mirror of https://github.com/status-im/consul.git
Rename EnterpriseAuthorizerContext -> AuthorizerContext
This commit is contained in:
parent
34e6e23d43
commit
0b346616e9
158
acl/acl_test.go
158
acl/acl_test.go
|
@ -36,315 +36,315 @@ func legacyPolicy(policy *Policy) *Policy {
|
|||
// nicer in the embedded struct within TestACL
|
||||
//
|
||||
|
||||
func checkAllowACLRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowACLRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.ACLRead(entCtx))
|
||||
}
|
||||
|
||||
func checkAllowACLWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowACLWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.ACLWrite(entCtx))
|
||||
}
|
||||
|
||||
func checkAllowAgentRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowAgentRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.AgentRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowAgentWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowAgentWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.AgentWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowEventRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowEventRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.EventRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowEventWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowEventWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.EventWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowIntentionDefaultAllow(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowIntentionDefaultAllow(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.IntentionDefaultAllow(entCtx))
|
||||
}
|
||||
|
||||
func checkAllowIntentionRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowIntentionRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.IntentionRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowIntentionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowIntentionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.IntentionWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowKeyRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowKeyRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.KeyRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowKeyList(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowKeyList(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.KeyList(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowKeyringRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowKeyringRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.KeyringRead(entCtx))
|
||||
}
|
||||
|
||||
func checkAllowKeyringWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowKeyringWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.KeyringWrite(entCtx))
|
||||
}
|
||||
|
||||
func checkAllowKeyWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowKeyWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.KeyWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowKeyWritePrefix(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowKeyWritePrefix(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.KeyWritePrefix(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowNodeRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowNodeRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.NodeRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowNodeWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowNodeWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.NodeWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowOperatorRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowOperatorRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.OperatorRead(entCtx))
|
||||
}
|
||||
|
||||
func checkAllowOperatorWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowOperatorWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.OperatorWrite(entCtx))
|
||||
}
|
||||
|
||||
func checkAllowPreparedQueryRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowPreparedQueryRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.PreparedQueryRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowPreparedQueryWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowPreparedQueryWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.PreparedQueryWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowServiceRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowServiceRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.ServiceRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowServiceWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowServiceWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.ServiceWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowSessionRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowSessionRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.SessionRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowSessionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowSessionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.SessionWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowSnapshot(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowSnapshot(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.Snapshot(entCtx))
|
||||
}
|
||||
|
||||
func checkDenyACLRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyACLRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.ACLRead(entCtx))
|
||||
}
|
||||
|
||||
func checkDenyACLWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyACLWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.ACLWrite(entCtx))
|
||||
}
|
||||
|
||||
func checkDenyAgentRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyAgentRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.AgentRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenyAgentWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyAgentWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.AgentWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenyEventRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyEventRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.EventRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenyEventWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyEventWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.EventWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenyIntentionDefaultAllow(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyIntentionDefaultAllow(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.IntentionDefaultAllow(entCtx))
|
||||
}
|
||||
|
||||
func checkDenyIntentionRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyIntentionRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.IntentionRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenyIntentionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyIntentionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.IntentionWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenyKeyRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyKeyRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.KeyRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenyKeyList(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyKeyList(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.KeyList(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenyKeyringRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyKeyringRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.KeyringRead(entCtx))
|
||||
}
|
||||
|
||||
func checkDenyKeyringWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyKeyringWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.KeyringWrite(entCtx))
|
||||
}
|
||||
|
||||
func checkDenyKeyWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyKeyWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.KeyWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenyKeyWritePrefix(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyKeyWritePrefix(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.KeyWritePrefix(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenyNodeRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyNodeRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.NodeRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenyNodeWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyNodeWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.NodeWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenyOperatorRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyOperatorRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.OperatorRead(entCtx))
|
||||
}
|
||||
|
||||
func checkDenyOperatorWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyOperatorWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.OperatorWrite(entCtx))
|
||||
}
|
||||
|
||||
func checkDenyPreparedQueryRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyPreparedQueryRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.PreparedQueryRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenyPreparedQueryWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyPreparedQueryWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.PreparedQueryWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenyServiceRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyServiceRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.ServiceRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenyServiceWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyServiceWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.ServiceWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenySessionRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenySessionRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.SessionRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenySessionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenySessionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.SessionWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenySnapshot(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenySnapshot(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.Snapshot(entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultACLRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultACLRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.ACLRead(entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultACLWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultACLWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.ACLWrite(entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultAgentRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultAgentRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.AgentRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultAgentWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultAgentWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.AgentWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultEventRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultEventRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.EventRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultEventWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultEventWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.EventWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultIntentionDefaultAllow(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultIntentionDefaultAllow(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.IntentionDefaultAllow(entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultIntentionRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultIntentionRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.IntentionRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultIntentionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultIntentionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.IntentionWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultKeyRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultKeyRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.KeyRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultKeyList(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultKeyList(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.KeyList(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultKeyringRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultKeyringRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.KeyringRead(entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultKeyringWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultKeyringWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.KeyringWrite(entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultKeyWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultKeyWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.KeyWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultKeyWritePrefix(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultKeyWritePrefix(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.KeyWritePrefix(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultNodeRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultNodeRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.NodeRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultNodeWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultNodeWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.NodeWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultOperatorRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultOperatorRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.OperatorRead(entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultOperatorWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultOperatorWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.OperatorWrite(entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultPreparedQueryRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultPreparedQueryRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.PreparedQueryRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultPreparedQueryWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultPreparedQueryWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.PreparedQueryWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultServiceRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultServiceRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.ServiceRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultServiceWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultServiceWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.ServiceWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultSessionRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultSessionRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.SessionRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultSessionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultSessionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.SessionWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultSnapshot(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultSnapshot(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.Snapshot(entCtx))
|
||||
}
|
||||
|
||||
|
@ -352,7 +352,7 @@ func TestACL(t *testing.T) {
|
|||
type aclCheck struct {
|
||||
name string
|
||||
prefix string
|
||||
check func(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext)
|
||||
check func(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext)
|
||||
}
|
||||
|
||||
type aclTest struct {
|
||||
|
|
|
@ -53,102 +53,102 @@ const (
|
|||
// Authorizer is the interface for policy enforcement.
|
||||
type Authorizer interface {
|
||||
// ACLRead checks for permission to list all the ACLs
|
||||
ACLRead(*EnterpriseAuthorizerContext) EnforcementDecision
|
||||
ACLRead(*AuthorizerContext) EnforcementDecision
|
||||
|
||||
// ACLWrite checks for permission to manipulate ACLs
|
||||
ACLWrite(*EnterpriseAuthorizerContext) EnforcementDecision
|
||||
ACLWrite(*AuthorizerContext) EnforcementDecision
|
||||
|
||||
// AgentRead checks for permission to read from agent endpoints for a
|
||||
// given node.
|
||||
AgentRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
AgentRead(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// AgentWrite checks for permission to make changes via agent endpoints
|
||||
// for a given node.
|
||||
AgentWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
AgentWrite(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// EventRead determines if a specific event can be queried.
|
||||
EventRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
EventRead(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// EventWrite determines if a specific event may be fired.
|
||||
EventWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
EventWrite(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// IntentionDefaultAllow determines the default authorized behavior
|
||||
// when no intentions match a Connect request.
|
||||
IntentionDefaultAllow(*EnterpriseAuthorizerContext) EnforcementDecision
|
||||
IntentionDefaultAllow(*AuthorizerContext) EnforcementDecision
|
||||
|
||||
// IntentionRead determines if a specific intention can be read.
|
||||
IntentionRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
IntentionRead(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// IntentionWrite determines if a specific intention can be
|
||||
// created, modified, or deleted.
|
||||
IntentionWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
IntentionWrite(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// KeyList checks for permission to list keys under a prefix
|
||||
KeyList(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
KeyList(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// KeyRead checks for permission to read a given key
|
||||
KeyRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
KeyRead(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// KeyWrite checks for permission to write a given key
|
||||
KeyWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
KeyWrite(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// KeyWritePrefix checks for permission to write to an
|
||||
// entire key prefix. This means there must be no sub-policies
|
||||
// that deny a write.
|
||||
KeyWritePrefix(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
KeyWritePrefix(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// KeyringRead determines if the encryption keyring used in
|
||||
// the gossip layer can be read.
|
||||
KeyringRead(*EnterpriseAuthorizerContext) EnforcementDecision
|
||||
KeyringRead(*AuthorizerContext) EnforcementDecision
|
||||
|
||||
// KeyringWrite determines if the keyring can be manipulated
|
||||
KeyringWrite(*EnterpriseAuthorizerContext) EnforcementDecision
|
||||
KeyringWrite(*AuthorizerContext) EnforcementDecision
|
||||
|
||||
// NodeRead checks for permission to read (discover) a given node.
|
||||
NodeRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
NodeRead(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// NodeWrite checks for permission to create or update (register) a
|
||||
// given node.
|
||||
NodeWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
NodeWrite(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// OperatorRead determines if the read-only Consul operator functions
|
||||
// can be used.
