nomad: adding policy subset check

2017-08-21 17:45:11 -07:00 · 2017-08-21 17:45:11 -07:00 · 387a8a923b
parent f31cd6a618
commit 387a8a923b
2 changed files with 43 additions and 0 deletions
--- a/nomad/structs/structs.go
+++ b/nomad/structs/structs.go
@ -5512,6 +5512,24 @@ func (a *ACLToken) Validate() error {
 	return mErr.ErrorOrNil()
 }

+// PolicySubset checks if a given set of policies is a subset of the token
+func (a *ACLToken) PolicySubset(policies []string) bool {
+	// Hot-path the management tokens, superset of all policies.
+	if a.Type == ACLManagementToken {
+		return true
+	}
+	associatedPolicies := make(map[string]struct{}, len(a.Policies))
+	for _, policy := range a.Policies {
+		associatedPolicies[policy] = struct{}{}
+	}
+	for _, policy := range policies {
+		if _, ok := associatedPolicies[policy]; !ok {
+			return false
+		}
+	}
+	return true
+}
+
 // ACLTokenListRequest is used to request a list of tokens
 type ACLTokenListRequest struct {
 	GlobalOnly bool
--- a/nomad/structs/structs_test.go
+++ b/nomad/structs/structs_test.go
@ -2307,3 +2307,28 @@ func TestACLTokenValidate(t *testing.T) {
 	err = tk.Validate()
 	assert.Nil(t, err)
 }
+
+func TestACLTokenPolicySubset(t *testing.T) {
+	tk := &ACLToken{
+		Type:     ACLClientToken,
+		Policies: []string{"foo", "bar", "baz"},
+	}
+
+	assert.Equal(t, true, tk.PolicySubset([]string{"foo", "bar", "baz"}))
+	assert.Equal(t, true, tk.PolicySubset([]string{"foo", "bar"}))
+	assert.Equal(t, true, tk.PolicySubset([]string{"foo"}))
+	assert.Equal(t, true, tk.PolicySubset([]string{}))
+	assert.Equal(t, false, tk.PolicySubset([]string{"foo", "bar", "new"}))
+	assert.Equal(t, false, tk.PolicySubset([]string{"new"}))
+
+	tk = &ACLToken{
+		Type: ACLManagementToken,
+	}
+
+	assert.Equal(t, true, tk.PolicySubset([]string{"foo", "bar", "baz"}))
+	assert.Equal(t, true, tk.PolicySubset([]string{"foo", "bar"}))
+	assert.Equal(t, true, tk.PolicySubset([]string{"foo"}))
+	assert.Equal(t, true, tk.PolicySubset([]string{}))
+	assert.Equal(t, true, tk.PolicySubset([]string{"foo", "bar", "new"}))
+	assert.Equal(t, true, tk.PolicySubset([]string{"new"}))
+}