2017-07-26 18:03:43 +00:00
|
|
|
package token
|
|
|
|
|
|
|
|
import (
|
|
|
|
"sync"
|
2019-12-16 20:54:52 +00:00
|
|
|
|
|
|
|
"crypto/subtle"
|
2017-07-26 18:03:43 +00:00
|
|
|
)
|
|
|
|
|
2019-02-27 19:28:31 +00:00
|
|
|
type TokenSource bool
|
|
|
|
|
|
|
|
const (
|
|
|
|
TokenSourceConfig TokenSource = false
|
|
|
|
TokenSourceAPI TokenSource = true
|
|
|
|
)
|
|
|
|
|
2017-07-26 18:03:43 +00:00
|
|
|
// Store is used to hold the special ACL tokens used by Consul agents. It is
|
|
|
|
// designed to update the tokens on the fly, so the token store itself should be
|
|
|
|
// plumbed around and used to get tokens at runtime, don't save the resulting
|
|
|
|
// tokens.
|
|
|
|
type Store struct {
|
|
|
|
// l synchronizes access to the token store.
|
|
|
|
l sync.RWMutex
|
|
|
|
|
|
|
|
// userToken is passed along for requests when the user didn't supply a
|
|
|
|
// token, and may be left blank to use the anonymous token. This will
|
|
|
|
// also be used for agent operations if the agent token isn't set.
|
|
|
|
userToken string
|
|
|
|
|
2019-02-27 19:28:31 +00:00
|
|
|
// userTokenSource indicates where this token originated from
|
|
|
|
userTokenSource TokenSource
|
|
|
|
|
2017-07-26 18:03:43 +00:00
|
|
|
// agentToken is used for internal agent operations like self-registering
|
|
|
|
// with the catalog and anti-entropy, but should never be used for
|
|
|
|
// user-initiated operations.
|
|
|
|
agentToken string
|
|
|
|
|
2019-02-27 19:28:31 +00:00
|
|
|
// agentTokenSource indicates where this token originated from
|
|
|
|
agentTokenSource TokenSource
|
|
|
|
|
2017-07-26 18:03:43 +00:00
|
|
|
// agentMasterToken is a special token that's only used locally for
|
|
|
|
// access to the /v1/agent utility operations if the servers aren't
|
|
|
|
// available.
|
|
|
|
agentMasterToken string
|
2017-08-03 22:39:31 +00:00
|
|
|
|
2019-02-27 19:28:31 +00:00
|
|
|
// agentMasterTokenSource indicates where this token originated from
|
|
|
|
agentMasterTokenSource TokenSource
|
|
|
|
|
|
|
|
// replicationToken is a special token that's used by servers to
|
|
|
|
// replicate data from the primary datacenter.
|
|
|
|
replicationToken string
|
2018-10-15 16:17:48 +00:00
|
|
|
|
2019-02-27 19:28:31 +00:00
|
|
|
// replicationTokenSource indicates where this token originated from
|
|
|
|
replicationTokenSource TokenSource
|
2020-02-04 20:58:56 +00:00
|
|
|
|
|
|
|
// enterpriseTokens contains tokens only used in consul-enterprise
|
|
|
|
enterpriseTokens
|
2017-07-26 18:03:43 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// UpdateUserToken replaces the current user token in the store.
|
2019-10-04 18:37:34 +00:00
|
|
|
// Returns true if it was changed.
|
|
|
|
func (t *Store) UpdateUserToken(token string, source TokenSource) bool {
|
2017-07-26 18:03:43 +00:00
|
|
|
t.l.Lock()
|
2019-10-04 18:37:34 +00:00
|
|
|
changed := (t.userToken != token || t.userTokenSource != source)
|
2017-07-26 18:03:43 +00:00
|
|
|
t.userToken = token
|
2019-02-27 19:28:31 +00:00
|
|
|
t.userTokenSource = source
|
2017-07-26 18:03:43 +00:00
|
|
|
t.l.Unlock()
|
2019-10-04 18:37:34 +00:00
|
|
|
return changed
|
2017-07-26 18:03:43 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// UpdateAgentToken replaces the current agent token in the store.
|
2019-10-04 18:37:34 +00:00
|
|
|
// Returns true if it was changed.
|
|
|
|
func (t *Store) UpdateAgentToken(token string, source TokenSource) bool {
|
2017-07-26 18:03:43 +00:00
|
|
|
t.l.Lock()
|
2019-10-04 18:37:34 +00:00
|
|
|
changed := (t.agentToken != token || t.agentTokenSource != source)
|
2017-07-26 18:03:43 +00:00
|
|
|
t.agentToken = token
|
2019-02-27 19:28:31 +00:00
|
|
|
t.agentTokenSource = source
|
2017-07-26 18:03:43 +00:00
|
|
|
t.l.Unlock()
|
2019-10-04 18:37:34 +00:00
|
|
|
return changed
|
2017-07-26 18:03:43 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// UpdateAgentMasterToken replaces the current agent master token in the store.
|
2019-10-04 18:37:34 +00:00
|
|
|
// Returns true if it was changed.