|
||||
OperatorRead(*EnterpriseAuthorizerContext) EnforcementDecision
|
||||
OperatorRead(*AuthorizerContext) EnforcementDecision
|
||||
|
||||
// OperatorWrite determines if the state-changing Consul operator
|
||||
// functions can be used.
|
||||
OperatorWrite(*EnterpriseAuthorizerContext) EnforcementDecision
|
||||
OperatorWrite(*AuthorizerContext) EnforcementDecision
|
||||
|
||||
// PreparedQueryRead determines if a specific prepared query can be read
|
||||
// to show its contents (this is not used for execution).
|
||||
PreparedQueryRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
PreparedQueryRead(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// PreparedQueryWrite determines if a specific prepared query can be
|
||||
// created, modified, or deleted.
|
||||
PreparedQueryWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
PreparedQueryWrite(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// ServiceRead checks for permission to read a given service
|
||||
ServiceRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
ServiceRead(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// ServiceWrite checks for permission to create or update a given
|
||||
// service
|
||||
ServiceWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
ServiceWrite(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// SessionRead checks for permission to read sessions for a given node.
|
||||
SessionRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
SessionRead(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// SessionWrite checks for permission to create sessions for a given
|
||||
// node.
|
||||
SessionWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
SessionWrite(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// Snapshot checks for permission to take and restore snapshots.
|
||||
Snapshot(*EnterpriseAuthorizerContext) EnforcementDecision
|
||||
Snapshot(*AuthorizerContext) EnforcementDecision
|
||||
|
||||
// Embedded Interface for Consul Enterprise specific ACL enforcement
|
||||
EnterpriseAuthorizer
|
||||
}
|
||||
|
||||
func Enforce(authz Authorizer, rsc Resource, segment string, access string, ctx *EnterpriseAuthorizerContext) (EnforcementDecision, error) {
|
||||
func Enforce(authz Authorizer, rsc Resource, segment string, access string, ctx *AuthorizerContext) (EnforcementDecision, error) {
|
||||
lowerAccess := strings.ToLower(access)
|
||||
|
||||
switch rsc {
|
||||
|
|
|
@ -2,12 +2,12 @@
|
|||
|
||||
package acl
|
||||
|
||||
// EnterpriseAuthorizerContext stub
|
||||
type EnterpriseAuthorizerContext struct{}
|
||||
// AuthorizerContext stub
|
||||
type AuthorizerContext struct{}
|
||||
|
||||
// EnterpriseAuthorizer stub interface
|
||||
type EnterpriseAuthorizer interface{}
|
||||
|
||||
func EnforceEnterprise(_ Authorizer, _ Resource, _ string, _ string, _ *EnterpriseAuthorizerContext) (bool, EnforcementDecision, error) {
|
||||
func EnforceEnterprise(_ Authorizer, _ Resource, _ string, _ string, _ *AuthorizerContext) (bool, EnforcementDecision, error) {
|
||||
return false, Deny, nil
|
||||
}
|
||||
|
|
|
@ -13,77 +13,77 @@ type mockAuthorizer struct {
|
|||
}
|
||||
|
||||
// ACLRead checks for permission to list all the ACLs
|
||||
func (m *mockAuthorizer) ACLRead(ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) ACLRead(ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// ACLWrite checks for permission to manipulate ACLs
|
||||
func (m *mockAuthorizer) ACLWrite(ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) ACLWrite(ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// AgentRead checks for permission to read from agent endpoints for a
|
||||
// given node.
|
||||
func (m *mockAuthorizer) AgentRead(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) AgentRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// AgentWrite checks for permission to make changes via agent endpoints
|
||||
// for a given node.
|
||||
func (m *mockAuthorizer) AgentWrite(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) AgentWrite(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// EventRead determines if a specific event can be queried.
|
||||
func (m *mockAuthorizer) EventRead(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) EventRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// EventWrite determines if a specific event may be fired.
|
||||
func (m *mockAuthorizer) EventWrite(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) EventWrite(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// IntentionDefaultAllow determines the default authorized behavior
|
||||
// when no intentions match a Connect request.
|
||||
func (m *mockAuthorizer) IntentionDefaultAllow(ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) IntentionDefaultAllow(ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// IntentionRead determines if a specific intention can be read.
|
||||
func (m *mockAuthorizer) IntentionRead(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) IntentionRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// IntentionWrite determines if a specific intention can be
|
||||
// created, modified, or deleted.
|
||||
func (m *mockAuthorizer) IntentionWrite(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) IntentionWrite(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// KeyList checks for permission to list keys under a prefix
|
||||
func (m *mockAuthorizer) KeyList(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) KeyList(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// KeyRead checks for permission to read a given key
|
||||
func (m *mockAuthorizer) KeyRead(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) KeyRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// KeyWrite checks for permission to write a given key
|
||||
func (m *mockAuthorizer) KeyWrite(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) KeyWrite(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
@ -91,93 +91,93 @@ func (m *mockAuthorizer) KeyWrite(segment string, ctx *EnterpriseAuthorizerConte
|
|||
// KeyWritePrefix checks for permission to write to an
|
||||
// entire key prefix. This means there must be no sub-policies
|
||||
// that deny a write.
|
||||
func (m *mockAuthorizer) KeyWritePrefix(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) KeyWritePrefix(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// KeyringRead determines if the encryption keyring used in
|
||||
// the gossip layer can be read.
|
||||
func (m *mockAuthorizer) KeyringRead(ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) KeyringRead(ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// KeyringWrite determines if the keyring can be manipulated
|
||||
func (m *mockAuthorizer) KeyringWrite(ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) KeyringWrite(ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// NodeRead checks for permission to read (discover) a given node.
|
||||
func (m *mockAuthorizer) NodeRead(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) NodeRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// NodeWrite checks for permission to create or update (register) a
|
||||
// given node.
|
||||
func (m *mockAuthorizer) NodeWrite(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) NodeWrite(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// OperatorRead determines if the read-only Consul operator functions
|
||||
// can be used. ret := m.Called(segment, ctx)
|
||||
func (m *mockAuthorizer) OperatorRead(ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) OperatorRead(ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// OperatorWrite determines if the state-changing Consul operator
|
||||
// functions can be used.
|
||||
func (m *mockAuthorizer) OperatorWrite(ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) OperatorWrite(ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// PreparedQueryRead determines if a specific prepared query can be read
|
||||
// to show its contents (this is not used for execution).
|
||||
func (m *mockAuthorizer) PreparedQueryRead(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) PreparedQueryRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// PreparedQueryWrite determines if a specific prepared query can be
|
||||
// created, modified, or deleted.
|
||||
func (m *mockAuthorizer) PreparedQueryWrite(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) PreparedQueryWrite(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// ServiceRead checks for permission to read a given service
|
||||
func (m *mockAuthorizer) ServiceRead(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) ServiceRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// ServiceWrite checks for permission to create or update a given
|
||||
// service
|
||||
func (m *mockAuthorizer) ServiceWrite(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) ServiceWrite(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// SessionRead checks for permission to read sessions for a given node.
|
||||
func (m *mockAuthorizer) SessionRead(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) SessionRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// SessionWrite checks for permission to create sessions for a given
|
||||
// node.
|
||||
func (m *mockAuthorizer) SessionWrite(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) SessionWrite(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// Snapshot checks for permission to take and restore snapshots.
|
||||
func (m *mockAuthorizer) Snapshot(ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) Snapshot(ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
@ -599,7 +599,7 @@ func TestACL_Enforce(t *testing.T) {
|
|||
m := &mockAuthorizer{}
|
||||
|
||||
if tcase.err == "" {
|
||||
var nilCtx *EnterpriseAuthorizerContext
|
||||
var nilCtx *AuthorizerContext
|
||||
if tcase.segment != "" {
|
||||
m.On(tcase.method, tcase.segment, nilCtx).Return(tcase.ret)
|
||||
} else {
|
||||
|
|
|
@ -34,14 +34,14 @@ func (c *ChainedAuthorizer) executeChain(enforce func(authz Authorizer) Enforcem
|
|||
}
|
||||
|
||||
// ACLRead checks for permission to list all the ACLs
|
||||
func (c *ChainedAuthorizer) ACLRead(entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) ACLRead(entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.ACLRead(entCtx)
|
||||
})
|
||||
}
|
||||
|
||||
// ACLWrite checks for permission to manipulate ACLs
|
||||
func (c *ChainedAuthorizer) ACLWrite(entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) ACLWrite(entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.ACLWrite(entCtx)
|
||||
})
|
||||
|
@ -49,7 +49,7 @@ func (c *ChainedAuthorizer) ACLWrite(entCtx *EnterpriseAuthorizerContext) Enforc
|
|||
|
||||
// AgentRead checks for permission to read from agent endpoints for a
|
||||
// given node.
|
||||
func (c *ChainedAuthorizer) AgentRead(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) AgentRead(node string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.AgentRead(node, entCtx)
|
||||
})
|
||||
|
@ -57,21 +57,21 @@ func (c *ChainedAuthorizer) AgentRead(node string, entCtx *EnterpriseAuthorizerC
|
|||
|
||||
// AgentWrite checks for permission to make changes via agent endpoints
|
||||
// for a given node.
|
||||
func (c *ChainedAuthorizer) AgentWrite(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) AgentWrite(node string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.AgentWrite(node, entCtx)
|
||||
})
|
||||
}
|
||||
|
||||
// EventRead determines if a specific event can be queried.
|
||||
func (c *ChainedAuthorizer) EventRead(name string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) EventRead(name string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.EventRead(name, entCtx)
|
||||
})
|
||||
}
|
||||
|
||||
// EventWrite determines if a specific event may be fired.
|
||||
func (c *ChainedAuthorizer) EventWrite(name string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) EventWrite(name string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.EventWrite(name, entCtx)
|
||||
})
|
||||
|
@ -79,14 +79,14 @@ func (c *ChainedAuthorizer) EventWrite(name string, entCtx *EnterpriseAuthorizer
|
|||
|
||||
// IntentionDefaultAllow determines the default authorized behavior
|
||||
// when no intentions match a Connect request.
|
||||
func (c *ChainedAuthorizer) IntentionDefaultAllow(entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) IntentionDefaultAllow(entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.IntentionDefaultAllow(entCtx)
|
||||
})
|
||||
}
|
||||
|
||||
// IntentionRead determines if a specific intention can be read.
|
||||
func (c *ChainedAuthorizer) IntentionRead(prefix string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) IntentionRead(prefix string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.IntentionRead(prefix, entCtx)
|
||||
})
|
||||
|
@ -94,28 +94,28 @@ func (c *ChainedAuthorizer) IntentionRead(prefix string, entCtx *EnterpriseAutho
|
|||
|
||||
// IntentionWrite determines if a specific intention can be
|
||||
// created, modified, or deleted.
|
||||
func (c *ChainedAuthorizer) IntentionWrite(prefix string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) IntentionWrite(prefix string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.IntentionWrite(prefix, entCtx)
|
||||
})
|
||||
}
|
||||
|
||||
// KeyList checks for permission to list keys under a prefix
|
||||
func (c *ChainedAuthorizer) KeyList(keyPrefix string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) KeyList(keyPrefix string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.KeyList(keyPrefix, entCtx)
|
||||
})
|
||||
}
|
||||
|
||||
// KeyRead checks for permission to read a given key
|
||||
func (c *ChainedAuthorizer) KeyRead(key string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) KeyRead(key string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.KeyRead(key, entCtx)
|
||||
})
|
||||
}
|
||||
|
||||
// KeyWrite checks for permission to write a given key
|
||||
func (c *ChainedAuthorizer) KeyWrite(key string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) KeyWrite(key string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.KeyWrite(key, entCtx)
|
||||
})
|
||||
|
@ -124,7 +124,7 @@ func (c *ChainedAuthorizer) KeyWrite(key string, entCtx *EnterpriseAuthorizerCon
|
|||
// KeyWritePrefix checks for permission to write to an
|
||||
// entire key prefix. This means there must be no sub-policies
|
||||
// that deny a write.
|
||||
func (c *ChainedAuthorizer) KeyWritePrefix(keyPrefix string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) KeyWritePrefix(keyPrefix string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.KeyWritePrefix(keyPrefix, entCtx)
|
||||
})
|
||||
|
@ -132,21 +132,21 @@ func (c *ChainedAuthorizer) KeyWritePrefix(keyPrefix string, entCtx *EnterpriseA
|
|||
|
||||
// KeyringRead determines if the encryption keyring used in
|
||||
// the gossip layer can be read.
|
||||
func (c *ChainedAuthorizer) KeyringRead(entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) KeyringRead(entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.KeyringRead(entCtx)
|
||||
})
|
||||
}
|
||||
|
||||
// KeyringWrite determines if the keyring can be manipulated
|
||||
func (c *ChainedAuthorizer) KeyringWrite(entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) KeyringWrite(entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.KeyringWrite(entCtx)
|
||||
})
|
||||
}
|
||||
|
||||
// NodeRead checks for permission to read (discover) a given node.
|
||||
func (c *ChainedAuthorizer) NodeRead(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) NodeRead(node string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.NodeRead(node, entCtx)
|
||||
})
|
||||
|
@ -154,7 +154,7 @@ func (c *ChainedAuthorizer) NodeRead(node string, entCtx *EnterpriseAuthorizerCo
|
|||
|
||||
// NodeWrite checks for permission to create or update (register) a
|
||||
// given node.
|
||||
func (c *ChainedAuthorizer) NodeWrite(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) NodeWrite(node string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.NodeWrite(node, entCtx)
|
||||
})
|
||||
|
@ -162,7 +162,7 @@ func (c *ChainedAuthorizer) NodeWrite(node string, entCtx *EnterpriseAuthorizerC
|
|||
|
||||
// OperatorRead determines if the read-only Consul operator functions
|
||||
// can be used.
|
||||
func (c *ChainedAuthorizer) OperatorRead(entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) OperatorRead(entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.OperatorRead(entCtx)
|
||||
})
|
||||
|
@ -170,7 +170,7 @@ func (c *ChainedAuthorizer) OperatorRead(entCtx *EnterpriseAuthorizerContext) En
|
|||
|
||||
// OperatorWrite determines if the state-changing Consul operator
|
||||
// functions can be used.
|
||||
func (c *ChainedAuthorizer) OperatorWrite(entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) OperatorWrite(entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.OperatorWrite(entCtx)
|
||||
})
|
||||
|
@ -178,7 +178,7 @@ func (c *ChainedAuthorizer) OperatorWrite(entCtx *EnterpriseAuthorizerContext) E
|
|||
|
||||
// PreparedQueryRead determines if a specific prepared query can be read
|
||||
// to show its contents (this is not used for execution).
|
||||
func (c *ChainedAuthorizer) PreparedQueryRead(query string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) PreparedQueryRead(query string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.PreparedQueryRead(query, entCtx)
|
||||
})
|
||||
|
@ -186,14 +186,14 @@ func (c *ChainedAuthorizer) PreparedQueryRead(query string, entCtx *EnterpriseAu
|
|||
|
||||
// PreparedQueryWrite determines if a specific prepared query can be
|
||||
// created, modified, or deleted.
|
||||
func (c *ChainedAuthorizer) PreparedQueryWrite(query string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) PreparedQueryWrite(query string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.PreparedQueryWrite(query, entCtx)
|
||||
})
|
||||
}
|
||||
|
||||
// ServiceRead checks for permission to read a given service
|
||||
func (c *ChainedAuthorizer) ServiceRead(name string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) ServiceRead(name string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.ServiceRead(name, entCtx)
|
||||
})
|
||||
|
@ -201,14 +201,14 @@ func (c *ChainedAuthorizer) ServiceRead(name string, entCtx *EnterpriseAuthorize
|
|||
|
||||
// ServiceWrite checks for permission to create or update a given
|
||||
// service
|
||||
func (c *ChainedAuthorizer) ServiceWrite(name string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) ServiceWrite(name string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.ServiceWrite(name, entCtx)
|
||||
})
|
||||
}
|
||||
|
||||
// SessionRead checks for permission to read sessions for a given node.
|
||||
func (c *ChainedAuthorizer) SessionRead(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) SessionRead(node string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.SessionRead(node, entCtx)
|
||||
})
|
||||
|
@ -216,14 +216,14 @@ func (c *ChainedAuthorizer) SessionRead(node string, entCtx *EnterpriseAuthorize
|
|||
|
||||
// SessionWrite checks for permission to create sessions for a given
|
||||
// node.
|
||||
func (c *ChainedAuthorizer) SessionWrite(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) SessionWrite(node string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.SessionWrite(node, entCtx)
|
||||
})
|
||||
}
|
||||
|
||||
// Snapshot checks for permission to take and restore snapshots.
|
||||
func (c *ChainedAuthorizer) Snapshot(entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) Snapshot(entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.Snapshot(entCtx)
|
||||
})
|
||||
|
|
|
@ -6,82 +6,82 @@ import (
|
|||
|
||||
type testAuthorizer EnforcementDecision
|
||||
|
||||
func (authz testAuthorizer) ACLRead(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) ACLRead(*AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) ACLWrite(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) ACLWrite(*AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) AgentRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) AgentRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) AgentWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) AgentWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) EventRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) EventRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) EventWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) EventWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) IntentionDefaultAllow(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) IntentionDefaultAllow(*AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) IntentionRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) IntentionRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) IntentionWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) IntentionWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) KeyList(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) KeyList(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) KeyRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) KeyRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) KeyWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) KeyWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) KeyWritePrefix(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) KeyWritePrefix(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) KeyringRead(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) KeyringRead(*AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) KeyringWrite(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) KeyringWrite(*AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) NodeRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) NodeRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) NodeWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) NodeWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) OperatorRead(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) OperatorRead(*AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) OperatorWrite(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) OperatorWrite(*AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) PreparedQueryRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) PreparedQueryRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) PreparedQueryWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) PreparedQueryWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) ServiceRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) ServiceRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) ServiceWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) ServiceWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) SessionRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) SessionRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) SessionWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) SessionWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) Snapshot(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) Snapshot(*AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
|
||||
|
|
|
@ -341,7 +341,7 @@ func newPolicyAuthorizerFromRules(rules *PolicyRules, ent *EnterpriseACLConfig)
|
|||
}
|
||||
|
||||
// ACLRead checks if listing of ACLs is allowed
|
||||
func (p *policyAuthorizer) ACLRead(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) ACLRead(*AuthorizerContext) EnforcementDecision {
|
||||
if p.aclRule != nil {
|
||||
return enforce(p.aclRule.access, AccessRead)
|
||||
}
|
||||
|
@ -349,7 +349,7 @@ func (p *policyAuthorizer) ACLRead(*EnterpriseAuthorizerContext) EnforcementDeci
|
|||
}
|
||||
|
||||
// ACLWrite checks if modification of ACLs is allowed
|
||||
func (p *policyAuthorizer) ACLWrite(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) ACLWrite(*AuthorizerContext) EnforcementDecision {
|
||||
if p.aclRule != nil {
|
||||
return enforce(p.aclRule.access, AccessWrite)
|
||||
}
|
||||
|
@ -358,7 +358,7 @@ func (p *policyAuthorizer) ACLWrite(*EnterpriseAuthorizerContext) EnforcementDec
|
|||
|
||||
// AgentRead checks for permission to read from agent endpoints for a given
|
||||
// node.
