2014-01-04 01:15:51 +00:00
|
|
|
package agent
|
|
|
|
|
|
|
|
import (
|
2019-02-27 19:28:31 +00:00
|
|
|
"encoding/json"
|
2014-01-30 23:35:38 +00:00
|
|
|
"fmt"
|
2014-01-04 01:15:51 +00:00
|
|
|
"net/http"
|
2019-02-27 19:28:31 +00:00
|
|
|
"path/filepath"
|
2015-01-21 17:53:31 +00:00
|
|
|
"strconv"
|
2014-01-04 01:15:51 +00:00
|
|
|
"strings"
|
2018-04-19 10:15:32 +00:00
|
|
|
|
2020-01-28 23:50:41 +00:00
|
|
|
"github.com/hashicorp/go-hclog"
|
2019-10-04 18:37:34 +00:00
|
|
|
"github.com/hashicorp/go-memdb"
|
|
|
|
"github.com/mitchellh/hashstructure"
|
|
|
|
|
2017-08-23 14:52:48 +00:00
|
|
|
"github.com/hashicorp/consul/acl"
|
2019-03-06 17:13:28 +00:00
|
|
|
cachetype "github.com/hashicorp/consul/agent/cache-types"
|
2018-10-17 20:20:35 +00:00
|
|
|
"github.com/hashicorp/consul/agent/debug"
|
2017-07-06 10:34:00 +00:00
|
|
|
"github.com/hashicorp/consul/agent/structs"
|
2019-02-27 19:28:31 +00:00
|
|
|
token_store "github.com/hashicorp/consul/agent/token"
|
2020-08-26 15:04:11 +00:00
|
|
|
"github.com/hashicorp/consul/agent/xds/proxysupport"
|
2017-04-19 23:00:11 +00:00
|
|
|
"github.com/hashicorp/consul/api"
|
2017-05-15 20:10:36 +00:00
|
|
|
"github.com/hashicorp/consul/ipaddr"
|
2017-08-14 14:36:07 +00:00
|
|
|
"github.com/hashicorp/consul/lib"
|
2019-02-27 19:28:31 +00:00
|
|
|
"github.com/hashicorp/consul/lib/file"
|
2020-01-28 23:50:41 +00:00
|
|
|
"github.com/hashicorp/consul/logging"
|
|
|
|
"github.com/hashicorp/consul/logging/monitor"
|
2016-06-06 20:19:31 +00:00
|
|
|
"github.com/hashicorp/consul/types"
|
2019-09-26 02:55:52 +00:00
|
|
|
"github.com/hashicorp/go-bexpr"
|
2016-06-06 08:53:30 +00:00
|
|
|
"github.com/hashicorp/serf/coordinate"
|
|
|
|
"github.com/hashicorp/serf/serf"
|
2018-04-06 06:55:49 +00:00
|
|
|
"github.com/prometheus/client_golang/prometheus"
|
|
|
|
"github.com/prometheus/client_golang/prometheus/promhttp"
|
2014-01-04 01:15:51 +00:00
|
|
|
)
|
|
|
|
|
2017-04-21 00:46:29 +00:00
|
|
|
type Self struct {
|
2017-10-04 17:43:17 +00:00
|
|
|
Config interface{}
|
|
|
|
DebugConfig map[string]interface{}
|
|
|
|
Coord *coordinate.Coordinate
|
|
|
|
Member serf.Member
|
|
|
|
Stats map[string]map[string]string
|
|
|
|
Meta map[string]string
|
2020-08-26 15:04:11 +00:00
|
|
|
XDS *xdsSelf `json:"xDS,omitempty"`
|
|
|
|
}
|
|
|
|
|
|
|
|
type xdsSelf struct {
|
|
|
|
SupportedProxies map[string][]string
|
2014-05-27 22:09:28 +00:00
|
|
|
}
|
|
|
|
|
2014-05-25 23:59:48 +00:00
|
|
|
func (s *HTTPServer) AgentSelf(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
2016-12-14 17:33:57 +00:00
|
|
|
// Fetch the ACL token, if any, and enforce agent policy.
|
|
|
|
var token string
|
|
|
|
s.parseToken(req, &token)
|
2017-08-23 14:52:48 +00:00
|
|
|
rule, err := s.agent.resolveToken(token)
|
2016-12-14 17:33:57 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2019-10-15 20:58:50 +00:00
|
|
|
if rule != nil && rule.AgentRead(s.agent.config.NodeName, nil) != acl.Allow {
|
2017-08-23 14:52:48 +00:00
|
|
|
return nil, acl.ErrPermissionDenied
|
2016-12-14 17:33:57 +00:00
|
|
|
}
|
|
|
|
|
2018-01-19 23:25:22 +00:00
|
|
|
var cs lib.CoordinateSet
|
|
|
|
if !s.agent.config.DisableCoordinates {
|
|
|
|
var err error
|
|
|
|
if cs, err = s.agent.GetLANCoordinate(); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-08-26 15:04:11 +00:00
|
|
|
var xds *xdsSelf
|
|
|
|
if s.agent.grpcServer != nil {
|
|
|
|
xds = &xdsSelf{
|
|
|
|
SupportedProxies: map[string][]string{
|
|
|
|
"envoy": proxysupport.EnvoyVersions,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-10-04 17:43:17 +00:00
|
|
|
config := struct {
|
|
|
|
Datacenter string
|
|
|
|
NodeName string
|
2018-01-10 23:17:33 +00:00
|
|
|
NodeID string
|
2017-10-04 17:43:17 +00:00
|
|
|
Revision string
|
|
|
|
Server bool
|
|
|
|
Version string
|
|
|
|
}{
|
|
|
|
Datacenter: s.agent.config.Datacenter,
|
|
|
|
NodeName: s.agent.config.NodeName,
|
2018-01-10 23:17:33 +00:00
|
|
|
NodeID: string(s.agent.config.NodeID),
|
2017-10-04 17:43:17 +00:00
|
|
|
Revision: s.agent.config.Revision,
|
|
|
|
Server: s.agent.config.ServerMode,
|
|
|
|
Version: s.agent.config.Version,
|
|
|
|
}
|
2017-04-21 00:46:29 +00:00
|
|
|
return Self{
|
2017-10-04 17:43:17 +00:00
|
|
|
Config: config,
|
|
|
|
DebugConfig: s.agent.config.Sanitized(),
|
|
|
|
Coord: cs[s.agent.config.SegmentName],
|
|
|
|
Member: s.agent.LocalMember(),
|
|
|
|
Stats: s.agent.Stats(),
|
2017-08-28 12:17:13 +00:00
|
|
|
Meta: s.agent.State.Metadata(),
|
2020-08-26 15:04:11 +00:00
|
|
|
XDS: xds,
|
2014-05-27 22:09:28 +00:00
|
|
|
}, nil
|
2014-05-25 23:59:48 +00:00
|
|
|
}
|
|
|
|
|
2020-03-03 13:18:19 +00:00
|
|
|
// acceptsOpenMetricsMimeType returns true if mime type is Prometheus-compatible
|
|
|
|
func acceptsOpenMetricsMimeType(acceptHeader string) bool {
|
|
|
|
mimeTypes := strings.Split(acceptHeader, ",")
|
|
|
|
for _, v := range mimeTypes {
|
|
|
|
mimeInfo := strings.Split(v, ";")
|
|
|
|
if len(mimeInfo) > 0 {
|
|
|
|
rawMime := strings.ToLower(strings.Trim(mimeInfo[0], " "))
|
|
|
|
if rawMime == "application/openmetrics-text" {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
if rawMime == "text/plain" && (len(mimeInfo) > 1 && strings.Trim(mimeInfo[1], " ") == "version=0.4.0") {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
2018-04-09 11:16:03 +00:00
|
|
|
// enablePrometheusOutput will look for Prometheus mime-type or format Query parameter the same way as Nomad
|
|
|
|
func enablePrometheusOutput(req *http.Request) bool {
|
|
|
|
if format := req.URL.Query().Get("format"); format == "prometheus" {
|
|
|
|
return true
|
|
|
|
}
|
2020-03-03 13:18:19 +00:00
|
|
|
return acceptsOpenMetricsMimeType(req.Header.Get("Accept"))
|
2018-04-09 11:16:03 +00:00
|
|
|
}
|
|
|
|
|
2017-08-08 20:05:38 +00:00
|
|
|
func (s *HTTPServer) AgentMetrics(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
|
|
|
// Fetch the ACL token, if any, and enforce agent policy.
|
|
|
|
var token string
|
|
|
|
s.parseToken(req, &token)
|
2017-08-23 14:52:48 +00:00
|
|
|
rule, err := s.agent.resolveToken(token)
|
2017-08-08 20:05:38 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2019-10-15 20:58:50 +00:00
|
|
|
if rule != nil && rule.AgentRead(s.agent.config.NodeName, nil) != acl.Allow {
|
2017-08-23 14:52:48 +00:00
|
|
|
return nil, acl.ErrPermissionDenied
|
2017-08-08 20:05:38 +00:00
|
|
|
}
|
2018-04-09 11:16:03 +00:00
|
|
|
if enablePrometheusOutput(req) {
|
2018-06-14 12:52:48 +00:00
|
|
|
if s.agent.config.Telemetry.PrometheusRetentionTime < 1 {
|
2018-04-06 12:21:05 +00:00
|
|
|
resp.WriteHeader(http.StatusUnsupportedMediaType)
|
2018-10-03 21:47:56 +00:00
|
|
|
fmt.Fprint(resp, "Prometheus is not enabled since its retention time is not positive")
|
2018-04-06 12:21:05 +00:00
|
|
|
return nil, nil
|
|
|
|
}
|
2018-04-06 06:55:49 +00:00
|
|
|
handlerOptions := promhttp.HandlerOpts{
|
2020-01-28 23:50:41 +00:00
|
|
|
ErrorLog: s.agent.logger.StandardLogger(&hclog.StandardLoggerOptions{
|
|
|
|
InferLevels: true,
|
|
|
|
}),
|
2018-04-09 11:16:03 +00:00
|
|
|
ErrorHandling: promhttp.ContinueOnError,
|
2018-04-06 06:55:49 +00:00
|
|
|
}
|
2017-08-08 20:05:38 +00:00
|
|
|
|
2018-04-06 06:55:49 +00:00
|
|
|
handler := promhttp.HandlerFor(prometheus.DefaultGatherer, handlerOptions)
|
|
|
|
handler.ServeHTTP(resp, req)
|
|
|
|
return nil, nil
|
|
|
|
}
|
2017-08-08 20:05:38 +00:00
|
|
|
return s.agent.MemSink.DisplayMetrics(resp, req)
|
|
|
|
}
|
|
|
|
|
2016-11-30 18:29:42 +00:00
|
|
|
func (s *HTTPServer) AgentReload(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
2016-12-14 17:33:57 +00:00
|
|
|
// Fetch the ACL token, if any, and enforce agent policy.
