acl: allow omitting keyring policy, add tests

Ryan Uber 2015-07-07 11:07:37 -06:00
parent 177b5b434e
commit 2dab8a5ddd
4 changed files with 43 additions and 3 deletions


@ -350,14 +350,19 @@ func (p *PolicyACL) KeyringRead() bool {
switch p.keyringRule { switch p.keyringRule {
case KeyringPolicyRead, KeyringPolicyWrite: case KeyringPolicyRead, KeyringPolicyWrite:
return true return true
default: case KeyringPolicyDeny:
return false return false
default:
return p.parent.KeyringRead()
} }
} }
// KeyringWrite determines if the keyring can be manipulated. // KeyringWrite determines if the keyring can be manipulated.
func (p *PolicyACL) KeyringWrite() bool { func (p *PolicyACL) KeyringWrite() bool {
return p.keyringRule == KeyringPolicyWrite if p.keyringRule == KeyringPolicyWrite {
return true
}
return p.parent.KeyringWrite()
} }
// ACLList checks if listing of ACLs is allowed // ACLList checks if listing of ACLs is allowed
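Review bot: In the new `KeyringWrite`, a policy whose keyring rule is `KeyringPolicyDeny` or `KeyringPolicyRead` no longer returns false; it falls through to `p.parent.KeyringWrite()`, whereas the old one-line comparison denied both. If the parent can be a permissive ACL (its type is not visible here), an explicit deny or read-only keyring rule would still grant keyring writes. `KeyringRead` in the same section already returns false for `KeyringPolicyDeny` and delegates only in `default`; `KeyringWrite` should use the same switch shape so that only an omitted rule inherits. Both methods also dereference `p.parent` unconditionally, which relies on every PolicyACL being built with a non-nil parent; neither the constructor nor the signature line of `KeyringRead` is inside the hunk.

```go
func (p *PolicyACL) KeyringWrite() bool {
	switch p.keyringRule {
	case KeyringPolicyWrite:
		return true
	case KeyringPolicyRead, KeyringPolicyDeny:
		// An explicit rule is authoritative; only an omitted rule inherits.
		return false
	default:
		return p.parent.KeyringWrite()
	}
}
```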


@ -47,6 +47,18 @@ func TestStaticACL(t *testing.T) {
if !all.ServiceWrite("foobar") { if !all.ServiceWrite("foobar") {
t.Fatalf("should allow") t.Fatalf("should allow")
} }
if !all.EventRead("foobar") {
t.Fatalf("should allow")
}
if !all.EventWrite("foobar") {
t.Fatalf("should allow")
}
if !all.KeyringRead() {
t.Fatalf("should allow")
}
if !all.KeyringWrite() {
t.Fatalf("should allow")
}
if all.ACLList() { if all.ACLList() {
t.Fatalf("should not allow") t.Fatalf("should not allow")
} }
@ -78,6 +90,12 @@ func TestStaticACL(t *testing.T) {
if none.EventWrite("") { if none.EventWrite("") {
t.Fatalf("should not allow") t.Fatalf("should not allow")
} }
if none.KeyringRead() {
t.Fatalf("should now allow")
}
if none.KeyringWrite() {
t.Fatalf("should not allow")
}
if none.ACLList() { if none.ACLList() {
t.Fatalf("should not allow") t.Fatalf("should not allow")
} }
@ -97,6 +115,18 @@ func TestStaticACL(t *testing.T) {
if !manage.ServiceWrite("foobar") { if !manage.ServiceWrite("foobar") {
t.Fatalf("should allow") t.Fatalf("should allow")
} }
if !manage.EventRead("foobar") {
t.Fatalf("should allow")
}
if !manage.EventWrite("foobar") {
t.Fatalf("should allow")
}
if !manage.KeyringRead() {
t.Fatalf("should allow")
}
if !manage.KeyringWrite() {
t.Fatalf("should allow")
}
if !manage.ACLList() { if !manage.ACLList() {
t.Fatalf("should allow") t.Fatalf("should allow")
} }
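Review bot: The added assertions only cover the static `all`, `none` and `manage` ACLs, so the parent fall-through that this commit introduces for policies with an omitted keyring rule is not tested in the visible hunks. A PolicyACL test with an allow-all parent and a deny-all parent, each combined with an omitted, `read` and `deny` keyring rule, would pin down when inheritance applies for both KeyringRead and KeyringWrite; such a test may exist outside this page. Separately, the failure message on the `none.KeyringRead()` check is inverted by a typo and should read `t.Fatalf("should not allow")`. TestStaticACL starts and ends outside these hunks.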


@ -114,6 +114,7 @@ func Parse(rules string) (*Policy, error) {
case KeyringPolicyRead: case KeyringPolicyRead:
case KeyringPolicyWrite: case KeyringPolicyWrite:
case KeyringPolicyDeny: case KeyringPolicyDeny:
case "": // Special case to allow omitting the keyring policy
default: default:
return nil, fmt.Errorf("Invalid keyring policy: %#v", p.Keyring) return nil, fmt.Errorf("Invalid keyring policy: %#v", p.Keyring)
} }
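Review bot: The new `case "":` accepts a policy with no keyring key but leaves `p.Keyring` empty, so the effective keyring permission is decided later by whatever the evaluating ACL does with an empty rule; the comment should say so. Something like `case "": // Keyring omitted: rule stays empty and the ACL's parent/default decides` makes it clear that omission is not the same as deny, which matters when the default is permissive. How the empty value is resolved is not visible in this hunk, so confirm the wording against the evaluator. Parse begins and ends outside the hunk.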


@ -34,6 +34,7 @@ event "foo" {
event "bar" { event "bar" {
policy = "deny" policy = "deny"
} }
keyring = "deny"
` `
exp := &Policy{ exp := &Policy{
Keys: []*KeyPolicy{ Keys: []*KeyPolicy{
@ -78,6 +79,7 @@ event "bar" {
Policy: EventPolicyDeny, Policy: EventPolicyDeny,
}, },
}, },
Keyring: KeyringPolicyDeny,
} }
out, err := Parse(inp) out, err := Parse(inp)
@ -124,7 +126,8 @@ func TestParse_JSON(t *testing.T) {
"bar": { "bar": {
"policy": "deny" "policy": "deny"
} }
} },
"keyring": "deny"
}` }`
exp := &Policy{ exp := &Policy{
Keys: []*KeyPolicy{ Keys: []*KeyPolicy{
@ -169,6 +172,7 @@ func TestParse_JSON(t *testing.T) {
Policy: EventPolicyDeny, Policy: EventPolicyDeny,
}, },
}, },
Keyring: KeyringPolicyDeny,
} }
out, err := Parse(inp) out, err := Parse(inp)
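Review bot: Neither parser test exercises the omitted-keyring case named in the commit title: both inputs in these hunks now set an explicit `keyring = "deny"` or `"keyring": "deny"`, so the empty-string branch accepted by Parse is never reached here. Add an input with no keyring key in each format, asserting that Parse returns no error and that `out.Keyring` is `""`; a constructed invalid value such as `keyring = "bogus"` should also be asserted to fail. The first two hunks sit inside a test function whose signature is outside the visible lines.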