-
Notifications
You must be signed in to change notification settings - Fork 57
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(daemon): Port accessChecker API from snapd
- Loading branch information
1 parent
c658437
commit a513795
Showing
6 changed files
with
290 additions
and
323 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,60 @@ | ||
// -*- Mode: Go; indent-tabs-mode: t -*- | ||
|
||
/* | ||
* Copyright (C) 2021 Canonical Ltd | ||
* | ||
* This program is free software: you can redistribute it and/or modify | ||
* it under the terms of the GNU General Public License version 3 as | ||
* published by the Free Software Foundation. | ||
* | ||
* This program is distributed in the hope that it will be useful, | ||
* but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
* GNU General Public License for more details. | ||
* | ||
* You should have received a copy of the GNU General Public License | ||
* along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
* | ||
*/ | ||
|
||
// Based on: https://github.com/snapcore/snapd/blob/master/daemon/access.go | ||
|
||
package daemon | ||
|
||
import ( | ||
"net/http" | ||
) | ||
|
||
// accessChecker checks whether a particular request is allowed. | ||
// | ||
// An access checker will either allow a request (returns nil) or deny it. | ||
type accessChecker interface { | ||
CheckAccess(d *Daemon, r *http.Request, ucred *ucrednet, user *UserState) Response | ||
} | ||
|
||
// openAccess allows all requests | ||
type openAccess struct{} | ||
|
||
func (ac openAccess) CheckAccess(d *Daemon, r *http.Request, ucred *ucrednet, user *UserState) Response { | ||
return nil | ||
} | ||
|
||
// rootAccess allows requests from the root uid | ||
type rootAccess struct{} | ||
|
||
func (ac rootAccess) CheckAccess(d *Daemon, r *http.Request, ucred *ucrednet, user *UserState) Response { | ||
if ucred != nil && ucred.Uid == 0 { | ||
return nil | ||
} | ||
return statusForbidden("access denied") | ||
} | ||
|
||
// userAccess allows requests from any local user | ||
type userAccess struct{} | ||
|
||
func (ac userAccess) CheckAccess(d *Daemon, r *http.Request, ucred *ucrednet, user *UserState) Response { | ||
if ucred == nil { | ||
return statusForbidden("access denied") | ||
} | ||
return nil | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,87 @@ | ||
// -*- Mode: Go; indent-tabs-mode: t -*- | ||
|
||
/* | ||
* Copyright (C) 2021 Canonical Ltd | ||
* | ||
* This program is free software: you can redistribute it and/or modify | ||
* it under the terms of the GNU General Public License version 3 as | ||
* published by the Free Software Foundation. | ||
* | ||
* This program is distributed in the hope that it will be useful, | ||
* but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
* GNU General Public License for more details. | ||
* | ||
* You should have received a copy of the GNU General Public License | ||
* along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
* | ||
*/ | ||
|
||
// Based on: https://github.com/snapcore/snapd/blob/master/daemon/access.go | ||
|
||
package daemon_test | ||
|
||
import ( | ||
. "gopkg.in/check.v1" | ||
|
||
"github.com/canonical/pebble/internals/daemon" | ||
) | ||
|
||
type accessSuite struct { | ||
} | ||
|
||
var _ = Suite(&accessSuite{}) | ||
|
||
var ( | ||
errForbidden = daemon.StatusForbidden("access denied") | ||
errUnauthorized = daemon.StatusUnauthorized("access denied") | ||
) | ||
|
||
const ( | ||
socketPath = "/tmp/foo.sock" | ||
) | ||
|
||
func (s *accessSuite) TestOpenAccess(c *C) { | ||
var ac daemon.AccessChecker = daemon.OpenAccess{} | ||
|
||
// openAccess allows access without peer credentials. | ||
c.Check(ac.CheckAccess(nil, nil, nil, nil), IsNil) | ||
|
||
// openAccess allows access from normal user | ||
ucred := &daemon.Ucrednet{Uid: 42, Pid: 100, Socket: socketPath} | ||
c.Check(ac.CheckAccess(nil, nil, ucred, nil), IsNil) | ||
|
||
// openAccess allows access from root user | ||
ucred = &daemon.Ucrednet{Uid: 0, Pid: 100, Socket: socketPath} | ||
c.Check(ac.CheckAccess(nil, nil, ucred, nil), IsNil) | ||
} | ||
|
||
func (s *accessSuite) TestUserAccess(c *C) { | ||
var ac daemon.AccessChecker = daemon.UserAccess{} | ||
|
||
// userAccess denies access without peer credentials. | ||
c.Check(ac.CheckAccess(nil, nil, nil, nil), DeepEquals, errForbidden) | ||
|
||
// userAccess allows access from root user | ||
ucred := &daemon.Ucrednet{Uid: 0, Pid: 100, Socket: socketPath} | ||
c.Check(ac.CheckAccess(nil, nil, ucred, nil), IsNil) | ||
|
||
// userAccess allows access form normal user | ||
ucred = &daemon.Ucrednet{Uid: 42, Pid: 100, Socket: socketPath} | ||
c.Check(ac.CheckAccess(nil, nil, ucred, nil), IsNil) | ||
} | ||
|
||
func (s *accessSuite) TestRootAccess(c *C) { | ||
var ac daemon.AccessChecker = daemon.RootAccess{} | ||
|
||
// rootAccess denies access without peer credentials. | ||
c.Check(ac.CheckAccess(nil, nil, nil, nil), DeepEquals, errForbidden) | ||
|
||
// Non-root users are forbidden | ||
ucred := &daemon.Ucrednet{Uid: 42, Pid: 100, Socket: socketPath} | ||
c.Check(ac.CheckAccess(nil, nil, ucred, nil), DeepEquals, errForbidden) | ||
|
||
// Root is granted access | ||
ucred = &daemon.Ucrednet{Uid: 0, Pid: 100, Socket: socketPath} | ||
c.Check(ac.CheckAccess(nil, nil, ucred, nil), IsNil) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.