2018-10-19 16:04:07 +00:00
|
|
|
package consul
|
|
|
|
|
|
|
|
import (
|
2019-04-08 17:05:51 +00:00
|
|
|
"time"
|
2018-10-19 16:04:07 +00:00
|
|
|
|
|
|
|
"github.com/hashicorp/consul/acl"
|
|
|
|
"github.com/hashicorp/consul/agent/structs"
|
|
|
|
)
|
|
|
|
|
|
|
|
var serverACLCacheConfig *structs.ACLCachesConfig = &structs.ACLCachesConfig{
|
2018-11-02 17:00:39 +00:00
|
|
|
// The server's ACL caching has a few underlying assumptions:
|
2018-10-19 16:04:07 +00:00
|
|
|
//
|
|
|
|
// 1 - All policies can be resolved locally. Hence we do not cache any
|
2019-04-15 20:43:19 +00:00
|
|
|
// unparsed policies/roles as we have memdb for that.
|
2018-10-19 16:04:07 +00:00
|
|
|
// 2 - While there could be many identities being used within a DC the
|
|
|
|
// number of distinct policies and combined multi-policy authorizers
|
|
|
|
// will be much less.
|
|
|
|
// 3 - If you need more than 10k tokens cached then you should probably
|
2018-11-02 17:00:39 +00:00
|
|
|
// enable token replication or be using DC local tokens. In both
|
2018-10-19 16:04:07 +00:00
|
|
|
// cases resolving the tokens from memdb will avoid the cache
|
|
|
|
// entirely
|
|
|
|
//
|
|
|
|
Identities: 10 * 1024,
|
|
|
|
Policies: 0,
|
|
|
|
ParsedPolicies: 512,
|
|
|
|
Authorizers: 1024,
|
2019-04-15 20:43:19 +00:00
|
|
|
Roles: 0,
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (s *Server) checkTokenUUID(id string) (bool, error) {
|
|
|
|
state := s.fsm.State()
|
2019-04-08 17:05:51 +00:00
|
|
|
|
|
|
|
// We won't check expiration times here. If we generate a UUID that matches
|
|
|
|
// a token that hasn't been reaped yet, then we won't be able to insert the
|
|
|
|
// new token due to a collision.
|
|
|
|
|
2019-10-24 18:38:09 +00:00
|
|
|
if _, token, err := state.ACLTokenGetByAccessor(nil, id, nil); err != nil {
|
2018-10-19 16:04:07 +00:00
|
|
|
return false, err
|
|
|
|
} else if token != nil {
|
|
|
|
return false, nil
|
|
|
|
}
|
|
|
|
|
2019-10-24 18:38:09 +00:00
|
|
|
if _, token, err := state.ACLTokenGetBySecret(nil, id, nil); err != nil {
|
2018-10-19 16:04:07 +00:00
|
|
|
return false, err
|
|
|
|
} else if token != nil {
|
|
|
|
return false, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
return !structs.ACLIDReserved(id), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *Server) checkPolicyUUID(id string) (bool, error) {
|
|
|
|
state := s.fsm.State()
|
2019-10-24 18:38:09 +00:00
|
|
|
if _, policy, err := state.ACLPolicyGetByID(nil, id, nil); err != nil {
|
2018-10-19 16:04:07 +00:00
|
|
|
return false, err
|
|
|
|
} else if policy != nil {
|
|
|
|
return false, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
return !structs.ACLIDReserved(id), nil
|
|
|
|
}
|
|
|
|
|
2019-04-15 20:43:19 +00:00
|
|
|
func (s *Server) checkRoleUUID(id string) (bool, error) {
|
|
|
|
state := s.fsm.State()
|
2019-10-24 18:38:09 +00:00
|
|
|
if _, role, err := state.ACLRoleGetByID(nil, id, nil); err != nil {
|
2019-04-15 20:43:19 +00:00
|
|
|
return false, err
|
|
|
|
} else if role != nil {
|
|
|
|
return false, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
return !structs.ACLIDReserved(id), nil
|
|
|
|
}
|
|
|
|
|
2019-04-26 17:49:28 +00:00
|
|
|
func (s *Server) checkBindingRuleUUID(id string) (bool, error) {
|
|
|
|
state := s.fsm.State()
|
2019-10-24 18:38:09 +00:00
|
|
|
if _, rule, err := state.ACLBindingRuleGetByID(nil, id, nil); err != nil {
|
2019-04-26 17:49:28 +00:00
|
|
|
return false, err
|
|
|
|
} else if rule != nil {
|
|
|
|
