open-consul/consul/acl_endpoint.go

package consul

import (
	"fmt"
	"time"

	"github.com/armon/go-metrics"
	"github.com/hashicorp/consul/acl"
	"github.com/hashicorp/consul/consul/structs"
)

// ACL endpoint is used to manipulate ACLs
type ACL struct {
	srv *Server
}

// Apply is used to apply a modifying request to the data store. This should
// only be used for operations that modify the data
func (a *ACL) Apply(args *structs.ACLRequest, reply *string) error {
	if done, err := a.srv.forward("ACL.Apply", args, args, reply); done {
		return err
	}
	defer metrics.MeasureSince([]string{"consul", "acl", "apply"}, time.Now())

	// Verify we are allowed to serve this request
	if a.srv.config.ACLDatacenter != a.srv.config.Datacenter {
		return fmt.Errorf(aclDisabled)
	}

	// Verify token is permitted to modify ACLs
	if acl, err := a.srv.resolveToken(args.Token); err != nil {
		return err
	} else if acl == nil || !acl.ACLModify() {
		return permissionDeniedErr
	}

	switch args.Op {
	case structs.ACLSet:
		// Verify the ACL type
		switch args.ACL.Type {
		case structs.ACLTypeClient:
		case structs.ACLTypeManagement:
		default:
			return fmt.Errorf("Invalid ACL Type")
		}

		// Verify this is not a root ACL
		if acl.RootACL(args.ACL.ID) != nil {
			return fmt.Errorf("%s: Cannot modify root ACL", permissionDenied)
		}

		// Validate the rules compile
		_, err := acl.Parse(args.ACL.Rules)
		if err != nil {
			return fmt.Errorf("ACL rule compilation failed: %v", err)
		}

		// If no ID is provided, generate a new ID. This must
		// be done prior to appending to the raft log, because the ID is not
		// deterministic. Once the entry is in the log, the state update MUST
		// be deterministic or the followers will not converge.
		if args.ACL.ID == "" {
			state := a.srv.fsm.State()
			for {
				args.ACL.ID = generateUUID()
				_, acl, err := state.ACLGet(args.ACL.ID)
				if err != nil {
					a.srv.logger.Printf("[ERR] consul.acl: ACL lookup failed: %v", err)
					return err
				}
				if acl == nil {
					break
				}
			}
		}

	case structs.ACLDelete:
		if args.ACL.ID == "" {
			return fmt.Errorf("Missing ACL ID")
		} else if args.ACL.ID == anonymousToken {
			return fmt.Errorf("%s: Cannot delete anonymous token", permissionDenied)
		}

	default:
		return fmt.Errorf("Invalid ACL Operation")
	}

	// Apply the update
	resp, err := a.srv.raftApply(structs.ACLRequestType, args)
	if err != nil {
		a.srv.logger.Printf("[ERR] consul.acl: Apply failed: %v", err)
		return err
	}
	if respErr, ok := resp.(error); ok {
		return respErr
	}

	// Clear the cache if applicable
	if args.ACL.ID != "" {
		a.srv.aclAuthCache.ClearACL(args.ACL.ID)
	}

	// Check if the return type is a string
	if respString, ok := resp.(string); ok {
		*reply = respString
	}
	return nil
}

// Get is used to retrieve a single ACL
func (a *ACL) Get(args *structs.ACLSpecificRequest,
	reply *structs.IndexedACLs) error {
	if done, err := a.srv.forward("ACL.Get", args, args, reply); done {
		return err
	}

	// Verify we are allowed to serve this request
	if a.srv.config.ACLDatacenter != a.srv.config.Datacenter {
		return fmt.Errorf(aclDisabled)
	}

	// Get the local state
	state := a.srv.fsm.State()
	return a.srv.blockingRPC(&args.QueryOptions,
		&reply.QueryMeta,
		state.QueryTables("ACLGet"),
		func() error {
			index, acl, err := state.ACLGet(args.ACL)
			reply.Index = index
			if acl != nil {
				reply.ACLs = structs.ACLs{acl}
			} else {
				reply.ACLs = nil
			}
			return err
		})
}

