acl: rename acl.Authorizer vars to authz

For consistency
This commit is contained in:
Daniel Nephin 2021-08-04 18:36:48 -04:00
parent 4f5477ccfa
commit c0100543d0
2 changed files with 16 additions and 16 deletions

View File

@ -227,7 +227,7 @@ func (c *Catalog) Register(args *structs.RegisterRequest, reply *struct{}) error
// worst let a service update revert a recent node update, so it doesn't open up // worst let a service update revert a recent node update, so it doesn't open up
// too much abuse). // too much abuse).
func vetRegisterWithACL( func vetRegisterWithACL(
rule acl.Authorizer, authz acl.Authorizer,
subj *structs.RegisterRequest, subj *structs.RegisterRequest,
ns *structs.NodeServices, ns *structs.NodeServices,
) error { ) error {
@ -239,7 +239,7 @@ func vetRegisterWithACL(
// privileges. // privileges.
needsNode := ns == nil || subj.ChangesNode(ns.Node) needsNode := ns == nil || subj.ChangesNode(ns.Node)
if needsNode && rule.NodeWrite(subj.Node, &authzContext) != acl.Allow { if needsNode && authz.NodeWrite(subj.Node, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied return acl.ErrPermissionDenied
} }
@ -247,7 +247,7 @@ func vetRegisterWithACL(
// the given service, and that we can write to any existing service that // the given service, and that we can write to any existing service that
// is being modified by id (if any). // is being modified by id (if any).
if subj.Service != nil { if subj.Service != nil {
if rule.ServiceWrite(subj.Service.Service, &authzContext) != acl.Allow { if authz.ServiceWrite(subj.Service.Service, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied return acl.ErrPermissionDenied
} }
@ -261,7 +261,7 @@ func vetRegisterWithACL(
var secondaryCtx acl.AuthorizerContext var secondaryCtx acl.AuthorizerContext
other.FillAuthzContext(&secondaryCtx) other.FillAuthzContext(&secondaryCtx)
if rule.ServiceWrite(other.Service, &secondaryCtx) != acl.Allow { if authz.ServiceWrite(other.Service, &secondaryCtx) != acl.Allow {
return acl.ErrPermissionDenied return acl.ErrPermissionDenied
} }
} }
@ -291,7 +291,7 @@ func vetRegisterWithACL(
// Node-level check. // Node-level check.
if check.ServiceID == "" { if check.ServiceID == "" {
if rule.NodeWrite(subj.Node, &authzContext) != acl.Allow { if authz.NodeWrite(subj.Node, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied return acl.ErrPermissionDenied
} }
continue continue
@ -322,7 +322,7 @@ func vetRegisterWithACL(
var secondaryCtx acl.AuthorizerContext var secondaryCtx acl.AuthorizerContext
other.FillAuthzContext(&secondaryCtx) other.FillAuthzContext(&secondaryCtx)
if rule.ServiceWrite(other.Service, &secondaryCtx) != acl.Allow { if authz.ServiceWrite(other.Service, &secondaryCtx) != acl.Allow {
return acl.ErrPermissionDenied return acl.ErrPermissionDenied
} }
} }
@ -385,7 +385,7 @@ func (c *Catalog) Deregister(args *structs.DeregisterRequest, reply *struct{}) e
// endpoint. The NodeService for the referenced service must be supplied, and can // endpoint. The NodeService for the referenced service must be supplied, and can
// be nil; similar for the HealthCheck for the referenced health check. // be nil; similar for the HealthCheck for the referenced health check.
func vetDeregisterWithACL( func vetDeregisterWithACL(
rule acl.Authorizer, authz acl.Authorizer,
subj *structs.DeregisterRequest, subj *structs.DeregisterRequest,
ns *structs.NodeService, ns *structs.NodeService,
nc *structs.HealthCheck, nc *structs.HealthCheck,
@ -400,7 +400,7 @@ func vetDeregisterWithACL(
// Allow service deregistration if the token has write permission for the node. // Allow service deregistration if the token has write permission for the node.
// This accounts for cases where the agent no longer has a token with write permission // This accounts for cases where the agent no longer has a token with write permission
// on the service to deregister it. // on the service to deregister it.
if rule.NodeWrite(subj.Node, &authzContext) == acl.Allow { if authz.NodeWrite(subj.Node, &authzContext) == acl.Allow {
return nil return nil
} }
@ -415,7 +415,7 @@ func vetDeregisterWithACL(
ns.FillAuthzContext(&authzContext) ns.FillAuthzContext(&authzContext)
if rule.ServiceWrite(ns.Service, &authzContext) != acl.Allow { if authz.ServiceWrite(ns.Service, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied return acl.ErrPermissionDenied
} }
} else if subj.CheckID != "" { } else if subj.CheckID != "" {
@ -426,11 +426,11 @@ func vetDeregisterWithACL(
nc.FillAuthzContext(&authzContext) nc.FillAuthzContext(&authzContext)
if nc.ServiceID != "" { if nc.ServiceID != "" {
if rule.ServiceWrite(nc.ServiceName, &authzContext) != acl.Allow { if authz.ServiceWrite(nc.ServiceName, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied return acl.ErrPermissionDenied
} }
} else { } else {
if rule.NodeWrite(subj.Node, &authzContext) != acl.Allow { if authz.NodeWrite(subj.Node, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied return acl.ErrPermissionDenied
} }
} }

View File

@ -109,29 +109,29 @@ func (t *Txn) preCheck(authorizer acl.Authorizer, ops structs.TxnOps) structs.Tx
} }
// vetNodeTxnOp applies the given ACL policy to a node transaction operation. // vetNodeTxnOp applies the given ACL policy to a node transaction operation.
func vetNodeTxnOp(op *structs.TxnNodeOp, rule acl.Authorizer) error { func vetNodeTxnOp(op *structs.TxnNodeOp, authz acl.Authorizer) error {
var authzContext acl.AuthorizerContext var authzContext acl.AuthorizerContext
op.FillAuthzContext(&authzContext) op.FillAuthzContext(&authzContext)
if rule.NodeWrite(op.Node.Node, &authzContext) != acl.Allow { if authz.NodeWrite(op.Node.Node, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied return acl.ErrPermissionDenied
} }
return nil return nil
} }
// vetCheckTxnOp applies the given ACL policy to a check transaction operation. // vetCheckTxnOp applies the given ACL policy to a check transaction operation.
func vetCheckTxnOp(op *structs.TxnCheckOp, rule acl.Authorizer) error { func vetCheckTxnOp(op *structs.TxnCheckOp, authz acl.Authorizer) error {
var authzContext acl.AuthorizerContext var authzContext acl.AuthorizerContext
op.FillAuthzContext(&authzContext) op.FillAuthzContext(&authzContext)
if op.Check.ServiceID == "" { if op.Check.ServiceID == "" {
// Node-level check. // Node-level check.
if rule.NodeWrite(op.Check.Node, &authzContext) != acl.Allow { if authz.NodeWrite(op.Check.Node, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied return acl.ErrPermissionDenied
} }
} else { } else {
// Service-level check. // Service-level check.
if rule.ServiceWrite(op.Check.ServiceName, &authzContext) != acl.Allow { if authz.ServiceWrite(op.Check.ServiceName, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied return acl.ErrPermissionDenied
} }
} }