syncbase: Authorization helpers for recursively checking Resolve.
Added authorization helpers that verify Resolve on all
ancestors and return fuzzy errors (ErrNoExistOrNoAccess) when the
caller is not authorized for Exists(). Authorization now uses
explicitly listed tags, providing more flexibility than RPC method
attached tags (e.g. allowing multiple tags, checking different tags
on Database and Collection, etc.).
Updated Exists() RPCs to use the new authorization helpers.
Expanded tests to cover Exists() permission checking. More tests
will be added in subsequent CLs to cover error fuzzifying.
MultiPart: 3/3
Change-Id: Ie6d22b6b3115e59a9506bc709dec1deb8442b31d
diff --git a/go/src/v.io/x/sensorlog/internal/sbutil/syncbase_test.go b/go/src/v.io/x/sensorlog/internal/sbutil/syncbase_test.go
index d6687b7..1f51e24 100644
--- a/go/src/v.io/x/sensorlog/internal/sbutil/syncbase_test.go
+++ b/go/src/v.io/x/sensorlog/internal/sbutil/syncbase_test.go
@@ -18,7 +18,10 @@
)
func TestCreateOrOpenDB(t *testing.T) {
- _, ctxOwner, sbName, rootPrincipal, cleanup := sbtu.SetupOrDieCustom("u:one", "u:one:sb", nil)
+ _, ctxOwner, sbName, rootPrincipal, cleanup := sbtu.SetupOrDieCustom("u:one", "u:one:sb",
+ access.Permissions{}.
+ Add(security.AllPrincipals, access.TagStrings(access.Resolve)...).
+ Add(security.BlessingPattern("root:u:one"), access.TagStrings(access.Read, access.Write, access.Admin)...))
defer cleanup()
ctxGuest := sbtu.NewCtx(ctxOwner, rootPrincipal, "u:two")
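Review bot: The permissions literal passed to SetupOrDieCustom (L22-L24) carries no explanation of why Resolve is granted to security.AllPrincipals while Read/Write/Admin are restricted to a single pattern, and the pattern "root:u:one" restates the "u:one" argument on the same call as a separate hard-coded string. A short comment above the call would make the intent reviewable, e.g. `// Resolve is open to every principal so a guest reaches the DB permission check; only the owner gets Read/Write/Admin.` If SetupOrDieCustom derives the root blessing from the first argument, building the pattern from that value instead of repeating it would keep the two from drifting apart; I cannot see that helper from here, so treat this as a suggestion. TestCreateOrOpenDB continues past the end of this hunk.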
@@ -37,7 +40,7 @@
/*
dbGuest, err := sbutil.CreateOrOpenDB(ctxGuest, sbName, sbmodel.MasterCollections)
if err != nil {
- t.Errorf("CreateOrOpenDB should have succeeded, got error: %v", err)
+ t.Fatalf("CreateOrOpenDB should have succeeded, got error: %v", err)
}
*/
// Expect db permissions with full access for owner, resolve only for others.
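Review bot: The switch from t.Errorf to t.Fatalf on L32 sits inside the block comment opened by `/*` on L28 and closed by `*/` on L34, so it changes no test behavior. Maintaining commented-out code is the point of style to raise here: either the guest CreateOrOpenDB check should be restored (with the Fatalf) so the permission expectations below it actually run against a guest, or the dead block should be dropped rather than edited. If it is being kept deliberately pending the follow-up CLs mentioned in the description, a one-line comment saying so, e.g. `// TODO: re-enable once guest Resolve checks land.`, would tell the next reader why it is disabled. The enclosing test function starts and ends outside this hunk.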