Sorts all the ACl policy handlers for easier navigation (no functional changes).

This commit is contained in:
James Phillips 2016-12-01 20:31:50 -08:00
parent 8ae9e17dff
commit 9b4f316b21
No known key found for this signature in database
GPG Key ID: 77183E682AC5FC11
3 changed files with 333 additions and 333 deletions

View File

@ -35,6 +35,18 @@ func init() {
// ACL is the interface for policy enforcement. // ACL is the interface for policy enforcement.
type ACL interface { type ACL interface {
// ACLList checks for permission to list all the ACLs
ACLList() bool
// ACLModify checks for permission to manipulate ACLs
ACLModify() bool
// EventRead determines if a specific event can be queried.
EventRead(string) bool
// EventWrite determines if a specific event may be fired.
EventWrite(string) bool
// KeyRead checks for permission to read a given key // KeyRead checks for permission to read a given key
KeyRead(string) bool KeyRead(string) bool
@ -46,26 +58,6 @@ type ACL interface {
// that deny a write. // that deny a write.
KeyWritePrefix(string) bool KeyWritePrefix(string) bool
// ServiceWrite checks for permission to read a given service
ServiceWrite(string) bool
// ServiceRead checks for permission to read a given service
ServiceRead(string) bool
// EventRead determines if a specific event can be queried.
EventRead(string) bool
// EventWrite determines if a specific event may be fired.
EventWrite(string) bool
// PrepardQueryRead determines if a specific prepared query can be read
// to show its contents (this is not used for execution).
PreparedQueryRead(string) bool
// PreparedQueryWrite determines if a specific prepared query can be
// created, modified, or deleted.
PreparedQueryWrite(string) bool
// KeyringRead determines if the encryption keyring used in // KeyringRead determines if the encryption keyring used in
// the gossip layer can be read. // the gossip layer can be read.
KeyringRead() bool KeyringRead() bool
@ -81,11 +73,19 @@ type ACL interface {
// functions can be used. // functions can be used.
OperatorWrite() bool OperatorWrite() bool
// ACLList checks for permission to list all the ACLs // PrepardQueryRead determines if a specific prepared query can be read
ACLList() bool // to show its contents (this is not used for execution).
PreparedQueryRead(string) bool
// ACLModify checks for permission to manipulate ACLs // PreparedQueryWrite determines if a specific prepared query can be
ACLModify() bool // created, modified, or deleted.
PreparedQueryWrite(string) bool
// ServiceRead checks for permission to read a given service
ServiceRead(string) bool
// ServiceWrite checks for permission to read a given service
ServiceWrite(string) bool
// Snapshot checks for permission to take and restore snapshots. // Snapshot checks for permission to take and restore snapshots.
Snapshot() bool Snapshot() bool
@ -99,24 +99,12 @@ type StaticACL struct {
defaultAllow bool defaultAllow bool
} }
func (s *StaticACL) KeyRead(string) bool { func (s *StaticACL) ACLList() bool {
return s.defaultAllow return s.allowManage
} }
func (s *StaticACL) KeyWrite(string) bool { func (s *StaticACL) ACLModify() bool {
return s.defaultAllow return s.allowManage
}
func (s *StaticACL) KeyWritePrefix(string) bool {
return s.defaultAllow
}
func (s *StaticACL) ServiceRead(string) bool {
return s.defaultAllow
}
func (s *StaticACL) ServiceWrite(string) bool {
return s.defaultAllow
} }
func (s *StaticACL) EventRead(string) bool { func (s *StaticACL) EventRead(string) bool {
@ -127,11 +115,15 @@ func (s *StaticACL) EventWrite(string) bool {
return s.defaultAllow return s.defaultAllow
} }
func (s *StaticACL) PreparedQueryRead(string) bool { func (s *StaticACL) KeyRead(string) bool {
return s.defaultAllow return s.defaultAllow
} }
func (s *StaticACL) PreparedQueryWrite(string) bool { func (s *StaticACL) KeyWrite(string) bool {
return s.defaultAllow
}
func (s *StaticACL) KeyWritePrefix(string) bool {
return s.defaultAllow return s.defaultAllow
} }
@ -151,12 +143,20 @@ func (s *StaticACL) OperatorWrite() bool {
return s.defaultAllow return s.defaultAllow
} }
func (s *StaticACL) ACLList() bool { func (s *StaticACL) PreparedQueryRead(string) bool {
return s.allowManage return s.defaultAllow
} }
func (s *StaticACL) ACLModify() bool { func (s *StaticACL) PreparedQueryWrite(string) bool {
return s.allowManage return s.defaultAllow
}
func (s *StaticACL) ServiceRead(string) bool {
return s.defaultAllow
}
func (s *StaticACL) ServiceWrite(string) bool {
return s.defaultAllow
} }
func (s *StaticACL) Snapshot() bool { func (s *StaticACL) Snapshot() bool {
@ -260,6 +260,50 @@ func New(parent ACL, policy *Policy) (*PolicyACL, error) {
return p, nil return p, nil
} }
// ACLList checks if listing of ACLs is allowed
func (p *PolicyACL) ACLList() bool {
return p.parent.ACLList()
}
// ACLModify checks if modification of ACLs is allowed
func (p *PolicyACL) ACLModify() bool {
return p.parent.ACLModify()
}
// Snapshot checks if taking and restoring snapshots is allowed.