|
|
|
|
var token string
|
|
|
|
s.parseToken(req, &token)
|
2017-08-23 14:52:48 +00:00
|
|
|
rule, err := s.agent.resolveToken(token)
|
2016-12-14 17:33:57 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2019-10-15 20:58:50 +00:00
|
|
|
if rule != nil && rule.AgentWrite(s.agent.config.NodeName, nil) != acl.Allow {
|
2017-08-23 14:52:48 +00:00
|
|
|
return nil, acl.ErrPermissionDenied
|
2016-12-14 17:33:57 +00:00
|
|
|
}
|
2016-11-30 18:29:42 +00:00
|
|
|
|
2020-06-10 20:47:35 +00:00
|
|
|
return nil, s.agent.ReloadConfig()
|
2016-11-30 18:29:42 +00:00
|
|
|
}
|
|
|
|
|
2019-08-09 19:19:30 +00:00
|
|
|
func buildAgentService(s *structs.NodeService) api.AgentService {
|
2019-01-07 14:39:23 +00:00
|
|
|
weights := api.AgentWeights{Passing: 1, Warning: 1}
|
|
|
|
if s.Weights != nil {
|
|
|
|
if s.Weights.Passing > 0 {
|
|
|
|
weights.Passing = s.Weights.Passing
|
|
|
|
}
|
|
|
|
weights.Warning = s.Weights.Warning
|
|
|
|
}
|
2019-06-17 14:51:50 +00:00
|
|
|
|
|
|
|
var taggedAddrs map[string]api.ServiceAddress
|
|
|
|
if len(s.TaggedAddresses) > 0 {
|
|
|
|
taggedAddrs = make(map[string]api.ServiceAddress)
|
|
|
|
for k, v := range s.TaggedAddresses {
|
|
|
|
taggedAddrs[k] = v.ToAPIServiceAddress()
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-01-07 14:39:23 +00:00
|
|
|
as := api.AgentService{
|
|
|
|
Kind: api.ServiceKind(s.Kind),
|
|
|
|
ID: s.ID,
|
|
|
|
Service: s.Service,
|
|
|
|
Tags: s.Tags,
|
|
|
|
Meta: s.Meta,
|
|
|
|
Port: s.Port,
|
|
|
|
Address: s.Address,
|
2019-06-17 14:51:50 +00:00
|
|
|
TaggedAddresses: taggedAddrs,
|
2019-01-07 14:39:23 +00:00
|
|
|
EnableTagOverride: s.EnableTagOverride,
|
|
|
|
CreateIndex: s.CreateIndex,
|
|
|
|
ModifyIndex: s.ModifyIndex,
|
|
|
|
Weights: weights,
|
|
|
|
}
|
|
|
|
|
|
|
|
if as.Tags == nil {
|
|
|
|
as.Tags = []string{}
|
|
|
|
}
|
|
|
|
if as.Meta == nil {
|
|
|
|
as.Meta = map[string]string{}
|
|
|
|
}
|
2019-06-18 00:52:01 +00:00
|
|
|
// Attach Proxy config if exists
|
2020-03-26 16:20:56 +00:00
|
|
|
if s.Kind == structs.ServiceKindConnectProxy || s.IsGateway() {
|
2019-01-07 14:39:23 +00:00
|
|
|
as.Proxy = s.Proxy.ToAPI()
|
|
|
|
}
|
|
|
|
|
2019-08-09 19:19:30 +00:00
|
|
|
// Attach Connect configs if they exist.
|
|
|
|
if s.Connect.Native {
|
2019-01-07 14:39:23 +00:00
|
|
|
as.Connect = &api.AgentServiceConnect{
|
|
|
|
Native: true,
|
|
|
|
}
|
|
|
|
}
|
2019-12-10 02:26:41 +00:00
|
|
|
|
|
|
|
fillAgentServiceEnterpriseMeta(&as, &s.EnterpriseMeta)
|
2019-01-07 14:39:23 +00:00
|
|
|
return as
|
|
|
|
}
|
|
|
|
|
2014-01-04 01:15:51 +00:00
|
|
|
func (s *HTTPServer) AgentServices(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
2016-12-14 22:16:46 +00:00
|
|
|
// Fetch the ACL token, if any.
|
|
|
|
var token string
|
|
|
|
s.parseToken(req, &token)
|
|
|
|
|
2019-12-10 02:26:41 +00:00
|
|
|
var entMeta structs.EnterpriseMeta
|
|
|
|
if err := s.parseEntMetaNoWildcard(req, &entMeta); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2019-04-16 16:00:15 +00:00
|
|
|
var filterExpression string
|
|
|
|
s.parseFilter(req, &filterExpression)
|
|
|
|
|
2019-12-18 18:46:53 +00:00
|
|
|
authz, err := s.agent.resolveTokenAndDefaultMeta(token, &entMeta, nil)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2019-12-10 02:26:41 +00:00
|
|
|
services := s.agent.State.Services(&entMeta)
|
2019-12-18 18:46:53 +00:00
|
|
|
if err := s.agent.filterServicesWithAuthorizer(authz, &services); err != nil {
|
2016-12-14 22:16:46 +00:00
|
|
|
return nil, err
|
|
|
|
}
|
2017-04-28 01:22:07 +00:00
|
|
|
|
2018-04-20 13:24:24 +00:00
|
|
|
// Convert into api.AgentService since that includes Connect config but so far
|
|
|
|
// NodeService doesn't need to internally. They are otherwise identical since
|
|
|
|
// that is the struct used in client for reading the one we output here
|
|
|
|
// anyway.
|
|
|
|
agentSvcs := make(map[string]*api.AgentService)
|
|
|
|
|
2017-04-28 01:22:07 +00:00
|
|
|
// Use empty list instead of nil
|
2018-02-07 15:02:10 +00:00
|
|
|
for id, s := range services {
|
2019-08-09 19:19:30 +00:00
|
|
|
agentService := buildAgentService(s)
|
2019-12-10 02:26:41 +00:00
|
|
|
agentSvcs[id.ID] = &agentService
|
2017-04-28 01:22:07 +00:00
|
|
|
}
|
|
|
|
|
2019-04-16 16:00:15 +00:00
|
|
|
filter, err := bexpr.CreateFilter(filterExpression, nil, agentSvcs)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return filter.Execute(agentSvcs)
|
2014-01-21 01:00:52 +00:00
|
|
|
}
|
|
|
|
|
2018-09-27 14:00:51 +00:00
|
|
|
// GET /v1/agent/service/:service_id
|
|
|
|
//
|
|
|
|
// Returns the service definition for a single local services and allows
|
|
|
|
// blocking watch using hash-based blocking.
|
|
|
|
func (s *HTTPServer) AgentService(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
|
|
|
// Get the proxy ID. Note that this is the ID of a proxy's service instance.
|
|
|
|
id := strings.TrimPrefix(req.URL.Path, "/v1/agent/service/")
|
|
|
|
|
|
|
|
// Maybe block
|
|
|
|
var queryOpts structs.QueryOptions
|
|
|
|
if parseWait(resp, req, &queryOpts) {
|
|
|
|
// parseWait returns an error itself
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Parse the token
|
|
|
|
var token string
|
|
|
|
s.parseToken(req, &token)
|
|
|
|
|
2019-12-10 02:26:41 +00:00
|
|
|
var entMeta structs.EnterpriseMeta
|
|
|
|
if err := s.parseEntMetaNoWildcard(req, &entMeta); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2019-12-18 18:46:53 +00:00
|
|
|
// need to resolve to default the meta
|
|
|
|
_, err := s.agent.resolveTokenAndDefaultMeta(token, &entMeta, nil)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2018-09-27 14:00:51 +00:00
|
|
|
// Parse hash specially. Eventually this should happen in parseWait and end up
|
|
|
|
// in QueryOptions but I didn't want to make very general changes right away.
|
|
|
|
hash := req.URL.Query().Get("hash")
|
|
|
|
|
2019-12-10 02:26:41 +00:00
|
|
|
sid := structs.NewServiceID(id, &entMeta)
|
|
|
|
|
2019-09-26 02:55:52 +00:00
|
|
|
resultHash, service, err := s.agent.LocalBlockingQuery(false, hash, queryOpts.MaxQueryTime,
|
2018-09-27 14:00:51 +00:00
|
|
|
func(ws memdb.WatchSet) (string, interface{}, error) {
|
|
|
|
|
2019-12-10 02:26:41 +00:00
|
|
|
svcState := s.agent.State.ServiceState(sid)
|
2018-09-27 14:00:51 +00:00
|
|
|
if svcState == nil {
|
|
|
|
resp.WriteHeader(http.StatusNotFound)
|
2020-01-24 15:04:58 +00:00
|
|
|
fmt.Fprintf(resp, "unknown service ID: %s", sid.String())
|
2018-09-27 14:00:51 +00:00
|
|
|
return "", nil, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
svc := svcState.Service
|
|
|
|
|
|
|
|
// Setup watch on the service
|
|
|
|
ws.Add(svcState.WatchCh)
|
|
|
|
|
|
|
|
// Check ACLs.
|
2019-12-18 18:46:53 +00:00
|
|
|
authz, err := s.agent.resolveToken(token)
|
2018-09-27 14:00:51 +00:00
|
|
|
if err != nil {
|
|
|
|
return "", nil, err
|
|
|
|
}
|
2019-12-18 18:43:24 +00:00
|
|
|
var authzContext acl.AuthorizerContext
|
2019-12-10 02:26:41 +00:00
|
|
|
svc.FillAuthzContext(&authzContext)
|
2019-12-18 18:46:53 +00:00
|
|
|
if authz != nil && authz.ServiceRead(svc.Service, &authzContext) != acl.Allow {
|
2018-09-27 14:00:51 +00:00
|
|
|
return "", nil, acl.ErrPermissionDenied
|
|
|
|
}
|
|
|
|
|
|
|
|
// Calculate the content hash over the response, minus the hash field
|
2019-08-10 13:15:19 +00:00
|
|
|
aSvc := buildAgentService(svc)
|
|
|
|
reply := &aSvc
|
2018-09-27 14:00:51 +00:00
|
|
|
|
|
|
|
rawHash, err := hashstructure.Hash(reply, nil)
|
|
|
|
if err != nil {
|
|
|
|
return "", nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Include the ContentHash in the response body
|
|
|
|
reply.ContentHash = fmt.Sprintf("%x", rawHash)
|
|
|
|
|
|
|
|
return reply.ContentHash, reply, nil
|
2019-09-26 02:55:52 +00:00
|
|
|
},
|
|
|
|
)
|
|
|
|
if resultHash != "" {
|
|
|
|
resp.Header().Set("X-Consul-ContentHash", resultHash)
|
|
|
|
}
|
|
|
|
return service, err
|
2018-09-27 14:00:51 +00:00
|
|
|
}
|
|
|
|
|
2014-01-21 01:00:52 +00:00
|
|
|
func (s *HTTPServer) AgentChecks(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
2016-12-14 22:16:46 +00:00
|
|
|
// Fetch the ACL token, if any.
|
|
|
|
var token string
|
|
|
|
s.parseToken(req, &token)
|
|
|
|
|
2019-12-10 02:26:41 +00:00
|
|
|
var entMeta structs.EnterpriseMeta
|
|
|
|
if err := s.parseEntMetaNoWildcard(req, &entMeta); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2019-12-18 18:46:53 +00:00
|
|
|
authz, err := s.agent.resolveTokenAndDefaultMeta(token, &entMeta, nil)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2019-04-16 16:00:15 +00:00
|
|
|
var filterExpression string
|
|
|
|
s.parseFilter(req, &filterExpression)
|
|
|
|
filter, err := bexpr.CreateFilter(filterExpression, nil, nil)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2019-12-10 02:26:41 +00:00
|
|
|
checks := s.agent.State.Checks(&entMeta)
|
2019-12-18 18:46:53 +00:00
|
|
|
if err := s.agent.filterChecksWithAuthorizer(authz, &checks); err != nil {
|
2016-12-14 22:16:46 +00:00
|
|
|
return nil, err
|
|
|
|
}
|
2017-04-28 01:22:07 +00:00
|
|
|
|
2019-12-10 02:26:41 +00:00
|
|
|
agentChecks := make(map[types.CheckID]*structs.HealthCheck)
|
|
|
|
|
2017-04-28 01:22:07 +00:00
|
|
|
// Use empty list instead of nil
|
2018-02-07 04:35:55 +00:00
|
|
|
for id, c := range checks {
|
2017-04-28 01:22:07 +00:00
|
|
|
if c.ServiceTags == nil {
|
2018-02-07 04:35:55 +00:00
|
|
|
clone := *c
|
|
|
|
clone.ServiceTags = make([]string, 0)
|
2019-12-10 02:26:41 +00:00
|
|
|
agentChecks[id.ID] = &clone
|
|
|
|
} else {
|
|
|
|
agentChecks[id.ID] = c
|
2017-04-28 01:22:07 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-12-10 02:26:41 +00:00
|
|
|
return filter.Execute(agentChecks)
|
2014-01-04 01:15:51 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (s *HTTPServer) AgentMembers(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
2016-12-14 22:16:46 +00:00
|
|
|
// Fetch the ACL token, if any.
