Google Git
Sign in
upspin / gcp / 49a7aa4dba2ef913837f9d323874698b121be9dd / . / vendor / upspin.io / access / access.go
blob: e30ec84405beac6997440f2db606c0cda3ef877b [file] [log] [blame]
// Copyright 2016 The Upspin Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// Package access parses Access and Group files.
//
// If a '#' character is present in a Group or Access file
// the remainder of that line is ignored.
//
// Each line of an Access file specifies a set of rights
// and the users and/or groups to be granted those rights:
// <right>[, <right>]: <user/group>[, <user/group>, ...]
// Example:
// Read,List: user@domain,com, friends
// Write: user@domain.com, joe@domain.com
// Delete: user@domain.com # This is a comment.
//
// Each line of a Group file specifies a user or group
// to be included in the group:
// <user/group>
// Example:
// anne@domain.com # A user.
// joe@domain.com
// admins # A group defined in this user's tree.
//
package access // import "upspin.io/access"
import (
"bufio"
"bytes"
"encoding/json"
"sort"
"strconv"
"strings"
"sync"
"unicode/utf8"
"upspin.io/errors"
"upspin.io/path"
"upspin.io/upspin"
"upspin.io/user"
)
const (
// AccessFile is the base name of an access control file.
AccessFile = "Access"
// GroupDir is the base name of the directory of group files in the user root.
GroupDir = "Group"
)
const (
// All is a shorthand for AllUsers. Its appearance in a user list
// grants access to everyone who can authenticate to the Upspin system.
// This constant can be used in Access files, but will always be expanded
// to the full name ("all@upspin.io") when returned from Access.Users
// and such.
// If it is present with the Read or "*" rights, it must be the only read write
// explicitly granted. (Another user can have "*" rights.)
// All is not allowed to be present in Group files.
All = "all" // Case is ignored, so "All", "ALL", etc. also work.
// AllUsers is a reserved Upspin name and is not valid in the text of an
// Access file. It is the user name that is substituted for the
// shorthand "all" in a user list. See the comment about All for more
// details. Its appearance in a user list grants access to everyone who
// can authenticate to the Upspin system.
AllUsers upspin.UserName = "all@upspin.io"
)
var (
allBytes = []byte(All)
allUsersBytes = []byte(AllUsers)
allUsersParsed path.Parsed
)
func init() {
var err error
allUsersParsed, err = path.Parse(upspin.PathName(AllUsers))
if err != nil {
panic(err)
}
}
// ErrPermissionDenied is a predeclared error reporting that a permission check has failed.
// It is not used in this package but is commonly used in its clients.
var ErrPermissionDenied = errors.E(errors.Permission)
// A Right represents a particular access permission: reading, writing, etc.
type Right int
// All the Rights constants.
const (
Invalid Right = iota - 1
Read
Write
List
Create
Delete
numRights
AllRights // The superset of rights, written as '*'.
AnyRight // All users holding any right, used from WhichAccess.
)
// rightNames are the names of the rights, in order (and missing invalid).
var rightNames = [][]byte{
[]byte("read"),
[]byte("write"),
[]byte("list"),
[]byte("create"),
[]byte("delete"),
}
// String returns a textual representation of the right.
func (r Right) String() string {
if r == AnyRight {
return "any"
}
if r < 0 || numRights <= r {
return "invalidRight"
}
return string(rightNames[r])
}
var (
// mu controls access to the groups map
mu sync.RWMutex
// groups holds the parsed list of all known groups,
// indexed by group name (joe@blow.com/Group/nerds).
// It is global so multiple Access files can share
// group definitions.
groups = make(map[upspin.PathName][]path.Parsed)
)
// Access represents a parsed Access file.
type Access struct {
// path is parsed path name of the file.
parsed path.Parsed
// owner is the user@domain.com name of the path of the file.
owner upspin.UserName
// domain is the domain.com part of the user name of the path of the file.
domain string
// worldReadable states whether the file is world-readable, that is, has read:all
worldReadable bool
// list holds the lists of parsed user and group names.
// It is indexed by a right.
// Each list is stored in sorted order.
list [numRights][]path.Parsed
// All the lists are concatenated into this single slice, for easy evaluation of the
// "Any" right. That is, the lists above are all subslices of this list.