func (p *PolicyACL) Snapshot() bool {
return p.parent.Snapshot()
}
// EventRead is used to determine if the policy allows for a
// specific user event to be read.
func (p *PolicyACL) EventRead(name string) bool {
// Longest-prefix match on event names
if _, rule, ok := p.eventRules.LongestPrefix(name); ok {
switch rule {
case PolicyRead, PolicyWrite:
return true
default:
return false
}
}
// Nothing matched, use parent
return p.parent.EventRead(name)
}
// EventWrite is used to determine if new events can be created
// (fired) by the policy.
func (p *PolicyACL) EventWrite(name string) bool {
// Longest-prefix match event names
if _, rule, ok := p.eventRules.LongestPrefix(name); ok {
return rule == PolicyWrite
}
// No match, use parent
return p.parent.EventWrite(name)
}
// KeyRead returns if a key is allowed to be read // KeyRead returns if a key is allowed to be read
func (p *PolicyACL) KeyRead(key string) bool { func (p *PolicyACL) KeyRead(key string) bool {
// Look for a matching rule // Look for a matching rule
@ -327,109 +371,6 @@ func (p *PolicyACL) KeyWritePrefix(prefix string) bool {
return p.parent.KeyWritePrefix(prefix) return p.parent.KeyWritePrefix(prefix)
} }
// ServiceRead checks if reading (discovery) of a service is allowed
func (p *PolicyACL) ServiceRead(name string) bool {
// Check for an exact rule or catch-all
_, rule, ok := p.serviceRules.LongestPrefix(name)
if ok {
switch rule {
case PolicyRead, PolicyWrite:
return true
default:
return false
}
}
// No matching rule, use the parent.
return p.parent.ServiceRead(name)
}
// ServiceWrite checks if writing (registering) a service is allowed
func (p *PolicyACL) ServiceWrite(name string) bool {
// Check for an exact rule or catch-all
_, rule, ok := p.serviceRules.LongestPrefix(name)
if ok {
switch rule {
case PolicyWrite:
return true
default:
return false
}
}
// No matching rule, use the parent.
return p.parent.ServiceWrite(name)
}
// EventRead is used to determine if the policy allows for a
// specific user event to be read.
func (p *PolicyACL) EventRead(name string) bool {
// Longest-prefix match on event names
if _, rule, ok := p.eventRules.LongestPrefix(name); ok {
switch rule {
case PolicyRead, PolicyWrite:
return true
default:
return false
}
}
// Nothing matched, use parent
return p.parent.EventRead(name)
}
// EventWrite is used to determine if new events can be created
// (fired) by the policy.
func (p *PolicyACL) EventWrite(name string) bool {
// Longest-prefix match event names
if _, rule, ok := p.eventRules.LongestPrefix(name); ok {
return rule == PolicyWrite
}
// No match, use parent
return p.parent.EventWrite(name)
}
// PreparedQueryRead checks if reading (listing) of a prepared query is
// allowed - this isn't execution, just listing its contents.
