acl: allow omitting keyring policy, add tests

2015-07-07 11:07:37 -06:00 · 2015-07-07 11:07:37 -06:00 · 2dab8a5ddd
parent 177b5b434e
commit 2dab8a5ddd
4 changed files with 43 additions and 3 deletions
--- a/acl/acl.go
+++ b/acl/acl.go
@ -350,14 +350,19 @@ func (p *PolicyACL) KeyringRead() bool {
 	switch p.keyringRule {
 	case KeyringPolicyRead, KeyringPolicyWrite:
 		return true
-	default:
+	case KeyringPolicyDeny:
 		return false
+	default:
+		return p.parent.KeyringRead()
 	}
 }

 // KeyringWrite determines if the keyring can be manipulated.
 func (p *PolicyACL) KeyringWrite() bool {
-	return p.keyringRule == KeyringPolicyWrite
+	if p.keyringRule == KeyringPolicyWrite {
+		return true
+	}
+	return p.parent.KeyringWrite()
 }

 // ACLList checks if listing of ACLs is allowed
--- a/acl/acl_test.go
+++ b/acl/acl_test.go
@ -47,6 +47,18 @@ func TestStaticACL(t *testing.T) {
 	if !all.ServiceWrite("foobar") {
 		t.Fatalf("should allow")
 	}
+	if !all.EventRead("foobar") {
+		t.Fatalf("should allow")
+	}
+	if !all.EventWrite("foobar") {
+		t.Fatalf("should allow")
+	}
+	if !all.KeyringRead() {
+		t.Fatalf("should allow")
+	}
+	if !all.KeyringWrite() {
+		t.Fatalf("should allow")
+	}
 	if all.ACLList() {
 		t.Fatalf("should not allow")
 	}
@ -78,6 +90,12 @@ func TestStaticACL(t *testing.T) {
 	if none.EventWrite("") {
 		t.Fatalf("should not allow")
 	}
+	if none.KeyringRead() {
+		t.Fatalf("should now allow")
+	}
+	if none.KeyringWrite() {
+		t.Fatalf("should not allow")
+	}
 	if none.ACLList() {
 		t.Fatalf("should not allow")
 	}
@ -97,6 +115,18 @@ func TestStaticACL(t *testing.T) {
 	if !manage.ServiceWrite("foobar") {
 		t.Fatalf("should allow")
 	}
+	if !manage.EventRead("foobar") {
+		t.Fatalf("should allow")
+	}
+	if !manage.EventWrite("foobar") {
+		t.Fatalf("should allow")
+	}
+	if !manage.KeyringRead() {
+		t.Fatalf("should allow")
+	}
+	if !manage.KeyringWrite() {
+		t.Fatalf("should allow")
+	}
 	if !manage.ACLList() {
 		t.Fatalf("should allow")
 	}
--- a/acl/policy.go
+++ b/acl/policy.go
@ -114,6 +114,7 @@ func Parse(rules string) (*Policy, error) {
 	case KeyringPolicyRead:
 	case KeyringPolicyWrite:
 	case KeyringPolicyDeny:
+	case "": // Special case to allow omitting the keyring policy
 	default:
 		return nil, fmt.Errorf("Invalid keyring policy: %#v", p.Keyring)
 	}
--- a/acl/policy_test.go
+++ b/acl/policy_test.go
@ -34,6 +34,7 @@ event "foo" {
 event "bar" {
 	policy = "deny"
 }
+keyring = "deny"
 	`
 	exp := &Policy{
 		Keys: []*KeyPolicy{
@ -78,6 +79,7 @@ event "bar" {
 				Policy: EventPolicyDeny,
 			},
 		},
+		Keyring: KeyringPolicyDeny,
 	}

 	out, err := Parse(inp)
@ -124,7 +126,8 @@ func TestParse_JSON(t *testing.T) {
 		"bar": {
 			"policy": "deny"
 		}
-	}
+	},
+	"keyring": "deny"
 }`
 	exp := &Policy{
 		Keys: []*KeyPolicy{
@ -169,6 +172,7 @@ func TestParse_JSON(t *testing.T) {
 				Policy: EventPolicyDeny,
 			},
 		},
+		Keyring: KeyringPolicyDeny,
 	}

 	out, err := Parse(inp)