Auth: Add "instance" and "service" roles, fix entity/auth_client.go #98

Signed-off-by: Michael Mayer <[email protected]>

Author: lastzero

internal/auth/acl/const.go

@@ -2,16 +2,17 @@ package acl
 
 // Roles that can be granted Permissions to use a Resource.
 const (
-	RoleDefault Role = "default"
-	RoleAdmin   Role = "admin"
-	RoleUser    Role = "user"
-	RoleViewer  Role = "viewer"
-	RoleGuest   Role = "guest"
-	RoleVisitor Role = "visitor"
-	RoleNode    Role = "node"
-	RolePortal  Role = "portal"
-	RoleClient  Role = "client"
-	RoleNone    Role = ""
+	RoleDefault  Role = "default"
+	RoleAdmin    Role = "admin"
+	RoleUser     Role = "user"
+	RoleViewer   Role = "viewer"
+	RoleGuest    Role = "guest"
+	RoleVisitor  Role = "visitor"
+	RoleInstance Role = "instance"
+	RoleService  Role = "service"
+	RolePortal   Role = "portal"
+	RoleClient   Role = "client"
+	RoleNone     Role = ""
 )
 
 // Permissions to use a Resource that can be granted to a Role.

internal/auth/acl/grant.go

@@ -154,12 +154,13 @@ var (
 
 // GrantDefaults defines default grants for all supported roles.
 var GrantDefaults = Roles{
-	RoleAdmin:   GrantFullAccess,
-	RoleGuest:   GrantReactShared,
-	RoleVisitor: GrantViewShared,
-	RoleNode:    GrantSearchShared,
-	RolePortal:  GrantFullAccess,
-	RoleClient:  GrantFullAccess,
+	RoleAdmin:    GrantFullAccess,
+	RoleGuest:    GrantReactShared,
+	RoleVisitor:  GrantViewShared,
+	RoleInstance: GrantSearchShared,
+	RoleService:  GrantSearchShared,
+	RolePortal:   GrantFullAccess,
+	RoleClient:   GrantFullAccess,
 }
 
 // Allow checks if this Grant includes the specified Permission.

internal/auth/acl/roles.go

@@ -18,11 +18,12 @@ var UserRoles = RoleStrings{
 
 // ClientRoles maps valid API client roles.
 var ClientRoles = RoleStrings{
-	string(RoleAdmin):  RoleAdmin,
-	string(RoleNode):   RoleNode,
-	string(RolePortal): RolePortal,
-	string(RoleClient): RoleClient,
-	string(RoleNone):   RoleNone,
+	string(RoleAdmin):    RoleAdmin,
+	string(RoleInstance): RoleInstance,
+	string(RoleService):  RoleService,
+	string(RolePortal):   RolePortal,
+	string(RoleClient):   RoleClient,
+	string(RoleNone):     RoleNone,
 }
 
 // Strings returns the roles as string slice.

