From bdf025a758cf87648b764f30610c1ac8235e3a6b Mon Sep 17 00:00:00 2001 From: Matt Keeler Date: Wed, 18 Dec 2019 13:43:24 -0500 Subject: [PATCH] Rename EnterpriseAuthorizerContext -> AuthorizerContext --- acl/acl_test.go | 158 +++++++++++++++---------------- acl/authorizer.go | 54 +++++------ acl/authorizer_oss.go | 6 +- acl/authorizer_test.go | 54 +++++------ acl/chained_authorizer.go | 52 +++++----- acl/chained_authorizer_test.go | 52 +++++----- acl/policy_authorizer.go | 52 +++++----- acl/policy_authorizer_oss.go | 2 +- acl/policy_authorizer_test.go | 2 +- acl/static_authorizer.go | 52 +++++----- agent/acl.go | 14 +-- agent/agent_endpoint.go | 2 +- agent/consul/acl.go | 56 +++++------ agent/consul/acl_endpoint.go | 42 ++++---- agent/consul/catalog_endpoint.go | 4 +- agent/consul/filter.go | 2 +- agent/consul/kvs_endpoint.go | 12 +-- agent/consul/session_endpoint.go | 10 +- agent/structs/acl.go | 2 +- agent/structs/structs_oss.go | 12 +-- 20 files changed, 320 insertions(+), 320 deletions(-) diff --git a/acl/acl_test.go b/acl/acl_test.go index 815c86916..2dacb6f88 100644 --- a/acl/acl_test.go +++ b/acl/acl_test.go @@ -36,315 +36,315 @@ func legacyPolicy(policy *Policy) *Policy { // nicer in the embedded struct within TestACL // -func checkAllowACLRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkAllowACLRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Allow, authz.ACLRead(entCtx)) } -func checkAllowACLWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkAllowACLWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Allow, authz.ACLWrite(entCtx)) } -func checkAllowAgentRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkAllowAgentRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Allow, authz.AgentRead(prefix, entCtx)) } -func checkAllowAgentWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkAllowAgentWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Allow, authz.AgentWrite(prefix, entCtx)) } -func checkAllowEventRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkAllowEventRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Allow, authz.EventRead(prefix, entCtx)) } -func checkAllowEventWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkAllowEventWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Allow, authz.EventWrite(prefix, entCtx)) } -func checkAllowIntentionDefaultAllow(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkAllowIntentionDefaultAllow(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Allow, authz.IntentionDefaultAllow(entCtx)) } -func checkAllowIntentionRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkAllowIntentionRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Allow, authz.IntentionRead(prefix, entCtx)) } -func checkAllowIntentionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkAllowIntentionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Allow, authz.IntentionWrite(prefix, entCtx)) } -func checkAllowKeyRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkAllowKeyRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Allow, authz.KeyRead(prefix, entCtx)) } -func checkAllowKeyList(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkAllowKeyList(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Allow, authz.KeyList(prefix, entCtx)) } -func checkAllowKeyringRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkAllowKeyringRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Allow, authz.KeyringRead(entCtx)) } -func checkAllowKeyringWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkAllowKeyringWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Allow, authz.KeyringWrite(entCtx)) } -func checkAllowKeyWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkAllowKeyWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Allow, authz.KeyWrite(prefix, entCtx)) } -func checkAllowKeyWritePrefix(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkAllowKeyWritePrefix(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Allow, authz.KeyWritePrefix(prefix, entCtx)) } -func checkAllowNodeRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkAllowNodeRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Allow, authz.NodeRead(prefix, entCtx)) } -func checkAllowNodeWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkAllowNodeWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Allow, authz.NodeWrite(prefix, entCtx)) } -func checkAllowOperatorRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkAllowOperatorRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Allow, authz.OperatorRead(entCtx)) } -func checkAllowOperatorWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkAllowOperatorWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Allow, authz.OperatorWrite(entCtx)) } -func checkAllowPreparedQueryRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkAllowPreparedQueryRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Allow, authz.PreparedQueryRead(prefix, entCtx)) } -func checkAllowPreparedQueryWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkAllowPreparedQueryWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Allow, authz.PreparedQueryWrite(prefix, entCtx)) } -func checkAllowServiceRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkAllowServiceRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Allow, authz.ServiceRead(prefix, entCtx)) } -func checkAllowServiceWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkAllowServiceWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Allow, authz.ServiceWrite(prefix, entCtx)) } -func checkAllowSessionRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkAllowSessionRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Allow, authz.SessionRead(prefix, entCtx)) } -func checkAllowSessionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkAllowSessionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Allow, authz.SessionWrite(prefix, entCtx)) } -func checkAllowSnapshot(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkAllowSnapshot(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Allow, authz.Snapshot(entCtx)) } -func checkDenyACLRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDenyACLRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Deny, authz.ACLRead(entCtx)) } -func checkDenyACLWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDenyACLWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Deny, authz.ACLWrite(entCtx)) } -func checkDenyAgentRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDenyAgentRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Deny, authz.AgentRead(prefix, entCtx)) } -func checkDenyAgentWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDenyAgentWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Deny, authz.AgentWrite(prefix, entCtx)) } -func checkDenyEventRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDenyEventRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Deny, authz.EventRead(prefix, entCtx)) } -func checkDenyEventWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDenyEventWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Deny, authz.EventWrite(prefix, entCtx)) } -func checkDenyIntentionDefaultAllow(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDenyIntentionDefaultAllow(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Deny, authz.IntentionDefaultAllow(entCtx)) } -func checkDenyIntentionRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDenyIntentionRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Deny, authz.IntentionRead(prefix, entCtx)) } -func checkDenyIntentionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDenyIntentionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Deny, authz.IntentionWrite(prefix, entCtx)) } -func checkDenyKeyRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDenyKeyRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Deny, authz.KeyRead(prefix, entCtx)) } -func checkDenyKeyList(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDenyKeyList(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Deny, authz.KeyList(prefix, entCtx)) } -func checkDenyKeyringRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDenyKeyringRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Deny, authz.KeyringRead(entCtx)) } -func checkDenyKeyringWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDenyKeyringWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Deny, authz.KeyringWrite(entCtx)) } -func checkDenyKeyWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDenyKeyWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Deny, authz.KeyWrite(prefix, entCtx)) } -func checkDenyKeyWritePrefix(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDenyKeyWritePrefix(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Deny, authz.KeyWritePrefix(prefix, entCtx)) } -func checkDenyNodeRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDenyNodeRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Deny, authz.NodeRead(prefix, entCtx)) } -func checkDenyNodeWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDenyNodeWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Deny, authz.NodeWrite(prefix, entCtx)) } -func checkDenyOperatorRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDenyOperatorRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Deny, authz.OperatorRead(entCtx)) } -func checkDenyOperatorWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDenyOperatorWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Deny, authz.OperatorWrite(entCtx)) } -func checkDenyPreparedQueryRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDenyPreparedQueryRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Deny, authz.PreparedQueryRead(prefix, entCtx)) } -func checkDenyPreparedQueryWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDenyPreparedQueryWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Deny, authz.PreparedQueryWrite(prefix, entCtx)) } -func checkDenyServiceRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDenyServiceRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Deny, authz.ServiceRead(prefix, entCtx)) } -func checkDenyServiceWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDenyServiceWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Deny, authz.ServiceWrite(prefix, entCtx)) } -func checkDenySessionRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDenySessionRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Deny, authz.SessionRead(prefix, entCtx)) } -func checkDenySessionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDenySessionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Deny, authz.SessionWrite(prefix, entCtx)) } -func checkDenySnapshot(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDenySnapshot(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Deny, authz.Snapshot(entCtx)) } -func checkDefaultACLRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDefaultACLRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Default, authz.ACLRead(entCtx)) } -func checkDefaultACLWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDefaultACLWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Default, authz.ACLWrite(entCtx)) } -func checkDefaultAgentRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDefaultAgentRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Default, authz.AgentRead(prefix, entCtx)) } -func checkDefaultAgentWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDefaultAgentWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Default, authz.AgentWrite(prefix, entCtx)) } -func checkDefaultEventRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDefaultEventRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Default, authz.EventRead(prefix, entCtx)) } -func checkDefaultEventWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDefaultEventWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Default, authz.EventWrite(prefix, entCtx)) } -func