acl.AddRecord check limits

2025-06-08 05:57:03 +09:00 · 2024-03-18 14:30:43 +01:00 · 2024-03-18 14:30:43 +01:00 · 045ab61962
commit 045ab61962
parent d499647a98
2 changed files with 37 additions and 6 deletions
--- a/acl/acl.go
+++ b/acl/acl.go
@ -3,6 +3,7 @@ package acl

 import (
 	"context"
+	"errors"
 	"time"

 	"github.com/prometheus/client_golang/prometheus"
@ -22,12 +23,19 @@ const CName = "coordinator.acl"

 var log = logger.NewNamed(CName)

+var ErrLimitExceed = errors.New("limit exceed")
+
+type Limits struct {
+	ReadMembers  uint32
+	WriteMembers uint32
+}
+
 func New() AclService {
 	return &aclService{}
 }

 type AclService interface {
-	AddRecord(ctx context.Context, spaceId string, rec *consensusproto.RawRecord) (result *consensusproto.RawRecordWithId, err error)
+	AddRecord(ctx context.Context, spaceId string, rec *consensusproto.RawRecord, limits Limits) (result *consensusproto.RawRecordWithId, err error)
 	RecordsAfter(ctx context.Context, spaceId, aclHead string) (result []*consensusproto.RawRecordWithId, err error)
 	Permissions(ctx context.Context, identity crypto.PubKey, spaceId string) (res list.AclPermissions, err error)
 	OwnerPubKey(ctx context.Context, spaceId string) (ownerIdentity crypto.PubKey, err error)
@ -74,14 +82,29 @@ func (as *aclService) get(ctx context.Context, spaceId string) (list.AclList, er
 	return aObj.AclList, nil
 }

-func (as *aclService) AddRecord(ctx context.Context, spaceId string, rec *consensusproto.RawRecord) (result *consensusproto.RawRecordWithId, err error) {
+func (as *aclService) AddRecord(ctx context.Context, spaceId string, rec *consensusproto.RawRecord, limits Limits) (result *consensusproto.RawRecordWithId, err error) {
 	acl, err := as.get(ctx, spaceId)
 	if err != nil {
 		return nil, err
 	}
 	acl.RLock()
 	defer acl.RUnlock()
-	err = acl.ValidateRawRecord(rec, nil)
+	err = acl.ValidateRawRecord(rec, func(state *list.AclState) error {
+		var readers, writers int
+		for _, acc := range state.CurrentAccounts() {
+			readers++
+			if acc.Permissions.CanWrite() {
+				writers++
+			}
+			if uint32(readers) > limits.ReadMembers {
+				return ErrLimitExceed
+			}
+			if uint32(writers) > limits.WriteMembers {
+				return ErrLimitExceed
+			}
+		}
+		return nil
+	})
 	if err != nil {
 		return
 	}
--- a/acl/acl_test.go
+++ b/acl/acl_test.go
@ -48,7 +48,10 @@ func TestAclService_AddRecord(t *testing.T) {
 		fx.consCl.EXPECT().AddRecord(ctx, spaceId, inv.InviteRec).Return(expRes, nil)
 		fx.consCl.EXPECT().UnWatch(spaceId)

-		res, err := fx.AddRecord(ctx, spaceId, inv.InviteRec)
+		res, err := fx.AddRecord(ctx, spaceId, inv.InviteRec, Limits{
+			ReadMembers:  10,
+			WriteMembers: 10,
+		})
 		assert.Equal(t, expRes, res)
 		assert.NoError(t, err)

@ -71,11 +74,16 @@ func TestAclService_AddRecord(t *testing.T) {
 		})
 		fx.consCl.EXPECT().UnWatch(spaceId)

-		res, err := fx.AddRecord(ctx, spaceId, inv.InviteRec)
+		res, err := fx.AddRecord(ctx, spaceId, inv.InviteRec, Limits{
+			ReadMembers:  10,
+			WriteMembers: 10,
+		})
 		assert.Nil(t, res)
 		assert.EqualError(t, err, testErr.Error())
 	})
-
+	t.Run("limit exceed", func(t *testing.T) {
+		// TODO:
+	})
 }

 func TestAclService_RecordsAfter(t *testing.T) {