mirror of https://github.com/status-im/consul.git
Sorts all the ACl policy handlers for easier navigation (no functional changes).
This commit is contained in:
parent
8ae9e17dff
commit
9b4f316b21
316
acl/acl.go
316
acl/acl.go
|
@ -35,6 +35,18 @@ func init() {
|
||||||
|
|
||||||
// ACL is the interface for policy enforcement.
|
// ACL is the interface for policy enforcement.
|
||||||
type ACL interface {
|
type ACL interface {
|
||||||
|
// ACLList checks for permission to list all the ACLs
|
||||||
|
ACLList() bool
|
||||||
|
|
||||||
|
// ACLModify checks for permission to manipulate ACLs
|
||||||
|
ACLModify() bool
|
||||||
|
|
||||||
|
// EventRead determines if a specific event can be queried.
|
||||||
|
EventRead(string) bool
|
||||||
|
|
||||||
|
// EventWrite determines if a specific event may be fired.
|
||||||
|
EventWrite(string) bool
|
||||||
|
|
||||||
// KeyRead checks for permission to read a given key
|
// KeyRead checks for permission to read a given key
|
||||||
KeyRead(string) bool
|
KeyRead(string) bool
|
||||||
|
|
||||||
|
@ -46,26 +58,6 @@ type ACL interface {
|
||||||
// that deny a write.
|
// that deny a write.
|
||||||
KeyWritePrefix(string) bool
|
KeyWritePrefix(string) bool
|
||||||
|
|
||||||
// ServiceWrite checks for permission to read a given service
|
|
||||||
ServiceWrite(string) bool
|
|
||||||
|
|
||||||
// ServiceRead checks for permission to read a given service
|
|
||||||
ServiceRead(string) bool
|
|
||||||
|
|
||||||
// EventRead determines if a specific event can be queried.
|
|
||||||
EventRead(string) bool
|
|
||||||
|
|
||||||
// EventWrite determines if a specific event may be fired.
|
|
||||||
EventWrite(string) bool
|
|
||||||
|
|
||||||
// PrepardQueryRead determines if a specific prepared query can be read
|
|
||||||
// to show its contents (this is not used for execution).
|
|
||||||
PreparedQueryRead(string) bool
|
|
||||||
|
|
||||||
// PreparedQueryWrite determines if a specific prepared query can be
|
|
||||||
// created, modified, or deleted.
|
|
||||||
PreparedQueryWrite(string) bool
|
|
||||||
|
|
||||||
// KeyringRead determines if the encryption keyring used in
|
// KeyringRead determines if the encryption keyring used in
|
||||||
// the gossip layer can be read.
|
// the gossip layer can be read.
|
||||||
KeyringRead() bool
|
KeyringRead() bool
|
||||||
|
@ -81,11 +73,19 @@ type ACL interface {
|
||||||
// functions can be used.
|
// functions can be used.
|
||||||
OperatorWrite() bool
|
OperatorWrite() bool
|
||||||
|
|
||||||
// ACLList checks for permission to list all the ACLs
|
// PrepardQueryRead determines if a specific prepared query can be read
|
||||||
ACLList() bool
|
// to show its contents (this is not used for execution).
|
||||||
|
PreparedQueryRead(string) bool
|
||||||
|
|
||||||
// ACLModify checks for permission to manipulate ACLs
|
// PreparedQueryWrite determines if a specific prepared query can be
|
||||||
ACLModify() bool
|
// created, modified, or deleted.
|
||||||
|
PreparedQueryWrite(string) bool
|
||||||
|
|
||||||
|
// ServiceRead checks for permission to read a given service
|
||||||
|
ServiceRead(string) bool
|
||||||
|
|
||||||
|
// ServiceWrite checks for permission to read a given service
|
||||||
|
ServiceWrite(string) bool
|
||||||
|
|
||||||
// Snapshot checks for permission to take and restore snapshots.
|
// Snapshot checks for permission to take and restore snapshots.
