2
0
mirror of https://github.com/status-im/consul.git synced 2025-01-24 04:31:12 +00:00

178 lines
3.9 KiB
Go
Raw Normal View History

2014-08-08 14:36:09 -07:00
package acl
import (
"crypto/md5"
"fmt"
"github.com/hashicorp/golang-lru"
)
// FaultFunc is a function used to fault in the parent,
2016-08-03 17:01:32 -07:00
// rules for an ACL given its ID
type FaultFunc func(id string) (string, string, error)
2014-08-08 14:36:09 -07:00
// aclEntry allows us to store the ACL with it's policy ID
type aclEntry struct {
ACL ACL
Parent string
RuleID string
}
2014-08-08 14:36:09 -07:00
// Cache is used to implement policy and ACL caching
type Cache struct {
faultfn FaultFunc
2016-08-09 11:00:22 -07:00
aclCache *lru.TwoQueueCache // Cache id -> acl
policyCache *lru.TwoQueueCache // Cache policy -> acl
ruleCache *lru.TwoQueueCache // Cache rules -> policy
2014-08-08 14:36:09 -07:00
}
// NewCache constructs a new policy and ACL cache of a given size
func NewCache(size int, faultfn FaultFunc) (*Cache, error) {
2014-08-08 14:36:09 -07:00
if size <= 0 {
return nil, fmt.Errorf("Must provide positive cache size")
}
2016-08-09 11:00:22 -07:00
rc, err := lru.New2Q(size)
if err != nil {
return nil, err
}
pc, err := lru.New2Q(size)
if err != nil {
return nil, err
}
ac, err := lru.New2Q(size)
if err != nil {
return nil, err
}
2014-08-08 14:36:09 -07:00
c := &Cache{
faultfn: faultfn,
aclCache: ac,
2014-08-08 14:36:09 -07:00
policyCache: pc,
2014-08-08 17:37:13 -07:00
ruleCache: rc,
2014-08-08 14:36:09 -07:00
}
return c, nil
}
// GetPolicy is used to get a potentially cached policy set.
// If not cached, it will be parsed, and then cached.
func (c *Cache) GetPolicy(rules string) (*Policy, error) {
2016-08-03 17:01:32 -07:00
return c.getPolicy(RuleID(rules), rules)
}
// getPolicy is an internal method to get a cached policy,
// but it assumes a pre-computed ID
func (c *Cache) getPolicy(id, rules string) (*Policy, error) {
2014-08-08 17:37:13 -07:00
raw, ok := c.ruleCache.Get(id)
2014-08-08 14:36:09 -07:00
if ok {
return raw.(*Policy), nil
}
policy, err := Parse(rules)
if err != nil {
return nil, err
}
2014-08-08 16:51:19 -07:00
policy.ID = id
2014-08-08 17:37:13 -07:00
c.ruleCache.Add(id, policy)
2014-08-08 14:36:09 -07:00
return policy, nil
}
2016-08-03 17:01:32 -07:00
// RuleID is used to generate an ID for a rule
func RuleID(rules string) string {
return fmt.Sprintf("%x", md5.Sum([]byte(rules)))
}
// policyID returns the cache ID for a policy
func (c *Cache) policyID(parent, ruleID string) string {
return parent + ":" + ruleID
}
// GetACLPolicy is used to get the potentially cached ACL
// policy. If not cached, it will be generated and then cached.
func (c *Cache) GetACLPolicy(id string) (string, *Policy, error) {
// Check for a cached acl
if raw, ok := c.aclCache.Get(id); ok {
cached := raw.(aclEntry)
if raw, ok := c.ruleCache.Get(cached.RuleID); ok {
return cached.Parent, raw.(*Policy), nil
}
}
// Fault in the rules
parent, rules, err := c.faultfn(id)
if err != nil {
return "", nil, err
}
// Get cached
policy, err := c.GetPolicy(rules)
return parent, policy, err
2014-08-08 14:36:09 -07:00
}
// GetACL is used to get a potentially cached ACL policy.
// If not cached, it will be generated and then cached.
func (c *Cache) GetACL(id string) (ACL, error) {
// Look for the ACL directly
raw, ok := c.aclCache.Get(id)
if ok {
return raw.(aclEntry).ACL, nil
2014-08-08 14:36:09 -07:00
}
// Get the rules
parentID, rules, err := c.faultfn(id)
2014-08-08 14:36:09 -07:00
if err != nil {
return nil, err
}
2016-08-03 17:01:32 -07:00
ruleID := RuleID(rules)
2014-08-08 14:36:09 -07:00
2014-08-08 17:37:13 -07:00
// Check for a compiled ACL
policyID := c.policyID(parentID, ruleID)
2014-08-08 17:37:13 -07:00
var compiled ACL
if raw, ok := c.policyCache.Get(policyID); ok {
2014-08-08 17:37:13 -07:00
compiled = raw.(ACL)
} else {
// Get the policy
policy, err := c.getPolicy(ruleID, rules)
if err != nil {
return nil, err
}
2014-08-08 14:36:09 -07:00
// Get the parent ACL
parent := RootACL(parentID)
if parent == nil {
parent, err = c.GetACL(parentID)
if err != nil {
return nil, err
}
}
2014-08-08 17:37:13 -07:00
// Compile the ACL
acl, err := New(parent, policy)
2014-08-08 17:37:13 -07:00
if err != nil {
return nil, err
}
// Cache the compiled ACL
c.policyCache.Add(policyID, acl)
2014-08-08 17:37:13 -07:00
compiled = acl
2014-08-08 14:36:09 -07:00
}
// Cache and return the ACL
c.aclCache.Add(id, aclEntry{compiled, parentID, ruleID})
2014-08-08 17:37:13 -07:00
return compiled, nil
2014-08-08 14:36:09 -07:00
}
// ClearACL is used to clear the ACL cache if any
func (c *Cache) ClearACL(id string) {
c.aclCache.Remove(id)
}
2014-08-08 17:44:23 -07:00
// Purge is used to clear all the ACL caches. The
// rule and policy caches are not purged, since they
// are content-hashed anyways.
func (c *Cache) Purge() {
c.aclCache.Purge()
}