commit
1e59560e0e
|
@ -2,7 +2,7 @@
|
|||
|
||||
package acl
|
||||
|
||||
// EnterpriseACLConfig stub
|
||||
type EnterpriseACLConfig struct{}
|
||||
// Config stub
|
||||
type Config struct{}
|
||||
|
||||
func (_ *EnterpriseACLConfig) Close() {}
|
||||
func (_ *Config) Close() {}
|
||||
|
|
158
acl/acl_test.go
158
acl/acl_test.go
|
@ -36,315 +36,315 @@ func legacyPolicy(policy *Policy) *Policy {
|
|||
// nicer in the embedded struct within TestACL
|
||||
//
|
||||
|
||||
func checkAllowACLRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowACLRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.ACLRead(entCtx))
|
||||
}
|
||||
|
||||
func checkAllowACLWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowACLWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.ACLWrite(entCtx))
|
||||
}
|
||||
|
||||
func checkAllowAgentRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowAgentRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.AgentRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowAgentWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowAgentWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.AgentWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowEventRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowEventRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.EventRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowEventWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowEventWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.EventWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowIntentionDefaultAllow(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowIntentionDefaultAllow(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.IntentionDefaultAllow(entCtx))
|
||||
}
|
||||
|
||||
func checkAllowIntentionRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowIntentionRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.IntentionRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowIntentionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowIntentionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.IntentionWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowKeyRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowKeyRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.KeyRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowKeyList(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowKeyList(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.KeyList(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowKeyringRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowKeyringRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.KeyringRead(entCtx))
|
||||
}
|
||||
|
||||
func checkAllowKeyringWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowKeyringWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.KeyringWrite(entCtx))
|
||||
}
|
||||
|
||||
func checkAllowKeyWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowKeyWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.KeyWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowKeyWritePrefix(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowKeyWritePrefix(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.KeyWritePrefix(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowNodeRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowNodeRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.NodeRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowNodeWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowNodeWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.NodeWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowOperatorRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowOperatorRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.OperatorRead(entCtx))
|
||||
}
|
||||
|
||||
func checkAllowOperatorWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowOperatorWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.OperatorWrite(entCtx))
|
||||
}
|
||||
|
||||
func checkAllowPreparedQueryRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowPreparedQueryRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.PreparedQueryRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowPreparedQueryWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowPreparedQueryWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.PreparedQueryWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowServiceRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowServiceRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.ServiceRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowServiceWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowServiceWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.ServiceWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowSessionRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowSessionRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.SessionRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowSessionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowSessionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.SessionWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkAllowSnapshot(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkAllowSnapshot(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Allow, authz.Snapshot(entCtx))
|
||||
}
|
||||
|
||||
func checkDenyACLRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyACLRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.ACLRead(entCtx))
|
||||
}
|
||||
|
||||
func checkDenyACLWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyACLWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.ACLWrite(entCtx))
|
||||
}
|
||||
|
||||
func checkDenyAgentRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyAgentRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.AgentRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenyAgentWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyAgentWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.AgentWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenyEventRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyEventRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.EventRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenyEventWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyEventWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.EventWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenyIntentionDefaultAllow(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyIntentionDefaultAllow(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.IntentionDefaultAllow(entCtx))
|
||||
}
|
||||
|
||||
func checkDenyIntentionRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyIntentionRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.IntentionRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenyIntentionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyIntentionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.IntentionWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenyKeyRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyKeyRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.KeyRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenyKeyList(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyKeyList(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.KeyList(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenyKeyringRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyKeyringRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.KeyringRead(entCtx))
|
||||
}
|
||||
|
||||
func checkDenyKeyringWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyKeyringWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.KeyringWrite(entCtx))
|
||||
}
|
||||
|
||||
func checkDenyKeyWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyKeyWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.KeyWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenyKeyWritePrefix(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyKeyWritePrefix(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.KeyWritePrefix(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenyNodeRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyNodeRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.NodeRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenyNodeWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyNodeWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.NodeWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenyOperatorRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyOperatorRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.OperatorRead(entCtx))
|
||||
}
|
||||
|
||||
func checkDenyOperatorWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyOperatorWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.OperatorWrite(entCtx))
|
||||
}
|
||||
|
||||
func checkDenyPreparedQueryRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyPreparedQueryRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.PreparedQueryRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenyPreparedQueryWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyPreparedQueryWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.PreparedQueryWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenyServiceRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyServiceRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.ServiceRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenyServiceWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenyServiceWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.ServiceWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenySessionRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenySessionRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.SessionRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenySessionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenySessionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.SessionWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDenySnapshot(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDenySnapshot(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Deny, authz.Snapshot(entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultACLRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultACLRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.ACLRead(entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultACLWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultACLWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.ACLWrite(entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultAgentRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultAgentRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.AgentRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultAgentWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultAgentWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.AgentWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultEventRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultEventRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.EventRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultEventWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultEventWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.EventWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultIntentionDefaultAllow(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultIntentionDefaultAllow(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.IntentionDefaultAllow(entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultIntentionRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultIntentionRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.IntentionRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultIntentionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultIntentionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.IntentionWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultKeyRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultKeyRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.KeyRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultKeyList(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultKeyList(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.KeyList(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultKeyringRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultKeyringRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.KeyringRead(entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultKeyringWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultKeyringWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.KeyringWrite(entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultKeyWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultKeyWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.KeyWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultKeyWritePrefix(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultKeyWritePrefix(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.KeyWritePrefix(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultNodeRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultNodeRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.NodeRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultNodeWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultNodeWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.NodeWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultOperatorRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultOperatorRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.OperatorRead(entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultOperatorWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultOperatorWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.OperatorWrite(entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultPreparedQueryRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultPreparedQueryRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.PreparedQueryRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultPreparedQueryWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultPreparedQueryWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.PreparedQueryWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultServiceRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultServiceRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.ServiceRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultServiceWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultServiceWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.ServiceWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultSessionRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultSessionRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.SessionRead(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultSessionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultSessionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.SessionWrite(prefix, entCtx))
|
||||
}
|
||||
|
||||
func checkDefaultSnapshot(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
|
||||
func checkDefaultSnapshot(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
|
||||
require.Equal(t, Default, authz.Snapshot(entCtx))
|
||||
}
|
||||
|
||||
|
@ -352,7 +352,7 @@ func TestACL(t *testing.T) {
|
|||
type aclCheck struct {
|
||||
name string
|
||||
prefix string
|
||||
check func(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext)
|
||||
check func(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext)
|
||||
}
|
||||
|
||||
type aclTest struct {
|
||||
|
|
|
@ -53,102 +53,102 @@ const (
|
|||
// Authorizer is the interface for policy enforcement.