|
|
|
|
var token string
|
|
|
|
s.parseToken(req, &token)
|
|
|
|
|
2014-01-04 01:15:51 +00:00
|
|
|
// Check if the WAN is being queried
|
|
|
|
wan := false
|
|
|
|
if other := req.URL.Query().Get("wan"); other != "" {
|
|
|
|
wan = true
|
|
|
|
}
|
2016-12-14 22:16:46 +00:00
|
|
|
|
2017-08-14 14:36:07 +00:00
|
|
|
segment := req.URL.Query().Get("segment")
|
2017-09-05 20:40:19 +00:00
|
|
|
if wan {
|
|
|
|
switch segment {
|
|
|
|
case "", api.AllSegments:
|
|
|
|
// The zero value and the special "give me all members"
|
|
|
|
// key are ok, otherwise the argument doesn't apply to
|
|
|
|
// the WAN.
|
|
|
|
default:
|
|
|
|
resp.WriteHeader(http.StatusBadRequest)
|
|
|
|
fmt.Fprint(resp, "Cannot provide a segment with wan=true")
|
|
|
|
return nil, nil
|
|
|
|
}
|
2017-08-14 14:36:07 +00:00
|
|
|
}
|
|
|
|
|
2016-12-14 22:16:46 +00:00
|
|
|
var members []serf.Member
|
2014-01-04 01:15:51 +00:00
|
|
|
if wan {
|
2016-12-14 22:16:46 +00:00
|
|
|
members = s.agent.WANMembers()
|
2017-08-14 14:36:07 +00:00
|
|
|
} else {
|
|
|
|
var err error
|
2017-09-05 19:22:20 +00:00
|
|
|
if segment == api.AllSegments {
|
|
|
|
members, err = s.agent.delegate.LANMembersAllSegments()
|
|
|
|
} else {
|
|
|
|
members, err = s.agent.delegate.LANSegmentMembers(segment)
|
|
|
|
}
|
2017-08-14 14:36:07 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2016-12-14 22:16:46 +00:00
|
|
|
}
|
|
|
|
if err := s.agent.filterMembers(token, &members); err != nil {
|
|
|
|
return nil, err
|
2014-01-04 01:15:51 +00:00
|
|
|
}
|
2016-12-14 22:16:46 +00:00
|
|
|
return members, nil
|
2014-01-04 01:15:51 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (s *HTTPServer) AgentJoin(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
2016-12-14 17:33:57 +00:00
|
|
|
// Fetch the ACL token, if any, and enforce agent policy.
|
|
|
|
var token string
|
|
|
|
s.parseToken(req, &token)
|
2017-08-23 14:52:48 +00:00
|
|
|
rule, err := s.agent.resolveToken(token)
|
2016-12-14 17:33:57 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2019-10-15 20:58:50 +00:00
|
|
|
if rule != nil && rule.AgentWrite(s.agent.config.NodeName, nil) != acl.Allow {
|
2017-08-23 14:52:48 +00:00
|
|
|
return nil, acl.ErrPermissionDenied
|
2016-12-14 17:33:57 +00:00
|
|
|
}
|
|
|
|
|
2014-01-04 01:15:51 +00:00
|
|
|
// Check if the WAN is being queried
|
|
|
|
wan := false
|
|
|
|
if other := req.URL.Query().Get("wan"); other != "" {
|
|
|
|
wan = true
|
|
|
|
}
|
|
|
|
|
|
|
|
// Get the address
|
|
|
|
addr := strings.TrimPrefix(req.URL.Path, "/v1/agent/join/")
|
2020-03-09 20:59:02 +00:00
|
|
|
|
2014-01-04 01:15:51 +00:00
|
|
|
if wan {
|
2020-03-09 20:59:02 +00:00
|
|
|
if s.agent.config.ConnectMeshGatewayWANFederationEnabled {
|
|
|
|
return nil, fmt.Errorf("WAN join is disabled when wan federation via mesh gateways is enabled")
|
|
|
|
}
|
2017-04-21 01:59:42 +00:00
|
|
|
_, err = s.agent.JoinWAN([]string{addr})
|
2014-01-04 01:15:51 +00:00
|
|
|
} else {
|
2017-04-21 01:59:42 +00:00
|
|
|
_, err = s.agent.JoinLAN([]string{addr})
|
2014-01-04 01:15:51 +00:00
|
|
|
}
|
2017-04-21 01:59:42 +00:00
|
|
|
return nil, err
|
2014-01-04 01:15:51 +00:00
|
|
|
}
|
|
|
|
|
2016-11-30 18:29:42 +00:00
|
|
|
func (s *HTTPServer) AgentLeave(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
2016-12-14 17:33:57 +00:00
|
|
|
// Fetch the ACL token, if any, and enforce agent policy.
|
|
|
|
var token string
|
|
|
|
s.parseToken(req, &token)
|
2017-08-23 14:52:48 +00:00
|
|
|
rule, err := s.agent.resolveToken(token)
|
2016-12-14 17:33:57 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2019-10-15 20:58:50 +00:00
|
|
|
if rule != nil && rule.AgentWrite(s.agent.config.NodeName, nil) != acl.Allow {
|
2017-08-23 14:52:48 +00:00
|
|
|
return nil, acl.ErrPermissionDenied
|
2016-12-14 17:33:57 +00:00
|
|
|
}
|
|
|
|
|
2016-11-30 18:29:42 +00:00
|
|
|
if err := s.agent.Leave(); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2017-06-20 07:29:20 +00:00
|
|
|
return nil, s.agent.ShutdownAgent()
|
2016-11-30 18:29:42 +00:00
|
|
|
}
|
|
|
|
|
2014-01-04 01:15:51 +00:00
|
|
|
func (s *HTTPServer) AgentForceLeave(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
2016-12-14 17:33:57 +00:00
|
|
|
// Fetch the ACL token, if any, and enforce agent policy.
|
|
|
|
var token string
|
|
|
|
s.parseToken(req, &token)
|
2017-08-23 14:52:48 +00:00
|
|
|
rule, err := s.agent.resolveToken(token)
|
2016-12-14 17:33:57 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2020-01-14 22:40:34 +00:00
|
|
|
if rule != nil && rule.OperatorWrite(nil) != acl.Allow {
|
2017-08-23 14:52:48 +00:00
|
|
|
return nil, acl.ErrPermissionDenied
|
2016-12-14 17:33:57 +00:00
|
|
|
}
|
|
|
|
|
2019-10-04 21:10:02 +00:00
|
|
|
//Check the value of the prune query
|
|
|
|
_, prune := req.URL.Query()["prune"]
|
|
|
|
|
2014-01-04 01:15:51 +00:00
|
|
|
addr := strings.TrimPrefix(req.URL.Path, "/v1/agent/force-leave/")
|
2019-10-04 21:10:02 +00:00
|
|
|
return nil, s.agent.ForceLeave(addr, prune)
|
2014-01-04 01:15:51 +00:00
|
|
|
}
|
2014-01-30 22:58:36 +00:00
|
|
|
|
2016-12-14 17:33:57 +00:00
|
|
|
// syncChanges is a helper function which wraps a blocking call to sync
|
|
|
|
// services and checks to the server. If the operation fails, we only
|
|
|
|
// only warn because the write did succeed and anti-entropy will sync later.
|
|
|
|
func (s *HTTPServer) syncChanges() {
|
2017-08-28 12:17:13 +00:00
|
|
|
if err := s.agent.State.SyncChanges(); err != nil {
|
2020-01-28 23:50:41 +00:00
|
|
|
s.agent.logger.Error("failed to sync changes", "error", err)
|
2016-12-14 17:33:57 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-01-30 22:58:36 +00:00
|
|
|
func (s *HTTPServer) AgentRegisterCheck(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
2019-12-18 18:46:53 +00:00
|
|
|
var token string
|
|
|
|
s.parseToken(req, &token)
|
|
|
|
|
2017-06-15 16:46:06 +00:00
|
|
|
var args structs.CheckDefinition
|
2019-12-10 02:26:41 +00:00
|
|
|
if err := s.parseEntMetaNoWildcard(req, &args.EnterpriseMeta); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2019-10-29 18:13:36 +00:00
|
|
|
|
|
|
|
if err := decodeBody(req.Body, &args); err != nil {
|
2017-08-23 19:19:11 +00:00
|
|
|
resp.WriteHeader(http.StatusBadRequest)
|
Use fmt.Fprint/Fprintf/Fprintln
Used the following rewrite rules:
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b, c, d))) -> fmt.Fprintf(resp, a, b, c, d)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b, c))) -> fmt.Fprintf(resp, a, b, c)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b))) -> fmt.Fprintf(resp, a, b)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a))) -> fmt.Fprint(resp, a)' *.go
gofmt -w -r 'resp.Write([]byte(a + "\n")) -> fmt.Fprintln(resp, a)' *.go
gofmt -w -r 'resp.Write([]byte(a)) -> fmt.Fprint(resp, a)' *.go
2017-04-20 14:07:42 +00:00
|
|
|
fmt.Fprintf(resp, "Request decode failed: %v", err)
|
2014-01-30 23:35:38 +00:00
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
2016-12-14 22:16:46 +00:00
|
|
|
// Verify the check has a name.
|
2014-01-30 23:35:38 +00:00
|
|
|
if args.Name == "" {
|
2017-08-23 19:19:11 +00:00
|
|
|
resp.WriteHeader(http.StatusBadRequest)
|
Use fmt.Fprint/Fprintf/Fprintln
Used the following rewrite rules:
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b, c, d))) -> fmt.Fprintf(resp, a, b, c, d)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b, c))) -> fmt.Fprintf(resp, a, b, c)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b))) -> fmt.Fprintf(resp, a, b)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a))) -> fmt.Fprint(resp, a)' *.go
gofmt -w -r 'resp.Write([]byte(a + "\n")) -> fmt.Fprintln(resp, a)' *.go
gofmt -w -r 'resp.Write([]byte(a)) -> fmt.Fprint(resp, a)' *.go
2017-04-20 14:07:42 +00:00
|
|
|
fmt.Fprint(resp, "Missing check name")
|
2014-01-30 23:35:38 +00:00
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
2015-04-12 00:53:48 +00:00
|
|
|
if args.Status != "" && !structs.ValidStatus(args.Status) {
|
2017-08-23 19:19:11 +00:00
|
|
|
resp.WriteHeader(http.StatusBadRequest)
|
Use fmt.Fprint/Fprintf/Fprintln
Used the following rewrite rules:
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b, c, d))) -> fmt.Fprintf(resp, a, b, c, d)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b, c))) -> fmt.Fprintf(resp, a, b, c)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b))) -> fmt.Fprintf(resp, a, b)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a))) -> fmt.Fprint(resp, a)' *.go
gofmt -w -r 'resp.Write([]byte(a + "\n")) -> fmt.Fprintln(resp, a)' *.go
gofmt -w -r 'resp.Write([]byte(a)) -> fmt.Fprint(resp, a)' *.go
2017-04-20 14:07:42 +00:00
|
|
|
fmt.Fprint(resp, "Bad check status")
|
2015-04-12 00:53:48 +00:00
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
2019-12-18 18:46:53 +00:00
|
|
|
authz, err := s.agent.resolveTokenAndDefaultMeta(token, &args.EnterpriseMeta, nil)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2016-12-14 22:16:46 +00:00
|
|
|
// Construct the health check.
|
2014-02-03 23:15:35 +00:00
|
|
|
health := args.HealthCheck(s.agent.config.NodeName)
|
2014-01-30 23:35:38 +00:00
|
|
|
|
2016-12-14 22:16:46 +00:00
|
|
|
// Verify the check type.
|
2017-05-15 19:49:13 +00:00
|
|
|
chkType := args.CheckType()
|
2019-12-18 18:46:53 +00:00
|
|
|
err = chkType.Validate()
|
2017-10-10 23:54:06 +00:00
|
|
|
if err != nil {
|
2017-08-23 19:19:11 +00:00
|
|
|
resp.WriteHeader(http.StatusBadRequest)
|
2017-10-10 23:54:06 +00:00
|
|
|
fmt.Fprint(resp, fmt.Errorf("Invalid check: %v", err))
|
2014-01-30 23:35:38 +00:00
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
2019-10-17 18:33:11 +00:00
|
|
|
// Store the type of check based on the definition
|
|
|
|
health.Type = chkType.Type()
|
|
|
|
|
2019-04-30 23:00:57 +00:00
|
|
|
if health.ServiceID != "" {
|
|
|
|
// fixup the service name so that vetCheckRegister requires the right ACLs
|
2019-12-10 02:26:41 +00:00
|
|
|
service := s.agent.State.Service(health.CompoundServiceID())
|
2019-04-30 23:00:57 +00:00
|
|
|
if service != nil {
|
|
|
|
health.ServiceName = service.Service
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-12-14 22:16:46 +00:00
|
|
|
// Get the provided token, if any, and vet against any ACL policies.