// Note that this list will be neither sorted nor deduplicated.
allUsers []path.Parsed
}
// Path returns the full path name of the file that was parsed.
func (a *Access) Path() upspin.PathName {
return a.parsed.Path()
}
// Parse parses the contents of the path name, in data, and returns the parsed Access.
func Parse(pathName upspin.PathName, data []byte) (*Access, error) {
const op errors.Op = "access.Parse"
a, parsed, err := newAccess(pathName)
if err != nil {
return nil, err
}
// Temporaries. Pre-allocate so they can be reused in the loop, saving allocations.
rights := make([][]byte, 10)
users := make([][]byte, 10)
s := bufio.NewScanner(bytes.NewReader(data))
numReaders := 0
var userAll []byte
for lineNum := 1; s.Scan(); lineNum++ {
line := clean(s.Bytes())
if len(line) == 0 {
continue
}
// A line is two non-empty comma-separated lists, separated by a colon.
colon := bytes.IndexByte(line, ':')
if colon < 0 {
return nil, errors.E(op, pathName, errors.Invalid, errors.Errorf("no colon on line %d: %q", lineNum, line))
}
// Parse rights and users lists.
rightsText := bytes.TrimSpace(line[:colon]) // TrimSpace for good error messages below.
rights = splitList(rights[:0], rightsText)
if rights == nil {
return nil, errors.E(op, pathName, errors.Invalid, errors.Errorf("invalid rights list on line %d: %q", lineNum, rightsText))
}
usersText := bytes.TrimSpace(line[colon+1:])
users = splitList(users[:0], usersText)
if users == nil {
return nil, errors.E(op, pathName, errors.Invalid, errors.Errorf("invalid users list on line %d: %q", lineNum, usersText))
}
var err error
var all []byte
for _, right := range rights {
switch r := which(right); r {
case AllRights:
for r := Right(0); r < numRights; r++ {
all, err = a.addRight(r, parsed.User(), users)
if all != nil && r == Read {
a.worldReadable = true
userAll = append([]byte(nil), all...)
numReaders++ // We count all as a reader if granted "*" rights.
}
}
case Read:
all, err = a.addRight(r, parsed.User(), users)
if all != nil {
a.worldReadable = true
userAll = append([]byte(nil), all...)
numReaders += len(users)
}
case Write, List, Create, Delete:
_, err = a.addRight(r, parsed.User(), users)
case Invalid:
err = errors.Errorf("invalid access rights on line %d: %q", lineNum, right)
}
if err != nil {
return nil, errors.E(op, pathName, errors.Invalid, err)
}
}
}
if s.Err() != nil {
return nil, s.Err()
}
// How many users in all? Allocate the a.allUsers list in one go.
numUsers := 0
for _, r := range a.list {
numUsers += len(r)
}
a.allUsers = make([]path.Parsed, 0, numUsers)
// Sort the lists, then repack them into the "all" users list.
// It does not remove duplicates.
for i, r := range a.list {
sort.Sort(sliceOfParsed(r))
a.list[i] = a.allUsers[len(a.allUsers) : len(a.allUsers)+len(r)]
a.allUsers = append(a.allUsers, r...)
}
if numReaders > 1 && a.worldReadable {
return nil, errors.E(op, pathName, errors.Invalid, errors.Errorf("%q cannot appear with other users", userAll))
}
return a, nil
}
func (a *Access) addRight(r Right, owner upspin.UserName, users [][]byte) ([]byte, error) {
// Save allocations by doing some pre-emptively.
if a.list[r] == nil {
a.list[r] = make([]path.Parsed, 0, preallocSize(len(users)))
}
var err error
var all []byte
a.list[r], all, err = parsedAppend(a.list[r], owner, users...)
return all, err
}
// New returns a new Access granting the owner of pathName all rights.
// It represents rights equivalent to the those granted to the owner if no Access
// files are present in the owner's tree.
func New(pathName upspin.PathName) (*Access, error) {
a, parsed, err := newAccess(pathName)
if err != nil {
return nil, err
}
// We're being clever here and not parsing a new path just to get the user name from it.