return false, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
return !structs.ACLIDReserved(id), nil
|
|
|
|
}
|
|
|
|
|
2021-11-05 18:51:50 +00:00
|
|
|
func (s *Server) InPrimaryDatacenter() bool {
|
2021-08-06 22:00:58 +00:00
|
|
|
return s.config.PrimaryDatacenter == "" || s.config.Datacenter == s.config.PrimaryDatacenter
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (s *Server) LocalTokensEnabled() bool {
|
|
|
|
// in ACL datacenter so local tokens are always enabled
|
2021-11-05 18:51:50 +00:00
|
|
|
if s.InPrimaryDatacenter() {
|
2018-10-19 16:04:07 +00:00
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
2019-02-27 19:28:31 +00:00
|
|
|
if !s.config.ACLTokenReplication || s.tokens.ReplicationToken() == "" {
|
2020-08-07 10:02:02 +00:00
|
|
|
// token replication is off so local tokens are disabled
|
2018-10-19 16:04:07 +00:00
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
2021-07-30 23:20:02 +00:00
|
|
|
type serverACLResolverBackend struct {
|
|
|
|
// TODO: un-embed
|
|
|
|
*Server
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *serverACLResolverBackend) ACLDatacenter() string {
|
|
|
|
// For resolution running on servers the only option is to contact the
|
|
|
|
// configured ACL Datacenter
|
2021-08-06 22:00:58 +00:00
|
|
|
if s.config.PrimaryDatacenter != "" {
|
|
|
|
return s.config.PrimaryDatacenter
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// This function only gets called if ACLs are enabled.
|
|
|
|
// When no ACL DC is set then it is assumed that this DC
|
|
|
|
// is the primary DC
|
|
|
|
return s.config.Datacenter
|
|
|
|
}
|
|
|
|
|
2020-01-27 19:54:32 +00:00
|
|
|
// ResolveIdentityFromToken retrieves a token's full identity given its secretID.
|
2021-07-30 23:20:02 +00:00
|
|
|
// TODO: why does some code call this directly instead of using ACLResolver.ResolveTokenToIdentity ?
|
2018-10-19 16:04:07 +00:00
|
|
|
func (s *Server) ResolveIdentityFromToken(token string) (bool, structs.ACLIdentity, error) {
|
|
|
|
// only allow remote RPC resolution when token replication is off and
|
|
|
|
// when not in the ACL datacenter
|
2021-11-05 18:51:50 +00:00
|
|
|
if !s.InPrimaryDatacenter() && !s.config.ACLTokenReplication {
|
2018-10-19 16:04:07 +00:00
|
|
|
return false, nil, nil
|
|
|
|
}
|
|
|
|
|
2019-10-24 18:38:09 +00:00
|
|
|
index, aclToken, err := s.fsm.State().ACLTokenGetBySecret(nil, token, nil)
|
2018-10-19 16:04:07 +00:00
|
|
|
if err != nil {
|
|
|
|
return true, nil, err
|
2019-04-08 17:05:51 +00:00
|
|
|
} else if aclToken != nil && !aclToken.IsExpired(time.Now()) {
|
2018-10-19 16:04:07 +00:00
|
|
|
return true, aclToken, nil
|
|
|
|
}
|
|
|
|
|
2021-11-05 18:51:50 +00:00
|
|
|
return s.InPrimaryDatacenter() || index > 0, nil, acl.ErrNotFound
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
|
|
|
|
2021-07-30 23:20:02 +00:00
|
|
|
func (s *serverACLResolverBackend) ResolvePolicyFromID(policyID string) (bool, *structs.ACLPolicy, error) {
|
2019-10-24 18:38:09 +00:00
|
|
|
index, policy, err := s.fsm.State().ACLPolicyGetByID(nil, policyID, nil)
|
2018-10-19 16:04:07 +00:00
|
|
|
if err != nil {
|
|
|
|
return true, nil, err
|
|
|
|
} else if policy != nil {
|
|
|
|
return true, policy, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// If the max index of the policies table is non-zero then we have acls, until then
|
|
|
|
// we may need to allow remote resolution. This is particularly useful to allow updating
|
|
|
|
// the replication token via the API in a non-primary dc.