|
2019-12-18 18:46:53 +00:00
|
|
|
if err := s.agent.vetCheckRegisterWithAuthorizer(authz, health); err != nil {
|
2016-12-14 22:16:46 +00:00
|
|
|
return nil, err
|
|
|
|
}
|
2015-04-28 01:26:23 +00:00
|
|
|
|
2016-12-14 22:16:46 +00:00
|
|
|
// Add the check.
|
2018-10-11 12:22:11 +00:00
|
|
|
if err := s.agent.AddCheck(health, chkType, true, token, ConfigSourceRemote); err != nil {
|
2015-02-20 23:45:06 +00:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
s.syncChanges()
|
|
|
|
return nil, nil
|
2014-01-30 22:58:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (s *HTTPServer) AgentDeregisterCheck(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
2019-12-10 02:26:41 +00:00
|
|
|
checkID := structs.NewCheckID(types.CheckID(strings.TrimPrefix(req.URL.Path, "/v1/agent/check/deregister/")), nil)
|
2016-12-14 22:16:46 +00:00
|
|
|
|
|
|
|
// Get the provided token, if any, and vet against any ACL policies.
|
|
|
|
var token string
|
|
|
|
s.parseToken(req, &token)
|
2019-12-10 02:26:41 +00:00
|
|
|
|
|
|
|
if err := s.parseEntMetaNoWildcard(req, &checkID.EnterpriseMeta); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2019-12-18 18:46:53 +00:00
|
|
|
authz, err := s.agent.resolveTokenAndDefaultMeta(token, &checkID.EnterpriseMeta, nil)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2019-12-10 02:26:41 +00:00
|
|
|
checkID.Normalize()
|
|
|
|
|
2019-12-18 18:46:53 +00:00
|
|
|
if err := s.agent.vetCheckUpdateWithAuthorizer(authz, checkID); err != nil {
|
2016-12-14 22:16:46 +00:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2015-02-20 23:45:06 +00:00
|
|
|
if err := s.agent.RemoveCheck(checkID, true); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
s.syncChanges()
|
|
|
|
return nil, nil
|
2014-01-30 22:58:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (s *HTTPServer) AgentCheckPass(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
2016-06-06 20:19:31 +00:00
|
|
|
checkID := types.CheckID(strings.TrimPrefix(req.URL.Path, "/v1/agent/check/pass/"))
|
2014-01-30 23:18:05 +00:00
|
|
|
note := req.URL.Query().Get("note")
|
2019-12-10 02:26:41 +00:00
|
|
|
return s.agentCheckUpdate(resp, req, checkID, api.HealthPassing, note)
|
2014-01-30 22:58:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (s *HTTPServer) AgentCheckWarn(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
2016-06-06 20:19:31 +00:00
|
|
|
checkID := types.CheckID(strings.TrimPrefix(req.URL.Path, "/v1/agent/check/warn/"))
|
2014-01-30 23:18:05 +00:00
|
|
|
note := req.URL.Query().Get("note")
|
2016-12-14 22:16:46 +00:00
|
|
|
|
2019-12-10 02:26:41 +00:00
|
|
|
return s.agentCheckUpdate(resp, req, checkID, api.HealthWarning, note)
|
2016-12-14 22:16:46 +00:00
|
|
|
|
2014-01-30 22:58:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (s *HTTPServer) AgentCheckFail(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
2016-06-06 20:19:31 +00:00
|
|
|
checkID := types.CheckID(strings.TrimPrefix(req.URL.Path, "/v1/agent/check/fail/"))
|
2014-01-30 23:18:05 +00:00
|
|
|
note := req.URL.Query().Get("note")
|
2016-12-14 22:16:46 +00:00
|
|
|
|
2019-12-10 02:26:41 +00:00
|
|
|
return s.agentCheckUpdate(resp, req, checkID, api.HealthCritical, note)
|
2014-01-30 22:58:36 +00:00
|
|
|
}
|
|
|
|
|
2016-03-03 01:08:06 +00:00
|
|
|
// checkUpdate is the payload for a PUT to AgentCheckUpdate.
|
|
|
|
type checkUpdate struct {
|
2017-04-19 23:00:11 +00:00
|
|
|
// Status us one of the api.Health* states, "passing", "warning", or
|
2016-03-03 01:08:06 +00:00
|
|
|
// "critical".
|
|
|
|
Status string
|
|
|
|
|
|
|
|
// Output is the information to post to the UI for operators as the
|
|
|
|
// output of the process that decided to hit the TTL check. This is
|
|
|
|
// different from the note field that's associated with the check
|
|
|
|
// itself.
|
|
|
|
Output string
|
|
|
|
}
|
|
|
|
|
|
|
|
// AgentCheckUpdate is a PUT-based alternative to the GET-based Pass/Warn/Fail
|
|
|
|
// APIs.
|
|
|
|
func (s *HTTPServer) AgentCheckUpdate(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
|
|
|
var update checkUpdate
|
2019-10-29 18:13:36 +00:00
|
|
|
if err := decodeBody(req.Body, &update); err != nil {
|
2017-08-23 19:19:11 +00:00
|
|
|
resp.WriteHeader(http.StatusBadRequest)
|
Use fmt.Fprint/Fprintf/Fprintln
Used the following rewrite rules:
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b, c, d))) -> fmt.Fprintf(resp, a, b, c, d)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b, c))) -> fmt.Fprintf(resp, a, b, c)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b))) -> fmt.Fprintf(resp, a, b)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a))) -> fmt.Fprint(resp, a)' *.go
gofmt -w -r 'resp.Write([]byte(a + "\n")) -> fmt.Fprintln(resp, a)' *.go
gofmt -w -r 'resp.Write([]byte(a)) -> fmt.Fprint(resp, a)' *.go
2017-04-20 14:07:42 +00:00
|
|
|
fmt.Fprintf(resp, "Request decode failed: %v", err)
|
2016-03-03 01:08:06 +00:00
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
switch update.Status {
|
2017-04-19 23:00:11 +00:00
|
|
|
case api.HealthPassing:
|
|
|
|
case api.HealthWarning:
|
|
|
|
case api.HealthCritical:
|
2016-03-03 01:08:06 +00:00
|
|
|
default:
|
2017-08-23 19:19:11 +00:00
|
|
|
resp.WriteHeader(http.StatusBadRequest)
|
Use fmt.Fprint/Fprintf/Fprintln
Used the following rewrite rules:
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b, c, d))) -> fmt.Fprintf(resp, a, b, c, d)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b, c))) -> fmt.Fprintf(resp, a, b, c)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b))) -> fmt.Fprintf(resp, a, b)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a))) -> fmt.Fprint(resp, a)' *.go
gofmt -w -r 'resp.Write([]byte(a + "\n")) -> fmt.Fprintln(resp, a)' *.go
gofmt -w -r 'resp.Write([]byte(a)) -> fmt.Fprint(resp, a)' *.go
2017-04-20 14:07:42 +00:00
|
|
|
fmt.Fprintf(resp, "Invalid check status: '%s'", update.Status)
|
2016-03-03 01:08:06 +00:00
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
2016-06-06 20:19:31 +00:00
|
|
|
checkID := types.CheckID(strings.TrimPrefix(req.URL.Path, "/v1/agent/check/update/"))
|
2016-12-14 22:16:46 +00:00
|
|
|
|
2019-12-10 02:26:41 +00:00
|
|
|
return s.agentCheckUpdate(resp, req, checkID, update.Status, update.Output)
|
|
|
|
}
|
|
|
|
|
2020-06-23 17:18:22 +00:00
|
|
|
func (s *HTTPServer) agentCheckUpdate(_resp http.ResponseWriter, req *http.Request, checkID types.CheckID, status string, output string) (interface{}, error) {
|
2019-12-10 02:26:41 +00:00
|
|
|
cid := structs.NewCheckID(checkID, nil)
|
|
|
|
|
2016-12-14 22:16:46 +00:00
|
|
|
// Get the provided token, if any, and vet against any ACL policies.
|
|
|
|
var token string
|
|
|
|
s.parseToken(req, &token)
|
2019-12-10 02:26:41 +00:00
|
|
|
|
|
|
|
if err := s.parseEntMetaNoWildcard(req, &cid.EnterpriseMeta); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2019-12-18 18:46:53 +00:00
|
|
|
authz, err := s.agent.resolveTokenAndDefaultMeta(token, &cid.EnterpriseMeta, nil)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2019-12-10 02:26:41 +00:00
|
|
|
cid.Normalize()
|
|
|
|
|
2019-12-18 18:46:53 +00:00
|
|
|
if err := s.agent.vetCheckUpdateWithAuthorizer(authz, cid); err != nil {
|
2016-12-14 22:16:46 +00:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2019-12-10 02:26:41 +00:00
|
|
|
if err := s.agent.updateTTLCheck(cid, status, output); err != nil {
|
2016-03-03 01:08:06 +00:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
s.syncChanges()
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
2019-01-07 14:39:23 +00:00
|
|
|
// agentHealthService Returns Health for a given service ID
|
2019-12-10 02:26:41 +00:00
|
|
|
func agentHealthService(serviceID structs.ServiceID, s *HTTPServer) (int, string, api.HealthChecks) {
|
|
|
|
checks := s.agent.State.ChecksForService(serviceID, true)
|
2019-01-07 14:39:23 +00:00
|
|
|
serviceChecks := make(api.HealthChecks, 0)
|
|
|
|
for _, c := range checks {
|
2019-12-10 02:26:41 +00:00
|
|
|
// TODO: harmonize struct.HealthCheck and api.HealthCheck (or at least extract conversion function)
|
|
|
|
healthCheck := &api.HealthCheck{
|
|
|
|
Node: c.Node,
|
|
|
|
CheckID: string(c.CheckID),
|
|
|
|
Name: c.Name,
|
|
|
|
Status: c.Status,
|
|
|
|
Notes: c.Notes,
|
|
|
|
Output: c.Output,
|
|
|
|
ServiceID: c.ServiceID,
|
|
|
|
ServiceName: c.ServiceName,
|
|
|
|
ServiceTags: c.ServiceTags,
|
2019-01-07 14:39:23 +00:00
|
|
|
}
|
2019-12-10 02:26:41 +00:00
|
|
|
fillHealthCheckEnterpriseMeta(healthCheck, &c.EnterpriseMeta)
|
|
|
|
serviceChecks = append(serviceChecks, healthCheck)
|
2019-01-07 14:39:23 +00:00
|
|
|
}
|
|
|
|
status := serviceChecks.AggregatedStatus()
|
|
|
|
switch status {
|
|
|
|
case api.HealthWarning:
|
|
|
|
return http.StatusTooManyRequests, status, serviceChecks
|
|
|
|
case api.HealthPassing:
|
|
|
|
return http.StatusOK, status, serviceChecks
|
|
|
|
default:
|
|
|
|
return http.StatusServiceUnavailable, status, serviceChecks
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func returnTextPlain(req *http.Request) bool {
|
|
|
|
if contentType := req.Header.Get("Accept"); strings.HasPrefix(contentType, "text/plain") {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
if format := req.URL.Query().Get("format"); format != "" {
|
|
|
|
return format == "text"
|
|
|
|
}
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
// AgentHealthServiceByID return the local Service Health given its ID
|
|
|
|
