disk: new path policies struct and methods
Build a new path policy struct, ased on the new path trie struct. It is designed to be able to store policies for paths. A Check method can then be used to look up the policy for a given path based on the defined policies.
This commit is contained in:
Christian Kellner
parent
00555722b2
commit
9523694879
2 changed files with 104 additions and 0 deletions
54
internal/disk/path_policy.go
Normal file
54
internal/disk/path_policy.go
Normal file
|
|
@ -0,0 +1,54 @@
|
|||
package disk
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"path"
|
||||
)
|
||||
|
||||
type PathPolicy struct {
|
||||
Deny bool // explicitly do not allow this entry
|
||||
Exact bool // require and exact match, no subdirs
|
||||
}
|
||||
|
||||
type PathPolicies = PathTrie
|
||||
|
||||
// Create a new PathPolicies trie from a map of path to PathPolicy
|
||||
func NewPathPolicies(entries map[string]PathPolicy) *PathPolicies {
|
||||
|
||||
noType := make(map[string]interface{}, len(entries))
|
||||
|
||||
for k, v := range entries {
|
||||
noType[k] = v
|
||||
}
|
||||
|
||||
return NewPathTrieFromMap(noType)
|
||||
}
|
||||
|
||||
// Check a given path at dir against the PathPolicies
|
||||
func (pol *PathPolicies) Check(dir string) error {
|
||||
|
||||
// Quickly check we have a mountpoint and it is absolute
|
||||
if dir == "" || dir[0] != '/' {
|
||||
return fmt.Errorf("mountpoint must be absolute path")
|
||||
}
|
||||
|
||||
// ensure that only clean mountpoints are valid
|
||||
if dir != path.Clean(dir) {
|
||||
return fmt.Errorf("mountpoint must be a canonical path")
|
||||
}
|
||||
|
||||
node, left := pol.Lookup(dir)
|
||||
policy, ok := node.Payload.(PathPolicy)
|
||||
if !ok {
|
||||
panic("programming error: invalid path trie payload")
|
||||
}
|
||||
|
||||
// 1) path is explicitly not allowed or
|
||||
// 2) a subpath was match but an explicit match is required
|
||||
if policy.Deny || (policy.Exact && len(left) > 0) {
|
||||
return fmt.Errorf("path '%s ' is not allowed", dir)
|
||||
}
|
||||
|
||||
// exact match or recursive mountpoints allowed
|
||||
return nil
|
||||
}
|
||||
50
internal/disk/path_policy_test.go
Normal file
50
internal/disk/path_policy_test.go
Normal file
|
|
@ -0,0 +1,50 @@
|
|||
package disk
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
)
|
||||
|
||||
func TestPathPolicyCheck(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
|
||||
entires := map[string]PathPolicy{
|
||||
"/": {Exact: true},
|
||||
"/boot": {Exact: true},
|
||||
"/boot/efi": {Exact: true},
|
||||
"/var": {},
|
||||
"/var/empty": {Deny: true},
|
||||
"/srv": {},
|
||||
"/home": {},
|
||||
}
|
||||
|
||||
policies := NewPathPolicies(entires)
|
||||
assert.NotNil(policies)
|
||||
|
||||
tests := map[string]bool{
|
||||
"/": true,
|
||||
"/custom": false,
|
||||
"/boot": true,
|
||||
"/boot/grub2": false,
|
||||
"/boot/efi": true,
|
||||
"/boot/efi/redora": false,
|
||||
"/srv": true,
|
||||
"/srv/www": true,
|
||||
"/srv/www/data": true,
|
||||
"/var": true,
|
||||
"/var/log": true,
|
||||
"/var/empty": false,
|
||||
"/var/empty/dir": false,
|
||||
}
|
||||
|
||||
for k, v := range tests {
|
||||
err := policies.Check(k)
|
||||
if v {
|
||||
assert.NoError(err)
|
||||
} else {
|
||||
assert.Errorf(err, "unexpected error for path '%s'", k)
|
||||
|
||||
}
|
||||
}
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue