From 95eb648411d4afe71460d86f3f64cdc7b2207281 Mon Sep 17 00:00:00 2001 From: sigoden Date: Wed, 17 Jan 2024 11:31:26 +0800 Subject: [PATCH] feat: revert supporting for forbidden permission (#352) --- README.md | 6 +++--- src/auth.rs | 29 +++++++++-------------------- src/server.rs | 4 ++-- tests/auth.rs | 17 ----------------- 4 files changed, 14 insertions(+), 42 deletions(-) diff --git a/README.md b/README.md index 1a0c734..dc91502 100644 --- a/README.md +++ b/README.md @@ -222,17 +222,17 @@ Dufs supports account based access control. You can control who can do what on w ``` dufs -a admin:admin@/:rw -a guest:guest@/ -dufs -a user:pass@/:rw,/dir1,/dir2:- -a @/ +dufs -a user:pass@/:rw,/dir1 -a @/ ``` 1. Use `@` to separate the account and paths. No account means anonymous user. 2. Use `:` to separate the username and password of the account. 3. Use `,` to separate paths. -4. Use path suffix `:rw`, `:ro`, `:-` to set permissions: `read-write`, `read-only`, `forbidden`. `:ro` can be omitted. +4. Use path suffix `:rw`/`:ro` set permissions: `read-write`/`read-only`. `:ro` can be omitted. - `-a admin:admin@/:rw`: `admin` has complete permissions for all paths. - `-a guest:guest@/`: `guest` has read-only permissions for all paths. -- `-a user:pass@/:rw,/dir1,/dir2:-`: `user` has read-write permissions for `/*`, has read-only permissions for `/dir1/*`, but is fordden for `/dir2/*`. +- `-a user:pass@/:rw,/dir1`: `user` has read-write permissions for `/*`, has read-only permissions for `/dir1/*`. - `-a @/`: All paths is publicly accessible, everyone can view/download it. > There are no restrictions on using ':' and '@' characters in a password. For example, `user:pa:ss@1@/:rw` is valid, the password is `pa:ss@1`. diff --git a/src/auth.rs b/src/auth.rs index 937dc3e..44dc345 100644 --- a/src/auth.rs +++ b/src/auth.rs @@ -147,7 +147,7 @@ impl AccessPaths { } pub fn set_perm(&mut self, perm: AccessPerm) { - if !perm.inherit() { + if !perm.indexonly() { self.perm = perm; } } @@ -158,7 +158,6 @@ impl AccessPaths { None => (item, AccessPerm::ReadOnly), Some((path, "ro")) => (path, AccessPerm::ReadOnly), Some((path, "rw")) => (path, AccessPerm::ReadWrite), - Some((path, "-")) => (path, AccessPerm::Forbidden), _ => return None, }; self.add(path, perm); @@ -193,9 +192,6 @@ impl AccessPaths { .filter(|v| !v.is_empty()) .collect(); let target = self.find_impl(&parts, self.perm)?; - if target.perm().forbidden() { - return None; - } if writable && !target.perm().readwrite() { return None; } @@ -203,13 +199,13 @@ impl AccessPaths { } fn find_impl(&self, parts: &[&str], perm: AccessPerm) -> Option { - let perm = if !self.perm.inherit() { + let perm = if !self.perm.indexonly() { self.perm } else { perm }; if parts.is_empty() { - if perm.inherit() { + if perm.indexonly() { return Some(self.clone()); } else { return Some(AccessPaths::new(perm)); @@ -218,7 +214,7 @@ impl AccessPaths { let child = match self.children.get(parts[0]) { Some(v) => v, None => { - if perm.inherit() { + if perm.indexonly() { return None; } else { return Some(AccessPaths::new(perm)); @@ -233,7 +229,7 @@ impl AccessPaths { } pub fn child_paths(&self, base: &Path) -> Vec { - if !self.perm().inherit() { + if !self.perm().indexonly() { return vec![base.to_path_buf()]; } let mut output = vec![]; @@ -244,7 +240,7 @@ impl AccessPaths { fn child_paths_impl(&self, output: &mut Vec, base: &Path) { for (name, child) in self.children.iter() { let base = base.join(name); - if child.perm().inherit() { + if child.perm().indexonly() { child.child_paths_impl(output, &base); } else { output.push(base) @@ -256,24 +252,19 @@ impl AccessPaths { #[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Default)] pub enum AccessPerm { #[default] - Inherit, + IndexOnly, ReadOnly, ReadWrite, - Forbidden, } impl AccessPerm { - pub fn inherit(&self) -> bool { - self == &AccessPerm::Inherit + pub fn indexonly(&self) -> bool { + self == &AccessPerm::IndexOnly } pub fn readwrite(&self) -> bool { self == &AccessPerm::ReadWrite } - - pub fn forbidden(&self) -> bool { - self == &AccessPerm::Forbidden - } } pub fn www_authenticate(res: &mut Response, args: &Args) -> Result<()> { @@ -576,7 +567,6 @@ mod tests { paths.add("/dir1", AccessPerm::ReadWrite); paths.add("/dir2/dir21", AccessPerm::ReadWrite); paths.add("/dir2/dir21/dir211", AccessPerm::ReadOnly); - paths.add("/dir2/dir21/dir212", AccessPerm::Forbidden); paths.add("/dir2/dir22", AccessPerm::ReadOnly); paths.add("/dir2/dir22/dir221", AccessPerm::ReadWrite); paths.add("/dir2/dir23/dir231", AccessPerm::ReadWrite); @@ -621,6 +611,5 @@ mod tests { Some(AccessPaths::new(AccessPerm::ReadOnly)) ); assert_eq!(paths.find("dir2/dir21/dir211/file", true), None); - assert_eq!(paths.find("dir2/dir21/dir212", false), None); } } diff --git a/src/server.rs b/src/server.rs index 72d8cef..965da88 100644 --- a/src/server.rs +++ b/src/server.rs @@ -375,7 +375,7 @@ impl Server { "PROPFIND" => { if is_dir { let access_paths = - if access_paths.perm().inherit() && authorization.is_none() { + if access_paths.perm().indexonly() && authorization.is_none() { // see https://github.com/sigoden/dufs/issues/229 AccessPaths::new(AccessPerm::ReadOnly) } else { @@ -1230,7 +1230,7 @@ impl Server { access_paths: AccessPaths, ) -> Result> { let mut paths: Vec = vec![]; - if access_paths.perm().inherit() { + if access_paths.perm().indexonly() { for name in access_paths.child_names() { let entry_path = entry_path.join(name); self.add_pathitem(&mut paths, base_path, &entry_path).await; diff --git a/tests/auth.rs b/tests/auth.rs index 97a4d12..4b0750a 100644 --- a/tests/auth.rs +++ b/tests/auth.rs @@ -144,23 +144,6 @@ fn auth_readonly( Ok(()) } -#[rstest] -fn auth_forbidden( - #[with(&["--auth", "user:pass@/:rw,/dir1:-", "-A"])] server: TestServer, -) -> Result<(), Error> { - let url = format!("{}file1", server.url()); - let resp = fetch!(b"PUT", &url) - .body(b"abc".to_vec()) - .send_with_digest_auth("user", "pass")?; - assert_eq!(resp.status(), 201); - let url = format!("{}dir1/file1", server.url()); - let resp = fetch!(b"PUT", &url) - .body(b"abc".to_vec()) - .send_with_digest_auth("user", "pass")?; - assert_eq!(resp.status(), 403); - Ok(()) -} - #[rstest] fn auth_nest( #[with(&["--auth", "user:pass@/:rw", "--auth", "user2:pass2@/", "--auth", "user3:pass3@/dir1:rw", "-A"])]