mirror of
https://github.com/kemko/nomad.git
synced 2026-01-01 16:05:42 +03:00
Migrate acls to generics (#13721)
* Migrate acls to generics See hashicorp/go-immutable-radix#43 * deps: fixup go.mod formatting Co-authored-by: Seth Hoenig <shoenig@duck.com>
This commit is contained in:
Michael Schurter
54
acl/acl.go
54
acl/acl.go
@@ -5,7 +5,7 @@ import (
|
||||
"sort"
|
||||
"strings"
|
||||
|
||||
iradix "github.com/hashicorp/go-immutable-radix"
|
||||
iradix "github.com/hashicorp/go-immutable-radix/v2"
|
||||
glob "github.com/ryanuber/go-glob"
|
||||
)
|
||||
|
||||
@@ -48,21 +48,21 @@ type ACL struct {
|
||||
management bool
|
||||
|
||||
// namespaces maps a namespace to a capabilitySet
|
||||
namespaces *iradix.Tree
|
||||
namespaces *iradix.Tree[capabilitySet]
|
||||
|
||||
// wildcardNamespaces maps a glob pattern of a namespace to a capabilitySet
|
||||
// We use an iradix for the purposes of ordered iteration.
|
||||
wildcardNamespaces *iradix.Tree
|
||||
wildcardNamespaces *iradix.Tree[capabilitySet]
|
||||
|
||||
// hostVolumes maps a named host volume to a capabilitySet
|
||||
hostVolumes *iradix.Tree
|
||||
hostVolumes *iradix.Tree[capabilitySet]
|
||||
|
||||
// wildcardHostVolumes maps a glob pattern of host volume names to a capabilitySet
|
||||
// We use an iradix for the purposes of ordered iteration.
|
||||
wildcardHostVolumes *iradix.Tree
|
||||
wildcardHostVolumes *iradix.Tree[capabilitySet]
|
||||
|
||||
variables *iradix.Tree
|
||||
wildcardVariables *iradix.Tree
|
||||
variables *iradix.Tree[capabilitySet]
|
||||
wildcardVariables *iradix.Tree[capabilitySet]
|
||||
|
||||
agent string
|
||||
node string
|
||||
@@ -97,12 +97,12 @@ func NewACL(management bool, policies []*Policy) (*ACL, error) {
|
||||
|
||||
// Create the ACL object
|
||||
acl := &ACL{}
|
||||
nsTxn := iradix.New().Txn()
|
||||
wnsTxn := iradix.New().Txn()
|
||||
hvTxn := iradix.New().Txn()
|
||||
whvTxn := iradix.New().Txn()
|
||||
svTxn := iradix.New().Txn()
|
||||
wsvTxn := iradix.New().Txn()
|
||||
nsTxn := iradix.New[capabilitySet]().Txn()
|
||||
wnsTxn := iradix.New[capabilitySet]().Txn()
|
||||
hvTxn := iradix.New[capabilitySet]().Txn()
|
||||
whvTxn := iradix.New[capabilitySet]().Txn()
|
||||
svTxn := iradix.New[capabilitySet]().Txn()
|
||||
wsvTxn := iradix.New[capabilitySet]().Txn()
|
||||
|
||||
for _, policy := range policies {
|
||||
NAMESPACES:
|
||||
@@ -116,7 +116,7 @@ func NewACL(management bool, policies []*Policy) (*ACL, error) {
|
||||
if globDefinition {
|
||||
raw, ok := wnsTxn.Get([]byte(ns.Name))
|
||||
if ok {
|
||||
capabilities = raw.(capabilitySet)
|
||||
capabilities = raw
|
||||
} else {
|
||||
capabilities = make(capabilitySet)
|
||||
wnsTxn.Insert([]byte(ns.Name), capabilities)
|
||||
@@ -124,7 +124,7 @@ func NewACL(management bool, policies []*Policy) (*ACL, error) {
|
||||
} else {
|
||||
raw, ok := nsTxn.Get([]byte(ns.Name))
|
||||
if ok {
|
||||
capabilities = raw.(capabilitySet)
|
||||
capabilities = raw
|
||||
} else {
|
||||
capabilities = make(capabilitySet)
|
||||
nsTxn.Insert([]byte(ns.Name), capabilities)
|
||||
@@ -138,7 +138,7 @@ func NewACL(management bool, policies []*Policy) (*ACL, error) {
|
||||
if globDefinition || strings.Contains(pathPolicy.PathSpec, "*") {
|
||||
raw, ok := wsvTxn.Get(key)
|
||||
if ok {
|
||||
svCapabilities = raw.(capabilitySet)
|
||||
svCapabilities = raw
|
||||
} else {
|
||||
svCapabilities = make(capabilitySet)
|
||||
}
|
||||
@@ -146,7 +146,7 @@ func NewACL(management bool, policies []*Policy) (*ACL, error) {
|
||||
} else {
|
||||
