2014-08-13 20:28:28 +04:00
|
|
|
// This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
|
// License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
|
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
|
|
//
|
|
|
|
// Contributor: Julien Vehent jvehent@mozilla.com [:ulfr]
|
2015-08-27 17:41:13 +03:00
|
|
|
|
2015-08-26 21:15:40 +03:00
|
|
|
package mig /* import "mig.ninja/mig" */
|
2014-04-09 19:27:22 +04:00
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
"strings"
|
|
|
|
)
|
|
|
|
|
|
|
|
type ACL []Permission
|
|
|
|
|
|
|
|
type Permission map[string]struct {
|
2014-04-15 03:43:12 +04:00
|
|
|
MinimumWeight int
|
2014-04-03 19:42:01 +04:00
|
|
|
Investigators map[string]struct {
|
2014-04-15 03:43:12 +04:00
|
|
|
Fingerprint string
|
2014-04-03 19:42:01 +04:00
|
|
|
Weight int
|
2014-04-15 03:43:12 +04:00
|
|
|
}
|
2014-04-09 19:27:22 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
// verifyPermission controls that the PGP keys, identified by their fingerprints, that
|
|
|
|
// signed an operation are sufficient to allow this operation to run
|
2014-04-17 07:44:55 +04:00
|
|
|
func verifyPermission(operation Operation, permName string, perm Permission, fingerprints []string) (err error) {
|
2014-04-15 03:43:12 +04:00
|
|
|
if perm[permName].MinimumWeight < 1 {
|
2014-04-09 19:27:22 +04:00
|
|
|
return fmt.Errorf("Invalid permission '%s'. Must require at least 1 signature, has %d",
|
2014-04-15 03:43:12 +04:00
|
|
|
permName, perm[permName].MinimumWeight)
|
2014-04-09 19:27:22 +04:00
|
|
|
}
|
2016-09-25 04:42:24 +03:00
|
|
|
var seenFp []string
|
2014-04-15 03:43:12 +04:00
|
|
|
signaturesWeight := 0
|
2014-04-09 19:27:22 +04:00
|
|
|
for _, fp := range fingerprints {
|
2016-09-25 04:42:24 +03:00
|
|
|
// if the same key is used to sign multiple times, return an error
|
|
|
|
for _, seen := range seenFp {
|
|
|
|
if seen == fp {
|
|
|
|
return fmt.Errorf("Permission violation: key id '%s' used to sign multiple times.", fp)
|
|
|
|
}
|
|
|
|
}
|
2014-04-15 03:43:12 +04:00
|
|
|
for _, signer := range perm[permName].Investigators {
|
|
|
|
if strings.ToUpper(fp) == strings.ToUpper(signer.Fingerprint) {
|
|
|
|
signaturesWeight += signer.Weight
|
2014-04-09 19:27:22 +04:00
|
|
|
}
|
|
|
|
}
|
2016-09-25 04:42:24 +03:00
|
|
|
seenFp = append(seenFp, fp)
|
2014-04-09 19:27:22 +04:00
|
|
|
}
|
2014-04-15 03:43:12 +04:00
|
|
|
if signaturesWeight < perm[permName].MinimumWeight {
|
|
|
|
return fmt.Errorf("Permission denied for operation '%s'. Insufficient signatures weight. Need %d, got %d",
|
|
|
|
operation.Module, perm[permName].MinimumWeight, signaturesWeight)
|
2014-04-09 19:27:22 +04:00
|
|
|
}
|
|
|
|
return
|
|
|
|
}
|