feat: add access list for workspaces

2025-04-18 04:46:00 +01:00 · 2025-04-18 04:46:00 +01:00 · a729d4e36f
commit a729d4e36f
parent 833080739b
2 changed files with 47 additions and 2 deletions
--- a/access.yml
+++ b/access.yml
@ -0,0 +1,15 @@
+pallav:
+  rw:
+    - darshan
+    - param
+
+darshan:
+  rw:
+    - param
+  ro:
+    - pallav
+
+param:
+  ro:
+    - pallav
+    - darshan
--- a/ssh_router.sh
+++ b/ssh_router.sh
@ -1,7 +1,6 @@
 #!/bin/bash

-MODE="$1" # 'rw' or 'readonly'
-PERSON="$2"
+PERSON="$1"
 WORKSPACE="$SSH_ORIGINAL_COMMAND"
 IMAGE="analytics-backend-workspace" # change to match your setup
 TMUX_SESSION="$WORKSPACE|analytics-backend"
@ -51,8 +50,39 @@ check_devuser_attached() {
  fi
 }

+get_access_mode_and_session() {
+  local yaml_file="access.yml"
+  local workspace="$1"
+  local person="$2"
+
+  # Special case: user accessing their own workspace
+  if [[ "$workspace" == "$person" ]]; then
+    echo "access=rw"
+    return 0
+  fi
+
+  # Check rw
+  if yq '.["'"$person"'"].rw // []' "$yaml_file" | grep -q "\b$workspace\b"; then
+    echo "access=rw"
+    return 0
+  fi
+
+  # Check ro
+  if yq '.["'"$person"'"].ro // []' "$yaml_file" | grep -q "\b$workspace\b"; then
+    echo "access=ro"
+    return 0
+  fi
+
+  # No access → exit with error
+  log "❌ $person has no access to $workspace" >&2
+  exit 1
+}
+
 # === Main ===

+read -r access_line < <(get_access_mode_and_session "$WORKSPACE" "$PERSON") || exit 1
+MODE="${access_line#access=}"
+
 case "$MODE" in
 rw)
  start_container_if_needed