From ce0881a99a71be94a97ae05bb6b1e744aaacbb87 Mon Sep 17 00:00:00 2001
From: James Phillips
Date: Wed, 4 Nov 2015 15:16:21 -0800
Subject: [PATCH] Adds a new management ACL for prepared queries.
---
 acl/acl.go | 24 ++++++++++++++++++++++++
 acl/acl_test.go | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+)
diff --git a/acl/acl.go b/acl/acl.go
index 8492177e30..344afc5c34 100644
--- a/acl/acl.go
+++ b/acl/acl.go
@@ -70,6 +70,12 @@ type ACL interface {

 // ACLModify checks for permission to manipulate ACLs
 ACLModify() bool
+
+ // QueryList checks for permission to list all the prepared queries.
+ QueryList() bool
+
+ // QueryModify checks for permission to modify any prepared query.
+ QueryModify() bool
 }

 // StaticACL is used to implement a base ACL policy. It either
@@ -124,6 +130,14 @@ func (s *StaticACL) ACLModify() bool {
 return s.allowManage
 }

+func (s *StaticACL) QueryList() bool {
+ return s.allowManage
+}
+
+func (s *StaticACL) QueryModify() bool {
+ return s.allowManage
+}
+
 // AllowAll returns an ACL rule that allows all operations
 func AllowAll() ACL {
 return allowAll
@@ -374,3 +388,13 @@ func (p *PolicyACL) ACLList() bool {
 func (p *PolicyACL) ACLModify() bool {
 return p.parent.ACLModify()
 }
+
+// QueryList checks if listing of all prepared queries is allowed.
+func (p *PolicyACL) QueryList() bool {
+ return p.parent.QueryList()
+}
+
+// QueryModify checks if modifying of any prepared query is allowed.
+func (p *PolicyACL) QueryModify() bool {
+ return p.parent.QueryModify()
+}
diff --git a/acl/acl_test.go b/acl/acl_test.go
index 1b83c81dec..06cdfb7557 100644
--- a/acl/acl_test.go
+++ b/acl/acl_test.go
@@ -65,6 +65,12 @@ func TestStaticACL(t *testing.T) {
 if all.ACLModify() {
 t.Fatalf("should not allow")
 }
+ if all.QueryList() {
+ t.Fatalf("should not allow")
+ }
+ if all.QueryModify() {
+ t.Fatalf("should not allow")
+ }

 if none.KeyRead("foobar") {
 t.Fatalf("should not allow")
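Review bot: The two exported methods added to `StaticACL` in the `@@ -124,6 +130,14 @@` hunk of acl/acl.go have no doc comments, while the `PolicyACL` versions added later in the same patch do. Both return `s.allowManage`, so the comment should say that, e.g. `// QueryList reports whether listing all prepared queries is allowed; only a management ACL permits it.` and the matching line for `QueryModify`. That records that the `all` ACL in TestStaticACL is expected to deny these, which the new assertions in acl_test.go depend on.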
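Review bot: In the `@@ -374,3 +388,13 @@` hunk of acl/acl.go, the comments on `PolicyACL.QueryList` and `PolicyACL.QueryModify` say the methods check whether the operation is allowed, but both bodies return only the parent's answer, so nothing in the policy itself can grant or deny them. I would state that in the comment, e.g. `// QueryList defers to the parent ACL; a policy cannot grant or revoke listing of all prepared queries.` Both calls dereference `p.parent` without a nil check, the same as the `ACLModify` context lines above them. Whether `parent` can ever be nil is not visible from this hunk.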
@@ -102,6 +108,12 @@ func TestStaticACL(t *testing.T) {
 if none.ACLModify() {
 t.Fatalf("should not allow")
 }
+ if none.QueryList() {
+ t.Fatalf("should not allow")
+ }
+ if none.QueryModify() {
+ t.Fatalf("should not allow")
+ }

 if !manage.KeyRead("foobar") {
 t.Fatalf("should allow")
@@ -133,6 +145,12 @@ func TestStaticACL(t *testing.T) {
 if !manage.ACLModify() {
 t.Fatalf("should allow")
 }
+ if !manage.QueryList() {
+ t.Fatalf("should allow")
+ }
+ if !manage.QueryModify() {
+ t.Fatalf("should allow")
+ }
 }

 func TestPolicyACL(t *testing.T) {
@@ -369,6 +387,20 @@ func TestPolicyACL_Parent(t *testing.T) {
 t.Fatalf("Write fail: %#v", c)
 }
 }
+
+ // Check some management functions that chain up
+ if acl.ACLList() {
+ t.Fatalf("should not allow")
+ }
+ if acl.ACLModify() {
+ t.Fatalf("should not allow")
+ }
+ if acl.QueryList() {
+ t.Fatalf("should not allow")
+ }
+ if acl.QueryModify() {
+ t.Fatalf("should not allow")
+ }
 }

 func TestPolicyACL_Keyring(t *testing.T) {
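Review bot: The assertions added to `TestPolicyACL_Parent` in the `@@ -369,6 +387,20 @@` hunk only check the deny direction, so a `PolicyACL.QueryList` or `QueryModify` that returned a constant `false` instead of chaining to the parent would still pass. A second case that layers a policy ACL over a management parent and asserts `if !acl.QueryList() { t.Fatalf("should allow") }` (and the same for `QueryModify`) would pin the delegation. The parent behind `acl` is set up outside the hunk, so I am assuming it denies management operations.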