func (s *HTTPServer) AgentHealthServiceByID(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
|
|
|
// Pull out the service id (service id since there may be several instance of the same service on this host)
|
|
|
|
serviceID := strings.TrimPrefix(req.URL.Path, "/v1/agent/health/service/id/")
|
|
|
|
if serviceID == "" {
|
|
|
|
return nil, &BadRequestError{Reason: "Missing serviceID"}
|
|
|
|
}
|
2019-12-10 02:26:41 +00:00
|
|
|
|
|
|
|
var entMeta structs.EnterpriseMeta
|
|
|
|
if err := s.parseEntMetaNoWildcard(req, &entMeta); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2020-01-31 14:57:38 +00:00
|
|
|
var token string
|
|
|
|
s.parseToken(req, &token)
|
|
|
|
|
|
|
|
// need to resolve to default the meta
|
|
|
|
var authzContext acl.AuthorizerContext
|
|
|
|
authz, err := s.agent.resolveTokenAndDefaultMeta(token, &entMeta, &authzContext)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2020-04-15 16:03:29 +00:00
|
|
|
sid := structs.NewServiceID(serviceID, &entMeta)
|
2019-12-10 02:26:41 +00:00
|
|
|
|
|
|
|
if service := s.agent.State.Service(sid); service != nil {
|
2020-01-31 14:57:38 +00:00
|
|
|
if authz != nil && authz.ServiceRead(service.Service, &authzContext) != acl.Allow {
|
|
|
|
return nil, acl.ErrPermissionDenied
|
|
|
|
}
|
2019-12-10 02:26:41 +00:00
|
|
|
code, status, healthChecks := agentHealthService(sid, s)
|
|
|
|
if returnTextPlain(req) {
|
|
|
|
return status, CodeWithPayloadError{StatusCode: code, Reason: status, ContentType: "text/plain"}
|
|
|
|
}
|
|
|
|
serviceInfo := buildAgentService(service)
|
|
|
|
result := &api.AgentServiceChecksInfo{
|
|
|
|
AggregatedStatus: status,
|
|
|
|
Checks: healthChecks,
|
|
|
|
Service: &serviceInfo,
|
2019-01-07 14:39:23 +00:00
|
|
|
}
|
2019-12-10 02:26:41 +00:00
|
|
|
return result, CodeWithPayloadError{StatusCode: code, Reason: status, ContentType: "application/json"}
|
2019-01-07 14:39:23 +00:00
|
|
|
}
|
2019-12-10 02:26:41 +00:00
|
|
|
notFoundReason := fmt.Sprintf("ServiceId %s not found", sid.String())
|
2019-01-07 14:39:23 +00:00
|
|
|
if returnTextPlain(req) {
|
2019-12-10 02:26:41 +00:00
|
|
|
return notFoundReason, CodeWithPayloadError{StatusCode: http.StatusNotFound, Reason: notFoundReason, ContentType: "application/json"}
|
2019-01-07 14:39:23 +00:00
|
|
|
}
|
|
|
|
return &api.AgentServiceChecksInfo{
|
|
|
|
AggregatedStatus: api.HealthCritical,
|
|
|
|
Checks: nil,
|
|
|
|
Service: nil,
|
|
|
|
}, CodeWithPayloadError{StatusCode: http.StatusNotFound, Reason: notFoundReason, ContentType: "application/json"}
|
|
|
|
}
|
|
|
|
|
|
|
|
// AgentHealthServiceByName return the worse status of all the services with given name on an agent
|
|
|
|
func (s *HTTPServer) AgentHealthServiceByName(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
|
|
|
// Pull out the service name
|
|
|
|
serviceName := strings.TrimPrefix(req.URL.Path, "/v1/agent/health/service/name/")
|
|
|
|
if serviceName == "" {
|
|
|
|
return nil, &BadRequestError{Reason: "Missing service Name"}
|
|
|
|
}
|
2019-12-10 02:26:41 +00:00
|
|
|
|
|
|
|
var entMeta structs.EnterpriseMeta
|
|
|
|
if err := s.parseEntMetaNoWildcard(req, &entMeta); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2020-01-31 14:57:38 +00:00
|
|
|
var token string
|
|
|
|
s.parseToken(req, &token)
|
|
|
|
|
|
|
|
// need to resolve to default the meta
|
|
|
|
var authzContext acl.AuthorizerContext
|
|
|
|
authz, err := s.agent.resolveTokenAndDefaultMeta(token, &entMeta, &authzContext)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
if authz != nil && authz.ServiceRead(serviceName, &authzContext) != acl.Allow {
|
|
|
|
return nil, acl.ErrPermissionDenied
|
|
|
|
}
|
|
|
|
|
2019-01-07 14:39:23 +00:00
|
|
|
code := http.StatusNotFound
|
|
|
|
status := fmt.Sprintf("ServiceName %s Not Found", serviceName)
|
2019-12-10 02:26:41 +00:00
|
|
|
services := s.agent.State.Services(&entMeta)
|
2019-01-07 14:39:23 +00:00
|
|
|
result := make([]api.AgentServiceChecksInfo, 0, 16)
|
|
|
|
for _, service := range services {
|
|
|
|
if service.Service == serviceName {
|
2020-04-15 16:03:29 +00:00
|
|
|
sid := structs.NewServiceID(service.ID, &entMeta)
|
2019-12-10 02:26:41 +00:00
|
|
|
|
|
|
|
scode, sstatus, healthChecks := agentHealthService(sid, s)
|
2019-08-09 19:19:30 +00:00
|
|
|
serviceInfo := buildAgentService(service)
|
2019-01-07 14:39:23 +00:00
|
|
|
res := api.AgentServiceChecksInfo{
|
|
|
|
AggregatedStatus: sstatus,
|
|
|
|
Checks: healthChecks,
|
|
|
|
Service: &serviceInfo,
|
|
|
|
}
|
|
|
|
result = append(result, res)
|
|
|
|
// When service is not found, we ignore it and keep existing HTTP status
|
|
|
|
if code == http.StatusNotFound {
|
|
|
|
code = scode
|
|
|
|
status = sstatus
|
|
|
|
}
|
|
|
|
// We take the worst of all statuses, so we keep iterating
|
|
|
|
// passing: 200 < warning: 429 < critical: 503
|
|
|
|
if code < scode {
|
|
|
|
code = scode
|
|
|
|
status = sstatus
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if returnTextPlain(req) {
|
|
|
|
return status, CodeWithPayloadError{StatusCode: code, Reason: status, ContentType: "text/plain"}
|
|
|
|
}
|
|
|
|
return result, CodeWithPayloadError{StatusCode: code, Reason: status, ContentType: "application/json"}
|
|
|
|
}
|
|
|
|
|
2014-01-30 22:58:36 +00:00
|
|
|
func (s *HTTPServer) AgentRegisterService(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
2017-06-15 16:46:06 +00:00
|
|
|
var args structs.ServiceDefinition
|
2016-12-14 22:16:46 +00:00
|
|
|
// Fixup the type decode of TTL or Interval if a check if provided.
|
2014-04-25 02:44:27 +00:00
|
|
|
|
2019-12-10 02:26:41 +00:00
|
|
|
if err := s.parseEntMetaNoWildcard(req, &args.EnterpriseMeta); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2019-10-29 18:13:36 +00:00
|
|
|
if err := decodeBody(req.Body, &args); err != nil {
|
2017-08-23 19:19:11 +00:00
|
|
|
resp.WriteHeader(http.StatusBadRequest)
|
Use fmt.Fprint/Fprintf/Fprintln
Used the following rewrite rules:
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b, c, d))) -> fmt.Fprintf(resp, a, b, c, d)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b, c))) -> fmt.Fprintf(resp, a, b, c)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b))) -> fmt.Fprintf(resp, a, b)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a))) -> fmt.Fprint(resp, a)' *.go
gofmt -w -r 'resp.Write([]byte(a + "\n")) -> fmt.Fprintln(resp, a)' *.go
gofmt -w -r 'resp.Write([]byte(a)) -> fmt.Fprint(resp, a)' *.go
2017-04-20 14:07:42 +00:00
|
|
|
fmt.Fprintf(resp, "Request decode failed: %v", err)
|
2014-01-30 23:35:38 +00:00
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
2016-12-14 22:16:46 +00:00
|
|
|
// Verify the service has a name.
|
2014-01-30 23:35:38 +00:00
|
|
|
if args.Name == "" {
|
2017-08-23 19:19:11 +00:00
|
|
|
resp.WriteHeader(http.StatusBadRequest)
|
Use fmt.Fprint/Fprintf/Fprintln
Used the following rewrite rules:
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b, c, d))) -> fmt.Fprintf(resp, a, b, c, d)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b, c))) -> fmt.Fprintf(resp, a, b, c)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b))) -> fmt.Fprintf(resp, a, b)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a))) -> fmt.Fprint(resp, a)' *.go
gofmt -w -r 'resp.Write([]byte(a + "\n")) -> fmt.Fprintln(resp, a)' *.go
gofmt -w -r 'resp.Write([]byte(a)) -> fmt.Fprint(resp, a)' *.go
2017-04-20 14:07:42 +00:00
|
|
|
fmt.Fprint(resp, "Missing service name")
|
2014-01-30 23:35:38 +00:00
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
2017-05-08 16:34:45 +00:00
|
|
|
// Check the service address here and in the catalog RPC endpoint
|
2018-03-19 16:56:00 +00:00
|
|
|
// since service registration isn't synchronous.
|
2017-05-15 20:10:36 +00:00
|
|
|
if ipaddr.IsAny(args.Address) {
|
2017-08-23 19:19:11 +00:00
|
|
|
resp.WriteHeader(http.StatusBadRequest)
|
2017-05-08 16:34:45 +00:00
|
|
|
fmt.Fprintf(resp, "Invalid service address")
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
2019-12-18 18:46:53 +00:00
|
|
|
var token string
|
|
|
|
s.parseToken(req, &token)
|
|
|
|
|
|
|
|
authz, err := s.agent.resolveTokenAndDefaultMeta(token, &args.EnterpriseMeta, nil)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2016-12-14 22:16:46 +00:00
|
|
|
// Get the node service.
|
2014-02-03 23:15:35 +00:00
|
|
|
ns := args.NodeService()
|
2018-09-07 14:30:47 +00:00
|
|
|
if ns.Weights != nil {
|
|
|
|
if err := structs.ValidateWeights(ns.Weights); err != nil {
|
|
|
|
resp.WriteHeader(http.StatusBadRequest)
|
|
|
|
fmt.Fprint(resp, fmt.Errorf("Invalid Weights: %v", err))
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
}
|
2020-03-09 20:59:02 +00:00
|
|
|
if err := structs.ValidateServiceMetadata(ns.Kind, ns.Meta, false); err != nil {
|
2018-02-07 00:54:42 +00:00
|
|
|
resp.WriteHeader(http.StatusBadRequest)
|
2018-03-27 20:22:42 +00:00
|
|
|
fmt.Fprint(resp, fmt.Errorf("Invalid Service Meta: %v", err))
|
2018-02-07 00:54:42 +00:00
|
|
|
return nil, nil
|
|
|
|
}
|
2014-01-30 23:35:38 +00:00
|
|
|
|
2018-03-11 01:42:30 +00:00
|
|
|
// Run validation. This is the same validation that would happen on
|
|
|
|
// the catalog endpoint so it helps ensure the sync will work properly.
|
|
|
|
if err := ns.Validate(); err != nil {
|
|
|
|
resp.WriteHeader(http.StatusBadRequest)
|
2020-05-14 18:41:20 +00:00
|
|
|
fmt.Fprint(resp, err.Error())
|
2018-03-11 01:42:30 +00:00
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
2016-12-14 22:16:46 +00:00
|
|
|
// Verify the check type.
