2014-08-06 22:08:17 +00:00
|
|
|
package acl
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"github.com/armon/go-radix"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
var (
|
2014-08-12 22:09:01 +00:00
|
|
|
// allowAll is a singleton policy which allows all
|
|
|
|
|
// non-management actions
|
2014-08-06 22:08:17 +00:00
|
|
|
allowAll ACL
|
|
|
|
|
|
|
|
|
|
// denyAll is a singleton policy which denies all actions
|
|
|
|
|
denyAll ACL
|
2014-08-12 22:09:01 +00:00
|
|
|
|
|
|
|
|
// manageAll is a singleton policy which allows all
|
|
|
|
|
// actions, including management
|
|
|
|
|
manageAll ACL
|
2014-08-06 22:08:17 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func init() {
|
|
|
|
|
// Setup the singletons
|
2014-08-12 22:09:01 +00:00
|
|
|
allowAll = &StaticACL{
|
|
|
|
|
allowManage: false,
|
|
|
|
|
defaultAllow: true,
|
|
|
|
|
}
|
|
|
|
|
denyAll = &StaticACL{
|
|
|
|
|
allowManage: false,
|
|
|
|
|
defaultAllow: false,
|
|
|
|
|
}
|
|
|
|
|
manageAll = &StaticACL{
|
|
|
|
|
allowManage: true,
|
|
|
|
|
defaultAllow: true,
|
|
|
|
|
}
|
2014-08-06 22:08:17 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// ACL is the interface for policy enforcement.
|
|
|
|
|
type ACL interface {
|
|
|
|
|
KeyRead(string) bool
|
|
|
|
|
KeyWrite(string) bool
|
2014-08-12 22:09:01 +00:00
|
|
|
ACLList() bool
|
|
|
|
|
ACLModify() bool
|
2014-08-06 22:08:17 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// StaticACL is used to implement a base ACL policy. It either
|
|
|
|
|
// allows or denies all requests. This can be used as a parent
|
|
|
|
|
// ACL to act in a blacklist or whitelist mode.
|
|
|
|
|
type StaticACL struct {
|
2014-08-12 22:09:01 +00:00
|
|
|
allowManage bool
|
2014-08-06 22:08:17 +00:00
|
|
|
defaultAllow bool
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (s *StaticACL) KeyRead(string) bool {
|
|
|
|
|
return s.defaultAllow
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (s *StaticACL) KeyWrite(string) bool {
|
|
|
|
|
return s.defaultAllow
|
|
|
|
|
}
|
|
|
|
|
|
2014-08-12 22:09:01 +00:00
|
|
|
func (s *StaticACL) ACLList() bool {
|
|
|
|
|
return s.allowManage
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (s *StaticACL) ACLModify() bool {
|
|
|
|
|
return s.allowManage
|
|
|
|
|
}
|
|
|
|
|
|
2014-08-06 22:08:17 +00:00
|
|
|
// AllowAll returns an ACL rule that allows all operations
|
|
|
|
|
func AllowAll() ACL {
|
|
|
|
|
return allowAll
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// DenyAll returns an ACL rule that denies all operations
|
|
|
|
|
func DenyAll() ACL {
|
|
|
|
|
return denyAll
|
|
|
|
|
}
|
|
|
|
|
|
2014-08-12 22:09:01 +00:00
|
|
|
// ManageAll returns an ACL rule that can manage all resources
|
|
|
|
|
func ManageAll() ACL {
|
|
|
|
|
return manageAll
|
|
|
|
|
}
|
|
|
|
|
|
2014-08-12 17:35:27 +00:00
|
|
|
// RootACL returns a possible ACL if the ID matches a root policy
|
|
|
|
|
func RootACL(id string) ACL {
|
|
|
|
|
switch id {
|
|
|
|
|
case "allow":
|
|
|
|
|
return allowAll
|
|
|
|
|
case "deny":
|
|
|
|
|
return denyAll
|
2014-08-12 22:09:01 +00:00
|
|
|
case "manage":
|
|
|
|
|
return manageAll
|
2014-08-12 17:35:27 +00:00
|
|
|
default:
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2014-08-06 22:08:17 +00:00
|
|
|
// PolicyACL is used to wrap a set of ACL policies to provide
|
|
|
|
|
// the ACL interface.
