acl: allow omitting keyring policy, add tests

This commit is contained in:
Ryan Uber 2015-07-07 11:07:37 -06:00
parent 47a33e3f1a
commit 7e50a457d9
4 changed files with 43 additions and 3 deletions

View File

@ -350,14 +350,19 @@ func (p *PolicyACL) KeyringRead() bool {
switch p.keyringRule {
case KeyringPolicyRead, KeyringPolicyWrite:
return true
default:
case KeyringPolicyDeny:
return false
default:
return p.parent.KeyringRead()
}
}
// KeyringWrite determines if the keyring can be manipulated.
func (p *PolicyACL) KeyringWrite() bool {
return p.keyringRule == KeyringPolicyWrite
if p.keyringRule == KeyringPolicyWrite {
return true
}
return p.parent.KeyringWrite()
}
// ACLList checks if listing of ACLs is allowed

View File

@ -47,6 +47,18 @@ func TestStaticACL(t *testing.T) {
if !all.ServiceWrite("foobar") {
t.Fatalf("should allow")
}
if !all.EventRead("foobar") {
t.Fatalf("should allow")
}
if !all.EventWrite("foobar") {
t.Fatalf("should allow")
}
if !all.KeyringRead() {
t.Fatalf("should allow")
}
if !all.KeyringWrite() {
t.Fatalf("should allow")
}
if all.ACLList() {
t.Fatalf("should not allow")
}
@ -78,6 +90,12 @@ func TestStaticACL(t *testing.T) {
if none.EventWrite("") {
t.Fatalf("should not allow")
}
if none.KeyringRead() {
t.Fatalf("should now allow")
}
if none.KeyringWrite() {
t.Fatalf("should not allow")
}
if none.ACLList() {
t.Fatalf("should not allow")
}
@ -97,6 +115,18 @@ func TestStaticACL(t *testing.T) {
if !manage.ServiceWrite("foobar") {
t.Fatalf("should allow")
}
if !manage.EventRead("foobar") {
t.Fatalf("should allow")
}
if !manage.EventWrite("foobar") {
t.Fatalf("should allow")
}
if !manage.KeyringRead() {
t.Fatalf("should allow")
}
if !manage.KeyringWrite() {
t.Fatalf("should allow")
}
if !manage.ACLList() {
t.Fatalf("should allow")
}

View File

@ -114,6 +114,7 @@ func Parse(rules string) (*Policy, error) {
case KeyringPolicyRead:
case KeyringPolicyWrite:
case KeyringPolicyDeny:
case "": // Special case to allow omitting the keyring policy
default:
return nil, fmt.Errorf("Invalid keyring policy: %#v", p.Keyring)
}

View File

@ -34,6 +34,7 @@ event "foo" {
event "bar" {
policy = "deny"
}
keyring = "deny"
`
exp := &Policy{
Keys: []*KeyPolicy{
@ -78,6 +79,7 @@ event "bar" {
Policy: EventPolicyDeny,
},
},
Keyring: KeyringPolicyDeny,
}
out, err := Parse(inp)
@ -124,7 +126,8 @@ func TestParse_JSON(t *testing.T) {
"bar": {
"policy": "deny"
}
}
},
"keyring": "deny"
}`
exp := &Policy{
Keys: []*KeyPolicy{
@ -169,6 +172,7 @@ func TestParse_JSON(t *testing.T) {
Policy: EventPolicyDeny,
},
},
Keyring: KeyringPolicyDeny,
}
out, err := Parse(inp)