|
||||
type Authorizer interface {
|
||||
// ACLRead checks for permission to list all the ACLs
|
||||
ACLRead(*EnterpriseAuthorizerContext) EnforcementDecision
|
||||
ACLRead(*AuthorizerContext) EnforcementDecision
|
||||
|
||||
// ACLWrite checks for permission to manipulate ACLs
|
||||
ACLWrite(*EnterpriseAuthorizerContext) EnforcementDecision
|
||||
ACLWrite(*AuthorizerContext) EnforcementDecision
|
||||
|
||||
// AgentRead checks for permission to read from agent endpoints for a
|
||||
// given node.
|
||||
AgentRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
AgentRead(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// AgentWrite checks for permission to make changes via agent endpoints
|
||||
// for a given node.
|
||||
AgentWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
AgentWrite(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// EventRead determines if a specific event can be queried.
|
||||
EventRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
EventRead(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// EventWrite determines if a specific event may be fired.
|
||||
EventWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
EventWrite(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// IntentionDefaultAllow determines the default authorized behavior
|
||||
// when no intentions match a Connect request.
|
||||
IntentionDefaultAllow(*EnterpriseAuthorizerContext) EnforcementDecision
|
||||
IntentionDefaultAllow(*AuthorizerContext) EnforcementDecision
|
||||
|
||||
// IntentionRead determines if a specific intention can be read.
|
||||
IntentionRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
IntentionRead(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// IntentionWrite determines if a specific intention can be
|
||||
// created, modified, or deleted.
|
||||
IntentionWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
IntentionWrite(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// KeyList checks for permission to list keys under a prefix
|
||||
KeyList(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
KeyList(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// KeyRead checks for permission to read a given key
|
||||
KeyRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
KeyRead(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// KeyWrite checks for permission to write a given key
|
||||
KeyWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
KeyWrite(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// KeyWritePrefix checks for permission to write to an
|
||||
// entire key prefix. This means there must be no sub-policies
|
||||
// that deny a write.
|
||||
KeyWritePrefix(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
KeyWritePrefix(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// KeyringRead determines if the encryption keyring used in
|
||||
// the gossip layer can be read.
|
||||
KeyringRead(*EnterpriseAuthorizerContext) EnforcementDecision
|
||||
KeyringRead(*AuthorizerContext) EnforcementDecision
|
||||
|
||||
// KeyringWrite determines if the keyring can be manipulated
|
||||
KeyringWrite(*EnterpriseAuthorizerContext) EnforcementDecision
|
||||
KeyringWrite(*AuthorizerContext) EnforcementDecision
|
||||
|
||||
// NodeRead checks for permission to read (discover) a given node.
|
||||
NodeRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
NodeRead(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// NodeWrite checks for permission to create or update (register) a
|
||||
// given node.
|
||||
NodeWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
NodeWrite(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// OperatorRead determines if the read-only Consul operator functions
|
||||
// can be used.
|
||||
OperatorRead(*EnterpriseAuthorizerContext) EnforcementDecision
|
||||
OperatorRead(*AuthorizerContext) EnforcementDecision
|
||||
|
||||
// OperatorWrite determines if the state-changing Consul operator
|
||||
// functions can be used.
|
||||
OperatorWrite(*EnterpriseAuthorizerContext) EnforcementDecision
|
||||
OperatorWrite(*AuthorizerContext) EnforcementDecision
|
||||
|
||||
// PreparedQueryRead determines if a specific prepared query can be read
|
||||
// to show its contents (this is not used for execution).
|
||||
PreparedQueryRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
PreparedQueryRead(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// PreparedQueryWrite determines if a specific prepared query can be
|
||||
// created, modified, or deleted.
|
||||
PreparedQueryWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
PreparedQueryWrite(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// ServiceRead checks for permission to read a given service
|
||||
ServiceRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
ServiceRead(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// ServiceWrite checks for permission to create or update a given
|
||||
// service
|
||||
ServiceWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
ServiceWrite(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// SessionRead checks for permission to read sessions for a given node.
|
||||
SessionRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
SessionRead(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// SessionWrite checks for permission to create sessions for a given
|
||||
// node.
|
||||
SessionWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
|
||||
SessionWrite(string, *AuthorizerContext) EnforcementDecision
|
||||
|
||||
// Snapshot checks for permission to take and restore snapshots.
