feature: Permission and role system

Author: dogukanoksuz

app/middleware/permission/new.go

@@ -0,0 +1,60 @@
+package permission
+
+import (
+	"github.com/gofiber/fiber/v2"
+	"github.com/limanmys/render-engine/app/models"
+	"github.com/limanmys/render-engine/internal/liman"
+	"github.com/limanmys/render-engine/pkg/helpers"
+)
+
+func New() fiber.Handler {
+	return permission
+}
+
+func permission(c *fiber.Ctx) error {
+	if helpers.Env("LIMAN_RESTRICTED", "false") == "true" {
+		return c.Next()
+	}
+
+	user, err := liman.GetUser(&models.User{
+		ID: c.Locals("user_id").(string),
+	})
+	if err != nil {
+		return fiber.NewError(fiber.StatusInternalServerError, "error while getting the user")
+	}
+
+	if user.Status == 1 {
+		return c.Next()
+	}
+
+	perms, err := liman.GetObjectPermissions(user)
+	if err != nil {
+		return fiber.NewError(fiber.StatusInternalServerError, "error while getting the object permissions")
+	}
+
+	if len(c.FormValue("server_id")) > 0 {
+		if !helpers.Contains(perms, c.FormValue("server_id")) {
+			return fiber.NewError(fiber.StatusForbidden, "you have no permission to do this")
+		}
+	}
+
+	if len(c.FormValue("extension_id")) > 0 {
+		extensionID := c.FormValue("extension_id")
+		if !helpers.CheckUUID(extensionID) {
+			extension, err := liman.GetExtension(&models.Extension{Name: extensionID})
+			if err != nil {
+				return err
+			}
+
+			extensionID = extension.ID
+		}
+
+		if !helpers.Contains(perms, extensionID) || len(extensionID) < 1 {
+			return fiber.NewError(fiber.StatusForbidden, "you have no permission to do this")
+		}
+
+		c.Locals("extension_id", extensionID)
+	}
+
+	return c.Next()
+}

app/models/extension.go

@@ -5,14 +5,14 @@ type Extension struct {
 	ID         string `json:"id"`
 	Name       string `json:"name"`
 	Version    string `json:"version"`
-	Icon       string `json:"icon"`
+	Icon       string `json:"-"`
 	Service    string `json:"service"`
-	CreatedAt  string `json:"created_at"`
-	UpdatedAt  string `json:"updated_at"`
-	Order      int    `json:"order"`
+	CreatedAt  string `json:"-"`
+	UpdatedAt  string `json:"-"`
+	Order      int    `json:"-"`
 	SslPorts   string `json:"sslPorts" pg:"sslPorts"`
 	Issuer     string `json:"issuer"`
-	Language   string `json:"language"`
+	Language   string `json:"-"`
 	Support    string `json:"support"`
 	Displays   string `json:"displays"`
 	Status     string `json:"status"`

app/models/permission.go

@@ -0,0 +1,18 @@
+package models
+
+type Permission struct {
+	ID        string `json:"id"`
+	CreatedAt string `json:"created_at"`
+	UpdatedAt string `json:"updated_at"`
+	Type      string `json:"type"`
+	Key       string `json:"key"`
+	Value     string `json:"value"`
+	Extra     string `json:"extra"`
+	Blame     string `json:"blame"`
+	MorphID   string `json:"morph_id"`
+	MorphType string `json:"morph_type"`
+}
+
+func (Permission) TableName() string {
+	return "permissions"
+}

app/models/role_users.go

@@ -0,0 +1,14 @@
+package models
+
+type RoleUsers struct {
+	ID        string `json:"id"`
+	UserID    string `json:"user_id"`
+	RoleID    string `json:"role_id"`
+	CreatedAt string `json:"created_at"`
+	UpdatedAt string `json:"updated_at"`
+	Type      string `json:"type"`
+}
+
+func (RoleUsers) TableName() string {
+	return "role_users"
+}

app/models/server.go

@@ -6,11 +6,11 @@ type Server struct {
 	Name        string `json:"name"`
 	Type        string `json:"type"`
 	IPAddress   string `json:"ip_address"`
-	City        string `json:"city"`
+	City        string `json:"-"`
 	ControlPort string `json:"control_port"`
-	UserID      string `json:"user_id"`
-	CreatedAt   string `json:"created_at"`
-	UpdatedAt   string `json:"updated_at"`
+	UserID      string `json:"-"`
+	CreatedAt   string `json:"-"`
+	UpdatedAt   string `json:"-"`
 	Os          string `json:"os"`
 	Enabled     string `json:"enabled"`
 	KeyPort     int    `json:"key_port"`