checkDefaultIntentionDefaultAllow(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDefaultIntentionDefaultAllow(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Default, authz.IntentionDefaultAllow(entCtx)) } -func checkDefaultIntentionRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDefaultIntentionRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Default, authz.IntentionRead(prefix, entCtx)) } -func checkDefaultIntentionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDefaultIntentionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Default, authz.IntentionWrite(prefix, entCtx)) } -func checkDefaultKeyRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDefaultKeyRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Default, authz.KeyRead(prefix, entCtx)) } -func checkDefaultKeyList(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDefaultKeyList(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Default, authz.KeyList(prefix, entCtx)) } -func checkDefaultKeyringRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDefaultKeyringRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Default, authz.KeyringRead(entCtx)) } -func checkDefaultKeyringWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDefaultKeyringWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Default, authz.KeyringWrite(entCtx)) } -func checkDefaultKeyWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDefaultKeyWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Default, authz.KeyWrite(prefix, entCtx)) } -func checkDefaultKeyWritePrefix(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDefaultKeyWritePrefix(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Default, authz.KeyWritePrefix(prefix, entCtx)) } -func checkDefaultNodeRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDefaultNodeRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Default, authz.NodeRead(prefix, entCtx)) } -func checkDefaultNodeWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDefaultNodeWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Default, authz.NodeWrite(prefix, entCtx)) } -func checkDefaultOperatorRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDefaultOperatorRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Default, authz.OperatorRead(entCtx)) } -func checkDefaultOperatorWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDefaultOperatorWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Default, authz.OperatorWrite(entCtx)) } -func checkDefaultPreparedQueryRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDefaultPreparedQueryRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Default, authz.PreparedQueryRead(prefix, entCtx)) } -func checkDefaultPreparedQueryWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDefaultPreparedQueryWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Default, authz.PreparedQueryWrite(prefix, entCtx)) } -func checkDefaultServiceRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDefaultServiceRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Default, authz.ServiceRead(prefix, entCtx)) } -func checkDefaultServiceWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDefaultServiceWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Default, authz.ServiceWrite(prefix, entCtx)) } -func checkDefaultSessionRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDefaultSessionRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Default, authz.SessionRead(prefix, entCtx)) } -func checkDefaultSessionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDefaultSessionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Default, authz.SessionWrite(prefix, entCtx)) } -func checkDefaultSnapshot(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) { +func checkDefaultSnapshot(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) { require.Equal(t, Default, authz.Snapshot(entCtx)) } @@ -352,7 +352,7 @@ func TestACL(t *testing.T) { type aclCheck struct { name string prefix string - check func(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) + check func(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) } type aclTest struct { diff --git a/acl/authorizer.go b/acl/authorizer.go index 9591aa1f1..9c25f09d2 100644 --- a/acl/authorizer.go +++ b/acl/authorizer.go @@ -53,102 +53,102 @@ const ( // Authorizer is the interface for policy enforcement. type Authorizer interface { // ACLRead checks for permission to list all the ACLs - ACLRead(*EnterpriseAuthorizerContext) EnforcementDecision + ACLRead(*AuthorizerContext) EnforcementDecision // ACLWrite checks for permission to manipulate ACLs - ACLWrite(*EnterpriseAuthorizerContext) EnforcementDecision + ACLWrite(*AuthorizerContext) EnforcementDecision // AgentRead checks for permission to read from agent endpoints for a // given node. - AgentRead(string, *EnterpriseAuthorizerContext) EnforcementDecision + AgentRead(string, *AuthorizerContext) EnforcementDecision // AgentWrite checks for permission to make changes via agent endpoints // for a given node. - AgentWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision + AgentWrite(string, *AuthorizerContext) EnforcementDecision // EventRead determines if a specific event can be queried. - EventRead(string, *EnterpriseAuthorizerContext) EnforcementDecision + EventRead(string, *AuthorizerContext) EnforcementDecision // EventWrite determines if a specific event may be fired. - EventWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision + EventWrite(string, *AuthorizerContext) EnforcementDecision // IntentionDefaultAllow determines the default authorized behavior // when no intentions match a Connect request. - IntentionDefaultAllow(*EnterpriseAuthorizerContext) EnforcementDecision + IntentionDefaultAllow(*AuthorizerContext) EnforcementDecision // IntentionRead determines if a specific intention can be read. - IntentionRead(string, *EnterpriseAuthorizerContext) EnforcementDecision + IntentionRead(string, *AuthorizerContext) EnforcementDecision // IntentionWrite determines if a specific intention can be // created, modified, or deleted. - IntentionWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision + IntentionWrite(string, *AuthorizerContext) EnforcementDecision // KeyList checks for permission to list keys under a prefix - KeyList(string, *EnterpriseAuthorizerContext) EnforcementDecision + KeyList(string, *AuthorizerContext) EnforcementDecision // KeyRead checks for permission to read a given key - KeyRead(string, *EnterpriseAuthorizerContext) EnforcementDecision + KeyRead(string, *AuthorizerContext) EnforcementDecision // KeyWrite checks for permission to write a given key - KeyWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision + KeyWrite(string, *AuthorizerContext) EnforcementDecision // KeyWritePrefix checks for permission to write to an // entire key prefix. This means there must be no sub-policies // that deny a write. - KeyWritePrefix(string, *EnterpriseAuthorizerContext) EnforcementDecision + KeyWritePrefix(string, *AuthorizerContext) EnforcementDecision // KeyringRead determines if the encryption keyring used in // the gossip layer can be read. - KeyringRead(*EnterpriseAuthorizerContext) EnforcementDecision + KeyringRead(*AuthorizerContext) EnforcementDecision // KeyringWrite determines if the keyring can be manipulated - KeyringWrite(*EnterpriseAuthorizerContext) EnforcementDecision + KeyringWrite(*AuthorizerContext) EnforcementDecision // NodeRead checks for permission to read (discover) a given node. - NodeRead(string, *EnterpriseAuthorizerContext) EnforcementDecision + NodeRead(string, *AuthorizerContext) EnforcementDecision // NodeWrite checks for permission to create or update (register) a // given node. - NodeWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision + NodeWrite(string, *AuthorizerContext) EnforcementDecision // OperatorRead determines if the read-only Consul operator functions // can be used. - OperatorRead(*EnterpriseAuthorizerContext) EnforcementDecision + OperatorRead(*AuthorizerContext) EnforcementDecision // OperatorWrite determines if the state-changing Consul operator // functions can be used. - OperatorWrite(*EnterpriseAuthorizerContext) EnforcementDecision + OperatorWrite(*AuthorizerContext) EnforcementDecision // PreparedQueryRead determines if a specific prepared query can be read // to show its contents (this is not used for execution). - PreparedQueryRead(string, *EnterpriseAuthorizerContext) EnforcementDecision + PreparedQueryRead(string, *AuthorizerContext) EnforcementDecision // PreparedQueryWrite determines if a specific prepared query can be // created, modified, or deleted. - PreparedQueryWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision + PreparedQueryWrite(string, *AuthorizerContext) EnforcementDecision // ServiceRead checks for permission to read a given service - ServiceRead(string, *EnterpriseAuthorizerContext) EnforcementDecision + ServiceRead(string, *AuthorizerContext) EnforcementDecision // ServiceWrite checks for permission to create or update a given // service - ServiceWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision + ServiceWrite(string, *AuthorizerContext) EnforcementDecision // SessionRead checks for permission to read sessions for a given node. - SessionRead(string, *EnterpriseAuthorizerContext) EnforcementDecision + SessionRead(string, *AuthorizerContext) EnforcementDecision // SessionWrite checks for permission to create sessions for a given // node. - SessionWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision + SessionWrite(string, *AuthorizerContext) EnforcementDecision // Snapshot checks for permission to take and restore snapshots. - Snapshot(*EnterpriseAuthorizerContext) EnforcementDecision + Snapshot(*AuthorizerContext) EnforcementDecision // Embedded Interface for Consul Enterprise specific ACL enforcement EnterpriseAuthorizer } -func Enforce(authz Authorizer, rsc Resource, segment string, access string, ctx *EnterpriseAuthorizerContext) (EnforcementDecision, error) { +func Enforce(authz Authorizer, rsc Resource, segment string, access string, ctx *AuthorizerContext) (EnforcementDecision, error) { lowerAccess := strings.ToLower(access) switch rsc { diff --git a/acl/authorizer_oss.go b/acl/authorizer_oss.go index 499f797f1..c2e977530 100644 --- a/acl/authorizer_oss.go +++ b/acl/authorizer_oss.go @@ -2,12 +2,12 @@ package acl -// EnterpriseAuthorizerContext stub -type EnterpriseAuthorizerContext struct{} +// AuthorizerContext stub +type AuthorizerContext struct{} // EnterpriseAuthorizer stub interface type EnterpriseAuthorizer interface{} -func EnforceEnterprise(_ Authorizer, _ Resource, _ string, _ string, _ *EnterpriseAuthorizerContext) (bool, EnforcementDecision, error) { +func EnforceEnterprise(_ Authorizer, _ Resource, _ string, _ string, _ *AuthorizerContext) (bool, EnforcementDecision, error) { return false, Deny, nil } diff --git a/acl/authorizer_test.go b/acl/authorizer_test.go index 1a01e4dbb..f5227769d 100644 --- a/acl/authorizer_test.go +++ b/acl/authorizer_test.go @@ -13,77 +13,77 @@ type mockAuthorizer struct { } // ACLRead checks for permission to list all the ACLs -func (m *mockAuthorizer) ACLRead(ctx *EnterpriseAuthorizerContext) EnforcementDecision { +func (m *mockAuthorizer) ACLRead(ctx *AuthorizerContext) EnforcementDecision { ret := m.Called(ctx) return ret.Get(0).(EnforcementDecision) } // ACLWrite checks for permission to manipulate ACLs -func (m *mockAuthorizer) ACLWrite(ctx *EnterpriseAuthorizerContext) EnforcementDecision { +func (m *mockAuthorizer) ACLWrite(ctx *AuthorizerContext) EnforcementDecision { ret := m.Called(ctx) return ret.Get(0).(EnforcementDecision) } // AgentRead checks for permission to read from agent endpoints for a // given node. -func (m *mockAuthorizer) AgentRead(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision { +func (m *mockAuthorizer) AgentRead(segment string, ctx *AuthorizerContext) EnforcementDecision { ret := m.Called(segment, ctx) return ret.Get(0).