veyron2/security, veyron2/services/security/access: Update security.ACL to support the Access API.
- Move access.ACL to security.ACL and update services that use ACLs.
- Replace PublicID.Match(PrincipalPattern) with
Matches(PublicID, PrincipalPattern).
Change-Id: I59b6399a30089c48d97755e96e428e692c6551e0
diff --git a/security/acl_authorizer.go b/security/acl_authorizer.go
index 82b35d9..9d88e13 100644
--- a/security/acl_authorizer.go
+++ b/security/acl_authorizer.go
@@ -18,7 +18,6 @@
errACL = errors.New("no matching ACL entry found")
errInvalidLabel = errors.New("label is invalid")
errNilID = errors.New("identity being matched is nil")
- errNilACL = errors.New("ACL is nil")
nullACL security.ACL
)
@@ -82,13 +81,8 @@
if id == nil {
return errNilID
}
- if acl == nil {
- return errNilACL
- }
- for key, labels := range acl {
- if labels.HasLabel(label) && id.Match(key) {
- return nil
- }
+ if acl.Matches(id, label) {
+ return nil
}
return errACL
}
@@ -96,7 +90,7 @@
func loadACLFromFile(filePath string) (security.ACL, error) {
f, err := os.Open(filePath)
if err != nil {
- return nil, err
+ return nullACL, err
}
defer f.Close()
return security.LoadACL(f)
diff --git a/security/acl_authorizer_test.go b/security/acl_authorizer_test.go
index 6c54ca4..8e58b33 100644
--- a/security/acl_authorizer_test.go
+++ b/security/acl_authorizer_test.go
@@ -162,14 +162,19 @@
var (
veyronPrivateID = security.FakePrivateID("veyron")
alicePrivateID = security.FakePrivateID("alice")
+ bobPrivateID = security.FakePrivateID("bob")
+ chePrivateID = security.FakePrivateID("che")
veyron = veyronPrivateID.PublicID()
alice = alicePrivateID.PublicID()
- bob = security.FakePrivateID("bob").PublicID()
+ bob = bobPrivateID.PublicID()
+ che = chePrivateID.PublicID()
// Blessed principals
veyronAlice = bless(alice, veyronPrivateID, "alice")
veyronBob = bless(bob, veyronPrivateID, "bob")
+ veyronChe = bless(che, veyronPrivateID, "che")
veyronAliceFriend = bless(bob, derive(veyronAlice, alicePrivateID), "friend")
+ veyronCheFriend = bless(che, derive(veyronChe, chePrivateID), "friend")
)
// Convenience function for combining Labels into a LabelSet.
LS := func(labels ...security.Label) security.LabelSet {
@@ -181,11 +186,17 @@
}
// ACL for testing
- acl := security.ACL{
+ acl := security.ACL{}
+ acl.In.Principals = map[security.PrincipalPattern]security.LabelSet{
"*": LS(R),
"fake/veyron/alice/*": LS(W, R),
"fake/veyron/alice": LS(A, D, M),
"fake/veyron/bob": LS(D, M),
+ "fake/veyron/che/*": LS(W, R),
+ "fake/veyron/che": LS(W, R),
+ }
+ acl.NotIn.Principals = map[security.PrincipalPattern]security.LabelSet{
+ "fake/veyron/che/friend": LS(W),
}
// Authorizations for the above ACL.
@@ -193,6 +204,7 @@
// alice and bob have only what "*" has.
alice: LS(R),
bob: LS(R),
+ che: LS(R),
// veyron and veyronAlice have R, W, A, D, M from the "veyron/alice" and
// "veyron/alice/*" ACL entries.
veyron: LS(R, W, A, D, M),
@@ -201,6 +213,11 @@
veyronBob: LS(R, D, M),
// veyronAliceFriend has W, R from the "veyron/alice/*" ACL entry.
veyronAliceFriend: LS(W, R),
+ // veyronChe has W, R from the "veyron/che" entry.
