2014-08-06 00:05:59 +00:00
|
|
|
package consul
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
2014-08-08 23:00:32 +00:00
|
|
|
"time"
|
|
|
|
|
2014-08-06 00:05:59 +00:00
|
|
|
"github.com/armon/go-metrics"
|
2014-08-08 23:00:32 +00:00
|
|
|
"github.com/hashicorp/consul/acl"
|
pkg refactor
command/agent/* -> agent/*
command/consul/* -> agent/consul/*
command/agent/command{,_test}.go -> command/agent{,_test}.go
command/base/command.go -> command/base.go
command/base/* -> command/*
commands.go -> command/commands.go
The script which did the refactor is:
(
cd $GOPATH/src/github.com/hashicorp/consul
git mv command/agent/command.go command/agent.go
git mv command/agent/command_test.go command/agent_test.go
git mv command/agent/flag_slice_value{,_test}.go command/
git mv command/agent .
git mv command/base/command.go command/base.go
git mv command/base/config_util{,_test}.go command/
git mv commands.go command/
git mv consul agent
rmdir command/base/
gsed -i -e 's|package agent|package command|' command/agent{,_test}.go
gsed -i -e 's|package agent|package command|' command/flag_slice_value{,_test}.go
gsed -i -e 's|package base|package command|' command/base.go command/config_util{,_test}.go
gsed -i -e 's|package main|package command|' command/commands.go
gsed -i -e 's|base.Command|BaseCommand|' command/commands.go
gsed -i -e 's|agent.Command|AgentCommand|' command/commands.go
gsed -i -e 's|\tCommand:|\tBaseCommand:|' command/commands.go
gsed -i -e 's|base\.||' command/commands.go
gsed -i -e 's|command\.||' command/commands.go
gsed -i -e 's|command|c|' main.go
gsed -i -e 's|range Commands|range command.Commands|' main.go
gsed -i -e 's|Commands: Commands|Commands: command.Commands|' main.go
gsed -i -e 's|base\.BoolValue|BoolValue|' command/operator_autopilot_set.go
gsed -i -e 's|base\.DurationValue|DurationValue|' command/operator_autopilot_set.go
gsed -i -e 's|base\.StringValue|StringValue|' command/operator_autopilot_set.go
gsed -i -e 's|base\.UintValue|UintValue|' command/operator_autopilot_set.go
gsed -i -e 's|\bCommand\b|BaseCommand|' command/base.go
gsed -i -e 's|BaseCommand Options|Command Options|' command/base.go
gsed -i -e 's|base.Command|BaseCommand|' command/*.go
gsed -i -e 's|c\.Command|c.BaseCommand|g' command/*.go
gsed -i -e 's|\tCommand:|\tBaseCommand:|' command/*_test.go
gsed -i -e 's|base\.||' command/*_test.go
gsed -i -e 's|\bCommand\b|AgentCommand|' command/agent{,_test}.go
gsed -i -e 's|cmd.AgentCommand|cmd.BaseCommand|' command/agent.go
gsed -i -e 's|cli.AgentCommand = new(Command)|cli.Command = new(AgentCommand)|' command/agent_test.go
gsed -i -e 's|exec.AgentCommand|exec.Command|' command/agent_test.go
gsed -i -e 's|exec.BaseCommand|exec.Command|' command/agent_test.go
gsed -i -e 's|NewTestAgent|agent.NewTestAgent|' command/agent_test.go
gsed -i -e 's|= TestConfig|= agent.TestConfig|' command/agent_test.go
gsed -i -e 's|: RetryJoin|: agent.RetryJoin|' command/agent_test.go
gsed -i -e 's|\.\./\.\./|../|' command/config_util_test.go
gsed -i -e 's|\bverifyUniqueListeners|VerifyUniqueListeners|' agent/config{,_test}.go command/agent.go
gsed -i -e 's|\bserfLANKeyring\b|SerfLANKeyring|g' agent/{agent,keyring,testagent}.go command/agent.go
gsed -i -e 's|\bserfWANKeyring\b|SerfWANKeyring|g' agent/{agent,keyring,testagent}.go command/agent.go
gsed -i -e 's|\bNewAgent\b|agent.New|g' command/agent{,_test}.go
gsed -i -e 's|\bNewAgent|New|' agent/{acl_test,agent,testagent}.go
