consul: Filter keys, refactor to interface

This commit is contained in:
Armon Dadgar 2014-08-13 11:31:23 -07:00
parent 614b0a1414
commit f49d34d0e3
2 changed files with 99 additions and 18 deletions

View File

@ -5,35 +5,85 @@ import (
"github.com/hashicorp/consul/consul/structs"
)
func FilterDirEnt(acl acl.ACL, ent structs.DirEntries) structs.DirEntries {
// Remove any keys blocked by ACLs
removed := 0
for i := 0; i < len(ent); i++ {
if !acl.KeyRead(ent[i].Key) {
ent[i] = nil
removed++
}
}
type dirEntFilter struct {
acl acl.ACL
ent structs.DirEntries
}
func (d *dirEntFilter) Len() int {
return len(d.ent)
}
func (d *dirEntFilter) Filter(i int) bool {
return !d.acl.KeyRead(d.ent[i].Key)
}
func (d *dirEntFilter) Move(dst, src, span int) {
copy(d.ent[dst:dst+span], d.ent[src:src+span])
}
// FilterDirEnt is used to filter a list of directory entries
// by applying an ACL policy
func FilterDirEnt(acl acl.ACL, ent structs.DirEntries) structs.DirEntries {
df := dirEntFilter{acl: acl, ent: ent}
return ent[:FilterEntries(&df)]
}
type keyFilter struct {
acl acl.ACL
keys []string
}
func (k *keyFilter) Len() int {
return len(k.keys)
}
func (k *keyFilter) Filter(i int) bool {
return !k.acl.KeyRead(k.keys[i])
}
func (k *keyFilter) Move(dst, src, span int) {
copy(k.keys[dst:dst+span], k.keys[src:src+span])
}
// FilterKeys is used to filter a list of keys by
// applying an ACL policy
func FilterKeys(acl acl.ACL, keys []string) []string {
kf := keyFilter{acl: acl, keys: keys}
return keys[:FilterEntries(&kf)]
}
// Filter interfae is used with FilterEntries to do an
// in-place filter of a slice.
type Filter interface {
Len() int
Filter(int) bool
Move(dst, src, span int)
}
// FilterEntries is used to do an inplace filter of
// a slice. This has cost proportional to the list length.
func FilterEntries(f Filter) int {
// Compact the list
dst := 0
src := 0
n := len(ent) - removed
n := f.Len()
for dst < n {
for ent[src] == nil && src < n {
for src < n && f.Filter(src) {
src++
}
if src == n {
break
}
end := src + 1
for ent[end] != nil && end < n {
for end < n && !f.Filter(end) {
end++
}
span := end - src
copy(ent[dst:dst+span], ent[src:src+span])
dst += span
src += span
if span > 0 {
f.Move(dst, src, span)
dst += span
src += span
}
}
// Trim the entries
ent = ent[:n]
return ent
// Return the size of the slice
return dst
}

View File

@ -49,6 +49,37 @@ func TestFilterDirEnt(t *testing.T) {
}
}
func TestKeys(t *testing.T) {
policy, _ := acl.Parse(testFilterRules)
aclR, _ := acl.New(acl.DenyAll(), policy)
type tcase struct {
in []string
out []string
}
cases := []tcase{
tcase{
in: []string{"foo/test", "foo/priv/nope", "foo/other", "zoo"},
out: []string{"foo/test", "foo/other"},
},
tcase{
in: []string{"abe", "lincoln"},
out: nil,
},
tcase{
in: []string{"abe", "foo/1", "foo/2", "foo/3", "nope"},
out: []string{"foo/1", "foo/2", "foo/3"},
},
}
for _, tc := range cases {
out := FilterKeys(aclR, tc.in)
if !reflect.DeepEqual(out, tc.out) {
t.Fatalf("bad: %#v %#v", out, tc.out)
}
}
}
var testFilterRules = `
key "" {
policy = "deny"