func (p *PolicyACL) PreparedQueryRead(prefix string) bool {
// Check for an exact rule or catch-all
_, rule, ok := p.preparedQueryRules.LongestPrefix(prefix)
if ok {
switch rule {
case PolicyRead, PolicyWrite:
return true
default:
return false
}
}
// No matching rule, use the parent.
return p.parent.PreparedQueryRead(prefix)
}
// PreparedQueryWrite checks if writing (creating, updating, or deleting) of a
// prepared query is allowed.
func (p *PolicyACL) PreparedQueryWrite(prefix string) bool {
// Check for an exact rule or catch-all
_, rule, ok := p.preparedQueryRules.LongestPrefix(prefix)
if ok {
switch rule {
case PolicyWrite:
return true
default:
return false
}
}
// No matching rule, use the parent.
return p.parent.PreparedQueryWrite(prefix)
}
// KeyringRead is used to determine if the keyring can be // KeyringRead is used to determine if the keyring can be
// read by the current ACL token. // read by the current ACL token.
func (p *PolicyACL) KeyringRead() bool { func (p *PolicyACL) KeyringRead() bool {
@ -472,17 +413,76 @@ func (p *PolicyACL) OperatorWrite() bool {
return p.parent.OperatorWrite() return p.parent.OperatorWrite()
} }
// ACLList checks if listing of ACLs is allowed // PreparedQueryRead checks if reading (listing) of a prepared query is
func (p *PolicyACL) ACLList() bool { // allowed - this isn't execution, just listing its contents.
return p.parent.ACLList() func (p *PolicyACL) PreparedQueryRead(prefix string) bool {
// Check for an exact rule or catch-all
_, rule, ok := p.preparedQueryRules.LongestPrefix(prefix)
if ok {
switch rule {
case PolicyRead, PolicyWrite:
return true
default:
return false
}
}
// No matching rule, use the parent.
return p.parent.PreparedQueryRead(prefix)
} }
// ACLModify checks if modification of ACLs is allowed // PreparedQueryWrite checks if writing (creating, updating, or deleting) of a
func (p *PolicyACL) ACLModify() bool { // prepared query is allowed.
return p.parent.ACLModify() func (p *PolicyACL) PreparedQueryWrite(prefix string) bool {
// Check for an exact rule or catch-all
_, rule, ok := p.preparedQueryRules.LongestPrefix(prefix)
if ok {
switch rule {
case PolicyWrite:
return true
default:
return false
}
}
// No matching rule, use the parent.
return p.parent.PreparedQueryWrite(prefix)
} }
// Snapshot checks if taking and restoring snapshots is allowed. // ServiceRead checks if reading (discovery) of a service is allowed
func (p *PolicyACL) Snapshot() bool { func (p *PolicyACL) ServiceRead(name string) bool {
return p.parent.Snapshot() // Check for an exact rule or catch-all
_, rule, ok := p.serviceRules.LongestPrefix(name)
if ok {
switch rule {
case PolicyRead, PolicyWrite:
return true
default:
return false
}
}
// No matching rule, use the parent.
return p.parent.ServiceRead(name)
}
// ServiceWrite checks if writing (registering) a service is allowed
func (p *PolicyACL) ServiceWrite(name string) bool {
// Check for an exact rule or catch-all
_, rule, ok := p.serviceRules.LongestPrefix(name)
if ok {
switch rule {
case PolicyWrite:
return true
default:
return false
}
}
// No matching rule, use the parent.
