go-pkg/mercury/app/default-rules.go

package app

import (
	"context"
	"strings"

	"go.sour.is/pkg/mercury"
	"go.sour.is/pkg/ident"
)

type mercuryDefault struct {
	name string
	cfg mercury.SpaceMap
}

var (
	_ mercury.GetRules = (*mercuryDefault)(nil)

	_ mercury.GetIndex  = (*mercuryEnviron)(nil)
	_ mercury.GetConfig = (*mercuryEnviron)(nil)
	_ mercury.GetRules  = (*mercuryEnviron)(nil)
)

// GetRules returns default rules for user role.
func (app *mercuryDefault) GetRules(ctx context.Context, id ident.Ident) (lis mercury.Rules, err error) {
	identity := id.Identity()

	lis = append(lis,
		mercury.Rule{
			Role:  "write",
			Type:  "NS",
			Match: "mercury.@" + identity,
		},
		mercury.Rule{
			Role:  "write",
			Type:  "NS",
			Match: "mercury.@" + identity + ".*",
		},
	)

	groups := groups(identity, &app.cfg)

	if s, ok := app.cfg.Space("mercury.policy."+app.name); ok {
		for _, p := range s.List {
			if groups.Has(p.Name) {
				for _, r := range p.Values {
					fds := strings.Fields(r)
					if len(fds) < 3 {
						continue
					}
					lis = append(lis, mercury.Rule{
						Role:  fds[0],
						Type:  fds[1],
						Match: fds[2],
					})
				}
			}
		}
	}

	if u, ok := id.(hasRole); groups.Has("admin") || ok && u.HasRole("admin") {
		lis = append(lis,
			mercury.Rule{
				Role:  "admin",
				Type:  "NS",
				Match: "*",
			},
			mercury.Rule{
				Role:  "write",
				Type:  "NS",
				Match: "*",
			},
			mercury.Rule{
				Role:  "admin",
				Type:  "GR",
				Match: "*",
			},
		)
	} else if u.HasRole("write") {
		lis = append(lis,
			mercury.Rule{
				Role:  "write",
				Type:  "NS",
				Match: "*",
			},
		)
	} else if u.HasRole("read") {
		lis = append(lis,
			mercury.Rule{
				Role:  "read",
				Type:  "NS",
				Match: "*",
			},
		)
	}

	return lis, nil
}
chore: add mercury 2024-01-22 16:00:58 -07:00			`package app`

			`import (`
			`"context"`
			`"strings"`

			`"go.sour.is/pkg/mercury"`
			`"go.sour.is/pkg/ident"`
			`)`

			`type mercuryDefault struct {`
			`name string`
			`cfg mercury.SpaceMap`
			`}`

			`var (`
			`_ mercury.GetRules = (*mercuryDefault)(nil)`

			`_ mercury.GetIndex = (*mercuryEnviron)(nil)`
			`_ mercury.GetConfig = (*mercuryEnviron)(nil)`
			`_ mercury.GetRules = (*mercuryEnviron)(nil)`
			`)`

			`// GetRules returns default rules for user role.`
			`func (app *mercuryDefault) GetRules(ctx context.Context, id ident.Ident) (lis mercury.Rules, err error) {`
			`identity := id.Identity()`

			`lis = append(lis,`
			`mercury.Rule{`
			`Role: "write",`
			`Type: "NS",`
			`Match: "mercury.@" + identity,`
			`},`
			`mercury.Rule{`
			`Role: "write",`
			`Type: "NS",`
			`Match: "mercury.@" + identity + ".*",`
			`},`
			`)`

			`groups := groups(identity, &app.cfg)`

			`if s, ok := app.cfg.Space("mercury.policy."+app.name); ok {`
			`for _, p := range s.List {`
			`if groups.Has(p.Name) {`
			`for _, r := range p.Values {`
			`fds := strings.Fields(r)`
			`if len(fds) < 3 {`
			`continue`
			`}`
			`lis = append(lis, mercury.Rule{`
			`Role: fds[0],`
			`Type: fds[1],`
			`Match: fds[2],`
			`})`
			`}`
			`}`
			`}`
			`}`

			`if u, ok := id.(hasRole); groups.Has("admin") \|\| ok && u.HasRole("admin") {`
			`lis = append(lis,`
			`mercury.Rule{`
			`Role: "admin",`
			`Type: "NS",`
			`Match: "*",`
			`},`
			`mercury.Rule{`
			`Role: "write",`
			`Type: "NS",`
			`Match: "*",`
			`},`
			`mercury.Rule{`
			`Role: "admin",`
			`Type: "GR",`
			`Match: "*",`
			`},`
			`)`
			`} else if u.HasRole("write") {`
			`lis = append(lis,`
			`mercury.Rule{`
			`Role: "write",`
			`Type: "NS",`
			`Match: "*",`
			`},`
			`)`
			`} else if u.HasRole("read") {`
			`lis = append(lis,`
			`mercury.Rule{`
			`Role: "read",`
			`Type: "NS",`
			`Match: "*",`
			`},`
			`)`
			`}`

			`return lis, nil`
			`}`