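// newAuthorizerWithContents writes contents to a fresh temporary policy file,
// builds an ABAC authorizer from that file and returns it. Any failure aborts
// the calling test via t.Fatalf.
//
// The temporary file is removed when this helper returns, so the returned
// authorizer must not depend on the file still existing (abac.NewFromFile is
// assumed to read the policy eagerly — TODO confirm).
func newAuthorizerWithContents(t *testing.T, contents string) authorizer.Authorizer {
	f, err := ioutil.TempFile("", "auth_test")
	if err != nil {
		t.Fatalf("unexpected error creating policyfile: %v", err)
	}
	// t.Fatalf ends the test goroutine with runtime.Goexit, so this deferred
	// removal still runs on every failure path below.
	defer os.Remove(f.Name())

	// Write through the handle TempFile already opened (it creates the file
	// with mode 0600) instead of closing it and re-opening by name: no second
	// path lookup, and the file keeps the restrictive mode it was created with.
	// The original's 0700 passed to WriteFile never applied anyway, because the
	// file already existed.
	if _, err := f.WriteString(contents); err != nil {
		f.Close()
		t.Fatalf("unexpected error writing policyfile: %v", err)
	}
	// A Close error can hide a short write, so it is checked rather than ignored.
	if err := f.Close(); err != nil {
		t.Fatalf("unexpected error closing policyfile: %v", err)
	}

	pl, err := abac.NewFromFile(f.Name())
	if err != nil {
		t.Fatalf("unexpected error creating authorizer from policyfile: %v", err)
	}
	return pl
}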
// NewAuthorizerFromAuthorizationConfig returns the right sort of union of multiple authorizer.Authorizer objects
// based on the authorizationMode or an error. authorizationMode should be a comma separated values
// of AuthorizationModeChoices.
//
// Rules enforced here: at least one mode is required, a mode may appear only
// once, ModeABAC requires authorizationPolicyFile, and authorizationPolicyFile
// is rejected unless ModeABAC is among the modes. How the resulting union
// combines the individual decisions is defined by union.New, not here.
func NewAuthorizerFromAuthorizationConfig(authorizationModes []string, authorizationPolicyFile string) (authorizer.Authorizer, error) {
	if len(authorizationModes) == 0 {
		return nil, errors.New("Atleast one authorization mode should be passed")
	}

	seen := make(map[string]bool, len(authorizationModes))
	chain := make([]authorizer.Authorizer, 0, len(authorizationModes))
	for _, mode := range authorizationModes {
		// Duplicate detection runs before construction, so a repeated mode is
		// reported even if its constructor would also have failed.
		if seen[mode] {
			return nil, fmt.Errorf("Authorization mode %s specified more than once", mode)
		}
		next, err := authorizerForMode(mode, authorizationPolicyFile)
		if err != nil {
			return nil, err
		}
		chain = append(chain, next)
		seen[mode] = true
	}

	// A policy file is only meaningful to ABAC; passing one without that mode
	// is almost certainly a misconfiguration, so it is refused outright.
	if authorizationPolicyFile != "" && !seen[ModeABAC] {
		return nil, errors.New("Cannot specify --authorization-policy-file without mode ABAC")
	}
	return union.New(chain...), nil
}

// authorizerForMode builds the single authorizer named by mode, or returns an
// error for an unknown mode or a missing policy file.
// Keep cases in sync with the constant list above.
func authorizerForMode(mode, policyFile string) (authorizer.Authorizer, error) {
	switch mode {
	case ModeAlwaysAllow:
		// Presumably grants every request; verify against NewAlwaysAllowAuthorizer.
		return NewAlwaysAllowAuthorizer(), nil
	case ModeAlwaysDeny:
		return NewAlwaysDenyAuthorizer(), nil
	case ModeABAC:
		if policyFile == "" {
			return nil, errors.New("ABAC's authorization policy file not passed")
		}
		// The error is returned unwrapped, exactly as abac.NewFromFile reports it.
		a, err := abac.NewFromFile(policyFile)
		if err != nil {
			return nil, err
		}
		return a, nil
	default:
		return nil, fmt.Errorf("Unknown authorization mode %s specified", mode)
	}
}