gsed -i -e 's|\bAgent\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bBool\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bConfig\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bDefaultConfig\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bDevConfig\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bMergeConfig\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bReadConfigPaths\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bParseMetaPair\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bSerfLANKeyring\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bSerfWANKeyring\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|circonus\.agent|circonus|g' command/agent{,_test}.go
gsed -i -e 's|logger\.agent|logger|g' command/agent{,_test}.go
gsed -i -e 's|metrics\.agent|metrics|g' command/agent{,_test}.go
gsed -i -e 's|// agent.Agent|// agent|' command/agent{,_test}.go
gsed -i -e 's|a\.agent\.Config|a.Config|' command/agent{,_test}.go
gsed -i -e 's|agent\.AppendSliceValue|AppendSliceValue|' command/{configtest,validate}.go
gsed -i -e 's|consul/consul|agent/consul|' GNUmakefile
gsed -i -e 's|\.\./test|../../test|' agent/consul/server_test.go
# fix imports
f=$(grep -rl 'github.com/hashicorp/consul/command/agent' * | grep '\.go')
gsed -i -e 's|github.com/hashicorp/consul/command/agent|github.com/hashicorp/consul/agent|' $f
goimports -w $f
f=$(grep -rl 'github.com/hashicorp/consul/consul' * | grep '\.go')
gsed -i -e 's|github.com/hashicorp/consul/consul|github.com/hashicorp/consul/agent/consul|' $f
goimports -w $f
goimports -w command/*.go main.go
)
2017-06-09 22:28:28 +00:00
|
|
|
"github.com/hashicorp/consul/agent/consul/state"
|
2017-07-06 10:34:00 +00:00
|
|
|
"github.com/hashicorp/consul/agent/structs"
|
2017-01-24 08:00:06 +00:00
|
|
|
"github.com/hashicorp/go-memdb"
|
2016-01-29 19:42:34 +00:00
|
|
|
"github.com/hashicorp/go-uuid"
|
2014-08-06 00:05:59 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
// ACL endpoint is used to manipulate ACLs
|
|
|
|
type ACL struct {
|
|
|
|
srv *Server
|
|
|
|
}
|
|
|
|
|
2017-08-03 00:05:18 +00:00
|
|
|
// Bootstrap is used to perform a one-time ACL bootstrap operation on
|
|
|
|
// a cluster to get the first management token.
|
|
|
|
func (a *ACL) Bootstrap(args *structs.DCSpecificRequest, reply *structs.ACL) error {
|
|
|
|
if done, err := a.srv.forward("ACL.Bootstrap", args, args, reply); done {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Verify we are allowed to serve this request
|
|
|
|
if a.srv.config.ACLDatacenter != a.srv.config.Datacenter {
|
|
|
|
return fmt.Errorf(aclDisabled)
|
|
|
|
}
|
|
|
|
|
|
|
|
// By doing some pre-checks we can head off later bootstrap attempts
|
|
|
|
// without having to run them through Raft, which should curb abuse.
|
|
|
|
state := a.srv.fsm.State()
|
|
|
|
bs, err := state.ACLGetBootstrap()
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if bs == nil {
|
|
|
|
return structs.ACLBootstrapNotInitializedErr
|
|
|
|
}
|
|
|
|
if !bs.AllowBootstrap {
|
|
|
|
return structs.ACLBootstrapNotAllowedErr
|
|
|
|
}
|
|
|
|
|
|
|
|
// Propose a new token.
|
|
|
|
token, err := uuid.GenerateUUID()
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("failed to make random token: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Attempt a bootstrap.
|
|
|
|
req := structs.ACLRequest{
|
|
|
|
Datacenter: a.srv.config.ACLDatacenter,
|
|
|
|
Op: structs.ACLBootstrapNow,
|
|
|
|
ACL: structs.ACL{
|
|
|
|
ID: token,
|
|
|
|
Name: "Bootstrap Token",
|
|
|
|
Type: structs.ACLTypeManagement,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
resp, err := a.srv.raftApply(structs.ACLRequestType, &req)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
switch v := resp.(type) {
|
|
|
|
case error:
|
|
|
|
return v
|
|
|
|
|
|
|
|
case *structs.ACL:
|
|
|
|
*reply = *v
|
|
|
|
|
|
|
|
default:
|
|
|
|
// Just log this, since it looks like the bootstrap may have
|
|
|
|
// completed.
