Auth - Add debugging to loading rules (#1420)

* Fix auth multi-rule edgecase * Add logging to auth rules Co-authored-by: Ben Toogood <ben@micro.mu>
2020-03-26 16:30:31 +00:00 · 2020-03-26 16:30:31 +00:00 · 00e7804f96
commit 00e7804f96
parent 42b6bf5bbf
1 changed files with 6 additions and 5 deletions
--- a/auth/service/service.go
+++ b/auth/service/service.go
@ -125,11 +125,10 @@ func (s *svc) Revoke(role string, res *auth.Resource) error {
 // Verify an account has access to a resource
 func (s *svc) Verify(acc *auth.Account, res *auth.Resource) error {
 	queries := [][]string{
-		{res.Type, res.Name, res.Endpoint},      // check for specific role, e.g. service.foo.ListFoo:admin (role is checked in accessForRule)
+		{res.Type, res.Name, res.Endpoint}, // check for specific role, e.g. service.foo.ListFoo:admin (role is checked in accessForRule)
-		{res.Type, res.Name, res.Endpoint, "*"}, // check for wildcard role, e.g. service.foo.ListFoo:*
+		{res.Type, res.Name, "*"},          // check for wildcard endpoint, e.g. service.foo*
-		{res.Type, res.Name, "*"},               // check for wildcard endpoint, e.g. service.foo*
+		{res.Type, "*"},                    // check for wildcard name, e.g. service.*
-		{res.Type, "*"},                         // check for wildcard name, e.g. service.*
+		{"*"},                              // check for wildcard type, e.g. *
 		{"*"},                                   // check for wildcard type, e.g. *
 	}
 	// endpoint is a url which can have wildcard excludes, e.g.
@ -242,6 +241,7 @@ func (s *svc) listRules(filters ...string) []*rulePb.Rule {
 // loadRules retrieves the rules from the auth service
 func (s *svc) loadRules() {
 	log.Infof("Loading rules from auth service\n")
 	rsp, err := s.rule.List(context.TODO(), &rulePb.ListRequest{})
 	s.Lock()
 	defer s.Unlock()
@ -251,6 +251,7 @@ func (s *svc) loadRules() {
 		return
 	}
 	log.Infof("Loaded %v rules from the auth service\n", len(rsp.Rules))
 	s.rules = rsp.Rules
 }