acl: keyring policy uses a flat string
parent
e764eb62bd
commit
177b5b434e
29
acl/acl.go
29
acl/acl.go
|
@ -172,7 +172,7 @@ type PolicyACL struct {
|
|||
// keyringRules contains the keyring policies. The keyring has
|
||||
// a very simple yes/no without prefix mathing, so here we
|
||||
// don't need to use a radix tree.
|
||||
keyringRules map[string]struct{}
|
||||
keyringRule string
|
||||
}
|
||||
|
||||
// New is used to construct a policy based ACL from a set of policies
|
||||
|
@ -183,7 +183,6 @@ func New(parent ACL, policy *Policy) (*PolicyACL, error) {
|
|||
keyRules: radix.New(),
|
||||
serviceRules: radix.New(),
|
||||
eventRules: radix.New(),
|
||||
keyringRules: make(map[string]struct{}),
|
||||
}
|
||||
|
||||
// Load the key policy
|
||||
|
@ -202,9 +201,7 @@ func New(parent ACL, policy *Policy) (*PolicyACL, error) {
|
|||
}
|
||||
|
||||
// Load the keyring policy
|
||||
for _, krp := range policy.Keyring {
|
||||
p.keyringRules[krp.Policy] = struct{}{}
|
||||
}
|
||||
p.keyringRule = policy.Keyring
|
||||
|
||||
return p, nil
|
||||
}
|
||||
|
@ -350,29 +347,17 @@ func (p *PolicyACL) EventWrite(name string) bool {
|
|||
// KeyringRead is used to determine if the keyring can be
|
||||
// read by the current ACL token.
|
||||
func (p *PolicyACL) KeyringRead() bool {
|
||||
// First check for an explicit deny
|
||||
if _, ok := p.keyringRules[KeyringPolicyDeny]; ok {
|
||||
switch p.keyringRule {
|
||||
case KeyringPolicyRead, KeyringPolicyWrite:
|
||||
return true
|
||||
default:
|
||||
return false
|
||||
}
|
||||
|
||||
// Now check for read or write. Write implies read.
|
||||
_, ok := p.keyringRules[KeyringPolicyRead]
|
||||
if !ok {
|
||||
_, ok = p.keyringRules[KeyringPolicyWrite]
|
||||
}
|
||||
return ok
|
||||
}
|
||||
|
||||
// KeyringWrite determines if the keyring can be manipulated.
|
||||
func (p *PolicyACL) KeyringWrite() bool {
|
||||
// First check for an explicit deny
|
||||
if _, ok := p.keyringRules[KeyringPolicyDeny]; ok {
|
||||
return false
|
||||
}
|
||||
|
||||
// Check for read permission
|
||||
_, ok := p.keyringRules[KeyringPolicyWrite]
|
||||
return ok
|
||||
return p.keyringRule == KeyringPolicyWrite
|
||||
}
|
||||
|
||||
// ACLList checks if listing of ACLs is allowed
|
||||
|
|
|
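Review bot: In the KeyringRead/KeyringWrite hunk (@ -350,29 +347,17) an unset rule is now indistinguishable from an explicit deny: the `default` arm of `KeyringRead` and the `== KeyringPolicyWrite` comparison in `KeyringWrite` both yield false for the empty string, and neither consults the parent ACL that `New(parent ACL, …)` receives. If a missing keyring rule is meant to inherit the parent's decision, as the other rule types presumably do, add an explicit `case KeyringPolicyDeny: return false` and make the `default` arm delegate to the parent's `KeyringRead()` (same shape for `KeyringWrite`); if inheritance is not intended, a comment on the `default` arm stating that an unset rule denies would settle it for readers. Separately, the field comment in the first hunk (@ -172,7 +172,7) still reads `keyringRules contains the keyring policies` and describes a map; with the flat string it should say something like `keyringRule holds the single keyring policy (read, write or deny); the keyring is a plain yes/no without prefix matching, so no radix tree is needed`.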
@ -28,7 +28,7 @@ type Policy struct {
|
|||
Keys []*KeyPolicy `hcl:"key,expand"`
|
||||
Services []*ServicePolicy `hcl:"service,expand"`
|
||||
Events []*EventPolicy `hcl:"event,expand"`
|
||||
Keyring []*KeyringPolicy `hcl:"keyring"`
|
||||
Keyring string `hcl:"keyring"`
|
||||
}
|
||||
|
||||
// KeyPolicy represents a policy for a key
|
||||
|
@ -61,17 +61,6 @@ func (e *EventPolicy) GoString() string {
|
|||
return fmt.Sprintf("%#v", *e)
|
||||
}
|
||||
|
||||
// KeyringPolicy represents a policy for the encryption keyring.
|
||||
type KeyringPolicy struct {
|
||||
// We only need a single field for the keyring, since access
|
||||
// is binary (allowed or disallowed) and no prefix is respected.
|
||||
Policy string
|
||||
}
|
||||
|
||||
func (k *KeyringPolicy) GoString() string {
|
||||
return fmt.Sprintf("%#v", *k)
|
||||
}
|
||||
|
||||
// Parse is used to parse the specified ACL rules into an
|
||||
// intermediary set of policies, before being compiled into
|
||||
// the ACL
|
||||
|
@ -121,14 +110,12 @@ func Parse(rules string) (*Policy, error) {
|
|||
}
|
||||
|
||||
// Validate the keyring policy
|
||||
for _, krp := range p.Keyring {
|
||||
switch krp.Policy {
|
||||
case KeyringPolicyRead:
|
||||
case KeyringPolicyWrite:
|
||||
case KeyringPolicyDeny:
|
||||
default:
|
||||
return nil, fmt.Errorf("Invalid keyring policy: %#v", krp)
|
||||
}
|
||||
switch p.Keyring {
|
||||
case KeyringPolicyRead:
|
||||
case KeyringPolicyWrite:
|
||||
case KeyringPolicyDeny:
|
||||
default:
|
||||
return nil, fmt.Errorf("Invalid keyring policy: %#v", p.Keyring)
|
||||
}
|
||||
|
||||
return p, nil
|
||||
|
|
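Review bot: In the Parse hunk (@ -121,14 +110,12) `switch p.Keyring` has no arm for the empty string, so a rule set that simply omits `keyring` now fails with `Invalid keyring policy: ""`, whereas the removed loop accepted an absent keyring policy; unless a guard outside the hunk skips this switch, every existing policy without a keyring stanza stops parsing. The zero value should remain valid and mean "no keyring access" (which is what the `default` arms in acl.go already yield): change the first arm to `case "", KeyringPolicyRead:` or wrap the switch in `if p.Keyring != "" { … }`, and say so in the comment, e.g. `// Validate the keyring policy; it may be omitted`. The Policy struct change in the first hunk (@ -28,7 +28,7) would also benefit from a field comment noting the value is one of the KeyringPolicy* constants or empty. Parse's body starts and ends outside the hunk.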