github
/
consul
mirror of https://github.com/hashicorp/consul
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #905 from maver1ck/master

Browse Source 
Consul prefix services ACLs
pull/912/head
Armon Dadgar 10 years ago
parent f3a8f907fb 11425734d5
commit e111c38dc3
2 changed files with 15 additions and 11 deletions
Show Stats Download Patch File Download Diff File

18
acl/acl.go
Unescape View File

@ -135,7 +135,7 @@ type PolicyACL struct {
keyRules *radix.Tree
// serviceRules contains the service policies
serviceRules map[string]string
serviceRules *radix.Tree
}
// New is used to construct a policy based ACL from a set of policies
@ -144,7 +144,7 @@ func New(parent ACL, policy *Policy) (*PolicyACL, error) {
p := &PolicyACL{
parent: parent,
keyRules: radix.New(),
serviceRules: make(map[string]string, len(policy.Services)),
serviceRules: radix.New(),
}
// Load the key policy
@ -154,7 +154,7 @@ func New(parent ACL, policy *Policy) (*PolicyACL, error) {
// Load the service policy
for _, sp := range policy.Services {
p.serviceRules[sp.Name] = sp.Policy
p.serviceRules.Insert(sp.Name, sp.Policy)
}
return p, nil
}
@ -231,10 +231,8 @@ func (p *PolicyACL) KeyWritePrefix(prefix string) bool {
// ServiceRead checks if reading (discovery) of a service is allowed
func (p *PolicyACL) ServiceRead(name string) bool {
// Check for an exact rule or catch-all
rule, ok := p.serviceRules[name]
if !ok {
rule, ok = p.serviceRules[""]
}
_, rule, ok := p.serviceRules.LongestPrefix(name)
if ok {
switch rule {
case ServicePolicyWrite:
@ -253,10 +251,8 @@ func (p *PolicyACL) ServiceRead(name string) bool {
// ServiceWrite checks if writing (registering) a service is allowed
func (p *PolicyACL) ServiceWrite(name string) bool {
// Check for an exact rule or catch-all
rule, ok := p.serviceRules[name]
if !ok {
rule, ok = p.serviceRules[""]
}
_, rule, ok := p.serviceRules.LongestPrefix(name)
if ok {
switch rule {
case ServicePolicyWrite:

8
acl/acl_test.go
Unescape View File

@ -127,6 +127,10 @@ func TestPolicyACL(t *testing.T) {
Name: "bar",
Policy: ServicePolicyDeny,
},
&ServicePolicy{
Name: "barfoo",
Policy: ServicePolicyWrite,
},
},
}
acl, err := New(all, policy)
@ -171,6 +175,10 @@ func TestPolicyACL(t *testing.T) {
{"other", true, true},
{"foo", true, false},
{"bar", false, false},
{"foobar", true, false},
{"barfo", false, false},
{"barfoo", true, true},
{"barfoo2", true, true},
}
for _, c := range scases {
if c.read != acl.ServiceRead(c.inp) {

Write Preview
Loading…
Cancel
Save