|
input := struct {
|
|
Grant Grant `json:"grant"`
|
|
}{
|
|
Grant: access,
|
|
}
|
|
if _, err := req.SetBody(input); err != nil {
|
|
return WithStack(err)
|
|
}
|
|
resp, err := u.conn.Do(ctx, req)
|
|
if err != nil {
|
|
return WithStack(err)
|
|
}
|
|
if err := resp.CheckStatus(200); err != nil {
|
|
return WithStack(err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// GetCollectionAccess gets the access rights for this user to the given collection.
|
|
// If you pass a `Collection`, it will get access for that collection.
|
|
// If you pass a `Database`, it will get the default collection access for that database.
|
|
// If you pass `nil`, it will get the default collection access for the default database.
|
|
func (u *user) GetCollectionAccess(ctx context.Context, col AccessTarget) (Grant, error) {
|
|
dbName, colName, err := getDatabaseAndCollectionName(col)
|
|
if err != nil {
|
|
return GrantNone, WithStack(err)
|
|
}
|
|
escapedDbName := pathEscape(dbName)
|
|
escapedColName := pathEscape(colName)
|
|
req, err := u.conn.NewRequest("GET", path.Join(u.relPath(), "database", escapedDbName, escapedColName))
|
|
if err != nil {
|
|
return GrantNone, WithStack(err)
|
|
}
|
|
applyContextSettings(ctx, req)
|
|
resp, err := u.conn.Do(ctx, req)
|
|
if err != nil {
|
|
return GrantNone, WithStack(err)
|
|
}
|
|
if err := resp.CheckStatus(200); err != nil {
|
|
return GrantNone, WithStack(err)
|
|
}
|
|
|
|
var data getAccessResponse
|
|
if err := resp.ParseBody("", &data); err != nil {
|
|
return GrantNone, WithStack(err)
|
|
}
|
|
return Grant(data.Result), nil
|
|
}
|
|
|
|
// RemoveCollectionAccess removes the access this user has to a collection.
|
|
// If you pass a `Collection`, it will removes access for that collection.
|
|
// If you pass a `Database`, it will removes the default collection access for that database.
|
|
// If you pass `nil`, it will removes the default collection access for the default database.
|
|
// This function requires ArangoDB 3.2 and up.
|
|
func (u *user) RemoveCollectionAccess(ctx context.Context, col AccessTarget) error {
|
|
dbName, colName, err := getDatabaseAndCollectionName(col)
|
|
if err != nil {
|
|
return WithStack(err)
|
|
}
|
|
escapedDbName := pathEscape(dbName)
|
|
escapedColName := pathEscape(colName)
|
|
req, err := u.conn.NewRequest("DELETE", path.Join(u.relPath(), "database", escapedDbName, escapedColName))
|
|
if err != nil {
|
|
return WithStack(err)
|
|
}
|
|
resp, err := u.conn.Do(ctx, req)
|
|
if err != nil {
|
|
return WithStack(err)
|
|
}
|
|
if err := resp.CheckStatus(200, 202); err != nil {
|
|
return WithStack(err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// getDatabaseAndCollectionName returns database-name, collection-name from given access target.
|
|
func getDatabaseAndCollectionName(col AccessTarget) (string, string, error) {
|
|
if col == nil {
|
|
return "*", "*", nil
|
|
}
|
|
if x, ok := col.(Collection); ok {
|
|
return x.Database().Name(), x.Name(), nil
|
|
}
|
|
if x, ok := col.(Database); ok {
|
|
return x.Name(), "*", nil
|
|
}
|
|
return "", "", WithStack(InvalidArgumentError{"Need Collection or Database or nil"})
|
|
}
|
|
|
|
// GrantReadWriteAccess grants this user read/write access to the given database.
|
|
//
|
|
// Deprecated: use GrantDatabaseReadWriteAccess instead.
|
|
func (u *user) GrantReadWriteAccess(ctx context.Context, db Database) error {
|
|
if err := u.SetDatabaseAccess(ctx, db, GrantReadWrite); err != nil {
|
|
return WithStack(err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// RevokeAccess revokes this user access to the given database.
|
|
//
|
|
// Deprecated: use `SetDatabaseAccess(ctx, db, GrantNone)` instead.
|
|
func (u *user) RevokeAccess(ctx context.Context, db Database) error {
|
|
if err := u.SetDatabaseAccess(ctx, db, GrantNone); err != nil {
|
|
return WithStack(err)
|
|
}
|
|
return nil
|
|
}
|
|
|