whitelist_acl_test

2025-04-17 10:10:20 +00:00 · 2017-12-11 18:25:46 +00:00 · 2017-12-11 18:25:46 +00:00 · 19a2244cb7
commit 19a2244cb7
parent 0292e3612a
2 changed files with 37 additions and 3 deletions
--- a/salt/acl/init.py
+++ b/salt/acl/init.py
@ -18,8 +18,9 @@ class PublisherACL(object):
    Represents the publisher ACL and provides methods
    to query the ACL for given operations
    '''
-    def __init__(self, blacklist):
+    def __init__(self, blacklist, whitelist):
        self.blacklist = blacklist
+        self.whitelist = whitelist

    def user_is_blacklisted(self, user):
        '''
@ -36,3 +37,15 @@ class PublisherACL(object):
            if not salt.utils.check_whitelist_blacklist(fun, blacklist=self.blacklist.get('modules', [])):
                return True
        return False
+
+    def user_is_whitelisted(self, user):
+        return salt.utils.check_whitelist_blacklist(user, whitelist=self.whitelist.get('users', []))
+
+    def cmd_is_whitelisted(self, cmd):
+        # If this is a regular command, it is a single function
+        if isinstance(cmd, str):
+            cmd = [cmd]
+        for fun in cmd:
+            if salt.utils.check_whitelist_blacklist(fun, whitelist=self.whitelist.get('modules', [])):
+                return True
+        return False
--- a/tests/unit/acl/test_client.py
+++ b/tests/unit/acl/test_client.py
@ -19,15 +19,20 @@ class ClientACLTestCase(TestCase):
            'users': ['joker', 'penguin', '*bad_*', 'blocked_.*', '^Homer$'],
            'modules': ['cmd.run', 'test.fib', 'rm-rf.*'],
        }
+        self.whitelist = {
+            'users': ['testuser', 'saltuser'],
+            'modules': ['test.ping', 'grains.items'],
+        }

    def tearDown(self):
        del self.blacklist
+        del self.whitelist

    def test_user_is_blacklisted(self):
        '''
        test user_is_blacklisted
        '''
-        client_acl = acl.PublisherACL(self.blacklist)
+        client_acl = acl.PublisherACL(self.blacklist, self.whitelist)

        self.assertTrue(client_acl.user_is_blacklisted('joker'))
        self.assertTrue(client_acl.user_is_blacklisted('penguin'))
@ -51,7 +56,7 @@ class ClientACLTestCase(TestCase):
        '''
        test cmd_is_blacklisted
        '''
-        client_acl = acl.PublisherACL(self.blacklist)
+        client_acl = acl.PublisherACL(self.blacklist, self.whitelist)

        self.assertTrue(client_acl.cmd_is_blacklisted('cmd.run'))
        self.assertTrue(client_acl.cmd_is_blacklisted('test.fib'))
@ -63,3 +68,19 @@ class ClientACLTestCase(TestCase):

        self.assertTrue(client_acl.cmd_is_blacklisted(['cmd.run', 'state.sls']))
        self.assertFalse(client_acl.cmd_is_blacklisted(['state.highstate', 'state.sls']))
+
+    def test_publisher_acl_whitelisted(self):
+        '''
+        test publisher_acl
+        '''
+        publisher_acl = acl.PublisherACL(self.blacklist, self.whitelist)
+
+        self.assertTrue(publisher_acl.user_is_whitelisted('testuser'))
+        self.assertTrue(publisher_acl.user_is_whitelisted('saltuser'))
+        self.assertTrue(publisher_acl.cmd_is_whitelisted('test.ping'))
+        self.assertTrue(publisher_acl.cmd_is_whitelisted('grains.items'))
+
+        self.assertFalse(publisher_acl.cmd_is_whitelisted('devuser'))
+        self.assertFalse(publisher_acl.cmd_is_whitelisted('superuser'))
+        self.assertFalse(publisher_acl.cmd_is_whitelisted('cmd.run'))
+        self.assertFalse(publisher_acl.cmd_is_whitelisted('test.version'))