|
|
|
|
a.srv.logger.Printf("[ERR] consul.acl: Unexpected response during bootstrap: %T", v)
|
|
|
|
}
|
|
|
|
|
|
|
|
a.srv.logger.Printf("[INFO] consul.acl: ACL bootstrap completed")
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2016-08-03 05:04:11 +00:00
|
|
|
// aclApplyInternal is used to apply an ACL request after it has been vetted that
|
|
|
|
// this is a valid operation. It is used when users are updating ACLs, in which
|
|
|
|
// case we check their token to make sure they have management privileges. It is
|
|
|
|
// also used for ACL replication. We want to run the replicated ACLs through the
|
2016-08-09 07:11:00 +00:00
|
|
|
// same checks on the change itself.
|
2016-08-03 05:04:11 +00:00
|
|
|
func aclApplyInternal(srv *Server, args *structs.ACLRequest, reply *string) error {
|
2016-08-09 07:11:00 +00:00
|
|
|
// All ACLs must have an ID by this point.
|
|
|
|
if args.ACL.ID == "" {
|
|
|
|
return fmt.Errorf("Missing ACL ID")
|
|
|
|
}
|
|
|
|
|
2014-08-06 17:30:47 +00:00
|
|
|
switch args.Op {
|
|
|
|
case structs.ACLSet:
|
|
|
|
// Verify the ACL type
|
|
|
|
switch args.ACL.Type {
|
|
|
|
case structs.ACLTypeClient:
|
|
|
|
case structs.ACLTypeManagement:
|
|
|
|
default:
|
|
|
|
return fmt.Errorf("Invalid ACL Type")
|
|
|
|
}
|
|
|
|
|
2014-08-22 21:55:09 +00:00
|
|
|
// Verify this is not a root ACL
|
|
|
|
if acl.RootACL(args.ACL.ID) != nil {
|
|
|
|
return fmt.Errorf("%s: Cannot modify root ACL", permissionDenied)
|
|
|
|
}
|
|
|
|
|
2014-08-08 23:00:32 +00:00
|
|
|
// Validate the rules compile
|
|
|
|
_, err := acl.Parse(args.ACL.Rules)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("ACL rule compilation failed: %v", err)
|
|
|
|
}
|
2014-08-06 00:05:59 +00:00
|
|
|
|
2014-08-06 17:30:47 +00:00
|
|
|
case structs.ACLDelete:
|
2016-08-09 07:11:00 +00:00
|
|
|
if args.ACL.ID == anonymousToken {
|
2014-08-22 21:55:09 +00:00
|
|
|
return fmt.Errorf("%s: Cannot delete anonymous token", permissionDenied)
|
2014-08-06 17:30:47 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
default:
|
|
|
|
return fmt.Errorf("Invalid ACL Operation")
|
2014-08-06 00:05:59 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Apply the update
|
2016-08-03 05:04:11 +00:00
|
|
|
resp, err := srv.raftApply(structs.ACLRequestType, args)
|
2014-08-06 00:05:59 +00:00
|
|
|
if err != nil {
|
2016-08-03 05:04:11 +00:00
|
|
|
srv.logger.Printf("[ERR] consul.acl: Apply failed: %v", err)
|
2014-08-06 00:05:59 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
if respErr, ok := resp.(error); ok {
|
|
|
|
return respErr
|
|
|
|
}
|
|
|
|
|
2016-08-03 05:04:11 +00:00
|
|
|
// Check if the return type is a string
|
|
|
|
if respString, ok := resp.(string); ok {
|
|
|
|
*reply = respString
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Apply is used to apply a modifying request to the data store. This should
|
|
|
|
// only be used for operations that modify the data
|
|
|
|
func (a *ACL) Apply(args *structs.ACLRequest, reply *string) error {
|
|
|
|
if done, err := a.srv.forward("ACL.Apply", args, args, reply); done {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
defer metrics.MeasureSince([]string{"consul", "acl", "apply"}, time.Now())
|
|
|
|
|
|
|
|
// Verify we are allowed to serve this request
|
|
|
|
if a.srv.config.ACLDatacenter != a.srv.config.Datacenter {
|
|
|
|
return fmt.Errorf(aclDisabled)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Verify token is permitted to modify ACLs
|
|
|
|
if acl, err := a.srv.resolveToken(args.Token); err != nil {
|
|
|
|
return err
|
|
|
|
} else if acl == nil || !acl.ACLModify() {
|
2017-04-21 00:02:42 +00:00
|
|
|
return errPermissionDenied
|
2016-08-03 05:04:11 +00:00
|
|
|
}
|
|
|
|
|
2016-08-09 07:11:00 +00:00
|
|
|
// If no ID is provided, generate a new ID. This must be done prior to
|
|
|
|
// appending to the Raft log, because the ID is not deterministic. Once
|
|
|
|
// the entry is in the log, the state update MUST be deterministic or
|
|
|
|
// the followers will not converge.
