mirror of https://github.com/certusone/wasmd.git
Add compare logic for stricter AccessConfig
This commit is contained in:
parent
663716aec0
commit
c2ec9092d0
|
@ -330,3 +330,21 @@ func VerifyAddressLen() func(addr []byte) error {
|
|||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
// IsSubset will return true if the caller is the same as the superset,
|
||||
// or if the caller is more restrictive than the superset.
|
||||
func (a AccessConfig) IsSubset(superSet AccessConfig) bool {
|
||||
switch superSet.Permission {
|
||||
case AccessTypeEverybody:
|
||||
// Everything is a subset of this
|
||||
return a.Permission != AccessTypeUnspecified
|
||||
case AccessTypeNobody:
|
||||
// Only an exact match is a subset of this
|
||||
return a.Permission == AccessTypeNobody
|
||||
case AccessTypeOnlyAddress:
|
||||
// An exact match or nobody
|
||||
return a.Permission == AccessTypeNobody || (a.Permission == AccessTypeOnlyAddress && a.Address == superSet.Address)
|
||||
default:
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
|
|
@ -372,3 +372,79 @@ func TestVerifyAddressLen(t *testing.T) {
|
|||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestAccesConfigSubset(t *testing.T) {
|
||||
specs := map[string]struct {
|
||||
check AccessConfig
|
||||
superSet AccessConfig
|
||||
isSubSet bool
|
||||
}{
|
||||
"nobody <= nobody": {
|
||||
superSet: AccessConfig{Permission: AccessTypeNobody},
|
||||
check: AccessConfig{Permission: AccessTypeNobody},
|
||||
isSubSet: true,
|
||||
},
|
||||
"only > nobody": {
|
||||
superSet: AccessConfig{Permission: AccessTypeNobody},
|
||||
check: AccessConfig{Permission: AccessTypeOnlyAddress, Address: "foobar"},
|
||||
isSubSet: false,
|
||||
},
|
||||
"everybody > nobody": {
|
||||
superSet: AccessConfig{Permission: AccessTypeNobody},
|
||||
check: AccessConfig{Permission: AccessTypeEverybody},
|
||||
isSubSet: false,
|
||||
},
|
||||
"nobody <= everybody": {
|
||||
superSet: AccessConfig{Permission: AccessTypeEverybody},
|
||||
check: AccessConfig{Permission: AccessTypeNobody},
|
||||
isSubSet: true,
|
||||
},
|
||||
"only <= everybody": {
|
||||
superSet: AccessConfig{Permission: AccessTypeEverybody},
|
||||
check: AccessConfig{Permission: AccessTypeOnlyAddress, Address: "foobar"},
|
||||
isSubSet: true,
|
||||
},
|
||||
"everybody <= everybody": {
|
||||
superSet: AccessConfig{Permission: AccessTypeEverybody},
|
||||
check: AccessConfig{Permission: AccessTypeEverybody},
|
||||
isSubSet: true,
|
||||
},
|
||||
"nobody <= only": {
|
||||
superSet: AccessConfig{Permission: AccessTypeOnlyAddress, Address: "owner"},
|
||||
check: AccessConfig{Permission: AccessTypeNobody},
|
||||
isSubSet: true,
|
||||
},
|
||||
"only <= only(same)": {
|
||||
superSet: AccessConfig{Permission: AccessTypeOnlyAddress, Address: "owner"},
|
||||
check: AccessConfig{Permission: AccessTypeOnlyAddress, Address: "owner"},
|
||||
isSubSet: true,
|
||||
},
|
||||
"only > only(other)": {
|
||||
superSet: AccessConfig{Permission: AccessTypeOnlyAddress, Address: "owner"},
|
||||
check: AccessConfig{Permission: AccessTypeOnlyAddress, Address: "other"},
|
||||
isSubSet: false,
|
||||
},
|
||||
"everybody > only": {
|
||||
superSet: AccessConfig{Permission: AccessTypeOnlyAddress, Address: "owner"},
|
||||
check: AccessConfig{Permission: AccessTypeEverybody},
|
||||
isSubSet: false,
|
||||
},
|
||||
"nobody > unspecified": {
|
||||
superSet: AccessConfig{Permission: AccessTypeUnspecified},
|
||||
check: AccessConfig{Permission: AccessTypeNobody},
|
||||
isSubSet: false,
|
||||
},
|
||||
"unspecified > everybody": {
|
||||
superSet: AccessConfig{Permission: AccessTypeEverybody},
|
||||
check: AccessConfig{Permission: AccessTypeUnspecified},
|
||||
isSubSet: false,
|
||||
},
|
||||
}
|
||||
|
||||
for name, spec := range specs {
|
||||
t.Run(name, func(t *testing.T) {
|
||||
subset := spec.check.IsSubset(spec.superSet)
|
||||
require.Equal(t, spec.isSubSet, subset)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue