Add compare logic for stricter AccessConfig

This commit is contained in:
Ethan Frey 2022-05-09 21:59:18 +02:00
parent 663716aec0
commit c2ec9092d0
2 changed files with 94 additions and 0 deletions

View File

@ -330,3 +330,21 @@ func VerifyAddressLen() func(addr []byte) error {
return nil
}
}
// IsSubset will return true if the caller is the same as the superset,
// or if the caller is more restrictive than the superset.
func (a AccessConfig) IsSubset(superSet AccessConfig) bool {
switch superSet.Permission {
case AccessTypeEverybody:
// Everything is a subset of this
return a.Permission != AccessTypeUnspecified
case AccessTypeNobody:
// Only an exact match is a subset of this
return a.Permission == AccessTypeNobody
case AccessTypeOnlyAddress:
// An exact match or nobody
return a.Permission == AccessTypeNobody || (a.Permission == AccessTypeOnlyAddress && a.Address == superSet.Address)
default:
return false
}
}

View File

@ -372,3 +372,79 @@ func TestVerifyAddressLen(t *testing.T) {
})
}
}
func TestAccesConfigSubset(t *testing.T) {
specs := map[string]struct {
check AccessConfig
superSet AccessConfig
isSubSet bool
}{
"nobody <= nobody": {
superSet: AccessConfig{Permission: AccessTypeNobody},
check: AccessConfig{Permission: AccessTypeNobody},
isSubSet: true,
},
"only > nobody": {
superSet: AccessConfig{Permission: AccessTypeNobody},
check: AccessConfig{Permission: AccessTypeOnlyAddress, Address: "foobar"},
isSubSet: false,
},
"everybody > nobody": {
superSet: AccessConfig{Permission: AccessTypeNobody},
check: AccessConfig{Permission: AccessTypeEverybody},
isSubSet: false,
},
"nobody <= everybody": {
superSet: AccessConfig{Permission: AccessTypeEverybody},
check: AccessConfig{Permission: AccessTypeNobody},
isSubSet: true,
},
"only <= everybody": {
superSet: AccessConfig{Permission: AccessTypeEverybody},
check: AccessConfig{Permission: AccessTypeOnlyAddress, Address: "foobar"},
isSubSet: true,
},
"everybody <= everybody": {
superSet: AccessConfig{Permission: AccessTypeEverybody},
check: AccessConfig{Permission: AccessTypeEverybody},
isSubSet: true,
},
"nobody <= only": {
superSet: AccessConfig{Permission: AccessTypeOnlyAddress, Address: "owner"},
check: AccessConfig{Permission: AccessTypeNobody},
isSubSet: true,
},
"only <= only(same)": {
superSet: AccessConfig{Permission: AccessTypeOnlyAddress, Address: "owner"},
check: AccessConfig{Permission: AccessTypeOnlyAddress, Address: "owner"},
isSubSet: true,
},
"only > only(other)": {
superSet: AccessConfig{Permission: AccessTypeOnlyAddress, Address: "owner"},
check: AccessConfig{Permission: AccessTypeOnlyAddress, Address: "other"},
isSubSet: false,
},
"everybody > only": {
superSet: AccessConfig{Permission: AccessTypeOnlyAddress, Address: "owner"},
check: AccessConfig{Permission: AccessTypeEverybody},
isSubSet: false,
},
"nobody > unspecified": {
superSet: AccessConfig{Permission: AccessTypeUnspecified},
check: AccessConfig{Permission: AccessTypeNobody},
isSubSet: false,
},
"unspecified > everybody": {
superSet: AccessConfig{Permission: AccessTypeEverybody},
check: AccessConfig{Permission: AccessTypeUnspecified},
isSubSet: false,
},
}
for name, spec := range specs {
t.Run(name, func(t *testing.T) {
subset := spec.check.IsSubset(spec.superSet)
require.Equal(t, spec.isSubSet, subset)
})
}
}