|
||||
func (p *policyAuthorizer) AgentRead(node string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) AgentRead(node string, _ *AuthorizerContext) EnforcementDecision {
|
||||
if rule, ok := getPolicy(node, p.agentRules); ok {
|
||||
return enforce(rule.access, AccessRead)
|
||||
}
|
||||
|
@ -367,7 +367,7 @@ func (p *policyAuthorizer) AgentRead(node string, _ *EnterpriseAuthorizerContext
|
|||
|
||||
// AgentWrite checks for permission to make changes via agent endpoints for a
|
||||
// given node.
|
||||
func (p *policyAuthorizer) AgentWrite(node string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) AgentWrite(node string, _ *AuthorizerContext) EnforcementDecision {
|
||||
if rule, ok := getPolicy(node, p.agentRules); ok {
|
||||
return enforce(rule.access, AccessWrite)
|
||||
}
|
||||
|
@ -375,7 +375,7 @@ func (p *policyAuthorizer) AgentWrite(node string, _ *EnterpriseAuthorizerContex
|
|||
}
|
||||
|
||||
// Snapshot checks if taking and restoring snapshots is allowed.
|
||||
func (p *policyAuthorizer) Snapshot(_ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) Snapshot(_ *AuthorizerContext) EnforcementDecision {
|
||||
if p.aclRule != nil {
|
||||
return enforce(p.aclRule.access, AccessWrite)
|
||||
}
|
||||
|
@ -384,7 +384,7 @@ func (p *policyAuthorizer) Snapshot(_ *EnterpriseAuthorizerContext) EnforcementD
|
|||
|
||||
// EventRead is used to determine if the policy allows for a
|
||||
// specific user event to be read.
|
||||
func (p *policyAuthorizer) EventRead(name string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) EventRead(name string, _ *AuthorizerContext) EnforcementDecision {
|
||||
if rule, ok := getPolicy(name, p.eventRules); ok {
|
||||
return enforce(rule.access, AccessRead)
|
||||
}
|
||||
|
@ -393,7 +393,7 @@ func (p *policyAuthorizer) EventRead(name string, _ *EnterpriseAuthorizerContext
|
|||
|
||||
// EventWrite is used to determine if new events can be created
|
||||
// (fired) by the policy.
|
||||
func (p *policyAuthorizer) EventWrite(name string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) EventWrite(name string, _ *AuthorizerContext) EnforcementDecision {
|
||||
if rule, ok := getPolicy(name, p.eventRules); ok {
|
||||
return enforce(rule.access, AccessWrite)
|
||||
}
|
||||
|
@ -402,14 +402,14 @@ func (p *policyAuthorizer) EventWrite(name string, _ *EnterpriseAuthorizerContex
|
|||
|
||||
// IntentionDefaultAllow returns whether the default behavior when there are
|
||||
// no matching intentions is to allow or deny.
|
||||
func (p *policyAuthorizer) IntentionDefaultAllow(_ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) IntentionDefaultAllow(_ *AuthorizerContext) EnforcementDecision {
|
||||
// We always go up, this can't be determined by a policy.
|
||||
return Default
|
||||
}
|
||||
|
||||
// IntentionRead checks if writing (creating, updating, or deleting) of an
|
||||
// intention is allowed.
|
||||
func (p *policyAuthorizer) IntentionRead(prefix string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) IntentionRead(prefix string, _ *AuthorizerContext) EnforcementDecision {
|
||||
if rule, ok := getPolicy(prefix, p.intentionRules); ok {
|
||||
return enforce(rule.access, AccessRead)
|
||||
}
|
||||
|
@ -418,7 +418,7 @@ func (p *policyAuthorizer) IntentionRead(prefix string, _ *EnterpriseAuthorizerC
|
|||
|
||||
// IntentionWrite checks if writing (creating, updating, or deleting) of an
|
||||
// intention is allowed.
|
||||
func (p *policyAuthorizer) IntentionWrite(prefix string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) IntentionWrite(prefix string, _ *AuthorizerContext) EnforcementDecision {
|
||||
if rule, ok := getPolicy(prefix, p.intentionRules); ok {
|
||||
return enforce(rule.access, AccessWrite)
|
||||
}
|
||||
|
@ -426,7 +426,7 @@ func (p *policyAuthorizer) IntentionWrite(prefix string, _ *EnterpriseAuthorizer
|
|||
}
|
||||
|
||||
// KeyRead returns if a key is allowed to be read
|
||||
func (p *policyAuthorizer) KeyRead(key string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) KeyRead(key string, _ *AuthorizerContext) EnforcementDecision {
|
||||
if rule, ok := getPolicy(key, p.keyRules); ok {
|
||||
return enforce(rule.access, AccessRead)
|
||||
}
|
||||
|
@ -434,7 +434,7 @@ func (p *policyAuthorizer) KeyRead(key string, _ *EnterpriseAuthorizerContext) E
|
|||
}
|
||||
|
||||
// KeyList returns if a key is allowed to be listed
|
||||
func (p *policyAuthorizer) KeyList(key string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) KeyList(key string, _ *AuthorizerContext) EnforcementDecision {
|
||||
if rule, ok := getPolicy(key, p.keyRules); ok {
|
||||
return enforce(rule.access, AccessList)
|
||||
}
|
||||
|
@ -442,7 +442,7 @@ func (p *policyAuthorizer) KeyList(key string, _ *EnterpriseAuthorizerContext) E
|
|||
}
|
||||
|
||||
// KeyWrite returns if a key is allowed to be written
|
||||
func (p *policyAuthorizer) KeyWrite(key string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) KeyWrite(key string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
if rule, ok := getPolicy(key, p.keyRules); ok {
|
||||
decision := enforce(rule.access, AccessWrite)
|
||||
if decision == Allow {
|
||||
|
@ -459,7 +459,7 @@ func (p *policyAuthorizer) KeyWrite(key string, entCtx *EnterpriseAuthorizerCont
|
|||
// the KV can be removed. For that reason we must be able to
|
||||
// delete everything under the prefix. First we must have "write"
|
||||
// on the prefix itself
|
||||
func (p *policyAuthorizer) KeyWritePrefix(prefix string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) KeyWritePrefix(prefix string, _ *AuthorizerContext) EnforcementDecision {
|
||||
// Conditions for Allow:
|
||||
// * The longest prefix match rule that would apply to the given prefix
|
||||
// grants AccessWrite
|
||||
|
@ -537,7 +537,7 @@ func (p *policyAuthorizer) KeyWritePrefix(prefix string, _ *EnterpriseAuthorizer
|
|||
|
||||
// KeyringRead is used to determine if the keyring can be
|
||||
// read by the current ACL token.
|
||||
func (p *policyAuthorizer) KeyringRead(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) KeyringRead(*AuthorizerContext) EnforcementDecision {
|
||||
if p.keyringRule != nil {
|
||||
return enforce(p.keyringRule.access, AccessRead)
|
||||
}
|
||||
|
@ -545,7 +545,7 @@ func (p *policyAuthorizer) KeyringRead(*EnterpriseAuthorizerContext) Enforcement
|
|||
}
|
||||
|
||||
// KeyringWrite determines if the keyring can be manipulated.
|
||||
func (p *policyAuthorizer) KeyringWrite(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) KeyringWrite(*AuthorizerContext) EnforcementDecision {
|
||||
if p.keyringRule != nil {
|
||||
return enforce(p.keyringRule.access, AccessWrite)
|
||||
}
|
||||
|
@ -553,7 +553,7 @@ func (p *policyAuthorizer) KeyringWrite(*EnterpriseAuthorizerContext) Enforcemen
|
|||
}
|
||||
|
||||
// OperatorRead determines if the read-only operator functions are allowed.
|
||||
func (p *policyAuthorizer) OperatorRead(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) OperatorRead(*AuthorizerContext) EnforcementDecision {
|
||||
if p.operatorRule != nil {
|
||||
return enforce(p.operatorRule.access, AccessRead)
|
||||
}
|
||||
|
@ -562,7 +562,7 @@ func (p *policyAuthorizer) OperatorRead(*EnterpriseAuthorizerContext) Enforcemen
|
|||
|
||||
// OperatorWrite determines if the state-changing operator functions are
|
||||
// allowed.
