github
/
consul
mirror of https://github.com/hashicorp/consul
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Miscellaneous acl package cleanup 

• Renamed EnterpriseACLConfig to just Config
• Removed chained_authorizer_oss.go as it was empty
• Renamed acl.go to errors.go to more closely describe its contents
pull/6968/head
Matt Keeler 2019-12-18 13:44:32 -05:00
parent 0b346616e9
commit 80d13d500b
No known key found for this signature in database
GPG Key ID: 04DBAE1857E0081B
15 changed files with 58 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
acl/acl_oss.go
View File

@ -2,7 +2,7 @@
package acl package acl
// EnterpriseACLConfig stub // Config stub
type EnterpriseACLConfig struct{} type Config struct{}
func (_ *EnterpriseACLConfig) Close() {} func (_ *Config) Close() {}

4
acl/authorizer.go
View File

@ -145,7 +145,7 @@ type Authorizer interface {
Snapshot(*AuthorizerContext) EnforcementDecision Snapshot(*AuthorizerContext) EnforcementDecision
// Embedded Interface for Consul Enterprise specific ACL enforcement // Embedded Interface for Consul Enterprise specific ACL enforcement
EnterpriseAuthorizer enterpriseAuthorizer
} }
func Enforce(authz Authorizer, rsc Resource, segment string, access string, ctx *AuthorizerContext) (EnforcementDecision, error) { func Enforce(authz Authorizer, rsc Resource, segment string, access string, ctx *AuthorizerContext) (EnforcementDecision, error) {
@ -234,7 +234,7 @@ func Enforce(authz Authorizer, rsc Resource, segment string, access string, ctx
return authz.SessionWrite(segment, ctx), nil return authz.SessionWrite(segment, ctx), nil
} }
default: default:
if processed, decision, err := EnforceEnterprise(authz, rsc, segment, lowerAccess, ctx); processed { if processed, decision, err := enforceEnterprise(authz, rsc, segment, lowerAccess, ctx); processed {
return decision, err return decision, err
} }
return Deny, fmt.Errorf("Invalid ACL resource requested: %q", rsc) return Deny, fmt.Errorf("Invalid ACL resource requested: %q", rsc)

6
acl/authorizer_oss.go
View File

@ -5,9 +5,9 @@ package acl
// AuthorizerContext stub // AuthorizerContext stub
type AuthorizerContext struct{} type AuthorizerContext struct{}
// EnterpriseAuthorizer stub interface // enterpriseAuthorizer stub interface
type EnterpriseAuthorizer interface{} type enterpriseAuthorizer interface{}
func EnforceEnterprise(_ Authorizer, _ Resource, _ string, _ string, _ *AuthorizerContext) (bool, EnforcementDecision, error) { func enforceEnterprise(_ Authorizer, _ Resource, _ string, _ string, _ *AuthorizerContext) (bool, EnforcementDecision, error) {
return false, Deny, nil return false, Deny, nil
} }