|
2017-10-10 23:54:06 +00:00
|
|
|
chkTypes, err := args.CheckTypes()
|
|
|
|
if err != nil {
|
|
|
|
resp.WriteHeader(http.StatusBadRequest)
|
|
|
|
fmt.Fprint(resp, fmt.Errorf("Invalid check: %v", err))
|
|
|
|
return nil, nil
|
|
|
|
}
|
2015-01-14 01:52:17 +00:00
|
|
|
for _, check := range chkTypes {
|
2015-04-12 00:53:48 +00:00
|
|
|
if check.Status != "" && !structs.ValidStatus(check.Status) {
|
2017-08-23 19:19:11 +00:00
|
|
|
resp.WriteHeader(http.StatusBadRequest)
|
Use fmt.Fprint/Fprintf/Fprintln
Used the following rewrite rules:
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b, c, d))) -> fmt.Fprintf(resp, a, b, c, d)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b, c))) -> fmt.Fprintf(resp, a, b, c)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b))) -> fmt.Fprintf(resp, a, b)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a))) -> fmt.Fprint(resp, a)' *.go
gofmt -w -r 'resp.Write([]byte(a + "\n")) -> fmt.Fprintln(resp, a)' *.go
gofmt -w -r 'resp.Write([]byte(a)) -> fmt.Fprint(resp, a)' *.go
2017-04-20 14:07:42 +00:00
|
|
|
fmt.Fprint(resp, "Status for checks must 'passing', 'warning', 'critical'")
|
2015-04-12 00:53:48 +00:00
|
|
|
return nil, nil
|
|
|
|
}
|
2014-01-30 23:35:38 +00:00
|
|
|
}
|
|
|
|
|
2018-09-27 13:33:12 +00:00
|
|
|
// Verify the sidecar check types
|
|
|
|
if args.Connect != nil && args.Connect.SidecarService != nil {
|
|
|
|
chkTypes, err := args.Connect.SidecarService.CheckTypes()
|
|
|
|
if err != nil {
|
|
|
|
return nil, &BadRequestError{
|
|
|
|
Reason: fmt.Sprintf("Invalid check in sidecar_service: %v", err),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
for _, check := range chkTypes {
|
|
|
|
if check.Status != "" && !structs.ValidStatus(check.Status) {
|
|
|
|
return nil, &BadRequestError{
|
|
|
|
Reason: "Status for checks must 'passing', 'warning', 'critical'",
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-12-14 22:16:46 +00:00
|
|
|
// Get the provided token, if any, and vet against any ACL policies.
|
2019-12-18 18:46:53 +00:00
|
|
|
if err := s.agent.vetServiceRegisterWithAuthorizer(authz, ns); err != nil {
|
2016-12-14 22:16:46 +00:00
|
|
|
return nil, err
|
|
|
|
}
|
2015-04-28 01:26:23 +00:00
|
|
|
|
2018-09-27 13:33:12 +00:00
|
|
|
// See if we have a sidecar to register too
|
|
|
|
sidecar, sidecarChecks, sidecarToken, err := s.agent.sidecarServiceFromNodeService(ns, token)
|
|
|
|
if err != nil {
|
|
|
|
return nil, &BadRequestError{
|
|
|
|
Reason: fmt.Sprintf("Invalid SidecarService: %s", err)}
|
|
|
|
}
|
|
|
|
if sidecar != nil {
|
2018-10-09 16:57:26 +00:00
|
|
|
// Make sure we are allowed to register the sidecar using the token
|
2018-09-27 13:33:12 +00:00
|
|
|
// specified (might be specific to sidecar or the same one as the overall
|
|
|
|
// request).
|
|
|
|
if err := s.agent.vetServiceRegister(sidecarToken, sidecar); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
// We parsed the sidecar registration, now remove it from the NodeService
|
|
|
|
// for the actual service since it's done it's job and we don't want to
|
|
|
|
// persist it in the actual state/catalog. SidecarService is meant to be a
|
|
|
|
// registration syntax sugar so don't propagate it any further.
|
|
|
|
ns.Connect.SidecarService = nil
|
|
|
|
}
|
|
|
|
|
2016-12-14 22:16:46 +00:00
|
|
|
// Add the service.
|
2019-09-02 15:38:29 +00:00
|
|
|
replaceExistingChecks := false
|
|
|
|
|
|
|
|
query := req.URL.Query()
|
|
|
|
if len(query["replace-existing-checks"]) > 0 && (query.Get("replace-existing-checks") == "" || query.Get("replace-existing-checks") == "true") {
|
|
|
|
replaceExistingChecks = true
|
|
|
|
}
|
|
|
|
|
|
|
|
if replaceExistingChecks {
|
|
|
|
if err := s.agent.AddServiceAndReplaceChecks(ns, chkTypes, true, token, ConfigSourceRemote); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
if err := s.agent.AddService(ns, chkTypes, true, token, ConfigSourceRemote); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2015-02-20 23:45:06 +00:00
|
|
|
}
|
2018-09-27 13:33:12 +00:00
|
|
|
// Add sidecar.
|
|
|
|
if sidecar != nil {
|
2019-09-24 15:04:48 +00:00
|
|
|
if replaceExistingChecks {
|
|
|
|
if err := s.agent.AddServiceAndReplaceChecks(sidecar, sidecarChecks, true, sidecarToken, ConfigSourceRemote); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
if err := s.agent.AddService(sidecar, sidecarChecks, true, sidecarToken, ConfigSourceRemote); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2018-09-27 13:33:12 +00:00
|
|
|
}
|
|
|
|
}
|
2015-02-20 23:45:06 +00:00
|
|
|
s.syncChanges()
|
|
|
|
return nil, nil
|
2014-01-30 22:58:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (s *HTTPServer) AgentDeregisterService(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
2019-12-10 02:26:41 +00:00
|
|
|
sid := structs.NewServiceID(strings.TrimPrefix(req.URL.Path, "/v1/agent/service/deregister/"), nil)
|
2016-12-14 22:16:46 +00:00
|
|
|
|
|
|
|
// Get the provided token, if any, and vet against any ACL policies.
|
|
|
|
var token string
|
|
|
|
s.parseToken(req, &token)
|
2019-12-10 02:26:41 +00:00
|
|
|
|
|
|
|
if err := s.parseEntMetaNoWildcard(req, &sid.EnterpriseMeta); err != nil {
|
2016-12-14 22:16:46 +00:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2019-12-18 18:46:53 +00:00
|
|
|
authz, err := s.agent.resolveTokenAndDefaultMeta(token, &sid.EnterpriseMeta, nil)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2019-12-10 02:26:41 +00:00
|
|
|
sid.Normalize()
|
|
|
|
|
2019-12-18 18:46:53 +00:00
|
|
|
if err := s.agent.vetServiceUpdateWithAuthorizer(authz, sid); err != nil {
|
2019-12-10 02:26:41 +00:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := s.agent.RemoveService(sid); err != nil {
|
2015-02-20 23:45:06 +00:00
|
|
|
return nil, err
|
|
|
|
}
|
2018-06-13 07:57:48 +00:00
|
|
|
|
2015-02-20 23:45:06 +00:00
|
|
|
s.syncChanges()
|
|
|
|
return nil, nil
|
2014-01-30 22:58:36 +00:00
|
|
|
}
|
2015-01-15 08:16:34 +00:00
|
|
|
|
|
|
|
func (s *HTTPServer) AgentServiceMaintenance(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
|
|
|
// Ensure we have a service ID
|
2019-12-10 02:26:41 +00:00
|
|
|
sid := structs.NewServiceID(strings.TrimPrefix(req.URL.Path, "/v1/agent/service/maintenance/"), nil)
|
|
|
|
|
|
|
|
if sid.ID == "" {
|
2017-08-23 19:19:11 +00:00
|
|
|
resp.WriteHeader(http.StatusBadRequest)
|
Use fmt.Fprint/Fprintf/Fprintln
Used the following rewrite rules:
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b, c, d))) -> fmt.Fprintf(resp, a, b, c, d)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b, c))) -> fmt.Fprintf(resp, a, b, c)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b))) -> fmt.Fprintf(resp, a, b)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a))) -> fmt.Fprint(resp, a)' *.go
gofmt -w -r 'resp.Write([]byte(a + "\n")) -> fmt.Fprintln(resp, a)' *.go
gofmt -w -r 'resp.Write([]byte(a)) -> fmt.Fprint(resp, a)' *.go
2017-04-20 14:07:42 +00:00
|
|
|
fmt.Fprint(resp, "Missing service ID")
|
2015-01-15 08:16:34 +00:00
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Ensure we have some action
|
|
|
|
params := req.URL.Query()
|
|
|
|
if _, ok := params["enable"]; !ok {
|
2017-08-23 19:19:11 +00:00
|
|
|
resp.WriteHeader(http.StatusBadRequest)
|
Use fmt.Fprint/Fprintf/Fprintln
Used the following rewrite rules:
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b, c, d))) -> fmt.Fprintf(resp, a, b, c, d)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b, c))) -> fmt.Fprintf(resp, a, b, c)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b))) -> fmt.Fprintf(resp, a, b)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a))) -> fmt.Fprint(resp, a)' *.go
gofmt -w -r 'resp.Write([]byte(a + "\n")) -> fmt.Fprintln(resp, a)' *.go
gofmt -w -r 'resp.Write([]byte(a)) -> fmt.Fprint(resp, a)' *.go
2017-04-20 14:07:42 +00:00
|
|
|
fmt.Fprint(resp, "Missing value for enable")
|
2015-01-15 08:16:34 +00:00
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
raw := params.Get("enable")
|
2015-01-21 17:53:31 +00:00
|
|
|
enable, err := strconv.ParseBool(raw)
|
|
|
|
if err != nil {
|
2017-08-23 19:19:11 +00:00
|
|
|
resp.WriteHeader(http.StatusBadRequest)
|
Use fmt.Fprint/Fprintf/Fprintln
Used the following rewrite rules:
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b, c, d))) -> fmt.Fprintf(resp, a, b, c, d)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b, c))) -> fmt.Fprintf(resp, a, b, c)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b))) -> fmt.Fprintf(resp, a, b)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a))) -> fmt.Fprint(resp, a)' *.go
gofmt -w -r 'resp.Write([]byte(a + "\n")) -> fmt.Fprintln(resp, a)' *.go
gofmt -w -r 'resp.Write([]byte(a)) -> fmt.Fprint(resp, a)' *.go
2017-04-20 14:07:42 +00:00
|
|
|
fmt.Fprintf(resp, "Invalid value for enable: %q", raw)
|
2015-01-15 08:16:34 +00:00
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
2016-12-14 22:16:46 +00:00
|
|
|
// Get the provided token, if any, and vet against any ACL policies.
