Merge "consistent use of v23 test generate in order to use TestMain and in turn call test.Init."
diff --git a/cmd/debug/impl.go b/cmd/debug/impl.go
index d4d96ce..0207ab8 100644
--- a/cmd/debug/impl.go
+++ b/cmd/debug/impl.go
@@ -18,7 +18,6 @@
"v.io/v23/context"
"v.io/v23/naming"
"v.io/v23/services/mgmt/logreader"
- logtypes "v.io/v23/services/mgmt/logreader/types"
"v.io/v23/services/mgmt/pprof"
"v.io/v23/services/mgmt/stats"
vtracesvc "v.io/v23/services/mgmt/vtrace"
@@ -46,7 +45,7 @@
// logs read flags
cmdLogsRead.Flags.BoolVar(&follow, "f", false, "When true, read will wait for new log entries when it reaches the end of the file.")
cmdLogsRead.Flags.BoolVar(&verbose, "v", false, "When true, read will be more verbose.")
- cmdLogsRead.Flags.IntVar(&numEntries, "n", int(logtypes.AllEntries), "The number of log entries to read.")
+ cmdLogsRead.Flags.IntVar(&numEntries, "n", int(logreader.AllEntries), "The number of log entries to read.")
cmdLogsRead.Flags.Int64Var(&startPos, "o", 0, "The position, in bytes, from which to start reading the log file.")
// stats read flags
diff --git a/services/mgmt/lib/acls/hierarchical_authorizer.go b/services/mgmt/lib/acls/hierarchical_authorizer.go
index 79a98f9..bbae5ac 100644
--- a/services/mgmt/lib/acls/hierarchical_authorizer.go
+++ b/services/mgmt/lib/acls/hierarchical_authorizer.go
@@ -11,11 +11,11 @@
"v.io/x/lib/vlog"
)
-// hierarchicalAuthorizer manages a pair of authorizers for two-level
-// inheritance of AccessLists.
+// hierarchicalAuthorizer contains the state needed to implement
+// hierarchical authorization in the Authorize method.
type hierarchicalAuthorizer struct {
- child security.Authorizer
- rootAccessList access.AccessList
+ rootDir, childDir string
+ get TAMGetter
}
// TAMGetter defines an abstract interface that a customer of
@@ -38,9 +38,11 @@
return rootAuth, nil
}
-// NewHierarchicalAuthorizer creates a new hierarchicalAuthorizer
+// NewHierarchicalAuthorizer creates a new hierarchicalAuthorizer: one
+// that implements a "root" like concept: admin rights at the root of
+// a server can invoke RPCs regardless of permissions set on child objects.
func NewHierarchicalAuthorizer(rootDir, childDir string, get TAMGetter) (security.Authorizer, error) {
- rootTam, intentionallyEmpty, err := get.TAMForPath(rootDir)
+ _, intentionallyEmpty, err := get.TAMForPath(rootDir)
if err != nil {
return nil, err
} else if intentionallyEmpty {
@@ -48,38 +50,48 @@
return nil, nil
}
- // We are at the root so exit early.
- if rootDir == childDir {
- return mkRootAuth(rootTam)
- }
-
- // This is not fatal: the childDir may not exist if we are invoking
- // a Create() method so we only use the root AccessList.
- childTam, intentionallyEmpty, err := get.TAMForPath(childDir)
- if err != nil {
- return nil, err
- } else if intentionallyEmpty {
- return mkRootAuth(rootTam)
- }
-
- childAuth, err := access.PermissionsAuthorizer(childTam, access.TypicalTagType())
- if err != nil {
- vlog.Errorf("Successfully obtained an AccessList from the filesystem but PermissionsAuthorizer couldn't use it: %v", err)
- return nil, err
- }
-
return &hierarchicalAuthorizer{
- child: childAuth,
- rootAccessList: rootTam[string(access.Admin)],
+ rootDir: rootDir,
+ childDir: childDir,
+ get: get,
}, nil
}
-// Authorize provides two-levels of authorization. Admin permission
-// on the root provides a "superuser"-like power for administering the
-// server using an instance of hierarchicalAuthorizer. Otherwise, the
-// default permissions of the named path apply.
func (ha *hierarchicalAuthorizer) Authorize(ctx *context.T) error {
- childErr := ha.child.Authorize(ctx)
+ rootPerms, _, err := ha.get.TAMForPath(ha.rootDir)
+ if err != nil {
+ return err
+ }
+
+ // We are at the root so exit early.
+ if ha.rootDir == ha.childDir {
+ a, err := mkRootAuth(rootPerms)
+ if err != nil {
+ return err
+ }
+ return a.Authorize(ctx)
+ }
+
+ // This is not fatal: the childDir may not exist if we are invoking
+ // a Create() method so we only use the root Permissions.
+ childPerms, intentionallyEmpty, err := ha.get.TAMForPath(ha.childDir)
+ if err != nil {
+ return err
+ } else if intentionallyEmpty {
+ a, err := mkRootAuth(rootPerms)
+ if err != nil {
+ return err
+ }
+ return a.Authorize(ctx)
+ }
+
+ childAuth, err := access.PermissionsAuthorizer(childPerms, access.TypicalTagType())
+ if err != nil {
+ vlog.Errorf("Successfully obtained a Permissions from the filesystem but PermissionsAuthorizer couldn't use it: %v", err)
+ return err
+ }
+
+ childErr := childAuth.Authorize(ctx)
if childErr == nil {
return nil
}
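Review bot: Authorize discards the intentionallyEmpty result of `ha.get.TAMForPath(ha.rootDir)` on the first line of its new body, while NewHierarchicalAuthorizer (previous hunk) treats an intentionally empty root as "no authorizer" and returns nil; if the root permissions are emptied after construction the two paths now disagree and Authorize silently continues with an empty rootPerms. Make the policy explicit, e.g. `rootPerms, rootEmpty, err := ha.get.TAMForPath(ha.rootDir)` followed by an `if rootEmpty { ... }` branch whose outcome is documented, rather than `_`. Since permissions are now re-read from the filesystem on every call, a doc comment on Authorize stating that this is deliberate (permission changes take effect without restarting the server, at the cost of I/O per request) would replace the comment the commit removed. The TAMForPath error is returned unwrapped; if Authorize errors are surfaced to the remote caller, consider whether filesystem detail should be exposed there. Authorize continues past the end of this hunk.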
@@ -87,7 +99,7 @@
// Maybe the invoking principal can invoke this method because
// it has root permissions.
names, _ := security.RemoteBlessingNames(ctx)
- if len(names) > 0 && ha.rootAccessList.Includes(names...) {
+ if len(names) > 0 && rootPerms[string(access.Admin)].Includes(names...) {
return nil
}
diff --git a/services/mgmt/logreader/impl/logfile.go b/services/mgmt/logreader/impl/logfile.go
index e2deb1a..b1eb185 100644
--- a/services/mgmt/logreader/impl/logfile.go
+++ b/services/mgmt/logreader/impl/logfile.go
@@ -17,7 +17,6 @@
"v.io/v23/rpc"
"v.io/v23/services/mgmt/logreader"
- "v.io/v23/services/mgmt/logreader/types"
"v.io/v23/verror"
"v.io/x/lib/vlog"
)
@@ -92,7 +91,7 @@
return 0, verror.New(errOperationFailed, call.Context(), fname)
}
reader := newFollowReader(call, f, startpos, follow)
- if numEntries == types.AllEntries {
+ if numEntries == logreader.AllEntries {
numEntries = int32(math.MaxInt32)
}
for n := int32(0); n < numEntries; n++ {
@@ -106,7 +105,7 @@
if err != nil {
return reader.tell(), verror.New(errOperationFailed, call.Context(), fname)
}
- if err := call.SendStream().Send(types.LogEntry{Position: offset, Line: line}); err != nil {
+ if err := call.SendStream().Send(logreader.LogEntry{Position: offset, Line: line}); err != nil {
return reader.tell(), err
}
}
diff --git a/services/mgmt/logreader/impl/logfile_test.go b/services/mgmt/logreader/impl/logfile_test.go
index 6bb7e2e..fa3081a 100644
--- a/services/mgmt/logreader/impl/logfile_test.go
+++ b/services/mgmt/logreader/impl/logfile_test.go
@@ -16,7 +16,6 @@
"v.io/v23/rpc"
"v.io/v23/security"
"v.io/v23/services/mgmt/logreader"
- "v.io/v23/services/mgmt/logreader/types"
"v.io/v23/verror"
_ "v.io/x/ref/profiles"
@@ -115,7 +114,7 @@
}
// Read without follow.
- stream, err := lf.ReadLog(ctx, 0, types.AllEntries, false)
+ stream, err := lf.ReadLog(ctx, 0, logreader.AllEntries, false)
if err != nil {
t.Errorf("ReadLog failed: %v", err)
}
@@ -144,7 +143,7 @@
}
// Read with follow from EOF (where the previous read ended).
- stream, err = lf.ReadLog(ctx, offset, types.AllEntries, false)
+ stream, err = lf.ReadLog(ctx, offset, logreader.AllEntries, false)
if err != nil {
t.Errorf("ReadLog failed: %v", err)
}