consul/acl/acl.go

package acl

import (
	"github.com/armon/go-radix"
)

var (
	// allowAll is a singleton policy which allows all
	// non-management actions
	allowAll ACL

	// denyAll is a singleton policy which denies all actions
	denyAll ACL

	// manageAll is a singleton policy which allows all
	// actions, including management
	manageAll ACL
)

func init() {
	// Setup the singletons
	allowAll = &StaticACL{
		allowManage:  false,
		defaultAllow: true,
	}
	denyAll = &StaticACL{
		allowManage:  false,
		defaultAllow: false,
	}
	manageAll = &StaticACL{
		allowManage:  true,
		defaultAllow: true,
	}
}

// ACL is the interface for policy enforcement.
type ACL interface {
	// KeyRead checks for permission to read a given key
	KeyRead(string) bool

	// KeyWrite checks for permission to write a given key
	KeyWrite(string) bool

	// KeyWritePrefix checks for permission to write to an
	// entire key prefix. This means there must be no sub-policies
	// that deny a write.
	KeyWritePrefix(string) bool

	// ACLList checks for permission to list all the ACLs
	ACLList() bool

	// ACLModify checks for permission to manipulate ACLs
	ACLModify() bool
}

// StaticACL is used to implement a base ACL policy. It either
// allows or denies all requests. This can be used as a parent
// ACL to act in a blacklist or whitelist mode.
type StaticACL struct {
	allowManage  bool
	defaultAllow bool
}

func (s *StaticACL) KeyRead(string) bool {
	return s.defaultAllow
}

func (s *StaticACL) KeyWrite(string) bool {
	return s.defaultAllow
}

func (s *StaticACL) KeyWritePrefix(string) bool {
	return s.defaultAllow
}

func (s *StaticACL) ACLList() bool {
	return s.allowManage
}

func (s *StaticACL) ACLModify() bool {
	return s.allowManage
}

// AllowAll returns an ACL rule that allows all operations
func AllowAll() ACL {
	return allowAll
}

// DenyAll returns an ACL rule that denies all operations
func DenyAll() ACL {
	return denyAll
}

// ManageAll returns an ACL rule that can manage all resources
func ManageAll() ACL {
	return manageAll
}

// RootACL returns a possible ACL if the ID matches a root policy
func RootACL(id string) ACL {
	switch id {
	case "allow":
		return allowAll
	case "deny":
		return denyAll
	case "manage":
		return manageAll
	default:
		return nil
	}
}

// PolicyACL is used to wrap a set of ACL policies to provide
// the ACL interface.
type PolicyACL struct {
	// parent is used to resolve policy if we have
	// no matching rule.
	parent ACL

	// keyRules contains the key policies
	keyRules *radix.Tree
}

// New is used to construct a policy based ACL from a set of policies
// and a parent policy to resolve missing cases.
func New(parent ACL, policy *Policy) (*PolicyACL, error) {
	p := &PolicyACL{
		parent:   parent,
		keyRules: radix.New(),
	}

	// Load the key policy
	for _, kp := range policy.Keys {
		p.keyRules.Insert(kp.Prefix, kp.Policy)
	}
	return p, nil
}

// KeyRead returns if a key is allowed to be read
func (p *PolicyACL) KeyRead(key string) bool {
	// Look for a matching rule
	_, rule, ok := p.keyRules.LongestPrefix(key)
	if ok {
		switch rule.(string) {
		case KeyPolicyRead:
			return true
		case KeyPolicyWrite:
			return true
		default:
			return false
		}
	}

	// No matching rule, use the parent.
	return p.parent.KeyRead(key)
}

// KeyWrite returns if a key is allowed to be written
func (p *PolicyACL) KeyWrite(key string) bool {
	// Look for a matching rule
	_, rule, ok := p.keyRules.LongestPrefix(key)
	if ok {
		switch rule.(string) {
		case KeyPolicyWrite:
			return true
		default:
			return false
		}
	}

	// No matching rule, use the parent.
	return p.parent.KeyWrite(key)
}

// KeyWritePrefix returns if a prefix is allowed to be written
func (p *PolicyACL) KeyWritePrefix(prefix string) bool {
	// Look for a matching rule that denies
	_, rule, ok := p.keyRules.LongestPrefix(prefix)
	if ok && rule.(string) != KeyPolicyWrite {
		return false
	}

	// Look if any of our children have a deny policy
	deny := false
	p.keyRules.WalkPrefix(prefix, func(path string, rule interface{}) bool {
		// We have a rule to prevent a write in a sub-directory!
		if rule.(string) != KeyPolicyWrite {
			deny = true
			return true
		}
		return false
	})

