tysonnorris closed pull request #4114: Update KindRestrictor to merge namespace and default whitelists URL: https://github.com/apache/incubator-openwhisk/pull/4114
This is a PR merged from a forked repository. As GitHub hides the original diff on merge, it is displayed below for the sake of provenance: As this is a foreign pull request (from a fork), the diff is supplied below (as it won't show otherwise due to GitHub magic):
diff --git a/core/controller/src/main/scala/org/apache/openwhisk/core/entitlement/KindRestrictor.scala b/core/controller/src/main/scala/org/apache/openwhisk/core/entitlement/KindRestrictor.scala
index 8154cd8b86..88ba6d63aa 100644
--- a/core/controller/src/main/scala/org/apache/openwhisk/core/entitlement/KindRestrictor.scala
+++ b/core/controller/src/main/scala/org/apache/openwhisk/core/entitlement/KindRestrictor.scala
@@ -46,10 +46,8 @@ case class KindRestrictor(whitelist: Option[Set[String]] = None)(implicit loggin
 })(TransactionId.controller)
 def check(user: Identity, kind: String): Boolean = {
- user.limits.allowedKinds
- .orElse(whitelist)
- .map(allowed => allowed.contains(kind))
- .getOrElse(true)
+ val kindList = user.limits.allowedKinds.getOrElse(Set.empty).union(whitelist.getOrElse(Set.empty))
+ kindList.isEmpty || kindList.contains(kind)
 }
 }
diff --git a/tests/src/test/scala/org/apache/openwhisk/core/controller/test/KindRestrictorTests.scala b/tests/src/test/scala/org/apache/openwhisk/core/controller/test/KindRestrictorTests.scala
index 40084b3564..ebdc85a1fa 100644
--- a/tests/src/test/scala/org/apache/openwhisk/core/controller/test/KindRestrictorTests.scala
+++ b/tests/src/test/scala/org/apache/openwhisk/core/controller/test/KindRestrictorTests.scala
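Review bot: `kindList.isEmpty ||` in `check` makes an explicitly empty set fail open: `allowedKinds = Some(Set.empty)` or `KindRestrictor(Set[String]())` used to deny every kind and now allows every kind, so "nothing configured" (`None`) and "nothing permitted" (`Some(Set.empty)`) can no longer be told apart. If a deny-all setting is still meant to be expressible, keep the `Option` layer while merging, e.g. `val limits = Seq(user.limits.allowedKinds, whitelist).flatten` followed by `limits.isEmpty || limits.exists(_.contains(kind))`. The union also means a namespace limit can only widen the default whitelist, never narrow it; a Scaladoc line on `check` stating both rules would help operators who rely on these lists as an access control. The two rewritten empty-set tests in KindRestrictorTests.scala pin the fail-open behaviour and would need to change with it.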
@@ -49,16 +49,16 @@ class KindRestrictorTests extends FlatSpec with Matchers with StreamLogging {
 allKinds.foreach(k => kr.check(subject, k) shouldBe true)
 }
- it should "not grant subject access to any kinds if limit is the empty set" in {
+ it should "grant subject access to any kinds if limit is the empty set" in {
 val subject = WhiskAuthHelpers.newIdentity().copy(limits = UserLimits(allowedKinds = Some(Set.empty)))
 val kr = KindRestrictor()
- allKinds.foreach(k => kr.check(subject, k) shouldBe false)
+ allKinds.foreach(k => kr.check(subject, k) shouldBe true)
 }
- it should "not grant subject access to any kinds if white list is the empty set" in {
+ it should "grant subject access to any kinds if white list is the empty set" in {
 val subject = WhiskAuthHelpers.newIdentity()
 val kr = KindRestrictor(Set[String]())
- allKinds.foreach(k => kr.check(subject, k) shouldBe false)
+ allKinds.foreach(k => kr.check(subject, k) shouldBe true)
 }
 it should "grant subject access only to subject-limited kinds" in {
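Review bot: The empty-set cases are exercised one side at a time, so nothing pins what happens when a subject limit of `Some(Set.empty)` meets a non-empty default whitelist, or the reverse. With the merged check that combination should allow exactly the kinds of the non-empty side; a test such as `it should "fall back to the default whitelist if the subject limit is the empty set"` would make that explicit. The enclosing test class starts and ends outside this hunk.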
@@ -75,11 +75,11 @@ class KindRestrictorTests extends FlatSpec with Matchers with StreamLogging {
 disallowedKinds.foreach(k => kr.check(subject, k) shouldBe false)
 }
- it should "grant subject access only to explicitly limited kind" in {
+ it should "grant subject access both explicitly limited kinds and default whitelisted kinds" in {
 val explicitKind = allowedKinds.head
 val subject = WhiskAuthHelpers.newIdentity().copy(limits = UserLimits(allowedKinds = Some(Set(explicitKind))))
 val kr = KindRestrictor(allowedKinds.tail)
- allKinds.foreach(k => kr.check(subject, k) shouldBe (k == explicitKind))
+ allKinds.foreach(k => kr.check(subject, k) shouldBe allowedKinds.contains(k))
 }
 }
----------------------------------------------------------------
This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
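Review bot: The new test description is missing a word; `it should "grant subject access to both explicitly limited kinds and default whitelisted kinds" in {` reads correctly and matches the phrasing of the neighbouring tests. The negative half of the assertion relies on `allKinds` containing kinds outside `allowedKinds`; that definition is outside the hunk, so it is worth confirming.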