3
acl/chained_authorizer_oss.go
View File

@ -1,3 +0,0 @@
// +build !consulent
package acl

0
acl/acl.go → acl/errors.go
View File

8
acl/policy.go
View File

@ -161,7 +161,7 @@ func isPolicyValid(policy string, allowList bool) bool {
return true return true
} }
func (pr *PolicyRules) Validate(conf *EnterpriseACLConfig) error { func (pr *PolicyRules) Validate(conf *Config) error {
// Validate the acl policy - this one is allowed to be empty // Validate the acl policy - this one is allowed to be empty
if pr.ACL != "" && !isPolicyValid(pr.ACL, false) { if pr.ACL != "" && !isPolicyValid(pr.ACL, false) {
return fmt.Errorf("Invalid acl policy: %#v", pr.ACL) return fmt.Errorf("Invalid acl policy: %#v", pr.ACL)
@ -288,7 +288,7 @@ func (pr *PolicyRules) Validate(conf *EnterpriseACLConfig) error {
return nil return nil
} }
func parseCurrent(rules string, conf *EnterpriseACLConfig, meta *EnterprisePolicyMeta) (*Policy, error) { func parseCurrent(rules string, conf *Config, meta *EnterprisePolicyMeta) (*Policy, error) {
p, err := decodeRules(rules, conf, meta) p, err := decodeRules(rules, conf, meta)
if err != nil { if err != nil {
return nil, err return nil, err
@ -305,7 +305,7 @@ func parseCurrent(rules string, conf *EnterpriseACLConfig, meta *EnterprisePolic
return p, nil return p, nil
} }
func parseLegacy(rules string, conf *EnterpriseACLConfig) (*Policy, error) { func parseLegacy(rules string, conf *Config) (*Policy, error) {
p := &Policy{} p := &Policy{}
type LegacyPolicy struct { type LegacyPolicy struct {
@ -422,7 +422,7 @@ func parseLegacy(rules string, conf *EnterpriseACLConfig) (*Policy, error) {
// NewPolicyFromSource is used to parse the specified ACL rules into an // NewPolicyFromSource is used to parse the specified ACL rules into an
// intermediary set of policies, before being compiled into // intermediary set of policies, before being compiled into
// the ACL // the ACL
func NewPolicyFromSource(id string, revision uint64, rules string, syntax SyntaxVersion, conf *EnterpriseACLConfig, meta *EnterprisePolicyMeta) (*Policy, error) { func NewPolicyFromSource(id string, revision uint64, rules string, syntax SyntaxVersion, conf *Config, meta *EnterprisePolicyMeta) (*Policy, error) {
if rules == "" { if rules == "" {
// Hot path for empty source // Hot path for empty source
return &Policy{ID: id, Revision: revision}, nil return &Policy{ID: id, Revision: revision}, nil

4
acl/policy_authorizer.go
View File

@ -313,13 +313,13 @@ func (p *policyAuthorizer) loadRules(policy *PolicyRules) error {
return nil return nil
} }
func newPolicyAuthorizer(policies []*Policy, ent *EnterpriseACLConfig) (Authorizer, error) { func newPolicyAuthorizer(policies []*Policy, ent *Config) (Authorizer, error) {
policy := MergePolicies(policies) policy := MergePolicies(policies)
return newPolicyAuthorizerFromRules(&policy.PolicyRules, ent) return newPolicyAuthorizerFromRules(&policy.PolicyRules, ent)
} }
func newPolicyAuthorizerFromRules(rules *PolicyRules, ent *EnterpriseACLConfig) (Authorizer, error) { func newPolicyAuthorizerFromRules(rules *PolicyRules, ent *Config) (Authorizer, error) {
p := &policyAuthorizer{ p := &policyAuthorizer{
agentRules: radix.New(), agentRules: radix.New(),
intentionRules: radix.New(), intentionRules: radix.New(),