return p.parent.ServiceWrite(name)
} }

View File

@ -35,17 +35,11 @@ func TestStaticACL(t *testing.T) {
t.Fatalf("expected static") t.Fatalf("expected static")
} }
if !all.KeyRead("foobar") { if all.ACLList() {
t.Fatalf("should allow") t.Fatalf("should not allow")
} }
if !all.KeyWrite("foobar") { if all.ACLModify() {
t.Fatalf("should allow") t.Fatalf("should not allow")
}
if !all.ServiceRead("foobar") {
t.Fatalf("should allow")
}
if !all.ServiceWrite("foobar") {
t.Fatalf("should allow")
} }
if !all.EventRead("foobar") { if !all.EventRead("foobar") {
t.Fatalf("should allow") t.Fatalf("should allow")
@ -53,10 +47,10 @@ func TestStaticACL(t *testing.T) {
if !all.EventWrite("foobar") { if !all.EventWrite("foobar") {
t.Fatalf("should allow") t.Fatalf("should allow")
} }
if !all.PreparedQueryRead("foobar") { if !all.KeyRead("foobar") {
t.Fatalf("should allow") t.Fatalf("should allow")
} }
if !all.PreparedQueryWrite("foobar") { if !all.KeyWrite("foobar") {
t.Fatalf("should allow") t.Fatalf("should allow")
} }
if !all.KeyringRead() { if !all.KeyringRead() {
@ -71,26 +65,26 @@ func TestStaticACL(t *testing.T) {
if !all.OperatorWrite() { if !all.OperatorWrite() {
t.Fatalf("should allow") t.Fatalf("should allow")
} }
if all.ACLList() { if !all.PreparedQueryRead("foobar") {
t.Fatalf("should not allow") t.Fatalf("should allow")
} }
if all.ACLModify() { if !all.PreparedQueryWrite("foobar") {
t.Fatalf("should not allow") t.Fatalf("should allow")
}
if !all.ServiceRead("foobar") {
t.Fatalf("should allow")
}
if !all.ServiceWrite("foobar") {
t.Fatalf("should allow")
} }
if all.Snapshot() { if all.Snapshot() {
t.Fatalf("should not allow") t.Fatalf("should not allow")
} }
if none.KeyRead("foobar") { if none.ACLList() {
t.Fatalf("should not allow") t.Fatalf("should not allow")
} }
if none.KeyWrite("foobar") { if none.ACLModify() {
t.Fatalf("should not allow")
}
if none.ServiceRead("foobar") {
t.Fatalf("should not allow")
}
if none.ServiceWrite("foobar") {
t.Fatalf("should not allow") t.Fatalf("should not allow")
} }
if none.EventRead("foobar") { if none.EventRead("foobar") {
@ -105,10 +99,10 @@ func TestStaticACL(t *testing.T) {
if none.EventWrite("") { if none.EventWrite("") {
t.Fatalf("should not allow") t.Fatalf("should not allow")
} }
if none.PreparedQueryRead("foobar") { if none.KeyRead("foobar") {
t.Fatalf("should not allow") t.Fatalf("should not allow")
} }
if none.PreparedQueryWrite("foobar") { if none.KeyWrite("foobar") {
t.Fatalf("should not allow") t.Fatalf("should not allow")
} }
if none.KeyringRead() { if none.KeyringRead() {
@ -123,26 +117,26 @@ func TestStaticACL(t *testing.T) {
if none.OperatorWrite() { if none.OperatorWrite() {
t.Fatalf("should not allow") t.Fatalf("should not allow")
} }
if none.ACLList() { if none.PreparedQueryRead("foobar") {
t.Fatalf("should not allow") t.Fatalf("should not allow")
} }
if none.ACLModify() { if none.PreparedQueryWrite("foobar") {
t.Fatalf("should not allow")
}
if none.ServiceRead("foobar") {
t.Fatalf("should not allow")
}
if none.ServiceWrite("foobar") {
t.Fatalf("should not allow") t.Fatalf("should not allow")
} }