(EnforcementDecision) } // AgentWrite checks for permission to make changes via agent endpoints // for a given node. -func (m *mockAuthorizer) AgentWrite(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision { +func (m *mockAuthorizer) AgentWrite(segment string, ctx *AuthorizerContext) EnforcementDecision { ret := m.Called(segment, ctx) return ret.Get(0).(EnforcementDecision) } // EventRead determines if a specific event can be queried. -func (m *mockAuthorizer) EventRead(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision { +func (m *mockAuthorizer) EventRead(segment string, ctx *AuthorizerContext) EnforcementDecision { ret := m.Called(segment, ctx) return ret.Get(0).(EnforcementDecision) } // EventWrite determines if a specific event may be fired. -func (m *mockAuthorizer) EventWrite(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision { +func (m *mockAuthorizer) EventWrite(segment string, ctx *AuthorizerContext) EnforcementDecision { ret := m.Called(segment, ctx) return ret.Get(0).(EnforcementDecision) } // IntentionDefaultAllow determines the default authorized behavior // when no intentions match a Connect request. -func (m *mockAuthorizer) IntentionDefaultAllow(ctx *EnterpriseAuthorizerContext) EnforcementDecision { +func (m *mockAuthorizer) IntentionDefaultAllow(ctx *AuthorizerContext) EnforcementDecision { ret := m.Called(ctx) return ret.Get(0).(EnforcementDecision) } // IntentionRead determines if a specific intention can be read. -func (m *mockAuthorizer) IntentionRead(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision { +func (m *mockAuthorizer) IntentionRead(segment string, ctx *AuthorizerContext) EnforcementDecision { ret := m.Called(segment, ctx) return ret.Get(0).(EnforcementDecision) } // IntentionWrite determines if a specific intention can be // created, modified, or deleted. -func (m *mockAuthorizer) IntentionWrite(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision { +func (m *mockAuthorizer) IntentionWrite(segment string, ctx *AuthorizerContext) EnforcementDecision { ret := m.Called(segment, ctx) return ret.Get(0).(EnforcementDecision) } // KeyList checks for permission to list keys under a prefix -func (m *mockAuthorizer) KeyList(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision { +func (m *mockAuthorizer) KeyList(segment string, ctx *AuthorizerContext) EnforcementDecision { ret := m.Called(segment, ctx) return ret.Get(0).(EnforcementDecision) } // KeyRead checks for permission to read a given key -func (m *mockAuthorizer) KeyRead(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision { +func (m *mockAuthorizer) KeyRead(segment string, ctx *AuthorizerContext) EnforcementDecision { ret := m.Called(segment, ctx) return ret.Get(0).(EnforcementDecision) } // KeyWrite checks for permission to write a given key -func (m *mockAuthorizer) KeyWrite(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision { +func (m *mockAuthorizer) KeyWrite(segment string, ctx *AuthorizerContext) EnforcementDecision { ret := m.Called(segment, ctx) return ret.Get(0).(EnforcementDecision) } @@ -91,93 +91,93 @@ func (m *mockAuthorizer) KeyWrite(segment string, ctx *EnterpriseAuthorizerConte // KeyWritePrefix checks for permission to write to an // entire key prefix. This means there must be no sub-policies // that deny a write. -func (m *mockAuthorizer) KeyWritePrefix(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision { +func (m *mockAuthorizer) KeyWritePrefix(segment string, ctx *AuthorizerContext) EnforcementDecision { ret := m.Called(segment, ctx) return ret.Get(0).(EnforcementDecision) } // KeyringRead determines if the encryption keyring used in // the gossip layer can be read. -func (m *mockAuthorizer) KeyringRead(ctx *EnterpriseAuthorizerContext) EnforcementDecision { +func (m *mockAuthorizer) KeyringRead(ctx *AuthorizerContext) EnforcementDecision { ret := m.Called(ctx) return ret.Get(0).(EnforcementDecision) } // KeyringWrite determines if the keyring can be manipulated -func (m *mockAuthorizer) KeyringWrite(ctx *EnterpriseAuthorizerContext) EnforcementDecision { +func (m *mockAuthorizer) KeyringWrite(ctx *AuthorizerContext) EnforcementDecision { ret := m.Called(ctx) return ret.Get(0).(EnforcementDecision) } // NodeRead checks for permission to read (discover) a given node. -func (m *mockAuthorizer) NodeRead(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision { +func (m *mockAuthorizer) NodeRead(segment string, ctx *AuthorizerContext) EnforcementDecision { ret := m.Called(segment, ctx) return ret.Get(0).(EnforcementDecision) } // NodeWrite checks for permission to create or update (register) a // given node. -func (m *mockAuthorizer) NodeWrite(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision { +func (m *mockAuthorizer) NodeWrite(segment string, ctx *AuthorizerContext) EnforcementDecision { ret := m.Called(segment, ctx) return ret.Get(0).(EnforcementDecision) } // OperatorRead determines if the read-only Consul operator functions // can be used. ret := m.Called(segment, ctx) -func (m *mockAuthorizer) OperatorRead(ctx *EnterpriseAuthorizerContext) EnforcementDecision { +func (m *mockAuthorizer) OperatorRead(ctx *AuthorizerContext) EnforcementDecision { ret := m.Called(ctx) return ret.Get(0).(EnforcementDecision) } // OperatorWrite determines if the state-changing Consul operator // functions can be used. -func (m *mockAuthorizer) OperatorWrite(ctx *EnterpriseAuthorizerContext) EnforcementDecision { +func (m *mockAuthorizer) OperatorWrite(ctx *AuthorizerContext) EnforcementDecision { ret := m.Called(ctx) return ret.Get(0).(EnforcementDecision) } // PreparedQueryRead determines if a specific prepared query can be read // to show its contents (this is not used for execution). -func (m *mockAuthorizer) PreparedQueryRead(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision { +func (m *mockAuthorizer) PreparedQueryRead(segment string, ctx *AuthorizerContext) EnforcementDecision { ret := m.Called(segment, ctx) return ret.Get(0).(EnforcementDecision) } // PreparedQueryWrite determines if a specific prepared query can be // created, modified, or deleted. -func (m *mockAuthorizer) PreparedQueryWrite(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision { +func (m *mockAuthorizer) PreparedQueryWrite(segment string, ctx *AuthorizerContext) EnforcementDecision { ret := m.Called(segment, ctx) return ret.Get(0).(EnforcementDecision) } // ServiceRead checks for permission to read a given service -func (m *mockAuthorizer) ServiceRead(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision { +func (m *mockAuthorizer) ServiceRead(segment string, ctx *AuthorizerContext) EnforcementDecision { ret := m.Called(segment, ctx) return ret.Get(0).(EnforcementDecision) } // ServiceWrite checks for permission to create or update a given // service -func (m *mockAuthorizer) ServiceWrite(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision { +func (m *mockAuthorizer) ServiceWrite(segment string, ctx *AuthorizerContext) EnforcementDecision { ret := m.Called(segment, ctx) return ret.Get(0).(EnforcementDecision) } // SessionRead checks for permission to read sessions for a given node. -func (m *mockAuthorizer) SessionRead(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision { +func (m *mockAuthorizer) SessionRead(segment string, ctx *AuthorizerContext) EnforcementDecision { ret := m.Called(segment, ctx) return ret.Get(0).(EnforcementDecision) } // SessionWrite checks for permission to create sessions for a given // node. -func (m *mockAuthorizer) SessionWrite(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision { +func (m *mockAuthorizer) SessionWrite(segment string, ctx *AuthorizerContext) EnforcementDecision { ret := m.Called(segment, ctx) return ret.Get(0).(EnforcementDecision) } // Snapshot checks for permission to take and restore snapshots. -func (m *mockAuthorizer) Snapshot(ctx *EnterpriseAuthorizerContext) EnforcementDecision { +func (m *mockAuthorizer) Snapshot(ctx *AuthorizerContext) EnforcementDecision { ret := m.Called(ctx) return ret.Get(0).(EnforcementDecision) } @@ -599,7 +599,7 @@ func TestACL_Enforce(t *testing.T) { m := &mockAuthorizer{} if tcase.err == "" { - var nilCtx *EnterpriseAuthorizerContext + var nilCtx *AuthorizerContext if tcase.segment != "" { m.On(tcase.method, tcase.segment, nilCtx).Return(tcase.ret) } else { diff --git a/acl/chained_authorizer.go b/acl/chained_authorizer.go index e43e60552..66ab18cd3 100644 --- a/acl/chained_authorizer.go +++ b/acl/chained_authorizer.go @@ -34,14 +34,14 @@ func (c *ChainedAuthorizer) executeChain(enforce func(authz Authorizer) Enforcem } // ACLRead checks for permission to list all the ACLs -func (c *ChainedAuthorizer) ACLRead(entCtx *EnterpriseAuthorizerContext) EnforcementDecision { +func (c *ChainedAuthorizer) ACLRead(entCtx *AuthorizerContext) EnforcementDecision { return c.executeChain(func(authz Authorizer) EnforcementDecision { return authz.ACLRead(entCtx) }) } // ACLWrite checks for permission to manipulate ACLs -func (c *ChainedAuthorizer) ACLWrite(entCtx *EnterpriseAuthorizerContext) EnforcementDecision { +func (c *ChainedAuthorizer) ACLWrite(entCtx *AuthorizerContext) EnforcementDecision { return c.executeChain(func(authz Authorizer) EnforcementDecision { return authz.ACLWrite(entCtx) }) @@ -49,7 +49,7 @@ func (c *ChainedAuthorizer) ACLWrite(entCtx *EnterpriseAuthorizerContext) Enforc // AgentRead checks for permission to read from agent endpoints for a // given node. -func (c *ChainedAuthorizer) AgentRead(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision { +func (c *ChainedAuthorizer) AgentRead(node string, entCtx *AuthorizerContext) EnforcementDecision { return c.executeChain(func(authz Authorizer) EnforcementDecision { return authz.AgentRead(node, entCtx) }) @@ -57,21 +57,21 @@ func (c *ChainedAuthorizer) AgentRead(node string, entCtx *EnterpriseAuthorizerC // AgentWrite checks for permission to make changes via agent endpoints // for a given node. -func (c *ChainedAuthorizer) AgentWrite(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision { +func (c *ChainedAuthorizer) AgentWrite(node string, entCtx *AuthorizerContext) EnforcementDecision { return c.executeChain(func(authz Authorizer) EnforcementDecision { return authz.AgentWrite(node, entCtx) }) } // EventRead determines if a specific event can be queried. -func (c *ChainedAuthorizer) EventRead(name string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision { +func (c *ChainedAuthorizer) EventRead(name string, entCtx *AuthorizerContext) EnforcementDecision { return c.executeChain(func(authz Authorizer) EnforcementDecision { return authz.EventRead(name, entCtx) }) } // EventWrite determines if a specific event may be fired. -func (c *ChainedAuthorizer) EventWrite(name string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision { +func (c *ChainedAuthorizer) EventWrite(name string, entCtx *AuthorizerContext) EnforcementDecision { return c.executeChain(func(authz Authorizer) EnforcementDecision { return authz.EventWrite(name, entCtx) }) @@ -79,14 +79,14 @@ func (c *ChainedAuthorizer) EventWrite(name string, entCtx *EnterpriseAuthorizer // IntentionDefaultAllow determines the default authorized behavior // when no intentions match a Connect request. -func (c *ChainedAuthorizer) IntentionDefaultAllow(entCtx *EnterpriseAuthorizerContext) EnforcementDecision { +func (c *ChainedAuthorizer) IntentionDefaultAllow(entCtx *AuthorizerContext) EnforcementDecision { return c.executeChain(func(authz Authorizer) EnforcementDecision { return authz.IntentionDefaultAllow(entCtx) }) } // IntentionRead determines if a specific intention can be read. -func (c *ChainedAuthorizer) IntentionRead(prefix string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision { +func (c *ChainedAuthorizer) IntentionRead(prefix string, entCtx *AuthorizerContext) EnforcementDecision { return c.executeChain(func(authz Authorizer) EnforcementDecision { return authz.IntentionRead(prefix, entCtx) }) @@ -94,28 +94,28 @@ func (c *ChainedAuthorizer) IntentionRead(prefix string, entCtx *EnterpriseAutho // IntentionWrite determines if a specific intention can be // created, modified, or deleted. -func (c *ChainedAuthorizer) IntentionWrite(prefix string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision { +func (c *ChainedAuthorizer) IntentionWrite(prefix string, entCtx *AuthorizerContext) EnforcementDecision { return c.executeChain(func(authz Authorizer) EnforcementDecision { return authz.IntentionWrite(prefix, entCtx) }) } // KeyList checks for permission to list keys under a prefix -func (c *ChainedAuthorizer) KeyList(keyPrefix string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision { +func (c *ChainedAuthorizer) KeyList(keyPrefix string, entCtx *AuthorizerContext) EnforcementDecision { return c.executeChain(func(authz Authorizer) EnforcementDecision { return authz.KeyList(keyPrefix, entCtx) }) } // KeyRead checks for permission to read a given key -func (c *ChainedAuthorizer) KeyRead(key string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision { +func (c *ChainedAuthorizer) KeyRead(key string, entCtx *AuthorizerContext) EnforcementDecision { return c.executeChain(func(authz Authorizer) EnforcementDecision { return authz.KeyRead(key, entCtx) }) } // KeyWrite checks for permission to write a given key -func (c *ChainedAuthorizer) KeyWrite(key string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision { +func (c *ChainedAuthorizer) KeyWrite(key string, entCtx *AuthorizerContext) EnforcementDecision { return c.executeChain(func(authz Authorizer) EnforcementDecision { return authz.KeyWrite(key, entCtx) }) @@ -124,7 +124,7 @@ func (c *ChainedAuthorizer) KeyWrite(key string, entCtx *EnterpriseAuthorizerCon // KeyWritePrefix checks for permission to write to an // entire key prefix. This means there must be no sub-policies // that deny a write. -func (c *ChainedAuthorizer) KeyWritePrefix(keyPrefix string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision { +func (c *ChainedAuthorizer) KeyWritePrefix(keyPrefix string, entCtx *AuthorizerContext) EnforcementDecision { return c.executeChain(func(authz Authorizer) EnforcementDecision { return authz.KeyWritePrefix(keyPrefix, entCtx) }) @@ -132,21 +132,21 @@ func (c *ChainedAuthorizer) KeyWritePrefix(keyPrefix string, entCtx *EnterpriseA // KeyringRead determines if the encryption keyring used in // the gossip layer can be read. -func (c *ChainedAuthorizer) KeyringRead(entCtx *EnterpriseAuthorizerContext) EnforcementDecision { +func (c *ChainedAuthorizer) KeyringRead(entCtx *AuthorizerContext) EnforcementDecision { return c.executeChain(func(authz Authorizer) EnforcementDecision { return authz.KeyringRead(entCtx) }) } // KeyringWrite determines if the keyring can be manipulated -func (c *ChainedAuthorizer) KeyringWrite(entCtx *EnterpriseAuthorizerContext) EnforcementDecision { +func (c *ChainedAuthorizer) KeyringWrite(entCtx *AuthorizerContext) EnforcementDecision { return c.executeChain(func(authz Authorizer) EnforcementDecision { return authz.KeyringWrite(entCtx) }) } // NodeRead checks for permission to read (discover) a given node. -func (c *ChainedAuthorizer) NodeRead(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision { +func (c *ChainedAuthorizer) NodeRead(node string, entCtx *AuthorizerContext) EnforcementDecision { return c.executeChain(func(authz Authorizer) EnforcementDecision { return authz.NodeRead(node, entCtx) }) @@ -154,7 +154,7 @@ func (c *ChainedAuthorizer) NodeRead(node string, entCtx *EnterpriseAuthorizerCo // NodeWrite checks for permission to create or update (register) a // given node. -func (c *ChainedAuthorizer) NodeWrite(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision { +func (c *ChainedAuthorizer) NodeWrite(node string, entCtx *AuthorizerContext) EnforcementDecision { return c.executeChain(func(authz Authorizer) EnforcementDecision { return authz.NodeWrite(node, entCtx) }) @@ -162,7 +162,7 @@ func (c *ChainedAuthorizer) NodeWrite(node string, entCtx *EnterpriseAuthorizerC // OperatorRead determines if the read-only Consul operator functions // can be used. -func (c *ChainedAuthorizer) OperatorRead(entCtx *EnterpriseAuthorizerContext) EnforcementDecision { +func (c *ChainedAuthorizer) OperatorRead(entCtx *AuthorizerContext) EnforcementDecision { return c.executeChain(func(authz Authorizer) EnforcementDecision { return authz.OperatorRead(entCtx) }) @@ -170,7 +170,7 @@ func (c *ChainedAuthorizer) OperatorRead(entCtx *EnterpriseAuthorizerContext) En // OperatorWrite determines if the state-changing Consul operator // functions can be used. -func (c *ChainedAuthorizer) OperatorWrite(entCtx *EnterpriseAuthorizerContext) EnforcementDecision { +func (c *ChainedAuthorizer) OperatorWrite(entCtx *AuthorizerContext) EnforcementDecision { return c.executeChain(func(authz Authorizer) EnforcementDecision { return authz.OperatorWrite(entCtx) }) @@ -178,7 +178,7 @@ func (c *ChainedAuthorizer) OperatorWrite(entCtx *EnterpriseAuthorizerContext) E // PreparedQueryRead determines if a specific prepared query can be read // to show its contents (this is not used for execution). -func (c *ChainedAuthorizer) PreparedQueryRead(query string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision { +func (c *ChainedAuthorizer) PreparedQueryRead(query string, entCtx *AuthorizerContext) EnforcementDecision { return c.executeChain(func(authz Authorizer) EnforcementDecision { return authz.PreparedQueryRead(query, entCtx) }) @@ -186,14 +186,14 @@ func (c *ChainedAuthorizer) PreparedQueryRead(query string, entCtx *EnterpriseAu // PreparedQueryWrite determines if a specific prepared query can be // created, modified, or deleted. -func (c *ChainedAuthorizer) PreparedQueryWrite(query string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision { +func (c *ChainedAuthorizer) PreparedQueryWrite(query string, entCtx *AuthorizerContext) EnforcementDecision { return c.executeChain(func(authz Authorizer) EnforcementDecision { return authz.PreparedQueryWrite(query, entCtx) }) } // ServiceRead checks for permission to read a given service -func (c *ChainedAuthorizer) ServiceRead(name string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision { +func (c *ChainedAuthorizer) ServiceRead(name string, entCtx *AuthorizerContext) EnforcementDecision { return c.executeChain(func(authz Authorizer) EnforcementDecision { return authz.ServiceRead(name, entCtx) }) @@ -201,14 +201,14 @@ func (c *ChainedAuthorizer) ServiceRead(name string, entCtx *EnterpriseAuthorize // ServiceWrite checks for permission to create or update a given // service -func (c *ChainedAuthorizer) ServiceWrite(name string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision { +func (c *ChainedAuthorizer) ServiceWrite(name string, entCtx *AuthorizerContext) EnforcementDecision { return c.executeChain(func(authz Authorizer) EnforcementDecision { return authz.ServiceWrite(name, entCtx) }) } // SessionRead checks for permission to read sessions for a given node. -func (c *ChainedAuthorizer) SessionRead(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision { +func (c *ChainedAuthorizer) SessionRead(node string, entCtx *AuthorizerContext) EnforcementDecision { return c.executeChain(func(authz Authorizer) EnforcementDecision { return authz.SessionRead(node, entCtx) }) @@ -216,14 +216,14 @@ func (c *ChainedAuthorizer) SessionRead(node string, entCtx *EnterpriseAuthorize // SessionWrite checks for permission to create sessions for a given // node. -func (c *ChainedAuthorizer) SessionWrite(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision { +func (c *ChainedAuthorizer) SessionWrite(node string, entCtx *AuthorizerContext) EnforcementDecision { return c.executeChain(func(authz Authorizer) EnforcementDecision { return authz.SessionWrite(node, entCtx) }) } // Snapshot checks for permission to take and restore snapshots. -func (c *ChainedAuthorizer) Snapshot(entCtx *EnterpriseAuthorizerContext) EnforcementDecision { +func (c *ChainedAuthorizer) Snapshot(entCtx *AuthorizerContext) EnforcementDecision { return c.executeChain(func(authz Authorizer) EnforcementDecision { return authz.Snapshot(entCtx) }) diff --git a/acl/chained_authorizer_test.go b/acl/chained_authorizer_test.go index f6473fbe9..155d9d808 100644 --- a/acl/chained_authorizer_test.go +++ b/acl/chained_authorizer_test.go @@ -6,82 +6,82 @@ import ( type testAuthorizer EnforcementDecision -func (authz testAuthorizer) ACLRead(*EnterpriseAuthorizerContext) EnforcementDecision { +func (authz testAuthorizer) ACLRead(*AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } -func (authz testAuthorizer) ACLWrite(*EnterpriseAuthorizerContext) EnforcementDecision { +func (authz testAuthorizer) ACLWrite(*AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } -func (authz testAuthorizer) AgentRead(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (authz testAuthorizer) AgentRead(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } -func (authz testAuthorizer) AgentWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (authz testAuthorizer) AgentWrite(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } -func (authz testAuthorizer) EventRead(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (authz testAuthorizer) EventRead(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } -func (authz testAuthorizer) EventWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (authz testAuthorizer) EventWrite(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } -func (authz testAuthorizer) IntentionDefaultAllow(*EnterpriseAuthorizerContext) EnforcementDecision { +func (authz testAuthorizer) IntentionDefaultAllow(*AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } -func (authz testAuthorizer) IntentionRead(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (authz testAuthorizer) IntentionRead(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } -func (authz testAuthorizer) IntentionWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (authz testAuthorizer) IntentionWrite(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } -func (authz testAuthorizer) KeyList(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (authz testAuthorizer) KeyList(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } -func (authz testAuthorizer) KeyRead(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (authz testAuthorizer) KeyRead(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } -func (authz testAuthorizer) KeyWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (authz testAuthorizer) KeyWrite(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } -func (authz testAuthorizer) KeyWritePrefix(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (authz testAuthorizer) KeyWritePrefix(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } -func (authz testAuthorizer) KeyringRead(*EnterpriseAuthorizerContext) EnforcementDecision { +func (authz testAuthorizer) KeyringRead(*AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } -func (authz testAuthorizer) KeyringWrite(*EnterpriseAuthorizerContext) EnforcementDecision { +func (authz testAuthorizer) KeyringWrite(*AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } -func (authz testAuthorizer) NodeRead(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (authz testAuthorizer) NodeRead(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } -func (authz testAuthorizer) NodeWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (authz testAuthorizer) NodeWrite(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } -func (authz testAuthorizer) OperatorRead(*EnterpriseAuthorizerContext) EnforcementDecision { +func (authz testAuthorizer) OperatorRead(*AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } -func (authz testAuthorizer) OperatorWrite(*EnterpriseAuthorizerContext) EnforcementDecision { +func (authz testAuthorizer) OperatorWrite(*AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } -func (authz testAuthorizer) PreparedQueryRead(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (authz testAuthorizer) PreparedQueryRead(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } -func (authz testAuthorizer) PreparedQueryWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (authz testAuthorizer) PreparedQueryWrite(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } -func (authz testAuthorizer) ServiceRead(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (authz testAuthorizer) ServiceRead(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } -func (authz testAuthorizer) ServiceWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (authz testAuthorizer) ServiceWrite(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } -func (authz testAuthorizer) SessionRead(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (authz testAuthorizer) SessionRead(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } -func (authz testAuthorizer) SessionWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (authz testAuthorizer) SessionWrite(string, *AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } -func (authz testAuthorizer) Snapshot(*EnterpriseAuthorizerContext) EnforcementDecision { +func (authz testAuthorizer) Snapshot(*AuthorizerContext) EnforcementDecision { return EnforcementDecision(authz) } diff --git a/acl/policy_authorizer.go b/acl/policy_authorizer.go index 0ce500b00..4aeec2c78 100644 --- a/acl/policy_authorizer.go +++ b/acl/policy_authorizer.go @@ -341,7 +341,7 @@ func newPolicyAuthorizerFromRules(rules *PolicyRules, ent *EnterpriseACLConfig) } // ACLRead checks if listing of ACLs is allowed -func (p *policyAuthorizer) ACLRead(*EnterpriseAuthorizerContext) EnforcementDecision { +func (p *policyAuthorizer) ACLRead(*AuthorizerContext) EnforcementDecision { if p.aclRule != nil { return enforce(p.aclRule.access, AccessRead) } @@ -349,7 +349,7 @@ func (p *policyAuthorizer) ACLRead(*EnterpriseAuthorizerContext) EnforcementDeci } // ACLWrite checks if modification of ACLs is allowed -func (p *policyAuthorizer) ACLWrite(*EnterpriseAuthorizerContext) EnforcementDecision { +func (p *policyAuthorizer) ACLWrite(*AuthorizerContext) EnforcementDecision { if p.aclRule != nil { return enforce(p.aclRule.access, AccessWrite) } @@ -358,7 +358,7 @@ func (p *policyAuthorizer) ACLWrite(*EnterpriseAuthorizerContext) EnforcementDec // AgentRead checks for permission to read from agent endpoints for a given // node. -func (p *policyAuthorizer) AgentRead(node string, _ *EnterpriseAuthorizerContext) EnforcementDecision { +func (p *policyAuthorizer) AgentRead(node string, _ *AuthorizerContext) EnforcementDecision { if rule, ok := getPolicy(node, p.agentRules); ok { return enforce(rule.access, AccessRead) } @@ -367,7 +367,7 @@ func (p *policyAuthorizer) AgentRead(node string, _ *EnterpriseAuthorizerContext // AgentWrite checks for permission to make changes via agent endpoints for a // given node. -func (p *policyAuthorizer) AgentWrite(node string, _ *EnterpriseAuthorizerContext) EnforcementDecision { +func (p *policyAuthorizer) AgentWrite(node string, _ *AuthorizerContext) EnforcementDecision { if rule, ok := getPolicy(node, p.agentRules); ok { return enforce(rule.access, AccessWrite) } @@ -375,7 +375,7 @@ func (p *policyAuthorizer) AgentWrite(node string, _ *EnterpriseAuthorizerContex } // Snapshot checks if taking and restoring snapshots is allowed. -func (p *policyAuthorizer) Snapshot(_ *EnterpriseAuthorizerContext) EnforcementDecision { +func (p *policyAuthorizer) Snapshot(_ *AuthorizerContext) EnforcementDecision { if p.aclRule != nil { return enforce(p.aclRule.access, AccessWrite) } @@ -384,7 +384,7 @@ func (p *policyAuthorizer) Snapshot(_ *EnterpriseAuthorizerContext) EnforcementD // EventRead is used to determine if the policy allows for a // specific user event to be read. -func (p *policyAuthorizer) EventRead(name string, _ *EnterpriseAuthorizerContext) EnforcementDecision { +func (p *policyAuthorizer) EventRead(name string, _ *AuthorizerContext) EnforcementDecision { if rule, ok := getPolicy(name, p.eventRules); ok { return enforce(rule.access, AccessRead) } @@ -393,7 +393,7 @@ func (p *policyAuthorizer) EventRead(name string, _ *EnterpriseAuthorizerContext // EventWrite is used to determine if new events can be created // (fired) by the policy. -func (p *policyAuthorizer) EventWrite(name string, _ *EnterpriseAuthorizerContext) EnforcementDecision { +func (p *policyAuthorizer) EventWrite(name string, _ *AuthorizerContext) EnforcementDecision { if rule, ok := getPolicy(name, p.eventRules); ok { return enforce(rule.access, AccessWrite) } @@ -402,14 +402,14 @@ func (p *policyAuthorizer) EventWrite(name string, _ *EnterpriseAuthorizerContex // IntentionDefaultAllow returns whether the default behavior when there are // no matching intentions is to allow or deny. -func (p *policyAuthorizer) IntentionDefaultAllow(_ *EnterpriseAuthorizerContext) EnforcementDecision { +func (p *policyAuthorizer) IntentionDefaultAllow(_ *AuthorizerContext) EnforcementDecision { // We always go up, this can't be determined by a policy. return Default } // IntentionRead checks if writing (creating, updating, or deleting) of an // intention is allowed. -func (p *policyAuthorizer) IntentionRead(prefix string, _ *EnterpriseAuthorizerContext) EnforcementDecision { +func (p *policyAuthorizer) IntentionRead(prefix string, _ *AuthorizerContext) EnforcementDecision { if rule, ok := getPolicy(prefix, p.intentionRules); ok { return enforce(rule.access, AccessRead) } @@ -418,7 +418,7 @@ func (p *policyAuthorizer) IntentionRead(prefix string, _ *EnterpriseAuthorizerC // IntentionWrite checks if writing (creating, updating, or deleting) of an // intention is allowed. -func (p *policyAuthorizer) IntentionWrite(prefix string, _ *EnterpriseAuthorizerContext) EnforcementDecision { +func (p *policyAuthorizer) IntentionWrite(prefix string, _ *AuthorizerContext) EnforcementDecision { if rule, ok := getPolicy(prefix, p.intentionRules); ok { return enforce(rule.access, AccessWrite) } @@ -426,7 +426,7 @@ func (p *policyAuthorizer) IntentionWrite(prefix string, _ *EnterpriseAuthorizer } // KeyRead returns if a key is allowed to be read -func (p *policyAuthorizer) KeyRead(key string, _ *EnterpriseAuthorizerContext) EnforcementDecision { +func (p *policyAuthorizer) KeyRead(key string, _ *AuthorizerContext) EnforcementDecision { if rule, ok := getPolicy(key, p.keyRules); ok { return enforce(rule.access, AccessRead) } @@ -434,7 +434,7 @@ func (p *policyAuthorizer) KeyRead(key string, _ *EnterpriseAuthorizerContext) E } // KeyList returns if a key is allowed to be listed -func (p *policyAuthorizer) KeyList(key string, _ *EnterpriseAuthorizerContext) EnforcementDecision { +func (p *policyAuthorizer) KeyList(key string, _ *AuthorizerContext) EnforcementDecision { if rule, ok := getPolicy(key, p.keyRules); ok { return enforce(rule.access, AccessList) } @@ -442,7 +442,7 @@ func (p *policyAuthorizer) KeyList(key string, _ *EnterpriseAuthorizerContext) E } // KeyWrite returns if a key is allowed to be written -func (p *policyAuthorizer) KeyWrite(key string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision { +func (p *policyAuthorizer) KeyWrite(key string, entCtx *AuthorizerContext) EnforcementDecision { if rule, ok := getPolicy(key, p.keyRules); ok { decision := enforce(rule.access, AccessWrite) if decision == Allow { @@ -459,7 +459,7 @@ func (p *policyAuthorizer) KeyWrite(key string, entCtx *EnterpriseAuthorizerCont // the KV can be removed. For that reason we must be able to // delete everything under the prefix. First we must have "write" // on the prefix itself -func (p *policyAuthorizer) KeyWritePrefix(prefix string, _ *EnterpriseAuthorizerContext) EnforcementDecision { +func (p *policyAuthorizer) KeyWritePrefix(prefix string, _ *AuthorizerContext) EnforcementDecision { // Conditions for Allow: // * The longest prefix match rule that would apply to the given prefix // grants AccessWrite @@ -537,7 +537,7 @@ func (p *policyAuthorizer) KeyWritePrefix(prefix string, _ *EnterpriseAuthorizer // KeyringRead is used to determine if the keyring can be // read by the current ACL token. -func (p *policyAuthorizer) KeyringRead(*EnterpriseAuthorizerContext) EnforcementDecision { +func (p *policyAuthorizer) KeyringRead(*AuthorizerContext) EnforcementDecision { if p.keyringRule != nil { return enforce(p.keyringRule.access, AccessRead) } @@ -545,7 +545,7 @@ func (p *policyAuthorizer) KeyringRead(*EnterpriseAuthorizerContext) Enforcement } // KeyringWrite determines if the keyring can be manipulated. -func (p *policyAuthorizer) KeyringWrite(*EnterpriseAuthorizerContext) EnforcementDecision { +func (p *policyAuthorizer) KeyringWrite(*AuthorizerContext) EnforcementDecision { if p.keyringRule != nil { return enforce(p.keyringRule.access, AccessWrite) } @@ -553,7 +553,7 @@ func (p *policyAuthorizer) KeyringWrite(*EnterpriseAuthorizerContext) Enforcemen } // OperatorRead determines if the read-only operator functions are allowed. -func (p *policyAuthorizer) OperatorRead(*EnterpriseAuthorizerContext) EnforcementDecision { +func (p *policyAuthorizer) OperatorRead(*AuthorizerContext) EnforcementDecision { if p.operatorRule != nil { return enforce(p.operatorRule.access, AccessRead) } @@ -562,7 +562,7 @@ func (p *policyAuthorizer) OperatorRead(*EnterpriseAuthorizerContext) Enforcemen // OperatorWrite determines if the state-changing operator functions are // allowed. -func (p *policyAuthorizer) OperatorWrite(*EnterpriseAuthorizerContext) EnforcementDecision { +func (p *policyAuthorizer) OperatorWrite(*AuthorizerContext) EnforcementDecision { if p.operatorRule != nil { return enforce(p.operatorRule.access, AccessWrite) } @@ -570,7 +570,7 @@ func (p *policyAuthorizer) OperatorWrite(*EnterpriseAuthorizerContext) Enforceme } // NodeRead checks if reading (discovery) of a node is allowed -func (p *policyAuthorizer) NodeRead(name string, _ *EnterpriseAuthorizerContext) EnforcementDecision { +func (p *policyAuthorizer) NodeRead(name string, _ *AuthorizerContext) EnforcementDecision { if rule, ok := getPolicy(name, p.nodeRules); ok { return enforce(rule.access, AccessRead) } @@ -578,7 +578,7 @@ func (p *policyAuthorizer) NodeRead(name string, _ *EnterpriseAuthorizerContext) } // NodeWrite checks if writing (registering) a node is allowed -func (p *policyAuthorizer) NodeWrite(name string, _ *EnterpriseAuthorizerContext) EnforcementDecision { +func (p *policyAuthorizer) NodeWrite(name string, _ *AuthorizerContext) EnforcementDecision { if rule, ok := getPolicy(name, p.nodeRules); ok { return enforce(rule.access, AccessWrite) } @@ -587,7 +587,7 @@ func (p *policyAuthorizer) NodeWrite(name string, _ *EnterpriseAuthorizerContext // PreparedQueryRead checks if reading (listing) of a prepared query is // allowed - this isn't execution, just listing its contents. -func (p *policyAuthorizer) PreparedQueryRead(prefix string, _ *EnterpriseAuthorizerContext) EnforcementDecision { +func (p *policyAuthorizer) PreparedQueryRead(prefix string, _ *AuthorizerContext) EnforcementDecision { if rule, ok := getPolicy(prefix, p.preparedQueryRules); ok { return enforce(rule.access, AccessRead) } @@ -596,7 +596,7 @@ func (p *policyAuthorizer) PreparedQueryRead(prefix string, _ *EnterpriseAuthori // PreparedQueryWrite checks if writing (creating, updating, or deleting) of a // prepared query is allowed. -func (p *policyAuthorizer) PreparedQueryWrite(prefix string, _ *EnterpriseAuthorizerContext) EnforcementDecision { +func (p *policyAuthorizer) PreparedQueryWrite(prefix string, _ *AuthorizerContext) EnforcementDecision { if rule, ok := getPolicy(prefix, p.preparedQueryRules); ok { return enforce(rule.access, AccessWrite) } @@ -604,7 +604,7 @@ func (p *policyAuthorizer) PreparedQueryWrite(prefix string, _ *EnterpriseAuthor } // ServiceRead checks if reading (discovery) of a service is allowed -func (p *policyAuthorizer) ServiceRead(name string, _ *EnterpriseAuthorizerContext) EnforcementDecision { +func (p *policyAuthorizer) ServiceRead(name string, _ *AuthorizerContext) EnforcementDecision { if rule, ok := getPolicy(name, p.serviceRules); ok { return enforce(rule.access, AccessRead) } @@ -612,7 +612,7 @@ func (p *policyAuthorizer) ServiceRead(name string, _ *EnterpriseAuthorizerConte } // ServiceWrite checks if writing (registering) a service is allowed -func (p *policyAuthorizer) ServiceWrite(name string, _ *EnterpriseAuthorizerContext) EnforcementDecision { +func (p *policyAuthorizer) ServiceWrite(name string, _ *AuthorizerContext) EnforcementDecision { if rule, ok := getPolicy(name, p.serviceRules); ok { return enforce(rule.access, AccessWrite) } @@ -620,7 +620,7 @@ func (p *policyAuthorizer) ServiceWrite(name string, _ *EnterpriseAuthorizerCont } // SessionRead checks for permission to read sessions for a given node. -func (p *policyAuthorizer) SessionRead(node string, _ *EnterpriseAuthorizerContext) EnforcementDecision { +func (p *policyAuthorizer) SessionRead(node string, _ *AuthorizerContext) EnforcementDecision { if rule, ok := getPolicy(node, p.sessionRules); ok { return enforce(rule.access, AccessRead) } @@ -628,7 +628,7 @@ func (p *policyAuthorizer) SessionRead(node string, _ *EnterpriseAuthorizerConte } // SessionWrite checks for permission to create sessions for a given node. -func (p *policyAuthorizer) SessionWrite(node string, _ *EnterpriseAuthorizerContext) EnforcementDecision { +func (p *policyAuthorizer) SessionWrite(node string, _ *AuthorizerContext) EnforcementDecision { // Check for an exact rule or catch-all if rule, ok := getPolicy(node, p.sessionRules); ok { return enforce(rule.access, AccessWrite) diff --git a/acl/policy_authorizer_oss.go b/acl/policy_authorizer_oss.go index 15ac4eec6..44e36fc9d 100644 --- a/acl/policy_authorizer_oss.go +++ b/acl/policy_authorizer_oss.go @@ -9,7 +9,7 @@ func (authz *enterprisePolicyAuthorizer) init(*EnterpriseACLConfig) { // nothing to do } -func (authz *enterprisePolicyAuthorizer) enforce(_ *EnterpriseRule, _ *EnterpriseAuthorizerContext) EnforcementDecision { +func (authz *enterprisePolicyAuthorizer) enforce(_ *EnterpriseRule, _ *AuthorizerContext) EnforcementDecision { return Default } diff --git a/acl/policy_authorizer_test.go b/acl/policy_authorizer_test.go index 9ca84367f..ab8f1c91d 100644 --- a/acl/policy_authorizer_test.go +++ b/acl/policy_authorizer_test.go @@ -17,7 +17,7 @@ func TestPolicyAuthorizer(t *testing.T) { type aclCheck struct { name string prefix string - check func(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) + check func(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) } type aclTest struct { diff --git a/acl/static_authorizer.go b/acl/static_authorizer.go index aaf708941..0befd7c8e 100644 --- a/acl/static_authorizer.go +++ b/acl/static_authorizer.go @@ -32,182 +32,182 @@ type StaticAuthorizer struct { defaultAllow bool } -func (s *StaticAuthorizer) ACLRead(*EnterpriseAuthorizerContext) EnforcementDecision { +func (s *StaticAuthorizer) ACLRead(*AuthorizerContext) EnforcementDecision { if s.allowManage { return Allow } return Deny } -func (s *StaticAuthorizer) ACLWrite(*EnterpriseAuthorizerContext) EnforcementDecision { +func (s *StaticAuthorizer) ACLWrite(*AuthorizerContext) EnforcementDecision { if s.allowManage { return Allow } return Deny } -func (s *StaticAuthorizer) AgentRead(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (s *StaticAuthorizer) AgentRead(string, *AuthorizerContext) EnforcementDecision { if s.defaultAllow { return Allow } return Deny } -func (s *StaticAuthorizer) AgentWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (s *StaticAuthorizer) AgentWrite(string, *AuthorizerContext) EnforcementDecision { if s.defaultAllow { return Allow } return Deny } -func (s *StaticAuthorizer) EventRead(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (s *StaticAuthorizer) EventRead(string, *AuthorizerContext) EnforcementDecision { if s.defaultAllow { return Allow } return Deny } -func (s *StaticAuthorizer) EventWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (s *StaticAuthorizer) EventWrite(string, *AuthorizerContext) EnforcementDecision { if s.defaultAllow { return Allow } return Deny } -func (s *StaticAuthorizer) IntentionDefaultAllow(*EnterpriseAuthorizerContext) EnforcementDecision { +func (s *StaticAuthorizer) IntentionDefaultAllow(*AuthorizerContext) EnforcementDecision { if s.defaultAllow { return Allow } return Deny } -func (s *StaticAuthorizer) IntentionRead(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (s *StaticAuthorizer) IntentionRead(string, *AuthorizerContext) EnforcementDecision { if s.defaultAllow { return Allow } return Deny } -func (s *StaticAuthorizer) IntentionWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (s *StaticAuthorizer) IntentionWrite(string, *AuthorizerContext) EnforcementDecision { if s.defaultAllow { return Allow } return Deny } -func (s *StaticAuthorizer) KeyRead(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (s *StaticAuthorizer) KeyRead(string, *AuthorizerContext) EnforcementDecision { if s.defaultAllow { return Allow } return Deny } -func (s *StaticAuthorizer) KeyList(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (s *StaticAuthorizer) KeyList(string, *AuthorizerContext) EnforcementDecision { if s.defaultAllow { return Allow } return Deny } -func (s *StaticAuthorizer) KeyWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (s *StaticAuthorizer) KeyWrite(string, *AuthorizerContext) EnforcementDecision { if s.defaultAllow { return Allow } return Deny } -func (s *StaticAuthorizer) KeyWritePrefix(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (s *StaticAuthorizer) KeyWritePrefix(string, *AuthorizerContext) EnforcementDecision { if s.defaultAllow { return Allow } return Deny } -func (s *StaticAuthorizer) KeyringRead(*EnterpriseAuthorizerContext) EnforcementDecision { +func (s *StaticAuthorizer) KeyringRead(*AuthorizerContext) EnforcementDecision { if s.defaultAllow { return Allow } return Deny } -func (s *StaticAuthorizer) KeyringWrite(*EnterpriseAuthorizerContext) EnforcementDecision { +func (s *StaticAuthorizer) KeyringWrite(*AuthorizerContext) EnforcementDecision { if s.defaultAllow { return Allow } return Deny } -func (s *StaticAuthorizer) NodeRead(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (s *StaticAuthorizer) NodeRead(string, *AuthorizerContext) EnforcementDecision { if s.defaultAllow { return Allow } return Deny } -func (s *StaticAuthorizer) NodeWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (s *StaticAuthorizer) NodeWrite(string, *AuthorizerContext) EnforcementDecision { if s.defaultAllow { return Allow } return Deny } -func (s *StaticAuthorizer) OperatorRead(*EnterpriseAuthorizerContext) EnforcementDecision { +func (s *StaticAuthorizer) OperatorRead(*AuthorizerContext) EnforcementDecision { if s.defaultAllow { return Allow } return Deny } -func (s *StaticAuthorizer) OperatorWrite(*EnterpriseAuthorizerContext) EnforcementDecision { +func (s *StaticAuthorizer) OperatorWrite(*AuthorizerContext) EnforcementDecision { if s.defaultAllow { return Allow } return Deny } -func (s *StaticAuthorizer) PreparedQueryRead(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (s *StaticAuthorizer) PreparedQueryRead(string, *AuthorizerContext) EnforcementDecision { if s.defaultAllow { return Allow } return Deny } -func (s *StaticAuthorizer) PreparedQueryWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (s *StaticAuthorizer) PreparedQueryWrite(string, *AuthorizerContext) EnforcementDecision { if s.defaultAllow { return Allow } return Deny } -func (s *StaticAuthorizer) ServiceRead(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (s *StaticAuthorizer) ServiceRead(string, *AuthorizerContext) EnforcementDecision { if s.defaultAllow { return Allow } return Deny } -func (s *StaticAuthorizer) ServiceWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (s *StaticAuthorizer) ServiceWrite(string, *AuthorizerContext) EnforcementDecision { if s.defaultAllow { return Allow } return Deny } -func (s *StaticAuthorizer) SessionRead(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (s *StaticAuthorizer) SessionRead(string, *AuthorizerContext) EnforcementDecision { if s.defaultAllow { return Allow } return Deny } -func (s *StaticAuthorizer) SessionWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision { +func (s *StaticAuthorizer) SessionWrite(string, *AuthorizerContext) EnforcementDecision { if s.defaultAllow { return Allow } return Deny } -func (s *StaticAuthorizer) Snapshot(_ *EnterpriseAuthorizerContext) EnforcementDecision { +func (s *StaticAuthorizer) Snapshot(_ *AuthorizerContext) EnforcementDecision { if s.allowManage { return Allow } diff --git a/agent/acl.go b/agent/acl.go index f5b0addd1..0491cff93 100644 --- a/agent/acl.go +++ b/agent/acl.go @@ -75,7 +75,7 @@ func (a *Agent) vetServiceRegister(token string, service *structs.NodeService) e return nil } - var authzContext acl.EnterpriseAuthorizerContext + var authzContext acl.AuthorizerContext service.FillAuthzContext(&authzContext) // Vet the service itself. if rule.ServiceWrite(service.Service, &authzContext) != acl.Allow { @@ -114,7 +114,7 @@ func (a *Agent) vetServiceUpdate(token string, serviceID structs.ServiceID) erro return nil } - var authzContext acl.EnterpriseAuthorizerContext + var authzContext acl.AuthorizerContext // Vet any changes based on the existing services's info. if existing := a.State.Service(serviceID); existing != nil { @@ -141,7 +141,7 @@ func (a *Agent) vetCheckRegister(token string, check *structs.HealthCheck) error return nil } - var authzContext acl.EnterpriseAuthorizerContext + var authzContext acl.AuthorizerContext check.FillAuthzContext(&authzContext) // Vet the check itself. if len(check.ServiceName) > 0 { @@ -181,7 +181,7 @@ func (a *Agent) vetCheckUpdate(token string, checkID structs.CheckID) error { return nil } - var authzContext acl.EnterpriseAuthorizerContext + var authzContext acl.AuthorizerContext checkID.FillAuthzContext(&authzContext) // Vet any changes based on the existing check's info. @@ -213,7 +213,7 @@ func (a *Agent) filterMembers(token string, members *[]serf.Member) error { return nil } - var authzContext acl.EnterpriseAuthorizerContext + var authzContext acl.AuthorizerContext structs.DefaultEnterpriseMeta().FillAuthzContext(&authzContext) // Filter out members based on the node policy. m := *members @@ -241,7 +241,7 @@ func (a *Agent) filterServices(token string, services *map[structs.ServiceID]*st return nil } - var authzContext acl.EnterpriseAuthorizerContext + var authzContext acl.AuthorizerContext // Filter out services based on the service policy. for id, service := range *services { service.FillAuthzContext(&authzContext) @@ -265,7 +265,7 @@ func (a *Agent) filterChecks(token string, checks *map[structs.CheckID]*structs. return nil } - var authzContext acl.EnterpriseAuthorizerContext + var authzContext acl.AuthorizerContext // Filter out checks based on the node or service policy. for id, check := range *checks { if len(check.ServiceName) > 0 { diff --git a/agent/agent_endpoint.go b/agent/agent_endpoint.go index acb48979f..ade9ee7ca 100644 --- a/agent/agent_endpoint.go +++ b/agent/agent_endpoint.go @@ -295,7 +295,7 @@ func (s *HTTPServer) AgentService(resp http.ResponseWriter, req *http.Request) ( if err != nil { return "", nil, err } - var authzContext acl.EnterpriseAuthorizerContext + var authzContext acl.AuthorizerContext svc.FillAuthzContext(&authzContext) if rule != nil && rule.ServiceRead(svc.Service, &authzContext) != acl.Allow { return "", nil, acl.ErrPermissionDenied diff --git a/agent/consul/acl.go b/agent/consul/acl.go