// Just re-use the same one with just the user portion of it set.
userPath := parsed.First(0)
list := []path.Parsed{userPath}
for i := range a.list {
a.list[i] = list
}
return a, nil
}
func newAccess(pathName upspin.PathName) (*Access, path.Parsed, error) {
parsed, err := path.Parse(pathName)
if err != nil {
return nil, parsed, err
}
_, _, domain, err := user.Parse(parsed.User())
// We don't expect an error since it's been parsed, but check anyway.
if err != nil {
return nil, parsed, err
}
a := &Access{
parsed: parsed,
owner: parsed.User(),
domain: domain,
}
return a, parsed, nil
}
// For sorting the lists of paths.
type sliceOfParsed []path.Parsed
func (s sliceOfParsed) Len() int { return len(s) }
func (s sliceOfParsed) Less(i, j int) bool { return s[i].Compare(s[j]) < 0 }
func (s sliceOfParsed) Swap(i, j int) { s[i], s[j] = s[j], s[i] }
func isSpace(b byte) bool {
switch b {
case ' ', '\r', '\f', '\v', '\n', '\t':
return true
default:
return false
}
}
func isSeparator(b byte) bool {
return b == ',' || isSpace(b)
}
// clean takes a line of text and removes comments and starting and leading space.
// It returns an empty slice if nothing is left.
func clean(line []byte) []byte {
// Remove comments.
if index := bytes.IndexByte(line, '#'); index >= 0 {
line = line[:index]
}
// Ignore blank lines.
return bytes.TrimSpace(line)
}
// isAll is a case-insensitive check for "all".
func isAll(user []byte) bool {
// Check for length to be fast. Safe because "all" is ASCII.
return len(user) == len(allBytes) && bytes.EqualFold(user, allBytes)
}
// isAllUsers is a case-insensitive check "all@upspin.io".
func isAllUsers(user []byte) bool {
// Check for length to be fast. Safe because "all@upspin.io" is ASCII.
return len(user) == len(allUsersBytes) && bytes.EqualFold(user, allUsersBytes)
}
// parsedAppend parses the users (as path.Parse values) and appends them to the list.
// The returned byte slice is empty unless "all" is present, in which case the text of
// the provided user name is returned, for use in error messages.
// The check is case-insensitive.
func parsedAppend(list []path.Parsed, owner upspin.UserName, users ...[]byte) ([]path.Parsed, []byte, error) {
var all []byte
for _, user := range users {
// Reject "all@upspin.io" as user input.
if isAllUsers(user) {
return nil, nil, errors.Errorf("reserved user name %q", user)
}
// Case-insensitive check for "all" which we canonicalize to "all@upspin.io".
// We require it to be the only item on the line.
if isAll(user) {
all = user
user = allUsersBytes
}
p, err := path.Parse(upspin.PathName(user) + "/")
if err != nil {
if bytes.IndexByte(user, '@') >= 0 {
// Has user name but doesn't parse: Invalid path.
return nil, nil, err
}
// Is it a badly formed group file?
const groupElem = "/" + GroupDir + "/"
slash := bytes.IndexByte(user, '/')
if slash >= 0 && bytes.Index(user, []byte(groupElem)) == slash {
// Looks like a group file but is missing the user name.
return nil, nil, errors.Errorf("bad user name in group path %q", user)
}
// It has no user name, so it might be a path name for a group file.
p, err = path.Parse(upspin.PathName(owner) + groupElem + upspin.PathName(user))
if err != nil {
return nil, nil, err
}
if err := isValidGroup(p); err != nil {
return nil, nil, err
}
}
// Check group syntax.
if !p.IsRoot() {
if err := isValidGroup(p); err != nil {
return nil, nil, err
}
}
list = append(list, p)
}
return list, all, nil
}
func isValidGroup(p path.Parsed) error {
// First element must be group.
if p.Elem(0) != GroupDir {
return errors.Errorf("illegal group %q", p)
}
// Groups cannot be wild cards.
if strings.HasPrefix(p.String(), "*@") {
return errors.Errorf("cannot have wildcard for group name %q", p)
}
// All name elements must be well-behaved to avoid parsing problems.
for i := 1; i < p.NElem(); i++ { // Element 0 is "Group".