// GetPolicy is used to retrieve a compiled policy object with a TTL. Does not
// support a blocking query.
func (a *ACL) GetPolicy(args *structs.ACLPolicyRequest, reply *structs.ACLPolicy) error {
	if done, err := a.srv.forward("ACL.GetPolicy", args, args, reply); done {
		return err
	}

	// Verify we are allowed to serve this request
	if a.srv.config.ACLDatacenter != a.srv.config.Datacenter {
		return fmt.Errorf(aclDisabled)
	}

	// Get the policy via the cache
	parent, policy, err := a.srv.aclAuthCache.GetACLPolicy(args.ACL)
	if err != nil {
		return err
	}

	// Generate an ETag
	conf := a.srv.config
	etag := fmt.Sprintf("%s:%s", parent, policy.ID)

	// Setup the response
	reply.ETag = etag
	reply.TTL = conf.ACLTTL
	a.srv.setQueryMeta(&reply.QueryMeta)

	// Only send the policy on an Etag mis-match
	if args.ETag != etag {
		reply.Parent = parent
		reply.Policy = policy
	}
	return nil
}

// List is used to list all the ACLs
func (a *ACL) List(args *structs.DCSpecificRequest,
	reply *structs.IndexedACLs) error {
	if done, err := a.srv.forward("ACL.List", args, args, reply); done {
		return err
	}

	// Verify we are allowed to serve this request
	if a.srv.config.ACLDatacenter != a.srv.config.Datacenter {
		return fmt.Errorf(aclDisabled)
	}

	// Verify token is permitted to list ACLs
	if acl, err := a.srv.resolveToken(args.Token); err != nil {
		return err
	} else if acl == nil || !acl.ACLList() {
		return permissionDeniedErr
	}

	// Get the local state
	state := a.srv.fsm.State()
	return a.srv.blockingRPC(&args.QueryOptions,
		&reply.QueryMeta,
		state.QueryTables("ACLList"),
		func() error {
			var err error
			reply.Index, reply.ACLs, err = state.ACLList()
			return err
		})
}
consul: Adding ACL endpoint 2014-08-06 00:05:59 +00:00			`package consul`

			`import (`
			`"fmt"`
consul: Verify compilation of rules 2014-08-08 23:00:32 +00:00			`"time"`

consul: Adding ACL endpoint 2014-08-06 00:05:59 +00:00			`"github.com/armon/go-metrics"`
consul: Verify compilation of rules 2014-08-08 23:00:32 +00:00			`"github.com/hashicorp/consul/acl"`
consul: Adding ACL endpoint 2014-08-06 00:05:59 +00:00			`"github.com/hashicorp/consul/consul/structs"`
			`)`

			`// ACL endpoint is used to manipulate ACLs`
			`type ACL struct {`
			`srv *Server`
			`}`

			`// Apply is used to apply a modifying request to the data store. This should`
			`// only be used for operations that modify the data`
			`func (a ACL) Apply(args structs.ACLRequest, reply *string) error {`
			`if done, err := a.srv.forward("ACL.Apply", args, args, reply); done {`
			`return err`
			`}`
			`defer metrics.MeasureSince([]string{"consul", "acl", "apply"}, time.Now())`

consul: Starting token enforcement 2014-08-12 22:32:44 +00:00			`// Verify we are allowed to serve this request`
			`if a.srv.config.ACLDatacenter != a.srv.config.Datacenter {`
			`return fmt.Errorf(aclDisabled)`
			`}`

consul: Deny delete anonymous or update of root policies 2014-08-22 21:55:09 +00:00			`// Verify token is permitted to modify ACLs`
consul: Starting token enforcement 2014-08-12 22:32:44 +00:00			`if acl, err := a.srv.resolveToken(args.Token); err != nil {`
			`return err`
			`} else if acl == nil \|\| !acl.ACLModify() {`
			`return permissionDeniedErr`
			`}`

agent: ACL endpoint tests 2014-08-06 17:30:47 +00:00			`switch args.Op {`
			`case structs.ACLSet:`
			`// Verify the ACL type`
			`switch args.ACL.Type {`
			`case structs.ACLTypeClient:`
			`case structs.ACLTypeManagement:`
			`default:`
			`return fmt.Errorf("Invalid ACL Type")`
			`}`