app/models/user.go

@@ -5,14 +5,14 @@ type User struct {
 	ID            string `json:"id"`
 	Name          string `json:"name"`
 	Email         string `json:"email"`
-	Password      string `json:"password" gorm:"-"`
+	Password      string `json:"-" gorm:"-"`
 	Status        int    `json:"status"`
-	LastLoginAt   string `json:"last_login_at" gorm:"-"`
-	RememberToken string `json:"remember_token" gorm:"-"`
-	LastLoginIP   string `json:"last_login_ip" gorm:"-"`
-	CreatedAt     string `json:"created_at"`
-	UpdatedAt     string `json:"updated_at"`
-	ForceChange   bool   `json:"forcechange" pg:"forceChange"`
+	LastLoginAt   string `json:"-" gorm:"-"`
+	RememberToken string `json:"-" gorm:"-"`
+	LastLoginIP   string `json:"-" gorm:"-"`
+	CreatedAt     string `json:"-"`
+	UpdatedAt     string `json:"-"`
+	ForceChange   bool   `json:"-" pg:"forceChange"`
 	ObjectGUID    string `json:"objectguid" pg:"objectguid"`
 	AuthType      string `json:"auth_type"`
 }

internal/liman/role_system.go

@@ -1 +1,113 @@
 package liman
+
+import (
+	"strings"
+
+	"github.com/gofiber/fiber/v2"
+	"github.com/limanmys/render-engine/app/models"
+	"github.com/limanmys/render-engine/internal/database"
+	"github.com/limanmys/render-engine/pkg/helpers"
+)
+
+func GetPermissions(user *models.User, extFilter string) ([]string, map[string]string, error) {
+	roles, err := getRoleMaps(user)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	permissions := []string{}
+	variables := make(map[string]string)
+	for _, role := range roles {
+		permission, variable, err := getPermissionsFromMorph(role, strings.ToLower(extFilter))
+		if err != nil {
+			return nil, nil, err
+		}
+
+		permissions = append(permissions, permission...)
+
+		variables = helpers.MergeStringMaps(variables, variable)
+	}
+
+	return permissions, variables, nil
+}
+
+func GetObjectPermissions(user *models.User) ([]string, error) {
+	roles, err := getRoleMaps(user)
+	if err != nil {
+		return nil, err
+	}
+
+	permissions := []string{}
+	for _, role := range roles {
+		permission, err := getObjectPermissionsFromMorph(role)
+		if err != nil {
+			return nil, err
+		}
+
+		permissions = append(permissions, permission...)
+	}
+
+	return permissions, nil
+}
+
+func getPermissionsFromMorph(morphID string, extFilter string) ([]string, map[string]string, error) {
+	permission := []*models.Permission{}
+
+	err := database.Connection().Find(&permission, "morph_id = ?", morphID).Error
+	if err != nil {
+		return nil, nil, fiber.NewError(fiber.StatusInternalServerError, "error while fetching the permissions")
+	}
+
+	funcPerms := []string{}
+	varPerms := make(map[string]string)
+
+	for _, item := range permission {
+		if item.Type == "function" {
+			if len(extFilter) > 0 {
+				if extFilter == item.Value {
+					funcPerms = append(funcPerms, item.Extra)
+				}
+			} else {
+				funcPerms = append(funcPerms, item.Extra)
+			}
+		}
+
+		if item.Type == "variable" {
+			varPerms[item.Key] = item.Value
+		}
+	}
+
+	return funcPerms, varPerms, nil
+}
+
+func getObjectPermissionsFromMorph(morphID string) ([]string, error) {
+	permissions := []*models.Permission{}
+
+	err := database.Connection().Find(&permissions, "morph_id = ? AND NOT type = 'function'", morphID).Error
+	if err != nil {
+		return nil, err
+	}
+
+	results := []string{}
+	for _, permission := range permissions {
+		results = append(results, permission.Value)
+	}
+
+	return results, nil
+}
+
+func getRoleMaps(user *models.User) ([]string, error) {
+	roles := []*models.RoleUsers{}
+
+	err := database.Connection().Find(&roles, "user_id = ?", user.ID).Error
+	if err != nil {
+		return nil, fiber.NewError(fiber.StatusInternalServerError, "error while fetching the roles")
+	}
+
+	roleID := []string{user.ID}
+	for _, item := range roles {
+		roleID = append(roleID, item.RoleID)
+	}
+
+	return roleID, nil
+}

internal/sandbox/command_generator.go

@@ -3,13 +3,13 @@ package sandbox
 import (
 	"fmt"
 	"io/ioutil"
-	"os"
 	"strings"
 
 	"github.com/alessio/shellescape"
 	"github.com/bytedance/sonic"
 	"github.com/gofiber/fiber/v2"
 	"github.com/limanmys/render-engine/app/models"
+	"github.com/limanmys/render-engine/internal/constants"
 	"github.com/limanmys/render-engine/internal/liman"
 	"github.com/limanmys/render-engine/pkg/helpers"
 	"github.com/mervick/aes-everywhere/go/aes256"
@@ -19,20 +19,15 @@ func GenerateCommand(extension *models.Extension, credentials *models.Credential
 	extension.Name = shellescape.StripUnsafe(extension.Name)
 
 	if !helpers.IsLetter(extension.Name) {
-		return "", fiber.NewError(fiber.StatusUnprocessableEntity, "Extension names can only contains letters")
+		return "", fiber.NewError(fiber.StatusUnprocessableEntity, "extension names can only contains letters")
 	}
 
