add CanRead/CanWrite methods

common/ipc/ipc.go

@@ -162,6 +162,20 @@ func (ctx *Context) IsTrusted() bool {
 	return ctx.AuthType == ATTrusted
 }
 
+// CanRead reports whether the context is allowed to read data or config.
+// Either the context is trusted, or the remote user is authenticated and
+// is authorized to read.
+func (ctx *Context) CanRead() bool {
+	return ctx.IsTrusted() || ctx.IsAuthenticated() && ctx.User.IsReader()
+}
+
+// CanWrite reports whether the context is allowed to mutate Seesaw state.
+// Either the context is trusted, or the remote user is authenticated and
+// is a member of the admin group.
+func (ctx *Context) CanWrite() bool {
+	return ctx.IsTrusted() || ctx.IsAuthenticated() && ctx.User.IsAdmin()
+}
+
 // User contains information identifying a user.
 type User struct {
 	Groups   []string

engine/ipc.go

@@ -77,7 +77,7 @@ func (s *SeesawEngine) Failover(ctx *ipc.Context, reply *int) error {
 		return errContext
 	}
 
-	if !(ctx.IsAuthenticated() && ctx.User.IsAdmin() || ctx.IsTrusted()) {
+	if !ctx.CanWrite() {
 		return errAccess
 	}
 
@@ -158,7 +158,7 @@ func (s *SeesawEngine) HAStatus(ctx *ipc.Context, status *seesaw.HAStatus) error
 		return errContext
 	}
 
-	if !(ctx.IsAuthenticated() && ctx.User.IsReader() || ctx.IsTrusted()) {
+	if !ctx.CanRead() {
 		return errAccess
 	}
 
@@ -219,7 +219,7 @@ func (s *SeesawEngine) ClusterStatus(ctx *ipc.Context, reply *seesaw.ClusterStat
 		return errContext
 	}
 
-	if !(ctx.IsAuthenticated() && ctx.User.IsReader() || ctx.IsTrusted()) {
+	if !ctx.CanRead() {
 		return errAccess
 	}
 
@@ -247,7 +247,7 @@ func (s *SeesawEngine) ConfigStatus(ctx *ipc.Context, reply *seesaw.ConfigStatus
 		return errContext
 	}
 
-	if !(ctx.IsAuthenticated() && ctx.User.IsReader() || ctx.IsTrusted()) {
+	if !ctx.CanRead() {
 		return errAccess
 	}
 
@@ -280,7 +280,7 @@ func (s *SeesawEngine) ConfigReload(ctx *ipc.Context, reply *int) error {
 		return errContext
 	}
 
-	if !(ctx.IsAuthenticated() && ctx.User.IsAdmin() || ctx.IsTrusted()) {
+	if !ctx.CanWrite() {
 		return errAccess
 	}
 
@@ -299,7 +299,7 @@ func (s *SeesawEngine) ConfigSource(args *ipc.ConfigSource, oldSource *string) e
 		return errContext
 	}
 
-	if !(ctx.IsAuthenticated() && ctx.User.IsAdmin() || ctx.IsTrusted()) {
+	if !ctx.CanWrite() {
 		return errAccess
 	}
 
@@ -325,7 +325,7 @@ func (s *SeesawEngine) BGPNeighbors(ctx *ipc.Context, reply *quagga.Neighbors) e
 		return errContext
 	}
 
-	if !(ctx.IsAuthenticated() && ctx.User.IsReader() || ctx.IsTrusted()) {
+	if !ctx.CanRead() {
 		return errAccess
 	}
 
@@ -345,7 +345,7 @@ func (s *SeesawEngine) VLANs(ctx *ipc.Context, reply *seesaw.VLANs) error {
 		return errContext
 	}
 
-	if !(ctx.IsAuthenticated() && ctx.User.IsReader() || ctx.IsTrusted()) {
+	if !ctx.CanRead() {
 		return errAccess
 	}
 
@@ -368,7 +368,7 @@ func (s *SeesawEngine) Vservers(ctx *ipc.Context, reply *seesaw.VserverMap) erro
 		return errContext
 	}
 
-	if !(ctx.IsAuthenticated() && ctx.User.IsReader() || ctx.IsTrusted()) {
+	if !ctx.CanRead() {
 		return errAccess
 	}
 
@@ -395,7 +395,7 @@ func (s *SeesawEngine) OverrideBackend(args *ipc.Override, reply *int) error {
 		return errContext
 	}
 
-	if !(ctx.IsAuthenticated() && ctx.User.IsAdmin() || ctx.IsTrusted()) {
+	if !ctx.CanWrite() {
 		return errAccess
 	}
 
@@ -417,7 +417,7 @@ func (s *SeesawEngine) OverrideDestination(args *ipc.Override, reply *int) error
 		return errContext
 	}
 
-	if !(ctx.IsAuthenticated() && ctx.User.IsAdmin() || ctx.IsTrusted()) {
+	if !ctx.CanWrite() {
 		return errAccess
 	}