This is an automated email from the ASF dual-hosted git repository.
tysonnorris pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-openwhisk.git
The following commit(s) were added to refs/heads/master by this push:
new eff21ec Update KindRestrictor to merge namespace and default
whitelists (#4114)
eff21ec is described below
commit eff21ec7481d3b72ae0273dba8bcae09b87e73e0
Author: Andy Steed <[email protected]>
AuthorDate: Wed Nov 28 17:11:36 2018 -0800
Update KindRestrictor to merge namespace and default whitelists (#4114)
Merge subject whitelist limit and default whitelist during KindRestrictor
check
---
.../apache/openwhisk/core/entitlement/KindRestrictor.scala | 6 ++----
.../openwhisk/core/controller/test/KindRestrictorTests.scala | 12 ++++++------
2 files changed, 8 insertions(+), 10 deletions(-)
diff --git
a/core/controller/src/main/scala/org/apache/openwhisk/core/entitlement/KindRestrictor.scala
b/core/controller/src/main/scala/org/apache/openwhisk/core/entitlement/KindRestrictor.scala
index 8154cd8..88ba6d6 100644
---
a/core/controller/src/main/scala/org/apache/openwhisk/core/entitlement/KindRestrictor.scala
+++
b/core/controller/src/main/scala/org/apache/openwhisk/core/entitlement/KindRestrictor.scala
@@ -46,10 +46,8 @@ case class KindRestrictor(whitelist: Option[Set[String]] =
None)(implicit loggin
})(TransactionId.controller)
def check(user: Identity, kind: String): Boolean = {
- user.limits.allowedKinds
- .orElse(whitelist)
- .map(allowed => allowed.contains(kind))
- .getOrElse(true)
+ val kindList =
user.limits.allowedKinds.getOrElse(Set.empty).union(whitelist.getOrElse(Set.empty))
+ kindList.isEmpty || kindList.contains(kind)
}
}
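Review bot: `kindList.isEmpty || kindList.contains(kind)` in `check` treats an allow-list that is configured but empty the same as no allow-list at all, so `allowedKinds = Some(Set.empty)` or `KindRestrictor(Set[String]())` now permits every kind where the removed code denied all of them; the check fails open on an empty or accidentally emptied configuration. The KindRestrictorTests hunks in this commit assert that result, so it looks intended, but it leaves no way to express deny-all. If only the absence of both lists should mean unrestricted, keep the `Option`s apart: `val lists = user.limits.allowedKinds.toList ++ whitelist.toList` followed by `lists.isEmpty || lists.exists(_.contains(kind))`. Either way `check` deserves a Scaladoc stating that the namespace limit is unioned with the default whitelist and therefore can only widen it, never narrow it. The enclosing case class starts outside the hunk.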
diff --git
a/tests/src/test/scala/org/apache/openwhisk/core/controller/test/KindRestrictorTests.scala
b/tests/src/test/scala/org/apache/openwhisk/core/controller/test/KindRestrictorTests.scala
index 40084b3..ebdc85a 100644
---
a/tests/src/test/scala/org/apache/openwhisk/core/controller/test/KindRestrictorTests.scala
+++
b/tests/src/test/scala/org/apache/openwhisk/core/controller/test/KindRestrictorTests.scala
@@ -49,16 +49,16 @@ class KindRestrictorTests extends FlatSpec with Matchers
with StreamLogging {
allKinds.foreach(k => kr.check(subject, k) shouldBe true)
}
- it should "not grant subject access to any kinds if limit is the empty set"
in {
+ it should "grant subject access to any kinds if limit is the empty set" in {
val subject = WhiskAuthHelpers.newIdentity().copy(limits =
UserLimits(allowedKinds = Some(Set.empty)))
val kr = KindRestrictor()
- allKinds.foreach(k => kr.check(subject, k) shouldBe false)
+ allKinds.foreach(k => kr.check(subject, k) shouldBe true)
}
- it should "not grant subject access to any kinds if white list is the empty
set" in {
+ it should "grant subject access to any kinds if white list is the empty set"
in {
val subject = WhiskAuthHelpers.newIdentity()
val kr = KindRestrictor(Set[String]())
- allKinds.foreach(k => kr.check(subject, k) shouldBe false)
+ allKinds.foreach(k => kr.check(subject, k) shouldBe true)
}
it should "grant subject access only to subject-limited kinds" in {
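Review bot: The two rewritten empty-set cases each leave the other list unset, so nothing in this hunk covers an empty list on one side combined with a non-empty list on the other, for example a subject with `UserLimits(allowedKinds = Some(Set.empty))` checked by a `KindRestrictor` built with a non-empty whitelist. With the merged check that subject should be limited to the default whitelist, and a test asserting `kr.check(subject, k)` is true only for the whitelisted kinds would pin the boundary between "no restriction" and "restricted". The reverse pairing (empty default whitelist, non-empty subject limit) deserves the same treatment. The last context line opens a test whose body lies outside the hunk.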
@@ -75,11 +75,11 @@ class KindRestrictorTests extends FlatSpec with Matchers
with StreamLogging {
disallowedKinds.foreach(k => kr.check(subject, k) shouldBe false)
}
- it should "grant subject access only to explicitly limited kind" in {
+ it should "grant subject access both explicitly limited kinds and default
whitelisted kinds" in {
val explicitKind = allowedKinds.head
val subject = WhiskAuthHelpers.newIdentity().copy(limits =
UserLimits(allowedKinds = Some(Set(explicitKind))))
val kr = KindRestrictor(allowedKinds.tail)
- allKinds.foreach(k => kr.check(subject, k) shouldBe (k == explicitKind))
+ allKinds.foreach(k => kr.check(subject, k) shouldBe
allowedKinds.contains(k))
}
}
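Review bot: The new test name "grant subject access both explicitly limited kinds and default whitelisted kinds" drops the "to" that the neighbouring names use; `"grant subject access to both explicitly limited kinds and default whitelisted kinds"` matches them. The body also relies on `allowedKinds.head` and `allowedKinds.tail`, so it presumably needs `allowedKinds` to hold at least two elements before the union is really exercised. Its definition lies outside the hunk, so a one-line comment stating that assumption next to `val explicitKind` would help.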