|
|
|
|
|
type PolicyACL struct {
|
|
|
|
|
// parent is used to resolve policy if we have
|
|
|
|
|
// no matching rule.
|
|
|
|
|
parent ACL
|
|
|
|
|
|
2014-08-11 05:01:03 +00:00
|
|
|
// keyRules contains the key policies
|
|
|
|
|
keyRules *radix.Tree
|
2014-08-06 22:08:17 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// New is used to construct a policy based ACL from a set of policies
|
|
|
|
|
// and a parent policy to resolve missing cases.
|
|
|
|
|
func New(parent ACL, policy *Policy) (*PolicyACL, error) {
|
|
|
|
|
p := &PolicyACL{
|
|
|
|
|
parent: parent,
|
2014-08-11 05:01:03 +00:00
|
|
|
keyRules: radix.New(),
|
2014-08-06 22:08:17 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Load the key policy
|
|
|
|
|
for _, kp := range policy.Keys {
|
2014-08-11 05:01:03 +00:00
|
|
|
p.keyRules.Insert(kp.Prefix, kp.Policy)
|
2014-08-06 22:08:17 +00:00
|
|
|
}
|
|
|
|
|
return p, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// KeyRead returns if a key is allowed to be read
|
|
|
|
|
func (p *PolicyACL) KeyRead(key string) bool {
|
|
|
|
|
// Look for a matching rule
|
2014-08-11 05:01:03 +00:00
|
|
|
_, rule, ok := p.keyRules.LongestPrefix(key)
|
2014-08-06 22:08:17 +00:00
|
|
|
if ok {
|
2014-08-11 05:01:03 +00:00
|
|
|
switch rule.(string) {
|
|
|
|
|
case KeyPolicyRead:
|
|
|
|
|
return true
|
|
|
|
|
case KeyPolicyWrite:
|
|
|
|
|
return true
|
|
|
|
|
default:
|
|
|
|
|
return false
|
|
|
|
|
}
|
2014-08-06 22:08:17 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// No matching rule, use the parent.
|
|
|
|
|
return p.parent.KeyRead(key)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// KeyWrite returns if a key is allowed to be written
|
|
|
|
|
func (p *PolicyACL) KeyWrite(key string) bool {
|
|
|
|
|
// Look for a matching rule
|
2014-08-11 05:01:03 +00:00
|
|
|
_, rule, ok := p.keyRules.LongestPrefix(key)
|
2014-08-06 22:08:17 +00:00
|
|
|
if ok {
|
2014-08-11 05:01:03 +00:00
|
|
|
switch rule.(string) {
|
|
|
|
|
case KeyPolicyWrite:
|
|
|
|
|
return true
|
|
|
|
|
default:
|
|
|
|
|
return false
|
|
|
|
|
}
|
2014-08-06 22:08:17 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// No matching rule, use the parent.
|
|
|
|
|
return p.parent.KeyWrite(key)
|
|
|
|
|
}
|
2014-08-12 22:09:01 +00:00
|
|
|
|
|
|
|
|
// ACLList checks if listing of ACLs is allowed
|
|
|
|
|
func (p *PolicyACL) ACLList() bool {
|
2014-08-12 22:10:45 +00:00
|
|
|
return p.parent.ACLList()
|
2014-08-12 22:09:01 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// ACLModify checks if modification of ACLs is allowed
|
|
|
|
|
func (p *PolicyACL) ACLModify() bool {
|
2014-08-12 22:10:45 +00:00
|
|
|
return p.parent.ACLModify()
|
2014-08-12 22:09:01 +00:00
|
|
|
}
|
