vault: Special case root policy

2015-03-24 11:27:21 -07:00 · 2015-03-24 11:27:21 -07:00 · 43a99aec93
parent cb563b881c
commit 43a99aec93
2 changed files with 38 additions and 0 deletions
--- a/vault/policy_store.go
+++ b/vault/policy_store.go
@ -67,6 +67,13 @@ func (ps *PolicyStore) SetPolicy(p *Policy) error {
 // GetPolicy is used to fetch the named policy
 func (ps *PolicyStore) GetPolicy(name string) (*Policy, error) {
 	// TODO: Cache policy
+
+	// Special case the root policy
+	if name == "root" {
+		p := &Policy{Name: "root"}
+		return p, nil
+	}
+
 	// Load the policy in
 	out, err := ps.view.Get(name)
 	if err != nil {
@ -93,6 +100,9 @@ func (ps *PolicyStore) ListPolicies() ([]string, error) {

 // DeletePolicy is used to delete the named policy
 func (ps *PolicyStore) DeletePolicy(name string) error {
+	if name == "root" {
+		return fmt.Errorf("cannot delete root policy")
+	}
 	if err := ps.view.Delete(name); err != nil {
 		return fmt.Errorf("failed to delete policy: %v", err)
 	}
--- a/vault/policy_store_test.go
+++ b/vault/policy_store_test.go
@ -12,6 +12,34 @@ func mockPolicyStore(t *testing.T) *PolicyStore {
 	return p
 }

+func TestPolicyStore_Root(t *testing.T) {
+	ps := mockPolicyStore(t)
+
+	// Get should return a special policy
+	p, err := ps.GetPolicy("root")
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if p == nil {
+		t.Fatalf("bad: %v", p)
+	}
+	if p.Name != "root" {
+		t.Fatalf("bad: %v", p)
+	}
+
+	// Set should fail
+	err = ps.SetPolicy(p)
+	if err.Error() != "cannot update root policy" {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Delete should fail
+	err = ps.DeletePolicy("root")
+	if err.Error() != "cannot delete root policy" {
+		t.Fatalf("err: %v", err)
+	}
+}
+
 func TestPolicyStore_CRUD(t *testing.T) {
 	ps := mockPolicyStore(t)