if _, _, err := user.ParseUser(p.Elem(i)); err != nil {
return err
}
}
return nil
}
// splitList parses a comma- or space-separated list, skipping other
// white space. It returns nil
// if the list is badly formed. We avoid bytes.Split because it allocates.
func splitList(list [][]byte, text []byte) [][]byte {
// One comma-, space- or EOF-terminated element per iteration.
for i, j := 0, 0; i < len(text); i = j {
for j = i; j != len(text) && !isSeparator(text[j]); j++ {
}
list = append(list, text[i:j])
// Skip separators, but allow only one comma.
for sawComma := false; j < len(text) && isSeparator(text[j]); j++ {
if text[j] == ',' {
if sawComma {
return nil
}
sawComma = true
}
}
}
if len(list) == 0 {
return nil
}
for i, elem := range list {
elem = bytes.TrimSpace(elem)
if !isPlausibleUserOrGroupName(elem) {
return nil
}
list[i] = elem
}
return list
}
// isPlausibleUserOrGroupName reports whether the name is sane enough to
// possibly be a user name or a group name. Group names can be just a single
// path element, so lacking any better definition we force it to be printable,
// and also free of space, comma, or colon to avoid parsing ambiguities, just
// to be safe. The argument is a byte slice, not a string, which keeps us away
// from the string-based valid and user packages, which could do a better
// job, but they are invoked higher up once we have a string. This function
// is mostly about validating the syntax of Access and Group files.
func isPlausibleUserOrGroupName(name []byte) bool {
if len(name) == 0 {
return false
}
// Need to UTF-8 decode by hand, as name is []byte not string. Don't allocate.
for i, width := 0, 0; i < len(name); i += width {
var r rune
r, width = utf8.DecodeRune(name[i:])
switch {
case r == ':':
return false // Bad syntax: spurious colon in user list.
case width == 1 && isSeparator(byte(r)):
return false // More bad syntax. Shouldn't happen but be careful.
case width == 1 && r == utf8.RuneError:
return false // Bad UTF-8.
case !strconv.IsPrint(r):
return false // Bad character for name.
}
}
return true
}
// toLower lower cases a single character.
func toLower(b byte) byte {
// An old trick: In ASCII the characters line up bitwise so this changes any letter to lower case.
return b | ('a' - 'A')
}
// which reports which right the text represents. Case is ignored and a right may be
// specified by its first letter only. We know that the text is not empty.
func which(right []byte) Right {
if bytes.Equal(right, []byte{'*'}) {
return AllRights
}
for i, c := range right {
right[i] = toLower(c)
}
for r, name := range rightNames {
// Match either a single letter or the exact name.
if len(right) == 1 && right[0] == name[0] || bytes.Equal(right, name) {
return Right(r)
}
}
return Invalid
}
// IsAccessFile reports whether the pathName ends in a file named Access, which is special.
func IsAccessFile(pathName upspin.PathName) bool {
parsed, err := path.Parse(pathName)
if err != nil {
return false
}
// Must end "/Access".
return parsed.NElem() >= 1 && parsed.Elem(parsed.NElem()-1) == AccessFile
}
// IsGroupFile reports whether the pathName contains a directory in the root named Group, which is special.
func IsGroupFile(pathName upspin.PathName) bool {
parsed, err := path.Parse(pathName)
if err != nil {
return false
}
// Need "a@b.c/Group/file", but file can't be Access.
return parsed.NElem() >= 2 && parsed.Elem(0) == GroupDir && parsed.Elem(parsed.NElem()-1) != AccessFile
}
// IsAccessControlFile reports whether the pathName represents a file used for
// access control. At the moment that means either an Access or a Group file.
func IsAccessControlFile(pathName upspin.PathName) bool {
parsed, err := path.Parse(pathName)
if err != nil {
return false
}
nElem := parsed.NElem()
// To be an Access file, must end "/Access".
if nElem >= 1 && parsed.Elem(nElem-1) == AccessFile {
return true
}
// To be a Group file, need "a@b.c/Group/file". Don't worry about Access file; that's already done.
if nElem >= 2 && parsed.Elem(0) == GroupDir {
return true
}
return false
}
// AddGroup installs a group with the specified name and textual contents,
// which should have been read from the group file with that name.
