srv: cs token support

Author: nyiyui

cs/config.go

@@ -69,12 +69,15 @@ func (t *TokensConfig) UnmarshalYAML(value *yaml.Node) error {
 }
 
 type TokenConfig struct {
-	Name           string            `yaml:"name" json:"name"`
-	Hash           *util.TokenHash   `yaml:"hash" json:"hash"`
-	Networks       map[string]string `yaml:"networks" json:"networks"`
-	CanPull        bool              `yaml:"canPull"`
-	CanPush        *CanPush          `yaml:"canPush"`
-	CanAdminTokens *CanAdminTokens   `yaml:"canAdminTokens"`
+	Name             string                 `yaml:"name" json:"name"`
+	Hash             *util.TokenHash        `yaml:"hash" json:"hash"`
+	Networks         map[string]string      `yaml:"networks" json:"networks"`
+	CanPull          bool                   `yaml:"canPull"`
+	CanPush          *CanPush               `yaml:"canPush"`
+	CanAdminTokens   *CanAdminTokens        `yaml:"canAdminTokens"`
+	CanSRVUpdate     bool                   `yaml:"canSRVUpdate"`
+	SRVAllowances    []central.SRVAllowance `yaml:"srvAllowances"`
+	SRVAllowancesAny bool                   `yaml:"srvAllowancesAny"`
 }
 
 func convertTokens2(tokens []TokenConfig) ([]Token, error) {
@@ -83,11 +86,14 @@ func convertTokens2(tokens []TokenConfig) ([]Token, error) {
 		res[i] = Token{
 			Hash: *token.Hash,
 			Info: TokenInfo{
-				Name:           token.Name,
-				Networks:       token.Networks,
-				CanPull:        token.CanPull,
-				CanPush:        token.CanPush,
-				CanAdminTokens: token.CanAdminTokens,
+				Name:             token.Name,
+				Networks:         token.Networks,
+				CanPull:          token.CanPull,
+				CanPush:          token.CanPush,
+				CanAdminTokens:   token.CanAdminTokens,
+				CanSRVUpdate:     token.CanSRVUpdate,
+				SRVAllowances:    token.SRVAllowances,
+				SRVAllowancesAny: token.SRVAllowancesAny,
 			},
 		}
 	}

cs/tokencheck.go

@@ -53,6 +53,9 @@ func checkSrv(ti TokenInfo, cnn string) error {
 	if ti.CanPush == nil {
 		return newHttpError(403, errors.New("token: cannot push"))
 	}
+	if !ti.CanSRVUpdate {
+		return newHttpError(403, errors.New("token: cannot srvUpdate"))
+	}
 	if !ti.CanPush.Any {
 		_, ok := ti.CanPush.Networks[cnn]
 		if !ok {

nixos-modules.nix

@@ -374,6 +374,19 @@ args@{ self, system, nixpkgsFor, libFor, nixosLibFor, ldflags, packages, ...
                         description =
                           "Allow token to add more tokens, or remove any tokens.";
                       };
+                      allowedSRVs = mkOption {
+                        type = nullOr (listOf (submodule {
+                          options = {
+                            service = mkOption { type = str; };
+                            serviceAny = mkOption { type = bool; default = false; };
+                            priorityMin = mkOption { type = port; default = 0; };
+                            priorityMax = mkOption { type = port; default = 65535; };
+                            weightMin = mkOption { type = port; default = 0; };
+                            weightMax = mkOption { type = port; default = 65535; };
+                          };
+                        }));
+                        default = null;
+                      };
                     };
                   });
                 };