access.go 7.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228
  1. //go:build !noserver
  2. package cmd
  3. import (
  4. "errors"
  5. "fmt"
  6. "github.com/urfave/cli/v2"
  7. "heckel.io/ntfy/user"
  8. "heckel.io/ntfy/util"
  9. )
  10. func init() {
  11. commands = append(commands, cmdAccess)
  12. }
  13. const (
  14. userEveryone = "everyone"
  15. )
  16. var flagsAccess = append(
  17. append([]cli.Flag{}, flagsUser...),
  18. &cli.BoolFlag{Name: "reset", Aliases: []string{"r"}, Usage: "reset access for user (and topic)"},
  19. )
  20. var cmdAccess = &cli.Command{
  21. Name: "access",
  22. Usage: "Grant/revoke access to a topic, or show access",
  23. UsageText: "ntfy access [USERNAME [TOPIC [PERMISSION]]]",
  24. Flags: flagsAccess,
  25. Before: initConfigFileInputSourceFunc("config", flagsAccess, initLogFunc),
  26. Action: execUserAccess,
  27. Category: categoryServer,
  28. Description: `Manage the access control list for the ntfy server.
  29. This is a server-only command. It directly manages the user.db as defined in the server config
  30. file server.yml. The command only works if 'auth-file' is properly defined. Please also refer
  31. to the related command 'ntfy user'.
  32. The command allows you to show the access control list, as well as change it, depending on how
  33. it is called.
  34. Usage:
  35. ntfy access # Shows access control list (alias: 'ntfy user list')
  36. ntfy access USERNAME # Shows access control entries for USERNAME
  37. ntfy access USERNAME TOPIC PERMISSION # Allow/deny access for USERNAME to TOPIC
  38. Arguments:
  39. USERNAME an existing user, as created with 'ntfy user add', or "everyone"/"*"
  40. to define access rules for anonymous/unauthenticated clients
  41. TOPIC name of a topic with optional wildcards, e.g. "mytopic*"
  42. PERMISSION one of the following:
  43. - read-write (alias: rw)
  44. - read-only (aliases: read, ro)
  45. - write-only (aliases: write, wo)
  46. - deny (alias: none)
  47. Examples:
  48. ntfy access # Shows access control list (alias: 'ntfy user list')
  49. ntfy access phil # Shows access for user phil
  50. ntfy access phil mytopic rw # Allow read-write access to mytopic for user phil
  51. ntfy access everyone mytopic rw # Allow anonymous read-write access to mytopic
  52. ntfy access everyone "up*" write # Allow anonymous write-only access to topics "up..."
  53. ntfy access --reset # Reset entire access control list
  54. ntfy access --reset phil # Reset all access for user phil
  55. ntfy access --reset phil mytopic # Reset access for user phil and topic mytopic
  56. `,
  57. }
  58. func execUserAccess(c *cli.Context) error {
  59. if c.NArg() > 3 {
  60. return errors.New("too many arguments, please check 'ntfy access --help' for usage details")
  61. }
  62. manager, err := createUserManager(c)
  63. if err != nil {
  64. return err
  65. }
  66. username := c.Args().Get(0)
  67. if username == userEveryone {
  68. username = user.Everyone
  69. }
  70. topic := c.Args().Get(1)
  71. perms := c.Args().Get(2)
  72. reset := c.Bool("reset")
  73. if reset {
  74. if perms != "" {
  75. return errors.New("too many arguments, please check 'ntfy access --help' for usage details")
  76. }
  77. return resetAccess(c, manager, username, topic)
  78. } else if perms == "" {
  79. if topic != "" {
  80. return errors.New("invalid syntax, please check 'ntfy access --help' for usage details")
  81. }
  82. return showAccess(c, manager, username)
  83. }
  84. return changeAccess(c, manager, username, topic, perms)
  85. }
  86. func changeAccess(c *cli.Context, manager *user.Manager, username string, topic string, perms string) error {
  87. if !util.Contains([]string{"", "read-write", "rw", "read-only", "read", "ro", "write-only", "write", "wo", "none", "deny"}, perms) {
  88. return errors.New("permission must be one of: read-write, read-only, write-only, or deny (or the aliases: read, ro, write, wo, none)")
  89. }
  90. permission, err := user.ParsePermission(perms)
  91. if err != nil {
  92. return err
  93. }
  94. u, err := manager.User(username)
  95. if err == user.ErrUserNotFound {
  96. return fmt.Errorf("user %s does not exist", username)
  97. } else if u.Role == user.RoleAdmin {
  98. return fmt.Errorf("user %s is an admin user, access control entries have no effect", username)
  99. }
  100. if err := manager.AllowAccess(username, topic, permission); err != nil {
