-
-
Notifications
You must be signed in to change notification settings - Fork 13
/
internal-functions
executable file
·175 lines (140 loc) · 5.08 KB
/
internal-functions
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
#!/usr/bin/env bash
source "$PLUGIN_CORE_AVAILABLE_PATH/common/functions"
set -eo pipefail
[[ $DOKKU_TRACE ]] && set -x
cmd-acl-report-all() {
declare desc="displays a acl report for one or more apps"
local cmd="acl:report"
local APP="$1" INFO_FLAG="$2"
local INSTALLED_APPS
if [[ -n "$APP" ]] && [[ "$APP" == --* ]]; then
INFO_FLAG="$APP"
APP=""
fi
if [[ -z "$APP" ]] && [[ -z "$INFO_FLAG" ]]; then
INFO_FLAG="true"
fi
if [[ -z "$APP" ]]; then
INSTALLED_APPS=$(dokku_apps)
for app in $INSTALLED_APPS; do
cmd-acl-report-single "$app" "$INFO_FLAG" | tee || true
done
else
cmd-acl-report-single "$APP" "$INFO_FLAG"
fi
}
cmd-acl-report-single() {
declare APP="$1" INFO_FLAG="$2"
if [[ "$INFO_FLAG" == "true" ]]; then
INFO_FLAG=""
fi
verify_app_name "$APP"
local flag_map=(
"--acl-allowed-users: $(ls -1 "$DOKKU_ROOT/$APP/acl" >&2 2>/dev/null || true)"
"--acl-global-allow-command-line: $DOKKU_ACL_ALLOW_COMMAND_LINE"
"--acl-global-super-user: $DOKKU_SUPER_USER"
"--acl-global-user-commands: $DOKKU_ACL_USER_COMMANDS"
"--acl-global-per-app-commands: $DOKKU_ACL_PER_APP_COMMANDS"
)
if [[ -z "$INFO_FLAG" ]]; then
dokku_log_info2_quiet "${APP} acl information"
for flag in "${flag_map[@]}"; do
key="$(echo "${flag#--}" | cut -f1 -d' ' | tr - ' ')"
dokku_log_verbose "$(printf "%-30s %-25s" "${key^}" "${flag#*: }")"
done
else
local match=false
local value_exists=false
for flag in "${flag_map[@]}"; do
valid_flags="${valid_flags} $(echo "$flag" | cut -d':' -f1)"
if [[ "$flag" == "${INFO_FLAG}:"* ]]; then
value=${flag#*: }
size="${#value}"
if [[ "$size" -ne 0 ]]; then
echo "$value" && match=true && value_exists=true
else
match=true
fi
fi
done
[[ "$match" == "true" ]] || dokku_log_fail "Invalid flag passed, valid flags:${valid_flags}"
[[ "$value_exists" == "true" ]] || dokku_log_fail "not deployed"
fi
}
fn-acl-check-app() {
declare APP="$1"
verify_app_name "$APP"
if [[ -n "${NAME:-}" ]]; then
dokku_log_fail "You can only modify ACL using local dokku command on target host"
fi
}
fn-acl-check-service() {
declare SERVICE_TYPE="$1" SERVICE="$2"
local SERVICE_PATH="$DOKKU_LIB_ROOT/services/$SERVICE_TYPE/$SERVICE"
if ! [[ -d $SERVICE_PATH ]]; then
dokku_log_fail "Service $SERVICE of type $SERVICE_TYPE does not exist"
fi
if [[ -n "${NAME:-}" ]]; then
dokku_log_fail "You can only modify ACL using local dokku command on target host"
fi
}
fn-check-app-acl() {
declare desc="Checks if the current user has an ACL entry for the app"
declare APP="$1" SSH_NAME="$2"
local ACL_FILE="$DOKKU_ROOT/$APP/acl/$SSH_NAME"
if ! (verify_app_name "$APP" 2>/dev/null); then
dokku_log_fail "User $SSH_NAME does not have permissions to run $CMD on $APP, or $APP does not exist"
fi
[[ -f "$ACL_FILE" ]] && return 0
dokku_log_fail "User $SSH_NAME does not have permissions to run $CMD on $APP, or $APP does not exist"
}
fn-check-service-acl() {
declare desc="Checks if the current user has an ACL entry for the service"
declare CMD="$1" SERVICE="$2" SSH_NAME="$3"
local SERVICE_TYPE="${CMD%%:*}"
local SERVICE_PATH="$DOKKU_LIB_ROOT/services/$SERVICE_TYPE/$SERVICE"
local ACL_FILE="$SERVICE_PATH/acl/$SSH_NAME"
if ! [[ -d $SERVICE_PATH ]]; then
dokku_log_fail "User $SSH_NAME does not have permissions to run $CMD on $SERVICE, or $SERVICE does not exist"
fi
[[ -f "$ACL_FILE" ]] && return 0
dokku_log_fail "User $SSH_NAME does not have permissions to run $CMD on $SERVICE, or $SERVICE does not exist"
}
fn-check-modify-app-acl() {
declare desc="Checks if the current dokku user is allowed to modify the given app"
declare APP="$1"
local ACL="$DOKKU_ROOT/$APP/acl"
local DOKKU_SUPER_USER="${DOKKU_SUPER_USER:-}"
local DOKKU_ACL_ALLOW_COMMAND_LINE="${DOKKU_ACL_ALLOW_COMMAND_LINE:-}"
if [[ -z "$NAME" ]]; then
# Command line usage doesn't set $NAME.
if [[ -z "$DOKKU_ACL_ALLOW_COMMAND_LINE" ]]; then
# Preserve legacy behaviour by default for safety, even though it's weird.
[[ -z "$DOKKU_SUPER_USER" ]] && exit 0
dokku_log_fail "It appears that you're running this command from the command" \
"line. The \"dokku-acl\" plugin disables this by default for" \
"safety. Please check the \"dokku-acl\" documentation for how" \
"to enable command line usage."
fi
exit 0
fi
if [[ ! -d "$ACL" ]]; then
if [[ -n "$DOKKU_SUPER_USER" ]] && [[ "$NAME" != "$DOKKU_SUPER_USER" ]]; then
dokku_log_fail "Only $DOKKU_SUPER_USER can modify a repository if the ACL is empty"
fi
exit 0 # all good, there are no restrictions
fi
local ACL_FILE="$ACL/$NAME"
if [[ ! -f "$ACL_FILE" ]] && [[ "$NAME" != "$DOKKU_SUPER_USER" ]]; then
echo "User $NAME does not have permissions to modify this repository" >&2
exit 2
fi
}
fn-acl-is-super-user() {
declare desc="check if the specified user is a super user"
declare USERNAME="$1"
if [[ "$USERNAME" == "$DOKKU_SUPER_USER" ]]; then
return
fi
return 1
}