consul: Deny delete anonymous or update of root policies 2014-08-22 21:55:09 +00:00			`// Verify this is not a root ACL`
			`if acl.RootACL(args.ACL.ID) != nil {`
			`return fmt.Errorf("%s: Cannot modify root ACL", permissionDenied)`
			`}`

consul: Verify compilation of rules 2014-08-08 23:00:32 +00:00			`// Validate the rules compile`
			`_, err := acl.Parse(args.ACL.Rules)`
			`if err != nil {`
			`return fmt.Errorf("ACL rule compilation failed: %v", err)`
			`}`
consul: Adding ACL endpoint 2014-08-06 00:05:59 +00:00
consul: ACL.Apply allows upserting with custom ID 2015-05-06 02:19:45 +00:00			`// If no ID is provided, generate a new ID. This must`
consul: Fix non-deterministic ACL IDs 2014-10-09 19:23:32 +00:00			`// be done prior to appending to the raft log, because the ID is not`
			`// deterministic. Once the entry is in the log, the state update MUST`
			`// be deterministic or the followers will not converge.`
consul: ACL.Apply allows upserting with custom ID 2015-05-06 02:19:45 +00:00			`if args.ACL.ID == "" {`
			`state := a.srv.fsm.State()`
consul: Fix non-deterministic ACL IDs 2014-10-09 19:23:32 +00:00			`for {`
			`args.ACL.ID = generateUUID()`
			`_, acl, err := state.ACLGet(args.ACL.ID)`
			`if err != nil {`
			`a.srv.logger.Printf("[ERR] consul.acl: ACL lookup failed: %v", err)`
			`return err`
			`}`
			`if acl == nil {`
			`break`
			`}`
			`}`
			`}`

agent: ACL endpoint tests 2014-08-06 17:30:47 +00:00			`case structs.ACLDelete:`
			`if args.ACL.ID == "" {`
			`return fmt.Errorf("Missing ACL ID")`
consul: Deny delete anonymous or update of root policies 2014-08-22 21:55:09 +00:00			`} else if args.ACL.ID == anonymousToken {`
			`return fmt.Errorf("%s: Cannot delete anonymous token", permissionDenied)`
agent: ACL endpoint tests 2014-08-06 17:30:47 +00:00			`}`

			`default:`
			`return fmt.Errorf("Invalid ACL Operation")`
consul: Adding ACL endpoint 2014-08-06 00:05:59 +00:00			`}`

			`// Apply the update`
			`resp, err := a.srv.raftApply(structs.ACLRequestType, args)`
			`if err != nil {`
			`a.srv.logger.Printf("[ERR] consul.acl: Apply failed: %v", err)`
			`return err`
			`}`
			`if respErr, ok := resp.(error); ok {`
			`return respErr`
			`}`

consul: Ensure authoritative cache is purged after update 2014-08-18 22:23:02 +00:00			`// Clear the cache if applicable`
			`if args.ACL.ID != "" {`
			`a.srv.aclAuthCache.ClearACL(args.ACL.ID)`
			`}`

consul: Adding ACL endpoint 2014-08-06 00:05:59 +00:00			`// Check if the return type is a string`
			`if respString, ok := resp.(string); ok {`
			`*reply = respString`
			`}`
			`return nil`
			`}`

			`// Get is used to retrieve a single ACL`
			`func (a ACL) Get(args structs.ACLSpecificRequest,`
			`reply *structs.IndexedACLs) error {`
			`if done, err := a.srv.forward("ACL.Get", args, args, reply); done {`
			`return err`
			`}`

consul: Starting token enforcement 2014-08-12 22:32:44 +00:00			`// Verify we are allowed to serve this request`
			`if a.srv.config.ACLDatacenter != a.srv.config.Datacenter {`
			`return fmt.Errorf(aclDisabled)`
			`}`

consul: Adding ACL endpoint 2014-08-06 00:05:59 +00:00			`// Get the local state`
			`state := a.srv.fsm.State()`
			`return a.srv.blockingRPC(&args.QueryOptions,`
			`&reply.QueryMeta,`
			`state.QueryTables("ACLGet"),`
			`func() error {`
			`index, acl, err := state.ACLGet(args.ACL)`
			`reply.Index = index`
			`if acl != nil {`
			`reply.ACLs = structs.ACLs{acl}`
consul: Fixing potential issue with blocking queries for {Session,ACL}.Get 2015-01-13 20:02:30 +00:00			`} else {`
			`reply.ACLs = nil`
consul: Adding ACL endpoint 2014-08-06 00:05:59 +00:00			`}`
			`return err`
			`})`
			`}`

