You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@openwhisk.apache.org by GitBox <gi...@apache.org> on 2018/11/29 01:11:38 UTC
[GitHub] tysonnorris closed pull request #4114: Update KindRestrictor to
merge namespace and default whitelists
tysonnorris closed pull request #4114: Update KindRestrictor to merge namespace and default whitelists
URL: https://github.com/apache/incubator-openwhisk/pull/4114
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git a/core/controller/src/main/scala/org/apache/openwhisk/core/entitlement/KindRestrictor.scala b/core/controller/src/main/scala/org/apache/openwhisk/core/entitlement/KindRestrictor.scala
index 8154cd8b86..88ba6d63aa 100644
--- a/core/controller/src/main/scala/org/apache/openwhisk/core/entitlement/KindRestrictor.scala
+++ b/core/controller/src/main/scala/org/apache/openwhisk/core/entitlement/KindRestrictor.scala
@@ -46,10 +46,8 @@ case class KindRestrictor(whitelist: Option[Set[String]] = None)(implicit loggin
})(TransactionId.controller)
def check(user: Identity, kind: String): Boolean = {
- user.limits.allowedKinds
- .orElse(whitelist)
- .map(allowed => allowed.contains(kind))
- .getOrElse(true)
+ val kindList = user.limits.allowedKinds.getOrElse(Set.empty).union(whitelist.getOrElse(Set.empty))
+ kindList.isEmpty || kindList.contains(kind)
}
}
diff --git a/tests/src/test/scala/org/apache/openwhisk/core/controller/test/KindRestrictorTests.scala b/tests/src/test/scala/org/apache/openwhisk/core/controller/test/KindRestrictorTests.scala
index 40084b3564..ebdc85a1fa 100644
--- a/tests/src/test/scala/org/apache/openwhisk/core/controller/test/KindRestrictorTests.scala
+++ b/tests/src/test/scala/org/apache/openwhisk/core/controller/test/KindRestrictorTests.scala
@@ -49,16 +49,16 @@ class KindRestrictorTests extends FlatSpec with Matchers with StreamLogging {
allKinds.foreach(k => kr.check(subject, k) shouldBe true)
}
- it should "not grant subject access to any kinds if limit is the empty set" in {
+ it should "grant subject access to any kinds if limit is the empty set" in {
val subject = WhiskAuthHelpers.newIdentity().copy(limits = UserLimits(allowedKinds = Some(Set.empty)))
val kr = KindRestrictor()
- allKinds.foreach(k => kr.check(subject, k) shouldBe false)
+ allKinds.foreach(k => kr.check(subject, k) shouldBe true)
}
- it should "not grant subject access to any kinds if white list is the empty set" in {
+ it should "grant subject access to any kinds if white list is the empty set" in {
val subject = WhiskAuthHelpers.newIdentity()
val kr = KindRestrictor(Set[String]())
- allKinds.foreach(k => kr.check(subject, k) shouldBe false)
+ allKinds.foreach(k => kr.check(subject, k) shouldBe true)
}
it should "grant subject access only to subject-limited kinds" in {
@@ -75,11 +75,11 @@ class KindRestrictorTests extends FlatSpec with Matchers with StreamLogging {
disallowedKinds.foreach(k => kr.check(subject, k) shouldBe false)
}
- it should "grant subject access only to explicitly limited kind" in {
+ it should "grant subject access both explicitly limited kinds and default whitelisted kinds" in {
val explicitKind = allowedKinds.head
val subject = WhiskAuthHelpers.newIdentity().copy(limits = UserLimits(allowedKinds = Some(Set(explicitKind))))
val kr = KindRestrictor(allowedKinds.tail)
- allKinds.foreach(k => kr.check(subject, k) shouldBe (k == explicitKind))
+ allKinds.foreach(k => kr.check(subject, k) shouldBe allowedKinds.contains(k))
}
}
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services