|
||||
Snapshot(*EnterpriseAuthorizerContext) EnforcementDecision
|
||||
Snapshot(*AuthorizerContext) EnforcementDecision
|
||||
|
||||
// Embedded Interface for Consul Enterprise specific ACL enforcement
|
||||
EnterpriseAuthorizer
|
||||
enterpriseAuthorizer
|
||||
}
|
||||
|
||||
func Enforce(authz Authorizer, rsc Resource, segment string, access string, ctx *EnterpriseAuthorizerContext) (EnforcementDecision, error) {
|
||||
func Enforce(authz Authorizer, rsc Resource, segment string, access string, ctx *AuthorizerContext) (EnforcementDecision, error) {
|
||||
lowerAccess := strings.ToLower(access)
|
||||
|
||||
switch rsc {
|
||||
|
@ -234,7 +234,7 @@ func Enforce(authz Authorizer, rsc Resource, segment string, access string, ctx
|
|||
return authz.SessionWrite(segment, ctx), nil
|
||||
}
|
||||
default:
|
||||
if processed, decision, err := EnforceEnterprise(authz, rsc, segment, lowerAccess, ctx); processed {
|
||||
if processed, decision, err := enforceEnterprise(authz, rsc, segment, lowerAccess, ctx); processed {
|
||||
return decision, err
|
||||
}
|
||||
return Deny, fmt.Errorf("Invalid ACL resource requested: %q", rsc)
|
||||
|
|
|
@ -2,12 +2,12 @@
|
|||
|
||||
package acl
|
||||
|
||||
// EnterpriseAuthorizerContext stub
|
||||
type EnterpriseAuthorizerContext struct{}
|
||||
// AuthorizerContext stub
|
||||
type AuthorizerContext struct{}
|
||||
|
||||
// EnterpriseAuthorizer stub interface
|
||||
type EnterpriseAuthorizer interface{}
|
||||
// enterpriseAuthorizer stub interface
|
||||
type enterpriseAuthorizer interface{}
|
||||
|
||||
func EnforceEnterprise(_ Authorizer, _ Resource, _ string, _ string, _ *EnterpriseAuthorizerContext) (bool, EnforcementDecision, error) {
|
||||
func enforceEnterprise(_ Authorizer, _ Resource, _ string, _ string, _ *AuthorizerContext) (bool, EnforcementDecision, error) {
|
||||
return false, Deny, nil
|
||||
}
|
||||
|
|
|
@ -13,77 +13,77 @@ type mockAuthorizer struct {
|
|||
}
|
||||
|
||||
// ACLRead checks for permission to list all the ACLs
|
||||
func (m *mockAuthorizer) ACLRead(ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) ACLRead(ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// ACLWrite checks for permission to manipulate ACLs
|
||||
func (m *mockAuthorizer) ACLWrite(ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) ACLWrite(ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// AgentRead checks for permission to read from agent endpoints for a
|
||||
// given node.
|
||||
func (m *mockAuthorizer) AgentRead(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) AgentRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// AgentWrite checks for permission to make changes via agent endpoints
|
||||
// for a given node.
|
||||
func (m *mockAuthorizer) AgentWrite(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) AgentWrite(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// EventRead determines if a specific event can be queried.
|
||||
func (m *mockAuthorizer) EventRead(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) EventRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// EventWrite determines if a specific event may be fired.
|
||||
func (m *mockAuthorizer) EventWrite(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) EventWrite(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// IntentionDefaultAllow determines the default authorized behavior
|
||||
// when no intentions match a Connect request.
|
||||
func (m *mockAuthorizer) IntentionDefaultAllow(ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) IntentionDefaultAllow(ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// IntentionRead determines if a specific intention can be read.
|
||||
func (m *mockAuthorizer) IntentionRead(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) IntentionRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// IntentionWrite determines if a specific intention can be
|
||||
// created, modified, or deleted.
|
||||
func (m *mockAuthorizer) IntentionWrite(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) IntentionWrite(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// KeyList checks for permission to list keys under a prefix
|
||||
func (m *mockAuthorizer) KeyList(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) KeyList(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// KeyRead checks for permission to read a given key
|
||||
func (m *mockAuthorizer) KeyRead(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) KeyRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// KeyWrite checks for permission to write a given key
|
||||
func (m *mockAuthorizer) KeyWrite(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) KeyWrite(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
@ -91,93 +91,93 @@ func (m *mockAuthorizer) KeyWrite(segment string, ctx *EnterpriseAuthorizerConte
|
|||
// KeyWritePrefix checks for permission to write to an
|
||||
// entire key prefix. This means there must be no sub-policies
|
||||
// that deny a write.
|
||||
func (m *mockAuthorizer) KeyWritePrefix(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) KeyWritePrefix(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// KeyringRead determines if the encryption keyring used in
|
||||
// the gossip layer can be read.
|
||||
func (m *mockAuthorizer) KeyringRead(ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) KeyringRead(ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// KeyringWrite determines if the keyring can be manipulated
|
||||
func (m *mockAuthorizer) KeyringWrite(ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) KeyringWrite(ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// NodeRead checks for permission to read (discover) a given node.
|
||||
func (m *mockAuthorizer) NodeRead(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) NodeRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// NodeWrite checks for permission to create or update (register) a
|
||||
// given node.
|
||||
func (m *mockAuthorizer) NodeWrite(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) NodeWrite(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// OperatorRead determines if the read-only Consul operator functions
|
||||
// can be used. ret := m.Called(segment, ctx)
|
||||
func (m *mockAuthorizer) OperatorRead(ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) OperatorRead(ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// OperatorWrite determines if the state-changing Consul operator
|
||||
// functions can be used.
|
||||
func (m *mockAuthorizer) OperatorWrite(ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) OperatorWrite(ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// PreparedQueryRead determines if a specific prepared query can be read
|
||||
// to show its contents (this is not used for execution).
|
||||
func (m *mockAuthorizer) PreparedQueryRead(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) PreparedQueryRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// PreparedQueryWrite determines if a specific prepared query can be
|
||||
// created, modified, or deleted.
|
||||
func (m *mockAuthorizer) PreparedQueryWrite(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) PreparedQueryWrite(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// ServiceRead checks for permission to read a given service
|
||||
func (m *mockAuthorizer) ServiceRead(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) ServiceRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// ServiceWrite checks for permission to create or update a given
|
||||
// service
|
||||
func (m *mockAuthorizer) ServiceWrite(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) ServiceWrite(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// SessionRead checks for permission to read sessions for a given node.
|
||||
func (m *mockAuthorizer) SessionRead(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) SessionRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// SessionWrite checks for permission to create sessions for a given
|
||||
// node.
|
||||
func (m *mockAuthorizer) SessionWrite(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) SessionWrite(segment string, ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(segment, ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
||||
// Snapshot checks for permission to take and restore snapshots.
