[#21] router: Make Deny the highest priority

Signed-off-by: Dmitrii Stepanov <d.stepanov@yadro.com>
2023-12-08 12:37:29 +03:00 · 2023-12-08 12:37:29 +03:00 · 1375e8f7fd
commit 1375e8f7fd
parent 156018bcba
2 changed files with 91 additions and 11 deletions
--- a/pkg/engine/chain_router.go
+++ b/pkg/engine/chain_router.go
@ -86,23 +86,31 @@ func (dr *defaultChainRouter) matchLocalOverrides(name chain.Name, target Target
 	if err != nil {
 		return
 	}
-	for _, c := range localOverrides {
-		if status, ruleFound = c.Match(r); ruleFound && status != chain.Allow {
-			return
-		}
-	}
+	status, ruleFound = dr.getStatusFromChains(localOverrides, r)
 	return
 }

 func (dr *defaultChainRouter) matchMorphRuleChains(name chain.Name, target Target, r resource.Request) (status chain.Status, ruleFound bool, err error) {
 	namespaceChains, err := dr.morph.ListMorphRuleChains(name, target)
 	if err != nil {
-		return
-	}
-	for _, c := range namespaceChains {
-		if status, ruleFound = c.Match(r); ruleFound {
-			return
-		}
+		return chain.NoRuleFound, false, err
 	}
+	status, ruleFound = dr.getStatusFromChains(namespaceChains, r)
 	return
 }
+
+func (dr *defaultChainRouter) getStatusFromChains(chains []*chain.Chain, r resource.Request) (chain.Status, bool) {
+	var allow bool
+	for _, c := range chains {
+		if status, found := c.Match(r); found {
+			if status != chain.Allow {
+				return status, true
+			}
+			allow = true
+		}
+	}
+	if allow {
+		return chain.Allow, true
+	}
+	return chain.NoRuleFound, false
+}