@xen-orchestra/acl 1.0.0
- package/dist/actions/acl-privilege.d.mts +12 -0
- package/dist/actions/acl-privilege.mjs +11 -0
- package/dist/actions/acl-role.d.mts +12 -0
- package/dist/actions/acl-role.mjs +11 -0
- package/dist/actions/alarm.d.mts +4 -0
- package/dist/actions/alarm.mjs +3 -0
- package/dist/actions/backup-archive.d.mts +4 -0
- package/dist/actions/backup-archive.mjs +3 -0
- package/dist/actions/backup-job.d.mts +4 -0
- package/dist/actions/backup-job.mjs +3 -0
- package/dist/actions/backup-log.d.mts +4 -0
- package/dist/actions/backup-log.mjs +3 -0
- package/dist/actions/backup-repository.d.mts +4 -0
- package/dist/actions/backup-repository.mjs +3 -0
- package/dist/actions/gpuGroup.d.mts +4 -0
- package/dist/actions/gpuGroup.mjs +3 -0
- package/dist/actions/group.d.mts +10 -0
- package/dist/actions/group.mjs +9 -0
- package/dist/actions/host.d.mts +11 -0
- package/dist/actions/host.mjs +10 -0
- package/dist/actions/index.d.mts +225 -0
- package/dist/actions/index.mjs +79 -0
- package/dist/actions/message.d.mts +4 -0
- package/dist/actions/message.mjs +3 -0
- package/dist/actions/network.d.mts +9 -0
- package/dist/actions/network.mjs +8 -0
- package/dist/actions/pbd.d.mts +4 -0
- package/dist/actions/pbd.mjs +3 -0
- package/dist/actions/pci.d.mts +4 -0
- package/dist/actions/pci.mjs +3 -0
- package/dist/actions/pgpu.d.mts +4 -0
- package/dist/actions/pgpu.mjs +3 -0
- package/dist/actions/pif.d.mts +4 -0
- package/dist/actions/pif.mjs +3 -0
- package/dist/actions/pool.d.mts +14 -0
- package/dist/actions/pool.mjs +13 -0
- package/dist/actions/proxy.d.mts +4 -0
- package/dist/actions/proxy.mjs +3 -0
- package/dist/actions/restore-log.d.mts +4 -0
- package/dist/actions/restore-log.mjs +3 -0
- package/dist/actions/schedule.d.mts +5 -0
- package/dist/actions/schedule.mjs +4 -0
- package/dist/actions/server.d.mts +8 -0
- package/dist/actions/server.mjs +7 -0
- package/dist/actions/sm.d.mts +4 -0
- package/dist/actions/sm.mjs +3 -0
- package/dist/actions/sr.d.mts +11 -0
- package/dist/actions/sr.mjs +10 -0
- package/dist/actions/task.d.mts +6 -0
- package/dist/actions/task.mjs +5 -0
- package/dist/actions/user.d.mts +12 -0
- package/dist/actions/user.mjs +11 -0
- package/dist/actions/vbd.d.mts +4 -0
- package/dist/actions/vbd.mjs +3 -0
- package/dist/actions/vdi-snapshot.d.mts +4 -0
- package/dist/actions/vdi-snapshot.mjs +3 -0
- package/dist/actions/vdi-unmanaged.d.mts +4 -0
- package/dist/actions/vdi-unmanaged.mjs +3 -0
- package/dist/actions/vdi.d.mts +12 -0
- package/dist/actions/vdi.mjs +11 -0
- package/dist/actions/vgpu.d.mts +4 -0
- package/dist/actions/vgpu.mjs +3 -0
- package/dist/actions/vgpuType.d.mts +4 -0
- package/dist/actions/vgpuType.mjs +3 -0
- package/dist/actions/vif.d.mts +5 -0
- package/dist/actions/vif.mjs +4 -0
- package/dist/actions/vm-controller.d.mts +7 -0
- package/dist/actions/vm-controller.mjs +6 -0
- package/dist/actions/vm-snapshot.d.mts +9 -0
- package/dist/actions/vm-snapshot.mjs +8 -0
- package/dist/actions/vm-template.d.mts +10 -0
- package/dist/actions/vm-template.mjs +9 -0
- package/dist/actions/vm.d.mts +24 -0
- package/dist/actions/vm.mjs +23 -0
- package/dist/actions/vtpm.d.mts +4 -0
- package/dist/actions/vtpm.mjs +3 -0
- package/dist/class/privilege.d.mts +25 -0
- package/dist/class/privilege.mjs +76 -0
- package/dist/generated/privilege-types.d.mts +378 -0
- package/dist/generated/privilege-types.mjs +5 -0
- package/dist/index.d.mts +40 -0
- package/dist/index.mjs +97 -0
- package/dist/tests/acl.test.d.mts +1 -0
- package/package.json +47 -0
- package/scripts/generate-types.mjs +55 -0
- package/tsconfig.json +19 -0
|
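--- a/package/dist/actions/vm.d.mts
+++ b/package/dist/actions/vm.d.mts
@@ -0,0 +1,24 @@
+declare const _default: {
+delete: boolean;
+export: boolean;
+pause: boolean;
+read: boolean;
+reboot: {
+clean: boolean;
+hard: boolean;
+};
+resume: boolean;
+shutdown: {
+clean: boolean;
+hard: boolean;
+};
+snapshot: boolean;
+start: boolean;
+suspend: boolean;
+unpause: boolean;
+update: {
+datasources: boolean;
+tags: boolean;
+};
+};
+export default _default;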
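--- a/package/dist/actions/vm.mjs
+++ b/package/dist/actions/vm.mjs
@@ -0,0 +1,23 @@
+export default {
+delete: true,
+export: true,
+pause: true,
+read: true,
+reboot: {
+clean: true,
+hard: true,
+},
+resume: true,
+shutdown: {
+clean: true,
+hard: true,
+},
+snapshot: true,
+start: true,
+suspend: true,
+unpause: true,
+update: {
+datasources: true,
+tags: true,
+},
+};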
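--- a/package/dist/class/privilege.d.mts
+++ b/package/dist/class/privilege.d.mts
@@ -0,0 +1,25 @@
+import type { XoAclPrivilege, XoAclSupportedActions, XoAclSupportedResource } from '@vates/types/lib/xen-orchestra/acl';
+import { SUPPORTED_ACTIONS_BY_RESOURCE } from '../actions/index.mjs';
+export type SupportedActionsByResource = typeof SUPPORTED_ACTIONS_BY_RESOURCE;
+export type SupportedResource = XoAclSupportedResource<SupportedActionsByResource>;
+export type SupportedActions<T extends SupportedResource> = XoAclSupportedActions<SupportedActionsByResource, T>;
+export type TPrivilege<T extends SupportedResource> = XoAclPrivilege<SupportedActionsByResource, T>;
+export declare class Privilege<T extends SupportedResource> {
+#private;
+constructor({ action, selector, resource, effect, }: {
+action: TPrivilege<T>['action'];
+selector?: TPrivilege<T>['selector'];
+resource: TPrivilege<T>['resource'];
+effect: TPrivilege<T>['effect'];
+});
+get effect(): "allow" | "deny";
+match<Resource extends SupportedResource = T>(constraint: {
+action: SupportedActions<Resource>;
+resource: Resource;
+object: object;
+}): boolean;
+/**
+* Throw if action not supported
+*/
+static checkActionIsValid<T extends SupportedResource>(resource: T, action: SupportedActions<T>): void;
+}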
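--- a/package/dist/class/privilege.mjs
+++ b/package/dist/class/privilege.mjs
@@ -0,0 +1,76 @@
+import * as CM from 'complex-matcher';
+import { SUPPORTED_ACTIONS_BY_RESOURCE } from '../actions/index.mjs';
+export class Privilege {
+#action;
+#selector;
+#resource;
+#effect;
+constructor({ action, selector, resource, effect, }) {
+Privilege.checkActionIsValid(resource, action);
+this.#action = action;
+this.#selector = selector !== undefined ? CM.parse(selector).createPredicate() : undefined;
+this.#resource = resource;
+this.#effect = effect;
+}
+get effect() {
+return this.#effect;
+}
+#matchAction(action) {
+// read:name_label - read:name_label
+if (this.#action === action) {
+return true;
+}
+const [namespaceToMatch, actionToMatch] = action.split(':');
+const [thisNamespace, thisAction] = this.#action.split(':');
+if (thisNamespace === '*') {
+return true;
+}
+// update:vm - read:name_label
+if (thisNamespace !== namespaceToMatch) {
+return false;
+}
+// read - read:name_label
+if (thisAction === undefined) {
+return true;
+}
+// read:name_decription - read:name_label
+if (thisAction !== actionToMatch) {
+return false;
+}
+throw new Error(`Unable to verify if ${this.#action} match ${action} `);
+}
+#matchSelector(object) {
+if (this.#selector === undefined) {
+return true;
+}
+return this.#selector(object);
+}
+#matchResource(resource) {
+return resource === this.#resource;
+}
+match(constraint) {
+return (this.#matchResource(constraint.resource) &&
+this.#matchAction(constraint.action) &&
+this.#matchSelector(constraint.object));
+}
+/**
+* Throw if action not supported
+*/
+static checkActionIsValid(resource, action) {
+const supportedActions = SUPPORTED_ACTIONS_BY_RESOURCE[resource];
+if (supportedActions === undefined) {
+throw new Error(`${resource} resource not supported`);
+}
+if (action === '*') {
+return;
+}
+const segments = action.split(':');
+let _action = undefined;
+segments.forEach(segment => {
+_action = (_action ?? supportedActions)[segment];
+if (_action === undefined) {
+throw new Error(`${action} action not supported for the resource: ${resource}. See ${JSON.stringify(supportedActions)}`);
+}
+});
+}
+}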
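Review bot: `checkActionIsValid` validates with plain property lookups (`SUPPORTED_ACTIONS_BY_RESOURCE[resource]` and `(_action ?? supportedActions)[segment]`), so a name inherited from `Object.prototype`, such as `constructor` or `toString`, resolves to a defined value and is accepted as a supported resource or action segment; this assumes the tables are ordinary object literals like the one in `actions/vm.mjs`, since `actions/index.mjs` is not shown here. An own-property check closes that gap: `if (!Object.hasOwn(SUPPORTED_ACTIONS_BY_RESOURCE, resource)) throw …` for the resource, and in the loop `const node = _action ?? supportedActions; _action = Object.hasOwn(node, segment) ? node[segment] : undefined;`. Separately, `#matchAction` destructures only the first two `:`-separated segments and ends in `throw`, so `match()` raises instead of returning `false` when two actions agree on those segments but differ in depth, while `checkActionIsValid` accepts any depth. For an allow/deny evaluation that path should either return `false` or be documented on `match()` so callers fail closed deliberately. This is compiled output, so both changes belong in the TypeScript source.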