-	server, err := liman.GetServer(&models.Server{ID: params.Server})
+	server, user, settings, err := getParams(extension, credentials, params)
 	if err != nil {
 		return "", err
 	}
 
-	user, err := liman.GetUser(&models.User{ID: params.User})
-	if err != nil {
-		return "", err
-	}
-
-	settings, err := liman.GetSettings(user, server, extension)
+	permissions, variables, err := liman.GetPermissions(user, extension.Name)
 	if err != nil {
 		return "", err
 	}
@@ -53,52 +48,76 @@ func GenerateCommand(extension *models.Extension, credentials *models.Credential
 	settingsJson, _ := sonic.Marshal(settings)
 	userJson, _ := sonic.Marshal(user)
 	requestData, _ := sonic.Marshal(params.RequestData)
+	permissionsJson, _ := sonic.Marshal(permissions)
+	variablesJson, _ := sonic.Marshal(variables)
 
 	extensionData := map[string]string{
 		"server":          string(serverJson),
 		"extension":       string(extensionJson),
 		"settings":        string(settingsJson),
 		"user":            string(userJson),
+		"permissions":     string(permissionsJson),
+		"variables":       string(variablesJson),
+		"requestData":     string(requestData),
+		"publicPath":      fmt.Sprintf(constants.EXTENSION_PUBLIC_PATH, params.BaseURL, extension.ID),
+		"functionsPath":   fmt.Sprintf("%s/%s%s", constants.EXTENSIONS_PATH, strings.ToLower(extension.Name), constants.FUNCTIONS_FILE_PATH),
+		"navigationRoute": fmt.Sprintf(constants.NAVIGATION_ROUTE, extension.ID, server.City, server.ID),
 		"key_type":        credentials.Type,
-		"functionsPath":   fmt.Sprintf("/liman/extensions/%s/views/functions.php", strings.ToLower(extension.Name)),
 		"function":        params.TargetFunction,
-		"requestData":     string(requestData),
 		"license":         licenceData,
-		"apiRoute":        "/extensionRun",
-		"navigationRoute": fmt.Sprintf("/l/%s/%s/%s", extension.ID, server.City, server.ID),
 		"token":           params.Token,
 		"locale":          params.Locale,
 		"log_id":          "0000000", // TODO: add log handlers
 		"ajax":            "true",
-		"publicPath":      fmt.Sprintf("%s/eklenti/%s/public/", params.BaseURL, extension.ID),
-		"permissions":     "[]",
-		"variables":       "[]",
-		// TODO: Add role system
+		"apiRoute":        "/extensionRun",
 	}
 
-	secureKey, err := ioutil.ReadFile("/liman/keys/" + extension.ID)
+	secureKey, err := ioutil.ReadFile(constants.KEYS_PATH + "/" + extension.ID)
 	if err != nil {
-		return "", fiber.NewError(fiber.StatusNotFound, "Cannot found extension key file")
+		return "", fiber.NewError(fiber.StatusNotFound, "cannot found extension key file")
 	}
 
 	extensionDataJson, _ := sonic.Marshal(extensionData)
 	encryptedData := aes256.Encrypt(string(extensionDataJson), string(secureKey))
 
-	timeout := "30"
-	if len(os.Getenv("EXTENSION_TIMEOUT")) > 0 {
-		timeout = os.Getenv("EXTENSION_TIMEOUT")
-	}
+	// TODO: extJsonfile
+	// TODO: required param tester
+	// TODO: targetFunction and permission match check
+	// TODO: so file handler
 
 	command := fmt.Sprintf(
 		"runuser %s -c 'timeout %s /usr/bin/php -d display_errors=on %s %s %s'",
 		strings.Replace(extension.ID, "-", "", -1),
-		timeout,
-		"/liman/sandbox/php/index.php",
-		"/liman/keys/"+extension.ID,
+		helpers.Env("EXTENSION_TIMEOUT", "30"),
+		constants.SANDBOX_PATH,
+		constants.KEYS_PATH+"/"+extension.ID,
 		encryptedData,
 	)
 
 	// TODO: complete the command generator
 
 	return command, nil
 }
+
+func getParams(
+	extension *models.Extension,
+	credentials *models.Credentials,
+	params *models.CommandParams,
+) (*models.Server, *models.User, map[string]string, error) {
+	server, err := liman.GetServer(&models.Server{ID: params.Server})
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	user, err := liman.GetUser(&models.User{ID: params.User})
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	settings, err := liman.GetSettings(user, server, extension)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	return server, user, settings, nil
+}