|
||||||
Snapshot() bool
|
Snapshot() bool
|
||||||
|
@ -99,24 +99,12 @@ type StaticACL struct {
|
||||||
defaultAllow bool
|
defaultAllow bool
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *StaticACL) KeyRead(string) bool {
|
func (s *StaticACL) ACLList() bool {
|
||||||
return s.defaultAllow
|
return s.allowManage
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *StaticACL) KeyWrite(string) bool {
|
func (s *StaticACL) ACLModify() bool {
|
||||||
return s.defaultAllow
|
return s.allowManage
|
||||||
}
|
|
||||||
|
|
||||||
func (s *StaticACL) KeyWritePrefix(string) bool {
|
|
||||||
return s.defaultAllow
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *StaticACL) ServiceRead(string) bool {
|
|
||||||
return s.defaultAllow
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *StaticACL) ServiceWrite(string) bool {
|
|
||||||
return s.defaultAllow
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *StaticACL) EventRead(string) bool {
|
func (s *StaticACL) EventRead(string) bool {
|
||||||
|
@ -127,11 +115,15 @@ func (s *StaticACL) EventWrite(string) bool {
|
||||||
return s.defaultAllow
|
return s.defaultAllow
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *StaticACL) PreparedQueryRead(string) bool {
|
func (s *StaticACL) KeyRead(string) bool {
|
||||||
return s.defaultAllow
|
return s.defaultAllow
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *StaticACL) PreparedQueryWrite(string) bool {
|
func (s *StaticACL) KeyWrite(string) bool {
|
||||||
|
return s.defaultAllow
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *StaticACL) KeyWritePrefix(string) bool {
|
||||||
return s.defaultAllow
|
return s.defaultAllow
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -151,12 +143,20 @@ func (s *StaticACL) OperatorWrite() bool {
|
||||||
return s.defaultAllow
|
return s.defaultAllow
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *StaticACL) ACLList() bool {
|
func (s *StaticACL) PreparedQueryRead(string) bool {
|
||||||
return s.allowManage
|
return s.defaultAllow
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *StaticACL) ACLModify() bool {
|
func (s *StaticACL) PreparedQueryWrite(string) bool {
|
||||||
return s.allowManage
|
return s.defaultAllow
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *StaticACL) ServiceRead(string) bool {
|
||||||
|
return s.defaultAllow
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *StaticACL) ServiceWrite(string) bool {
|
||||||
|
return s.defaultAllow
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *StaticACL) Snapshot() bool {
|
func (s *StaticACL) Snapshot() bool {
|
||||||
|
@ -260,6 +260,50 @@ func New(parent ACL, policy *Policy) (*PolicyACL, error) {
|
||||||
return p, nil
|
return p, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// ACLList checks if listing of ACLs is allowed
|
||||||
|
func (p *PolicyACL) ACLList() bool {
|
||||||
|
return p.parent.ACLList()
|
||||||
|
}
|
||||||
|
|
||||||
|
// ACLModify checks if modification of ACLs is allowed
|
||||||
|
func (p *PolicyACL) ACLModify() bool {
|
||||||
|
return p.parent.ACLModify()
|
||||||
|
}
|
||||||
|
|
||||||
|
// Snapshot checks if taking and restoring snapshots is allowed.
|
||||||
|
func (p *PolicyACL) Snapshot() bool {
|
||||||
|
return p.parent.Snapshot()
|
||||||
|
}
|
||||||
|
|
||||||
|
// EventRead is used to determine if the policy allows for a
|
||||||
|
// specific user event to be read.
|
||||||
|
func (p *PolicyACL) EventRead(name string) bool {
|
||||||
|
// Longest-prefix match on event names
|
||||||
|
if _, rule, ok := p.eventRules.LongestPrefix(name); ok {
|
||||||
|
switch rule {
|
||||||
|
case PolicyRead, PolicyWrite:
|
||||||
|
return true
|
||||||
|
default:
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Nothing matched, use parent
|
||||||
|
return p.parent.EventRead(name)
|
||||||
|
}
|
||||||
|
|
||||||
|
// EventWrite is used to determine if new events can be created
|
||||||
|
// (fired) by the policy.
|
||||||
|
func (p *PolicyACL) EventWrite(name string) bool {
|
||||||
|
// Longest-prefix match event names
|
||||||
|
if _, rule, ok := p.eventRules.LongestPrefix(name); ok {
|
||||||
|
return rule == PolicyWrite
|
||||||
|
}
|
||||||
|
|
||||||
|
// No match, use parent
|
||||||
|
return p.parent.EventWrite(name)
|
||||||
|
}
|
||||||
|
|
||||||
// KeyRead returns if a key is allowed to be read
|
// KeyRead returns if a key is allowed to be read
|
||||||
func (p *PolicyACL) KeyRead(key string) bool {
|
func (p *PolicyACL) KeyRead(key string) bool {
|
||||||
// Look for a matching rule
|
// Look for a matching rule
|
||||||
|
@ -327,109 +371,6 @@ func (p *PolicyACL) KeyWritePrefix(prefix string) bool {
|
||||||
return p.parent.KeyWritePrefix(prefix)
|
return p.parent.KeyWritePrefix(prefix)
|
||||||
}
|
}
|
||||||
|
|
||||||
// ServiceRead checks if reading (discovery) of a service is allowed
|
|
||||||
func (p *PolicyACL) ServiceRead(name string) bool {
|
|
||||||
// Check for an exact rule or catch-all
|
|
||||||
_, rule, ok := p.serviceRules.LongestPrefix(name)
|
|
||||||
|
|
||||||
if ok {
|
|
||||||
switch rule {
|
|
||||||
case PolicyRead, PolicyWrite:
|
|
||||||
return true
|
|
||||||
default:
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// No matching rule, use the parent.
|
|
||||||
return p.parent.ServiceRead(name)
|
|
||||||
}
|
|
||||||
|
|
||||||
// ServiceWrite checks if writing (registering) a service is allowed
|
|
||||||
func (p *PolicyACL) ServiceWrite(name string) bool {
|
|
||||||
// Check for an exact rule or catch-all
|
|
||||||
_, rule, ok := p.serviceRules.LongestPrefix(name)
|
|
||||||
|
|
||||||
if ok {
|
|
||||||
switch rule {
|
|
||||||
case PolicyWrite:
|
|
||||||
return true
|
|
||||||
default:
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// No matching rule, use the parent.
|
|
||||||
return p.parent.ServiceWrite(name)
|
|
||||||
}
|
|
||||||
|
|
||||||
// EventRead is used to determine if the policy allows for a
|
|
||||||
// specific user event to be read.