|
||||
func (p *policyAuthorizer) OperatorWrite(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) OperatorWrite(*AuthorizerContext) EnforcementDecision {
|
||||
if p.operatorRule != nil {
|
||||
return enforce(p.operatorRule.access, AccessWrite)
|
||||
}
|
||||
|
@ -570,7 +570,7 @@ func (p *policyAuthorizer) OperatorWrite(*EnterpriseAuthorizerContext) Enforceme
|
|||
}
|
||||
|
||||
// NodeRead checks if reading (discovery) of a node is allowed
|
||||
func (p *policyAuthorizer) NodeRead(name string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) NodeRead(name string, _ *AuthorizerContext) EnforcementDecision {
|
||||
if rule, ok := getPolicy(name, p.nodeRules); ok {
|
||||
return enforce(rule.access, AccessRead)
|
||||
}
|
||||
|
@ -578,7 +578,7 @@ func (p *policyAuthorizer) NodeRead(name string, _ *EnterpriseAuthorizerContext)
|
|||
}
|
||||
|
||||
// NodeWrite checks if writing (registering) a node is allowed
|
||||
func (p *policyAuthorizer) NodeWrite(name string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) NodeWrite(name string, _ *AuthorizerContext) EnforcementDecision {
|
||||
if rule, ok := getPolicy(name, p.nodeRules); ok {
|
||||
return enforce(rule.access, AccessWrite)
|
||||
}
|
||||
|
@ -587,7 +587,7 @@ func (p *policyAuthorizer) NodeWrite(name string, _ *EnterpriseAuthorizerContext
|
|||
|
||||
// PreparedQueryRead checks if reading (listing) of a prepared query is
|
||||
// allowed - this isn't execution, just listing its contents.
|
||||
func (p *policyAuthorizer) PreparedQueryRead(prefix string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) PreparedQueryRead(prefix string, _ *AuthorizerContext) EnforcementDecision {
|
||||
if rule, ok := getPolicy(prefix, p.preparedQueryRules); ok {
|
||||
return enforce(rule.access, AccessRead)
|
||||
}
|
||||
|
@ -596,7 +596,7 @@ func (p *policyAuthorizer) PreparedQueryRead(prefix string, _ *EnterpriseAuthori
|
|||
|
||||
// PreparedQueryWrite checks if writing (creating, updating, or deleting) of a
|
||||
// prepared query is allowed.
|
||||
func (p *policyAuthorizer) PreparedQueryWrite(prefix string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) PreparedQueryWrite(prefix string, _ *AuthorizerContext) EnforcementDecision {
|
||||
if rule, ok := getPolicy(prefix, p.preparedQueryRules); ok {
|
||||
return enforce(rule.access, AccessWrite)
|
||||
}
|
||||
|
@ -604,7 +604,7 @@ func (p *policyAuthorizer) PreparedQueryWrite(prefix string, _ *EnterpriseAuthor
|
|||
}
|
||||
|
||||
// ServiceRead checks if reading (discovery) of a service is allowed
|
||||
func (p *policyAuthorizer) ServiceRead(name string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) ServiceRead(name string, _ *AuthorizerContext) EnforcementDecision {
|
||||
if rule, ok := getPolicy(name, p.serviceRules); ok {
|
||||
return enforce(rule.access, AccessRead)
|
||||
}
|
||||
|
@ -612,7 +612,7 @@ func (p *policyAuthorizer) ServiceRead(name string, _ *EnterpriseAuthorizerConte
|
|||
}
|
||||
|
||||
// ServiceWrite checks if writing (registering) a service is allowed
|
||||
func (p *policyAuthorizer) ServiceWrite(name string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) ServiceWrite(name string, _ *AuthorizerContext) EnforcementDecision {
|
||||
if rule, ok := getPolicy(name, p.serviceRules); ok {
|
||||
return enforce(rule.access, AccessWrite)
|
||||
}
|
||||
|
@ -620,7 +620,7 @@ func (p *policyAuthorizer) ServiceWrite(name string, _ *EnterpriseAuthorizerCont
|
|||
}
|
||||
|
||||
// SessionRead checks for permission to read sessions for a given node.
|
||||
func (p *policyAuthorizer) SessionRead(node string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) SessionRead(node string, _ *AuthorizerContext) EnforcementDecision {
|
||||
if rule, ok := getPolicy(node, p.sessionRules); ok {
|
||||
return enforce(rule.access, AccessRead)
|
||||
}
|
||||
|
@ -628,7 +628,7 @@ func (p *policyAuthorizer) SessionRead(node string, _ *EnterpriseAuthorizerConte
|
|||
}
|
||||
|
||||
// SessionWrite checks for permission to create sessions for a given node.
|
||||
func (p *policyAuthorizer) SessionWrite(node string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) SessionWrite(node string, _ *AuthorizerContext) EnforcementDecision {
|
||||
// Check for an exact rule or catch-all
|
||||
if rule, ok := getPolicy(node, p.sessionRules); ok {
|
||||
return enforce(rule.access, AccessWrite)
|
||||
|
|
|
@ -9,7 +9,7 @@ func (authz *enterprisePolicyAuthorizer) init(*EnterpriseACLConfig) {
|
|||
// nothing to do
|
||||
}
|
||||
|
||||
func (authz *enterprisePolicyAuthorizer) enforce(_ *EnterpriseRule, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz *enterprisePolicyAuthorizer) enforce(_ *EnterpriseRule, _ *AuthorizerContext) EnforcementDecision {
|
||||
return Default
|
||||
}
|
||||
|
||||
|
|
|
@ -17,7 +17,7 @@ func TestPolicyAuthorizer(t *testing.T) {
|
|||
type aclCheck struct {
|
||||
name string
|
||||
prefix string
|
||||
check func(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext)
|
||||
check func(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext)
|
||||
}
|
||||
|
||||
type aclTest struct {
|
||||
|
|
|
@ -32,182 +32,182 @@ type StaticAuthorizer struct {
|
|||
defaultAllow bool
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) ACLRead(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *StaticAuthorizer) ACLRead(*AuthorizerContext) EnforcementDecision {
|
||||
if s.allowManage {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) ACLWrite(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *StaticAuthorizer) ACLWrite(*AuthorizerContext) EnforcementDecision {
|
||||
if s.allowManage {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) AgentRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *StaticAuthorizer) AgentRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) AgentWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *StaticAuthorizer) AgentWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) EventRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *StaticAuthorizer) EventRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) EventWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *StaticAuthorizer) EventWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) IntentionDefaultAllow(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *StaticAuthorizer) IntentionDefaultAllow(*AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) IntentionRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *StaticAuthorizer) IntentionRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) IntentionWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *StaticAuthorizer) IntentionWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) KeyRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *StaticAuthorizer) KeyRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) KeyList(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *StaticAuthorizer) KeyList(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) KeyWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *StaticAuthorizer) KeyWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) KeyWritePrefix(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *StaticAuthorizer) KeyWritePrefix(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) KeyringRead(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *StaticAuthorizer) KeyringRead(*AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) KeyringWrite(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *StaticAuthorizer) KeyringWrite(*AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) NodeRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *StaticAuthorizer) NodeRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) NodeWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *StaticAuthorizer) NodeWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) OperatorRead(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *StaticAuthorizer) OperatorRead(*AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) OperatorWrite(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *StaticAuthorizer) OperatorWrite(*AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) PreparedQueryRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *StaticAuthorizer) PreparedQueryRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) PreparedQueryWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *StaticAuthorizer) PreparedQueryWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) ServiceRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *StaticAuthorizer) ServiceRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) ServiceWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *StaticAuthorizer) ServiceWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) SessionRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *StaticAuthorizer) SessionRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) SessionWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *StaticAuthorizer) SessionWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) Snapshot(_ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *StaticAuthorizer) Snapshot(_ *AuthorizerContext) EnforcementDecision {
|
||||
if s.allowManage {
|
||||
return Allow
|
||||
}
|
||||
|
|
14
agent/acl.go
14
agent/acl.go
|
@ -75,7 +75,7 @@ func (a *Agent) vetServiceRegister(token string, service *structs.NodeService) e
|
|||
return nil
|
||||
}
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
service.FillAuthzContext(&authzContext)
|
||||
// Vet the service itself.
|
||||
if rule.ServiceWrite(service.Service, &authzContext) != acl.Allow {
|
||||
|
@ -114,7 +114,7 @@ func (a *Agent) vetServiceUpdate(token string, serviceID structs.ServiceID) erro
|
|||
return nil
|
||||
}
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
|
||||
// Vet any changes based on the existing services's info.
|
||||
if existing := a.State.Service(serviceID); existing != nil {
|
||||
|
@ -141,7 +141,7 @@ func (a *Agent) vetCheckRegister(token string, check *structs.HealthCheck) error
|
|||
return nil
|
||||
}
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
check.FillAuthzContext(&authzContext)
|
||||
// Vet the check itself.
|
||||
if len(check.ServiceName) > 0 {
|
||||
|
@ -181,7 +181,7 @@ func (a *Agent) vetCheckUpdate(token string, checkID structs.CheckID) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
checkID.FillAuthzContext(&authzContext)
|
||||
|
||||
// Vet any changes based on the existing check's info.
|
||||
|
@ -213,7 +213,7 @@ func (a *Agent) filterMembers(token string, members *[]serf.Member) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
structs.DefaultEnterpriseMeta().FillAuthzContext(&authzContext)
|
||||
// Filter out members based on the node policy.