|
|
|
|
if args.Op == structs.ACLSet && args.ACL.ID == "" {
|
|
|
|
state := a.srv.fsm.State()
|
|
|
|
for {
|
|
|
|
var err error
|
|
|
|
args.ACL.ID, err = uuid.GenerateUUID()
|
|
|
|
if err != nil {
|
|
|
|
a.srv.logger.Printf("[ERR] consul.acl: UUID generation failed: %v", err)
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2017-01-24 08:00:06 +00:00
|
|
|
_, acl, err := state.ACLGet(nil, args.ACL.ID)
|
2016-08-09 07:11:00 +00:00
|
|
|
if err != nil {
|
|
|
|
a.srv.logger.Printf("[ERR] consul.acl: ACL lookup failed: %v", err)
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if acl == nil {
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-08-03 05:04:11 +00:00
|
|
|
// Do the apply now that this update is vetted.
|
|
|
|
if err := aclApplyInternal(a.srv, args, reply); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2014-08-18 22:23:02 +00:00
|
|
|
// Clear the cache if applicable
|
|
|
|
if args.ACL.ID != "" {
|
|
|
|
a.srv.aclAuthCache.ClearACL(args.ACL.ID)
|
|
|
|
}
|
|
|
|
|
2014-08-06 00:05:59 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Get is used to retrieve a single ACL
|
|
|
|
func (a *ACL) Get(args *structs.ACLSpecificRequest,
|
|
|
|
reply *structs.IndexedACLs) error {
|
|
|
|
if done, err := a.srv.forward("ACL.Get", args, args, reply); done {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2014-08-12 22:32:44 +00:00
|
|
|
// Verify we are allowed to serve this request
|
|
|
|
if a.srv.config.ACLDatacenter != a.srv.config.Datacenter {
|
|
|
|
return fmt.Errorf(aclDisabled)
|
|
|
|
}
|
|
|
|
|
2017-01-24 08:00:06 +00:00
|
|
|
return a.srv.blockingQuery(&args.QueryOptions,
|
2014-08-06 00:05:59 +00:00
|
|
|
&reply.QueryMeta,
|
2017-04-21 00:46:29 +00:00
|
|
|
func(ws memdb.WatchSet, state *state.Store) error {
|
2017-01-24 08:00:06 +00:00
|
|
|
index, acl, err := state.ACLGet(ws, args.ACL)
|
2015-10-14 02:18:43 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
reply.Index = index
|
2014-08-06 00:05:59 +00:00
|
|
|
if acl != nil {
|
|
|
|
reply.ACLs = structs.ACLs{acl}
|
2015-01-13 20:02:30 +00:00
|
|
|
} else {
|
|
|
|
reply.ACLs = nil
|
2014-08-06 00:05:59 +00:00
|
|
|
}
|
2015-10-14 02:18:43 +00:00
|
|
|
return nil
|
2014-08-06 00:05:59 +00:00
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2016-08-04 00:01:32 +00:00
|
|
|
// makeACLETag returns an ETag for the given parent and policy.
|
|
|
|
func makeACLETag(parent string, policy *acl.Policy) string {
|
|
|
|
return fmt.Sprintf("%s:%s", parent, policy.ID)
|
|
|
|
}
|
|
|
|
|
2014-08-08 22:32:43 +00:00
|
|
|
// GetPolicy is used to retrieve a compiled policy object with a TTL. Does not
|
|
|
|
// support a blocking query.
|
2014-08-08 23:55:47 +00:00
|
|
|
func (a *ACL) GetPolicy(args *structs.ACLPolicyRequest, reply *structs.ACLPolicy) error {
|
2014-08-08 22:32:43 +00:00
|
|
|
if done, err := a.srv.forward("ACL.GetPolicy", args, args, reply); done {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2014-08-12 22:32:44 +00:00
|
|
|
// Verify we are allowed to serve this request
|
|
|
|
if a.srv.config.ACLDatacenter != a.srv.config.Datacenter {
|
|
|
|
return fmt.Errorf(aclDisabled)
|
|
|
|
}
|
|
|
|
|
2014-08-08 22:32:43 +00:00
|
|
|
// Get the policy via the cache
|
2014-08-12 17:54:56 +00:00
|
|
|
parent, policy, err := a.srv.aclAuthCache.GetACLPolicy(args.ACL)
|
2014-08-08 22:32:43 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2014-08-08 23:55:47 +00:00
|
|
|
// Generate an ETag
|
2014-08-08 22:52:52 +00:00
|
|
|
conf := a.srv.config
|
2016-08-04 00:01:32 +00:00
|
|
|
etag := makeACLETag(parent, policy)
|
2014-08-08 23:55:47 +00:00
|
|
|
|
|
|
|
// Setup the response
|
|
|
|
reply.ETag = etag
|
2014-08-08 22:52:52 +00:00
|
|
|
reply.TTL = conf.ACLTTL
|
2014-08-08 22:32:43 +00:00
|
|
|
a.srv.setQueryMeta(&reply.QueryMeta)
|
2014-08-08 23:55:47 +00:00
|
|
|
|
|
|
|
// Only send the policy on an Etag mis-match
|
|
|
|
if args.ETag != etag {
|
2014-08-12 17:54:56 +00:00
|
|
|
reply.Parent = parent
|
2014-08-08 23:55:47 +00:00
|
|
|
reply.Policy = policy
|
|
|
|
}
|
2014-08-08 22:32:43 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2014-08-06 00:05:59 +00:00
|
|
|
// List is used to list all the ACLs
|
|
|
|
func (a *ACL) List(args *structs.DCSpecificRequest,
|
|
|
|
reply *structs.IndexedACLs) error {
|
|
|
|
if done, err := a.srv.forward("ACL.List", args, args, reply); done {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2014-08-12 22:32:44 +00:00
|
|
|
// Verify we are allowed to serve this request
|
|
|
|
if a.srv.config.ACLDatacenter != a.srv.config.Datacenter {
|
|
|
|
return fmt.Errorf(aclDisabled)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Verify token is permitted to list ACLs
|
|
|
|
if acl, err := a.srv.resolveToken(args.Token); err != nil {
|
|
|
|
return err
|
|
|
|
} else if acl == nil || !acl.ACLList() {
|
2017-04-21 00:02:42 +00:00
|
|
|
return errPermissionDenied
|
2014-08-12 22:32:44 +00:00
|
|
|
}
|
|
|
|
|
2017-01-24 08:00:06 +00:00
|
|
|
return a.srv.blockingQuery(&args.QueryOptions,
|
2014-08-06 00:05:59 +00:00
|
|
|
&reply.QueryMeta,
|
2017-04-21 00:46:29 +00:00
|
|
|
func(ws memdb.WatchSet, state *state.Store) error {
|
2017-01-24 08:00:06 +00:00
|
|
|
index, acls, err := state.ACLList(ws)
|
2015-10-14 02:18:43 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
reply.Index, reply.ACLs = index, acls
|
|
|
|
return nil
|
2014-08-06 00:05:59 +00:00
|
|
|
})
|
|
|
|
}
|
2016-08-05 04:32:36 +00:00
|
|
|
|
|
|
|
// ReplicationStatus is used to retrieve the current ACL replication status.
|
|
|
|
func (a *ACL) ReplicationStatus(args *structs.DCSpecificRequest,
|
|
|
|
reply *structs.ACLReplicationStatus) error {
|
|
|
|
// This must be sent to the leader, so we fix the args since we are
|
|
|
|
// re-using a structure where we don't support all the options.
|
|
|
|
args.RequireConsistent = true
|
|
|
|
args.AllowStale = false
|
|
|
|
if done, err := a.srv.forward("ACL.ReplicationStatus", args, args, reply); done {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
// There's no ACL token required here since this doesn't leak any
|
|
|
|
// sensitive information, and we don't want people to have to use
|
|
|
|
// management tokens if they are querying this via a health check.
|
|
|
|
|
|
|
|
// Poll the latest status.
|
|
|
|
a.srv.aclReplicationStatusLock.RLock()
|
|
|
|
*reply = a.srv.aclReplicationStatus
|
|
|
|
a.srv.aclReplicationStatusLock.RUnlock()
|
|
|
|
return nil
|
|
|
|
}
|