|
||||
func (m *mockAuthorizer) Snapshot(ctx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (m *mockAuthorizer) Snapshot(ctx *AuthorizerContext) EnforcementDecision {
|
||||
ret := m.Called(ctx)
|
||||
return ret.Get(0).(EnforcementDecision)
|
||||
}
|
||||
|
@ -599,7 +599,7 @@ func TestACL_Enforce(t *testing.T) {
|
|||
m := &mockAuthorizer{}
|
||||
|
||||
if tcase.err == "" {
|
||||
var nilCtx *EnterpriseAuthorizerContext
|
||||
var nilCtx *AuthorizerContext
|
||||
if tcase.segment != "" {
|
||||
m.On(tcase.method, tcase.segment, nilCtx).Return(tcase.ret)
|
||||
} else {
|
||||
|
|
|
@ -34,14 +34,14 @@ func (c *ChainedAuthorizer) executeChain(enforce func(authz Authorizer) Enforcem
|
|||
}
|
||||
|
||||
// ACLRead checks for permission to list all the ACLs
|
||||
func (c *ChainedAuthorizer) ACLRead(entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) ACLRead(entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.ACLRead(entCtx)
|
||||
})
|
||||
}
|
||||
|
||||
// ACLWrite checks for permission to manipulate ACLs
|
||||
func (c *ChainedAuthorizer) ACLWrite(entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) ACLWrite(entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.ACLWrite(entCtx)
|
||||
})
|
||||
|
@ -49,7 +49,7 @@ func (c *ChainedAuthorizer) ACLWrite(entCtx *EnterpriseAuthorizerContext) Enforc
|
|||
|
||||
// AgentRead checks for permission to read from agent endpoints for a
|
||||
// given node.
|
||||
func (c *ChainedAuthorizer) AgentRead(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) AgentRead(node string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.AgentRead(node, entCtx)
|
||||
})
|
||||
|
@ -57,21 +57,21 @@ func (c *ChainedAuthorizer) AgentRead(node string, entCtx *EnterpriseAuthorizerC
|
|||
|
||||
// AgentWrite checks for permission to make changes via agent endpoints
|
||||
// for a given node.
|
||||
func (c *ChainedAuthorizer) AgentWrite(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) AgentWrite(node string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.AgentWrite(node, entCtx)
|
||||
})
|
||||
}
|
||||
|
||||
// EventRead determines if a specific event can be queried.
|
||||
func (c *ChainedAuthorizer) EventRead(name string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) EventRead(name string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.EventRead(name, entCtx)
|
||||
})
|
||||
}
|
||||
|
||||
// EventWrite determines if a specific event may be fired.
|
||||
func (c *ChainedAuthorizer) EventWrite(name string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) EventWrite(name string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.EventWrite(name, entCtx)
|
||||
})
|
||||
|
@ -79,14 +79,14 @@ func (c *ChainedAuthorizer) EventWrite(name string, entCtx *EnterpriseAuthorizer
|
|||
|
||||
// IntentionDefaultAllow determines the default authorized behavior
|
||||
// when no intentions match a Connect request.
|
||||
func (c *ChainedAuthorizer) IntentionDefaultAllow(entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) IntentionDefaultAllow(entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.IntentionDefaultAllow(entCtx)
|
||||
})
|
||||
}
|
||||
|
||||
// IntentionRead determines if a specific intention can be read.
|
||||
func (c *ChainedAuthorizer) IntentionRead(prefix string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) IntentionRead(prefix string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.IntentionRead(prefix, entCtx)
|
||||
})
|
||||
|
@ -94,28 +94,28 @@ func (c *ChainedAuthorizer) IntentionRead(prefix string, entCtx *EnterpriseAutho
|
|||
|
||||
// IntentionWrite determines if a specific intention can be
|
||||
// created, modified, or deleted.
|
||||
func (c *ChainedAuthorizer) IntentionWrite(prefix string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) IntentionWrite(prefix string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.IntentionWrite(prefix, entCtx)
|
||||
})
|
||||
}
|
||||
|
||||
// KeyList checks for permission to list keys under a prefix
|
||||
func (c *ChainedAuthorizer) KeyList(keyPrefix string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) KeyList(keyPrefix string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.KeyList(keyPrefix, entCtx)
|
||||
})
|
||||
}
|
||||
|
||||
// KeyRead checks for permission to read a given key
|
||||
func (c *ChainedAuthorizer) KeyRead(key string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) KeyRead(key string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.KeyRead(key, entCtx)
|
||||
})
|
||||
}
|
||||
|
||||
// KeyWrite checks for permission to write a given key
|
||||
func (c *ChainedAuthorizer) KeyWrite(key string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) KeyWrite(key string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.KeyWrite(key, entCtx)
|
||||
})
|
||||
|
@ -124,7 +124,7 @@ func (c *ChainedAuthorizer) KeyWrite(key string, entCtx *EnterpriseAuthorizerCon
|
|||
// KeyWritePrefix checks for permission to write to an
|
||||
// entire key prefix. This means there must be no sub-policies
|
||||
// that deny a write.
|
||||
func (c *ChainedAuthorizer) KeyWritePrefix(keyPrefix string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) KeyWritePrefix(keyPrefix string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.KeyWritePrefix(keyPrefix, entCtx)
|
||||
})
|
||||
|
@ -132,21 +132,21 @@ func (c *ChainedAuthorizer) KeyWritePrefix(keyPrefix string, entCtx *EnterpriseA
|
|||
|
||||
// KeyringRead determines if the encryption keyring used in
|
||||
// the gossip layer can be read.
|
||||
func (c *ChainedAuthorizer) KeyringRead(entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) KeyringRead(entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.KeyringRead(entCtx)
|
||||
})
|
||||
}
|
||||
|
||||
// KeyringWrite determines if the keyring can be manipulated
|
||||
func (c *ChainedAuthorizer) KeyringWrite(entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) KeyringWrite(entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.KeyringWrite(entCtx)
|
||||
})
|
||||
}
|
||||
|
||||
// NodeRead checks for permission to read (discover) a given node.
|
||||
func (c *ChainedAuthorizer) NodeRead(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) NodeRead(node string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.NodeRead(node, entCtx)
|
||||
})
|
||||
|
@ -154,7 +154,7 @@ func (c *ChainedAuthorizer) NodeRead(node string, entCtx *EnterpriseAuthorizerCo
|
|||
|
||||
// NodeWrite checks for permission to create or update (register) a
|
||||
// given node.