raw, ok := svTxn.Get(key)
|
||||
if ok {
|
||||
svCapabilities = raw.(capabilitySet)
|
||||
svCapabilities = raw
|
||||
} else {
|
||||
svCapabilities = make(capabilitySet)
|
||||
}
|
||||
@@ -186,7 +186,7 @@ func NewACL(management bool, policies []*Policy) (*ACL, error) {
|
||||
if globDefinition {
|
||||
raw, ok := whvTxn.Get([]byte(hv.Name))
|
||||
if ok {
|
||||
capabilities = raw.(capabilitySet)
|
||||
capabilities = raw
|
||||
} else {
|
||||
capabilities = make(capabilitySet)
|
||||
whvTxn.Insert([]byte(hv.Name), capabilities)
|
||||
@@ -194,7 +194,7 @@ func NewACL(management bool, policies []*Policy) (*ACL, error) {
|
||||
} else {
|
||||
raw, ok := hvTxn.Get([]byte(hv.Name))
|
||||
if ok {
|
||||
capabilities = raw.(capabilitySet)
|
||||
capabilities = raw
|
||||
} else {
|
||||
capabilities = make(capabilitySet)
|
||||
hvTxn.Insert([]byte(hv.Name), capabilities)
|
||||
@@ -401,7 +401,7 @@ func (a *ACL) matchingNamespaceCapabilitySet(ns string) (capabilitySet, bool) {
|
||||
// Check for a concrete matching capability set
|
||||
raw, ok := a.namespaces.Get([]byte(ns))
|
||||
if ok {
|
||||
return raw.(capabilitySet), true
|
||||
return raw, true
|
||||
}
|
||||
|
||||
// We didn't find a concrete match, so lets try and evaluate globs.
|
||||
@@ -429,8 +429,7 @@ func (a *ACL) anyNamespaceAllowsAnyOp() bool {
|
||||
func (a *ACL) anyNamespaceAllows(cb func(capabilitySet) bool) bool {
|
||||
allow := false
|
||||
|
||||
checkFn := func(_ []byte, iv interface{}) bool {
|
||||
v := iv.(capabilitySet)
|
||||
checkFn := func(_ []byte, v capabilitySet) bool {
|
||||
allow = cb(v)
|
||||
return allow
|
||||
}
|
||||
@@ -453,7 +452,7 @@ func (a *ACL) matchingHostVolumeCapabilitySet(name string) (capabilitySet, bool)
|
||||
// Check for a concrete matching capability set
|
||||
raw, ok := a.hostVolumes.Get([]byte(name))
|
||||
if ok {
|
||||
return raw.(capabilitySet), true
|
||||
return raw, true
|
||||
}
|
||||
|
||||
// We didn't find a concrete match, so lets try and evaluate globs.
|
||||
@@ -469,7 +468,7 @@ func (a *ACL) matchingVariablesCapabilitySet(ns, path string) (capabilitySet, bo
|
||||
// Check for a concrete matching capability set
|
||||
raw, ok := a.variables.Get([]byte(ns + "\x00" + path))
|
||||
if ok {
|
||||
return raw.(capabilitySet), true
|
||||
return raw, true
|
||||
}
|
||||
|
||||
// We didn't find a concrete match, so lets try and evaluate globs.
|
||||
@@ -482,7 +481,7 @@ type matchingGlob struct {
|
||||
capabilitySet capabilitySet
|
||||
}
|
||||
|
||||
func (a *ACL) findClosestMatchingGlob(radix *iradix.Tree, ns string) (capabilitySet, bool) {
|
||||
func (a *ACL) findClosestMatchingGlob(radix *iradix.Tree[capabilitySet], ns string) (capabilitySet, bool) {
|
||||
// First, find all globs that match.
|
||||
matchingGlobs := findAllMatchingWildcards(radix, ns)
|
||||
|
||||
@@ -506,14 +505,13 @@ func (a *ACL) findClosestMatchingGlob(radix *iradix.Tree, ns string) (capability
|
||||
return matchingGlobs[0].capabilitySet, true
|
||||
}
|
||||
|
||||
func findAllMatchingWildcards(radix *iradix.Tree, name string) []matchingGlob {
|
||||
func findAllMatchingWildcards(radix *iradix.Tree[capabilitySet], name string) []matchingGlob {
|
||||
var matches []matchingGlob
|
||||
|
||||
nsLen := len(name)
|
||||
|
||||
radix.Root().Walk(func(bk []byte, iv interface{}) bool {
|
||||
radix.Root().Walk(func(bk []byte, v capabilitySet) bool {
|
||||
k := string(bk)
|
||||
v := iv.(capabilitySet)
|
||||
|
||||
isMatch := glob.Glob(k, name)
|
||||
if isMatch {
|
||||
|
||||
Reference in New Issue
Block a user