feat: app's default policy follows system's policy
liuyu committed Aug 14, 2024
1 parent b3f4b90 commit 988a34a
Showing 3 changed files with 20 additions and 2 deletions.
4 changes: 4 additions & 0 deletions internal/authorization/const.go
Expand Up @@ -19,6 +19,9 @@ const (

// Denied denied level.
Denied

// System follow system's level
System
)

const (
Expand All @@ -32,6 +35,7 @@ const (
twoFactor = "two_factor"
deny = "deny"
public = "public"
system = "system"
)

const (
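Review bot: The new `System` constant is appended after `Denied` in what appears to be an iota-ordered `Level` enumeration (the `const (` header sits above the hunk), so any code that ranks levels by numeric comparison would now treat System as the strictest level instead of as a placeholder still to be resolved; worth confirming that no such comparison can see an unresolved System. The doc comment is also ungrammatical and does not say that the value is not enforceable on its own: `// System is a placeholder meaning "use the system-wide level"; it must be resolved to a concrete Level before enforcement.` The enclosing const block starts before the hunk.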
16 changes: 14 additions & 2 deletions internal/authorization/ts_app_authorizer.go
Expand Up @@ -346,6 +346,9 @@ func (t *TsAuthorizer) addDesktopRules(ctx context.Context, username, domain str
userAuth.desktopPolicy = NewLevel(policy)
}

// apps follow system level
userAuth.appDefaultPolicy = userAuth.defaultPolicy

position := len(rules)

// if !userAuth.userIsIniting {
Expand Down Expand Up @@ -513,6 +516,15 @@ func (t *TsAuthorizer) getAppRules(position int, app *application.Application,
continue
}

getLevel := func(policy string) Level {
switch policy {
case system:
return userAuth.appDefaultPolicy
default:
return NewLevel(policy)
}
}

if policy.SubPolicies != nil {
for _, sp := range policy.SubPolicies {
// t.log.Debugf("add app %s rules %s on resource %s", app.Spec.Name, sp.Policy, sp.URI)
Expand All @@ -527,7 +539,7 @@ func (t *TsAuthorizer) getAppRules(position int, app *application.Application,

rule := &AccessControlRule{
Position: position,
Policy: NewLevel(sp.Policy),
Policy: getLevel(sp.Policy),
OneTimeValid: sp.OneTime,
ValidDuration: time.Duration(sp.Duration) * time.Second,
}
Expand All @@ -545,7 +557,7 @@ func (t *TsAuthorizer) getAppRules(position int, app *application.Application,
othersResources := []regexp.Regexp{*othersExp}

if entrance.AuthLevel != "public" {
defaulPolicy = NewLevel(policy.DefaultPolicy)
defaulPolicy = getLevel(policy.DefaultPolicy)
}

ruleOthers := &AccessControlRule{
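Review bot: `getLevel` returns `userAuth.appDefaultPolicy` for `system`, but nothing in the hunk guarantees that value is itself concrete: `NewLevel` (util.go in this same commit) now maps "system" to `System`, and `appDefaultPolicy` is copied from `userAuth.defaultPolicy` in addDesktopRules, so if the user's default policy string is "system" the closure hands the unresolved `System` marker to the `AccessControlRule` being built. A fail-closed guard keeps the marker out of enforcement: `case system:` / `if userAuth.appDefaultPolicy == System { return Denied }` / `return userAuth.appDefaultPolicy`. The same concern applies to the zero value of `Level` should getAppRules ever run before addDesktopRules has assigned appDefaultPolicy — the call order is not visible from these hunks, so please confirm. As a point of style, the closure is declared inside the loop body just after the `continue` and is rebuilt on every iteration; hoisting it above the loop avoids that. Both enclosing functions extend beyond the hunks.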
2 changes: 2 additions & 0 deletions internal/authorization/util.go
Expand Up @@ -24,6 +24,8 @@ func NewLevel(policy string) Level {
return TwoFactor
case deny:
return Denied
case system:
return System
}
// By default the deny policy applies.
return Denied
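Review bot: `NewLevel` now returns the `System` marker for "system", yet not every caller resolves it — `userAuth.desktopPolicy = NewLevel(policy)` in the addDesktopRules hunk of ts_app_authorizer.go still calls it directly, so a desktop policy configured as "system" would reach enforcement as System rather than as a concrete level. Either route that caller through the same resolution or state the contract on the function: `// NewLevel maps a policy string to its Level. "system" yields the System marker, which callers must resolve to a concrete level before enforcement; unrecognised strings deny.` The switch starts above the hunk.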

0 comments on commit 988a34a

Please sign in to comment.