From 5105835cb2efcb2116913fae1b370a9575f04049 Mon Sep 17 00:00:00 2001
From: Matt Keeler
Date: Wed, 29 Jun 2022 16:38:17 -0400
Subject: [PATCH] =?UTF-8?q?Allow=20the=20/v1/internal/acl/authorize=20endp?=
 =?UTF-8?q?oint=20to=20authorize=20the=20=E2=80=9Cpeering=E2=80=9D=20resou?=
 =?UTF-8?q?rce=20(#13646)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Currently this just checks for operator read. In the near future it will check for peering specific rules once those are implemented.
---
 acl/authorizer.go | 9 +++++++++
 acl/authorizer_test.go | 28 ++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+)

diff --git a/acl/authorizer.go b/acl/authorizer.go
index dfe2eda1db..fe28c05ed6 100644
--- a/acl/authorizer.go
+++ b/acl/authorizer.go
@@ -49,6 +49,7 @@ const (
 ResourceQuery Resource = "query"
 ResourceService Resource = "service"
 ResourceSession Resource = "session"
+ ResourcePeering Resource = "peering"
 )
 
 // Authorizer is the interface for policy enforcement.
@@ -540,6 +541,14 @@ func Enforce(authz Authorizer, rsc Resource, segment string, access string, ctx
 case "write":
 return authz.SessionWrite(segment, ctx), nil
 }
+ case ResourcePeering:
+ // TODO (peering) switch this over to using PeeringRead & PeeringWrite methods once implemented
+ switch lowerAccess {
+ case "read":
+ return authz.OperatorRead(ctx), nil
+ case "write":
+ return authz.OperatorWrite(ctx), nil
+ }
 default:
 if processed, decision, err := enforceEnterprise(authz, rsc, segment, lowerAccess, ctx); processed {
 return decision, err
diff --git a/acl/authorizer_test.go b/acl/authorizer_test.go
index b8f4d21c1d..f8aeda3d42 100644
--- a/acl/authorizer_test.go
+++ b/acl/authorizer_test.go
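Review bot: `ResourcePeering` is appended after `ResourceSession`, which breaks the alphabetical order the visible constants (`ResourceQuery`, `ResourceService`, `ResourceSession`) follow; inserting it immediately before `ResourceQuery` keeps the block sorted and makes future resource additions easier to place. This is a style point only, the value `"peering"` itself is fine. The const block begins outside the hunk, so the rest of its ordering is not visible here.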
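Review bot: The new `case ResourcePeering:` branch never looks at `segment`, so a request naming any peer is authorized by the same `OperatorRead`/`OperatorWrite` check, but the added TODO only says which methods will replace the call and not that the peer name is currently ignored; the next reader of the authorize endpoint would reasonably assume segment-scoped enforcement. Suggest extending the comment to `// TODO (peering) switch this over to using PeeringRead & PeeringWrite methods once implemented; until then the peer name in segment is not consulted and any peering access is gated on operator:read / operator:write`. Unrecognized access levels fall out of the inner switch like the sibling resources do, which appears to reach the shared invalid-access-level return, so no `default:` is needed here. `Enforce` starts and ends outside the hunk, so that shared return is inferred from the test context rather than visible.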
@@ -462,6 +462,34 @@ func TestACL_Enforce(t *testing.T) {
 ret: Deny,
 err: "Invalid access level",
 },
+ {
+ // TODO (peering) Update to use PeeringRead
+ method: "OperatorRead",
+ resource: ResourcePeering,
+ access: "read",
+ ret: Allow,
+ },
+ {
+ // TODO (peering) Update to use PeeringRead
+ method: "OperatorRead",
+ resource: ResourcePeering,
+ access: "read",
+ ret: Deny,
+ },
+ {
+ // TODO (peering) Update to use PeeringWrite
+ method: "OperatorWrite",
+ resource: ResourcePeering,
+ access: "write",
+ ret: Allow,
+ },
+ {
+ // TODO (peering) Update to use PeeringWrite
+ method: "OperatorWrite",
+ resource: ResourcePeering,
+ access: "write",
+ ret: Deny,
+ },
 {
 method: "PreparedQueryRead",
 resource: ResourceQuery,
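Review bot: The four new table entries cover only the recognized `read` and `write` levels for `ResourcePeering`; unlike the preceding session entry (which pins `ret: Deny, err: "Invalid access level"`), nothing checks that an unsupported level such as `list` on the peering resource is denied with that error rather than silently mapped to an operator method. Adding one negative case keeps peering consistent with how the other resources are tested in this table. The entries also leave `segment` unset, which is fine today since the peering branch ignores it, but a comment on the first entry noting that would explain the omission to a later reader. The `cases` slice and the loop that drives it start and end outside the hunk.
```go
// … unchanged: existing peering read/write entries …
{
	// constructed: an unsupported access level on the peering resource must be rejected
	method:   "OperatorRead",
	resource: ResourcePeering,
	access:   "list",
	ret:      Deny,
	err:      "Invalid access level",
},
// … unchanged: PreparedQueryRead entry …
```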