|
2015-09-10 18:43:59 +00:00
|
|
|
var token string
|
|
|
|
s.parseToken(req, &token)
|
2019-12-10 02:26:41 +00:00
|
|
|
|
|
|
|
if err := s.parseEntMetaNoWildcard(req, &sid.EnterpriseMeta); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2019-12-18 18:46:53 +00:00
|
|
|
authz, err := s.agent.resolveTokenAndDefaultMeta(token, &sid.EnterpriseMeta, nil)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2019-12-10 02:26:41 +00:00
|
|
|
sid.Normalize()
|
|
|
|
|
2019-12-18 18:46:53 +00:00
|
|
|
if err := s.agent.vetServiceUpdateWithAuthorizer(authz, sid); err != nil {
|
2016-12-14 22:16:46 +00:00
|
|
|
return nil, err
|
|
|
|
}
|
2015-09-10 18:43:59 +00:00
|
|
|
|
2015-01-15 08:16:34 +00:00
|
|
|
if enable {
|
2015-01-21 20:21:57 +00:00
|
|
|
reason := params.Get("reason")
|
2019-12-10 02:26:41 +00:00
|
|
|
if err = s.agent.EnableServiceMaintenance(sid, reason, token); err != nil {
|
2017-08-23 19:19:11 +00:00
|
|
|
resp.WriteHeader(http.StatusNotFound)
|
Use fmt.Fprint/Fprintf/Fprintln
Used the following rewrite rules:
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b, c, d))) -> fmt.Fprintf(resp, a, b, c, d)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b, c))) -> fmt.Fprintf(resp, a, b, c)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b))) -> fmt.Fprintf(resp, a, b)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a))) -> fmt.Fprint(resp, a)' *.go
gofmt -w -r 'resp.Write([]byte(a + "\n")) -> fmt.Fprintln(resp, a)' *.go
gofmt -w -r 'resp.Write([]byte(a)) -> fmt.Fprint(resp, a)' *.go
2017-04-20 14:07:42 +00:00
|
|
|
fmt.Fprint(resp, err.Error())
|
2015-01-21 21:28:26 +00:00
|
|
|
return nil, nil
|
2015-01-15 09:17:35 +00:00
|
|
|
}
|
2015-01-15 08:16:34 +00:00
|
|
|
} else {
|
2019-12-10 02:26:41 +00:00
|
|
|
if err = s.agent.DisableServiceMaintenance(sid); err != nil {
|
2017-08-23 19:19:11 +00:00
|
|
|
resp.WriteHeader(http.StatusNotFound)
|
Use fmt.Fprint/Fprintf/Fprintln
Used the following rewrite rules:
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b, c, d))) -> fmt.Fprintf(resp, a, b, c, d)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b, c))) -> fmt.Fprintf(resp, a, b, c)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b))) -> fmt.Fprintf(resp, a, b)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a))) -> fmt.Fprint(resp, a)' *.go
gofmt -w -r 'resp.Write([]byte(a + "\n")) -> fmt.Fprintln(resp, a)' *.go
gofmt -w -r 'resp.Write([]byte(a)) -> fmt.Fprint(resp, a)' *.go
2017-04-20 14:07:42 +00:00
|
|
|
fmt.Fprint(resp, err.Error())
|
2015-01-21 21:28:26 +00:00
|
|
|
return nil, nil
|
2015-01-15 09:17:35 +00:00
|
|
|
}
|
2015-01-15 08:16:34 +00:00
|
|
|
}
|
2015-02-20 23:45:06 +00:00
|
|
|
s.syncChanges()
|
2015-01-21 21:28:26 +00:00
|
|
|
return nil, nil
|
2015-01-15 08:16:34 +00:00
|
|
|
}
|
2015-01-15 19:20:22 +00:00
|
|
|
|
|
|
|
func (s *HTTPServer) AgentNodeMaintenance(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
|
|
|
// Ensure we have some action
|
|
|
|
params := req.URL.Query()
|
|
|
|
if _, ok := params["enable"]; !ok {
|
2017-08-23 19:19:11 +00:00
|
|
|
resp.WriteHeader(http.StatusBadRequest)
|
Use fmt.Fprint/Fprintf/Fprintln
Used the following rewrite rules:
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b, c, d))) -> fmt.Fprintf(resp, a, b, c, d)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b, c))) -> fmt.Fprintf(resp, a, b, c)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b))) -> fmt.Fprintf(resp, a, b)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a))) -> fmt.Fprint(resp, a)' *.go
gofmt -w -r 'resp.Write([]byte(a + "\n")) -> fmt.Fprintln(resp, a)' *.go
gofmt -w -r 'resp.Write([]byte(a)) -> fmt.Fprint(resp, a)' *.go
2017-04-20 14:07:42 +00:00
|
|
|
fmt.Fprint(resp, "Missing value for enable")
|
2015-01-15 19:20:22 +00:00
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
raw := params.Get("enable")
|
2015-01-21 17:53:31 +00:00
|
|
|
enable, err := strconv.ParseBool(raw)
|
|
|
|
if err != nil {
|
2017-08-23 19:19:11 +00:00
|
|
|
resp.WriteHeader(http.StatusBadRequest)
|
Use fmt.Fprint/Fprintf/Fprintln
Used the following rewrite rules:
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b, c, d))) -> fmt.Fprintf(resp, a, b, c, d)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b, c))) -> fmt.Fprintf(resp, a, b, c)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a, b))) -> fmt.Fprintf(resp, a, b)' *.go
gofmt -w -r 'resp.Write([]byte(fmt.Sprintf(a))) -> fmt.Fprint(resp, a)' *.go
gofmt -w -r 'resp.Write([]byte(a + "\n")) -> fmt.Fprintln(resp, a)' *.go
gofmt -w -r 'resp.Write([]byte(a)) -> fmt.Fprint(resp, a)' *.go
2017-04-20 14:07:42 +00:00
|
|
|
fmt.Fprintf(resp, "Invalid value for enable: %q", raw)
|
2015-01-15 19:20:22 +00:00
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
2016-12-14 22:16:46 +00:00
|
|
|
// Get the provided token, if any, and vet against any ACL policies.
|
2015-09-10 18:43:59 +00:00
|
|
|
var token string
|
|
|
|
s.parseToken(req, &token)
|
2017-08-23 14:52:48 +00:00
|
|
|
rule, err := s.agent.resolveToken(token)
|
2016-12-14 22:16:46 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2019-10-15 20:58:50 +00:00
|
|
|
if rule != nil && rule.NodeWrite(s.agent.config.NodeName, nil) != acl.Allow {
|
2017-08-23 14:52:48 +00:00
|
|
|
return nil, acl.ErrPermissionDenied
|
2016-12-14 22:16:46 +00:00
|
|
|
}
|
2015-09-10 18:43:59 +00:00
|
|
|
|
2015-01-15 19:20:22 +00:00
|
|
|
if enable {
|
2015-09-10 18:43:59 +00:00
|
|
|
s.agent.EnableNodeMaintenance(params.Get("reason"), token)
|
2015-01-15 19:20:22 +00:00
|
|
|
} else {
|
|
|
|
s.agent.DisableNodeMaintenance()
|
|
|
|
}
|
2015-02-20 23:45:06 +00:00
|
|
|
s.syncChanges()
|
2015-01-15 19:20:22 +00:00
|
|
|
return nil, nil
|
|
|
|
}
|
2015-02-20 23:45:06 +00:00
|
|
|
|
2016-11-16 21:45:26 +00:00
|
|
|
func (s *HTTPServer) AgentMonitor(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
2016-12-14 17:33:57 +00:00
|
|
|
// Fetch the ACL token, if any, and enforce agent policy.
|
|
|
|
var token string
|
|
|
|
s.parseToken(req, &token)
|
2017-08-23 14:52:48 +00:00
|
|
|
rule, err := s.agent.resolveToken(token)
|
2016-12-14 17:33:57 +00:00
|
|
|
if err != nil {
|
2016-11-28 21:08:31 +00:00
|
|
|
return nil, err
|
|
|
|
}
|
2019-10-15 20:58:50 +00:00
|
|
|
if rule != nil && rule.AgentRead(s.agent.config.NodeName, nil) != acl.Allow {
|
2017-08-23 14:52:48 +00:00
|
|
|
return nil, acl.ErrPermissionDenied
|
2016-12-14 17:33:57 +00:00
|
|
|
}
|
2016-11-28 21:08:31 +00:00
|
|
|
|
2016-12-14 17:33:57 +00:00
|
|
|
// Get the provided loglevel.
|
2016-11-16 21:45:26 +00:00
|
|
|
logLevel := req.URL.Query().Get("loglevel")
|
|
|
|
if logLevel == "" {
|
|
|
|
logLevel = "INFO"
|
|
|
|
}
|
|
|
|
|
2020-01-28 23:50:41 +00:00
|
|
|
var logJSON bool
|
|
|
|
if _, ok := req.URL.Query()["logjson"]; ok {
|
|
|
|
logJSON = true
|
|
|
|
}
|
2016-11-16 21:45:26 +00:00
|
|
|
|
2020-01-28 23:50:41 +00:00
|
|
|
if !logging.ValidateLogLevel(logLevel) {
|
|
|
|
return nil, BadRequestError{
|
|
|
|
Reason: fmt.Sprintf("Unknown log level: %s", logLevel),
|
|
|
|
}
|
2016-11-16 21:45:26 +00:00
|
|
|
}
|
2020-01-28 23:50:41 +00:00
|
|
|
|
2016-11-16 21:45:26 +00:00
|
|
|
flusher, ok := resp.(http.Flusher)
|
|
|
|
if !ok {
|
|
|
|
return nil, fmt.Errorf("Streaming not supported")
|
|
|
|
}
|
|
|
|
|
2020-01-28 23:50:41 +00:00
|
|
|
monitor := monitor.New(monitor.Config{
|
|
|
|
BufferSize: 512,
|
|
|
|
Logger: s.agent.logger,
|
|
|
|
LoggerOptions: &hclog.LoggerOptions{
|
|
|
|
Level: logging.LevelFromString(logLevel),
|
|
|
|
JSONFormat: logJSON,
|
|
|
|
},
|
|
|
|
})
|
|
|
|
logsCh := monitor.Start()
|
2016-11-16 21:45:26 +00:00
|
|
|
|
2018-02-19 21:53:10 +00:00
|
|
|
// Send header so client can start streaming body
|
|
|
|
resp.WriteHeader(http.StatusOK)
|
2018-04-03 20:33:13 +00:00
|
|
|
|
|
|
|
// 0 byte write is needed before the Flush call so that if we are using
|
|
|
|
// a gzip stream it will go ahead and write out the HTTP response header
|
|
|
|
resp.Write([]byte(""))
|
2018-02-19 21:53:10 +00:00
|
|
|
flusher.Flush()
|
|
|
|
|
2016-12-14 17:33:57 +00:00
|
|
|
// Stream logs until the connection is closed.
|
2016-11-16 21:45:26 +00:00
|
|
|
for {
|
|
|
|
select {
|
2020-01-28 23:50:41 +00:00
|
|
|
case <-req.Context().Done():
|
|
|
|
droppedCount := monitor.Stop()
|
|
|
|
if droppedCount > 0 {
|
|
|
|
s.agent.logger.Warn("Dropped logs during monitor request", "dropped_count", droppedCount)
|
2016-11-28 21:08:31 +00:00
|
|
|
}
|
2016-11-16 21:45:26 +00:00
|
|
|
return nil, nil
|
2020-01-28 23:50:41 +00:00
|
|
|
case log := <-logsCh:
|
|
|
|
fmt.Fprint(resp, string(log))
|
2016-11-16 21:45:26 +00:00
|
|
|
flusher.Flush()
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-07-26 18:03:43 +00:00
|
|
|
func (s *HTTPServer) AgentToken(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
2017-11-28 21:47:30 +00:00
|
|
|
if s.checkACLDisabled(resp, req) {
|
|
|
|
return nil, nil
|
|
|
|
}
|
2017-07-26 18:03:43 +00:00
|
|
|
|
|
|
|
// Fetch the ACL token, if any, and enforce agent policy.
|
|
|
|
var token string
|
|
|
|
s.parseToken(req, &token)
|
2017-08-23 14:52:48 +00:00
|
|
|
rule, err := s.agent.resolveToken(token)
|
2017-07-26 18:03:43 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2019-10-15 20:58:50 +00:00
|
|
|
if rule != nil && rule.AgentWrite(s.agent.config.NodeName, nil) != acl.Allow {
|
2017-08-23 14:52:48 +00:00
|
|
|
return nil, acl.ErrPermissionDenied
|
2017-07-26 18:03:43 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// The body is just the token, but it's in a JSON object so we can add
|
|
|
|
// fields to this later if needed.
|
|
|
|
var args api.AgentToken
|
2019-10-29 18:13:36 +00:00
|
|
|
if err := decodeBody(req.Body, &args); err != nil {
|
2017-07-26 18:03:43 +00:00
|
|
|
resp.WriteHeader(http.StatusBadRequest)
|
|
|
|
fmt.Fprintf(resp, "Request decode failed: %v", err)
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
2019-02-27 19:28:31 +00:00
|
|
|
if s.agent.config.ACLEnableTokenPersistence {
|
|
|
|
// we hold the lock around updating the internal token store
|
|
|
|
// as well as persisting the tokens because we don't want to write
|
|
|
|
// into the store to have something else wipe it out before we can
|
|
|
|
// persist everything (like an agent config reload). The token store
|
|
|
|
// lock is only held for those operations so other go routines that
|
|
|
|
// just need to read some token out of the store will not be impacted
|
|
|
|
// any more than they would be without token persistence.
|
|
|
|
s.agent.persistedTokensLock.Lock()
|
|
|
|
defer s.agent.persistedTokensLock.Unlock()
|
|
|
|
}
|
|
|
|
|
2017-07-26 18:03:43 +00:00
|
|
|
// Figure out the target token.
