// Copyright 2015 Canonical Ltd.
// Licensed under the LGPLv3, see LICENCE file for details.
// PermChecker provides a way to query ACLs using the identity client.
type PermChecker struct {
// NewPermChecker returns a permission checker
// that uses the given identity client to check permissions.
// It will cache results for at most cacheTime.
func NewPermChecker(c *Client, cacheTime time.Duration) *PermChecker {
cache: NewGroupCache(c, cacheTime),
// NewPermCheckerWithCache returns a new PermChecker using
// the given cache for its group queries.
func NewPermCheckerWithCache(cache *GroupCache) *PermChecker {
// Allow reports whether the given ACL admits the user with the given
// name. If the user does not exist and the ACL does not allow username
// or "everyone", it returns (false, nil).
func (c *PermChecker) Allow(username string, acl []string) (bool, error) {
for _, name := range acl {
if name == "everyone" || name == username {
groups, err := c.cache.groupMap(username)
return false, errgo.Mask(err)
for _, a := range acl {
// CacheEvict evicts username from the cache.
func (c *PermChecker) CacheEvict(username string) {
c.cache.CacheEvict(username)
// CacheEvictAll evicts everything from the cache.
func (c *PermChecker) CacheEvictAll() {
c.cache.CacheEvictAll()