Return detailed error if uploaders deny upload. #71

2026-04-19 19:28:22 +00:00 · 2015-03-20 00:11:30 +03:00
parent c8713aa412
commit cc3f5149c6
2 changed files with 22 additions and 13 deletions
--- a/deb/uploaders.go
+++ b/deb/uploaders.go
@@ -2,8 +2,10 @@ package deb

 import (
 	"encoding/json"
+	"fmt"
 	"github.com/DisposaBoy/JsonConfigReader"
 	"github.com/smira/aptly/utils"
+	"os"
 )

 // UploadersRule is single rule of format: what packages can group or key upload
@@ -14,6 +16,11 @@ type UploadersRule struct {
 	CompiledCondition PackageQuery `json:"-"`
 }

+func (u UploadersRule) String() string {
+	b, _ := json.Marshal(u)
+	return string(b)
+}
+
 // Uploaders is configuration of restrictions for .changes file importing
 type Uploaders struct {
 	Groups map[string][]string `json:"groups"`
@@ -22,7 +29,7 @@ type Uploaders struct {

 // NewUploadersFromFile loads Uploaders structue from .json file
 func NewUploadersFromFile(path string) (*Uploaders, error) {
-	uploaders = &deb.Uploaders{}
+	uploaders := &Uploaders{}
 	f, err := os.Open(path)
 	if err != nil {
 		return nil, fmt.Errorf("error loading uploaders file: %s", err)
@@ -66,14 +73,14 @@ func (u *Uploaders) ExpandGroups(items []string) []string {
 }

 // IsAllowed checks whether listed keys are allowed to upload given .changes file
-func (u *Uploaders) IsAllowed(changes *Changes) bool {
+func (u *Uploaders) IsAllowed(changes *Changes) error {
 	for _, rule := range u.Rules {
 		if rule.CompiledCondition.Matches(changes) {
 			deny := u.ExpandGroups(rule.Deny)
 			for _, key := range changes.SignatureKeys {
 				for _, item := range deny {
 					if item == "*" || key.Matches(utils.GpgKey(item)) {
-						return false
+						return fmt.Errorf("denied according to rule: %s", rule)
 					}
 				}
 			}
@@ -82,12 +89,12 @@ func (u *Uploaders) IsAllowed(changes *Changes) bool {
 			for _, key := range changes.SignatureKeys {
 				for _, item := range allow {
 					if item == "*" || key.Matches(utils.GpgKey(item)) {
-						return true
+						return nil
 					}
 				}
 			}
 		}
 	}

-	return false
+	return fmt.Errorf("denied as no rule matches")
 }
--- a/deb/uploaders_test.go
+++ b/deb/uploaders_test.go
@@ -58,22 +58,24 @@ func (s *UploadersSuite) TestIsAllowed(c *C) {
 	}

 	// no keys - not allowed
-	c.Check(u.IsAllowed(&Changes{SignatureKeys: []utils.GpgKey{}, Stanza: Stanza{"Source": "calamares"}}), Equals, false)
+	c.Check(u.IsAllowed(&Changes{SignatureKeys: []utils.GpgKey{}, Stanza: Stanza{"Source": "calamares"}}), ErrorMatches, "denied as no rule matches")

 	// no rule - not allowed
-	c.Check(u.IsAllowed(&Changes{SignatureKeys: []utils.GpgKey{"37E1C17570096AD1", "EC4B033C70096AD1"}, Stanza: Stanza{"Source": "unknown-calamares"}}), Equals, false)
+	c.Check(u.IsAllowed(&Changes{SignatureKeys: []utils.GpgKey{"37E1C17570096AD1", "EC4B033C70096AD1"}, Stanza: Stanza{"Source": "unknown-calamares"}}), ErrorMatches, "denied as no rule matches")

 	// first rule: allow anyone do stuff with calamares
-	c.Check(u.IsAllowed(&Changes{SignatureKeys: []utils.GpgKey{"ABCD1234", "1234ABCD"}, Stanza: Stanza{"Source": "calamares"}}), Equals, true)
+	c.Check(u.IsAllowed(&Changes{SignatureKeys: []utils.GpgKey{"ABCD1234", "1234ABCD"}, Stanza: Stanza{"Source": "calamares"}}), IsNil)

 	// second rule: nobody is allowed to do stuff with never-calamares
-	c.Check(u.IsAllowed(&Changes{SignatureKeys: []utils.GpgKey{"ABCD1234", "1234ABCD"}, Stanza: Stanza{"Source": "never-calamares"}}), Equals, false)
+	c.Check(u.IsAllowed(&Changes{SignatureKeys: []utils.GpgKey{"ABCD1234", "1234ABCD"}, Stanza: Stanza{"Source": "never-calamares"}}),
+		ErrorMatches, "denied according to rule: {\"condition\":\"\",\"allow\":null,\"deny\":\\[\"\\*\"\\]}")

 	// third rule: anyone from the group or explicit key
-	c.Check(u.IsAllowed(&Changes{SignatureKeys: []utils.GpgKey{"45678901", "12345678"}, Stanza: Stanza{"Source": "some-calamares"}}), Equals, true)
-	c.Check(u.IsAllowed(&Changes{SignatureKeys: []utils.GpgKey{"37E1C17570096AD1"}, Stanza: Stanza{"Source": "some-calamares"}}), Equals, true)
-	c.Check(u.IsAllowed(&Changes{SignatureKeys: []utils.GpgKey{"70096AD1"}, Stanza: Stanza{"Source": "some-calamares"}}), Equals, true)
+	c.Check(u.IsAllowed(&Changes{SignatureKeys: []utils.GpgKey{"45678901", "12345678"}, Stanza: Stanza{"Source": "some-calamares"}}), IsNil)
+	c.Check(u.IsAllowed(&Changes{SignatureKeys: []utils.GpgKey{"37E1C17570096AD1"}, Stanza: Stanza{"Source": "some-calamares"}}), IsNil)
+	c.Check(u.IsAllowed(&Changes{SignatureKeys: []utils.GpgKey{"70096AD1"}, Stanza: Stanza{"Source": "some-calamares"}}), IsNil)

 	// fourth rule: some are not allowed
-	c.Check(u.IsAllowed(&Changes{SignatureKeys: []utils.GpgKey{"ABCD1234", "45678901"}, Stanza: Stanza{"Source": "some-calamares"}}), Equals, false)
+	c.Check(u.IsAllowed(&Changes{SignatureKeys: []utils.GpgKey{"ABCD1234", "45678901"}, Stanza: Stanza{"Source": "some-calamares"}}),
+		ErrorMatches, "denied according to rule: {\"condition\":\"\",\"allow\":null,\"deny\":\\[\"45678901\",\"12345678\"\\]}")
 }