index 7a249a9f3..f1fdf46f4 100644 --- a/agent/consul/acl.go +++ b/agent/consul/acl.go @@ -1092,7 +1092,7 @@ func newACLFilter(authorizer acl.Authorizer, logger *log.Logger, enforceVersion8 } // allowNode is used to determine if a node is accessible for an ACL. -func (f *aclFilter) allowNode(node string, ent *acl.EnterpriseAuthorizerContext) bool { +func (f *aclFilter) allowNode(node string, ent *acl.AuthorizerContext) bool { if !f.enforceVersion8 { return true } @@ -1101,7 +1101,7 @@ func (f *aclFilter) allowNode(node string, ent *acl.EnterpriseAuthorizerContext) } // allowService is used to determine if a service is accessible for an ACL. -func (f *aclFilter) allowService(service string, ent *acl.EnterpriseAuthorizerContext) bool { +func (f *aclFilter) allowService(service string, ent *acl.AuthorizerContext) bool { if service == "" { return true } @@ -1114,7 +1114,7 @@ func (f *aclFilter) allowService(service string, ent *acl.EnterpriseAuthorizerCo // allowSession is used to determine if a session for a node is accessible for // an ACL. -func (f *aclFilter) allowSession(node string, ent *acl.EnterpriseAuthorizerContext) bool { +func (f *aclFilter) allowSession(node string, ent *acl.AuthorizerContext) bool { if !f.enforceVersion8 { return true } @@ -1125,7 +1125,7 @@ func (f *aclFilter) allowSession(node string, ent *acl.EnterpriseAuthorizerConte // the configured ACL rules for a token. func (f *aclFilter) filterHealthChecks(checks *structs.HealthChecks) { hc := *checks - var authzContext acl.EnterpriseAuthorizerContext + var authzContext acl.AuthorizerContext for i := 0; i < len(hc); i++ { check := hc[i] @@ -1143,7 +1143,7 @@ func (f *aclFilter) filterHealthChecks(checks *structs.HealthChecks) { // filterServices is used to filter a set of services based on ACLs. func (f *aclFilter) filterServices(services structs.Services, entMeta *structs.EnterpriseMeta) { - var authzContext acl.EnterpriseAuthorizerContext + var authzContext acl.AuthorizerContext entMeta.FillAuthzContext(&authzContext) for svc := range services { @@ -1159,7 +1159,7 @@ func (f *aclFilter) filterServices(services structs.Services, entMeta *structs.E // based on the configured ACL rules. func (f *aclFilter) filterServiceNodes(nodes *structs.ServiceNodes) { sn := *nodes - var authzContext acl.EnterpriseAuthorizerContext + var authzContext acl.AuthorizerContext for i := 0; i < len(sn); i++ { node := sn[i] @@ -1181,7 +1181,7 @@ func (f *aclFilter) filterNodeServices(services **structs.NodeServices) { return } - var authzContext acl.EnterpriseAuthorizerContext + var authzContext acl.AuthorizerContext structs.WildcardEnterpriseMeta().FillAuthzContext(&authzContext) if !f.allowNode((*services).Node.Node, &authzContext) { *services = nil @@ -1205,7 +1205,7 @@ func (f *aclFilter) filterNodeServiceList(services **structs.NodeServiceList) { return } - var authzContext acl.EnterpriseAuthorizerContext + var authzContext acl.AuthorizerContext structs.WildcardEnterpriseMeta().FillAuthzContext(&authzContext) if !f.allowNode((*services).Node.Node, &authzContext) { *services = nil @@ -1238,7 +1238,7 @@ func (f *aclFilter) filterNodeServiceList(services **structs.NodeServiceList) { // filterCheckServiceNodes is used to filter nodes based on ACL rules. func (f *aclFilter) filterCheckServiceNodes(nodes *structs.CheckServiceNodes) { csn := *nodes - var authzContext acl.EnterpriseAuthorizerContext + var authzContext acl.AuthorizerContext for i := 0; i < len(csn); i++ { node := csn[i] @@ -1259,7 +1259,7 @@ func (f *aclFilter) filterSessions(sessions *structs.Sessions) { for i := 0; i < len(s); i++ { session := s[i] - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext session.FillAuthzContext(&entCtx) if f.allowSession(session.Node, &entCtx) { @@ -1276,7 +1276,7 @@ func (f *aclFilter) filterSessions(sessions *structs.Sessions) { // rules. func (f *aclFilter) filterCoordinates(coords *structs.Coordinates) { c := *coords - var authzContext acl.EnterpriseAuthorizerContext + var authzContext acl.AuthorizerContext structs.WildcardEnterpriseMeta().FillAuthzContext(&authzContext) for i := 0; i < len(c); i++ { @@ -1325,7 +1325,7 @@ func (f *aclFilter) filterIntentions(ixns *structs.Intentions) { func (f *aclFilter) filterNodeDump(dump *structs.NodeDump) { nd := *dump - var authzContext acl.EnterpriseAuthorizerContext + var authzContext acl.AuthorizerContext for i := 0; i < len(nd); i++ { info := nd[i] @@ -1370,7 +1370,7 @@ func (f *aclFilter) filterNodeDump(dump *structs.NodeDump) { func (f *aclFilter) filterNodes(nodes *structs.Nodes) { n := *nodes - var authzContext acl.EnterpriseAuthorizerContext + var authzContext acl.AuthorizerContext structs.WildcardEnterpriseMeta().FillAuthzContext(&authzContext) for i := 0; i < len(n); i++ { @@ -1393,7 +1393,7 @@ func (f *aclFilter) filterNodes(nodes *structs.Nodes) { // captured tokens, but they can at least see whether or not a token is set. func (f *aclFilter) redactPreparedQueryTokens(query **structs.PreparedQuery) { // Management tokens can see everything with no filtering. - var authzContext acl.EnterpriseAuthorizerContext + var authzContext acl.AuthorizerContext structs.DefaultEnterpriseMeta().FillAuthzContext(&authzContext) if f.authorizer.ACLWrite(&authzContext) == acl.Allow { return @@ -1419,7 +1419,7 @@ func (f *aclFilter) redactPreparedQueryTokens(query **structs.PreparedQuery) { // We prune entries the user doesn't have access to, and we redact any tokens // if the user doesn't have a management token. func (f *aclFilter) filterPreparedQueries(queries *structs.PreparedQueries) { - var authzContext acl.EnterpriseAuthorizerContext + var authzContext acl.AuthorizerContext structs.DefaultEnterpriseMeta().FillAuthzContext(&authzContext) // Management tokens can see everything with no filtering. // TODO is this check even necessary - this looks like a search replace from @@ -1451,7 +1451,7 @@ func (f *aclFilter) filterPreparedQueries(queries *structs.PreparedQueries) { } func (f *aclFilter) filterToken(token **structs.ACLToken) { - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext if token == nil || *token == nil || f == nil { return } @@ -1482,7 +1482,7 @@ func (f *aclFilter) filterTokens(tokens *structs.ACLTokens) { } func (f *aclFilter) filterTokenStub(token **structs.ACLTokenListStub) { - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext if token == nil || *token == nil || f == nil { return } @@ -1507,7 +1507,7 @@ func (f *aclFilter) filterTokenStubs(tokens *[]*structs.ACLTokenListStub) { } func (f *aclFilter) filterPolicy(policy **structs.ACLPolicy) { - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext if policy == nil || *policy == nil || f == nil { return } @@ -1533,7 +1533,7 @@ func (f *aclFilter) filterPolicies(policies *structs.ACLPolicies) { } func (f *aclFilter) filterRole(role **structs.ACLRole) { - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext if role == nil || *role == nil || f == nil { return } @@ -1559,7 +1559,7 @@ func (f *aclFilter) filterRoles(roles *structs.ACLRoles) { } func (f *aclFilter) filterBindingRule(rule **structs.ACLBindingRule) { - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext if rule == nil || *rule == nil || f == nil { return } @@ -1585,7 +1585,7 @@ func (f *aclFilter) filterBindingRules(rules *structs.ACLBindingRules) { } func (f *aclFilter) filterAuthMethod(method **structs.ACLAuthMethod) { - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext if method == nil || *method == nil || f == nil { return } @@ -1734,7 +1734,7 @@ func vetRegisterWithACL(rule acl.Authorizer, subj *structs.RegisterRequest, return nil } - var authzContext acl.EnterpriseAuthorizerContext + var authzContext acl.AuthorizerContext subj.FillAuthzContext(&authzContext) // Vet the node info. This allows service updates to re-post the required @@ -1761,7 +1761,7 @@ func vetRegisterWithACL(rule acl.Authorizer, subj *structs.RegisterRequest, // This is effectively a delete, so we DO NOT apply the // sentinel scope to the service we are overwriting, just // the regular ACL policy. - var secondaryCtx acl.EnterpriseAuthorizerContext + var secondaryCtx acl.AuthorizerContext other.FillAuthzContext(&secondaryCtx) if rule.ServiceWrite(other.Service, &secondaryCtx) != acl.Allow { @@ -1822,7 +1822,7 @@ func vetRegisterWithACL(rule acl.Authorizer, subj *structs.RegisterRequest, // We are only adding a check here, so we don't add the scope, // since the sentinel policy doesn't apply to adding checks at // this time. - var secondaryCtx acl.EnterpriseAuthorizerContext + var secondaryCtx acl.AuthorizerContext other.FillAuthzContext(&secondaryCtx) if rule.ServiceWrite(other.Service, &secondaryCtx) != acl.Allow { @@ -1849,7 +1849,7 @@ func vetDeregisterWithACL(rule acl.Authorizer, subj *structs.DeregisterRequest, // We don't apply sentinel in this path, since at this time sentinel // only applies to create and update operations. - var authzContext acl.EnterpriseAuthorizerContext + var authzContext acl.AuthorizerContext // fill with the defaults for use with the NodeWrite check subj.FillAuthzContext(&authzContext) @@ -1906,7 +1906,7 @@ func vetNodeTxnOp(op *structs.TxnNodeOp, rule acl.Authorizer) error { return nil } - var authzContext acl.EnterpriseAuthorizerContext + var authzContext acl.AuthorizerContext op.FillAuthzContext(&authzContext) if rule != nil && rule.NodeWrite(op.Node.Node, &authzContext) != acl.Allow { @@ -1923,7 +1923,7 @@ func vetServiceTxnOp(op *structs.TxnServiceOp, rule acl.Authorizer) error { return nil } - var authzContext acl.EnterpriseAuthorizerContext + var authzContext acl.AuthorizerContext op.FillAuthzContext(&authzContext) if rule.ServiceWrite(op.Service.Service, &authzContext) != acl.Allow { @@ -1940,7 +1940,7 @@ func vetCheckTxnOp(op *structs.TxnCheckOp, rule acl.Authorizer) error { return nil } - var authzContext acl.EnterpriseAuthorizerContext + var authzContext acl.AuthorizerContext op.FillAuthzContext(&authzContext) if op.Check.ServiceID == "" { diff --git a/agent/consul/acl_endpoint.go b/agent/consul/acl_endpoint.go index 77c76ee9b..efe83783b 100644 --- a/agent/consul/acl_endpoint.go +++ b/agent/consul/acl_endpoint.go @@ -208,7 +208,7 @@ func (a *ACL) TokenRead(args *structs.ACLTokenGetRequest, reply *structs.ACLToke var rule acl.Authorizer if args.TokenIDType == structs.ACLTokenAccessor { - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext args.FillAuthzContext(&entCtx) var err error @@ -277,7 +277,7 @@ func (a *ACL) TokenClone(args *structs.ACLTokenSetRequest, reply *structs.ACLTok defer metrics.MeasureSince([]string{"acl", "token", "clone"}, time.Now()) - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext args.ACLToken.FillAuthzContext(&entCtx) if rule, err := a.srv.ResolveToken(args.Token); err != nil { @@ -348,7 +348,7 @@ func (a *ACL) TokenSet(args *structs.ACLTokenSetRequest, reply *structs.ACLToken defer metrics.MeasureSince([]string{"acl", "token", "upsert"}, time.Now()) // Verify token is permitted to modify ACLs - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext args.ACLToken.FillAuthzContext(&entCtx) if rule, err := a.srv.ResolveToken(args.Token); err != nil { return err @@ -737,7 +737,7 @@ func (a *ACL) TokenDelete(args *structs.ACLTokenDeleteRequest, reply *string) er defer metrics.MeasureSince([]string{"acl", "token", "delete"}, time.Now()) // Verify token is permitted to modify ACLs - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext args.FillAuthzContext(&entCtx) if rule, err := a.srv.ResolveToken(args.Token); err != nil { @@ -826,7 +826,7 @@ func (a *ACL) TokenList(args *structs.ACLTokenListRequest, reply *structs.ACLTok return err } - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext args.FillAuthzContext(&entCtx) rule, err := a.srv.ResolveToken(args.Token) @@ -930,7 +930,7 @@ func (a *ACL) PolicyRead(args *structs.ACLPolicyGetRequest, reply *structs.ACLPo return err } - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext args.FillAuthzContext(&entCtx) if rule, err := a.srv.ResolveToken(args.Token); err != nil { @@ -1002,7 +1002,7 @@ func (a *ACL) PolicySet(args *structs.ACLPolicySetRequest, reply *structs.ACLPol defer metrics.MeasureSince([]string{"acl", "policy", "upsert"}, time.Now()) // Verify token is permitted to modify ACLs - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext args.Policy.FillAuthzContext(&entCtx) if rule, err := a.srv.ResolveToken(args.Token); err != nil { @@ -1138,7 +1138,7 @@ func (a *ACL) PolicyDelete(args *structs.ACLPolicyDeleteRequest, reply *string) defer metrics.MeasureSince([]string{"acl", "policy", "delete"}, time.Now()) // Verify token is permitted to modify ACLs - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext args.FillAuthzContext(&entCtx) if rule, err := a.srv.ResolveToken(args.Token); err != nil { @@ -1195,7 +1195,7 @@ func (a *ACL) PolicyList(args *structs.ACLPolicyListRequest, reply *structs.ACLP return err } - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext args.FillAuthzContext(&entCtx) rule, err := a.srv.ResolveToken(args.Token) @@ -1351,7 +1351,7 @@ func (a *ACL) RoleRead(args *structs.ACLRoleGetRequest, reply *structs.ACLRoleRe return err } - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext args.FillAuthzContext(&entCtx) if rule, err := a.srv.ResolveToken(args.Token); err != nil { @@ -1432,7 +1432,7 @@ func (a *ACL) RoleSet(args *structs.ACLRoleSetRequest, reply *structs.ACLRole) e defer metrics.MeasureSince([]string{"acl", "role", "upsert"}, time.Now()) // Verify token is permitted to modify ACLs - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext args.Role.FillAuthzContext(&entCtx) if rule, err := a.srv.ResolveToken(args.Token); err != nil { @@ -1582,7 +1582,7 @@ func (a *ACL) RoleDelete(args *structs.ACLRoleDeleteRequest, reply *string) erro defer metrics.MeasureSince([]string{"acl", "role", "delete"}, time.Now()) // Verify token is permitted to modify ACLs - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext args.FillAuthzContext(&entCtx) if rule, err := a.srv.ResolveToken(args.Token); err != nil { @@ -1635,7 +1635,7 @@ func (a *ACL) RoleList(args *structs.ACLRoleListRequest, reply *structs.ACLRoleL return err } - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext args.FillAuthzContext(&entCtx) rule, err := a.srv.ResolveToken(args.Token) @@ -1721,7 +1721,7 @@ func (a *ACL) BindingRuleRead(args *structs.ACLBindingRuleGetRequest, reply *str return err } - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext args.FillAuthzContext(&entCtx) rule, err := a.srv.ResolveToken(args.Token) @@ -1763,7 +1763,7 @@ func (a *ACL) BindingRuleSet(args *structs.ACLBindingRuleSetRequest, reply *stru defer metrics.MeasureSince([]string{"acl", "bindingrule", "upsert"}, time.Now()) - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext args.BindingRule.FillAuthzContext(&entCtx) // Verify token is permitted to modify ACLs @@ -1894,7 +1894,7 @@ func (a *ACL) BindingRuleDelete(args *structs.ACLBindingRuleDeleteRequest, reply defer metrics.MeasureSince([]string{"acl", "bindingrule", "delete"}, time.Now()) - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext args.FillAuthzContext(&entCtx) // Verify token is permitted to modify ACLs @@ -1948,7 +1948,7 @@ func (a *ACL) BindingRuleList(args *structs.ACLBindingRuleListRequest, reply *st return err } - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext args.FillAuthzContext(&entCtx) rule, err := a.srv.ResolveToken(args.Token) @@ -1989,7 +1989,7 @@ func (a *ACL) AuthMethodRead(args *structs.ACLAuthMethodGetRequest, reply *struc return err } - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext args.FillAuthzContext(&entCtx) if rule, err := a.srv.ResolveToken(args.Token); err != nil { @@ -2031,7 +2031,7 @@ func (a *ACL) AuthMethodSet(args *structs.ACLAuthMethodSetRequest, reply *struct defer metrics.MeasureSince([]string{"acl", "authmethod", "upsert"}, time.Now()) // Verify token is permitted to modify ACLs - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext args.AuthMethod.FillAuthzContext(&entCtx) if rule, err := a.srv.ResolveToken(args.Token); err != nil { @@ -2119,7 +2119,7 @@ func (a *ACL) AuthMethodDelete(args *structs.ACLAuthMethodDeleteRequest, reply * defer metrics.MeasureSince([]string{"acl", "authmethod", "delete"}, time.Now()) // Verify token is permitted to modify ACLs - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext args.FillAuthzContext(&entCtx) if rule, err := a.srv.ResolveToken(args.Token); err != nil { @@ -2173,7 +2173,7 @@ func (a *ACL) AuthMethodList(args *structs.ACLAuthMethodListRequest, reply *stru return err } - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext args.FillAuthzContext(&entCtx) rule, err := a.srv.ResolveToken(args.Token) diff --git a/agent/consul/catalog_endpoint.go b/agent/consul/catalog_endpoint.go index c0fbae419..9251851cb 100644 --- a/agent/consul/catalog_endpoint.go +++ b/agent/consul/catalog_endpoint.go @@ -59,7 +59,7 @@ func servicePreApply(service *structs.NodeService, rule acl.Authorizer) error { return fmt.Errorf("Invalid service address") } - var authzContext acl.EnterpriseAuthorizerContext + var authzContext acl.AuthorizerContext service.FillAuthzContext(&authzContext) // Apply the ACL policy if any. The 'consul' service is excluded @@ -359,7 +359,7 @@ func (c *Catalog) ServiceNodes(args *structs.ServiceSpecificRequest, reply *stru } } - var authzContext acl.EnterpriseAuthorizerContext + var authzContext acl.AuthorizerContext args.FillAuthzContext(&authzContext) // If we're doing a connect query, we need read access to the service // we're trying to find proxies for, so check that. diff --git a/agent/consul/filter.go b/agent/consul/filter.go index 10e584af5..7b66913ce 100644 --- a/agent/consul/filter.go +++ b/agent/consul/filter.go @@ -14,7 +14,7 @@ func (d *dirEntFilter) Len() int { return len(d.ent) } func (d *dirEntFilter) Filter(i int) bool { - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext d.ent[i].FillAuthzContext(&entCtx) return d.authorizer.KeyRead(d.ent[i].Key, &entCtx) != acl.Allow diff --git a/agent/consul/kvs_endpoint.go b/agent/consul/kvs_endpoint.go index b7900fec0..4ff6fd751 100644 --- a/agent/consul/kvs_endpoint.go +++ b/agent/consul/kvs_endpoint.go @@ -31,7 +31,7 @@ func kvsPreApply(srv *Server, rule acl.Authorizer, op api.KVOp, dirEnt *structs. if rule != nil { switch op { case api.KVDeleteTree: - var authzContext acl.EnterpriseAuthorizerContext + var authzContext acl.AuthorizerContext dirEnt.FillAuthzContext(&authzContext) if rule.KeyWritePrefix(dirEnt.Key, &authzContext) != acl.Allow { @@ -45,7 +45,7 @@ func kvsPreApply(srv *Server, rule acl.Authorizer, op api.KVOp, dirEnt *structs. // These could reveal information based on the outcome // of the transaction, and they operate on individual // keys so we check them here. - var authzContext acl.EnterpriseAuthorizerContext + var authzContext acl.AuthorizerContext dirEnt.FillAuthzContext(&authzContext) if rule.KeyRead(dirEnt.Key, &authzContext) != acl.Allow { @@ -53,7 +53,7 @@ func kvsPreApply(srv *Server, rule acl.Authorizer, op api.KVOp, dirEnt *structs. } default: - var authzContext acl.EnterpriseAuthorizerContext + var authzContext acl.AuthorizerContext dirEnt.FillAuthzContext(&authzContext) if rule.KeyWrite(dirEnt.Key, &authzContext) != acl.Allow { @@ -132,7 +132,7 @@ func (k *KVS) Get(args *structs.KeyRequest, reply *structs.IndexedDirEntries) er return err } - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext args.FillAuthzContext(&entCtx) rule, err := k.srv.ResolveToken(args.Token) @@ -178,7 +178,7 @@ func (k *KVS) List(args *structs.KeyRequest, reply *structs.IndexedDirEntries) e return err } - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext args.FillAuthzContext(&entCtx) rule, err := k.srv.ResolveToken(args.Token) @@ -230,7 +230,7 @@ func (k *KVS) ListKeys(args *structs.KeyListRequest, reply *structs.IndexedKeyLi return err } - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext args.FillAuthzContext(&entCtx) rule, err := k.srv.ResolveToken(args.Token) diff --git a/agent/consul/session_endpoint.go b/agent/consul/session_endpoint.go index fe7489a52..311fc4e21 100644 --- a/agent/consul/session_endpoint.go +++ b/agent/consul/session_endpoint.go @@ -41,7 +41,7 @@ func (s *Session) Apply(args *structs.SessionRequest, reply *string) error { // The entMeta to populate is the one in the Session struct, not SessionRequest // This is because the Session is what is passed to downstream functions like raftApply - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext args.Session.FillAuthzContext(&entCtx) // Fetch the ACL token, if any, and apply the policy. @@ -162,7 +162,7 @@ func (s *Session) Get(args *structs.SessionSpecificRequest, } // TODO (namespaces) TODO (acls) infer args.entmeta if not provided - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext args.FillAuthzContext(&entCtx) rule, err := s.srv.ResolveToken(args.Token) @@ -204,7 +204,7 @@ func (s *Session) List(args *structs.SessionSpecificRequest, } // TODO (namespaces) TODO (acls) infer args.entmeta if not provided - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext args.FillAuthzContext(&entCtx) rule, err := s.srv.ResolveToken(args.Token) @@ -241,7 +241,7 @@ func (s *Session) NodeSessions(args *structs.NodeSpecificRequest, } // TODO (namespaces) TODO (acls) infer args.entmeta if not provided - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext args.FillAuthzContext(&entCtx) rule, err := s.srv.ResolveToken(args.Token) @@ -292,7 +292,7 @@ func (s *Session) Renew(args *structs.SessionSpecificRequest, // TODO (namespaces) (freddy):infer args.entmeta if not provided // Fetch the ACL token, if any, and apply the policy. - var entCtx acl.EnterpriseAuthorizerContext + var entCtx acl.AuthorizerContext args.FillAuthzContext(&entCtx) rule, err := s.srv.ResolveToken(args.Token) diff --git a/agent/structs/acl.go b/agent/structs/acl.go index fe8cb5c14..7dfae6753 100644 --- a/agent/structs/acl.go +++ b/agent/structs/acl.go @@ -1590,7 +1590,7 @@ func (r *RemoteACLAuthorizationRequest) RequestDatacenter() string { func CreateACLAuthorizationResponses(authz acl.Authorizer, requests []ACLAuthorizationRequest) ([]ACLAuthorizationResponse, error) { responses := make([]ACLAuthorizationResponse, len(requests)) - var ctx acl.EnterpriseAuthorizerContext + var ctx acl.AuthorizerContext for idx, req := range requests { req.FillAuthzContext(&ctx) diff --git a/agent/structs/structs_oss.go b/agent/structs/structs_oss.go index c28c90375..2524c3e63 100644 --- a/agent/structs/structs_oss.go +++ b/agent/structs/structs_oss.go @@ -49,28 +49,28 @@ func WildcardEnterpriseMeta() *EnterpriseMeta { } // FillAuthzContext stub -func (_ *EnterpriseMeta) FillAuthzContext(_ *acl.EnterpriseAuthorizerContext) {} +func (_ *EnterpriseMeta) FillAuthzContext(_ *acl.AuthorizerContext) {} func (_ *EnterpriseMeta) Normalize() {} // FillAuthzContext stub -func (_ *DirEntry) FillAuthzContext(_ *acl.EnterpriseAuthorizerContext) {} +func (_ *DirEntry) FillAuthzContext(_ *acl.AuthorizerContext) {} // FillAuthzContext stub -func (_ *RegisterRequest) FillAuthzContext(_ *acl.EnterpriseAuthorizerContext) {} +func (_ *RegisterRequest) FillAuthzContext(_ *acl.AuthorizerContext) {} func (_ *RegisterRequest) GetEnterpriseMeta() *EnterpriseMeta { return nil } // OSS Stub -func (op *TxnNodeOp) FillAuthzContext(ctx *acl.EnterpriseAuthorizerContext) {} +func (op *TxnNodeOp) FillAuthzContext(ctx *acl.AuthorizerContext) {} // OSS Stub -func (_ *TxnServiceOp) FillAuthzContext(_ *acl.EnterpriseAuthorizerContext) {} +func (_ *TxnServiceOp) FillAuthzContext(_ *acl.AuthorizerContext) {} // OSS Stub -func (_ *TxnCheckOp) FillAuthzContext(_ *acl.EnterpriseAuthorizerContext) {} +func (_ *TxnCheckOp) FillAuthzContext(_ *acl.AuthorizerContext) {} func ServiceIDString(id string, _ *EnterpriseMeta) string { return id