mirror of https://github.com/status-im/consul.git
Allow the /v1/internal/acl/authorize endpoint to authorize the “peering” resource (#13646)
Currently this just checks for operator read. In the near future it will check for peering specific rules once those are implemented.
parent
d8b7940e40
commit
5105835cb2
|
@ -49,6 +49,7 @@ const (
|
|||
ResourceQuery Resource = "query"
|
||||
ResourceService Resource = "service"
|
||||
ResourceSession Resource = "session"
|
||||
ResourcePeering Resource = "peering"
|
||||
)
|
||||
|
||||
// Authorizer is the interface for policy enforcement.
|
||||
|
@ -540,6 +541,14 @@ func Enforce(authz Authorizer, rsc Resource, segment string, access string, ctx
|
|||
case "write":
|
||||
return authz.SessionWrite(segment, ctx), nil
|
||||
}
|
||||
case ResourcePeering:
|
||||
// TODO (peering) switch this over to using PeeringRead & PeeringWrite methods once implemented
|
||||
switch lowerAccess {
|
||||
case "read":
|
||||
return authz.OperatorRead(ctx), nil
|
||||
case "write":
|
||||
return authz.OperatorWrite(ctx), nil
|
||||
}
|
||||
default:
|
||||
if processed, decision, err := enforceEnterprise(authz, rsc, segment, lowerAccess, ctx); processed {
|
||||
return decision, err
|
||||
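Review bot: The comment above the peering case only says the branch is temporary; it should also state the effective policy, since `return authz.OperatorRead(ctx), nil` / `return authz.OperatorWrite(ctx), nil` gate every peering operation on the global operator rules and drop the `segment` argument entirely (no per-peering scoping is possible until the dedicated methods exist). Suggested replacement for the TODO line: `// TODO (peering) switch this over to PeeringRead & PeeringWrite once implemented.` followed by `// Until then peering access is gated on the global operator:read / operator:write rules and segment (the peering name) is ignored.` That makes the interim privilege mapping visible to anyone auditing which tokens can touch peering, rather than leaving it implied by the method names. Access levels other than "read"/"write" fall out of the inner switch and appear to reach the invalid-access path after the outer switch; Enforce continues outside the hunk, so that path is not visible here.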
|
|
|
@ -462,6 +462,34 @@ func TestACL_Enforce(t *testing.T) {
|
|||
ret: Deny,
|
||||
err: "Invalid access level",
|
||||
},
|
||||
{
|
||||
// TODO (peering) Update to use PeeringRead
|
||||
method: "OperatorRead",
|
||||
resource: ResourcePeering,
|
||||
access: "read",
|
||||
ret: Allow,
|
||||
},
|
||||
{
|
||||
// TODO (peering) Update to use PeeringRead
|
||||
method: "OperatorRead",
|
||||
resource: ResourcePeering,
|
||||
access: "read",
|
||||
ret: Deny,
|
||||
},
|
||||
{
|
||||
// TODO (peering) Update to use PeeringWrite
|
||||
method: "OperatorWrite",
|
||||
resource: ResourcePeering,
|
||||
access: "write",
|
||||
ret: Allow,
|
||||
},
|
||||
{
|
||||
// TODO (peering) Update to use PeeringWrite
|
||||
method: "OperatorWrite",
|
||||
resource: ResourcePeering,
|
||||
access: "write",
|
||||
ret: Deny,
|
||||
},
|
||||
{
|
||||
method: "PreparedQueryRead",
|
||||
resource: ResourceQuery,
|
||||
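Review bot: The four new peering cases (the entries whose resource is `ResourcePeering`) pin only the read/write Allow and Deny outcomes; none covers an unsupported access level for the peering resource, so a future change that made the inner `switch lowerAccess` permissive (say, a default branch returning the read check) would not be caught. The table already has an "Invalid access level" shape a few lines up (`ret: Deny,` / `err: "Invalid access level",`), so adding one peering entry in that shape closes the gap. If that existing invalid-access case also sets a `method` field, mirror it; the fragment below assumes the error path does not consult the mock. TestACL_Enforce continues outside the hunk.
```go
// … unchanged: existing ResourcePeering read/write cases …
{
	resource: ResourcePeering,
	access:   "list",
	ret:      Deny,
	err:      "Invalid access level",
},
```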
|
|