|
|
||||||
func (p *PolicyACL) EventRead(name string) bool {
|
|
||||||
// Longest-prefix match on event names
|
|
||||||
if _, rule, ok := p.eventRules.LongestPrefix(name); ok {
|
|
||||||
switch rule {
|
|
||||||
case PolicyRead, PolicyWrite:
|
|
||||||
return true
|
|
||||||
default:
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Nothing matched, use parent
|
|
||||||
return p.parent.EventRead(name)
|
|
||||||
}
|
|
||||||
|
|
||||||
// EventWrite is used to determine if new events can be created
|
|
||||||
// (fired) by the policy.
|
|
||||||
func (p *PolicyACL) EventWrite(name string) bool {
|
|
||||||
// Longest-prefix match event names
|
|
||||||
if _, rule, ok := p.eventRules.LongestPrefix(name); ok {
|
|
||||||
return rule == PolicyWrite
|
|
||||||
}
|
|
||||||
|
|
||||||
// No match, use parent
|
|
||||||
return p.parent.EventWrite(name)
|
|
||||||
}
|
|
||||||
|
|
||||||
// PreparedQueryRead checks if reading (listing) of a prepared query is
|
|
||||||
// allowed - this isn't execution, just listing its contents.
|
|
||||||
func (p *PolicyACL) PreparedQueryRead(prefix string) bool {
|
|
||||||
// Check for an exact rule or catch-all
|
|
||||||
_, rule, ok := p.preparedQueryRules.LongestPrefix(prefix)
|
|
||||||
|
|
||||||
if ok {
|
|
||||||
switch rule {
|
|
||||||
case PolicyRead, PolicyWrite:
|
|
||||||
return true
|
|
||||||
default:
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// No matching rule, use the parent.
|
|
||||||
return p.parent.PreparedQueryRead(prefix)
|
|
||||||
}
|
|
||||||
|
|
||||||
// PreparedQueryWrite checks if writing (creating, updating, or deleting) of a
|
|
||||||
// prepared query is allowed.
|
|
||||||
func (p *PolicyACL) PreparedQueryWrite(prefix string) bool {
|
|
||||||
// Check for an exact rule or catch-all
|
|
||||||
_, rule, ok := p.preparedQueryRules.LongestPrefix(prefix)
|
|
||||||
|
|
||||||
if ok {
|
|
||||||
switch rule {
|
|
||||||
case PolicyWrite:
|
|
||||||
return true
|
|
||||||
default:
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// No matching rule, use the parent.
|
|
||||||
return p.parent.PreparedQueryWrite(prefix)
|
|
||||||
}
|
|
||||||
|
|
||||||
// KeyringRead is used to determine if the keyring can be
|
// KeyringRead is used to determine if the keyring can be
|
||||||
// read by the current ACL token.
|
// read by the current ACL token.
|
||||||
func (p *PolicyACL) KeyringRead() bool {
|
func (p *PolicyACL) KeyringRead() bool {
|
||||||
|
@ -472,17 +413,76 @@ func (p *PolicyACL) OperatorWrite() bool {
|
||||||
return p.parent.OperatorWrite()
|
return p.parent.OperatorWrite()
|
||||||
}
|
}
|
||||||
|
|
||||||
// ACLList checks if listing of ACLs is allowed
|
// PreparedQueryRead checks if reading (listing) of a prepared query is
|
||||||
func (p *PolicyACL) ACLList() bool {
|
// allowed - this isn't execution, just listing its contents.
|
||||||
return p.parent.ACLList()
|
func (p *PolicyACL) PreparedQueryRead(prefix string) bool {
|
||||||
|
// Check for an exact rule or catch-all
|
||||||
|
_, rule, ok := p.preparedQueryRules.LongestPrefix(prefix)
|
||||||
|
|
||||||
|
if ok {
|
||||||
|
switch rule {
|
||||||
|
case PolicyRead, PolicyWrite:
|
||||||
|
return true
|
||||||
|
default:
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// No matching rule, use the parent.
|
||||||
|
return p.parent.PreparedQueryRead(prefix)
|
||||||
}
|
}
|
||||||
|
|
||||||
// ACLModify checks if modification of ACLs is allowed
|
// PreparedQueryWrite checks if writing (creating, updating, or deleting) of a
|
||||||
func (p *PolicyACL) ACLModify() bool {
|
// prepared query is allowed.
|
||||||
return p.parent.ACLModify()
|
func (p *PolicyACL) PreparedQueryWrite(prefix string) bool {
|
||||||
|
// Check for an exact rule or catch-all
|
||||||
|
_, rule, ok := p.preparedQueryRules.LongestPrefix(prefix)
|
||||||
|
|
||||||
|
if ok {
|
||||||
|
switch rule {
|
||||||
|
case PolicyWrite:
|
||||||
|
return true
|
||||||
|
default:
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// No matching rule, use the parent.
|
||||||
|
return p.parent.PreparedQueryWrite(prefix)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Snapshot checks if taking and restoring snapshots is allowed.
|
// ServiceRead checks if reading (discovery) of a service is allowed
|
||||||
func (p *PolicyACL) Snapshot() bool {
|
func (p *PolicyACL) ServiceRead(name string) bool {
|
||||||
return p.parent.Snapshot()
|
// Check for an exact rule or catch-all
|
||||||
|
_, rule, ok := p.serviceRules.LongestPrefix(name)
|
||||||
|
|
||||||
|
if ok {
|
||||||
|
switch rule {
|
||||||
|
case PolicyRead, PolicyWrite:
|
||||||
|
return true
|
||||||
|
default:
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// No matching rule, use the parent.