if none.Snapshot() { if none.Snapshot() {
t.Fatalf("should not allow") t.Fatalf("should not allow")
} }
if !manage.KeyRead("foobar") { if !manage.ACLList() {
t.Fatalf("should allow") t.Fatalf("should allow")
} }
if !manage.KeyWrite("foobar") { if !manage.ACLModify() {
t.Fatalf("should allow")
}
if !manage.ServiceRead("foobar") {
t.Fatalf("should allow")
}
if !manage.ServiceWrite("foobar") {
t.Fatalf("should allow") t.Fatalf("should allow")
} }
if !manage.EventRead("foobar") { if !manage.EventRead("foobar") {
@ -151,10 +145,10 @@ func TestStaticACL(t *testing.T) {
if !manage.EventWrite("foobar") { if !manage.EventWrite("foobar") {
t.Fatalf("should allow") t.Fatalf("should allow")
} }
if !manage.PreparedQueryRead("foobar") { if !manage.KeyRead("foobar") {
t.Fatalf("should allow") t.Fatalf("should allow")
} }
if !manage.PreparedQueryWrite("foobar") { if !manage.KeyWrite("foobar") {
t.Fatalf("should allow") t.Fatalf("should allow")
} }
if !manage.KeyringRead() { if !manage.KeyringRead() {
@ -169,10 +163,16 @@ func TestStaticACL(t *testing.T) {
if !manage.OperatorWrite() { if !manage.OperatorWrite() {
t.Fatalf("should allow") t.Fatalf("should allow")
} }
if !manage.ACLList() { if !manage.PreparedQueryRead("foobar") {
t.Fatalf("should allow") t.Fatalf("should allow")
} }
if !manage.ACLModify() { if !manage.PreparedQueryWrite("foobar") {
t.Fatalf("should allow")
}
if !manage.ServiceRead("foobar") {
t.Fatalf("should allow")
}
if !manage.ServiceWrite("foobar") {
t.Fatalf("should allow") t.Fatalf("should allow")
} }
if !manage.Snapshot() { if !manage.Snapshot() {
@ -183,6 +183,20 @@ func TestStaticACL(t *testing.T) {
func TestPolicyACL(t *testing.T) { func TestPolicyACL(t *testing.T) {
all := AllowAll() all := AllowAll()
policy := &Policy{ policy := &Policy{
Events: []*EventPolicy{
&EventPolicy{
Event: "",
Policy: PolicyRead,
},
&EventPolicy{
Event: "foo",
Policy: PolicyWrite,
},
&EventPolicy{
Event: "bar",
Policy: PolicyDeny,
},
},
Keys: []*KeyPolicy{ Keys: []*KeyPolicy{
&KeyPolicy{ &KeyPolicy{
Prefix: "foo/", Prefix: "foo/",
@ -201,38 +215,6 @@ func TestPolicyACL(t *testing.T) {
Policy: PolicyRead, Policy: PolicyRead,
}, },
}, },
Services: []*ServicePolicy{
&ServicePolicy{
Name: "",
Policy: PolicyWrite,
},
&ServicePolicy{
Name: "foo",
Policy: PolicyRead,
},
&ServicePolicy{
Name: "bar",
Policy: PolicyDeny,
},
&ServicePolicy{
Name: "barfoo",
Policy: PolicyWrite,
},
},
Events: []*EventPolicy{
&EventPolicy{
Event: "",
Policy: PolicyRead,
},
&EventPolicy{
Event: "foo",
Policy: PolicyWrite,
},
&EventPolicy{
Event: "bar",
Policy: PolicyDeny,
},
},
PreparedQueries: []*PreparedQueryPolicy{ PreparedQueries: []*PreparedQueryPolicy{
&PreparedQueryPolicy{ &PreparedQueryPolicy{
Prefix: "", Prefix: "",
@ -251,6 +233,24 @@ func TestPolicyACL(t *testing.T) {
Policy: PolicyWrite, Policy: PolicyWrite,
}, },
}, },
Services: []*ServicePolicy{
&ServicePolicy{
Name: "",
Policy: PolicyWrite,
},
&ServicePolicy{
Name: "foo",
Policy: PolicyRead,
},
&ServicePolicy{
Name: "bar",
Policy: PolicyDeny,
},
&ServicePolicy{
Name: "barfoo",
Policy: PolicyWrite,
},
},
} }
acl, err := New(all, policy) acl, err := New(all, policy)