|
2021-11-05 18:51:50 +00:00
|
|
|
return s.InPrimaryDatacenter() || index > 0, policy, acl.ErrNotFound
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
|
|
|
|
2021-07-30 23:20:02 +00:00
|
|
|
func (s *serverACLResolverBackend) ResolveRoleFromID(roleID string) (bool, *structs.ACLRole, error) {
|
2019-10-24 18:38:09 +00:00
|
|
|
index, role, err := s.fsm.State().ACLRoleGetByID(nil, roleID, nil)
|
2019-04-15 20:43:19 +00:00
|
|
|
if err != nil {
|
|
|
|
return true, nil, err
|
|
|
|
} else if role != nil {
|
|
|
|
return true, role, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// If the max index of the roles table is non-zero then we have acls, until then
|
|
|
|
// we may need to allow remote resolution. This is particularly useful to allow updating
|
|
|
|
// the replication token via the API in a non-primary dc.
|
2021-11-05 18:51:50 +00:00
|
|
|
return s.InPrimaryDatacenter() || index > 0, role, acl.ErrNotFound
|
2019-04-15 20:43:19 +00:00
|
|
|
}
|
|
|
|
|
2018-10-19 16:04:07 +00:00
|
|
|
func (s *Server) ResolveToken(token string) (acl.Authorizer, error) {
|
2021-07-30 21:48:26 +00:00
|
|
|
_, authz, err := s.acls.ResolveTokenToIdentityAndAuthorizer(token)
|
2020-02-04 20:58:56 +00:00
|
|
|
return authz, err
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
|
|
|
|
2020-05-13 17:00:08 +00:00
|
|
|
func (s *Server) ResolveTokenToIdentity(token string) (structs.ACLIdentity, error) {
|
|
|
|
// not using ResolveTokenToIdentityAndAuthorizer because in this case we don't
|
|
|
|
// need to resolve the roles, policies and namespace but just want the identity
|
|
|
|
// information such as accessor id.
|
|
|
|
return s.acls.ResolveTokenToIdentity(token)
|
|
|
|
}
|
|
|
|
|
2021-07-30 22:05:33 +00:00
|
|
|
// TODO: Client has an identical implementation, remove duplication
|
|
|
|
func (s *Server) ResolveTokenAndDefaultMeta(token string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (acl.Authorizer, error) {
|
2021-07-30 21:48:26 +00:00
|
|
|
identity, authz, err := s.acls.ResolveTokenToIdentityAndAuthorizer(token)
|
2019-12-18 18:46:53 +00:00
|
|
|
if err != nil {
|
2021-07-30 22:05:33 +00:00
|
|
|
return nil, err
|
2019-12-18 18:46:53 +00:00
|
|
|
}
|
|
|
|
|
2021-10-26 19:20:57 +00:00
|
|
|
if entMeta == nil {
|
|
|
|
entMeta = &structs.EnterpriseMeta{}
|
|
|
|
}
|
|
|
|
|
2019-12-18 18:46:53 +00:00
|
|
|
// Default the EnterpriseMeta based on the Tokens meta or actual defaults
|
|
|
|
// in the case of unknown identity
|
|
|
|
if identity != nil {
|
|
|
|
entMeta.Merge(identity.EnterpriseMetadata())
|
|
|
|
} else {
|
2021-07-22 18:20:45 +00:00
|
|
|
entMeta.Merge(structs.DefaultEnterpriseMetaInDefaultPartition())
|
2019-12-18 18:46:53 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Use the meta to fill in the ACL authorization context
|
|
|
|
entMeta.FillAuthzContext(authzContext)
|
|
|
|
|
|
|
|
return authz, err
|
|
|
|
}
|
|
|
|
|
2018-10-19 16:04:07 +00:00
|
|
|
func (s *Server) filterACL(token string, subj interface{}) error {
|
2021-07-30 21:19:57 +00:00
|
|
|
return filterACL(s.acls, token, subj)
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
|
|
|
|
2021-07-30 21:08:58 +00:00
|
|
|
func (s *Server) filterACLWithAuthorizer(authorizer acl.Authorizer, subj interface{}) {
|
2021-07-30 21:19:57 +00:00
|
|
|
filterACLWithAuthorizer(s.acls.logger, authorizer, subj)
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|