|
||||||
|
return p.parent.ServiceRead(name)
|
||||||
|
}
|
||||||
|
|
||||||
|
// ServiceWrite checks if writing (registering) a service is allowed
|
||||||
|
func (p *PolicyACL) ServiceWrite(name string) bool {
|
||||||
|
// Check for an exact rule or catch-all
|
||||||
|
_, rule, ok := p.serviceRules.LongestPrefix(name)
|
||||||
|
|
||||||
|
if ok {
|
||||||
|
switch rule {
|
||||||
|
case PolicyWrite:
|
||||||
|
return true
|
||||||
|
default:
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// No matching rule, use the parent.
|
||||||
|
return p.parent.ServiceWrite(name)
|
||||||
}
|
}
|
||||||
|
|
176
acl/acl_test.go
176
acl/acl_test.go
|
@ -35,17 +35,11 @@ func TestStaticACL(t *testing.T) {
|
||||||
t.Fatalf("expected static")
|
t.Fatalf("expected static")
|
||||||
}
|
}
|
||||||
|
|
||||||
if !all.KeyRead("foobar") {
|
if all.ACLList() {
|
||||||
t.Fatalf("should allow")
|
t.Fatalf("should not allow")
|
||||||
}
|
}
|
||||||
if !all.KeyWrite("foobar") {
|
if all.ACLModify() {
|
||||||
t.Fatalf("should allow")
|
t.Fatalf("should not allow")
|
||||||
}
|
|
||||||
if !all.ServiceRead("foobar") {
|
|
||||||
t.Fatalf("should allow")
|
|
||||||
}
|
|
||||||
if !all.ServiceWrite("foobar") {
|
|
||||||
t.Fatalf("should allow")
|
|
||||||
}
|
}
|
||||||
if !all.EventRead("foobar") {
|
if !all.EventRead("foobar") {
|
||||||
t.Fatalf("should allow")
|
t.Fatalf("should allow")
|
||||||
|
@ -53,10 +47,10 @@ func TestStaticACL(t *testing.T) {
|
||||||
if !all.EventWrite("foobar") {
|
if !all.EventWrite("foobar") {
|
||||||
t.Fatalf("should allow")
|
t.Fatalf("should allow")
|
||||||
}
|
}
|
||||||
if !all.PreparedQueryRead("foobar") {
|
if !all.KeyRead("foobar") {
|
||||||
t.Fatalf("should allow")
|
t.Fatalf("should allow")
|
||||||
}
|
}
|
||||||
if !all.PreparedQueryWrite("foobar") {
|
if !all.KeyWrite("foobar") {
|
||||||
t.Fatalf("should allow")
|
t.Fatalf("should allow")
|
||||||
}
|
}
|
||||||
if !all.KeyringRead() {
|
if !all.KeyringRead() {
|
||||||
|
@ -71,26 +65,26 @@ func TestStaticACL(t *testing.T) {
|
||||||
if !all.OperatorWrite() {
|
if !all.OperatorWrite() {
|
||||||
t.Fatalf("should allow")
|
t.Fatalf("should allow")
|
||||||
}
|
}
|
||||||
if all.ACLList() {
|
if !all.PreparedQueryRead("foobar") {
|
||||||
t.Fatalf("should not allow")
|
t.Fatalf("should allow")
|
||||||
}
|
}
|
||||||
if all.ACLModify() {
|
if !all.PreparedQueryWrite("foobar") {
|
||||||
t.Fatalf("should not allow")
|
t.Fatalf("should allow")
|
||||||
|
}
|
||||||
|
if !all.ServiceRead("foobar") {
|
||||||
|
t.Fatalf("should allow")
|
||||||
|
}
|
||||||
|
if !all.ServiceWrite("foobar") {
|
||||||
|
t.Fatalf("should allow")
|
||||||
}
|
}
|
||||||
if all.Snapshot() {
|
if all.Snapshot() {
|
||||||
t.Fatalf("should not allow")
|
t.Fatalf("should not allow")
|
||||||
}
|
}
|
||||||
|
|
||||||
if none.KeyRead("foobar") {
|
if none.ACLList() {
|
||||||
t.Fatalf("should not allow")
|
t.Fatalf("should not allow")
|
||||||
}
|
}
|
||||||
if none.KeyWrite("foobar") {
|
if none.ACLModify() {
|
||||||
t.Fatalf("should not allow")
|
|
||||||
}
|
|
||||||
if none.ServiceRead("foobar") {
|
|
||||||
t.Fatalf("should not allow")
|
|
||||||
}
|
|
||||||
if none.ServiceWrite("foobar") {
|
|
||||||
t.Fatalf("should not allow")
|
t.Fatalf("should not allow")
|
||||||
}
|
}
|
||||||
if none.EventRead("foobar") {
|
if none.EventRead("foobar") {
|
||||||
|
@ -105,10 +99,10 @@ func TestStaticACL(t *testing.T) {
|
||||||
if none.EventWrite("") {
|
if none.EventWrite("") {
|
||||||
t.Fatalf("should not allow")
|
t.Fatalf("should not allow")
|
||||||
}
|
}
|
||||||
if none.PreparedQueryRead("foobar") {
|
if none.KeyRead("foobar") {
|
||||||
t.Fatalf("should not allow")
|
t.Fatalf("should not allow")
|
||||||
}
|
}
|
||||||
if none.PreparedQueryWrite("foobar") {
|
if none.KeyWrite("foobar") {
|
||||||
t.Fatalf("should not allow")