consul: Pulling in ACLs 2014-08-08 22:32:43 +00:00			`// GetPolicy is used to retrieve a compiled policy object with a TTL. Does not`
			`// support a blocking query.`
consul: Support conditional policy fetch 2014-08-08 23:55:47 +00:00			`func (a ACL) GetPolicy(args structs.ACLPolicyRequest, reply *structs.ACLPolicy) error {`
consul: Pulling in ACLs 2014-08-08 22:32:43 +00:00			`if done, err := a.srv.forward("ACL.GetPolicy", args, args, reply); done {`
			`return err`
			`}`

consul: Starting token enforcement 2014-08-12 22:32:44 +00:00			`// Verify we are allowed to serve this request`
			`if a.srv.config.ACLDatacenter != a.srv.config.Datacenter {`
			`return fmt.Errorf(aclDisabled)`
			`}`

consul: Pulling in ACLs 2014-08-08 22:32:43 +00:00			`// Get the policy via the cache`
consul: Resolve parent ACLs 2014-08-12 17:54:56 +00:00			`parent, policy, err := a.srv.aclAuthCache.GetACLPolicy(args.ACL)`
consul: Pulling in ACLs 2014-08-08 22:32:43 +00:00			`if err != nil {`
			`return err`
			`}`

consul: Support conditional policy fetch 2014-08-08 23:55:47 +00:00			`// Generate an ETag`
consul: Enable ACL lookup 2014-08-08 22:52:52 +00:00			`conf := a.srv.config`
consul: Resolve parent ACLs 2014-08-12 17:54:56 +00:00			`etag := fmt.Sprintf("%s:%s", parent, policy.ID)`
consul: Support conditional policy fetch 2014-08-08 23:55:47 +00:00
			`// Setup the response`
			`reply.ETag = etag`
consul: Enable ACL lookup 2014-08-08 22:52:52 +00:00			`reply.TTL = conf.ACLTTL`
consul: Pulling in ACLs 2014-08-08 22:32:43 +00:00			`a.srv.setQueryMeta(&reply.QueryMeta)`
consul: Support conditional policy fetch 2014-08-08 23:55:47 +00:00
			`// Only send the policy on an Etag mis-match`
			`if args.ETag != etag {`
consul: Resolve parent ACLs 2014-08-12 17:54:56 +00:00			`reply.Parent = parent`
consul: Support conditional policy fetch 2014-08-08 23:55:47 +00:00			`reply.Policy = policy`
			`}`
consul: Pulling in ACLs 2014-08-08 22:32:43 +00:00			`return nil`
			`}`

consul: Adding ACL endpoint 2014-08-06 00:05:59 +00:00			`// List is used to list all the ACLs`
			`func (a ACL) List(args structs.DCSpecificRequest,`
			`reply *structs.IndexedACLs) error {`
			`if done, err := a.srv.forward("ACL.List", args, args, reply); done {`
			`return err`
			`}`

consul: Starting token enforcement 2014-08-12 22:32:44 +00:00			`// Verify we are allowed to serve this request`
			`if a.srv.config.ACLDatacenter != a.srv.config.Datacenter {`
			`return fmt.Errorf(aclDisabled)`
			`}`

			`// Verify token is permitted to list ACLs`
			`if acl, err := a.srv.resolveToken(args.Token); err != nil {`
			`return err`
			`} else if acl == nil \|\| !acl.ACLList() {`
			`return permissionDeniedErr`
			`}`

consul: Adding ACL endpoint 2014-08-06 00:05:59 +00:00			`// Get the local state`
			`state := a.srv.fsm.State()`
			`return a.srv.blockingRPC(&args.QueryOptions,`
			`&reply.QueryMeta,`
			`state.QueryTables("ACLList"),`
			`func() error {`
			`var err error`
			`reply.Index, reply.ACLs, err = state.ACLList()`
			`return err`
			`})`
			`}`