Merge pull request #905 from maver1ck/master

Consul prefix services ACLs
Armon Dadgar 2015-05-06 12:02:28 -07:00
commit 0acc857cbe
2 changed files with 15 additions and 11 deletions


@ -135,7 +135,7 @@ type PolicyACL struct {
keyRules *radix.Tree keyRules *radix.Tree
// serviceRules contains the service policies // serviceRules contains the service policies
serviceRules map[string]string serviceRules *radix.Tree
} }
// New is used to construct a policy based ACL from a set of policies // New is used to construct a policy based ACL from a set of policies
@ -144,7 +144,7 @@ func New(parent ACL, policy *Policy) (*PolicyACL, error) {
p := &PolicyACL{ p := &PolicyACL{
parent: parent, parent: parent,
keyRules: radix.New(), keyRules: radix.New(),
serviceRules: make(map[string]string, len(policy.Services)), serviceRules: radix.New(),
} }
// Load the key policy // Load the key policy
@ -154,7 +154,7 @@ func New(parent ACL, policy *Policy) (*PolicyACL, error) {
// Load the service policy // Load the service policy
for _, sp := range policy.Services { for _, sp := range policy.Services {
p.serviceRules[sp.Name] = sp.Policy p.serviceRules.Insert(sp.Name, sp.Policy)
} }
return p, nil return p, nil
} }
@ -231,10 +231,8 @@ func (p *PolicyACL) KeyWritePrefix(prefix string) bool {
// ServiceRead checks if reading (discovery) of a service is allowed // ServiceRead checks if reading (discovery) of a service is allowed
func (p *PolicyACL) ServiceRead(name string) bool { func (p *PolicyACL) ServiceRead(name string) bool {
// Check for an exact rule or catch-all // Check for an exact rule or catch-all
rule, ok := p.serviceRules[name] _, rule, ok := p.serviceRules.LongestPrefix(name)
if !ok {
rule, ok = p.serviceRules[""]
}
if ok { if ok {
switch rule { switch rule {
case ServicePolicyWrite: case ServicePolicyWrite:
@ -253,10 +251,8 @@ func (p *PolicyACL) ServiceRead(name string) bool {
// ServiceWrite checks if writing (registering) a service is allowed // ServiceWrite checks if writing (registering) a service is allowed
func (p *PolicyACL) ServiceWrite(name string) bool { func (p *PolicyACL) ServiceWrite(name string) bool {
// Check for an exact rule or catch-all // Check for an exact rule or catch-all
rule, ok := p.serviceRules[name] _, rule, ok := p.serviceRules.LongestPrefix(name)
if !ok {
rule, ok = p.serviceRules[""]
}
if ok { if ok {
switch rule { switch rule {
case ServicePolicyWrite: case ServicePolicyWrite:
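Review bot: The comment `// Check for an exact rule or catch-all` kept above the new `LongestPrefix` call in both ServiceRead and ServiceWrite is now stale: the lookup is longest-prefix, so a rule for `foo` also governs `foobar`, and dropping the explicit fallback to the `""` entry appears to rely on the empty key being the longest prefix of every name. That widening matters for existing policies written under exact-match semantics, where a write rule on `foo` now covers every service whose name starts with `foo`, and nothing in the code states it. Suggest `// Check for the longest-prefix rule; the catch-all is the empty prefix ""` at both call sites, and `// serviceRules contains the service policies, keyed by name prefix (longest match wins)` on the struct field. Both method bodies continue past the hunk.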


@ -127,6 +127,10 @@ func TestPolicyACL(t *testing.T) {
Name: "bar", Name: "bar",
Policy: ServicePolicyDeny, Policy: ServicePolicyDeny,
}, },
&ServicePolicy{
Name: "barfoo",
Policy: ServicePolicyWrite,
},
}, },
} }
acl, err := New(all, policy) acl, err := New(all, policy)
@ -171,6 +175,10 @@ func TestPolicyACL(t *testing.T) {
{"other", true, true}, {"other", true, true},
{"foo", true, false}, {"foo", true, false},
{"bar", false, false}, {"bar", false, false},
{"foobar", true, false},
{"barfo", false, false},
{"barfoo", true, true},
{"barfoo2", true, true},
} }
for _, c := range scases { for _, c := range scases {
if c.read != acl.ServiceRead(c.inp) { if c.read != acl.ServiceRead(c.inp) {
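Review bot: The new scases entries exercise a longer write prefix overriding a shorter deny (`barfoo` under `bar`) but not the reverse, so a longer deny beneath a shorter read or write grant is left unpinned, and that is the direction that would silently over-grant if the match ever regressed to a shorter prefix. Adding a Services entry such as `&ServicePolicy{Name: "foodeny", Policy: ServicePolicyDeny}` next to the new `barfoo` entry, plus the case `{"foodeny", false, false},` alongside `{"foobar", true, false},`, would cover it. TestPolicyACL begins and ends outside the hunk.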