|
t.Fatalf("should not allow")
|
||||||
}
|
}
|
||||||
if none.KeyringRead() {
|
if none.KeyringRead() {
|
||||||
|
@ -123,26 +117,26 @@ func TestStaticACL(t *testing.T) {
|
||||||
if none.OperatorWrite() {
|
if none.OperatorWrite() {
|
||||||
t.Fatalf("should not allow")
|
t.Fatalf("should not allow")
|
||||||
}
|
}
|
||||||
if none.ACLList() {
|
if none.PreparedQueryRead("foobar") {
|
||||||
t.Fatalf("should not allow")
|
t.Fatalf("should not allow")
|
||||||
}
|
}
|
||||||
if none.ACLModify() {
|
if none.PreparedQueryWrite("foobar") {
|
||||||
|
t.Fatalf("should not allow")
|
||||||
|
}
|
||||||
|
if none.ServiceRead("foobar") {
|
||||||
|
t.Fatalf("should not allow")
|
||||||
|
}
|
||||||
|
if none.ServiceWrite("foobar") {
|
||||||
t.Fatalf("should not allow")
|
t.Fatalf("should not allow")
|
||||||
}
|
}
|
||||||
if none.Snapshot() {
|
if none.Snapshot() {
|
||||||
t.Fatalf("should not allow")
|
t.Fatalf("should not allow")
|
||||||
}
|
}
|
||||||
|
|
||||||
if !manage.KeyRead("foobar") {
|
if !manage.ACLList() {
|
||||||
t.Fatalf("should allow")
|
t.Fatalf("should allow")
|
||||||
}
|
}
|
||||||
if !manage.KeyWrite("foobar") {
|
if !manage.ACLModify() {
|
||||||
t.Fatalf("should allow")
|
|
||||||
}
|
|
||||||
if !manage.ServiceRead("foobar") {
|
|
||||||
t.Fatalf("should allow")
|
|
||||||
}
|
|
||||||
if !manage.ServiceWrite("foobar") {
|
|
||||||
t.Fatalf("should allow")
|
t.Fatalf("should allow")
|
||||||
}
|
}
|
||||||
if !manage.EventRead("foobar") {
|
if !manage.EventRead("foobar") {
|
||||||
|
@ -151,10 +145,10 @@ func TestStaticACL(t *testing.T) {
|
||||||
if !manage.EventWrite("foobar") {
|
if !manage.EventWrite("foobar") {
|
||||||
t.Fatalf("should allow")
|
t.Fatalf("should allow")
|
||||||
}
|
}
|
||||||
if !manage.PreparedQueryRead("foobar") {
|
if !manage.KeyRead("foobar") {
|
||||||
t.Fatalf("should allow")
|
t.Fatalf("should allow")
|
||||||
}
|
}
|
||||||
if !manage.PreparedQueryWrite("foobar") {
|
if !manage.KeyWrite("foobar") {
|
||||||
t.Fatalf("should allow")
|
t.Fatalf("should allow")
|
||||||
}
|
}
|
||||||
if !manage.KeyringRead() {
|
if !manage.KeyringRead() {
|
||||||
|
@ -169,10 +163,16 @@ func TestStaticACL(t *testing.T) {
|
||||||
if !manage.OperatorWrite() {
|
if !manage.OperatorWrite() {
|
||||||
t.Fatalf("should allow")
|
t.Fatalf("should allow")
|
||||||
}
|
}
|
||||||
if !manage.ACLList() {
|
if !manage.PreparedQueryRead("foobar") {
|
||||||
t.Fatalf("should allow")
|
t.Fatalf("should allow")
|
||||||
}
|
}
|
||||||
if !manage.ACLModify() {
|
if !manage.PreparedQueryWrite("foobar") {
|
||||||
|
t.Fatalf("should allow")
|
||||||
|
}
|
||||||
|
if !manage.ServiceRead("foobar") {
|
||||||
|
t.Fatalf("should allow")
|
||||||
|
}
|
||||||
|
if !manage.ServiceWrite("foobar") {
|
||||||
t.Fatalf("should allow")
|
t.Fatalf("should allow")
|
||||||
}
|
}
|
||||||
if !manage.Snapshot() {
|
if !manage.Snapshot() {
|
||||||
|
@ -183,6 +183,20 @@ func TestStaticACL(t *testing.T) {
|
||||||
func TestPolicyACL(t *testing.T) {
|
func TestPolicyACL(t *testing.T) {
|
||||||
all := AllowAll()
|
all := AllowAll()
|
||||||
policy := &Policy{
|
policy := &Policy{
|
||||||
|
Events: []*EventPolicy{
|
||||||
|
&EventPolicy{
|
||||||
|
Event: "",
|
||||||
|
Policy: PolicyRead,
|
||||||
|
},
|
||||||
|
&EventPolicy{
|
||||||
|
Event: "foo",
|
||||||
|
Policy: PolicyWrite,
|
||||||
|
},
|
||||||
|
&EventPolicy{
|
||||||
|
Event: "bar",
|
||||||
|
Policy: PolicyDeny,
|
||||||
|
},
|
||||||
|
},
|
||||||
Keys: []*KeyPolicy{
|
Keys: []*KeyPolicy{
|
||||||
&KeyPolicy{
|
&KeyPolicy{
|
||||||
Prefix: "foo/",
|
Prefix: "foo/",
|
||||||
|
@ -201,38 +215,6 @@ func TestPolicyACL(t *testing.T) {
|
||||||
Policy: PolicyRead,
|
Policy: PolicyRead,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Services: []*ServicePolicy{
|
|
||||||
&ServicePolicy{
|
|
||||||
