Simplify the merging of two policies

Brian Kassouf 2017-02-16 16:30:08 -08:00
parent 7229bdfd38
commit 07799f665d
2 changed files with 9 additions and 37 deletions


@ -81,47 +81,17 @@ func NewACL(policies []*Policy) (*ACL, error) {
pc.Permissions.AllowedParameters = make(map[string][]interface{}, len(existingPerms.AllowedParameters))
}
// If this policy allows everything skip to checking denied
if _, ok := pc.Permissions.AllowedParameters["*"]; ok {
goto CHECK_DENIED
}
// If the exising policy allows everything set this policy to
// allow everything and skip to check denied
if _, ok = existingPerms.AllowedParameters["*"]; ok {
pc.Permissions.AllowedParameters = map[string][]interface{}{
"*": []interface{}{},
}
goto CHECK_DENIED
}
// Merge the two maps, appending values on key conflict.
for key, value := range existingPerms.AllowedParameters {
pc.Permissions.AllowedParameters[key] = append(value, pc.Permissions.AllowedParameters[key]...)
}
}
CHECK_DENIED:
if len(existingPerms.DeniedParameters) > 0 {
if pc.Permissions.DeniedParameters == nil {
pc.Permissions.DeniedParameters = make(map[string][]interface{}, len(existingPerms.DeniedParameters))
}
// If this policy denies everything go to insert
if _, ok := pc.Permissions.DeniedParameters["*"]; ok {
goto INSERT
}
// If exising policy denies everything set this policy to
// deny everything and go to insert
if _, ok = existingPerms.DeniedParameters["*"]; ok {
pc.Permissions.DeniedParameters = map[string][]interface{}{
"*": []interface{}{},
}
goto INSERT
}
// Merge the two maps, appending values on key conflict.
for key, value := range existingPerms.DeniedParameters {
pc.Permissions.DeniedParameters[key] = append(value, pc.Permissions.DeniedParameters[key]...)
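Review bot: The two merge loops, which appear to be the only merge path left after this change, write their result back into `pc.Permissions` and build it with `append(value, ...)` on the slice taken from `existingPerms`, so the merge mutates objects NewACL was handed instead of a private copy. If the policies or the stored permissions are reused across NewACL calls (not visible here), parameters merged for one ACL could carry over into a later one, and an append into spare capacity can overwrite elements that another slice still shares. Consider merging into freshly allocated maps, and at minimum cap the source slice: `pc.Permissions.AllowedParameters[key] = append(value[:len(value):len(value)], pc.Permissions.AllowedParameters[key]...)`, with the same change for `DeniedParameters`. NewACL starts and ends outside this hunk, so how `pc` and `existingPerms` are obtained needs confirming against the full function.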


@ -233,10 +233,10 @@ func TestACL_PolicyMerge(t *testing.T) {
tcases := []tcase{
{"foo/bar", nil, map[string][]interface{}{"zip": []interface{}{}, "baz": []interface{}{}}},
{"hello/universe", map[string][]interface{}{"foo": []interface{}{}, "bar": []interface{}{}}, nil},
{"allow/all", map[string][]interface{}{"*": []interface{}{}}, nil},
{"allow/all1", map[string][]interface{}{"*": []interface{}{}}, nil},
{"deny/all", nil, map[string][]interface{}{"*": []interface{}{}}},
{"deny/all1", nil, map[string][]interface{}{"*": []interface{}{}}},
{"allow/all", map[string][]interface{}{"*": []interface{}{}, "test": []interface{}{}, "test1": []interface{}{"foo"}}, nil},
{"allow/all1", map[string][]interface{}{"*": []interface{}{}, "test": []interface{}{}, "test1": []interface{}{"foo"}}, nil},
{"deny/all", nil, map[string][]interface{}{"*": []interface{}{}, "test": []interface{}{}}},
{"deny/all1", nil, map[string][]interface{}{"*": []interface{}{}, "test": []interface{}{}}},
{"value/merge", map[string][]interface{}{"test": []interface{}{1, 2, 3, 4}}, map[string][]interface{}{"test": []interface{}{1, 2, 3, 4}}},
}
@ -284,7 +284,7 @@ func TestACL_AllowOperation(t *testing.T) {
{"broken/phone", []string{"steve"}, false},
{"hello/world", []string{"one"}, false},
{"tree/fort", []string{"one"}, true},
{"tree/fort", []string{"beer"}, false},
{"tree/fort", []string{"foo"}, false},
{"fruit/apple", []string{"pear"}, false},
{"fruit/apple", []string{"one"}, false},
{"cold/weather", []string{"four"}, true},
@ -466,6 +466,7 @@ path "allow/all" {
policy = "write"
allowed_parameters = {
"test" = []
"test1" = ["foo"]
}
}
path "allow/all" {
@ -484,12 +485,13 @@ path "allow/all1" {
policy = "write"
allowed_parameters = {
"test" = []
"test1" = ["foo"]
}
}
path "deny/all" {
policy = "write"
denied_parameters = {
"frank" = []
"test" = []
}
}
path "deny/all" {
@ -579,7 +581,7 @@ path "tree/fort" {
"*" = []
}
denied_parameters = {
"beer" = []
"foo" = []
}
}
path "fruit/apple" {
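Review bot: The new expectations in TestACL_PolicyMerge pin only the shape of the merged maps, where `"*"` now sits beside `"test"` and `"test1" = ["foo"]`; none of the visible rows checks what a request is then permitted to do. With the wildcard short-circuit apparently removed from the merge, precedence between `"*"` and a named key is decided entirely at enforcement time, so it deserves cases of its own. A path whose merged `denied_parameters` holds `"*"` plus a named key should still reject an unlisted parameter, and the allow side should state whether `"test1"` stays limited to `foo` once `"*"` is present. The `tree/fort` rows in TestACL_AllowOperation cover allow-all with one denied key, but not these merged paths; whether that test loads the same fixtures is not visible here.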