internal/auth/acl/rules.go

@@ -44,12 +44,13 @@ var Rules = ACL{
 		RoleClient: GrantFullAccess,
 	},
 	ResourcePlaces: Roles{
-		RoleAdmin:   GrantFullAccess,
-		RoleGuest:   GrantReactShared,
-		RoleVisitor: GrantViewShared,
-		RoleNode:    GrantUseOwn,
-		RolePortal:  GrantUseOwn,
-		RoleClient:  GrantFullAccess,
+		RoleAdmin:    GrantFullAccess,
+		RoleGuest:    GrantReactShared,
+		RoleVisitor:  GrantViewShared,
+		RoleInstance: GrantUseOwn,
+		RoleService:  GrantUseOwn,
+		RolePortal:   GrantUseOwn,
+		RoleClient:   GrantFullAccess,
 	},
 	ResourceLabels: Roles{
 		RoleAdmin:  GrantFullAccess,
@@ -82,11 +83,12 @@ var Rules = ACL{
 		RoleGuest:  GrantUpdateOwn,
 	},
 	ResourceUsers: Roles{
-		RoleAdmin:  GrantManageOwn,
-		RoleGuest:  GrantViewUpdateOwn,
-		RoleNode:   GrantViewOwn,
-		RolePortal: GrantFullAccess,
-		RoleClient: GrantViewOwn,
+		RoleAdmin:    GrantManageOwn,
+		RoleGuest:    GrantViewUpdateOwn,
+		RoleInstance: GrantViewOwn,
+		RoleService:  GrantViewOwn,
+		RolePortal:   GrantFullAccess,
+		RoleClient:   GrantViewOwn,
 	},
 	ResourceSessions: Roles{
 		RoleAdmin:   GrantManageOwn,
@@ -112,30 +114,34 @@ var Rules = ACL{
 		RoleClient: GrantPublishOwn,
 	},
 	ResourceMetrics: Roles{
-		RoleAdmin:  GrantFullAccess,
-		RoleNode:   GrantNone,
-		RolePortal: GrantViewAll,
-		RoleClient: GrantViewAll,
+		RoleAdmin:    GrantFullAccess,
+		RoleInstance: GrantNone,
+		RoleService:  GrantViewAll,
+		RolePortal:   GrantViewAll,
+		RoleClient:   GrantViewAll,
 	},
 	ResourceVision: Roles{
-		RoleAdmin:  GrantFullAccess,
-		RoleNode:   GrantUseOwn,
-		RolePortal: GrantUseOwn,
-		RoleClient: GrantUseOwn,
+		RoleAdmin:    GrantFullAccess,
+		RoleInstance: GrantUseOwn,
+		RoleService:  GrantUseOwn,
+		RolePortal:   GrantUseOwn,
+		RoleClient:   GrantUseOwn,
 	},
 	ResourceCluster: Roles{
-		RoleAdmin:  GrantFullAccess,
-		RoleNode:   GrantSearchDownloadUpdateOwn,
-		RolePortal: GrantFullAccess,
-		RoleClient: GrantSearchDownloadUpdateOwn,
+		RoleAdmin:    GrantFullAccess,
+		RoleInstance: GrantSearchDownloadUpdateOwn,
+		RoleService:  GrantSearchDownloadUpdateOwn,
+		RolePortal:   GrantFullAccess,
+		RoleClient:   GrantSearchDownloadUpdateOwn,
 	},
 	ResourceFeedback: Roles{
 		RoleAdmin: GrantFullAccess,
 	},
 	ResourceDefault: Roles{
-		RoleAdmin:  GrantFullAccess,
-		RoleNode:   GrantNone,
-		RolePortal: GrantNone,
-		RoleClient: GrantNone,
+		RoleAdmin:    GrantFullAccess,
+		RoleInstance: GrantNone,
+		RoleService:  GrantNone,
+		RolePortal:   GrantNone,
+		RoleClient:   GrantNone,
 	},
 }

internal/commands/clients.go

@@ -23,7 +23,7 @@ const (
 	ClientRegenerateSecret = "set a new randomly generated client secret"
 	ClientEnable           = "enable client authentication if disabled"
 	ClientDisable          = "disable client authentication"
-	ClientSecretInfo       = "\nPLEASE WRITE DOWN THE %s CLIENT SECRET, AS YOU WILL NOT BE ABLE TO SEE IT AGAIN:\n"
+	ClientSecretInfo       = "\nPLEASE WRITE DOWN THE %s CLIENT SECRET, AS YOU WILL NOT BE ABLE TO SEE IT AGAIN:"
 )
 
 var (

internal/entity/auth_client.go

@@ -540,6 +540,7 @@ func (m *Client) SetFormValues(frm form.Client) *Client {
 
 	// Set values from form.
 	m.SetName(frm.Name())
+	m.SetRole(frm.Role())
 	m.SetProvider(frm.Provider())
 	m.SetMethod(frm.Method())
 	m.SetScope(frm.Scope())