Name: "",
|
|
||||||
Policy: PolicyWrite,
|
|
||||||
},
|
|
||||||
&ServicePolicy{
|
|
||||||
Name: "foo",
|
|
||||||
Policy: PolicyRead,
|
|
||||||
},
|
|
||||||
&ServicePolicy{
|
|
||||||
Name: "bar",
|
|
||||||
Policy: PolicyDeny,
|
|
||||||
},
|
|
||||||
&ServicePolicy{
|
|
||||||
Name: "barfoo",
|
|
||||||
Policy: PolicyWrite,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
Events: []*EventPolicy{
|
|
||||||
&EventPolicy{
|
|
||||||
Event: "",
|
|
||||||
Policy: PolicyRead,
|
|
||||||
},
|
|
||||||
&EventPolicy{
|
|
||||||
Event: "foo",
|
|
||||||
Policy: PolicyWrite,
|
|
||||||
},
|
|
||||||
&EventPolicy{
|
|
||||||
Event: "bar",
|
|
||||||
Policy: PolicyDeny,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
PreparedQueries: []*PreparedQueryPolicy{
|
PreparedQueries: []*PreparedQueryPolicy{
|
||||||
&PreparedQueryPolicy{
|
&PreparedQueryPolicy{
|
||||||
Prefix: "",
|
Prefix: "",
|
||||||
|
@ -251,6 +233,24 @@ func TestPolicyACL(t *testing.T) {
|
||||||
Policy: PolicyWrite,
|
Policy: PolicyWrite,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
Services: []*ServicePolicy{
|
||||||
|
&ServicePolicy{
|
||||||
|
Name: "",
|
||||||
|
Policy: PolicyWrite,
|
||||||
|
},
|
||||||
|
&ServicePolicy{
|
||||||
|
Name: "foo",
|
||||||
|
Policy: PolicyRead,
|
||||||
|
},
|
||||||
|
&ServicePolicy{
|
||||||
|
Name: "bar",
|
||||||
|
Policy: PolicyDeny,
|
||||||
|
},
|
||||||
|
&ServicePolicy{
|
||||||
|
Name: "barfoo",
|
||||||
|
Policy: PolicyWrite,
|
||||||
|
},
|
||||||
|
},
|
||||||
}
|
}
|
||||||
acl, err := New(all, policy)
|
acl, err := New(all, policy)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -369,16 +369,6 @@ func TestPolicyACL_Parent(t *testing.T) {
|
||||||
Policy: PolicyRead,
|
Policy: PolicyRead,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Services: []*ServicePolicy{
|
|
||||||
&ServicePolicy{
|
|
||||||
Name: "other",
|
|
||||||
Policy: PolicyWrite,
|
|
||||||
},
|
|
||||||
&ServicePolicy{
|
|
||||||
Name: "foo",
|
|
||||||
Policy: PolicyRead,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
PreparedQueries: []*PreparedQueryPolicy{
|
PreparedQueries: []*PreparedQueryPolicy{
|
||||||
&PreparedQueryPolicy{
|
&PreparedQueryPolicy{
|
||||||
Prefix: "other",
|
Prefix: "other",
|
||||||
|
@ -389,6 +379,16 @@ func TestPolicyACL_Parent(t *testing.T) {
|
||||||
Policy: PolicyRead,
|
Policy: PolicyRead,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
Services: []*ServicePolicy{
|
||||||
|
&ServicePolicy{
|
||||||
|
Name: "other",
|
||||||
|
Policy: PolicyWrite,
|
||||||
|
},
|
||||||
|
&ServicePolicy{
|
||||||
|
Name: "foo",
|
||||||
|
Policy: PolicyRead,
|
||||||
|
},
|
||||||
|
},
|
||||||
}
|
}
|
||||||
root, err := New(deny, policyRoot)
|
root, err := New(deny, policyRoot)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -410,18 +410,18 @@ func TestPolicyACL_Parent(t *testing.T) {
|
||||||
Policy: PolicyRead,
|
Policy: PolicyRead,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Services: []*ServicePolicy{
|
|
||||||
&ServicePolicy{
|
|
||||||
Name: "bar",
|
|
||||||
Policy: PolicyDeny,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
PreparedQueries: []*PreparedQueryPolicy{
|
PreparedQueries: []*PreparedQueryPolicy{
|
||||||
&PreparedQueryPolicy{
|
&PreparedQueryPolicy{
|
||||||
Prefix: "bar",
|
Prefix: "bar",
|
||||||
Policy: PolicyDeny,
|
Policy: PolicyDeny,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
Services: []*ServicePolicy{
|
||||||
|
&ServicePolicy{
|
||||||
|
Name: "bar",
|
||||||
|
Policy: PolicyDeny,
|
||||||
|
},
|
||||||
|
},
|
||||||
}
|
}
|
||||||
acl, err := New(root, policy)
|
acl, err := New(root, policy)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
@ -8,6 +8,15 @@ import (
|
||||||
|
|
||||||
func TestACLPolicy_Parse_HCL(t *testing.T) {
|
func TestACLPolicy_Parse_HCL(t *testing.T) {
|