|
|
|
|
func (t *Store) UpdateAgentMasterToken(token string, source TokenSource) bool {
|
2017-07-26 18:03:43 +00:00
|
|
|
t.l.Lock()
|
2019-10-04 18:37:34 +00:00
|
|
|
changed := (t.agentMasterToken != token || t.agentMasterTokenSource != source)
|
2017-07-26 18:03:43 +00:00
|
|
|
t.agentMasterToken = token
|
2019-02-27 19:28:31 +00:00
|
|
|
t.agentMasterTokenSource = source
|
2017-07-26 18:03:43 +00:00
|
|
|
t.l.Unlock()
|
2019-10-04 18:37:34 +00:00
|
|
|
return changed
|
2017-07-26 18:03:43 +00:00
|
|
|
}
|
|
|
|
|
2019-02-27 19:28:31 +00:00
|
|
|
// UpdateReplicationToken replaces the current replication token in the store.
|
2019-10-04 18:37:34 +00:00
|
|
|
// Returns true if it was changed.
|
|
|
|
func (t *Store) UpdateReplicationToken(token string, source TokenSource) bool {
|
2018-10-15 16:17:48 +00:00
|
|
|
t.l.Lock()
|
2019-10-04 18:37:34 +00:00
|
|
|
changed := (t.replicationToken != token || t.replicationTokenSource != source)
|
2019-02-27 19:28:31 +00:00
|
|
|
t.replicationToken = token
|
|
|
|
t.replicationTokenSource = source
|
2018-10-15 16:17:48 +00:00
|
|
|
t.l.Unlock()
|
2019-10-04 18:37:34 +00:00
|
|
|
return changed
|
2018-10-15 16:17:48 +00:00
|
|
|
}
|
|
|
|
|
2017-07-26 18:03:43 +00:00
|
|
|
// UserToken returns the best token to use for user operations.
|
|
|
|
func (t *Store) UserToken() string {
|
|
|
|
t.l.RLock()
|
|
|
|
defer t.l.RUnlock()
|
|
|
|
|
|
|
|
return t.userToken
|
|
|
|
}
|
|
|
|
|
|
|
|
// AgentToken returns the best token to use for internal agent operations.
|
|
|
|
func (t *Store) AgentToken() string {
|
|
|
|
t.l.RLock()
|
|
|
|
defer t.l.RUnlock()
|
|
|
|
|
2020-04-28 13:44:26 +00:00
|
|
|
if tok := t.enterpriseAgentToken(); tok != "" {
|
|
|
|
return tok
|
|
|
|
}
|
|
|
|
|
2017-07-26 18:03:43 +00:00
|
|
|
if t.agentToken != "" {
|
|
|
|
return t.agentToken
|
|
|
|
}
|
|
|
|
return t.userToken
|
|
|
|
}
|
|
|
|
|
2019-02-27 19:28:31 +00:00
|
|
|
func (t *Store) AgentMasterToken() string {
|
|
|
|
t.l.RLock()
|
|
|
|
defer t.l.RUnlock()
|
|
|
|
|
|
|
|
return t.agentMasterToken
|
|
|
|
}
|
|
|
|
|
|
|
|
// ReplicationToken returns the replication token.
|
|
|
|
func (t *Store) ReplicationToken() string {
|
|
|
|
t.l.RLock()
|
|
|
|
defer t.l.RUnlock()
|
|
|
|
|
|
|
|
return t.replicationToken
|
|
|
|
}
|
|
|
|
|
|
|
|
// UserToken returns the best token to use for user operations.
|
|
|
|
func (t *Store) UserTokenAndSource() (string, TokenSource) {
|
|
|
|
t.l.RLock()
|
|
|
|
defer t.l.RUnlock()
|
|
|
|
|
|
|
|
return t.userToken, t.userTokenSource
|
|
|
|
}
|
|
|
|
|
|
|
|
// AgentToken returns the best token to use for internal agent operations.
|
|
|
|
func (t *Store) AgentTokenAndSource() (string, TokenSource) {
|
|
|
|
t.l.RLock()
|
|
|
|
defer t.l.RUnlock()
|
|
|
|
|
|
|
|
return t.agentToken, t.agentTokenSource
|
|
|
|
}
|
|
|
|
|
|
|
|
func (t *Store) AgentMasterTokenAndSource() (string, TokenSource) {
|
2017-08-03 22:39:31 +00:00
|
|
|
t.l.RLock()
|
|
|
|
defer t.l.RUnlock()
|
|
|
|
|
2019-02-27 19:28:31 +00:00
|
|
|
return t.agentMasterToken, t.agentMasterTokenSource
|
2017-08-03 22:39:31 +00:00
|
|
|
}
|
|
|
|
|
2019-02-27 19:28:31 +00:00
|
|
|
// ReplicationToken returns the replication token.
|
|
|
|
func (t *Store) ReplicationTokenAndSource() (string, TokenSource) {
|
2018-10-15 16:17:48 +00:00
|
|
|
t.l.RLock()
|
|
|
|
defer t.l.RUnlock()
|
|
|
|
|
2019-02-27 19:28:31 +00:00
|
|
|
return t.replicationToken, t.replicationTokenSource
|
2018-10-15 16:17:48 +00:00
|
|
|
}
|
|
|
|
|
2017-07-26 18:03:43 +00:00
|
|
|
// IsAgentMasterToken checks to see if a given token is the agent master token.
|
|
|
|
// This will never match an empty token for safety.
|
|
|
|
func (t *Store) IsAgentMasterToken(token string) bool {
|
|
|
|
t.l.RLock()
|
|
|
|
defer t.l.RUnlock()
|
|
|
|
|
2019-12-16 20:54:52 +00:00
|
|
|
return (token != "") && (subtle.ConstantTimeCompare([]byte(token), []byte(t.agentMasterToken)) == 1)
|
2017-07-26 18:03:43 +00:00
|
|
|
}
|