From a729d4e36fc847509bc701d684232a31058113f4 Mon Sep 17 00:00:00 2001
From: yeti
Date: Fri, 18 Apr 2025 04:46:00 +0100
Subject: [PATCH] feat: add access list for workspaces

---
 access.yml | 15 +++++++++++++++
 ssh_router.sh | 34 ++++++++++++++++++++++++++++++++--
 2 files changed, 47 insertions(+), 2 deletions(-)
 create mode 100644 access.yml

diff --git a/access.yml b/access.yml
new file mode 100644
index 0000000..b2939a4
--- /dev/null
+++ b/access.yml
@@ -0,0 +1,15 @@
+pallav:
+  rw:
+    - darshan
+    - param
+
+darshan:
+  rw:
+    - param
+  ro:
+    - pallav
+
+param:
+  ro:
+    - pallav
+    - darshan
diff --git a/ssh_router.sh b/ssh_router.sh
index 5024c03..0559c7c 100755
--- a/ssh_router.sh
+++ b/ssh_router.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
 
-MODE="$1" # 'rw' or 'readonly'
-PERSON="$2"
+PERSON="$1"
 WORKSPACE="$SSH_ORIGINAL_COMMAND"
 IMAGE="analytics-backend-workspace" # change to match your setup
 TMUX_SESSION="$WORKSPACE|analytics-backend"
@@ -51,8 +50,39 @@ check_devuser_attached() {
   fi
 }
 
+get_access_mode_and_session() {
+  local yaml_file="access.yml"
+  local workspace="$1"
+  local person="$2"
+
+  # Special case: user accessing their own workspace
+  if [[ "$workspace" == "$person" ]]; then
+    echo "access=rw"
+    return 0
+  fi
+
+  # Check rw
+  if yq '.["'"$person"'"].rw // []' "$yaml_file" | grep -q "\b$workspace\b"; then
+    echo "access=rw"
+    return 0
+  fi
+
+  # Check ro
+  if yq '.["'"$person"'"].ro // []' "$yaml_file" | grep -q "\b$workspace\b"; then
+    echo "access=ro"
+    return 0
+  fi
+
+  # No access → exit with error
+  log "❌ $person has no access to $workspace" >&2
+  exit 1
+}
+
 # === Main ===
+
+read -r access_line < <(get_access_mode_and_session "$WORKSPACE" "$PERSON") || exit 1
+MODE="${access_line#access=}"
+
 case "$MODE" in
   rw)
     start_container_if_needed
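Review bot: The file carries no comment saying which way the mapping runs, and the direction is only recoverable by reading `get_access_mode_and_session` in ssh_router.sh, where `.[person].rw` and `.[person].ro` are the workspaces that person may open read-write and read-only. A reader editing this file could easily invert it (listing who may access a workspace under the workspace's key), which would silently grant or revoke access. A three-line header such as `# Per-person access list consumed by ssh_router.sh.`, `# <person>: rw: [workspaces they may open read-write]`, `# ro: [workspaces they may open read-only]; own workspace is always rw` would pin the semantics next to the data.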
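Review bot: `PERSON="$1"` is never checked, so a forced-command entry that omits the argument leaves PERSON empty and the script still proceeds into the access lookup with an empty person; adding `: "${PERSON:?person argument required}"` directly after the assignment fails closed instead. The removed inline comment was the only place that documented what the positional argument means, and nothing replaces it; a one-line `# $1: the person this key belongs to (set by the caller, e.g. command= in authorized_keys)` would keep that knowledge, though where the key-to-person mapping lives is not visible in this patch. `WORKSPACE="$SSH_ORIGINAL_COMMAND"` on the context line below is client-controlled input and is now the value fed to the authorization check; that is worth a comment here even if the validation itself lives in the lookup function.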
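Review bot: `$workspace` comes from `SSH_ORIGINAL_COMMAND`, i.e. from the remote client, and is interpolated unescaped into the grep pattern `"\b$workspace\b"` in both the rw and ro checks, so a request such as `.*` satisfies the regex whenever the person has any entry and the decision no longer reflects the list; reject anything that is not a plain name before it reaches grep (and, later, the container and tmux names) with `[[ "$workspace" =~ ^[A-Za-z0-9_-]+$ ]] || { log "❌ invalid workspace name" >&2; exit 1; }` as the first statement of the function. `local yaml_file="access.yml"` is resolved against the current working directory of the forced command, which the script does not set, so the lookup reads whatever `access.yml` happens to be in that directory or fails when there is none; anchor it to the script, e.g. `local yaml_file="${BASH_SOURCE[0]%/*}/access.yml"`, and treat a missing or unreadable file as no access rather than relying on yq's error path. `$person` is also spliced into the yq program text; it is presumably set by the operator rather than the client, but a comment saying so, `# person is operator-controlled (forced-command argument), never client input`, would make that trust boundary explicit. Note that the `exit 1` at the end runs inside the process substitution, so it only ends that subshell; the caller terminates because `read -r` returns non-zero on empty input, which works but is worth a comment on the `read` line in the Main section.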