	// Deny the write if any sub-rules may be violated
	if deny {
		return false
	}

	// If we had a matching rule, done
	if ok {
		return true
	}

	// No matching rule, use the parent.
	return p.parent.KeyWritePrefix(prefix)
}

// ACLList checks if listing of ACLs is allowed
func (p *PolicyACL) ACLList() bool {
	return p.parent.ACLList()
}

// ACLModify checks if modification of ACLs is allowed
func (p *PolicyACL) ACLModify() bool {
	return p.parent.ACLModify()
}
acl: First pass 10 years ago			`package acl`

			`import (`
			`"github.com/armon/go-radix"`
			`)`

			`var (`
acl: Support ACL checks, adding new root policy 10 years ago			`// allowAll is a singleton policy which allows all`
			`// non-management actions`
acl: First pass 10 years ago			`allowAll ACL`

			`// denyAll is a singleton policy which denies all actions`
			`denyAll ACL`
acl: Support ACL checks, adding new root policy 10 years ago
			`// manageAll is a singleton policy which allows all`
			`// actions, including management`
			`manageAll ACL`
acl: First pass 10 years ago			`)`

			`func init() {`
			`// Setup the singletons`
acl: Support ACL checks, adding new root policy 10 years ago			`allowAll = &StaticACL{`
			`allowManage: false,`
			`defaultAllow: true,`
			`}`
			`denyAll = &StaticACL{`
			`allowManage: false,`
			`defaultAllow: false,`
			`}`
			`manageAll = &StaticACL{`
			`allowManage: true,`
			`defaultAllow: true,`
			`}`
acl: First pass 10 years ago			`}`

			`// ACL is the interface for policy enforcement.`
			`type ACL interface {`
acl: Support checking write permissions on a prefix 10 years ago			`// KeyRead checks for permission to read a given key`
acl: First pass 10 years ago			`KeyRead(string) bool`
acl: Support checking write permissions on a prefix 10 years ago
			`// KeyWrite checks for permission to write a given key`
acl: First pass 10 years ago			`KeyWrite(string) bool`
acl: Support checking write permissions on a prefix 10 years ago
			`// KeyWritePrefix checks for permission to write to an`
			`// entire key prefix. This means there must be no sub-policies`
			`// that deny a write.`
			`KeyWritePrefix(string) bool`

			`// ACLList checks for permission to list all the ACLs`
acl: Support ACL checks, adding new root policy 10 years ago			`ACLList() bool`
acl: Support checking write permissions on a prefix 10 years ago
			`// ACLModify checks for permission to manipulate ACLs`
acl: Support ACL checks, adding new root policy 10 years ago			`ACLModify() bool`
acl: First pass 10 years ago			`}`

			`// StaticACL is used to implement a base ACL policy. It either`
			`// allows or denies all requests. This can be used as a parent`
			`// ACL to act in a blacklist or whitelist mode.`
			`type StaticACL struct {`
acl: Support ACL checks, adding new root policy 10 years ago			`allowManage bool`
acl: First pass 10 years ago			`defaultAllow bool`
			`}`

			`func (s *StaticACL) KeyRead(string) bool {`
			`return s.defaultAllow`
			`}`

			`func (s *StaticACL) KeyWrite(string) bool {`
			`return s.defaultAllow`
			`}`

acl: Support checking write permissions on a prefix 10 years ago			`func (s *StaticACL) KeyWritePrefix(string) bool {`
			`return s.defaultAllow`
			`}`

acl: Support ACL checks, adding new root policy 10 years ago			`func (s *StaticACL) ACLList() bool {`
			`return s.allowManage`
			`}`

			`func (s *StaticACL) ACLModify() bool {`
			`return s.allowManage`
			`}`

acl: First pass 10 years ago			`// AllowAll returns an ACL rule that allows all operations`
			`func AllowAll() ACL {`
			`return allowAll`
			`}`