6
acl/policy_authorizer_oss.go
View File

@ -5,7 +5,7 @@ package acl
// enterprisePolicyAuthorizer stub // enterprisePolicyAuthorizer stub
type enterprisePolicyAuthorizer struct{} type enterprisePolicyAuthorizer struct{}
func (authz *enterprisePolicyAuthorizer) init(*EnterpriseACLConfig) { func (authz *enterprisePolicyAuthorizer) init(*Config) {
// nothing to do // nothing to do
} }
@ -14,13 +14,13 @@ func (authz *enterprisePolicyAuthorizer) enforce(_ *EnterpriseRule, _ *Authorize
} }
// NewPolicyAuthorizer merges the policies and returns an Authorizer that will enforce them // NewPolicyAuthorizer merges the policies and returns an Authorizer that will enforce them
func NewPolicyAuthorizer(policies []*Policy, entConfig *EnterpriseACLConfig) (Authorizer, error) { func NewPolicyAuthorizer(policies []*Policy, entConfig *Config) (Authorizer, error) {
return newPolicyAuthorizer(policies, entConfig) return newPolicyAuthorizer(policies, entConfig)
} }
// NewPolicyAuthorizerWithDefaults will actually created a ChainedAuthorizer with // NewPolicyAuthorizerWithDefaults will actually created a ChainedAuthorizer with
// the policies compiled into one Authorizer and the backup policy of the defaultAuthz // the policies compiled into one Authorizer and the backup policy of the defaultAuthz
func NewPolicyAuthorizerWithDefaults(defaultAuthz Authorizer, policies []*Policy, entConfig *EnterpriseACLConfig) (Authorizer, error) { func NewPolicyAuthorizerWithDefaults(defaultAuthz Authorizer, policies []*Policy, entConfig *Config) (Authorizer, error) {
authz, err := newPolicyAuthorizer(policies, entConfig) authz, err := newPolicyAuthorizer(policies, entConfig)
if err != nil { if err != nil {
return nil, err return nil, err

6
acl/policy_oss.go
View File

@ -14,7 +14,7 @@ type EnterprisePolicyMeta struct{}
// EnterpriseRule stub // EnterpriseRule stub
type EnterpriseRule struct{} type EnterpriseRule struct{}
func (r *EnterpriseRule) Validate(string, *EnterpriseACLConfig) error { func (r *EnterpriseRule) Validate(string, *Config) error {
// nothing to validate // nothing to validate
return nil return nil
} }
@ -22,12 +22,12 @@ func (r *EnterpriseRule) Validate(string, *EnterpriseACLConfig) error {
// EnterprisePolicyRules stub // EnterprisePolicyRules stub
type EnterprisePolicyRules struct{} type EnterprisePolicyRules struct{}
func (r *EnterprisePolicyRules) Validate(*EnterpriseACLConfig) error { func (r *EnterprisePolicyRules) Validate(*Config) error {
// nothing to validate // nothing to validate
return nil return nil
} }
func decodeRules(rules string, _ *EnterpriseACLConfig, _ *EnterprisePolicyMeta) (*Policy, error) { func decodeRules(rules string, _ *Config, _ *EnterprisePolicyMeta) (*Policy, error) {
p := &Policy{} p := &Policy{}
if err := hcl.Decode(p, rules); err != nil { if err := hcl.Decode(p, rules); err != nil {