|
||||
m := *members
|
||||
|
@ -241,7 +241,7 @@ func (a *Agent) filterServices(token string, services *map[structs.ServiceID]*st
|
|||
return nil
|
||||
}
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
// Filter out services based on the service policy.
|
||||
for id, service := range *services {
|
||||
service.FillAuthzContext(&authzContext)
|
||||
|
@ -265,7 +265,7 @@ func (a *Agent) filterChecks(token string, checks *map[structs.CheckID]*structs.
|
|||
return nil
|
||||
}
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
// Filter out checks based on the node or service policy.
|
||||
for id, check := range *checks {
|
||||
if len(check.ServiceName) > 0 {
|
||||
|
|
|
@ -295,7 +295,7 @@ func (s *HTTPServer) AgentService(resp http.ResponseWriter, req *http.Request) (
|
|||
if err != nil {
|
||||
return "", nil, err
|
||||
}
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
svc.FillAuthzContext(&authzContext)
|
||||
if rule != nil && rule.ServiceRead(svc.Service, &authzContext) != acl.Allow {
|
||||
return "", nil, acl.ErrPermissionDenied
|
||||
|
|
|
@ -1092,7 +1092,7 @@ func newACLFilter(authorizer acl.Authorizer, logger *log.Logger, enforceVersion8
|
|||
}
|
||||
|
||||
// allowNode is used to determine if a node is accessible for an ACL.
|
||||
func (f *aclFilter) allowNode(node string, ent *acl.EnterpriseAuthorizerContext) bool {
|
||||
func (f *aclFilter) allowNode(node string, ent *acl.AuthorizerContext) bool {
|
||||
if !f.enforceVersion8 {
|
||||
return true
|
||||
}
|
||||
|
@ -1101,7 +1101,7 @@ func (f *aclFilter) allowNode(node string, ent *acl.EnterpriseAuthorizerContext)
|
|||
}
|
||||
|
||||
// allowService is used to determine if a service is accessible for an ACL.
|
||||
func (f *aclFilter) allowService(service string, ent *acl.EnterpriseAuthorizerContext) bool {
|
||||
func (f *aclFilter) allowService(service string, ent *acl.AuthorizerContext) bool {
|
||||
if service == "" {
|
||||
return true
|
||||
}
|
||||
|
@ -1114,7 +1114,7 @@ func (f *aclFilter) allowService(service string, ent *acl.EnterpriseAuthorizerCo
|
|||
|
||||
// allowSession is used to determine if a session for a node is accessible for
|
||||
// an ACL.
|
||||
func (f *aclFilter) allowSession(node string, ent *acl.EnterpriseAuthorizerContext) bool {
|
||||
func (f *aclFilter) allowSession(node string, ent *acl.AuthorizerContext) bool {
|
||||
if !f.enforceVersion8 {
|
||||
return true
|
||||
}
|
||||
|
@ -1125,7 +1125,7 @@ func (f *aclFilter) allowSession(node string, ent *acl.EnterpriseAuthorizerConte
|
|||
// the configured ACL rules for a token.
|
||||
func (f *aclFilter) filterHealthChecks(checks *structs.HealthChecks) {
|
||||
hc := *checks
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
|
||||
for i := 0; i < len(hc); i++ {
|
||||
check := hc[i]
|
||||
|
@ -1143,7 +1143,7 @@ func (f *aclFilter) filterHealthChecks(checks *structs.HealthChecks) {
|
|||
|
||||
// filterServices is used to filter a set of services based on ACLs.
|
||||
func (f *aclFilter) filterServices(services structs.Services, entMeta *structs.EnterpriseMeta) {
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
entMeta.FillAuthzContext(&authzContext)
|
||||
|
||||
for svc := range services {
|
||||
|
@ -1159,7 +1159,7 @@ func (f *aclFilter) filterServices(services structs.Services, entMeta *structs.E
|
|||
// based on the configured ACL rules.
|
||||
func (f *aclFilter) filterServiceNodes(nodes *structs.ServiceNodes) {
|
||||
sn := *nodes
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
|
||||
for i := 0; i < len(sn); i++ {
|
||||
node := sn[i]
|
||||
|
@ -1181,7 +1181,7 @@ func (f *aclFilter) filterNodeServices(services **structs.NodeServices) {
|
|||
return
|
||||
}
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
structs.WildcardEnterpriseMeta().FillAuthzContext(&authzContext)
|
||||
if !f.allowNode((*services).Node.Node, &authzContext) {
|
||||
*services = nil
|
||||
|
@ -1205,7 +1205,7 @@ func (f *aclFilter) filterNodeServiceList(services **structs.NodeServiceList) {
|
|||
return
|
||||
}
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
structs.WildcardEnterpriseMeta().FillAuthzContext(&authzContext)
|
||||
if !f.allowNode((*services).Node.Node, &authzContext) {
|
||||
*services = nil
|
||||
|
@ -1238,7 +1238,7 @@ func (f *aclFilter) filterNodeServiceList(services **structs.NodeServiceList) {
|
|||
// filterCheckServiceNodes is used to filter nodes based on ACL rules.
|
||||
func (f *aclFilter) filterCheckServiceNodes(nodes *structs.CheckServiceNodes) {
|
||||
csn := *nodes
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
|
||||
for i := 0; i < len(csn); i++ {
|
||||
node := csn[i]
|
||||
|
@ -1259,7 +1259,7 @@ func (f *aclFilter) filterSessions(sessions *structs.Sessions) {
|
|||
for i := 0; i < len(s); i++ {
|
||||
session := s[i]
|
||||
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
session.FillAuthzContext(&entCtx)
|
||||
|
||||
if f.allowSession(session.Node, &entCtx) {
|
||||
|
@ -1276,7 +1276,7 @@ func (f *aclFilter) filterSessions(sessions *structs.Sessions) {
|
|||
// rules.
|
||||
func (f *aclFilter) filterCoordinates(coords *structs.Coordinates) {
|
||||
c := *coords
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
structs.WildcardEnterpriseMeta().FillAuthzContext(&authzContext)
|
||||
|
||||
for i := 0; i < len(c); i++ {
|
||||
|
@ -1325,7 +1325,7 @@ func (f *aclFilter) filterIntentions(ixns *structs.Intentions) {
|
|||
func (f *aclFilter) filterNodeDump(dump *structs.NodeDump) {
|
||||
nd := *dump
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
for i := 0; i < len(nd); i++ {
|
||||
info := nd[i]
|
||||
|
||||
|
@ -1370,7 +1370,7 @@ func (f *aclFilter) filterNodeDump(dump *structs.NodeDump) {
|
|||
func (f *aclFilter) filterNodes(nodes *structs.Nodes) {
|
||||
n := *nodes
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
structs.WildcardEnterpriseMeta().FillAuthzContext(&authzContext)
|
||||
|
||||
for i := 0; i < len(n); i++ {
|
||||
|
@ -1393,7 +1393,7 @@ func (f *aclFilter) filterNodes(nodes *structs.Nodes) {
|
|||
// captured tokens, but they can at least see whether or not a token is set.
|
||||
func (f *aclFilter) redactPreparedQueryTokens(query **structs.PreparedQuery) {
|
||||
// Management tokens can see everything with no filtering.
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
structs.DefaultEnterpriseMeta().FillAuthzContext(&authzContext)
|
||||
if f.authorizer.ACLWrite(&authzContext) == acl.Allow {
|
||||
return
|
||||
|
@ -1419,7 +1419,7 @@ func (f *aclFilter) redactPreparedQueryTokens(query **structs.PreparedQuery) {
|
|||
// We prune entries the user doesn't have access to, and we redact any tokens
|
||||
// if the user doesn't have a management token.
|
||||
func (f *aclFilter) filterPreparedQueries(queries *structs.PreparedQueries) {
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
structs.DefaultEnterpriseMeta().FillAuthzContext(&authzContext)
|
||||
// Management tokens can see everything with no filtering.
|
||||
// TODO is this check even necessary - this looks like a search replace from
|
||||
|
@ -1451,7 +1451,7 @@ func (f *aclFilter) filterPreparedQueries(queries *structs.PreparedQueries) {
|
|||
}
|
||||
|
||||
func (f *aclFilter) filterToken(token **structs.ACLToken) {
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
if token == nil || *token == nil || f == nil {
|
||||
return
|
||||
}
|
||||
|
@ -1482,7 +1482,7 @@ func (f *aclFilter) filterTokens(tokens *structs.ACLTokens) {
|
|||
}
|
||||
|
||||
func (f *aclFilter) filterTokenStub(token **structs.ACLTokenListStub) {
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
if token == nil || *token == nil || f == nil {
|
||||
return
|
||||
}
|
||||
|
@ -1507,7 +1507,7 @@ func (f *aclFilter) filterTokenStubs(tokens *[]*structs.ACLTokenListStub) {
|
|||
}
|
||||
|
||||
func (f *aclFilter) filterPolicy(policy **structs.ACLPolicy) {
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
if policy == nil || *policy == nil || f == nil {
|
||||
return
|
||||
}
|
||||
|
@ -1533,7 +1533,7 @@ func (f *aclFilter) filterPolicies(policies *structs.ACLPolicies) {
|
|||
}
|
||||
|
||||
func (f *aclFilter) filterRole(role **structs.ACLRole) {
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
if role == nil || *role == nil || f == nil {
|
||||
return
|
||||
}
|
||||
|
@ -1559,7 +1559,7 @@ func (f *aclFilter) filterRoles(roles *structs.ACLRoles) {
|
|||
}
|
||||
|
||||
func (f *aclFilter) filterBindingRule(rule **structs.ACLBindingRule) {
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
if rule == nil || *rule == nil || f == nil {
|
||||
return
|
||||
}
|
||||
|
@ -1585,7 +1585,7 @@ func (f *aclFilter) filterBindingRules(rules *structs.ACLBindingRules) {
|
|||
}
|
||||
|
||||
func (f *aclFilter) filterAuthMethod(method **structs.ACLAuthMethod) {
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
if method == nil || *method == nil || f == nil {
|
||||
return
|
||||
}
|
||||
|
@ -1734,7 +1734,7 @@ func vetRegisterWithACL(rule acl.Authorizer, subj *structs.RegisterRequest,
|
|||
return nil
|
||||
}
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
subj.FillAuthzContext(&authzContext)
|
||||
|
||||
// Vet the node info. This allows service updates to re-post the required
|
||||
|
@ -1761,7 +1761,7 @@ func vetRegisterWithACL(rule acl.Authorizer, subj *structs.RegisterRequest,
|
|||
// This is effectively a delete, so we DO NOT apply the
|
||||
// sentinel scope to the service we are overwriting, just
|
||||
// the regular ACL policy.