// If the group is already known, its definition is replaced.
func AddGroup(pathName upspin.PathName, contents []byte) error {
parsed, err := path.Parse(pathName)
if err != nil {
return err
}
group, err := ParseGroup(parsed, contents)
if err != nil {
return err
}
mu.Lock()
groups[parsed.Path()] = group
mu.Unlock()
return nil
}
// RemoveGroup undoes the installation of a group added by AddGroup.
// It returns an error if the path is bad or the group is not present.
func RemoveGroup(pathName upspin.PathName) error {
const op errors.Op = "access.RemoveGroup"
parsed, err := path.Parse(pathName)
if err != nil {
return err
}
mu.Lock()
defer mu.Unlock()
if _, found := groups[parsed.Path()]; !found {
return errors.E(op, errors.NotExist, "group does not exist")
}
delete(groups, parsed.Path())
return nil
}
// ParseGroup parses a group file but does not call AddGroup to install it.
func ParseGroup(parsed path.Parsed, contents []byte) (group []path.Parsed, err error) {
const op errors.Op = "access.ParseGroup"
// Temporary. Pre-allocate so it can be reused in the loop, saving allocations.
users := make([][]byte, 10)
s := bufio.NewScanner(bytes.NewReader(contents))
for lineNum := 1; s.Scan(); lineNum++ {
line := clean(s.Bytes())
if len(line) == 0 {
continue
}
users = splitList(users[:0], line)
if users == nil {
return nil, errors.E(op, parsed.Path(), errors.Invalid,
errors.Errorf("syntax error in group file on line %d", lineNum))
}
if group == nil {
group = make([]path.Parsed, 0, preallocSize(len(users)))
}
var all []byte
group, all, err = parsedAppend(group, parsed.User(), users...)
if all != nil {
return nil, errors.E(op, parsed.Path(), errors.Invalid,
errors.Errorf("cannot use user %q in group file on line %d", all, lineNum))
}
if err != nil {
return nil, errors.E(op, parsed.Path(), errors.Invalid,
errors.Errorf("bad group users list on line %d: %v", lineNum, err))
}
}
if s.Err() != nil {
return nil, errors.E(op, errors.IO, s.Err())
}
return group, nil
}
// preallocSize returns a sensible preallocation size for a list that will contain
// at least n users, providing a little headroom.
func preallocSize(n int) int {
switch {
case n > 100:
return n + 20
case n > 10:
return 2 * n
default:
return 16
}
}
// rightGranted returns whether the requester is granted the
// right for the path given the rules of the Access file, and if the answer
// isn't immediately known, the access list to traverse.
func (a *Access) rightGranted(requester upspin.UserName, right Right, pathName upspin.PathName) (bool, []path.Parsed, error) {
isOwner := requester == a.owner
// If user is the owner and the request is for read, list, or any access, access is granted.
if isOwner {
switch right {
case Read, List, AnyRight:
// Owner can always read or list anything in the owner's tree.
return true, nil, nil
}
}
// If the file is an Access or Group file, the owner has full rights always; no one else
// can write it.
if IsAccessControlFile(pathName) {
switch right {
case Write, Create, Delete:
return isOwner, nil, nil
}
}
group, err := a.getListFor(right)
return false, group, err
}
// Can reports whether the requesting user can access the file
// using the specified right according to the rules of the Access
// file. It also interprets the rules that the owner can always
// Read and List, and only the owner can create or modify
// Access and Group files.
//
// The rights are applied to the path itself. For instance, for Create
// the question is whether the user can create the named file, not
// whether the user has Create rights in the directory with that name.
// Similarly, for List the question is whether the user can list the
// status of this file, or if it is a directory, list the contents
// of that directory. It is the caller's responsibility to apply the
// correct Access file to the question, and separately to verify
// issues such as attempts to write to a directory rather than a file.
//
// The method loads Group files as needed by
// calling the provided function to read each file's contents.