  101. return err
  102. }
  103. if permission.IsReadWrite() {
  104. fmt.Fprintf(c.App.ErrWriter, "granted read-write access to topic %s\n\n", topic)
  105. } else if permission.IsRead() {
  106. fmt.Fprintf(c.App.ErrWriter, "granted read-only access to topic %s\n\n", topic)
  107. } else if permission.IsWrite() {
  108. fmt.Fprintf(c.App.ErrWriter, "granted write-only access to topic %s\n\n", topic)
  109. } else {
  110. fmt.Fprintf(c.App.ErrWriter, "revoked all access to topic %s\n\n", topic)
  111. }
  112. return showUserAccess(c, manager, username)
  113. }
  114. func resetAccess(c *cli.Context, manager *user.Manager, username, topic string) error {
  115. if username == "" {
  116. return resetAllAccess(c, manager)
  117. } else if topic == "" {
  118. return resetUserAccess(c, manager, username)
  119. }
  120. return resetUserTopicAccess(c, manager, username, topic)
  121. }
  122. func resetAllAccess(c *cli.Context, manager *user.Manager) error {
  123. if err := manager.ResetAccess("", ""); err != nil {
  124. return err
  125. }
  126. fmt.Fprintln(c.App.ErrWriter, "reset access for all users")
  127. return nil
  128. }
  129. func resetUserAccess(c *cli.Context, manager *user.Manager, username string) error {
  130. if err := manager.ResetAccess(username, ""); err != nil {
  131. return err
  132. }
  133. fmt.Fprintf(c.App.ErrWriter, "reset access for user %s\n\n", username)
  134. return showUserAccess(c, manager, username)
  135. }
  136. func resetUserTopicAccess(c *cli.Context, manager *user.Manager, username string, topic string) error {
  137. if err := manager.ResetAccess(username, topic); err != nil {
  138. return err
  139. }
  140. fmt.Fprintf(c.App.ErrWriter, "reset access for user %s and topic %s\n\n", username, topic)
  141. return showUserAccess(c, manager, username)
  142. }
  143. func showAccess(c *cli.Context, manager *user.Manager, username string) error {
  144. if username == "" {
  145. return showAllAccess(c, manager)
  146. }
  147. return showUserAccess(c, manager, username)
  148. }
  149. func showAllAccess(c *cli.Context, manager *user.Manager) error {
  150. users, err := manager.Users()
  151. if err != nil {
  152. return err
  153. }
  154. return showUsers(c, manager, users)
  155. }
  156. func showUserAccess(c *cli.Context, manager *user.Manager, username string) error {
  157. users, err := manager.User(username)
  158. if err == user.ErrUserNotFound {
  159. return fmt.Errorf("user %s does not exist", username)
  160. } else if err != nil {
  161. return err
  162. }
  163. return showUsers(c, manager, []*user.User{users})
  164. }
  165. func showUsers(c *cli.Context, manager *user.Manager, users []*user.User) error {
  166. for _, u := range users {
  167. grants, err := manager.Grants(u.Name)
  168. if err != nil {
  169. return err
  170. }
  171. tier := "none"
  172. if u.Tier != nil {
  173. tier = u.Tier.Name
  174. }
  175. fmt.Fprintf(c.App.ErrWriter, "user %s (role: %s, tier: %s)\n", u.Name, u.Role, tier)
  176. if u.Role == user.RoleAdmin {
  177. fmt.Fprintf(c.App.ErrWriter, "- read-write access to all topics (admin role)\n")
  178. } else if len(grants) > 0 {
  179. for _, grant := range grants {
  180. if grant.Allow.IsReadWrite() {
  181. fmt.Fprintf(c.App.ErrWriter, "- read-write access to topic %s\n", grant.TopicPattern)
  182. } else if grant.Allow.IsRead() {
  183. fmt.Fprintf(c.App.ErrWriter, "- read-only access to topic %s\n", grant.TopicPattern)
  184. } else if grant.Allow.IsWrite() {
  185. fmt.Fprintf(c.App.ErrWriter, "- write-only access to topic %s\n", grant.TopicPattern)
  186. } else {
  187. fmt.Fprintf(c.App.ErrWriter, "- no access to topic %s\n", grant.TopicPattern)
  188. }
  189. }
  190. } else {
  191. fmt.Fprintf(c.App.ErrWriter, "- no topic-specific permissions\n")
  192. }
  193. if u.Name == user.Everyone {
  194. access := manager.DefaultAccess()
  195. if access.IsReadWrite() {
  196. fmt.Fprintln(c.App.ErrWriter, "- read-write access to all (other) topics (server config)")
  197. } else if access.IsRead() {
  198. fmt.Fprintln(c.App.ErrWriter, "- read-only access to all (other) topics (server config)")
  199. } else if access.IsWrite() {
  200. fmt.Fprintln(c.App.ErrWriter, "- write-only access to all (other) topics (server config)")
  201. } else {
  202. fmt.Fprintln(c.App.ErrWriter, "- no access to any (other) topics (server config)")
  203. }
  204. }
  205. }
  206. return nil
  207. }