||||||
inp := `
|
inp := `
|
||||||
|
event "" {
|
||||||
|
policy = "read"
|
||||||
|
}
|
||||||
|
event "foo" {
|
||||||
|
policy = "write"
|
||||||
|
}
|
||||||
|
event "bar" {
|
||||||
|
policy = "deny"
|
||||||
|
}
|
||||||
key "" {
|
key "" {
|
||||||
policy = "read"
|
policy = "read"
|
||||||
}
|
}
|
||||||
|
@ -20,21 +29,14 @@ key "foo/bar/" {
|
||||||
key "foo/bar/baz" {
|
key "foo/bar/baz" {
|
||||||
policy = "deny"
|
policy = "deny"
|
||||||
}
|
}
|
||||||
|
keyring = "deny"
|
||||||
|
operator = "deny"
|
||||||
service "" {
|
service "" {
|
||||||
policy = "write"
|
policy = "write"
|
||||||
}
|
}
|
||||||
service "foo" {
|
service "foo" {
|
||||||
policy = "read"
|
policy = "read"
|
||||||
}
|
}
|
||||||
event "" {
|
|
||||||
policy = "read"
|
|
||||||
}
|
|
||||||
event "foo" {
|
|
||||||
policy = "write"
|
|
||||||
}
|
|
||||||
event "bar" {
|
|
||||||
policy = "deny"
|
|
||||||
}
|
|
||||||
query "" {
|
query "" {
|
||||||
policy = "read"
|
policy = "read"
|
||||||
}
|
}
|
||||||
|
@ -44,10 +46,23 @@ query "foo" {
|
||||||
query "bar" {
|
query "bar" {
|
||||||
policy = "deny"
|
policy = "deny"
|
||||||
}
|
}
|
||||||
keyring = "deny"
|
|
||||||
operator = "deny"
|
|
||||||
`
|
`
|
||||||
exp := &Policy{
|
exp := &Policy{
|
||||||
|
Events: []*EventPolicy{
|
||||||
|
&EventPolicy{
|
||||||
|
Event: "",
|
||||||
|
Policy: PolicyRead,
|
||||||
|
},
|
||||||
|
&EventPolicy{
|
||||||
|
Event: "foo",
|
||||||
|
Policy: PolicyWrite,
|
||||||
|
},
|
||||||
|
&EventPolicy{
|
||||||
|
Event: "bar",
|
||||||
|
Policy: PolicyDeny,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
Keyring: PolicyDeny,
|
||||||
Keys: []*KeyPolicy{
|
Keys: []*KeyPolicy{
|
||||||
&KeyPolicy{
|
&KeyPolicy{
|
||||||
Prefix: "",
|
Prefix: "",
|
||||||
|
@ -66,30 +81,7 @@ operator = "deny"
|
||||||
Policy: PolicyDeny,
|
Policy: PolicyDeny,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Services: []*ServicePolicy{
|
Operator: PolicyDeny,
|
||||||
&ServicePolicy{
|
|
||||||
Name: "",
|
|
||||||
Policy: PolicyWrite,
|
|
||||||
},
|
|
||||||
&ServicePolicy{
|
|
||||||
Name: "foo",
|
|
||||||
Policy: PolicyRead,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
Events: []*EventPolicy{
|
|
||||||
&EventPolicy{
|
|
||||||
Event: "",
|
|
||||||
Policy: PolicyRead,
|
|
||||||
},
|
|
||||||
&EventPolicy{
|
|
||||||
Event: "foo",
|
|
||||||
Policy: PolicyWrite,
|
|
||||||
},
|
|
||||||
&EventPolicy{
|
|
||||||
Event: "bar",
|
|
||||||
Policy: PolicyDeny,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
PreparedQueries: []*PreparedQueryPolicy{
|
PreparedQueries: []*PreparedQueryPolicy{
|
||||||
&PreparedQueryPolicy{
|
&PreparedQueryPolicy{
|
||||||
Prefix: "",
|
Prefix: "",
|
||||||
|
@ -104,8 +96,16 @@ operator = "deny"
|
||||||
Policy: PolicyDeny,
|
Policy: PolicyDeny,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Keyring: PolicyDeny,
|
Services: []*ServicePolicy{
|
||||||
Operator: PolicyDeny,
|
&ServicePolicy{
|
||||||
|
Name: "",
|
||||||
|
Policy: PolicyWrite,
|
||||||
|
},
|
||||||
|
&ServicePolicy{
|
||||||
|
Name: "foo",
|
||||||
|
Policy: PolicyRead,
|
||||||
|
},
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
out, err := Parse(inp)
|
out, err := Parse(inp)
|
||||||
|
@ -120,6 +120,17 @@ operator = "deny"
|
||||||
|
|
||||||
func TestACLPolicy_Parse_JSON(t *testing.T) {
|
func TestACLPolicy_Parse_JSON(t *testing.T) {
|
||||||
inp := `{
|
inp := `{
|
||||||
|
"event": {
|
||||||
|
"": {
|
||||||
|
"policy": "read"
|
||||||
|
},
|
||||||
|
"foo": {
|
||||||
|
"policy": "write"
|
||||||
|
},
|
||||||
|
"bar": {
|
||||||
|
"policy": "deny"
|
||||||
|
}
|
||||||
|
},
|
||||||
"key": {
|
"key": {
|
||||||
"": {
|
"": {
|
||||||
"policy": "read"
|
"policy": "read"
|
||||||
|
@ -134,25 +145,8 @@ func TestACLPolicy_Parse_JSON(t *testing.T) {
|
||||||
"policy": "deny"
|
