Consul prefix services ACLs
This commit is contained in:
parent
efaed93b91
commit
79bae63dfe
18
acl/acl.go
18
acl/acl.go
|
@ -135,7 +135,7 @@ type PolicyACL struct {
|
||||||
keyRules *radix.Tree
|
keyRules *radix.Tree
|
||||||
|
|
||||||
// serviceRules contains the service policies
|
// serviceRules contains the service policies
|
||||||
serviceRules map[string]string
|
serviceRules *radix.Tree
|
||||||
}
|
}
|
||||||
|
|
||||||
// New is used to construct a policy based ACL from a set of policies
|
// New is used to construct a policy based ACL from a set of policies
|
||||||
|
@ -144,7 +144,7 @@ func New(parent ACL, policy *Policy) (*PolicyACL, error) {
|
||||||
p := &PolicyACL{
|
p := &PolicyACL{
|
||||||
parent: parent,
|
parent: parent,
|
||||||
keyRules: radix.New(),
|
keyRules: radix.New(),
|
||||||
serviceRules: make(map[string]string, len(policy.Services)),
|
serviceRules: radix.New(),
|
||||||
}
|
}
|
||||||
|
|
||||||
// Load the key policy
|
// Load the key policy
|
||||||
|
@ -154,7 +154,7 @@ func New(parent ACL, policy *Policy) (*PolicyACL, error) {
|
||||||
|
|
||||||
// Load the service policy
|
// Load the service policy
|
||||||
for _, sp := range policy.Services {
|
for _, sp := range policy.Services {
|
||||||
p.serviceRules[sp.Name] = sp.Policy
|
p.serviceRules.Insert(sp.Name, sp.Policy)
|
||||||
}
|
}
|
||||||
return p, nil
|
return p, nil
|
||||||
}
|
}
|
||||||
|
@ -231,10 +231,8 @@ func (p *PolicyACL) KeyWritePrefix(prefix string) bool {
|
||||||
// ServiceRead checks if reading (discovery) of a service is allowed
|
// ServiceRead checks if reading (discovery) of a service is allowed
|
||||||
func (p *PolicyACL) ServiceRead(name string) bool {
|
func (p *PolicyACL) ServiceRead(name string) bool {
|
||||||
// Check for an exact rule or catch-all
|
// Check for an exact rule or catch-all
|
||||||
rule, ok := p.serviceRules[name]
|
_, rule, ok := p.serviceRules.LongestPrefix(name)
|
||||||
if !ok {
|
|
||||||
rule, ok = p.serviceRules[""]
|
|
||||||
}
|
|
||||||
if ok {
|
if ok {
|
||||||
switch rule {
|
switch rule {
|
||||||
case ServicePolicyWrite:
|
case ServicePolicyWrite:
|
||||||
|
@ -253,10 +251,8 @@ func (p *PolicyACL) ServiceRead(name string) bool {
|
||||||
// ServiceWrite checks if writing (registering) a service is allowed
|
// ServiceWrite checks if writing (registering) a service is allowed
|
||||||
func (p *PolicyACL) ServiceWrite(name string) bool {
|
func (p *PolicyACL) ServiceWrite(name string) bool {
|
||||||
// Check for an exact rule or catch-all
|
// Check for an exact rule or catch-all
|
||||||
rule, ok := p.serviceRules[name]
|
_, rule, ok := p.serviceRules.LongestPrefix(name)
|
||||||
if !ok {
|
|
||||||
rule, ok = p.serviceRules[""]
|
|
||||||
}
|
|
||||||
if ok {
|
if ok {
|
||||||
switch rule {
|
switch rule {
|
||||||
case ServicePolicyWrite:
|
case ServicePolicyWrite:
|
||||||
|
|
|
@ -127,6 +127,10 @@ func TestPolicyACL(t *testing.T) {
|
||||||
Name: "bar",
|
Name: "bar",
|
||||||
Policy: ServicePolicyDeny,
|
Policy: ServicePolicyDeny,
|
||||||
},
|
},
|
||||||
|
&ServicePolicy{
|
||||||
|
Name: "barfoo",
|
||||||
|
Policy: ServicePolicyWrite,
|
||||||
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
acl, err := New(all, policy)
|
acl, err := New(all, policy)
|
||||||
|
@ -171,6 +175,10 @@ func TestPolicyACL(t *testing.T) {
|
||||||
{"other", true, true},
|
{"other", true, true},
|
||||||
{"foo", true, false},
|
{"foo", true, false},
|
||||||
{"bar", false, false},
|
{"bar", false, false},
|
||||||
|
{"foobar", true, false},
|
||||||
|
{"barfo", false, false},
|
||||||
|
{"barfoo", true, true},
|
||||||
|
{"barfoo2", true, true},
|
||||||
}
|
}
|
||||||
for _, c := range scases {
|
for _, c := range scases {
|
||||||
if c.read != acl.ServiceRead(c.inp) {
|
if c.read != acl.ServiceRead(c.inp) {
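Review bot: The new scases entries pin that a name longer than a rule (`barfo`, `barfoo2`) takes that rule, but nothing pins the opposite direction — a name that is a strict prefix of a deny rule, such as `ba`, must not inherit the `bar` deny and should fall through like `other` does. I would add `{"ba", true, true},` next to the new entries, on the assumption that `other` gets read/write from a `""` catch-all or the `all` parent rather than from a rule visible here. The loop that checks these cases continues outside the hunk.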
|
||||||