//
// If a Group file cannot be loaded or parsed that failure is
// reported only if the requester does not match any names that
// can be found in the Access file or other Group files.
func (a *Access) Can(requester upspin.UserName, right Right, pathName upspin.PathName, load func(upspin.PathName) ([]byte, error)) (bool, error) {
parsedRequester, err := path.Parse(upspin.PathName(requester + "/"))
if err != nil {
return false, err
}
requesterUserName := parsedRequester.User()
_, _, domain, err := user.Parse(requesterUserName)
// We don't expect an error since it's been parsed, but check anyway.
if err != nil {
return false, err
}
granted, group, err := a.rightGranted(requester, right, pathName)
if granted || err != nil {
return granted, err
}
// The groups graph is traversed depth-first, always preferring to check
// loaded groups first.
var groupsToCheck iter
var missing []path.Parsed
var groupErr error
for len(group) > 0 {
// The loop searches lists to find whether the requester is represented
// in the group graph.
granted = inGroup(requesterUserName, domain, group, &groupsToCheck)
if granted {
return true, nil
}
// Until a non-empty group is found, iterate through groupsToCheck,
// checking groups already loaded and deferring the rest.
group = nil
for len(group) == 0 && !groupsToCheck.done() {
parsed := groupsToCheck.next()
var found bool
mu.RLock()
group, found = groups[parsed.Path()]
mu.RUnlock()
if !found {
// Defer check.
missing = append(missing, parsed)
}
}
// If necessary and possible, load another group.
for len(group) == 0 && len(missing) > 0 {
var parsed path.Parsed
parsed, missing = missing[len(missing)-1], missing[:len(missing)-1]
group, err = loadAndAdd(parsed, load)
// TODO issue #489, change to groupErr == nil, so we actually
// return an error. Leaving like this for now, to mimic the
// previous behavior, so the tests in ../dir/server and ../test
// pass.
if err != nil && groupErr != nil {
// Remember first load or parse error.
groupErr = err
}
}
}
return false, groupErr
}
// inGroup reports whether the requester is present in the group, either
// directly, by wildcard, by being the owner of a nested group, or virtually by
// finding the allUsersParsed id in the list. Any nested groups encountered
// before ascertaining an answer get included in the set of groupsToCheck.
func inGroup(requesterUserName upspin.UserName, domain string, group []path.Parsed, groupsToCheck *iter) bool {
for _, member := range group {
memberUserName := member.User()
if member.IsRoot() {
// A user id
// Simple test for AllUsers, granting universal access.
if member == allUsersParsed {
return true
}
if memberUserName == requesterUserName {
return true
}
// Wildcard: The path name *@domain.com matches anyone in domain.
if strings.HasPrefix(string(memberUserName), "*@") && string(memberUserName[2:]) == domain {
return true
}
} else {
// A nested group
if memberUserName == requesterUserName {
// The owner of a group is automatically a member of the group.
// No need to see that the group can even be loaded.
return true
}
groupsToCheck.add(member)
}
}
return false
}
// loadAndAdd returns the group having loaded the file and calling AddGroup on the result.
func loadAndAdd(parsed path.Parsed, load func(upspin.PathName) ([]byte, error)) (group []path.Parsed, err error) {
var data []byte
data, err = load(parsed.Path())
if err == nil {
err = AddGroup(parsed.Path(), data)
if err == nil {
mu.RLock()
group = groups[parsed.Path()]
mu.RUnlock()
}
}
return
}
func (a *Access) getListFor(right Right) ([]path.Parsed, error) {
switch right {
case Read, Write, List, Create, Delete:
return a.list[right], nil
case AnyRight:
return a.allUsers, nil
default:
return nil, errors.Errorf("unrecognized right value %d", right)
}
}
// For sorting the lists of UserNames.
type sliceOfUserName []upspin.UserName
func (s sliceOfUserName) Len() int { return len(s) }
func (s sliceOfUserName) Less(i, j int) bool { return s[i] < s[j] }
func (s sliceOfUserName) Swap(i, j int) { s[i], s[j] = s[j], s[i] }
// List returns the list of users and groups granted the specified right. Unlike
// the Users method, List returns the original unexpanded members from the Access
// file. In particular, groups appear as their original group names rather than as
// the users they represent. The returned values are parsed path names. If they are
// roots, they represent users; otherwise they represent groups. List is useful
// mainly for diagnosing permission problems; the Users method has more quotidian
// uses.
func (a *Access) List(right Right) []path.Parsed {
// Make a copy to avoid the caller modifying the Access struct.