60
acl/static_authorizer.go
View File

@ -3,13 +3,13 @@ package acl
var ( var (
// allowAll is a singleton policy which allows all // allowAll is a singleton policy which allows all
// non-management actions // non-management actions
allowAll Authorizer = &StaticAuthorizer{ allowAll Authorizer = &staticAuthorizer{
allowManage: false, allowManage: false,
defaultAllow: true, defaultAllow: true,
} }
// denyAll is a singleton policy which denies all actions // denyAll is a singleton policy which denies all actions
denyAll Authorizer = &StaticAuthorizer{ denyAll Authorizer = &staticAuthorizer{
allowManage: false, allowManage: false,
defaultAllow: false, defaultAllow: false,
} }
@ -18,7 +18,7 @@ var (
// actions, including management // actions, including management
// TODO (acls) - Do we need to keep this around? Our config parsing doesn't allow // TODO (acls) - Do we need to keep this around? Our config parsing doesn't allow
// specifying a default "manage" policy so I believe nothing will every use this. // specifying a default "manage" policy so I believe nothing will every use this.
manageAll Authorizer = &StaticAuthorizer{ manageAll Authorizer = &staticAuthorizer{
allowManage: true, allowManage: true,
defaultAllow: true, defaultAllow: true,
} }
@ -27,187 +27,187 @@ var (
// StaticAuthorizer is used to implement a base ACL policy. It either // StaticAuthorizer is used to implement a base ACL policy. It either
// allows or denies all requests. This can be used as a parent // allows or denies all requests. This can be used as a parent
// ACL to act in a blacklist or whitelist mode. // ACL to act in a blacklist or whitelist mode.
type StaticAuthorizer struct { type staticAuthorizer struct {
allowManage bool allowManage bool
defaultAllow bool defaultAllow bool
} }
func (s *StaticAuthorizer) ACLRead(*AuthorizerContext) EnforcementDecision { func (s *staticAuthorizer) ACLRead(*AuthorizerContext) EnforcementDecision {
if s.allowManage { if s.allowManage {
return Allow return Allow
} }
return Deny return Deny
} }
func (s *StaticAuthorizer) ACLWrite(*AuthorizerContext) EnforcementDecision { func (s *staticAuthorizer) ACLWrite(*AuthorizerContext) EnforcementDecision {
if s.allowManage { if s.allowManage {
return Allow return Allow
} }
return Deny return Deny
} }
func (s *StaticAuthorizer) AgentRead(string, *AuthorizerContext) EnforcementDecision { func (s *staticAuthorizer) AgentRead(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { if s.defaultAllow {
return Allow return Allow
} }
return Deny return Deny
} }
func (s *StaticAuthorizer) AgentWrite(string, *AuthorizerContext) EnforcementDecision { func (s *staticAuthorizer) AgentWrite(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { if s.defaultAllow {
return Allow return Allow
} }
return Deny return Deny
} }
func (s *StaticAuthorizer) EventRead(string, *AuthorizerContext) EnforcementDecision { func (s *staticAuthorizer) EventRead(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { if s.defaultAllow {
return Allow return Allow
} }
return Deny return Deny
} }
func (s *StaticAuthorizer) EventWrite(string, *AuthorizerContext) EnforcementDecision { func (s *staticAuthorizer) EventWrite(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { if s.defaultAllow {
return Allow return Allow
} }
return Deny return Deny
} }
func (s *StaticAuthorizer) IntentionDefaultAllow(*AuthorizerContext) EnforcementDecision { func (s *staticAuthorizer) IntentionDefaultAllow(*AuthorizerContext) EnforcementDecision {
if s.defaultAllow { if s.defaultAllow {
return Allow return Allow
} }
return Deny return Deny
} }
func (s *StaticAuthorizer) IntentionRead(string, *AuthorizerContext) EnforcementDecision { func (s *staticAuthorizer) IntentionRead(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { if s.defaultAllow {
return Allow return Allow
} }
return Deny return Deny
} }
func (s *StaticAuthorizer) IntentionWrite(string, *AuthorizerContext) EnforcementDecision { func (s *staticAuthorizer) IntentionWrite(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { if s.defaultAllow {
return Allow return Allow
} }
return Deny return Deny
} }
func (s *StaticAuthorizer) KeyRead(string, *AuthorizerContext) EnforcementDecision { func (s *staticAuthorizer) KeyRead(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { if s.defaultAllow {
return Allow return Allow
} }
return Deny return Deny
} }
func (s *StaticAuthorizer) KeyList(string, *AuthorizerContext) EnforcementDecision { func (s *staticAuthorizer) KeyList(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { if s.defaultAllow {
return Allow return Allow
} }
return Deny return Deny
} }
func (s *StaticAuthorizer) KeyWrite(string, *AuthorizerContext) EnforcementDecision { func (s *staticAuthorizer) KeyWrite(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { if s.defaultAllow {
return Allow return Allow
} }
return Deny return Deny
} }
func (s *StaticAuthorizer) KeyWritePrefix(string, *AuthorizerContext) EnforcementDecision { func (s *staticAuthorizer) KeyWritePrefix(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { if s.defaultAllow {
return Allow return Allow
} }
return Deny return Deny
} }
func (s *StaticAuthorizer) KeyringRead(*AuthorizerContext) EnforcementDecision { func (s *staticAuthorizer) KeyringRead(*AuthorizerContext) EnforcementDecision {
if s.defaultAllow { if s.defaultAllow {
return Allow return Allow
} }
return Deny return Deny
} }
func (s *StaticAuthorizer) KeyringWrite(*AuthorizerContext) EnforcementDecision { func (s *staticAuthorizer) KeyringWrite(*AuthorizerContext) EnforcementDecision {
if s.defaultAllow { if s.defaultAllow {
return Allow return Allow
} }
return Deny return Deny
} }
func (s *StaticAuthorizer) NodeRead(string, *AuthorizerContext) EnforcementDecision { func (s *staticAuthorizer) NodeRead(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { if s.defaultAllow {
return Allow return Allow
} }
return Deny return Deny
} }
func (s *StaticAuthorizer) NodeWrite(string, *AuthorizerContext) EnforcementDecision { func (s *staticAuthorizer) NodeWrite(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { if s.defaultAllow {
return Allow return Allow
} }
return Deny return Deny
} }
func (s *StaticAuthorizer) OperatorRead(*AuthorizerContext) EnforcementDecision { func (s *staticAuthorizer) OperatorRead(*AuthorizerContext) EnforcementDecision {
if s.defaultAllow { if s.defaultAllow {
return Allow return Allow
} }
return Deny return Deny
} }
func (s *StaticAuthorizer) OperatorWrite(*AuthorizerContext) EnforcementDecision { func (s *staticAuthorizer) OperatorWrite(*AuthorizerContext) EnforcementDecision {
if s.defaultAllow { if s.defaultAllow {
return Allow return Allow
} }
return Deny return Deny
} }
func (s *StaticAuthorizer) PreparedQueryRead(string, *AuthorizerContext) EnforcementDecision { func (s *staticAuthorizer) PreparedQueryRead(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { if s.defaultAllow {
return Allow return Allow
} }
return Deny return Deny
} }
func (s *StaticAuthorizer) PreparedQueryWrite(string, *AuthorizerContext) EnforcementDecision { func (s *staticAuthorizer) PreparedQueryWrite(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { if s.defaultAllow {
return Allow return Allow
} }
return Deny return Deny
} }
func (s *StaticAuthorizer) ServiceRead(string, *AuthorizerContext) EnforcementDecision { func (s *staticAuthorizer) ServiceRead(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { if s.defaultAllow {
return Allow return Allow
} }
return Deny return Deny
} }
func (s *StaticAuthorizer) ServiceWrite(string, *AuthorizerContext) EnforcementDecision { func (s *staticAuthorizer) ServiceWrite(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { if s.defaultAllow {
return Allow return Allow
} }
return Deny return Deny
} }
func (s *StaticAuthorizer) SessionRead(string, *AuthorizerContext) EnforcementDecision { func (s *staticAuthorizer) SessionRead(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { if s.defaultAllow {
return Allow return Allow
} }
return Deny return Deny
} }
func (s *StaticAuthorizer) SessionWrite(string, *AuthorizerContext) EnforcementDecision { func (s *staticAuthorizer) SessionWrite(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { if s.defaultAllow {
return Allow return Allow
} }
return Deny return Deny
} }
func (s *StaticAuthorizer) Snapshot(_ *AuthorizerContext) EnforcementDecision { func (s *staticAuthorizer) Snapshot(_ *AuthorizerContext) EnforcementDecision {
if s.allowManage { if s.allowManage {
return Allow return Allow
} }

