This is an automated email from the ASF dual-hosted git repository. tysonnorris pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/incubator-openwhisk.git
The following commit(s) were added to refs/heads/master by this push: new eff21ec Update KindRestrictor to merge namespace and default whitelists (#4114) eff21ec is described below commit eff21ec7481d3b72ae0273dba8bcae09b87e73e0 Author: Andy Steed <andrewst...@gmail.com> AuthorDate: Wed Nov 28 17:11:36 2018 -0800 Update KindRestrictor to merge namespace and default whitelists (#4114) Merge subject whitelist limit and default whitelist during KindRestrictor check --- .../apache/openwhisk/core/entitlement/KindRestrictor.scala | 6 ++---- .../openwhisk/core/controller/test/KindRestrictorTests.scala | 12 ++++++------ 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/core/controller/src/main/scala/org/apache/openwhisk/core/entitlement/KindRestrictor.scala b/core/controller/src/main/scala/org/apache/openwhisk/core/entitlement/KindRestrictor.scala index 8154cd8..88ba6d6 100644 --- a/core/controller/src/main/scala/org/apache/openwhisk/core/entitlement/KindRestrictor.scala +++ b/core/controller/src/main/scala/org/apache/openwhisk/core/entitlement/KindRestrictor.scala @@ -46,10 +46,8 @@ case class KindRestrictor(whitelist: Option[Set[String]] = None)(implicit loggin })(TransactionId.controller) def check(user: Identity, kind: String): Boolean = { - user.limits.allowedKinds - .orElse(whitelist) - .map(allowed => allowed.contains(kind)) - .getOrElse(true) + val kindList = user.limits.allowedKinds.getOrElse(Set.empty).union(whitelist.getOrElse(Set.empty)) + kindList.isEmpty || kindList.contains(kind) } } diff --git a/tests/src/test/scala/org/apache/openwhisk/core/controller/test/KindRestrictorTests.scala b/tests/src/test/scala/org/apache/openwhisk/core/controller/test/KindRestrictorTests.scala index 40084b3..ebdc85a 100644 --- a/tests/src/test/scala/org/apache/openwhisk/core/controller/test/KindRestrictorTests.scala +++ b/tests/src/test/scala/org/apache/openwhisk/core/controller/test/KindRestrictorTests.scala 
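Review bot: The new `kindList.isEmpty || kindList.contains(kind)` in `check` fails open. An explicitly configured empty set (`Some(Set.empty)` on the namespace limit or on the default whitelist) is now indistinguishable from no configuration and permits every kind, where the removed code denied all. The merge also makes `user.limits.allowedKinds` additive, so a namespace limit that used to narrow a subject below the default whitelist now widens it; deployments relying on that narrowing would presumably be loosened silently on upgrade. If deny-on-empty is still wanted, test the Options rather than the merged set: `(user.limits.allowedKinds.isEmpty && whitelist.isEmpty) || kindList.contains(kind)`. Either way, a Scaladoc on `check` stating that the two sets are unioned and what an empty set means would make this authorization contract explicit.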
@@ -49,16 +49,16 @@ class KindRestrictorTests extends FlatSpec with Matchers with StreamLogging { allKinds.foreach(k => kr.check(subject, k) shouldBe true) } - it should "not grant subject access to any kinds if limit is the empty set" in { + it should "grant subject access to any kinds if limit is the empty set" in { val subject = WhiskAuthHelpers.newIdentity().copy(limits = UserLimits(allowedKinds = Some(Set.empty))) val kr = KindRestrictor() - allKinds.foreach(k => kr.check(subject, k) shouldBe false) + allKinds.foreach(k => kr.check(subject, k) shouldBe true) } - it should "not grant subject access to any kinds if white list is the empty set" in { + it should "grant subject access to any kinds if white list is the empty set" in { val subject = WhiskAuthHelpers.newIdentity() val kr = KindRestrictor(Set[String]()) - allKinds.foreach(k => kr.check(subject, k) shouldBe false) + allKinds.foreach(k => kr.check(subject, k) shouldBe true) } it should "grant subject access only to subject-limited kinds" in { @@ -75,11 +75,11 @@ class KindRestrictorTests extends FlatSpec with Matchers with StreamLogging { disallowedKinds.foreach(k => kr.check(subject, k) shouldBe false) } - it should "grant subject access only to explicitly limited kind" in { + it should "grant subject access both explicitly limited kinds and default whitelisted kinds" in { val explicitKind = allowedKinds.head val subject = WhiskAuthHelpers.newIdentity().copy(limits = UserLimits(allowedKinds = Some(Set(explicitKind)))) val kr = KindRestrictor(allowedKinds.tail) - allKinds.foreach(k => kr.check(subject, k) shouldBe (k == explicitKind)) + allKinds.foreach(k => kr.check(subject, k) shouldBe allowedKinds.contains(k)) } }
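Review bot: The rewritten empty-set cases in the first hunk each cover an empty set on one side with nothing configured on the other, so an empty namespace limit combined with a populated default whitelist is not pinned. Because `check` now allows everything when the merged set is empty, this is the case where a regression would turn into an allow-all. A test building `KindRestrictor(allowedKinds)` with `UserLimits(allowedKinds = Some(Set.empty))` and asserting `kr.check(subject, k) shouldBe allowedKinds.contains(k)` would guard against an empty limit bypassing the default whitelist. The title in the last hunk is also missing a word and would read better as `"grant subject access to both explicitly limited kinds and default whitelisted kinds"`.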