|
|
|
|
target := strings.TrimPrefix(req.URL.Path, "/v1/agent/token/")
|
2019-10-04 18:37:34 +00:00
|
|
|
triggerAntiEntropySync := false
|
2017-07-26 18:03:43 +00:00
|
|
|
switch target {
|
2019-02-27 19:28:31 +00:00
|
|
|
case "acl_token", "default":
|
2019-10-04 18:37:34 +00:00
|
|
|
changed := s.agent.tokens.UpdateUserToken(args.Token, token_store.TokenSourceAPI)
|
|
|
|
if changed {
|
|
|
|
triggerAntiEntropySync = true
|
|
|
|
}
|
2017-07-26 18:03:43 +00:00
|
|
|
|
2019-02-27 19:28:31 +00:00
|
|
|
case "acl_agent_token", "agent":
|
2019-10-04 18:37:34 +00:00
|
|
|
changed := s.agent.tokens.UpdateAgentToken(args.Token, token_store.TokenSourceAPI)
|
|
|
|
if changed {
|
|
|
|
triggerAntiEntropySync = true
|
|
|
|
}
|
2017-07-26 18:03:43 +00:00
|
|
|
|
2019-02-27 19:28:31 +00:00
|
|
|
case "acl_agent_master_token", "agent_master":
|
|
|
|
s.agent.tokens.UpdateAgentMasterToken(args.Token, token_store.TokenSourceAPI)
|
2017-08-03 22:39:31 +00:00
|
|
|
|
2019-02-27 19:28:31 +00:00
|
|
|
case "acl_replication_token", "replication":
|
|
|
|
s.agent.tokens.UpdateReplicationToken(args.Token, token_store.TokenSourceAPI)
|
2018-10-15 16:17:48 +00:00
|
|
|
|
2017-07-26 18:03:43 +00:00
|
|
|
default:
|
|
|
|
resp.WriteHeader(http.StatusNotFound)
|
|
|
|
fmt.Fprintf(resp, "Token %q is unknown", target)
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
2019-10-04 18:37:34 +00:00
|
|
|
if triggerAntiEntropySync {
|
|
|
|
s.agent.sync.SyncFull.Trigger()
|
|
|
|
}
|
|
|
|
|
2019-02-27 19:28:31 +00:00
|
|
|
if s.agent.config.ACLEnableTokenPersistence {
|
|
|
|
tokens := persistedTokens{}
|
|
|
|
|
|
|
|
if tok, source := s.agent.tokens.UserTokenAndSource(); tok != "" && source == token_store.TokenSourceAPI {
|
|
|
|
tokens.Default = tok
|
|
|
|
}
|
|
|
|
|
|
|
|
if tok, source := s.agent.tokens.AgentTokenAndSource(); tok != "" && source == token_store.TokenSourceAPI {
|
|
|
|
tokens.Agent = tok
|
|
|
|
}
|
|
|
|
|
|
|
|
if tok, source := s.agent.tokens.AgentMasterTokenAndSource(); tok != "" && source == token_store.TokenSourceAPI {
|
|
|
|
tokens.AgentMaster = tok
|
|
|
|
}
|
|
|
|
|
|
|
|
if tok, source := s.agent.tokens.ReplicationTokenAndSource(); tok != "" && source == token_store.TokenSourceAPI {
|
|
|
|
tokens.Replication = tok
|
|
|
|
}
|
|
|
|
|
|
|
|
data, err := json.Marshal(tokens)
|
|
|
|
if err != nil {
|
2020-01-28 23:50:41 +00:00
|
|
|
s.agent.logger.Warn("failed to persist tokens", "error", err)
|
2019-02-27 19:28:31 +00:00
|
|
|
return nil, fmt.Errorf("Failed to marshal tokens for persistence: %v", err)
|
|
|
|
}
|
|
|
|
|
2020-01-31 16:12:36 +00:00
|
|
|
if err := file.WriteAtomicWithPerms(filepath.Join(s.agent.config.DataDir, tokensPath), data, 0700, 0600); err != nil {
|
2020-01-28 23:50:41 +00:00
|
|
|
s.agent.logger.Warn("failed to persist tokens", "error", err)
|
2019-02-27 19:28:31 +00:00
|
|
|
return nil, fmt.Errorf("Failed to persist tokens - %v", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-01-28 23:50:41 +00:00
|
|
|
s.agent.logger.Info("Updated agent's ACL token", "token", target)
|
2017-07-26 18:03:43 +00:00
|
|
|
return nil, nil
|
|
|
|
}
|
2018-03-17 04:39:26 +00:00
|
|
|
|
|
|
|
// AgentConnectCARoots returns the trusted CA roots.
|
|
|
|
func (s *HTTPServer) AgentConnectCARoots(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
2018-04-11 08:52:51 +00:00
|
|
|
var args structs.DCSpecificRequest
|
|
|
|
if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
2020-06-15 15:01:25 +00:00
|
|
|
raw, m, err := s.agent.cache.Get(req.Context(), cachetype.ConnectCARootName, &args)
|
2018-04-11 08:52:51 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2018-06-15 12:13:54 +00:00
|
|
|
defer setCacheMeta(resp, &m)
|
|
|
|
|
|
|
|
// Add cache hit
|
2018-04-11 08:52:51 +00:00
|
|
|
|
|
|
|
reply, ok := raw.(*structs.IndexedCARoots)
|
|
|
|
if !ok {
|
|
|
|
// This should never happen, but we want to protect against panics
|
|
|
|
return nil, fmt.Errorf("internal error: response type not correct")
|
|
|
|
}
|
|
|
|
defer setMeta(resp, &reply.QueryMeta)
|
|
|
|
|
|
|
|
return *reply, nil
|
2018-03-17 04:39:26 +00:00
|
|
|
}
|
2018-03-21 17:55:39 +00:00
|
|
|
|
|
|
|
// AgentConnectCALeafCert returns the certificate bundle for a service
|
|
|
|
// instance. This supports blocking queries to update the returned bundle.
|
|
|
|
func (s *HTTPServer) AgentConnectCALeafCert(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
2019-03-06 17:13:28 +00:00
|
|
|
// Get the service name. Note that this is the name of the service,
|
2018-05-22 17:33:14 +00:00
|
|
|
// not the ID of the service instance.
|
2018-05-19 06:27:02 +00:00
|
|
|
serviceName := strings.TrimPrefix(req.URL.Path, "/v1/agent/connect/ca/leaf/")
|
2018-03-21 17:55:39 +00:00
|
|
|
|
2018-04-30 21:23:49 +00:00
|
|
|
args := cachetype.ConnectCALeafRequest{
|
2019-08-27 21:45:58 +00:00
|
|
|
Service: serviceName, // Need name not ID
|
2018-04-30 21:23:49 +00:00
|
|
|
}
|
|
|
|
var qOpts structs.QueryOptions
|
2018-07-30 13:11:51 +00:00
|
|
|
|
2020-02-10 15:40:44 +00:00
|
|
|
if err := s.parseEntMetaNoWildcard(req, &args.EnterpriseMeta); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2018-04-30 21:23:49 +00:00
|
|
|
// Store DC in the ConnectCALeafRequest but query opts separately
|
2019-08-09 19:19:30 +00:00
|
|
|
if done := s.parse(resp, req, &args.Datacenter, &qOpts); done {
|
2018-04-30 21:23:49 +00:00
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
args.MinQueryIndex = qOpts.MinQueryIndex
|
2019-01-10 16:23:37 +00:00
|
|
|
args.MaxQueryTime = qOpts.MaxQueryTime
|
2019-08-09 19:19:30 +00:00
|
|
|
args.Token = qOpts.Token
|
2018-04-30 21:23:49 +00:00
|
|
|
|
2020-06-15 15:01:25 +00:00
|
|
|
raw, m, err := s.agent.cache.Get(req.Context(), cachetype.ConnectCALeafName, &args)
|
2018-04-30 21:23:49 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2018-06-15 12:13:54 +00:00
|
|
|
defer setCacheMeta(resp, &m)
|
2018-04-30 21:23:49 +00:00
|
|
|
|
|
|
|
reply, ok := raw.(*structs.IssuedCert)
|
|
|
|
if !ok {
|
|
|
|
// This should never happen, but we want to protect against panics
|
|
|
|
return nil, fmt.Errorf("internal error: response type not correct")
|
|
|
|
}
|
|
|
|
setIndex(resp, reply.ModifyIndex)
|
2018-03-21 17:55:39 +00:00
|
|
|
|
2018-04-30 21:23:49 +00:00
|
|
|
return reply, nil
|
2018-03-21 17:55:39 +00:00
|
|
|
}
|
2018-03-21 23:02:46 +00:00
|
|
|
|
|
|
|
// AgentConnectAuthorize
|
|
|
|
//
|
|
|
|
// POST /v1/agent/connect/authorize
|
2018-05-11 05:37:02 +00:00
|
|
|
//
|
2018-05-19 04:03:10 +00:00
|
|
|
// Note: when this logic changes, consider if the Intention.Check RPC method
|
2018-05-11 05:37:02 +00:00
|
|
|
// also needs to be updated.
|
2018-03-21 23:02:46 +00:00
|
|
|
func (s *HTTPServer) AgentConnectAuthorize(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
2018-03-26 01:50:05 +00:00
|
|
|
// Fetch the token
|
|
|
|
var token string
|
|
|
|
s.parseToken(req, &token)
|
|
|
|
|
2018-03-26 00:52:26 +00:00
|
|
|
var authReq structs.ConnectAuthorizeRequest
|
2020-01-13 20:51:40 +00:00
|
|
|
|
|
|
|
if err := s.parseEntMetaNoWildcard(req, &authReq.EnterpriseMeta); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2019-10-29 18:13:36 +00:00
|
|
|
if err := decodeBody(req.Body, &authReq); err != nil {
|
2018-10-03 19:37:53 +00:00
|
|
|
return nil, BadRequestError{fmt.Sprintf("Request decode failed: %v", err)}
|
2018-05-09 19:30:43 +00:00
|
|
|
}
|
2018-03-27 17:09:13 +00:00
|
|
|
|
2018-10-03 19:37:53 +00:00
|
|
|
authz, reason, cacheMeta, err := s.agent.ConnectAuthorize(token, &authReq)
|
2018-04-17 23:26:58 +00:00
|
|
|
if err != nil {
|
2018-03-26 00:52:26 +00:00
|
|
|
return nil, err
|
|
|
|
}
|
2018-10-03 19:37:53 +00:00
|
|
|
setCacheMeta(resp, cacheMeta)
|
2018-03-26 01:50:05 +00:00
|
|
|
|
2018-03-26 00:52:26 +00:00
|
|
|
return &connectAuthorizeResp{
|
2018-03-26 01:50:05 +00:00
|
|
|
Authorized: authz,
|
|
|
|
Reason: reason,
|
2018-03-26 00:52:26 +00:00
|
|
|
}, nil
|
|
|
|
}
|
|
|
|
|
2018-03-26 01:02:25 +00:00
|
|
|
// connectAuthorizeResp is the response format/structure for the
|
|
|
|
// /v1/agent/connect/authorize endpoint.
|
2018-03-26 00:52:26 +00:00
|
|
|
type connectAuthorizeResp struct {
|
2018-03-26 01:02:25 +00:00
|
|
|
Authorized bool // True if authorized, false if not
|
|
|
|
Reason string // Reason for the Authorized value (whether true or false)
|
2018-03-21 23:02:46 +00:00
|
|
|
}
|
2018-10-17 20:20:35 +00:00
|
|
|
|
|
|
|
// AgentHost
|
|
|
|
//
|
|
|
|
// GET /v1/agent/host
|
|
|
|
//
|
|
|
|
// Retrieves information about resources available and in-use for the
|
|
|
|
// host the agent is running on such as CPU, memory, and disk usage. Requires
|
|
|
|
// a operator:read ACL token.
|
|
|
|
func (s *HTTPServer) AgentHost(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
|
|
|
// Fetch the ACL token, if any, and enforce agent policy.
|
|
|
|
var token string
|
|
|
|
s.parseToken(req, &token)
|
|
|
|
rule, err := s.agent.resolveToken(token)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2018-11-13 13:43:53 +00:00
|
|
|
|
2019-10-15 20:58:50 +00:00
|
|
|
if rule != nil && rule.OperatorRead(nil) != acl.Allow {
|
2018-10-17 20:20:35 +00:00
|
|
|
return nil, acl.ErrPermissionDenied
|
|
|
|
}
|
|
|
|
|
|
|
|
return debug.CollectHostInfo(), nil
|
|
|
|
}
|