2
agent/acl_test.go
View File

@ -223,7 +223,7 @@ func TestACL_RootAuthorizersDenied(t *testing.T) {
require.True(t, acl.IsErrRootDenied(err)) require.True(t, acl.IsErrRootDenied(err))
} }
func authzFromPolicy(policy *acl.Policy, cfg *acl.EnterpriseACLConfig) (acl.Authorizer, error) { func authzFromPolicy(policy *acl.Policy, cfg *acl.Config) (acl.Authorizer, error) {
return acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, cfg) return acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, cfg)
} }

4
agent/consul/acl.go
View File

@ -130,7 +130,7 @@ type ACLResolverConfig struct {
AutoDisable bool AutoDisable bool
// EnterpriseACLConfig contains Consul Enterprise specific ACL configuration // EnterpriseACLConfig contains Consul Enterprise specific ACL configuration
EnterpriseConfig *acl.EnterpriseACLConfig EnterpriseConfig *acl.Config
} }
// ACLResolver is the type to handle all your token and policy resolution needs. // ACLResolver is the type to handle all your token and policy resolution needs.
@ -163,7 +163,7 @@ type ACLResolver struct {
logger *log.Logger logger *log.Logger
delegate ACLResolverDelegate delegate ACLResolverDelegate
entConf *acl.EnterpriseACLConfig entConf *acl.Config
cache *structs.ACLCaches cache *structs.ACLCaches
identityGroup singleflight.Group identityGroup singleflight.Group

2
agent/consul/acl_oss.go
View File

@ -16,7 +16,7 @@ func (s *Server) replicationEnterpriseMeta() *structs.EnterpriseMeta {
return structs.ReplicationEnterpriseMeta() return structs.ReplicationEnterpriseMeta()
} }
func newEnterpriseACLConfig(*log.Logger) *acl.EnterpriseACLConfig { func newEnterpriseACLConfig(*log.Logger) *acl.Config {
return nil return nil
} }

2
agent/consul/server.go
View File

@ -110,7 +110,7 @@ var (
type Server struct { type Server struct {
// enterpriseACLConfig is the Consul Enterprise specific items // enterpriseACLConfig is the Consul Enterprise specific items
// necessary for ACLs // necessary for ACLs
enterpriseACLConfig *acl.EnterpriseACLConfig enterpriseACLConfig *acl.Config
// acls is used to resolve tokens to effective policies // acls is used to resolve tokens to effective policies
acls *ACLResolver acls *ACLResolver

6
agent/structs/acl.go
View File

@ -696,7 +696,7 @@ func (policies ACLPolicyListStubs) Sort() {
}) })
} }
func (policies ACLPolicies) resolveWithCache(cache *ACLCaches, entConf *acl.EnterpriseACLConfig) ([]*acl.Policy, error) { func (policies ACLPolicies) resolveWithCache(cache *ACLCaches, entConf *acl.Config) ([]*acl.Policy, error) {
// Parse the policies // Parse the policies
parsed := make([]*acl.Policy, 0, len(policies)) parsed := make([]*acl.Policy, 0, len(policies))
for _, policy := range policies { for _, policy := range policies {
@ -721,7 +721,7 @@ func (policies ACLPolicies) resolveWithCache(cache *ACLCaches, entConf *acl.Ente
return parsed, nil return parsed, nil
} }
func (policies ACLPolicies) Compile(cache *ACLCaches, entConf *acl.EnterpriseACLConfig) (acl.Authorizer, error) { func (policies ACLPolicies) Compile(cache *ACLCaches, entConf *acl.Config) (acl.Authorizer, error) {
// Determine the cache key // Determine the cache key
cacheKey := policies.HashKey() cacheKey := policies.HashKey()
entry := cache.GetAuthorizer(cacheKey) entry := cache.GetAuthorizer(cacheKey)
@ -746,7 +746,7 @@ func (policies ACLPolicies) Compile(cache *ACLCaches, entConf *acl.EnterpriseACL
return authorizer, nil return authorizer, nil
} }
func (policies ACLPolicies) Merge(cache *ACLCaches, entConf *acl.EnterpriseACLConfig) (*acl.Policy, error) { func (policies ACLPolicies) Merge(cache *ACLCaches, entConf *acl.Config) (*acl.Policy, error) {
parsed, err := policies.resolveWithCache(cache, entConf) parsed, err := policies.resolveWithCache(cache, entConf)
if err != nil { if err != nil {
return nil, err return nil, err