|
||||
func (c *ChainedAuthorizer) NodeWrite(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) NodeWrite(node string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.NodeWrite(node, entCtx)
|
||||
})
|
||||
|
@ -162,7 +162,7 @@ func (c *ChainedAuthorizer) NodeWrite(node string, entCtx *EnterpriseAuthorizerC
|
|||
|
||||
// OperatorRead determines if the read-only Consul operator functions
|
||||
// can be used.
|
||||
func (c *ChainedAuthorizer) OperatorRead(entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) OperatorRead(entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.OperatorRead(entCtx)
|
||||
})
|
||||
|
@ -170,7 +170,7 @@ func (c *ChainedAuthorizer) OperatorRead(entCtx *EnterpriseAuthorizerContext) En
|
|||
|
||||
// OperatorWrite determines if the state-changing Consul operator
|
||||
// functions can be used.
|
||||
func (c *ChainedAuthorizer) OperatorWrite(entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) OperatorWrite(entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.OperatorWrite(entCtx)
|
||||
})
|
||||
|
@ -178,7 +178,7 @@ func (c *ChainedAuthorizer) OperatorWrite(entCtx *EnterpriseAuthorizerContext) E
|
|||
|
||||
// PreparedQueryRead determines if a specific prepared query can be read
|
||||
// to show its contents (this is not used for execution).
|
||||
func (c *ChainedAuthorizer) PreparedQueryRead(query string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) PreparedQueryRead(query string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.PreparedQueryRead(query, entCtx)
|
||||
})
|
||||
|
@ -186,14 +186,14 @@ func (c *ChainedAuthorizer) PreparedQueryRead(query string, entCtx *EnterpriseAu
|
|||
|
||||
// PreparedQueryWrite determines if a specific prepared query can be
|
||||
// created, modified, or deleted.
|
||||
func (c *ChainedAuthorizer) PreparedQueryWrite(query string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) PreparedQueryWrite(query string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.PreparedQueryWrite(query, entCtx)
|
||||
})
|
||||
}
|
||||
|
||||
// ServiceRead checks for permission to read a given service
|
||||
func (c *ChainedAuthorizer) ServiceRead(name string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) ServiceRead(name string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.ServiceRead(name, entCtx)
|
||||
})
|
||||
|
@ -201,14 +201,14 @@ func (c *ChainedAuthorizer) ServiceRead(name string, entCtx *EnterpriseAuthorize
|
|||
|
||||
// ServiceWrite checks for permission to create or update a given
|
||||
// service
|
||||
func (c *ChainedAuthorizer) ServiceWrite(name string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) ServiceWrite(name string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.ServiceWrite(name, entCtx)
|
||||
})
|
||||
}
|
||||
|
||||
// SessionRead checks for permission to read sessions for a given node.
|
||||
func (c *ChainedAuthorizer) SessionRead(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) SessionRead(node string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.SessionRead(node, entCtx)
|
||||
})
|
||||
|
@ -216,14 +216,14 @@ func (c *ChainedAuthorizer) SessionRead(node string, entCtx *EnterpriseAuthorize
|
|||
|
||||
// SessionWrite checks for permission to create sessions for a given
|
||||
// node.
|
||||
func (c *ChainedAuthorizer) SessionWrite(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) SessionWrite(node string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.SessionWrite(node, entCtx)
|
||||
})
|
||||
}
|
||||
|
||||
// Snapshot checks for permission to take and restore snapshots.
|
||||
func (c *ChainedAuthorizer) Snapshot(entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (c *ChainedAuthorizer) Snapshot(entCtx *AuthorizerContext) EnforcementDecision {
|
||||
return c.executeChain(func(authz Authorizer) EnforcementDecision {
|
||||
return authz.Snapshot(entCtx)
|
||||
})
|
||||
|
|
|
@ -1,3 +0,0 @@
|
|||
// +build !consulent
|
||||
|
||||
package acl
|
|
@ -6,82 +6,82 @@ import (
|
|||
|
||||
type testAuthorizer EnforcementDecision
|
||||
|
||||
func (authz testAuthorizer) ACLRead(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) ACLRead(*AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) ACLWrite(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) ACLWrite(*AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) AgentRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) AgentRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) AgentWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) AgentWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) EventRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) EventRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) EventWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) EventWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) IntentionDefaultAllow(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) IntentionDefaultAllow(*AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) IntentionRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) IntentionRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) IntentionWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) IntentionWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) KeyList(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) KeyList(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) KeyRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) KeyRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) KeyWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) KeyWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) KeyWritePrefix(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) KeyWritePrefix(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) KeyringRead(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) KeyringRead(*AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) KeyringWrite(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) KeyringWrite(*AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) NodeRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) NodeRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) NodeWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) NodeWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) OperatorRead(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) OperatorRead(*AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) OperatorWrite(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) OperatorWrite(*AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) PreparedQueryRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) PreparedQueryRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) PreparedQueryWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) PreparedQueryWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) ServiceRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) ServiceRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) ServiceWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) ServiceWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) SessionRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) SessionRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) SessionWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) SessionWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
