package consul
import (
"github.com/hashicorp/consul/acl"
"github.com/hashicorp/consul/agent/structs"
)
// dirEntFilter adapts a structs.DirEntries slice to the Filter interface so
// that FilterEntries can drop, in place, every KV entry for which the
// authorizer does not return acl.Allow on key:read.
type dirEntFilter struct {
	// authorizer is consulted by Filter once per entry; it is used without a
	// nil check, so it must be set whenever ent is non-empty.
	authorizer acl.Authorizer
	// ent is the slice being compacted. Move rewrites it in place, so the
	// caller's slice is mutated.
	ent structs.DirEntries
}
// Len reports how many directory entries FilterEntries has to visit.
func (d *dirEntFilter) Len() int {
	entries := d.ent
	return len(entries)
}
// Filter reports whether entry i must be dropped from the result.
//
// Only an explicit acl.Allow on key:read for the entry's key keeps it; any
// other decision filters the entry, so this is deny-by-default. The
// enterprise authorizer context is filled from the entry itself, so whatever
// enterprise scoping (e.g. namespace) the entry carries is part of the check.
func (d *dirEntFilter) Filter(i int) bool {
	entry := d.ent[i]

	var authzCtx acl.EnterpriseAuthorizerContext
	entry.FillAuthzContext(&authzCtx)

	allowed := d.authorizer.KeyRead(entry.Key, &authzCtx) == acl.Allow
	return !allowed
}
// Move copies the span entries starting at src over the slots starting at
// dst. FilterEntries only calls it with dst <= src (possibly equal), and the
// builtin copy is safe for the overlapping case.
func (d *dirEntFilter) Move(dst, src, span int) {
	from := d.ent[src : src+span]
	to := d.ent[dst : dst+span]
	copy(to, from)
}
// FilterDirEnt removes from ent every directory entry for which authorizer
// does not return acl.Allow on key:read and returns the surviving prefix.
//
// Filtering happens in place: ent's backing array is rewritten and the slots
// past the returned length are left as they were (they are not cleared), so
// callers must keep the returned slice rather than the original. authorizer
// is used without a nil check.
func FilterDirEnt(authorizer acl.Authorizer, ent structs.DirEntries) structs.DirEntries {
	filter := &dirEntFilter{authorizer: authorizer, ent: ent}
	kept := FilterEntries(filter)
	return ent[:kept]
}
// txnResultsFilter adapts a structs.TxnResults slice to the Filter interface
// so that FilterEntries can drop, in place, every transaction result whose
// payload (KV entry, node, service or check) the authorizer does not grant
// read access to.
type txnResultsFilter struct {
	// authorizer is consulted by Filter once per result; it is used without
	// a nil check, so it must be set whenever results is non-empty.
	authorizer acl.Authorizer
	// results is the slice being compacted. Move rewrites it in place, so the
	// caller's slice is mutated.
	results structs.TxnResults
}
// Len reports how many transaction results FilterEntries has to visit.
func (t *txnResultsFilter) Len() int {
	all := t.results
	return len(all)
}
func (t *txnResultsFilter) Filter(i int) bool {
|
2019-10-15 20:58:50 +00:00
|
|
|
// TODO (namespaces) use a real ent authz context for most of these checks
|
2016-05-13 22:58:55 +00:00
|
|
|
result := t.results[i]
|
2018-12-12 10:29:54 +00:00
|
|
|
switch {
|
|
|
|
case result.KV != nil:
|
2019-10-15 20:58:50 +00:00
|
|
|
return t.authorizer.KeyRead(result.KV.Key, nil) != acl.Allow
|
2018-12-12 10:29:54 +00:00
|
|
|
case result.Node != nil:
|
2019-10-15 20:58:50 +00:00
|
|
|
return t.authorizer.NodeRead(result.Node.Node, nil) != acl.Allow
|
2018-12-12 10:29:54 +00:00
|
|
|
case result.Service != nil:
|
2019-10-15 20:58:50 +00:00
|
|
|
return t.authorizer.ServiceRead(result.Service.Service, nil) != acl.Allow
|
2018-12-12 10:29:54 +00:00
|
|
|
case result.Check != nil:
|
|
|
|
if result.Check.ServiceName != "" {
|
2019-10-15 20:58:50 +00:00
|
|
|
return t.authorizer.ServiceRead(result.Check.ServiceName, nil) != acl.Allow
|
2018-12-12 10:29:54 +00:00
|
|
|
}
|
2019-10-15 20:58:50 +00:00
|
|
|
return t.authorizer.NodeRead(result.Check.Node, nil) != acl.Allow
|
2016-05-13 22:58:55 +00:00
|
|
|
}
|
2017-04-21 01:59:42 +00:00
|
|
|
return false
|
2016-05-13 22:58:55 +00:00
|
|
|
}
// Move copies the span results starting at src over the slots starting at
// dst. FilterEntries only calls it with dst <= src (possibly equal), and the
// builtin copy is safe for the overlapping case.
func (t *txnResultsFilter) Move(dst, src, span int) {
	from := t.results[src : src+span]
	to := t.results[dst : dst+span]
	copy(to, from)
}
// FilterTxnResults removes from results every transaction result whose
// payload authorizer does not grant read access to and returns the surviving
// prefix.
//
// Filtering happens in place: results' backing array is rewritten and the
// slots past the returned length are left as they were (they are not
// cleared), so callers must keep the returned slice rather than the original.
// authorizer is used without a nil check.
func FilterTxnResults(authorizer acl.Authorizer, results structs.TxnResults) structs.TxnResults {
	filter := &txnResultsFilter{authorizer: authorizer, results: results}
	kept := FilterEntries(filter)
	return results[:kept]
}
// Filter interface is used with FilterEntries to do an
// in-place filter of a slice.
//
// FilterEntries drives the three methods as follows: Len bounds the index
// space; Filter(i) is asked exactly once for every index, in increasing
// order, and answers true when element i must be dropped; Move(dst, src,
// span) must copy the span elements starting at src over the slots starting
// at dst. dst <= src always holds and dst may equal src, so Move must be
// correct for overlapping ranges (the builtin copy is).
type Filter interface {
	// Len returns the number of elements to consider.
	Len() int
	// Filter reports whether the element at the given index should be removed.
	Filter(int) bool
	// Move copies span elements from index src to index dst, in place.
	Move(dst, src, span int)
}
// FilterEntries compacts the slice behind f in place, keeping only the
// elements for which f.Filter reports false, and returns the new length.
// The caller re-slices to that length; slots past it are not cleared.
//
// Cost is linear in f.Len(): Filter is asked exactly once per index, in
// increasing order, and each maximal run of kept elements is relocated with
// a single Move call (issued even when the run is already in place, i.e.
// dst == src).
func FilterEntries(f Filter) int {
	n := f.Len()
	kept := 0 // write cursor: everything before it has passed the filter

	for i := 0; i < n; {
		if f.Filter(i) {
			// Dropped: the write cursor stays put, so this slot is
			// overwritten by the next run of kept elements (if any).
			i++
			continue
		}

		// i starts a run of kept elements; extend it as far as it goes.
		end := i + 1
		for end < n && !f.Filter(end) {
			end++
		}

		span := end - i
		f.Move(kept, i, span)
		kept += span
		i = end
	}

	return kept
}