|
||||
var secondaryCtx acl.EnterpriseAuthorizerContext
|
||||
var secondaryCtx acl.AuthorizerContext
|
||||
other.FillAuthzContext(&secondaryCtx)
|
||||
|
||||
if rule.ServiceWrite(other.Service, &secondaryCtx) != acl.Allow {
|
||||
|
@ -1822,7 +1822,7 @@ func vetRegisterWithACL(rule acl.Authorizer, subj *structs.RegisterRequest,
|
|||
// We are only adding a check here, so we don't add the scope,
|
||||
// since the sentinel policy doesn't apply to adding checks at
|
||||
// this time.
|
||||
var secondaryCtx acl.EnterpriseAuthorizerContext
|
||||
var secondaryCtx acl.AuthorizerContext
|
||||
other.FillAuthzContext(&secondaryCtx)
|
||||
|
||||
if rule.ServiceWrite(other.Service, &secondaryCtx) != acl.Allow {
|
||||
|
@ -1849,7 +1849,7 @@ func vetDeregisterWithACL(rule acl.Authorizer, subj *structs.DeregisterRequest,
|
|||
// We don't apply sentinel in this path, since at this time sentinel
|
||||
// only applies to create and update operations.
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
// fill with the defaults for use with the NodeWrite check
|
||||
subj.FillAuthzContext(&authzContext)
|
||||
|
||||
|
@ -1906,7 +1906,7 @@ func vetNodeTxnOp(op *structs.TxnNodeOp, rule acl.Authorizer) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
op.FillAuthzContext(&authzContext)
|
||||
|
||||
if rule != nil && rule.NodeWrite(op.Node.Node, &authzContext) != acl.Allow {
|
||||
|
@ -1923,7 +1923,7 @@ func vetServiceTxnOp(op *structs.TxnServiceOp, rule acl.Authorizer) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
op.FillAuthzContext(&authzContext)
|
||||
|
||||
if rule.ServiceWrite(op.Service.Service, &authzContext) != acl.Allow {
|
||||
|
@ -1940,7 +1940,7 @@ func vetCheckTxnOp(op *structs.TxnCheckOp, rule acl.Authorizer) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
op.FillAuthzContext(&authzContext)
|
||||
|
||||
if op.Check.ServiceID == "" {
|
||||
|
|
|
@ -208,7 +208,7 @@ func (a *ACL) TokenRead(args *structs.ACLTokenGetRequest, reply *structs.ACLToke
|
|||
var rule acl.Authorizer
|
||||
|
||||
if args.TokenIDType == structs.ACLTokenAccessor {
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
|
||||
var err error
|
||||
|
@ -277,7 +277,7 @@ func (a *ACL) TokenClone(args *structs.ACLTokenSetRequest, reply *structs.ACLTok
|
|||
|
||||
defer metrics.MeasureSince([]string{"acl", "token", "clone"}, time.Now())
|
||||
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
args.ACLToken.FillAuthzContext(&entCtx)
|
||||
|
||||
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
|
||||
|
@ -348,7 +348,7 @@ func (a *ACL) TokenSet(args *structs.ACLTokenSetRequest, reply *structs.ACLToken
|
|||
defer metrics.MeasureSince([]string{"acl", "token", "upsert"}, time.Now())
|
||||
|
||||
// Verify token is permitted to modify ACLs
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
args.ACLToken.FillAuthzContext(&entCtx)
|
||||
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
|
||||
return err
|
||||
|
@ -737,7 +737,7 @@ func (a *ACL) TokenDelete(args *structs.ACLTokenDeleteRequest, reply *string) er
|
|||
defer metrics.MeasureSince([]string{"acl", "token", "delete"}, time.Now())
|
||||
|
||||
// Verify token is permitted to modify ACLs
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
|
||||
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
|
||||
|
@ -826,7 +826,7 @@ func (a *ACL) TokenList(args *structs.ACLTokenListRequest, reply *structs.ACLTok
|
|||
return err
|
||||
}
|
||||
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
|
||||
rule, err := a.srv.ResolveToken(args.Token)
|
||||
|
@ -930,7 +930,7 @@ func (a *ACL) PolicyRead(args *structs.ACLPolicyGetRequest, reply *structs.ACLPo
|
|||
return err
|
||||
}
|
||||
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
|
||||
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
|
||||
|
@ -1002,7 +1002,7 @@ func (a *ACL) PolicySet(args *structs.ACLPolicySetRequest, reply *structs.ACLPol
|
|||
defer metrics.MeasureSince([]string{"acl", "policy", "upsert"}, time.Now())
|
||||
|
||||
// Verify token is permitted to modify ACLs
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
args.Policy.FillAuthzContext(&entCtx)
|
||||
|
||||
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
|
||||
|
@ -1138,7 +1138,7 @@ func (a *ACL) PolicyDelete(args *structs.ACLPolicyDeleteRequest, reply *string)
|
|||
defer metrics.MeasureSince([]string{"acl", "policy", "delete"}, time.Now())
|
||||
|
||||
// Verify token is permitted to modify ACLs
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
|
||||
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
|
||||
|
@ -1195,7 +1195,7 @@ func (a *ACL) PolicyList(args *structs.ACLPolicyListRequest, reply *structs.ACLP
|
|||
return err
|
||||
}
|
||||
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
|
||||
rule, err := a.srv.ResolveToken(args.Token)
|
||||
|
@ -1351,7 +1351,7 @@ func (a *ACL) RoleRead(args *structs.ACLRoleGetRequest, reply *structs.ACLRoleRe
|
|||
return err
|
||||
}
|
||||
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
|
||||
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
|
||||
|
@ -1432,7 +1432,7 @@ func (a *ACL) RoleSet(args *structs.ACLRoleSetRequest, reply *structs.ACLRole) e
|
|||
defer metrics.MeasureSince([]string{"acl", "role", "upsert"}, time.Now())
|
||||
|
||||
// Verify token is permitted to modify ACLs
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
args.Role.FillAuthzContext(&entCtx)
|
||||
|
||||
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
|
||||
|
@ -1582,7 +1582,7 @@ func (a *ACL) RoleDelete(args *structs.ACLRoleDeleteRequest, reply *string) erro
|
|||
defer metrics.MeasureSince([]string{"acl", "role", "delete"}, time.Now())
|
||||
|
||||
// Verify token is permitted to modify ACLs
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
|
||||
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
|
||||
|
@ -1635,7 +1635,7 @@ func (a *ACL) RoleList(args *structs.ACLRoleListRequest, reply *structs.ACLRoleL
|
|||
return err
|
||||
}
|
||||
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
|
||||
rule, err := a.srv.ResolveToken(args.Token)
|
||||
|
@ -1721,7 +1721,7 @@ func (a *ACL) BindingRuleRead(args *structs.ACLBindingRuleGetRequest, reply *str
|
|||
return err
|
||||
}
|
||||
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
|
||||
rule, err := a.srv.ResolveToken(args.Token)
|
||||
|
@ -1763,7 +1763,7 @@ func (a *ACL) BindingRuleSet(args *structs.ACLBindingRuleSetRequest, reply *stru
|
|||
|
||||
defer metrics.MeasureSince([]string{"acl", "bindingrule", "upsert"}, time.Now())
|
||||
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
args.BindingRule.FillAuthzContext(&entCtx)
|
||||
|
||||
// Verify token is permitted to modify ACLs
|
||||
|
@ -1894,7 +1894,7 @@ func (a *ACL) BindingRuleDelete(args *structs.ACLBindingRuleDeleteRequest, reply
|
|||
|
||||
defer metrics.MeasureSince([]string{"acl", "bindingrule", "delete"}, time.Now())
|
||||
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
|
||||
// Verify token is permitted to modify ACLs
|
||||
|
@ -1948,7 +1948,7 @@ func (a *ACL) BindingRuleList(args *structs.ACLBindingRuleListRequest, reply *st
|
|||
return err
|
||||
}
|
||||
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
|
||||
rule, err := a.srv.ResolveToken(args.Token)
|
||||
|
@ -1989,7 +1989,7 @@ func (a *ACL) AuthMethodRead(args *structs.ACLAuthMethodGetRequest, reply *struc
|
|||
return err
|
||||
}
|
||||
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
|
||||
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
|
||||
|
@ -2031,7 +2031,7 @@ func (a *ACL) AuthMethodSet(args *structs.ACLAuthMethodSetRequest, reply *struct
|
|||
defer metrics.MeasureSince([]string{"acl", "authmethod", "upsert"}, time.Now())
|
||||
|
||||
// Verify token is permitted to modify ACLs
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
args.AuthMethod.FillAuthzContext(&entCtx)
|
||||
|
||||
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
|
||||
|
@ -2119,7 +2119,7 @@ func (a *ACL) AuthMethodDelete(args *structs.ACLAuthMethodDeleteRequest, reply *
|
|||
defer metrics.MeasureSince([]string{"acl", "authmethod", "delete"}, time.Now())
|
||||
|
||||
// Verify token is permitted to modify ACLs
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
|
||||
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
|
||||
|
@ -2173,7 +2173,7 @@ func (a *ACL) AuthMethodList(args *structs.ACLAuthMethodListRequest, reply *stru
|
|||
return err
|
||||
}
|
||||
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
|
||||
rule, err := a.srv.ResolveToken(args.Token)
|
||||
|
|
|
@ -59,7 +59,7 @@ func servicePreApply(service *structs.NodeService, rule acl.Authorizer) error {
|
|||
return fmt.Errorf("Invalid service address")
|
||||
}
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
service.FillAuthzContext(&authzContext)
|
||||
|
||||
// Apply the ACL policy if any. The 'consul' service is excluded
|
||||
|
@ -359,7 +359,7 @@ func (c *Catalog) ServiceNodes(args *structs.ServiceSpecificRequest, reply *stru
|
|||
}
|
||||
}
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
args.FillAuthzContext(&authzContext)
|
||||
// If we're doing a connect query, we need read access to the service
|
||||
// we're trying to find proxies for, so check that.
|
||||
|
|
|
@ -14,7 +14,7 @@ func (d *dirEntFilter) Len() int {
|
|||
return len(d.ent)
|
||||
}
|
||||
func (d *dirEntFilter) Filter(i int) bool {
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
d.ent[i].FillAuthzContext(&entCtx)
|
||||
|
||||
return d.authorizer.KeyRead(d.ent[i].Key, &entCtx) != acl.Allow
|
||||
|
|
|
@ -31,7 +31,7 @@ func kvsPreApply(srv *Server, rule acl.Authorizer, op api.KVOp, dirEnt *structs.
|
|||
if rule != nil {
|
||||
switch op {
|
||||
case api.KVDeleteTree:
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
dirEnt.FillAuthzContext(&authzContext)
|
||||
|
||||
if rule.KeyWritePrefix(dirEnt.Key, &authzContext) != acl.Allow {
|
||||
|
@ -45,7 +45,7 @@ func kvsPreApply(srv *Server, rule acl.Authorizer, op api.KVOp, dirEnt *structs.
|
|||
// These could reveal information based on the outcome
|
||||
// of the transaction, and they operate on individual
|
||||
// keys so we check them here.
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
dirEnt.FillAuthzContext(&authzContext)
|
||||
|
||||
if rule.KeyRead(dirEnt.Key, &authzContext) != acl.Allow {
|
||||
|
@ -53,7 +53,7 @@ func kvsPreApply(srv *Server, rule acl.Authorizer, op api.KVOp, dirEnt *structs.
|
|||
}
|
||||
|
||||
default:
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
dirEnt.FillAuthzContext(&authzContext)
|
||||
|
||||
if rule.KeyWrite(dirEnt.Key, &authzContext) != acl.Allow {
|
||||
|
@ -132,7 +132,7 @@ func (k *KVS) Get(args *structs.KeyRequest, reply *structs.IndexedDirEntries) er
|
|||
return err
|
||||
}
|
||||
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
|
||||
rule, err := k.srv.ResolveToken(args.Token)
|
||||
|
@ -178,7 +178,7 @@ func (k *KVS) List(args *structs.KeyRequest, reply *structs.IndexedDirEntries) e
|
|||
return err
|
||||
}
|
||||
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
|
||||
rule, err := k.srv.ResolveToken(args.Token)
|
||||
|
@ -230,7 +230,7 @@ func (k *KVS) ListKeys(args *structs.KeyListRequest, reply *structs.IndexedKeyLi
|
|||
return err
|
||||
}
|
||||
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
|
||||
rule, err := k.srv.ResolveToken(args.Token)
|
||||
|
|
|
@ -41,7 +41,7 @@ func (s *Session) Apply(args *structs.SessionRequest, reply *string) error {
|
|||
|
||||
// The entMeta to populate is the one in the Session struct, not SessionRequest
|
||||
// This is because the Session is what is passed to downstream functions like raftApply
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
args.Session.FillAuthzContext(&entCtx)
|
||||
|
||||
// Fetch the ACL token, if any, and apply the policy.
|
||||
|
@ -162,7 +162,7 @@ func (s *Session) Get(args *structs.SessionSpecificRequest,
|
|||
}
|
||||
|
||||
// TODO (namespaces) TODO (acls) infer args.entmeta if not provided
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
|
||||
rule, err := s.srv.ResolveToken(args.Token)
|
||||
|
@ -204,7 +204,7 @@ func (s *Session) List(args *structs.SessionSpecificRequest,
|
|||
}
|
||||
|
||||
// TODO (namespaces) TODO (acls) infer args.entmeta if not provided
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
|
||||
rule, err := s.srv.ResolveToken(args.Token)
|
||||
|
@ -241,7 +241,7 @@ func (s *Session) NodeSessions(args *structs.NodeSpecificRequest,
|
|||
}
|
||||
|
||||
// TODO (namespaces) TODO (acls) infer args.entmeta if not provided
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
|
||||
rule, err := s.srv.ResolveToken(args.Token)
|
||||
|
@ -292,7 +292,7 @@ func (s *Session) Renew(args *structs.SessionSpecificRequest,
|
|||
|
||||
// TODO (namespaces) (freddy):infer args.entmeta if not provided
|
||||
// Fetch the ACL token, if any, and apply the policy.
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
|
||||
rule, err := s.srv.ResolveToken(args.Token)
|
||||
|
|
|
@ -1590,7 +1590,7 @@ func (r *RemoteACLAuthorizationRequest) RequestDatacenter() string {
|
|||
|
||||
func CreateACLAuthorizationResponses(authz acl.Authorizer, requests []ACLAuthorizationRequest) ([]ACLAuthorizationResponse, error) {
|
||||
responses := make([]ACLAuthorizationResponse, len(requests))
|
||||
var ctx acl.EnterpriseAuthorizerContext
|
||||
var ctx acl.AuthorizerContext
|
||||
|
||||
for idx, req := range requests {
|
||||
req.FillAuthzContext(&ctx)
|
||||
|
|
|
@ -49,28 +49,28 @@ func WildcardEnterpriseMeta() *EnterpriseMeta {
|
|||
}
|
||||
|
||||
// FillAuthzContext stub
|
||||
func (_ *EnterpriseMeta) FillAuthzContext(_ *acl.EnterpriseAuthorizerContext) {}
|
||||
func (_ *EnterpriseMeta) FillAuthzContext(_ *acl.AuthorizerContext) {}
|
||||
|
||||
func (_ *EnterpriseMeta) Normalize() {}
|
||||
|
||||
// FillAuthzContext stub
|
||||
func (_ *DirEntry) FillAuthzContext(_ *acl.EnterpriseAuthorizerContext) {}
|
||||
func (_ *DirEntry) FillAuthzContext(_ *acl.AuthorizerContext) {}
|
||||
|
||||
// FillAuthzContext stub
|
||||
func (_ *RegisterRequest) FillAuthzContext(_ *acl.EnterpriseAuthorizerContext) {}
|
||||
func (_ *RegisterRequest) FillAuthzContext(_ *acl.AuthorizerContext) {}
|
||||
|
||||
func (_ *RegisterRequest) GetEnterpriseMeta() *EnterpriseMeta {
|
||||
return nil
|
||||
}
|
||||
|
||||
// OSS Stub
|
||||
func (op *TxnNodeOp) FillAuthzContext(ctx *acl.EnterpriseAuthorizerContext) {}
|
||||
func (op *TxnNodeOp) FillAuthzContext(ctx *acl.AuthorizerContext) {}
|
||||
|
||||
// OSS Stub
|
||||
func (_ *TxnServiceOp) FillAuthzContext(_ *acl.EnterpriseAuthorizerContext) {}
|
||||
func (_ *TxnServiceOp) FillAuthzContext(_ *acl.AuthorizerContext) {}
|
||||
|
||||
// OSS Stub
|
||||
func (_ *TxnCheckOp) FillAuthzContext(_ *acl.EnterpriseAuthorizerContext) {}
|
||||
func (_ *TxnCheckOp) FillAuthzContext(_ *acl.AuthorizerContext) {}
|
||||
|
||||
func ServiceIDString(id string, _ *EnterpriseMeta) string {
|
||||
return id
|
||||
|
|
Loading…
Reference in New Issue