var list []path.Parsed
if right == AnyRight {
list = a.allUsers
} else {
list = a.list[right]
}
if list == nil {
return nil
}
out := make([]path.Parsed, len(list))
copy(out, list)
return out
}
// Users returns the user names granted a given right according to the rules of
// the Access file. It also interprets the rule that the owner can always Read
// and List. Users loads group files as needed by calling the provided function
// to read each file's contents.
func (a *Access) Users(right Right, load func(upspin.PathName) ([]byte, error)) ([]upspin.UserName, error) {
group, err := a.getListFor(right)
if err != nil {
return nil, err
}
userNameSet := make(map[upspin.UserName]struct{})
var groupsToCheck iter
switch right {
case Read, List:
userNameSet[a.owner] = struct{}{}
}
// Loop over all the group lists reachable by traversing the graph rooted
// with the access right given. Every group list can include parsed user
// ids and nested groups. User ids and groups are uniquely tracked. The
// traversal is done when no more new groups are found.
for {
for _, parsed := range group {
// Be it a user or a nested group owner, the group member user is granted the right.
userNameSet[parsed.User()] = struct{}{}
// A nested group bears traversal too.
if !parsed.IsRoot() {
groupsToCheck.add(parsed)
}
}
// Loop done when the transitive closure of group membership has been
// exhausted, that is, when all groups encountered have been expanded.
if groupsToCheck.done() {
break
}
parsed := groupsToCheck.next()
var found bool
mu.RLock()
group, found = groups[parsed.Path()]
mu.RUnlock()
if !found {
group, err = loadAndAdd(parsed, load)
if err != nil {
return nil, err
}
}
}
if len(userNameSet) == 0 {
return nil, nil
}
// Build a slice and then sort it.
userNames := make([]upspin.UserName, 0, len(userNameSet))
for k := range userNameSet {
userNames = append(userNames, k)
}
sort.Sort(sliceOfUserName(userNames))
return userNames, nil
}
// MarshalJSON returns a JSON-encoded representation of this Access struct.
func (a *Access) MarshalJSON() ([]byte, error) {
const op errors.Op = "access.MarshalJSON"
// We need to export a field of Access but we don't want to make it public,
// so we encode it separately.
var buf bytes.Buffer
enc := json.NewEncoder(&buf)
if err := enc.Encode(a.list); err != nil {
return nil, errors.E(op, err)
}
return buf.Bytes(), nil
}
// UnmarshalJSON returns an Access given its path name and its JSON encoding.
func UnmarshalJSON(name upspin.PathName, jsonAccess []byte) (*Access, error) {
const op errors.Op = "access.UnmarshalJSON"
var list [numRights][]path.Parsed
err := json.Unmarshal(jsonAccess, &list)
if err != nil {
return nil, errors.E(op, err)
}
access := &Access{
list: list,
}
access.parsed, err = path.Parse(name)
if err != nil {
return nil, errors.E(op, err)
}
access.owner = access.parsed.User()
_, _, access.domain, err = user.Parse(access.parsed.User())
if err != nil {
return nil, errors.E(op, err)
}
return access, nil
}
// IsReadableByAll reports whether the Access file has read:all or read:all@upspin.io
func (a *Access) IsReadableByAll() bool {
return a.worldReadable
}
// iter implements an iterator over path.Parsed items.
// The iterator allows items to be added during iteration. Duplicate items
// may be added but duplicates are not returned by method next.
type iter struct {
set map[path.Parsed]struct{}
posted []path.Parsed
}
// add will add the path.Parsed item to iterator if it hadn't already been added,
// irrespective of whether the item has already been iterated over.
func (i *iter) add(p path.Parsed) {
if i.set == nil {
i.set = make(map[path.Parsed]struct{})
}
if _, found := i.set[p]; !found {
i.set[p] = struct{}{}
i.posted = append(i.posted, p)
}
}
// done reports when iteration is complete.
func (i *iter) done() bool {
return len(i.posted) == 0
}
// next returns another iteration item.
// Caller should test against being done first.
func (i *iter) next() path.Parsed {
var p path.Parsed
p, i.posted = i.posted[len(i.posted)-1], i.posted[:len(i.posted)-1]
return p
}