if err != nil { if err != nil {
@ -369,16 +369,6 @@ func TestPolicyACL_Parent(t *testing.T) {
Policy: PolicyRead, Policy: PolicyRead,
}, },
}, },
Services: []*ServicePolicy{
&ServicePolicy{
Name: "other",
Policy: PolicyWrite,
},
&ServicePolicy{
Name: "foo",
Policy: PolicyRead,
},
},
PreparedQueries: []*PreparedQueryPolicy{ PreparedQueries: []*PreparedQueryPolicy{
&PreparedQueryPolicy{ &PreparedQueryPolicy{
Prefix: "other", Prefix: "other",
@ -389,6 +379,16 @@ func TestPolicyACL_Parent(t *testing.T) {
Policy: PolicyRead, Policy: PolicyRead,
}, },
}, },
Services: []*ServicePolicy{
&ServicePolicy{
Name: "other",
Policy: PolicyWrite,
},
&ServicePolicy{
Name: "foo",
Policy: PolicyRead,
},
},
} }
root, err := New(deny, policyRoot) root, err := New(deny, policyRoot)
if err != nil { if err != nil {
@ -410,18 +410,18 @@ func TestPolicyACL_Parent(t *testing.T) {
Policy: PolicyRead, Policy: PolicyRead,
}, },
}, },
Services: []*ServicePolicy{
&ServicePolicy{
Name: "bar",
Policy: PolicyDeny,
},
},
PreparedQueries: []*PreparedQueryPolicy{ PreparedQueries: []*PreparedQueryPolicy{
&PreparedQueryPolicy{ &PreparedQueryPolicy{
Prefix: "bar", Prefix: "bar",
Policy: PolicyDeny, Policy: PolicyDeny,
}, },
}, },
Services: []*ServicePolicy{
&ServicePolicy{
Name: "bar",
Policy: PolicyDeny,
},
},
} }
acl, err := New(root, policy) acl, err := New(root, policy)
if err != nil { if err != nil {

View File

@ -8,6 +8,15 @@ import (
func TestACLPolicy_Parse_HCL(t *testing.T) { func TestACLPolicy_Parse_HCL(t *testing.T) {
inp := ` inp := `
event "" {
policy = "read"
}
event "foo" {
policy = "write"
}
event "bar" {
policy = "deny"
}
key "" { key "" {
policy = "read" policy = "read"
} }
@ -20,21 +29,14 @@ key "foo/bar/" {
key "foo/bar/baz" { key "foo/bar/baz" {
policy = "deny" policy = "deny"
} }
keyring = "deny"
operator = "deny"
service "" { service "" {
policy = "write" policy = "write"
} }
service "foo" { service "foo" {
policy = "read" policy = "read"
} }
event "" {
policy = "read"
}
event "foo" {
policy = "write"
}
event "bar" {
policy = "deny"
}
query "" { query "" {
policy = "read" policy = "read"
} }
@ -44,10 +46,23 @@ query "foo" {
query "bar" { query "bar" {
policy = "deny" policy = "deny"
} }
keyring = "deny"
operator = "deny"
` `
exp := &Policy{ exp := &Policy{
Events: []*EventPolicy{
&EventPolicy{
Event: "",
Policy: PolicyRead,
},
&EventPolicy{
Event: "foo",
Policy: PolicyWrite,
},
&EventPolicy{
Event: "bar",
Policy: PolicyDeny,
},
},
Keyring: PolicyDeny,
Keys: []*KeyPolicy{ Keys: []*KeyPolicy{
&KeyPolicy{ &KeyPolicy{
Prefix: "", Prefix: "",
@ -66,30 +81,7 @@ operator = "deny"
Policy: PolicyDeny, Policy: PolicyDeny,
}, },
}, },
Services: []*ServicePolicy{ Operator: PolicyDeny,
&ServicePolicy{
Name: "",
Policy: PolicyWrite,
},
&ServicePolicy{
Name: "foo",
Policy: PolicyRead,
},
},
Events: []*EventPolicy{
&EventPolicy{
Event: "",
Policy: PolicyRead,
},
&EventPolicy{
Event: "foo",
Policy: PolicyWrite,
},
&EventPolicy{
Event: "bar",
Policy: PolicyDeny,
},
},
PreparedQueries: []*PreparedQueryPolicy{ PreparedQueries: []*PreparedQueryPolicy{
&PreparedQueryPolicy{ &PreparedQueryPolicy{
