mirror of https://github.com/hashicorp/consul
Adds a new management ACL for prepared queries.
parent
ff351b289a
commit
ce0881a99a
24
acl/acl.go
24
acl/acl.go
|
@ -70,6 +70,12 @@ type ACL interface {
|
|||
|
||||
// ACLModify checks for permission to manipulate ACLs
|
||||
ACLModify() bool
|
||||
|
||||
// QueryList checks for permission to list all the prepared queries.
|
||||
QueryList() bool
|
||||
|
||||
// QueryModify checks for permission to modify any prepared query.
|
||||
QueryModify() bool
|
||||
}
|
||||
|
||||
// StaticACL is used to implement a base ACL policy. It either
|
||||
|
@ -124,6 +130,14 @@ func (s *StaticACL) ACLModify() bool {
|
|||
return s.allowManage
|
||||
}
|
||||
|
||||
func (s *StaticACL) QueryList() bool {
|
||||
return s.allowManage
|
||||
}
|
||||
|
||||
func (s *StaticACL) QueryModify() bool {
|
||||
return s.allowManage
|
||||
}
|
||||
|
||||
// AllowAll returns an ACL rule that allows all operations
|
||||
func AllowAll() ACL {
|
||||
return allowAll
|
||||
|
@ -374,3 +388,13 @@ func (p *PolicyACL) ACLList() bool {
|
|||
func (p *PolicyACL) ACLModify() bool {
|
||||
return p.parent.ACLModify()
|
||||
}
|
||||
|
||||
// QueryList checks if listing of all prepared queries is allowed.
|
||||
func (p *PolicyACL) QueryList() bool {
|
||||
return p.parent.QueryList()
|
||||
}
|
||||
|
||||
// QueryModify checks if modifying of any prepared query is allowed.
|
||||
func (p *PolicyACL) QueryModify() bool {
|
||||
return p.parent.QueryModify()
|
||||
}
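Review bot: In the StaticACL hunk, `QueryList` and `QueryModify` both return `s.allowManage`, the same flag `ACLModify` returns, and neither has a doc comment saying so. The PolicyACL versions only delegate to `p.parent`, so nothing visible in this change lets a policy grant prepared-query access on its own; a token able to manage queries can presumably also modify ACLs. If that coupling is intended, state it on the methods, e.g. `// QueryList reports whether listing all prepared queries is allowed; StaticACL grants this only with management privileges.`, with a matching line for `QueryModify`. The interface and PolicyACL comments could say the same so callers do not assume a finer-grained rule exists.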
|
||||
|
|
|
@ -65,6 +65,12 @@ func TestStaticACL(t *testing.T) {
|
|||
if all.ACLModify() {
|
||||
t.Fatalf("should not allow")
|
||||
}
|
||||
if all.QueryList() {
|
||||
t.Fatalf("should not allow")
|
||||
}
|
||||
if all.QueryModify() {
|
||||
t.Fatalf("should not allow")
|
||||
}
|
||||
|
||||
if none.KeyRead("foobar") {
|
||||
t.Fatalf("should not allow")
|
||||
|
@ -102,6 +108,12 @@ func TestStaticACL(t *testing.T) {
|
|||
if none.ACLModify() {
|
||||
t.Fatalf("should not allow")
|
||||
}
|
||||
if none.QueryList() {
|
||||
t.Fatalf("should not allow")
|
||||
}
|
||||
if none.QueryModify() {
|
||||
t.Fatalf("should not allow")
|
||||
}
|
||||
|
||||
if !manage.KeyRead("foobar") {
|
||||
t.Fatalf("should allow")
|
||||
|
@ -133,6 +145,12 @@ func TestStaticACL(t *testing.T) {
|
|||
if !manage.ACLModify() {
|
||||
t.Fatalf("should allow")
|
||||
}
|
||||
if !manage.QueryList() {
|
||||
t.Fatalf("should allow")
|
||||
}
|
||||
if !manage.QueryModify() {
|
||||
t.Fatalf("should allow")
|
||||
}
|
||||
}
|
||||
|
||||
func TestPolicyACL(t *testing.T) {
|
||||
|
@ -369,6 +387,20 @@ func TestPolicyACL_Parent(t *testing.T) {
|
|||
t.Fatalf("Write fail: %#v", c)
|
||||
}
|
||||
}
|
||||
|
||||
// Check some management functions that chain up
|
||||
if acl.ACLList() {
|
||||
t.Fatalf("should not allow")
|
||||
}
|
||||
if acl.ACLModify() {
|
||||
t.Fatalf("should not allow")
|
||||
}
|
||||
if acl.QueryList() {
|
||||
t.Fatalf("should not allow")
|
||||
}
|
||||
if acl.QueryModify() {
|
||||
t.Fatalf("should not allow")
|
||||
}
|
||||
}
|
||||
|
||||
func TestPolicyACL_Keyring(t *testing.T) {
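Review bot: The checks added to TestPolicyACL_Parent assert only the deny path (`acl.QueryList()` and `acl.QueryModify()` with "should not allow"), so a PolicyACL that returned false unconditionally instead of delegating to its parent would still pass. The parent ACL for this test is constructed outside the hunk; assuming it is a non-management ACL, add a companion case with a management parent that asserts `if !acl.QueryList() { t.Fatalf("should allow") }` and the same for `QueryModify`. That pins both directions of the authorization decision, not just the refusal.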
|
||||
|
|