Miscellaneous acl package cleanup
• Renamed EnterpriseACLConfig to just Config • Removed chained_authorizer_oss.go as it was empty • Renamed acl.go to errors.go to more closely describe its contents
parent
0b346616e9
commit
80d13d500b
|
@ -2,7 +2,7 @@
|
|||
|
||||
package acl
|
||||
|
||||
// EnterpriseACLConfig stub
|
||||
type EnterpriseACLConfig struct{}
|
||||
// Config stub
|
||||
type Config struct{}
|
||||
|
||||
func (_ *EnterpriseACLConfig) Close() {}
|
||||
func (_ *Config) Close() {}
|
||||
|
|
|
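Review bot: With the type shortened to `Config`, the doc comment `// Config stub` in this hunk no longer tells a reader that this is the OSS stand-in for the Enterprise ACL configuration, which the old name carried on its own. Suggest `// Config is the OSS stand-in for Consul Enterprise specific ACL configuration; it carries no settings and Close is a no-op.` The OSS qualification is inferred from the commit description and the `// +build !consulent` tag on the file this commit deletes, as this file's own build tag is not in the hunk.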
@ -145,7 +145,7 @@ type Authorizer interface {
|
|||
Snapshot(*AuthorizerContext) EnforcementDecision
|
||||
|
||||
// Embedded Interface for Consul Enterprise specific ACL enforcement
|
||||
EnterpriseAuthorizer
|
||||
enterpriseAuthorizer
|
||||
}
|
||||
|
||||
func Enforce(authz Authorizer, rsc Resource, segment string, access string, ctx *AuthorizerContext) (EnforcementDecision, error) {
|
||||
|
@ -234,7 +234,7 @@ func Enforce(authz Authorizer, rsc Resource, segment string, access string, ctx
|
|||
return authz.SessionWrite(segment, ctx), nil
|
||||
}
|
||||
default:
|
||||
if processed, decision, err := EnforceEnterprise(authz, rsc, segment, lowerAccess, ctx); processed {
|
||||
if processed, decision, err := enforceEnterprise(authz, rsc, segment, lowerAccess, ctx); processed {
|
||||
return decision, err
|
||||
}
|
||||
return Deny, fmt.Errorf("Invalid ACL resource requested: %q", rsc)
|
||||
|
|
|
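Review bot: Embedding the now-unexported `enterpriseAuthorizer` in the exported `Authorizer` interface (first hunk) seals the interface whenever the enterprise build declares methods on it: no type outside package acl can satisfy `Authorizer` any more, which is a sound fail-closed property for an authorization interface but also breaks out-of-package mocks. In the OSS stub elsewhere in this commit it is an empty interface, so the effect only shows on the enterprise build; the comment above the embed should say so: `// enterpriseAuthorizer is unexported so that Authorizer can only be implemented inside this package (Consul Enterprise specific ACL enforcement).` The same visibility change applies to `enforceEnterprise` in the second hunk, and the `Authorizer` interface declaration starts outside the first hunk.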
@ -5,9 +5,9 @@ package acl
|
|||
// AuthorizerContext stub
|
||||
type AuthorizerContext struct{}
|
||||
|
||||
// EnterpriseAuthorizer stub interface
|
||||
type EnterpriseAuthorizer interface{}
|
||||
// enterpriseAuthorizer stub interface
|
||||
type enterpriseAuthorizer interface{}
|
||||
|
||||
func EnforceEnterprise(_ Authorizer, _ Resource, _ string, _ string, _ *AuthorizerContext) (bool, EnforcementDecision, error) {
|
||||
func enforceEnterprise(_ Authorizer, _ Resource, _ string, _ string, _ *AuthorizerContext) (bool, EnforcementDecision, error) {
|
||||
return false, Deny, nil
|
||||
}
|
||||
|
|
|
@ -1,3 +0,0 @@
|
|||
// +build !consulent
|
||||
|
||||
package acl
|
|
@ -161,7 +161,7 @@ func isPolicyValid(policy string, allowList bool) bool {
|
|||
return true
|
||||
}
|
||||
|
||||
func (pr *PolicyRules) Validate(conf *EnterpriseACLConfig) error {
|
||||
func (pr *PolicyRules) Validate(conf *Config) error {
|
||||
// Validate the acl policy - this one is allowed to be empty
|
||||
if pr.ACL != "" && !isPolicyValid(pr.ACL, false) {
|
||||
return fmt.Errorf("Invalid acl policy: %#v", pr.ACL)
|
||||
|
@ -288,7 +288,7 @@ func (pr *PolicyRules) Validate(conf *EnterpriseACLConfig) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func parseCurrent(rules string, conf *EnterpriseACLConfig, meta *EnterprisePolicyMeta) (*Policy, error) {
|
||||
func parseCurrent(rules string, conf *Config, meta *EnterprisePolicyMeta) (*Policy, error) {
|
||||
p, err := decodeRules(rules, conf, meta)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
@ -305,7 +305,7 @@ func parseCurrent(rules string, conf *EnterpriseACLConfig, meta *EnterprisePolic
|
|||
return p, nil
|
||||
}
|
||||
|
||||
func parseLegacy(rules string, conf *EnterpriseACLConfig) (*Policy, error) {
|
||||
func parseLegacy(rules string, conf *Config) (*Policy, error) {
|
||||
p := &Policy{}
|
||||
|
||||
type LegacyPolicy struct {
|
||||
|
@ -422,7 +422,7 @@ func parseLegacy(rules string, conf *EnterpriseACLConfig) (*Policy, error) {
|
|||
// NewPolicyFromSource is used to parse the specified ACL rules into an
|
||||
// intermediary set of policies, before being compiled into
|
||||
// the ACL
|
||||
func NewPolicyFromSource(id string, revision uint64, rules string, syntax SyntaxVersion, conf *EnterpriseACLConfig, meta *EnterprisePolicyMeta) (*Policy, error) {
|
||||
func NewPolicyFromSource(id string, revision uint64, rules string, syntax SyntaxVersion, conf *Config, meta *EnterprisePolicyMeta) (*Policy, error) {
|
||||
if rules == "" {
|
||||
// Hot path for empty source
|
||||
return &Policy{ID: id, Revision: revision}, nil
|
||||
|
|
|
@ -313,13 +313,13 @@ func (p *policyAuthorizer) loadRules(policy *PolicyRules) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func newPolicyAuthorizer(policies []*Policy, ent *EnterpriseACLConfig) (Authorizer, error) {
|
||||
func newPolicyAuthorizer(policies []*Policy, ent *Config) (Authorizer, error) {
|
||||
policy := MergePolicies(policies)
|
||||
|
||||
return newPolicyAuthorizerFromRules(&policy.PolicyRules, ent)
|
||||
}
|
||||
|
||||
func newPolicyAuthorizerFromRules(rules *PolicyRules, ent *EnterpriseACLConfig) (Authorizer, error) {
|
||||
func newPolicyAuthorizerFromRules(rules *PolicyRules, ent *Config) (Authorizer, error) {
|
||||
p := &policyAuthorizer{
|
||||
agentRules: radix.New(),
|
||||
intentionRules: radix.New(),
|
||||
|
|
|
@ -5,7 +5,7 @@ package acl
|
|||
// enterprisePolicyAuthorizer stub
|
||||
type enterprisePolicyAuthorizer struct{}
|
||||
|
||||
func (authz *enterprisePolicyAuthorizer) init(*EnterpriseACLConfig) {
|
||||
func (authz *enterprisePolicyAuthorizer) init(*Config) {
|
||||
// nothing to do
|
||||
}
|
||||
|
||||
|
@ -14,13 +14,13 @@ func (authz *enterprisePolicyAuthorizer) enforce(_ *EnterpriseRule, _ *Authorize
|
|||
}
|
||||
|
||||
// NewPolicyAuthorizer merges the policies and returns an Authorizer that will enforce them
|
||||
func NewPolicyAuthorizer(policies []*Policy, entConfig *EnterpriseACLConfig) (Authorizer, error) {
|
||||
func NewPolicyAuthorizer(policies []*Policy, entConfig *Config) (Authorizer, error) {
|
||||
return newPolicyAuthorizer(policies, entConfig)
|
||||
}
|
||||
|
||||
// NewPolicyAuthorizerWithDefaults will actually created a ChainedAuthorizer with
|
||||
// the policies compiled into one Authorizer and the backup policy of the defaultAuthz
|
||||
func NewPolicyAuthorizerWithDefaults(defaultAuthz Authorizer, policies []*Policy, entConfig *EnterpriseACLConfig) (Authorizer, error) {
|
||||
func NewPolicyAuthorizerWithDefaults(defaultAuthz Authorizer, policies []*Policy, entConfig *Config) (Authorizer, error) {
|
||||
authz, err := newPolicyAuthorizer(policies, entConfig)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
|
|
@ -14,7 +14,7 @@ type EnterprisePolicyMeta struct{}
|
|||
// EnterpriseRule stub
|
||||
type EnterpriseRule struct{}
|
||||
|
||||
func (r *EnterpriseRule) Validate(string, *EnterpriseACLConfig) error {
|
||||
func (r *EnterpriseRule) Validate(string, *Config) error {
|
||||
// nothing to validate
|
||||
return nil
|
||||
}
|
||||
|
@ -22,12 +22,12 @@ func (r *EnterpriseRule) Validate(string, *EnterpriseACLConfig) error {
|
|||
// EnterprisePolicyRules stub
|
||||
type EnterprisePolicyRules struct{}
|
||||
|
||||
func (r *EnterprisePolicyRules) Validate(*EnterpriseACLConfig) error {
|
||||
func (r *EnterprisePolicyRules) Validate(*Config) error {
|
||||
// nothing to validate
|
||||
return nil
|
||||
}
|
||||
|
||||
func decodeRules(rules string, _ *EnterpriseACLConfig, _ *EnterprisePolicyMeta) (*Policy, error) {
|
||||
func decodeRules(rules string, _ *Config, _ *EnterprisePolicyMeta) (*Policy, error) {
|
||||
p := &Policy{}
|
||||
|
||||
if err := hcl.Decode(p, rules); err != nil {
|
||||
|
|
|
@ -3,13 +3,13 @@ package acl
|
|||
var (
|
||||
// allowAll is a singleton policy which allows all
|
||||
// non-management actions
|
||||
allowAll Authorizer = &StaticAuthorizer{
|
||||
allowAll Authorizer = &staticAuthorizer{
|
||||
allowManage: false,
|
||||
defaultAllow: true,
|
||||
}
|
||||
|
||||
// denyAll is a singleton policy which denies all actions
|
||||
denyAll Authorizer = &StaticAuthorizer{
|
||||
denyAll Authorizer = &staticAuthorizer{
|
||||
allowManage: false,
|
||||
defaultAllow: false,
|
||||
}
|
||||
|
@ -18,7 +18,7 @@ var (
|
|||
// actions, including management
|
||||
// TODO (acls) - Do we need to keep this around? Our config parsing doesn't allow
|
||||
// specifying a default "manage" policy so I believe nothing will every use this.
|
||||
manageAll Authorizer = &StaticAuthorizer{
|
||||
manageAll Authorizer = &staticAuthorizer{
|
||||
allowManage: true,
|
||||
defaultAllow: true,
|
||||
}
|
||||
|
@ -27,187 +27,187 @@ var (
|
|||
// StaticAuthorizer is used to implement a base ACL policy. It either
|
||||
// allows or denies all requests. This can be used as a parent
|
||||
// ACL to act in a blacklist or whitelist mode.
|
||||
type StaticAuthorizer struct {
|
||||
type staticAuthorizer struct {
|
||||
allowManage bool
|
||||
defaultAllow bool
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) ACLRead(*AuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) ACLRead(*AuthorizerContext) EnforcementDecision {
|
||||
if s.allowManage {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) ACLWrite(*AuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) ACLWrite(*AuthorizerContext) EnforcementDecision {
|
||||
if s.allowManage {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) AgentRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) AgentRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) AgentWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) AgentWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) EventRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) EventRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) EventWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) EventWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) IntentionDefaultAllow(*AuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) IntentionDefaultAllow(*AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) IntentionRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) IntentionRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) IntentionWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) IntentionWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) KeyRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) KeyRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) KeyList(string, *AuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) KeyList(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) KeyWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) KeyWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) KeyWritePrefix(string, *AuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) KeyWritePrefix(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) KeyringRead(*AuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) KeyringRead(*AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) KeyringWrite(*AuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) KeyringWrite(*AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) NodeRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) NodeRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) NodeWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) NodeWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) OperatorRead(*AuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) OperatorRead(*AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) OperatorWrite(*AuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) OperatorWrite(*AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) PreparedQueryRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) PreparedQueryRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) PreparedQueryWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) PreparedQueryWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) ServiceRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) ServiceRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) ServiceWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) ServiceWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) SessionRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) SessionRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) SessionWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) SessionWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) Snapshot(_ *AuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) Snapshot(_ *AuthorizerContext) EnforcementDecision {
|
||||
if s.allowManage {
|
||||
return Allow
|
||||
}
|
||||
|
|
|
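Review bot: The doc comment at the top of the third hunk still reads `// StaticAuthorizer is used to implement a base ACL policy. It either`, while the type below it is now `staticAuthorizer`; it should start with the new name so godoc and linters keep it attached: `// staticAuthorizer is used to implement a base ACL policy. It either`. As a point of style, the twenty-six renamed methods remain identical gates on `s.defaultAllow` or `s.allowManage` with `Deny` as the fallthrough; folding that into one helper such as `func (s *staticAuthorizer) decide(allowed bool) EnforcementDecision { if allowed { return Allow }; return Deny }` would keep the fail-closed default in a single place. The `Snapshot` method at the end of the hunk continues outside it.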
@ -223,7 +223,7 @@ func TestACL_RootAuthorizersDenied(t *testing.T) {
|
|||
require.True(t, acl.IsErrRootDenied(err))
|
||||
}
|
||||
|
||||
func authzFromPolicy(policy *acl.Policy, cfg *acl.EnterpriseACLConfig) (acl.Authorizer, error) {
|
||||
func authzFromPolicy(policy *acl.Policy, cfg *acl.Config) (acl.Authorizer, error) {
|
||||
return acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, cfg)
|
||||
}
|
||||
|
||||
|
|
|
@ -130,7 +130,7 @@ type ACLResolverConfig struct {
|
|||
AutoDisable bool
|
||||
|
||||
// EnterpriseACLConfig contains Consul Enterprise specific ACL configuration
|
||||
EnterpriseConfig *acl.EnterpriseACLConfig
|
||||
EnterpriseConfig *acl.Config
|
||||
}
|
||||
|
||||
// ACLResolver is the type to handle all your token and policy resolution needs.
|
||||
|
@ -163,7 +163,7 @@ type ACLResolver struct {
|
|||
logger *log.Logger
|
||||
|
||||
delegate ACLResolverDelegate
|
||||
entConf *acl.EnterpriseACLConfig
|
||||
entConf *acl.Config
|
||||
|
||||
cache *structs.ACLCaches
|
||||
identityGroup singleflight.Group
|
||||
|
|
|
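Review bot: The field comment at the top of the first hunk still says `// EnterpriseACLConfig contains Consul Enterprise specific ACL configuration`, but the field is named `EnterpriseConfig` and its type is now `*acl.Config`, so the comment refers to an identifier that no longer exists anywhere after this commit. Change it to `// EnterpriseConfig contains the Consul Enterprise specific ACL configuration (acl.Config).` The `ACLResolverConfig` struct begins outside the hunk.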
@ -16,7 +16,7 @@ func (s *Server) replicationEnterpriseMeta() *structs.EnterpriseMeta {
|
|||
return structs.ReplicationEnterpriseMeta()
|
||||
}
|
||||
|
||||
func newEnterpriseACLConfig(*log.Logger) *acl.EnterpriseACLConfig {
|
||||
func newEnterpriseACLConfig(*log.Logger) *acl.Config {
|
||||
return nil
|
||||
}
|
||||
|
||||
|
|
|
@ -110,7 +110,7 @@ var (
|
|||
type Server struct {
|
||||
// enterpriseACLConfig is the Consul Enterprise specific items
|
||||
// necessary for ACLs
|
||||
enterpriseACLConfig *acl.EnterpriseACLConfig
|
||||
enterpriseACLConfig *acl.Config
|
||||
|
||||
// acls is used to resolve tokens to effective policies
|
||||
acls *ACLResolver
|
||||
|
|
|
@ -696,7 +696,7 @@ func (policies ACLPolicyListStubs) Sort() {
|
|||
})
|
||||
}
|
||||
|
||||
func (policies ACLPolicies) resolveWithCache(cache *ACLCaches, entConf *acl.EnterpriseACLConfig) ([]*acl.Policy, error) {
|
||||
func (policies ACLPolicies) resolveWithCache(cache *ACLCaches, entConf *acl.Config) ([]*acl.Policy, error) {
|
||||
// Parse the policies
|
||||
parsed := make([]*acl.Policy, 0, len(policies))
|
||||
for _, policy := range policies {
|
||||
|
@ -721,7 +721,7 @@ func (policies ACLPolicies) resolveWithCache(cache *ACLCaches, entConf *acl.Ente
|
|||
return parsed, nil
|
||||
}
|
||||
|
||||
func (policies ACLPolicies) Compile(cache *ACLCaches, entConf *acl.EnterpriseACLConfig) (acl.Authorizer, error) {
|
||||
func (policies ACLPolicies) Compile(cache *ACLCaches, entConf *acl.Config) (acl.Authorizer, error) {
|
||||
// Determine the cache key
|
||||
cacheKey := policies.HashKey()
|
||||
entry := cache.GetAuthorizer(cacheKey)
|
||||
|
@ -746,7 +746,7 @@ func (policies ACLPolicies) Compile(cache *ACLCaches, entConf *acl.EnterpriseACL
|
|||
return authorizer, nil
|
||||
}
|
||||
|
||||
func (policies ACLPolicies) Merge(cache *ACLCaches, entConf *acl.EnterpriseACLConfig) (*acl.Policy, error) {
|
||||
func (policies ACLPolicies) Merge(cache *ACLCaches, entConf *acl.Config) (*acl.Policy, error) {
|
||||
parsed, err := policies.resolveWithCache(cache, entConf)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
|