Prefix: "", Prefix: "",
@ -104,8 +96,16 @@ operator = "deny"
Policy: PolicyDeny, Policy: PolicyDeny,
}, },
}, },
Keyring: PolicyDeny, Services: []*ServicePolicy{
Operator: PolicyDeny, &ServicePolicy{
Name: "",
Policy: PolicyWrite,
},
&ServicePolicy{
Name: "foo",
Policy: PolicyRead,
},
},
} }
out, err := Parse(inp) out, err := Parse(inp)
@ -120,6 +120,17 @@ operator = "deny"
func TestACLPolicy_Parse_JSON(t *testing.T) { func TestACLPolicy_Parse_JSON(t *testing.T) {
inp := `{ inp := `{
"event": {
"": {
"policy": "read"
},
"foo": {
"policy": "write"
},
"bar": {
"policy": "deny"
}
},
"key": { "key": {
"": { "": {
"policy": "read" "policy": "read"
@ -134,25 +145,8 @@ func TestACLPolicy_Parse_JSON(t *testing.T) {
"policy": "deny" "policy": "deny"
} }
}, },
"service": { "keyring": "deny",
"": { "operator": "deny",
"policy": "write"
},
"foo": {
"policy": "read"
}
},
"event": {
"": {
"policy": "read"
},
"foo": {
"policy": "write"
},
"bar": {
"policy": "deny"
}
},
"query": { "query": {
"": { "": {
"policy": "read" "policy": "read"
@ -164,10 +158,31 @@ func TestACLPolicy_Parse_JSON(t *testing.T) {
"policy": "deny" "policy": "deny"
} }
}, },
"keyring": "deny", "service": {
"operator": "deny" "": {
"policy": "write"
},
"foo": {
"policy": "read"
}
}
}` }`
exp := &Policy{ exp := &Policy{
Events: []*EventPolicy{
&EventPolicy{
Event: "",
Policy: PolicyRead,
},
&EventPolicy{
Event: "foo",
Policy: PolicyWrite,
},
&EventPolicy{
Event: "bar",
Policy: PolicyDeny,
},
},
Keyring: PolicyDeny,
Keys: []*KeyPolicy{ Keys: []*KeyPolicy{
&KeyPolicy{ &KeyPolicy{
Prefix: "", Prefix: "",
@ -186,30 +201,7 @@ func TestACLPolicy_Parse_JSON(t *testing.T) {
Policy: PolicyDeny, Policy: PolicyDeny,
}, },
}, },
Services: []*ServicePolicy{ Operator: PolicyDeny,
&ServicePolicy{
Name: "",
Policy: PolicyWrite,
},
&ServicePolicy{
Name: "foo",
Policy: PolicyRead,
},
},
Events: []*EventPolicy{
&EventPolicy{
Event: "",
Policy: PolicyRead,
},
&EventPolicy{
Event: "foo",
Policy: PolicyWrite,
},
&EventPolicy{
Event: "bar",
Policy: PolicyDeny,
},
},
PreparedQueries: []*PreparedQueryPolicy{ PreparedQueries: []*PreparedQueryPolicy{
&PreparedQueryPolicy{ &PreparedQueryPolicy{
Prefix: "", Prefix: "",
@ -224,8 +216,16 @@ func TestACLPolicy_Parse_JSON(t *testing.T) {
Policy: PolicyDeny, Policy: PolicyDeny,
}, },
}, },
Keyring: PolicyDeny, Services: []*ServicePolicy{
Operator: PolicyDeny, &ServicePolicy{
Name: "",
Policy: PolicyWrite,
},
&ServicePolicy{
Name: "foo",
Policy: PolicyRead,
},
},
} }
out, err := Parse(inp) out, err := Parse(inp)
@ -276,12 +276,12 @@ operator = ""
func TestACLPolicy_Bad_Policy(t *testing.T) { func TestACLPolicy_Bad_Policy(t *testing.T) {
cases := []string{ cases := []string{
`key "" { policy = "nope" }`,
`service "" { policy = "nope" }`,
`event "" { policy = "nope" }`, `event "" { policy = "nope" }`,
`query "" { policy = "nope" }`, `key "" { policy = "nope" }`,
`keyring = "nope"`, `keyring = "nope"`,
`operator = "nope"`, `operator = "nope"`,
`query "" { policy = "nope" }`,
`service "" { policy = "nope" }`,
} }
for _, c := range cases { for _, c := range cases {
_, err := Parse(c) _, err := Parse(c)