Adds a new management ACL for prepared queries.

bensojona · Nov 16, 2015 · ce0881a · ce0881a
1 parent ff351b2
commit ce0881a
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 0 deletions.
diff --git a/acl/acl.go b/acl/acl.go
@@ -70,6 +70,12 @@ type ACL interface {
 
 	// ACLModify checks for permission to manipulate ACLs
 	ACLModify() bool
+
+	// QueryList checks for permission to list all the prepared queries.
+	QueryList() bool
+
+	// QueryModify checks for permission to modify any prepared query.
+	QueryModify() bool
 }
 
 // StaticACL is used to implement a base ACL policy. It either
@@ -124,6 +130,14 @@ func (s *StaticACL) ACLModify() bool {
 	return s.allowManage
 }
 
+func (s *StaticACL) QueryList() bool {
+	return s.allowManage
+}
+
+func (s *StaticACL) QueryModify() bool {
+	return s.allowManage
+}
+
 // AllowAll returns an ACL rule that allows all operations
 func AllowAll() ACL {
 	return allowAll
@@ -374,3 +388,13 @@ func (p *PolicyACL) ACLList() bool {
 func (p *PolicyACL) ACLModify() bool {
 	return p.parent.ACLModify()
 }
+
+// QueryList checks if listing of all prepared queries is allowed.
+func (p *PolicyACL) QueryList() bool {
+	return p.parent.QueryList()
+}
+
+// QueryModify checks if modifying of any prepared query is allowed.
+func (p *PolicyACL) QueryModify() bool {
+	return p.parent.QueryModify()
+}
diff --git a/acl/acl_test.go b/acl/acl_test.go
@@ -65,6 +65,12 @@ func TestStaticACL(t *testing.T) {
 	if all.ACLModify() {
 		t.Fatalf("should not allow")
 	}
+	if all.QueryList() {
+		t.Fatalf("should not allow")
+	}
+	if all.QueryModify() {
+		t.Fatalf("should not allow")
+	}
 
 	if none.KeyRead("foobar") {
 		t.Fatalf("should not allow")
@@ -102,6 +108,12 @@ func TestStaticACL(t *testing.T) {
 	if none.ACLModify() {
 		t.Fatalf("should not allow")
 	}
+	if none.QueryList() {
+		t.Fatalf("should not allow")
+	}
+	if none.QueryModify() {
+		t.Fatalf("should not allow")
+	}
 
 	if !manage.KeyRead("foobar") {
 		t.Fatalf("should allow")
@@ -133,6 +145,12 @@ func TestStaticACL(t *testing.T) {
 	if !manage.ACLModify() {
 		t.Fatalf("should allow")
 	}
+	if !manage.QueryList() {
+		t.Fatalf("should allow")
+	}
+	if !manage.QueryModify() {
+		t.Fatalf("should allow")
+	}
 }
 
 func TestPolicyACL(t *testing.T) {
@@ -369,6 +387,20 @@ func TestPolicyACL_Parent(t *testing.T) {
 			t.Fatalf("Write fail: %#v", c)
 		}
 	}
+
+	// Check some management functions that chain up
+	if acl.ACLList() {
+		t.Fatalf("should not allow")
+	}
+	if acl.ACLModify() {
+		t.Fatalf("should not allow")
+	}
+	if acl.QueryList() {
+		t.Fatalf("should not allow")
+	}
+	if acl.QueryModify() {
+		t.Fatalf("should not allow")
+	}
 }
 
 func TestPolicyACL_Keyring(t *testing.T) {