func (authz testAuthorizer) Snapshot(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz testAuthorizer) Snapshot(*AuthorizerContext) EnforcementDecision {
|
||||
return EnforcementDecision(authz)
|
||||
}
|
||||
|
||||
|
|
|
@ -161,7 +161,7 @@ func isPolicyValid(policy string, allowList bool) bool {
|
|||
return true
|
||||
}
|
||||
|
||||
func (pr *PolicyRules) Validate(conf *EnterpriseACLConfig) error {
|
||||
func (pr *PolicyRules) Validate(conf *Config) error {
|
||||
// Validate the acl policy - this one is allowed to be empty
|
||||
if pr.ACL != "" && !isPolicyValid(pr.ACL, false) {
|
||||
return fmt.Errorf("Invalid acl policy: %#v", pr.ACL)
|
||||
|
@ -288,7 +288,7 @@ func (pr *PolicyRules) Validate(conf *EnterpriseACLConfig) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func parseCurrent(rules string, conf *EnterpriseACLConfig, meta *EnterprisePolicyMeta) (*Policy, error) {
|
||||
func parseCurrent(rules string, conf *Config, meta *EnterprisePolicyMeta) (*Policy, error) {
|
||||
p, err := decodeRules(rules, conf, meta)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
@ -305,7 +305,7 @@ func parseCurrent(rules string, conf *EnterpriseACLConfig, meta *EnterprisePolic
|
|||
return p, nil
|
||||
}
|
||||
|
||||
func parseLegacy(rules string, conf *EnterpriseACLConfig) (*Policy, error) {
|
||||
func parseLegacy(rules string, conf *Config) (*Policy, error) {
|
||||
p := &Policy{}
|
||||
|
||||
type LegacyPolicy struct {
|
||||
|
@ -422,7 +422,7 @@ func parseLegacy(rules string, conf *EnterpriseACLConfig) (*Policy, error) {
|
|||
// NewPolicyFromSource is used to parse the specified ACL rules into an
|
||||
// intermediary set of policies, before being compiled into
|
||||
// the ACL
|
||||
func NewPolicyFromSource(id string, revision uint64, rules string, syntax SyntaxVersion, conf *EnterpriseACLConfig, meta *EnterprisePolicyMeta) (*Policy, error) {
|
||||
func NewPolicyFromSource(id string, revision uint64, rules string, syntax SyntaxVersion, conf *Config, meta *EnterprisePolicyMeta) (*Policy, error) {
|
||||
if rules == "" {
|
||||
// Hot path for empty source
|
||||
return &Policy{ID: id, Revision: revision}, nil
|
||||
|
|
|
@ -313,13 +313,13 @@ func (p *policyAuthorizer) loadRules(policy *PolicyRules) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func newPolicyAuthorizer(policies []*Policy, ent *EnterpriseACLConfig) (Authorizer, error) {
|
||||
func newPolicyAuthorizer(policies []*Policy, ent *Config) (Authorizer, error) {
|
||||
policy := MergePolicies(policies)
|
||||
|
||||
return newPolicyAuthorizerFromRules(&policy.PolicyRules, ent)
|
||||
}
|
||||
|
||||
func newPolicyAuthorizerFromRules(rules *PolicyRules, ent *EnterpriseACLConfig) (Authorizer, error) {
|
||||
func newPolicyAuthorizerFromRules(rules *PolicyRules, ent *Config) (Authorizer, error) {
|
||||
p := &policyAuthorizer{
|
||||
agentRules: radix.New(),
|
||||
intentionRules: radix.New(),
|
||||
|
@ -341,7 +341,7 @@ func newPolicyAuthorizerFromRules(rules *PolicyRules, ent *EnterpriseACLConfig)
|
|||
}
|
||||
|
||||
// ACLRead checks if listing of ACLs is allowed
|
||||
func (p *policyAuthorizer) ACLRead(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) ACLRead(*AuthorizerContext) EnforcementDecision {
|
||||
if p.aclRule != nil {
|
||||
return enforce(p.aclRule.access, AccessRead)
|
||||
}
|
||||
|
@ -349,7 +349,7 @@ func (p *policyAuthorizer) ACLRead(*EnterpriseAuthorizerContext) EnforcementDeci
|
|||
}
|
||||
|
||||
// ACLWrite checks if modification of ACLs is allowed
|
||||
func (p *policyAuthorizer) ACLWrite(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) ACLWrite(*AuthorizerContext) EnforcementDecision {
|
||||
if p.aclRule != nil {
|
||||
return enforce(p.aclRule.access, AccessWrite)
|
||||
}
|
||||
|
@ -358,7 +358,7 @@ func (p *policyAuthorizer) ACLWrite(*EnterpriseAuthorizerContext) EnforcementDec
|
|||
|
||||
// AgentRead checks for permission to read from agent endpoints for a given
|
||||
// node.
|
||||
func (p *policyAuthorizer) AgentRead(node string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) AgentRead(node string, _ *AuthorizerContext) EnforcementDecision {
|
||||
if rule, ok := getPolicy(node, p.agentRules); ok {
|
||||
return enforce(rule.access, AccessRead)
|
||||
}
|
||||
|
@ -367,7 +367,7 @@ func (p *policyAuthorizer) AgentRead(node string, _ *EnterpriseAuthorizerContext
|
|||
|
||||
// AgentWrite checks for permission to make changes via agent endpoints for a
|
||||
// given node.
|
||||
func (p *policyAuthorizer) AgentWrite(node string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) AgentWrite(node string, _ *AuthorizerContext) EnforcementDecision {
|
||||
if rule, ok := getPolicy(node, p.agentRules); ok {
|
||||
return enforce(rule.access, AccessWrite)
|
||||
}
|
||||
|
@ -375,7 +375,7 @@ func (p *policyAuthorizer) AgentWrite(node string, _ *EnterpriseAuthorizerContex
|
|||
}
|
||||
|
||||
// Snapshot checks if taking and restoring snapshots is allowed.
|
||||
func (p *policyAuthorizer) Snapshot(_ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) Snapshot(_ *AuthorizerContext) EnforcementDecision {
|
||||
if p.aclRule != nil {
|
||||
return enforce(p.aclRule.access, AccessWrite)
|
||||
}
|
||||
|
@ -384,7 +384,7 @@ func (p *policyAuthorizer) Snapshot(_ *EnterpriseAuthorizerContext) EnforcementD
|
|||
|
||||
// EventRead is used to determine if the policy allows for a
|
||||
// specific user event to be read.
|
||||
func (p *policyAuthorizer) EventRead(name string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) EventRead(name string, _ *AuthorizerContext) EnforcementDecision {
|
||||
if rule, ok := getPolicy(name, p.eventRules); ok {
|
||||
return enforce(rule.access, AccessRead)
|
||||
}
|
||||
|
@ -393,7 +393,7 @@ func (p *policyAuthorizer) EventRead(name string, _ *EnterpriseAuthorizerContext
|
|||
|
||||
// EventWrite is used to determine if new events can be created
|
||||
// (fired) by the policy.
