diff --git a/pkg/engine/chain_router.go b/pkg/engine/chain_router.go index fe6c470..3eced4a 100644 --- a/pkg/engine/chain_router.go +++ b/pkg/engine/chain_router.go @@ -52,11 +52,10 @@ func (dr *defaultChainRouter) checkLocal(name chain.Name, rt RequestTarget, r re hasAllow = hasAllow || ruleFound } - status = chain.NoRuleFound if hasAllow { - status = chain.Allow + return chain.Allow, true, nil } - return + return chain.NoRuleFound, false, nil } func (dr *defaultChainRouter) checkMorph(name chain.Name, rt RequestTarget, r resource.Request) (status chain.Status, ruleFound bool, err error) { @@ -69,11 +68,10 @@ func (dr *defaultChainRouter) checkMorph(name chain.Name, rt RequestTarget, r re hasAllow = hasAllow || ruleFound } - status = chain.NoRuleFound if hasAllow { - status = chain.Allow + return chain.Allow, true, nil } - return + return chain.NoRuleFound, false, nil } func (dr *defaultChainRouter) matchLocalOverrides(name chain.Name, target Target, r resource.Request) (status chain.Status, ruleFound bool, err error) { diff --git a/pkg/engine/inmemory/inmemory_test.go b/pkg/engine/inmemory/inmemory_test.go index fca6935..636d544 100644 --- a/pkg/engine/inmemory/inmemory_test.go +++ b/pkg/engine/inmemory/inmemory_test.go 
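Review bot: The new `return chain.Allow, true, nil` in checkLocal reports Allow whenever `hasAllow` is set, but `hasAllow` is accumulated from `ruleFound` alone (`hasAllow = hasAllow || ruleFound` on the context line just above), not from `status == chain.Allow`, so a matched rule with any status the loop does not short-circuit on is reported as Allow; that is safe only if the loop body, which starts before this hunk, already returns for every non-Allow match, which cannot be confirmed here. Since this is the authorization decision, make the fail-closed intent explicit at the accumulation site, `hasAllow = hasAllow || (ruleFound && status == chain.Allow)`, or add `// loop above returns early on any non-Allow match; reaching here means every found rule allowed` above the `if`. The literal `nil` in both new return statements also discards whatever `err` the loop left in the named result, whereas the old bare `return` propagated it; fine if every error path in the loop returns immediately, otherwise an error would now be masked as NoRuleFound.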
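Review bot: checkMorph's tail after the loop is now byte-identical to checkLocal's (`if hasAllow { return chain.Allow, true, nil }` followed by `return chain.NoRuleFound, false, nil`), and this commit had to apply the same fix in both functions; the next correction to one of them can silently diverge from the other on what is a security decision. Consider folding the final decision into one small helper both functions call, or at minimum documenting the invariant the change restores with `// ruleFound reports whether any target matched, not just the last one checked` above the `if`, since the old code returned `ruleFound` from the last iteration only. The loop feeding `hasAllow` starts outside this hunk.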
@@ -31,6 +31,49 @@ func TestAddRootOverrides(t *testing.T) {
 require.Equal(t, string(id), string(res[0].ID))
 }
 
+func TestInmemory_MultipleTargets(t *testing.T) {
+ const op = "ape::test::op"
+
+ targets := []engine.Target{
+ engine.NamespaceTarget("ns1"),
+ engine.ContainerTarget("cnr1"),
+ engine.GroupTarget("group1"),
+ engine.UserTarget("user1"),
+ }
+ for _, tt := range targets {
+ t.Run("morph", func(t *testing.T) {
+ s := NewInMemoryLocalOverrides()
+ s.MorphRuleChainStorage().AddMorphRuleChain(chain.Ingress, tt, &chain.Chain{
+ Rules: []chain.Rule{{
+ Status: chain.Allow,
+ Actions: chain.Actions{Names: []string{op}},
+ }},
+ })
+
+ req := resourcetest.NewRequest(op, resourcetest.NewResource("r", nil), nil)
+ status, found, err := s.IsAllowed(chain.Ingress, engine.NewRequestTargetExtended("ns1", "cnr1", "user1", []string{"group1"}), req)
+ require.NoError(t, err)
+ require.True(t, found)
+ require.Equal(t, chain.Allow, status)
+ })
+ t.Run("override", func(t *testing.T) {
+ s := NewInMemoryLocalOverrides()
+ s.LocalStorage().AddOverride(chain.Ingress, tt, &chain.Chain{
+ Rules: []chain.Rule{{
+ Status: chain.Allow,
+ Actions: chain.Actions{Names: []string{op}},
+ }},
+ })
+
+ req := resourcetest.NewRequest(op, resourcetest.NewResource("r", nil), nil)
+ status, found, err := s.IsAllowed(chain.Ingress, engine.NewRequestTargetExtended("ns1", "cnr1", "user1", []string{"group1"}), req)
+ require.NoError(t, err)
+ require.True(t, found)
+ require.Equal(t, chain.Allow, status)
+ })
+ }
+}
+
 func TestInmemory(t *testing.T) {
 const (
 object = "native::object::abc/xyz"
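Review bot: The subtest names `t.Run("morph", ...)` and `t.Run("override", ...)` do not include the target, so the four loop iterations produce `morph`, `morph#01`, and so on, and a failure cannot be attributed to the namespace, container, group or user case from the test name alone; ranging with an index, `for i, tt := range targets` and `t.Run(fmt.Sprintf("morph/%d", i), ...)`, fixes that, assuming the test file imports fmt. The test also asserts only the positive case for each target, which does pin the ruleFound regression but says nothing about a router that matches too broadly; a companion case where the request target carries none of the chain's target identities should assert `found == false` and a non-Allow status, which keeps the fail-closed side of the decision under test (the exact miss status assumed below is `chain.NoRuleFound`, as the router code returns; confirm IsAllowed does not translate it).

```go
		t.Run("override-unrelated-target", func(t *testing.T) {
			s := NewInMemoryLocalOverrides()
			s.LocalStorage().AddOverride(chain.Ingress, tt, &chain.Chain{
				Rules: []chain.Rule{{
					Status:  chain.Allow,
					Actions: chain.Actions{Names: []string{op}},
				}},
			})

			req := resourcetest.NewRequest(op, resourcetest.NewResource("r", nil), nil)
			// none of ns1/cnr1/user1/group1 appear in the request target
			status, found, err := s.IsAllowed(chain.Ingress, engine.NewRequestTargetExtended("ns2", "cnr2", "user2", []string{"group2"}), req)
			require.NoError(t, err)
			require.False(t, found)
			require.Equal(t, chain.NoRuleFound, status)
		})
```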