Allow the /v1/internal/acl/authorize endpoint to authorize the “peering” resource (#13646)

Currently this just checks for operator read. In the near future it will check for peering specific rules once those are implemented.

acl/authorizer.go

@@ -49,6 +49,7 @@ const (
 	ResourceQuery     Resource = "query"
 	ResourceService   Resource = "service"
 	ResourceSession   Resource = "session"
+	ResourcePeering   Resource = "peering"
 )
 
 // Authorizer is the interface for policy enforcement.
@@ -540,6 +541,14 @@ func Enforce(authz Authorizer, rsc Resource, segment string, access string, ctx
 		case "write":
 			return authz.SessionWrite(segment, ctx), nil
 		}
+	case ResourcePeering:
+		// TODO (peering) switch this over to using PeeringRead & PeeringWrite methods once implemented
+		switch lowerAccess {
+		case "read":
+			return authz.OperatorRead(ctx), nil
+		case "write":
+			return authz.OperatorWrite(ctx), nil
+		}
 	default:
 		if processed, decision, err := enforceEnterprise(authz, rsc, segment, lowerAccess, ctx); processed {
 			return decision, err

acl/authorizer_test.go

@@ -462,6 +462,34 @@ func TestACL_Enforce(t *testing.T) {
 			ret:      Deny,
 			err:      "Invalid access level",
 		},
+		{
+			// TODO (peering) Update to use PeeringRead
+			method:   "OperatorRead",
+			resource: ResourcePeering,
+			access:   "read",
+			ret:      Allow,
+		},
+		{
+			// TODO (peering) Update to use PeeringRead
+			method:   "OperatorRead",
+			resource: ResourcePeering,
+			access:   "read",
+			ret:      Deny,
+		},
+		{
+			// TODO (peering) Update to use PeeringWrite
+			method:   "OperatorWrite",
+			resource: ResourcePeering,
+			access:   "write",
+			ret:      Allow,
+		},
+		{
+			// TODO (peering) Update to use PeeringWrite
+			method:   "OperatorWrite",
+			resource: ResourcePeering,
+			access:   "write",
+			ret:      Deny,
+		},
 		{
 			method:   "PreparedQueryRead",
 			resource: ResourceQuery,