			`// DenyAll returns an ACL rule that denies all operations`
			`func DenyAll() ACL {`
			`return denyAll`
			`}`

acl: Support ACL checks, adding new root policy 10 years ago			`// ManageAll returns an ACL rule that can manage all resources`
			`func ManageAll() ACL {`
			`return manageAll`
			`}`

acl: Simplify parent ACL, adding root policies 10 years ago			`// RootACL returns a possible ACL if the ID matches a root policy`
			`func RootACL(id string) ACL {`
			`switch id {`
			`case "allow":`
			`return allowAll`
			`case "deny":`
			`return denyAll`
acl: Support ACL checks, adding new root policy 10 years ago			`case "manage":`
			`return manageAll`
acl: Simplify parent ACL, adding root policies 10 years ago			`default:`
			`return nil`
			`}`
			`}`

acl: First pass 10 years ago			`// PolicyACL is used to wrap a set of ACL policies to provide`
			`// the ACL interface.`
			`type PolicyACL struct {`
			`// parent is used to resolve policy if we have`
			`// no matching rule.`
			`parent ACL`

acl: Use only a single Radix tree per ACL 10 years ago			`// keyRules contains the key policies`
			`keyRules *radix.Tree`
acl: First pass 10 years ago			`}`

			`// New is used to construct a policy based ACL from a set of policies`
			`// and a parent policy to resolve missing cases.`
			`func New(parent ACL, policy Policy) (PolicyACL, error) {`
			`p := &PolicyACL{`
			`parent: parent,`
acl: Use only a single Radix tree per ACL 10 years ago			`keyRules: radix.New(),`
acl: First pass 10 years ago			`}`

			`// Load the key policy`
			`for _, kp := range policy.Keys {`
acl: Use only a single Radix tree per ACL 10 years ago			`p.keyRules.Insert(kp.Prefix, kp.Policy)`
acl: First pass 10 years ago			`}`
			`return p, nil`
			`}`

			`// KeyRead returns if a key is allowed to be read`
			`func (p *PolicyACL) KeyRead(key string) bool {`
			`// Look for a matching rule`
acl: Use only a single Radix tree per ACL 10 years ago			`_, rule, ok := p.keyRules.LongestPrefix(key)`
acl: First pass 10 years ago			`if ok {`
acl: Use only a single Radix tree per ACL 10 years ago			`switch rule.(string) {`
			`case KeyPolicyRead:`
			`return true`
			`case KeyPolicyWrite:`
			`return true`
			`default:`
			`return false`
			`}`
acl: First pass 10 years ago			`}`

			`// No matching rule, use the parent.`
			`return p.parent.KeyRead(key)`
			`}`

			`// KeyWrite returns if a key is allowed to be written`
			`func (p *PolicyACL) KeyWrite(key string) bool {`
			`// Look for a matching rule`
acl: Use only a single Radix tree per ACL 10 years ago			`_, rule, ok := p.keyRules.LongestPrefix(key)`
acl: First pass 10 years ago			`if ok {`
acl: Use only a single Radix tree per ACL 10 years ago			`switch rule.(string) {`
			`case KeyPolicyWrite:`
			`return true`
			`default:`
			`return false`
			`}`
acl: First pass 10 years ago			`}`

			`// No matching rule, use the parent.`
			`return p.parent.KeyWrite(key)`
			`}`
acl: Support ACL checks, adding new root policy 10 years ago
acl: Support checking write permissions on a prefix 10 years ago			`// KeyWritePrefix returns if a prefix is allowed to be written`
			`func (p *PolicyACL) KeyWritePrefix(prefix string) bool {`
			`// Look for a matching rule that denies`
			`_, rule, ok := p.keyRules.LongestPrefix(prefix)`
			`if ok && rule.(string) != KeyPolicyWrite {`
			`return false`
			`}`

			`// Look if any of our children have a deny policy`
			`deny := false`
			`p.keyRules.WalkPrefix(prefix, func(path string, rule interface{}) bool {`
			`// We have a rule to prevent a write in a sub-directory!`
			`if rule.(string) != KeyPolicyWrite {`
			`deny = true`
			`return true`
			`}`
			`return false`
			`})`

			`// Deny the write if any sub-rules may be violated`
			`if deny {`
			`return false`
			`}`

			`// If we had a matching rule, done`
			`if ok {`
			`return true`
			`}`

			`// No matching rule, use the parent.`
			`return p.parent.KeyWritePrefix(prefix)`
			`}`

acl: Support ACL checks, adding new root policy 10 years ago			`// ACLList checks if listing of ACLs is allowed`
			`func (p *PolicyACL) ACLList() bool {`
acl: Avoid infinite recursion... 10 years ago			`return p.parent.ACLList()`
acl: Support ACL checks, adding new root policy 10 years ago			`}`

			`// ACLModify checks if modification of ACLs is allowed`
			`func (p *PolicyACL) ACLModify() bool {`
acl: Avoid infinite recursion... 10 years ago			`return p.parent.ACLModify()`
acl: Support ACL checks, adding new root policy 10 years ago			`}`