+ veyronChe: LS(W, R),
+ // veyronCheFriend has W, R from the "veyron/che/*" entry, but loses W
+ // from the blacklist entry "veyron/che/friend".
+ veyronCheFriend: LS(R),
// nil PublicIDs are not authorized.
nil: LS(),
}
@@ -219,7 +236,7 @@
// Modify the ACL stored in the file and verify that the authorizations appropriately
// change for the fileACLAuthorizer.
- acl["fake/veyron/bob"] = LS(R, W, A, D, M)
+ acl.In.Principals["fake/veyron/bob"] = LS(R, W, A, D, M)
updateACLInFile(fileName, acl)
authorizations[veyronBob] = LS(R, W, A, D, M)
@@ -243,7 +260,7 @@
}
func TestNilACLAuthorizer(t *testing.T) {
- authorizer := NewACLAuthorizer(nil)
+ authorizer := NewACLAuthorizer(nullACL)
testNothingPermitted(t, authorizer)
testSelfRPCs(t, authorizer)
}
diff --git a/security/caveat/caveat.go b/security/caveat/caveat.go
index a0e0f11..d3da712 100644
--- a/security/caveat/caveat.go
+++ b/security/caveat/caveat.go
@@ -52,7 +52,7 @@
// identified by the PrincipalPatterns on the caveat.
func (c PeerIdentity) Validate(ctx security.Context) error {
for _, p := range c {
- if ctx.LocalID() != nil && ctx.LocalID().Match(p) {
+ if ctx.LocalID() != nil && security.Matches(ctx.LocalID(), p) {
return nil
}
}
diff --git a/security/flag/flag_test.go b/security/flag/flag_test.go
index 03ae915..0f7ff63 100644
--- a/security/flag/flag_test.go
+++ b/security/flag/flag_test.go
@@ -30,7 +30,10 @@
}
var (
acl1 = security.ACL{}
- acl2 = security.ACL{"veyron/alice": security.LabelSet(security.ReadLabel | security.WriteLabel), "veyron/bob": security.LabelSet(security.ReadLabel)}
+ acl2 = security.NewWhitelistACL(map[security.PrincipalPattern]security.LabelSet{
+ "veyron/alice": security.LabelSet(security.ReadLabel | security.WriteLabel),
+ "veyron/bob": security.LabelSet(security.ReadLabel),
+ })
)
acl2File := tsecurity.SaveACLToFile(acl2)
defer os.Remove(acl2File)
@@ -49,11 +52,11 @@
wantAuth: vsecurity.NewACLAuthorizer(acl1),
},
{
- flags: flagValue{"acl": "{\"veyron/alice\":\"RW\", \"veyron/bob\": \"R\"}"},
+ flags: flagValue{"acl": "{\"In\":{\"Principals\":{\"veyron/alice\":\"RW\", \"veyron/bob\": \"R\"}}}"},
wantAuth: vsecurity.NewACLAuthorizer(acl2),
},
{
- flags: flagValue{"acl": "{\"veyron/bob\":\"R\", \"veyron/alice\": \"WR\"}"},
+ flags: flagValue{"acl": "{\"In\":{\"Principals\":{\"veyron/bob\":\"R\", \"veyron/alice\": \"WR\"}}}"},
wantAuth: vsecurity.NewACLAuthorizer(acl2),
},
{
@@ -61,7 +64,7 @@
wantAuth: vsecurity.NewFileACLAuthorizer(acl2File),
},
{
- flags: flagValue{"acl_file": acl2File, "acl": "{\"veyron/alice\":\"RW\", \"veyron/bob\": \"R\"}"},
+ flags: flagValue{"acl_file": acl2File, "acl": "{\"In\":{\"Principals\":{\"veyron/alice\":\"RW\", \"veyron/bob\": \"R\"}}}"},
wantPanic: true,
},
}
