From 0a4ff4bb913797bfee6f9b4f852cf610625ca644 Mon Sep 17 00:00:00 2001
From: freddygv
Date: Tue, 26 Oct 2021 19:21:31 -0600
Subject: [PATCH] Prefer concrete policyAuthorizer type

There will only ever be policyAuthorizers embedded in namespaceAuthorizers, this commit swaps out the interface in favor of the concrete type.

---
 acl/authorizer.go | 3 ---
 acl/authorizer_test.go | 5 -----
 acl/chained_authorizer.go | 6 ------
 acl/chained_authorizer_test.go | 3 ---
 acl/policy_authorizer.go | 6 +++---
 acl/static_authorizer.go | 7 -------
 6 files changed, 3 insertions(+), 27 deletions(-)

diff --git a/acl/authorizer.go b/acl/authorizer.go
index 427eb1a162..43d50544bf 100644
--- a/acl/authorizer.go
+++ b/acl/authorizer.go
@@ -149,9 +149,6 @@ type Authorizer interface {
 	// service
 	ServiceWrite(string, *AuthorizerContext) EnforcementDecision
 
-	// ServiceWriteAny checks for permission to read any service
-	ServiceWriteAny(*AuthorizerContext) EnforcementDecision
-
 	// SessionRead checks for permission to read sessions for a given node.
 	SessionRead(string, *AuthorizerContext) EnforcementDecision
 
diff --git a/acl/authorizer_test.go b/acl/authorizer_test.go
index 7d32a78bf7..d74029f239 100644
--- a/acl/authorizer_test.go
+++ b/acl/authorizer_test.go
@@ -185,11 +185,6 @@ func (m *mockAuthorizer) ServiceWrite(segment string, ctx *AuthorizerContext) En
 	return ret.Get(0).(EnforcementDecision)
 }
 
-func (m *mockAuthorizer) ServiceWriteAny(ctx *AuthorizerContext) EnforcementDecision {
-	ret := m.Called(ctx)
-	return ret.Get(0).(EnforcementDecision)
-}
-
 // SessionRead checks for permission to read sessions for a given node.
 func (m *mockAuthorizer) SessionRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
 	ret := m.Called(segment, ctx)
diff --git a/acl/chained_authorizer.go b/acl/chained_authorizer.go
index 33a05f9f1e..1b3aed4978 100644
--- a/acl/chained_authorizer.go
+++ b/acl/chained_authorizer.go
@@ -235,12 +235,6 @@ func (c *ChainedAuthorizer) ServiceWrite(name string, entCtx *AuthorizerContext)
 	})
 }
 
-func (c *ChainedAuthorizer) ServiceWriteAny(entCtx *AuthorizerContext) EnforcementDecision {
-	return c.executeChain(func(authz Authorizer) EnforcementDecision {
-		return authz.ServiceWriteAny(entCtx)
-	})
-}
-
 // SessionRead checks for permission to read sessions for a given node.
 func (c *ChainedAuthorizer) SessionRead(node string, entCtx *AuthorizerContext) EnforcementDecision {
 	return c.executeChain(func(authz Authorizer) EnforcementDecision {
diff --git a/acl/chained_authorizer_test.go b/acl/chained_authorizer_test.go
index ac4880ba09..7a1aba2396 100644
--- a/acl/chained_authorizer_test.go
+++ b/acl/chained_authorizer_test.go
@@ -89,9 +89,6 @@ func (authz testAuthorizer) ServiceReadAll(*AuthorizerContext) EnforcementDecisi
 func (authz testAuthorizer) ServiceWrite(string, *AuthorizerContext) EnforcementDecision {
 	return EnforcementDecision(authz)
 }
-func (authz testAuthorizer) ServiceWriteAny(*AuthorizerContext) EnforcementDecision {
-	return EnforcementDecision(authz)
-}
 func (authz testAuthorizer) SessionRead(string, *AuthorizerContext) EnforcementDecision {
 	return EnforcementDecision(authz)
 }
diff --git a/acl/policy_authorizer.go b/acl/policy_authorizer.go
index 0e9496bf78..f5ef33e23b 100644
--- a/acl/policy_authorizer.go
+++ b/acl/policy_authorizer.go
@@ -325,13 +325,13 @@ func (p *policyAuthorizer) loadRules(policy *PolicyRules) error {
 	return nil
 }
 
-func newPolicyAuthorizer(policies []*Policy, ent *Config) (Authorizer, error) {
+func newPolicyAuthorizer(policies []*Policy, ent *Config) (*policyAuthorizer, error) {
 	policy := MergePolicies(policies)
 	return newPolicyAuthorizerFromRules(&policy.PolicyRules, ent)
 }
 
-func newPolicyAuthorizerFromRules(rules *PolicyRules, ent *Config) (Authorizer, error) {
+func newPolicyAuthorizerFromRules(rules *PolicyRules, ent *Config) (*policyAuthorizer, error) {
 	p := &policyAuthorizer{
 		agentRules: radix.New(),
 		intentionRules: radix.New(),
@@ -767,7 +767,7 @@ func (p *policyAuthorizer) ServiceWrite(name string, _ *AuthorizerContext) Enfor
 	return Default
 }
 
-func (p *policyAuthorizer) ServiceWriteAny(_ *AuthorizerContext) EnforcementDecision {
+func (p *policyAuthorizer) serviceWriteAny(_ *AuthorizerContext) EnforcementDecision {
 	return p.anyAllowed(p.serviceRules, AccessWrite)
 }
 
diff --git a/acl/static_authorizer.go b/acl/static_authorizer.go
index 2837b8f0ac..f257d6b68a 100644
--- a/acl/static_authorizer.go
+++ b/acl/static_authorizer.go
@@ -219,13 +219,6 @@ func (s *staticAuthorizer) ServiceWrite(string, *AuthorizerContext) EnforcementD
 	return Deny
 }
 
-func (s *staticAuthorizer) ServiceWriteAny(*AuthorizerContext) EnforcementDecision {
-	if s.defaultAllow {
-		return Allow
-	}
-	return Deny
-}
-
 func (s *staticAuthorizer) SessionRead(string, *AuthorizerContext) EnforcementDecision {
 	if s.defaultAllow {
 		return Allow
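Review bot: Narrowing the return type of newPolicyAuthorizer and newPolicyAuthorizerFromRules to `*policyAuthorizer` introduces the typed-nil hazard on the failure path: if the error branches return a nil pointer (their bodies continue outside this hunk, so I cannot confirm it here) and a caller stores the result in an `Authorizer`-typed variable before checking `err`, that variable is a non-nil interface wrapping nil and the first enforcement call panics instead of the construction failing closed. Worth confirming that every caller — the commit message points at namespaceAuthorizer, which is not in this patch — checks `err` before the pointer is widened to `Authorizer` or embedded. If the nil-on-error behaviour holds, I would state it on newPolicyAuthorizerFromRules: `// On a non-nil error the returned *policyAuthorizer is nil; check err before storing or widening it to Authorizer.`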
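Review bot: serviceWriteAny is now reachable only on the concrete type, and since this same commit deletes the ServiceWriteAny implementations from ChainedAuthorizer and staticAuthorizer, a caller gets a decision computed from this one policy's service rules alone (`p.anyAllowed(p.serviceRules, AccessWrite)`) rather than folded across the chain. That is presumably intended for the namespaceAuthorizer embedding described in the commit message, but nothing on the method says so, and the interface comment removed in acl/authorizer.go described the check as "read any service". I would add above the method: `// serviceWriteAny reports whether any service rule in this policy grants write access. It is not part of Authorizer and is not consulted by ChainedAuthorizer.`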