"policy": "deny"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"service": {
|
"keyring": "deny",
|
||||||
"": {
|
"operator": "deny",
|
||||||
"policy": "write"
|
|
||||||
},
|
|
||||||
"foo": {
|
|
||||||
"policy": "read"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"event": {
|
|
||||||
"": {
|
|
||||||
"policy": "read"
|
|
||||||
},
|
|
||||||
"foo": {
|
|
||||||
"policy": "write"
|
|
||||||
},
|
|
||||||
"bar": {
|
|
||||||
"policy": "deny"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"query": {
|
"query": {
|
||||||
"": {
|
"": {
|
||||||
"policy": "read"
|
"policy": "read"
|
||||||
|
@ -164,10 +158,31 @@ func TestACLPolicy_Parse_JSON(t *testing.T) {
|
||||||
"policy": "deny"
|
"policy": "deny"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"keyring": "deny",
|
"service": {
|
||||||
"operator": "deny"
|
"": {
|
||||||
|
"policy": "write"
|
||||||
|
},
|
||||||
|
"foo": {
|
||||||
|
"policy": "read"
|
||||||
|
}
|
||||||
|
}
|
||||||
}`
|
}`
|
||||||
exp := &Policy{
|
exp := &Policy{
|
||||||
|
Events: []*EventPolicy{
|
||||||
|
&EventPolicy{
|
||||||
|
Event: "",
|
||||||
|
Policy: PolicyRead,
|
||||||
|
},
|
||||||
|
&EventPolicy{
|
||||||
|
Event: "foo",
|
||||||
|
Policy: PolicyWrite,
|
||||||
|
},
|
||||||
|
&EventPolicy{
|
||||||
|
Event: "bar",
|
||||||
|
Policy: PolicyDeny,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
Keyring: PolicyDeny,
|
||||||
Keys: []*KeyPolicy{
|
Keys: []*KeyPolicy{
|
||||||
&KeyPolicy{
|
&KeyPolicy{
|
||||||
Prefix: "",
|
Prefix: "",
|
||||||
|
@ -186,30 +201,7 @@ func TestACLPolicy_Parse_JSON(t *testing.T) {
|
||||||
Policy: PolicyDeny,
|
Policy: PolicyDeny,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Services: []*ServicePolicy{
|
Operator: PolicyDeny,
|
||||||
&ServicePolicy{
|
|
||||||
Name: "",
|
|
||||||
Policy: PolicyWrite,
|
|
||||||
},
|
|
||||||
&ServicePolicy{
|
|
||||||
Name: "foo",
|
|
||||||
Policy: PolicyRead,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
Events: []*EventPolicy{
|
|
||||||
&EventPolicy{
|
|
||||||
Event: "",
|
|
||||||
Policy: PolicyRead,
|
|
||||||
},
|
|
||||||
&EventPolicy{
|
|
||||||
Event: "foo",
|
|
||||||
Policy: PolicyWrite,
|
|
||||||
},
|
|
||||||
&EventPolicy{
|
|
||||||
Event: "bar",
|
|
||||||
Policy: PolicyDeny,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
PreparedQueries: []*PreparedQueryPolicy{
|
PreparedQueries: []*PreparedQueryPolicy{
|
||||||
&PreparedQueryPolicy{
|
&PreparedQueryPolicy{
|
||||||
Prefix: "",
|
Prefix: "",
|
||||||
|
@ -224,8 +216,16 @@ func TestACLPolicy_Parse_JSON(t *testing.T) {
|
||||||
Policy: PolicyDeny,
|
Policy: PolicyDeny,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Keyring: PolicyDeny,
|
Services: []*ServicePolicy{
|
||||||
Operator: PolicyDeny,
|
&ServicePolicy{
|
||||||
|
Name: "",
|
||||||
|
Policy: PolicyWrite,
|
||||||
|
},
|
||||||
|
&ServicePolicy{
|
||||||
|
Name: "foo",
|
||||||
|
Policy: PolicyRead,
|
||||||
|
},
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
out, err := Parse(inp)
|
out, err := Parse(inp)
|
||||||
|
@ -276,12 +276,12 @@ operator = ""
|
||||||
|
|
||||||
func TestACLPolicy_Bad_Policy(t *testing.T) {
|
func TestACLPolicy_Bad_Policy(t *testing.T) {
|
||||||
cases := []string{
|
cases := []string{
|
||||||
`key "" { policy = "nope" }`,
|
|
||||||
`service "" { policy = "nope" }`,
|
|
||||||
`event "" { policy = "nope" }`,
|
`event "" { policy = "nope" }`,
|
||||||
`query "" { policy = "nope" }`,
|
`key "" { policy = "nope" }`,
|
||||||
`keyring = "nope"`,
|
`keyring = "nope"`,
|
||||||
`operator = "nope"`,
|
`operator = "nope"`,
|
||||||
|
`query "" { policy = "nope" }`,
|
||||||
|
`service "" { policy = "nope" }`,
|
||||||
}
|
}
|
||||||
for _, c := range cases {
|
for _, c := range cases {
|
||||||
_, err := Parse(c)
|
_, err := Parse(c)
|
||||||
|
|
Loading…
Reference in New Issue