Add varadic functions to auth store

5 years ago · 1ffc3d566e
parent e0cf01cefc
commit 1ffc3d566e
5 changed files with 41 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -17,6 +17,7 @@ This release uses a new Raft consensus version, with the move to Hashicorp Raft
 - [PR #607](https://github.com/rqlite/rqlite/pull/607): Various Redirect fixes.
 - [PR #609](https://github.com/rqlite/rqlite/pull/609): Simplify rqlite implementation.
 - [PR #610](https://github.com/rqlite/rqlite/pull/610): Write node backup directly to HTTP response writer. Thanks @sum12.
+- [PR #611](https://github.com/rqlite/rqlite/pull/611): Add varadic perm check functions to auth store.

 ## 4.6.0 (November 29th 2019)
 _This release adds significant new functionality to the command-line tool, including much more control over backup and restore of the database. [Visit the Releases page](https://github.com/rqlite/rqlite/releases/tag/v4.6.0) to download this release._
--- a/auth/credential_store.go
+++ b/auth/credential_store.go
@ -99,6 +99,19 @@ func (c *CredentialsStore) HasPerm(username string, perm string) bool {
 	return true
 }

+// HasAnyPerm returns true if username has at least one of the given perms.
+// It does not perform any password checking.
+func (c *CredentialsStore) HasAnyPerm(username string, perm ...string) bool {
+	return func(p []string) bool {
+		for i := range p {
+			if c.HasPerm(username, p[i]) {
+				return true
+			}
+		}
+		return false
+	}(perm)
+}
+
 // HasPermRequest returns true if the username returned by b has the givem perm.
 // It does not perform any password checking, but if there is no username
 // in the request, it returns false.
--- a/auth/credential_store_test.go
+++ b/auth/credential_store_test.go
@ -160,6 +160,25 @@ func Test_AuthPermsLoadSingle(t *testing.T) {
 	if perm := store.HasPerm("username2", "baz"); !perm {
 		t.Fatalf("username1 does not have baz perm")
 	}
+
+	if perm := store.HasAnyPerm("username1", "foo"); !perm {
+		t.Fatalf("username1 does not have foo perm")
+	}
+	if perm := store.HasAnyPerm("username1", "bar"); !perm {
+		t.Fatalf("username1 does not have bar perm")
+	}
+	if perm := store.HasAnyPerm("username1", "foo", "bar"); !perm {
+		t.Fatalf("username1 does not have foo or bar perm")
+	}
+	if perm := store.HasAnyPerm("username1", "foo", "qux"); !perm {
+		t.Fatalf("username1 does not have foo or qux perm")
+	}
+	if perm := store.HasAnyPerm("username1", "qux", "bar"); !perm {
+		t.Fatalf("username1 does not have bar perm")
+	}
+	if perm := store.HasAnyPerm("username1", "baz", "qux"); perm {
+		t.Fatalf("username1 has baz or qux perm")
+	}
 }

 func Test_AuthLoadHashedSingleRequest(t *testing.T) {
--- a/http/service.go
+++ b/http/service.go
@ -70,6 +70,9 @@ type CredentialStore interface {

 	// HasPerm returns whether username has the given perm.
 	HasPerm(username string, perm string) bool
+
+	// HasAnyPerm returns whether username has any of the given perms.
+	HasAnyPerm(username string, perm ...string) bool
 }

 // Statuser is the interface status providers must implement.
@ -746,7 +749,7 @@ func (s *Service) CheckRequestPerm(r *http.Request, perm string) bool {
 	if !ok {
 		return false
 	}
-	return s.credentialStore.HasPerm(username, PermAll) || s.credentialStore.HasPerm(username, perm)
+	return s.credentialStore.HasAnyPerm(username, perm, PermAll)
 }

 func (s *Service) leaderAPIAddr() string {
--- a/http/service_test.go
+++ b/http/service_test.go
@ -529,6 +529,10 @@ func (m *mockCredentialStore) HasPerm(username, perm string) bool {
 	return m.HasPermOK
 }

+func (m *mockCredentialStore) HasAnyPerm(username string, perm ...string) bool {
+	return m.HasPermOK
+}
+
 type mockStatuser struct {
 }