From 7f22587b8134fb59c7466e83c524775758a7a915 Mon Sep 17 00:00:00 2001 From: "R.I.Pienaar" Date: Wed, 22 Jan 2025 16:52:18 +0100 Subject: [PATCH] (#2209) Extract authorization into a external callable Signed-off-by: R.I.Pienaar --- integration/agentharness/agent.go | 4 +- providers/agent/mcorpc/agent.go | 48 +++++++++++++----- providers/agent/mcorpc/authz_actionpolicy.go | 16 +++--- .../agent/mcorpc/authz_actionpolicy_test.go | 10 +--- providers/agent/mcorpc/authz_jwt.go | 18 +++---- providers/agent/mcorpc/authz_jwt_test.go | 18 +++---- providers/agent/mcorpc/authz_rego.go | 44 ++++++++++------- providers/agent/mcorpc/authz_rego_test.go | 49 ++++++++++--------- providers/agent/mcorpc/mcorpc.go | 16 +----- 9 files changed, 119 insertions(+), 104 deletions(-) diff --git a/integration/agentharness/agent.go b/integration/agentharness/agent.go index f8c8fbc0c..de05fba21 100644 --- a/integration/agentharness/agent.go +++ b/integration/agentharness/agent.go @@ -1,4 +1,4 @@ -// Copyright (c) 2022, R.I. Pienaar and the Choria Project contributors +// Copyright (c) 2022-2025, R.I. Pienaar and the Choria Project contributors // // SPDX-License-Identifier: Apache-2.0 @@ -70,7 +70,7 @@ type ActionMiddleware interface { type AgentHarness struct { name string ddl *addl.DDL - fw mcorpc.ChoriaFramework + fw inter.Framework log *logrus.Entry actions map[string]*MockActionMiddleware } diff --git a/providers/agent/mcorpc/agent.go b/providers/agent/mcorpc/agent.go index 5385c4dba..9ef074091 100644 --- a/providers/agent/mcorpc/agent.go +++ b/providers/agent/mcorpc/agent.go @@ -1,4 +1,4 @@ -// Copyright (c) 2020-2022, R.I. Pienaar and the Choria Project contributors +// Copyright (c) 2020-2025, R.I. Pienaar and the Choria Project contributors // // SPDX-License-Identifier: Apache-2.0 
@@ -30,7 +30,7 @@ type ActivationChecker func() bool type Agent struct { Log *logrus.Entry Config *config.Config - Choria ChoriaFramework + Choria inter.Framework ServerInfoSource agents.ServerInfoSource activationCheck ActivationChecker @@ -39,7 +39,7 @@ type Agent struct { } // New creates a new MCollective SimpleRPC compatible agent -func New(name string, metadata *agents.Metadata, fw ChoriaFramework, log *logrus.Entry) *Agent { +func New(name string, metadata *agents.Metadata, fw inter.Framework, log *logrus.Entry) *Agent { a := &Agent{ meta: metadata, Log: log.WithFields(logrus.Fields{"agent": name}), 
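Review bot: New's fw parameter changes type from the package's own ChoriaFramework to inter.Framework, and the same patch deletes the exported ChoriaFramework interface from mcorpc.go, so any out-of-tree agent that named that type or passed a value satisfying only it stops compiling; the agentharness change in this patch is the in-tree example of the migration. If inter.Framework is a superset of the removed method set (not visible here), a deprecated alias keeps old code building: `// Deprecated: use inter.Framework instead.` followed by `type ChoriaFramework = inter.Framework`. Otherwise the breaking signature change deserves a mention in the release notes for downstream users.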
@@ -218,34 +218,60 @@ func (a *Agent) parseIncomingMessage(msg []byte, request protocol.Request) (*Req } func (a *Agent) authorize(req *Request) bool { - if !a.Config.RPCAuthorization { + if req.Agent != a.Name() { + a.Log.Errorf("Could not process authorization for request for a different agent") + return false + } + + return AuthorizeRequest(a.Choria, req, a.Config, a.ServerInfoSource, a.Log) +} + +// AuthorizeRequest authorizes a request using the configured authorizer +func AuthorizeRequest(fw inter.Framework, req *Request, cfg *config.Config, si agents.ServerInfoSource, log *logrus.Entry) bool { + if cfg == nil { + log.Errorf("Could not process authorization without a configuration") + return false + } + if !cfg.RPCAuthorization { return true } + if req == nil { + log.Errorf("Could not process authorization without a request") + return false + } + if req.Agent == "" { + log.Errorf("Could not process authorization without a agent name") + return false + } + if si == nil { + log.Errorf("Could not process authorization without a server info source") + return false + } - prov := strings.ToLower(a.Config.RPCAuthorizationProvider) + prov := strings.ToLower(cfg.RPCAuthorizationProvider) switch prov { case "action_policy": - return actionPolicyAuthorize(req, a, a.Log) + return actionPolicyAuthorize(req, cfg, log) case "rego_policy": - auth, err := regoPolicyAuthorize(req, a, a.Log) + auth, err := regoPolicyAuthorize(req, fw, si, cfg, log) if err != nil { - a.Log.Errorf("Could not process Open Policy Agent policy: %v", err) + log.Errorf("Could not process Open Policy Agent policy: %v", err) return false } return auth case "aaasvc", "aaasvc_policy": - auth, err := aaasvcPolicyAuthorize(req, a, a.Log) + auth, err := aaasvcPolicyAuthorize(req, cfg, log) if err != nil { - a.Log.Errorf("Could not process JWT policy: %v", err) + log.Errorf("Could not process JWT policy: %v", err) return false } return auth default: - a.Log.Errorf("Unsupported authorization provider: %s", 
prov) + log.Errorf("Unsupported authorization provider: %s", prov) } diff --git a/providers/agent/mcorpc/authz_actionpolicy.go b/providers/agent/mcorpc/authz_actionpolicy.go index 4566f4f35..061263561 100644 --- a/providers/agent/mcorpc/authz_actionpolicy.go +++ b/providers/agent/mcorpc/authz_actionpolicy.go @@ -1,4 +1,4 @@ -// Copyright (c) 2020-2021, R.I. Pienaar and the Choria Project contributors +// Copyright (c) 2020-2025, R.I. Pienaar and the Choria Project contributors // // SPDX-License-Identifier: Apache-2.0 @@ -21,17 +21,16 @@ import ( "github.com/sirupsen/logrus" ) -func actionPolicyAuthorize(req *Request, agent *Agent, log *logrus.Entry) bool { +func actionPolicyAuthorize(req *Request, cfg *config.Config, log *logrus.Entry) bool { logger := log.WithFields(logrus.Fields{ "authorizer": "actionpolicy", - "agent": agent.Name(), + "agent": req.Agent, "request": req.RequestID, }) authz := &actionPolicy{ - cfg: agent.Config, + cfg: cfg, req: req, - agent: agent, matcher: &actionPolicyPolicy{log: logger}, groups: make(map[string][]string), log: logger, @@ -48,7 +47,6 @@ func actionPolicyAuthorize(req *Request, agent *Agent, log *logrus.Entry) bool { type actionPolicy struct { cfg *config.Config req *Request - agent *Agent log *logrus.Entry matcher *actionPolicyPolicy groups map[string][]string @@ -168,7 +166,7 @@ func (a *actionPolicy) checkRequestAgainstPolicy() (bool, error) { return false, nil } - factsMatched, err := pol.MatchesFacts(a.agent.Config, a.log) + factsMatched, err := pol.MatchesFacts(a.cfg, a.log) if err != nil { return false, err } 
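Review bot: AuthorizeRequest guards `si == nil` but not `fw == nil`, while the rego_policy branch hands fw to regoPolicy whose regoInputs calls `r.fw.ProvisionMode()` (authz_rego.go hunk @@ -128), so a caller passing a nil framework gets a panic in the authorization path rather than a denial; add `if fw == nil { log.Errorf("Could not process authorization without a framework"); return false }` beside the si check. The authorizers now take the agent name from req.Agent, and in actionPolicy.lookupPolicyFile (authz_actionpolicy.go hunk @@ -204) and regoPolicy.lookupPolicyFile (authz_rego.go hunk @@ -84) that request-supplied value is joined into the policy file path; inside Agent.authorize this is bounded by the new `req.Agent != a.Name()` guard, but the exported AuthorizeRequest only rejects the empty string, so external callers get no such protection. Either move the name comparison into AuthorizeRequest or record the precondition in its doc comment, e.g. `// AuthorizeRequest authorizes a request using the configured authorizer. req.Agent must already be verified as the agent servicing the request, since the action_policy and rego_policy authorizers use it to select the policy file.` Agent.authorize also reads req.Agent before the `req == nil` check in AuthorizeRequest can run, so that check only protects direct callers. The end of AuthorizeRequest after the switch lies outside the hunk.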
@@ -204,7 +202,7 @@ func (a *actionPolicy) defaultPolicyFileName() string { } func (a *actionPolicy) lookupPolicyFile() (string, error) { - agentPolicy := filepath.Join(filepath.Dir(a.cfg.ConfigFile), "policies", a.agent.Name()+".policy") + agentPolicy := filepath.Join(filepath.Dir(a.cfg.ConfigFile), "policies", a.req.Agent+".policy") a.log.Debugf("Looking up agent policy in %s", agentPolicy) if util.FileExist(agentPolicy) { @@ -218,7 +216,7 @@ func (a *actionPolicy) lookupPolicyFile() (string, error) { } } - return "", fmt.Errorf("no policy found for %s", a.agent.Name()) + return "", fmt.Errorf("no policy found for %s", a.req.Agent) } func (a *actionPolicy) parseGroupFile(gfile string) error { diff --git a/providers/agent/mcorpc/authz_actionpolicy_test.go b/providers/agent/mcorpc/authz_actionpolicy_test.go index 56e25ddd8..2188a09c4 100644 --- a/providers/agent/mcorpc/authz_actionpolicy_test.go +++ b/providers/agent/mcorpc/authz_actionpolicy_test.go @@ -1,4 +1,4 @@ -// Copyright (c) 2020-2021, R.I. Pienaar and the Choria Project contributors +// Copyright (c) 2020-2025, R.I. Pienaar and the Choria Project contributors // // SPDX-License-Identifier: Apache-2.0 @@ -21,7 +21,6 @@ var _ = Describe("ActionPolicy", func() { pol *actionPolicyPolicy logger *logrus.Entry mockctl *gomock.Controller - fw *imock.MockFramework cfg *config.Config logbuffer *bytes.Buffer ) @@ -33,7 +32,7 @@ var _ = Describe("ActionPolicy", func() { pol = &actionPolicyPolicy{log: logger} mockctl = gomock.NewController(GinkgoT()) - fw, cfg = imock.NewFrameworkForTests(mockctl, GinkgoWriter) + _, cfg = imock.NewFrameworkForTests(mockctl, GinkgoWriter) cfg.ClassesFile = "testdata/classes.txt" cfg.FactSourceFile = "testdata/facts.json" cfg.DisableSecurityProviderVerify = true @@ -48,11 +47,6 @@ var _ = Describe("ActionPolicy", func() { Action: "test", CallerID: "choria=ginkgo.mcollective", }, - agent: &Agent{ - Log: logger, - Config: cfg, - Choria: fw, - }, } }) 
diff --git a/providers/agent/mcorpc/authz_jwt.go b/providers/agent/mcorpc/authz_jwt.go index 306a9e953..8722a4056 100644 --- a/providers/agent/mcorpc/authz_jwt.go +++ b/providers/agent/mcorpc/authz_jwt.go @@ -21,24 +21,22 @@ import ( ) type aaasvcPolicy struct { - cfg *config.Config - req *Request - agent *Agent - log *logrus.Entry + cfg *config.Config + req *Request + log *logrus.Entry } -func aaasvcPolicyAuthorize(req *Request, agent *Agent, log *logrus.Entry) (bool, error) { +func aaasvcPolicyAuthorize(req *Request, cfg *config.Config, log *logrus.Entry) (bool, error) { logger := log.WithFields(logrus.Fields{ "authorizer": "aaasvc", - "agent": agent.Name(), + "agent": req.Agent, "request": req.RequestID, }) authz := &aaasvcPolicy{ - cfg: agent.Config, - req: req, - agent: agent, - log: logger, + cfg: cfg, + req: req, + log: logger, } return authz.authorize() diff --git a/providers/agent/mcorpc/authz_jwt_test.go b/providers/agent/mcorpc/authz_jwt_test.go index 217e4d8ef..09a97c4c8 100644 --- a/providers/agent/mcorpc/authz_jwt_test.go +++ b/providers/agent/mcorpc/authz_jwt_test.go @@ -1,4 +1,4 @@ -// Copyright (c) 2022, R.I. Pienaar and the Choria Project contributors +// Copyright (c) 2022-2025, R.I. Pienaar and the Choria Project contributors // // SPDX-License-Identifier: Apache-2.0 @@ -86,14 +86,14 @@ var _ = Describe("McoRPC/JWTAuthorizer", func() { }) It("Should fail for no caller public data", func() { - allowed, err := aaasvcPolicyAuthorize(req, agent, log) + allowed, err := aaasvcPolicyAuthorize(req, agent.Config, log) Expect(err).To(MatchError("no policy received in request")) Expect(allowed).To(BeFalse()) }) It("Should handle invalid tokens", func() { req.CallerPublicData = "blah" - allowed, err := aaasvcPolicyAuthorize(req, agent, log) + allowed, err := aaasvcPolicyAuthorize(req, agent.Config, log) Expect(err).To(MatchError("invalid token in request: token contains an invalid number of segments")) Expect(allowed).To(BeFalse()) }) 
@@ -105,7 +105,7 @@ var _ = Describe("McoRPC/JWTAuthorizer", func() { Expect(err).ToNot(HaveOccurred()) req.Agent = "discovery" - allowed, err := aaasvcPolicyAuthorize(req, agent, log) + allowed, err := aaasvcPolicyAuthorize(req, agent.Config, log) Expect(err).ToNot(HaveOccurred()) Expect(allowed).To(BeTrue()) Expect(logBuff).To(gbytes.Say("Allowing discovery request")) @@ -117,7 +117,7 @@ var _ = Describe("McoRPC/JWTAuthorizer", func() { req.CallerPublicData, err = tokens.SignToken(claims, prik) Expect(err).ToNot(HaveOccurred()) - allowed, err := aaasvcPolicyAuthorize(req, agent, log) + allowed, err := aaasvcPolicyAuthorize(req, agent.Config, log) Expect(err).To(MatchError("no policy received in token")) Expect(allowed).To(BeFalse()) }) @@ -129,7 +129,7 @@ var _ = Describe("McoRPC/JWTAuthorizer", func() { req.CallerPublicData, err = tokens.SignToken(claims, prik) Expect(err).ToNot(HaveOccurred()) - allowed, err := aaasvcPolicyAuthorize(req, agent, log) + allowed, err := aaasvcPolicyAuthorize(req, agent.Config, log) Expect(err).To(MatchError("invalid agent policy: fail")) Expect(allowed).To(BeFalse()) }) @@ -140,7 +140,7 @@ var _ = Describe("McoRPC/JWTAuthorizer", func() { req.CallerPublicData, err = tokens.SignToken(claims, prik) Expect(err).ToNot(HaveOccurred()) - allowed, err := aaasvcPolicyAuthorize(req, agent, log) + allowed, err := aaasvcPolicyAuthorize(req, agent.Config, log) Expect(err).ToNot(HaveOccurred()) Expect(allowed).To(BeTrue()) }) @@ -153,7 +153,7 @@ var _ = Describe("McoRPC/JWTAuthorizer", func() { req.CallerPublicData, err = tokens.SignToken(claims, prik) Expect(err).ToNot(HaveOccurred()) - allowed, err := aaasvcPolicyAuthorize(req, agent, log) + allowed, err := aaasvcPolicyAuthorize(req, agent.Config, log) Expect(err).To(HaveOccurred()) Expect(err.Error()).To(MatchRegexp("could not initialize opa evaluator")) Expect(allowed).To(BeFalse()) 
@@ -165,7 +165,7 @@ var _ = Describe("McoRPC/JWTAuthorizer", func() { req.CallerPublicData, err = tokens.SignToken(claims, prik) Expect(err).ToNot(HaveOccurred()) - allowed, err := aaasvcPolicyAuthorize(req, agent, log) + allowed, err := aaasvcPolicyAuthorize(req, agent.Config, log) Expect(err).ToNot(HaveOccurred()) Expect(allowed).To(BeTrue()) }) diff --git a/providers/agent/mcorpc/authz_rego.go b/providers/agent/mcorpc/authz_rego.go index 38af49807..4746b14e0 100644 --- a/providers/agent/mcorpc/authz_rego.go +++ b/providers/agent/mcorpc/authz_rego.go @@ -8,6 +8,8 @@ import ( "context" "encoding/json" "fmt" + "github.com/choria-io/go-choria/inter" + "github.com/choria-io/go-choria/server/agents" "path/filepath" "github.com/choria-io/go-choria/config" @@ -18,24 +20,26 @@ import ( ) type regoPolicy struct { - cfg *config.Config - req *Request - agent *Agent - log *logrus.Entry + cfg *config.Config + req *Request + fw inter.Framework + si agents.ServerInfoSource + log *logrus.Entry } -func regoPolicyAuthorize(req *Request, agent *Agent, log *logrus.Entry) (bool, error) { +func regoPolicyAuthorize(req *Request, fw inter.Framework, si agents.ServerInfoSource, cfg *config.Config, log *logrus.Entry) (bool, error) { logger := log.WithFields(logrus.Fields{ "authorizer": "regoPolicy", - "agent": agent.Name(), + "agent": req.Agent, "request": req.RequestID, }) authz := ®oPolicy{ - cfg: agent.Config, - req: req, - agent: agent, - log: logger, + cfg: cfg, + req: req, + si: si, + fw: fw, + log: logger, } return authz.authorize() @@ -66,7 +70,8 @@ func (r *regoPolicy) authorize() (bool, error) { return false, err } - allowed, err := evaluator.Evaluate(context.Background(), r.regoInputs()) + inputs := r.regoInputs() + allowed, err := evaluator.Evaluate(context.Background(), inputs) switch err := err.(type) { case nil: break 
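Review bot: The two new imports in authz_rego.go, `github.com/choria-io/go-choria/inter` and `github.com/choria-io/go-choria/server/agents`, are inserted between "fmt" and "path/filepath" in the standard-library group instead of the module group that already holds `github.com/choria-io/go-choria/config`; goimports or gci will move them on the next format pass and produce an unrelated diff. Place them with the other go-choria imports below the blank line.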
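Review bot: regoPolicyAuthorize's new parameter order `(req, fw, si, cfg, log)` differs from its siblings actionPolicyAuthorize and aaasvcPolicyAuthorize, which keep `(req, cfg, log)`; putting cfg second, `func regoPolicyAuthorize(req *Request, cfg *config.Config, fw inter.Framework, si agents.ServerInfoSource, log *logrus.Entry) (bool, error)`, keeps the common prefix aligned across the three authorizers and the call in AuthorizeRequest. The regoPolicy struct gains fw and si fields without a comment, and both are dereferenced in regoInputs without a nil check, so a field comment such as `// fw and si are dereferenced in regoInputs and must be non-nil` would record the contract the caller has to meet.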
@@ -84,10 +89,15 @@ func (r *regoPolicy) authorize() (bool, error) { return allowed, nil } +var overRideRegoName string + func (r *regoPolicy) lookupPolicyFile() (string, error) { dir := filepath.Join(filepath.Dir(r.cfg.ConfigFile), "policies", "rego") - regoPolicy := filepath.Join(dir, r.agent.Name()+".rego") + regoPolicy := filepath.Join(dir, r.req.Agent+".rego") + if overRideRegoName != "" { + regoPolicy = filepath.Join(dir, overRideRegoName+".rego") + } r.log.Debugf("Looking up rego policy in %s", regoPolicy) if util.FileExist(regoPolicy) { @@ -100,14 +110,14 @@ func (r *regoPolicy) lookupPolicyFile() (string, error) { r.log.Debugf("Using policy file: %s", defaultPolicy) return defaultPolicy, nil } - return "", fmt.Errorf("no policy %s found for %s in %s", defaultPolicy, r.agent.Name(), dir) + return "", fmt.Errorf("no policy %s found for %s in %s", defaultPolicy, r.req.Agent, dir) } func (r *regoPolicy) regoInputs() map[string]any { facts := map[string]any{} - sif := r.agent.ServerInfoSource.Facts() + sif := r.si.Facts() err := json.Unmarshal(sif, &facts) if err != nil { r.log.Errorf("could not marshal facts for rego policy: %v", err) @@ -128,9 +138,9 @@ func (r *regoPolicy) regoInputs() map[string]any { "ttl": r.req.TTL, "time": r.req.Time, "facts": facts, - "classes": r.agent.ServerInfoSource.Classes(), - "agents": r.agent.ServerInfoSource.KnownAgents(), - "provision_mode": r.agent.Choria.ProvisionMode(), + "classes": r.si.Classes(), + "agents": r.si.KnownAgents(), + "provision_mode": r.fw.ProvisionMode(), } } diff --git a/providers/agent/mcorpc/authz_rego_test.go b/providers/agent/mcorpc/authz_rego_test.go index 1fad3bda9..536262f77 100644 --- a/providers/agent/mcorpc/authz_rego_test.go +++ b/providers/agent/mcorpc/authz_rego_test.go @@ -1,4 +1,4 @@ -// Copyright (c) 2020-2021, R.I. Pienaar and the Choria Project contributors +// Copyright (c) 2020-2025, R.I. Pienaar and the Choria Project contributors // // SPDX-License-Identifier: Apache-2.0 
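Review bot: `var overRideRegoName string` is a package-level mutable hook in production code that, when set, makes lookupPolicyFile load `<name>.rego` instead of the policy belonging to req.Agent; it is unexported so only this package can set it, but it is reset only in the test suite's BeforeEach and is not safe under parallel test execution. A field on regoPolicy that the tests set per instance would remove the global; if it stays, it needs a comment, e.g. `// overRideRegoName is a test-only hook: when non-empty, lookupPolicyFile ignores req.Agent and loads this policy instead. Never set it outside tests.` Note also that the error returned at the end of lookupPolicyFile (hunk @@ -100) still names r.req.Agent, so a failed lookup with the override set appears to report the wrong policy.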
@@ -39,6 +39,7 @@ var _ = Describe("RegoPolicy", func() { ) BeforeEach(func() { + overRideRegoName = "" mockctl = gomock.NewController(GinkgoT()) fw, cfg = imock.NewFrameworkForTests(mockctl, GinkgoWriter) fw.EXPECT().ProvisionMode().Return(false).AnyTimes() @@ -121,6 +122,8 @@ var _ = Describe("RegoPolicy", func() { authz = ®oPolicy{ cfg: cfg, log: fw.Logger("x"), + si: srvInfo, + fw: am.Choria(), req: &Request{ Agent: ginkgoAgent.meta.Name, Action: "boop", @@ -130,7 +133,6 @@ var _ = Describe("RegoPolicy", func() { Time: time.Now(), Filter: protocol.NewFilter(), }, - agent: ginkgoAgent, } }) @@ -149,7 +151,7 @@ var _ = Describe("RegoPolicy", func() { }) It("Default policy should fail", func() { - authz.agent.meta.Name = "boop" + authz.req.Agent = "boop" auth, err := authz.authorize() Expect(err).ToNot(HaveOccurred()) @@ -160,7 +162,7 @@ var _ = Describe("RegoPolicy", func() { Context("When facts are correct", func() { It("Should succeed", func() { - authz.agent.meta.Name = "facts" + authz.req.Agent = "facts" auth, err := authz.authorize() Expect(err).ToNot(HaveOccurred()) Expect(auth).To(BeTrue()) @@ -170,7 +172,7 @@ var _ = Describe("RegoPolicy", func() { Context("When classes are present and available", func() { It("Should succeed", func() { - authz.agent.meta.Name = "classes" + authz.req.Agent = "classes" auth, err := authz.authorize() Expect(err).ToNot(HaveOccurred()) @@ -191,8 +193,7 @@ var _ = Describe("RegoPolicy", func() { It("Should fail with a default policy", func() { authz.req.CallerID = "not=it" - authz.agent.meta.Name = "boop" - Expect(authz.agent.Name()).To(Equal("boop")) + authz.req.Agent = "boop" authz.cfg.SetOption("plugin.regopolicy.enable_default", "y") auth, err := authz.authorize() 
@@ -206,7 +207,7 @@ var _ = Describe("RegoPolicy", func() { Describe("Agents", func() { Context("If agent exists on the server", func() { It("Should succeed", func() { - authz.agent.meta.Name = "agent" + authz.req.Agent = "agent" auth, err := authz.authorize() Expect(err).ToNot(HaveOccurred()) @@ -218,7 +219,7 @@ var _ = Describe("RegoPolicy", func() { Describe("Request data", func() { Context("It should succeed if the request parameters are set right", func() { It("Should succeed", func() { - authz.agent.meta.Name = "data" + authz.req.Agent = "data" auth, err := authz.authorize() Expect(err).ToNot(HaveOccurred()) @@ -280,6 +281,8 @@ var _ = Describe("RegoPolicy", func() { authz = ®oPolicy{ cfg: cfg, log: fw.Logger(""), + si: srvInfo, + fw: am.Choria(), req: &Request{ Agent: ginkgoAgent.meta.Name, Action: "boop", @@ -290,7 +293,6 @@ var _ = Describe("RegoPolicy", func() { Time: time.Now(), Filter: protocol.NewFilter(), }, - agent: ginkgoAgent, } }) @@ -308,7 +310,7 @@ var _ = Describe("RegoPolicy", func() { }) It("Default policy should fail", func() { - authz.agent.meta.Name = "boop" + authz.req.Agent = "boop" auth, err := authz.authorize() Expect(err).ToNot(HaveOccurred()) @@ -319,8 +321,7 @@ var _ = Describe("RegoPolicy", func() { Context("When facts are incorrect", func() { It("Should deny", func() { - - authz.agent.meta.Name = "facts" + authz.req.Agent = "facts" auth, err := authz.authorize() Expect(err).ToNot(HaveOccurred()) Expect(auth).To(BeFalse()) @@ -330,7 +331,7 @@ var _ = Describe("RegoPolicy", func() { Context("When classes are different but available", func() { It("Should fail", func() { - authz.agent.meta.Name = "classes" + authz.req.Agent = "classes" auth, err := authz.authorize() Expect(err).ToNot(HaveOccurred()) 
@@ -342,7 +343,7 @@ var _ = Describe("RegoPolicy", func() { Describe("Agents", func() { Context("If agent does not exist on the server", func() { It("Should fail", func() { - authz.agent.meta.Name = "agent" + authz.req.Agent = "agent" auth, err := authz.authorize() Expect(err).ToNot(HaveOccurred()) @@ -354,7 +355,7 @@ var _ = Describe("RegoPolicy", func() { Describe("Request data", func() { Context("The request parameters aren't set right", func() { It("Should fail", func() { - authz.agent.meta.Name = "data" + authz.req.Agent = "data" auth, err := authz.authorize() Expect(err).ToNot(HaveOccurred()) @@ -424,6 +425,8 @@ var _ = Describe("RegoPolicy", func() { authz = ®oPolicy{ cfg: cfg, log: fw.Logger(""), + si: srvInfo, + fw: am.Choria(), req: &Request{ Agent: ginkgoAgent.meta.Name, Action: "boop", @@ -434,15 +437,13 @@ var _ = Describe("RegoPolicy", func() { Time: time.Now(), Filter: protocol.NewFilter(), }, - agent: ginkgoAgent, } }) Context("with multiple allow statements", func() { It("Should allow", func() { - authz.agent.meta.Name = "multiple" + overRideRegoName = "multiple" auth, err := authz.authorize() - Expect(err).ToNot(HaveOccurred()) Expect(auth).To(BeTrue()) }) @@ -472,6 +473,8 @@ var _ = Describe("RegoPolicy", func() { authz = ®oPolicy{ cfg: cfg, log: fw.Logger(""), + si: srvInfo, + fw: am.Choria(), req: &Request{ Agent: ginkgoAgent.meta.Name, Action: "poob", @@ -482,13 +485,12 @@ var _ = Describe("RegoPolicy", func() { Time: time.Now(), Filter: protocol.NewFilter(), }, - agent: ginkgoAgent, } }) Context("with multiple allow statements", func() { It("Should allow", func() { - authz.agent.meta.Name = "multiple" + overRideRegoName = "multiple" auth, err := authz.authorize() Expect(err).ToNot(HaveOccurred()) @@ -520,6 +522,8 @@ var _ = Describe("RegoPolicy", func() { authz = ®oPolicy{ cfg: cfg, log: fw.Logger(""), + si: srvInfo, + fw: am.Choria(), req: &Request{ Agent: ginkgoAgent.meta.Name, Action: "poob", 
@@ -530,13 +534,12 @@ var _ = Describe("RegoPolicy", func() { Time: time.Now(), Filter: protocol.NewFilter(), }, - agent: ginkgoAgent, } }) Context("with multiple allow statements", func() { It("Should deny", func() { - authz.agent.meta.Name = "multiple" + overRideRegoName = "multiple" auth, err := authz.authorize() Expect(err).ToNot(HaveOccurred()) diff --git a/providers/agent/mcorpc/mcorpc.go b/providers/agent/mcorpc/mcorpc.go index a928fcdd2..f3009c7ee 100644 --- a/providers/agent/mcorpc/mcorpc.go +++ b/providers/agent/mcorpc/mcorpc.go @@ -1,4 +1,4 @@ -// Copyright (c) 2020-2022, R.I. Pienaar and the Choria Project contributors +// Copyright (c) 2020-2025, R.I. Pienaar and the Choria Project contributors // // SPDX-License-Identifier: Apache-2.0 @@ -18,24 +18,10 @@ import ( "fmt" "time" - "github.com/choria-io/go-choria/config" "github.com/choria-io/go-choria/protocol" - "github.com/choria-io/go-choria/srvcache" "github.com/choria-io/go-choria/validator" ) -// ChoriaFramework provides access to the choria framework -type ChoriaFramework interface { - Configuration() *config.Config - FacterDomain() (string, error) - FacterCmd() string - MiddlewareServers() (srvcache.Servers, error) - NewTransportFromJSON(data []byte) (protocol.TransportMessage, error) - ProvisionMode() bool - UniqueID() string - Certname() string -} - // StatusCode is a reply status as defined by MCollective SimpleRPC - integers 0 to 5 // // See the constants OK, RPCAborted, UnknownRPCAction, MissingRPCData, InvalidRPCData and UnknownRPCError