Allow the /v1/internal/acl/authorize endpoint to authorize the “peering” resource (#13646)

Currently this just maps peering "read" to operator:read and peering "write" to operator:write. In the near future it will check peering-specific rules once those are implemented.
Matt Keeler 2022-06-29 16:38:17 -04:00 committed by GitHub
parent d8b7940e40
commit 5105835cb2
2 changed files with 37 additions and 0 deletions


@ -49,6 +49,7 @@ const (
ResourceQuery Resource = "query" ResourceQuery Resource = "query"
ResourceService Resource = "service" ResourceService Resource = "service"
ResourceSession Resource = "session" ResourceSession Resource = "session"
ResourcePeering Resource = "peering"
) )
// Authorizer is the interface for policy enforcement. // Authorizer is the interface for policy enforcement.
@ -540,6 +541,14 @@ func Enforce(authz Authorizer, rsc Resource, segment string, access string, ctx
case "write": case "write":
return authz.SessionWrite(segment, ctx), nil return authz.SessionWrite(segment, ctx), nil
} }
case ResourcePeering:
// TODO (peering) switch this over to using PeeringRead & PeeringWrite methods once implemented
switch lowerAccess {
case "read":
return authz.OperatorRead(ctx), nil
case "write":
return authz.OperatorWrite(ctx), nil
}
default: default:
if processed, decision, err := enforceEnterprise(authz, rsc, segment, lowerAccess, ctx); processed { if processed, decision, err := enforceEnterprise(authz, rsc, segment, lowerAccess, ctx); processed {
return decision, err return decision, err
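Review bot: The new `ResourcePeering` case discards `segment`, so a caller of `/v1/internal/acl/authorize` that names a specific peer is granted or denied purely on the global operator rule, and nothing in the hunk states that this is intentionally coarser than the eventual peering rules. Since this is a temporary widening of what operator tokens can do, the TODO should say so explicitly, e.g. `// TODO (peering) until PeeringRead/PeeringWrite exist, any token with operator:read/write is authorized for every peering; segment (the peer name) is ignored.` The exported constant at the first hunk also lacks a doc comment; `// ResourcePeering is the cluster-peering resource, currently enforced via operator rules.` would be enough. What happens when `lowerAccess` is neither "read" nor "write" for this case is decided by code after the outer switch, which lies outside the hunk.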


@ -462,6 +462,34 @@ func TestACL_Enforce(t *testing.T) {
ret: Deny, ret: Deny,
err: "Invalid access level", err: "Invalid access level",
}, },
{
// TODO (peering) Update to use PeeringRead
method: "OperatorRead",
resource: ResourcePeering,
access: "read",
ret: Allow,
},
{
// TODO (peering) Update to use PeeringRead
method: "OperatorRead",
resource: ResourcePeering,
access: "read",
ret: Deny,
},
{
// TODO (peering) Update to use PeeringWrite
method: "OperatorWrite",
resource: ResourcePeering,
access: "write",
ret: Allow,
},
{
// TODO (peering) Update to use PeeringWrite
method: "OperatorWrite",
resource: ResourcePeering,
access: "write",
ret: Deny,
},
{ {
method: "PreparedQueryRead", method: "PreparedQueryRead",
resource: ResourceQuery, resource: ResourceQuery,
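Review bot: The four new table entries only cover the "read" and "write" access levels, so a peering request with any other access string (for example "list") is not pinned to the deny-with-"Invalid access level" outcome that the case just above the hunk asserts for another resource. One more entry in the same shape, `{resource: ResourcePeering, access: "list", ret: Deny, err: "Invalid access level"}`, would lock that in before peering-specific rules replace the operator mapping. Nothing here asserts that the peer name in `segment` is ignored, which is presumably the intended interim behaviour; if so, one entry passing a non-empty segment would document it. The table is part of `TestACL_Enforce`, whose start and the test loop that consumes these entries are outside the hunk.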