mirror of
https://github.com/HeyPuter/puter.git
synced 2026-01-09 14:41:50 -06:00
dev: add access token permission scanner
This commit is contained in:
KernelDeimos
@@ -23,7 +23,7 @@ const {
|
||||
hardcoded_user_group_permissions,
|
||||
} = require("../data/hardcoded-permissions");
|
||||
const { get_user } = require("../helpers");
|
||||
const { Actor, UserActorType, AppUnderUserActorType } = require("../services/auth/Actor");
|
||||
const { Actor, UserActorType, AppUnderUserActorType, AccessTokenActorType } = require("../services/auth/Actor");
|
||||
const { reading_has_terminal } = require("./permission-scan-lib");
|
||||
|
||||
/*
|
||||
@@ -89,6 +89,46 @@ const PERMISSION_SCANNERS = [
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
name: 'access-token',
|
||||
documentation: `
|
||||
Permissoins for access tokens
|
||||
`,
|
||||
async scan (a) {
|
||||
const { reading, actor, permission_options, state } = a.values();
|
||||
|
||||
if ( !(actor.type instanceof AccessTokenActorType) ) return;
|
||||
|
||||
const { authorizer: issuer_actor, token } = actor.type;
|
||||
|
||||
for ( const permission of permission_options ) {
|
||||
const issuer_reading =
|
||||
await a.icall('scan', issuer_actor, permission)
|
||||
const has_terminal = reading_has_terminal({ reading: issuer_reading });
|
||||
|
||||
const db = a.iget('db');
|
||||
const rows = await db.read(
|
||||
'SELECT * FROM `access_token_permissions` ' +
|
||||
'WHERE `token_uid` = ? AND `permission` = ?',
|
||||
[
|
||||
token,
|
||||
permission,
|
||||
]
|
||||
);
|
||||
|
||||
// Token must have permission
|
||||
if ( ! rows[0] ) continue;
|
||||
|
||||
reading.push({
|
||||
$: 'path',
|
||||
via: 'access-token',
|
||||
has_terminal,
|
||||
permission,
|
||||
reading: issuer_reading,
|
||||
});
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
name: 'user-user',
|
||||
documentation: `
|
||||
|
||||
Reference in New Issue
Block a user