status-im
/
consul
mirror of https://github.com/status-im/consul.git
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

Adds a new management ACL for prepared queries.

This commit is contained in:
James Phillips 2015-11-04 15:16:21 -08:00
parent ff351b289a
commit ce0881a99a
2 changed files with 56 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
acl/acl.go
View File

@ -70,6 +70,12 @@ type ACL interface {
// ACLModify checks for permission to manipulate ACLs // ACLModify checks for permission to manipulate ACLs
ACLModify() bool ACLModify() bool
// QueryList checks for permission to list all the prepared queries.
QueryList() bool
// QueryModify checks for permission to modify any prepared query.
QueryModify() bool
} }
// StaticACL is used to implement a base ACL policy. It either // StaticACL is used to implement a base ACL policy. It either
@ -124,6 +130,14 @@ func (s *StaticACL) ACLModify() bool {
return s.allowManage return s.allowManage
} }
func (s *StaticACL) QueryList() bool {
return s.allowManage
}
func (s *StaticACL) QueryModify() bool {
return s.allowManage
}
// AllowAll returns an ACL rule that allows all operations // AllowAll returns an ACL rule that allows all operations
func AllowAll() ACL { func AllowAll() ACL {
return allowAll return allowAll
@ -374,3 +388,13 @@ func (p *PolicyACL) ACLList() bool {
func (p *PolicyACL) ACLModify() bool { func (p *PolicyACL) ACLModify() bool {
return p.parent.ACLModify() return p.parent.ACLModify()
} }
// QueryList checks if listing of all prepared queries is allowed.
func (p *PolicyACL) QueryList() bool {
return p.parent.QueryList()
}
// QueryModify checks if modifying of any prepared query is allowed.
func (p *PolicyACL) QueryModify() bool {
return p.parent.QueryModify()
}

32
acl/acl_test.go
View File

@ -65,6 +65,12 @@ func TestStaticACL(t *testing.T) {
if all.ACLModify() { if all.ACLModify() {
t.Fatalf("should not allow") t.Fatalf("should not allow")
} }
if all.QueryList() {
t.Fatalf("should not allow")
}
if all.QueryModify() {
t.Fatalf("should not allow")
}
if none.KeyRead("foobar") { if none.KeyRead("foobar") {
t.Fatalf("should not allow") t.Fatalf("should not allow")
@ -102,6 +108,12 @@ func TestStaticACL(t *testing.T) {
if none.ACLModify() { if none.ACLModify() {
t.Fatalf("should not allow") t.Fatalf("should not allow")
} }
if none.QueryList() {
t.Fatalf("should not allow")
}
if none.QueryModify() {
t.Fatalf("should not allow")
}
if !manage.KeyRead("foobar") { if !manage.KeyRead("foobar") {
t.Fatalf("should allow") t.Fatalf("should allow")
@ -133,6 +145,12 @@ func TestStaticACL(t *testing.T) {
if !manage.ACLModify() { if !manage.ACLModify() {
t.Fatalf("should allow") t.Fatalf("should allow")
} }
if !manage.QueryList() {
t.Fatalf("should allow")
}
if !manage.QueryModify() {
t.Fatalf("should allow")
}
} }
func TestPolicyACL(t *testing.T) { func TestPolicyACL(t *testing.T) {
@ -369,6 +387,20 @@ func TestPolicyACL_Parent(t *testing.T) {
t.Fatalf("Write fail: %#v", c) t.Fatalf("Write fail: %#v", c)
} }
} }
// Check some management functions that chain up
if acl.ACLList() {
t.Fatalf("should not allow")
}
if acl.ACLModify() {
t.Fatalf("should not allow")
}
if acl.QueryList() {
t.Fatalf("should not allow")
}
if acl.QueryModify() {
t.Fatalf("should not allow")
}
} }
func TestPolicyACL_Keyring(t *testing.T) { func TestPolicyACL_Keyring(t *testing.T) {