This is an automated email from the ASF dual-hosted git repository. markusthoemmes pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/incubator-openwhisk.git
The following commit(s) were added to refs/heads/master by this push:
new 2db1b67 Unify Entitlement SPI signatures. (#3895)
2db1b67 is described below
commit 2db1b67ef6cc16b1f19336ed23992fae32a7d9d5
Author: Martin Henke <martin.he...@web.de>
AuthorDate: Mon Jul 23 18:47:54 2018 +0200
Unify Entitlement SPI signatures. (#3895)
---
 .../src/main/scala/whisk/core/entitlement/Entitlement.scala | 8 ++++----
 .../main/scala/whisk/core/entitlement/LocalEntitlement.scala | 11 +++++++----
 .../whisk/core/controller/test/EntitlementProviderTests.scala | 8 ++++----
 .../whisk/core/controller/test/PackageActionsApiTests.scala | 4 ++--
 .../scala/whisk/core/controller/test/WebActionsApiTests.scala | 6 +++---
 5 files changed, 20 insertions(+), 17 deletions(-)
diff --git a/core/controller/src/main/scala/whisk/core/entitlement/Entitlement.scala b/core/controller/src/main/scala/whisk/core/entitlement/Entitlement.scala
index f65ebda..078530a 100644
--- a/core/controller/src/main/scala/whisk/core/entitlement/Entitlement.scala
+++ b/core/controller/src/main/scala/whisk/core/entitlement/Entitlement.scala
@@ -162,7 +162,7 @@ protected[core] abstract class EntitlementProvider(
 * @param resource the resource to grant the subject access to
 * @return a promise that completes with true iff the subject is granted the right to access the requested resource
 */
- protected[core] def grant(subject: Subject, right: Privilege, resource: Resource)(
+ protected[core] def grant(user: Identity, right: Privilege, resource: Resource)(
 implicit transid: TransactionId): Future[Boolean]
 
 /**
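Review bot: The Scaladoc kept above the abstract `grant` still speaks of "the subject" (`@return … iff the subject is granted the right`) although the first parameter is now `user: Identity`; the `@param` entry for that parameter lies outside this hunk and presumably still names `subject`. The same mismatch is visible on `revoke` (@@ -173) and `entitled` (@@ -184). Since these three signatures are the contract for an authorization decision, the doc should say which part of the identity a provider is expected to key on, for example `@param user the identity to grant the right to; state here whether only user.subject or further identity fields scope the grant`. Left unstated, two providers can scope the same grant differently and callers cannot tell from the SPI.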
@@ -173,7 +173,7 @@ protected[core] abstract class EntitlementProvider(
 * @param resource the resource to revoke the subject access to
 * @return a promise that completes with true iff the subject is revoked the right to access the requested resource
 */
- protected[core] def revoke(subject: Subject, right: Privilege, resource: Resource)(
+ protected[core] def revoke(user: Identity, right: Privilege, resource: Resource)(
 implicit transid: TransactionId): Future[Boolean]
 
 /**
@@ -184,7 +184,7 @@ protected[core] abstract class EntitlementProvider(
 * @param resource the resource the subject requests access to
 * @return a promise that completes with true iff the subject is permitted to access the request resource
 */
- protected def entitled(subject: Subject, right: Privilege, resource: Resource)(
+ protected def entitled(user: Identity, right: Privilege, resource: Resource)(
 implicit transid: TransactionId): Future[Boolean]
 
 /**
@@ -305,7 +305,7 @@ protected[core] abstract class EntitlementProvider(
 case true => Future.successful(resource -> true)
 case false =>
 logging.debug(this, "checking explicit grants")
- entitled(user.subject, right, resource).flatMap(b => Future.successful(resource -> b))
+ entitled(user, right, resource).flatMap(b => Future.successful(resource -> b))
 }
 }
 }
diff --git a/core/controller/src/main/scala/whisk/core/entitlement/LocalEntitlement.scala b/core/controller/src/main/scala/whisk/core/entitlement/LocalEntitlement.scala
index d344427..179437f 100644
--- a/core/controller/src/main/scala/whisk/core/entitlement/LocalEntitlement.scala
+++ b/core/controller/src/main/scala/whisk/core/entitlement/LocalEntitlement.scala
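Review bot: In the `case false` branch of the @@ -305 hunk, the new call `entitled(user, right, resource).flatMap(b => Future.successful(resource -> b))` wraps a plain value in an already-completed future only to flatten it again. `entitled(user, right, resource).map(resource -> _)` says the same thing with one combinator. The enclosing method starts and ends outside the hunk, so this assumes the execution context `flatMap` already uses is in scope for `map` as well.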
@@ -23,7 +23,7 @@ import akka.actor.ActorSystem
 import whisk.common.Logging
 import whisk.common.TransactionId
 import whisk.core.WhiskConfig
-import whisk.core.entity.{ControllerInstanceId, Subject}
+import whisk.core.entity.{ControllerInstanceId, Identity, Subject}
 import whisk.core.loadBalancer.LoadBalancer
 
 protected[core] class LocalEntitlementProvider(
@@ -37,8 +37,9 @@ protected[core] class LocalEntitlementProvider(
 private val matrix = LocalEntitlementProvider.matrix
 
 /** Grants subject right to resource by adding them to the entitlement matrix. */
- protected[core] override def grant(subject: Subject, right: Privilege, resource: Resource)(
+ protected[core] override def grant(user: Identity, right: Privilege, resource: Resource)(
 implicit transid: TransactionId) = Future {
+ val subject = user.subject
 synchronized {
 val key = (subject, resource.id)
 matrix.put(key, matrix.get(key) map { _ + right } getOrElse Set(right))
@@ -48,8 +49,9 @@ protected[core] class LocalEntitlementProvider(
 }
 
 /** Revokes subject right to resource by removing them from the entitlement matrix. */
- protected[core] override def revoke(subject: Subject, right: Privilege, resource: Resource)(
+ protected[core] override def revoke(user: Identity, right: Privilege, resource: Resource)(
 implicit transid: TransactionId) = Future {
+ val subject = user.subject
 synchronized {
 val key = (subject, resource.id)
 val newrights = matrix.get(key) map { _ - right } map { matrix.put(key, _) }
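Review bot: The read-modify-write in `grant` (`matrix.get(key)` followed by `matrix.put(key, …)`) is guarded by a bare `synchronized`, which locks this provider instance, while the context line above it shows `matrix` is the shared `LocalEntitlementProvider.matrix`. If more than one provider instance is ever live, for instance in tests, two updates to the same key can interleave and a grant or a revoke can be lost; `revoke` (@@ -48,8) has the same shape. Locking the shared object instead, `matrix.synchronized {`, would make the update exclusive across instances. Both method bodies continue past the end of their hunks, so this rests on the visible lines only.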
@@ -59,8 +61,9 @@ protected[core] class LocalEntitlementProvider(
 }
 
 /** Checks if subject has explicit grant for a resource. */
- protected override def entitled(subject: Subject, right: Privilege, resource: Resource)(
+ protected override def entitled(user: Identity, right: Privilege, resource: Resource)(
 implicit transid: TransactionId) = Future.successful {
+ val subject = user.subject
 lazy val one = matrix.get((subject, resource.id)) map { _ contains right } getOrElse false
 lazy val any = matrix.get((subject, resource.parent)) map { _ contains right } getOrElse false
 one || any
diff --git a/tests/src/test/scala/whisk/core/controller/test/EntitlementProviderTests.scala b/tests/src/test/scala/whisk/core/controller/test/EntitlementProviderTests.scala
index 5a77b14..cd163df 100644
--- a/tests/src/test/scala/whisk/core/controller/test/EntitlementProviderTests.scala
+++ b/tests/src/test/scala/whisk/core/controller/test/EntitlementProviderTests.scala
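Review bot: `entitled` now receives the whole `Identity`, but the added line `val subject = user.subject` reduces it to the subject before both matrix lookups, so no other field of the identity influences the decision. The behaviour is unchanged from before, yet it can no longer be read off the signature, and a caller may assume the check is scoped more narrowly than it is. The doc comment should state it, e.g. `/** Checks if the user's subject has an explicit grant for a resource; only user.subject is consulted. */`. The same wording gap exists on `grant` and `revoke` in this file.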
@@ -229,10 +229,10 @@ class EntitlementProviderTests extends ControllerTestCommon with ScalaFutures {
 val one = Resource(someUser.namespace.name.toPath, ACTIONS, Some("xyz"))
 Await.ready(entitlementProvider.check(adminUser, READ, all), requestTimeout).eitherValue.get should not be Right({})
 Await.ready(entitlementProvider.check(adminUser, READ, one), requestTimeout).eitherValue.get should not be Right({})
- Await.result(entitlementProvider.grant(adminUser.subject, READ, all), requestTimeout) // granted
+ Await.result(entitlementProvider.grant(adminUser, READ, all), requestTimeout) // granted
 Await.ready(entitlementProvider.check(adminUser, READ, all), requestTimeout).eitherValue.get shouldBe Right({})
 Await.ready(entitlementProvider.check(adminUser, READ, one), requestTimeout).eitherValue.get shouldBe Right({})
- Await.result(entitlementProvider.revoke(adminUser.subject, READ, all), requestTimeout) // revoked
+ Await.result(entitlementProvider.revoke(adminUser, READ, all), requestTimeout) // revoked
 }
 
 it should "grant access to specific resource to a user" in {
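Review bot: The updated calls grant, check and revoke with the same `adminUser` identity, so nothing in the visible assertions pins down what the new `Identity` parameter means for any other identity. A case that grants to one identity and then runs `check` for a different one, asserting the outcome the provider is meant to give, would record whether a grant follows the subject alone. The hunk at @@ -245 has the same gap. Other tests in this file are outside the hunks and may already cover it.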
@@ -245,14 +245,14 @@ class EntitlementProviderTests extends ControllerTestCommon with ScalaFutures {
 .ready(entitlementProvider.check(adminUser, DELETE, one), requestTimeout)
 .eitherValue
 .get should not be Right({})
- Await.result(entitlementProvider.grant(adminUser.subject, READ, one), requestTimeout) // granted
+ Await.result(entitlementProvider.grant(adminUser, READ, one), requestTimeout) // granted
 Await.ready(entitlementProvider.check(adminUser, READ, all), requestTimeout).eitherValue.get should not be Right({})
 Await.ready(entitlementProvider.check(adminUser, READ, one), requestTimeout).eitherValue.get shouldBe Right({})
 Await
 .ready(entitlementProvider.check(adminUser, DELETE, one), requestTimeout)
 .eitherValue
 .get should not be Right({})
- Await.result(entitlementProvider.revoke(adminUser.subject, READ, one), requestTimeout) // revoked
+ Await.result(entitlementProvider.revoke(adminUser, READ, one), requestTimeout) // revoked
 }
 
 behavior of "Package Collection"
diff --git a/tests/src/test/scala/whisk/core/controller/test/PackageActionsApiTests.scala b/tests/src/test/scala/whisk/core/controller/test/PackageActionsApiTests.scala
index e8082af..18ff0a8 100644
--- a/tests/src/test/scala/whisk/core/controller/test/PackageActionsApiTests.scala
+++ b/tests/src/test/scala/whisk/core/controller/test/PackageActionsApiTests.scala
@@ -348,7 +348,7 @@ class PackageActionsApiTests extends ControllerTestCommon with WhiskActionsApi {
 put(entityStore, binding)
 put(entityStore, action)
 val pkgaccess = Resource(provider.namespace, PACKAGES, Some(provider.name.asString))
- Await.result(entitlementProvider.grant(auser.subject, READ, pkgaccess), 1 second)
+ Await.result(entitlementProvider.grant(auser, READ, pkgaccess), 1 second)
 Get(s"$collectionPath/${binding.name}/${action.name}") ~> Route.seal(routes(auser)) ~> check {
 status should be(OK)
 val response = responseAs[WhiskAction]
@@ -492,7 +492,7 @@ class PackageActionsApiTests extends ControllerTestCommon with WhiskActionsApi {
 put(entityStore, reference)
 put(entityStore, action)
 val pkgaccess = Resource(provider.namespace, PACKAGES, Some(provider.name.asString))
- Await.result(entitlementProvider.grant(auser.subject, ACTIVATE, pkgaccess), 1 second)
+ Await.result(entitlementProvider.grant(auser, ACTIVATE, pkgaccess), 1 second)
 Post(s"$collectionPath/${reference.name}/${action.name}", content) ~> Route.seal(routes(auser)) ~> check {
 status should be(Accepted)
 val response = responseAs[JsObject]
diff --git a/tests/src/test/scala/whisk/core/controller/test/WebActionsApiTests.scala b/tests/src/test/scala/whisk/core/controller/test/WebActionsApiTests.scala
index 301cdf7..b500fce 100644
--- a/tests/src/test/scala/whisk/core/controller/test/WebActionsApiTests.scala
+++ b/tests/src/test/scala/whisk/core/controller/test/WebActionsApiTests.scala
@@ -1768,15 +1768,15 @@ trait WebActionsApiBaseTests extends ControllerTestCommon with BeforeAndAfterEac
 }
 }
 
- protected[core] override def grant(subject: Subject, right: Privilege, resource: Resource)(
+ protected[core] override def grant(user: Identity, right: Privilege, resource: Resource)(
 implicit transid: TransactionId) = ???
 
 /** Revokes subject right to resource by removing them from the entitlement matrix. */
- protected[core] override def revoke(subject: Subject, right: Privilege, resource: Resource)(
+ protected[core] override def revoke(user: Identity, right: Privilege, resource: Resource)(
 implicit transid: TransactionId) = ???
 
 /** Checks if subject has explicit grant for a resource. */
- protected override def entitled(subject: Subject, right: Privilege, resource: Resource)(
+ protected override def entitled(user: Identity, right: Privilege, resource: Resource)(
 implicit transid: TransactionId) = ???
 }