|
||||
func (p *policyAuthorizer) EventWrite(name string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) EventWrite(name string, _ *AuthorizerContext) EnforcementDecision {
|
||||
if rule, ok := getPolicy(name, p.eventRules); ok {
|
||||
return enforce(rule.access, AccessWrite)
|
||||
}
|
||||
|
@ -402,14 +402,14 @@ func (p *policyAuthorizer) EventWrite(name string, _ *EnterpriseAuthorizerContex
|
|||
|
||||
// IntentionDefaultAllow returns whether the default behavior when there are
|
||||
// no matching intentions is to allow or deny.
|
||||
func (p *policyAuthorizer) IntentionDefaultAllow(_ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) IntentionDefaultAllow(_ *AuthorizerContext) EnforcementDecision {
|
||||
// We always go up, this can't be determined by a policy.
|
||||
return Default
|
||||
}
|
||||
|
||||
// IntentionRead checks if writing (creating, updating, or deleting) of an
|
||||
// intention is allowed.
|
||||
func (p *policyAuthorizer) IntentionRead(prefix string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) IntentionRead(prefix string, _ *AuthorizerContext) EnforcementDecision {
|
||||
if rule, ok := getPolicy(prefix, p.intentionRules); ok {
|
||||
return enforce(rule.access, AccessRead)
|
||||
}
|
||||
|
@ -418,7 +418,7 @@ func (p *policyAuthorizer) IntentionRead(prefix string, _ *EnterpriseAuthorizerC
|
|||
|
||||
// IntentionWrite checks if writing (creating, updating, or deleting) of an
|
||||
// intention is allowed.
|
||||
func (p *policyAuthorizer) IntentionWrite(prefix string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) IntentionWrite(prefix string, _ *AuthorizerContext) EnforcementDecision {
|
||||
if rule, ok := getPolicy(prefix, p.intentionRules); ok {
|
||||
return enforce(rule.access, AccessWrite)
|
||||
}
|
||||
|
@ -426,7 +426,7 @@ func (p *policyAuthorizer) IntentionWrite(prefix string, _ *EnterpriseAuthorizer
|
|||
}
|
||||
|
||||
// KeyRead returns if a key is allowed to be read
|
||||
func (p *policyAuthorizer) KeyRead(key string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) KeyRead(key string, _ *AuthorizerContext) EnforcementDecision {
|
||||
if rule, ok := getPolicy(key, p.keyRules); ok {
|
||||
return enforce(rule.access, AccessRead)
|
||||
}
|
||||
|
@ -434,7 +434,7 @@ func (p *policyAuthorizer) KeyRead(key string, _ *EnterpriseAuthorizerContext) E
|
|||
}
|
||||
|
||||
// KeyList returns if a key is allowed to be listed
|
||||
func (p *policyAuthorizer) KeyList(key string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) KeyList(key string, _ *AuthorizerContext) EnforcementDecision {
|
||||
if rule, ok := getPolicy(key, p.keyRules); ok {
|
||||
return enforce(rule.access, AccessList)
|
||||
}
|
||||
|
@ -442,7 +442,7 @@ func (p *policyAuthorizer) KeyList(key string, _ *EnterpriseAuthorizerContext) E
|
|||
}
|
||||
|
||||
// KeyWrite returns if a key is allowed to be written
|
||||
func (p *policyAuthorizer) KeyWrite(key string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) KeyWrite(key string, entCtx *AuthorizerContext) EnforcementDecision {
|
||||
if rule, ok := getPolicy(key, p.keyRules); ok {
|
||||
decision := enforce(rule.access, AccessWrite)
|
||||
if decision == Allow {
|
||||
|
@ -459,7 +459,7 @@ func (p *policyAuthorizer) KeyWrite(key string, entCtx *EnterpriseAuthorizerCont
|
|||
// the KV can be removed. For that reason we must be able to
|
||||
// delete everything under the prefix. First we must have "write"
|
||||
// on the prefix itself
|
||||
func (p *policyAuthorizer) KeyWritePrefix(prefix string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) KeyWritePrefix(prefix string, _ *AuthorizerContext) EnforcementDecision {
|
||||
// Conditions for Allow:
|
||||
// * The longest prefix match rule that would apply to the given prefix
|
||||
// grants AccessWrite
|
||||
|
@ -537,7 +537,7 @@ func (p *policyAuthorizer) KeyWritePrefix(prefix string, _ *EnterpriseAuthorizer
|
|||
|
||||
// KeyringRead is used to determine if the keyring can be
|
||||
// read by the current ACL token.
|
||||
func (p *policyAuthorizer) KeyringRead(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) KeyringRead(*AuthorizerContext) EnforcementDecision {
|
||||
if p.keyringRule != nil {
|
||||
return enforce(p.keyringRule.access, AccessRead)
|
||||
}
|
||||
|
@ -545,7 +545,7 @@ func (p *policyAuthorizer) KeyringRead(*EnterpriseAuthorizerContext) Enforcement
|
|||
}
|
||||
|
||||
// KeyringWrite determines if the keyring can be manipulated.
|
||||
func (p *policyAuthorizer) KeyringWrite(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) KeyringWrite(*AuthorizerContext) EnforcementDecision {
|
||||
if p.keyringRule != nil {
|
||||
return enforce(p.keyringRule.access, AccessWrite)
|
||||
}
|
||||
|
@ -553,7 +553,7 @@ func (p *policyAuthorizer) KeyringWrite(*EnterpriseAuthorizerContext) Enforcemen
|
|||
}
|
||||
|
||||
// OperatorRead determines if the read-only operator functions are allowed.
|
||||
func (p *policyAuthorizer) OperatorRead(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) OperatorRead(*AuthorizerContext) EnforcementDecision {
|
||||
if p.operatorRule != nil {
|
||||
return enforce(p.operatorRule.access, AccessRead)
|
||||
}
|
||||
|
@ -562,7 +562,7 @@ func (p *policyAuthorizer) OperatorRead(*EnterpriseAuthorizerContext) Enforcemen
|
|||
|
||||
// OperatorWrite determines if the state-changing operator functions are
|
||||
// allowed.
|
||||
func (p *policyAuthorizer) OperatorWrite(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) OperatorWrite(*AuthorizerContext) EnforcementDecision {
|
||||
if p.operatorRule != nil {
|
||||
return enforce(p.operatorRule.access, AccessWrite)
|
||||
}
|
||||
|
@ -570,7 +570,7 @@ func (p *policyAuthorizer) OperatorWrite(*EnterpriseAuthorizerContext) Enforceme
|
|||
}
|
||||
|
||||
// NodeRead checks if reading (discovery) of a node is allowed
|
||||
func (p *policyAuthorizer) NodeRead(name string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) NodeRead(name string, _ *AuthorizerContext) EnforcementDecision {
|
||||
if rule, ok := getPolicy(name, p.nodeRules); ok {
|
||||
return enforce(rule.access, AccessRead)
|
||||
}
|
||||
|
@ -578,7 +578,7 @@ func (p *policyAuthorizer) NodeRead(name string, _ *EnterpriseAuthorizerContext)
|
|||
}
|
||||
|
||||
// NodeWrite checks if writing (registering) a node is allowed
|
||||
func (p *policyAuthorizer) NodeWrite(name string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) NodeWrite(name string, _ *AuthorizerContext) EnforcementDecision {
|
||||
if rule, ok := getPolicy(name, p.nodeRules); ok {
|
||||
return enforce(rule.access, AccessWrite)
|
||||
}
|
||||
|
@ -587,7 +587,7 @@ func (p *policyAuthorizer) NodeWrite(name string, _ *EnterpriseAuthorizerContext
|
|||
|
||||
// PreparedQueryRead checks if reading (listing) of a prepared query is
|
||||
// allowed - this isn't execution, just listing its contents.
|
||||
func (p *policyAuthorizer) PreparedQueryRead(prefix string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) PreparedQueryRead(prefix string, _ *AuthorizerContext) EnforcementDecision {
|
||||
if rule, ok := getPolicy(prefix, p.preparedQueryRules); ok {
|
||||
return enforce(rule.access, AccessRead)
|
||||
}
|
||||
|
@ -596,7 +596,7 @@ func (p *policyAuthorizer) PreparedQueryRead(prefix string, _ *EnterpriseAuthori
|
|||
|
||||
// PreparedQueryWrite checks if writing (creating, updating, or deleting) of a
|
||||
// prepared query is allowed.
|
||||
func (p *policyAuthorizer) PreparedQueryWrite(prefix string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) PreparedQueryWrite(prefix string, _ *AuthorizerContext) EnforcementDecision {
|
||||
if rule, ok := getPolicy(prefix, p.preparedQueryRules); ok {
|
||||
return enforce(rule.access, AccessWrite)
|
||||
}
|
||||
|
@ -604,7 +604,7 @@ func (p *policyAuthorizer) PreparedQueryWrite(prefix string, _ *EnterpriseAuthor
|
|||
}
|
||||
|
||||
// ServiceRead checks if reading (discovery) of a service is allowed
|
||||
func (p *policyAuthorizer) ServiceRead(name string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) ServiceRead(name string, _ *AuthorizerContext) EnforcementDecision {
|
||||
if rule, ok := getPolicy(name, p.serviceRules); ok {
|
||||
return enforce(rule.access, AccessRead)
|
||||
}
|
||||
|
@ -612,7 +612,7 @@ func (p *policyAuthorizer) ServiceRead(name string, _ *EnterpriseAuthorizerConte
|
|||
}
|
||||
|
||||
// ServiceWrite checks if writing (registering) a service is allowed
|
||||
func (p *policyAuthorizer) ServiceWrite(name string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) ServiceWrite(name string, _ *AuthorizerContext) EnforcementDecision {
|
||||
if rule, ok := getPolicy(name, p.serviceRules); ok {
|
||||
return enforce(rule.access, AccessWrite)
|
||||
}
|
||||
|
@ -620,7 +620,7 @@ func (p *policyAuthorizer) ServiceWrite(name string, _ *EnterpriseAuthorizerCont
|
|||
}
|
||||
|
||||
// SessionRead checks for permission to read sessions for a given node.
|
||||
func (p *policyAuthorizer) SessionRead(node string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) SessionRead(node string, _ *AuthorizerContext) EnforcementDecision {
|
||||
if rule, ok := getPolicy(node, p.sessionRules); ok {
|
||||
return enforce(rule.access, AccessRead)
|
||||
}
|
||||
|
@ -628,7 +628,7 @@ func (p *policyAuthorizer) SessionRead(node string, _ *EnterpriseAuthorizerConte
|
|||
}
|
||||
|
||||
// SessionWrite checks for permission to create sessions for a given node.
|
||||
func (p *policyAuthorizer) SessionWrite(node string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (p *policyAuthorizer) SessionWrite(node string, _ *AuthorizerContext) EnforcementDecision {
|
||||
// Check for an exact rule or catch-all
|
||||
if rule, ok := getPolicy(node, p.sessionRules); ok {
|
||||
return enforce(rule.access, AccessWrite)
|
||||
|
|
|
@ -5,22 +5,22 @@ package acl
|
|||
// enterprisePolicyAuthorizer stub
|
||||
type enterprisePolicyAuthorizer struct{}
|
||||
|
||||
func (authz *enterprisePolicyAuthorizer) init(*EnterpriseACLConfig) {
|
||||
func (authz *enterprisePolicyAuthorizer) init(*Config) {
|
||||
// nothing to do
|
||||
}
|
||||
|
||||
func (authz *enterprisePolicyAuthorizer) enforce(_ *EnterpriseRule, _ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (authz *enterprisePolicyAuthorizer) enforce(_ *EnterpriseRule, _ *AuthorizerContext) EnforcementDecision {
|
||||
return Default
|
||||
}
|
||||
|
||||
// NewPolicyAuthorizer merges the policies and returns an Authorizer that will enforce them
|
||||
func NewPolicyAuthorizer(policies []*Policy, entConfig *EnterpriseACLConfig) (Authorizer, error) {
|
||||
func NewPolicyAuthorizer(policies []*Policy, entConfig *Config) (Authorizer, error) {
|
||||
return newPolicyAuthorizer(policies, entConfig)
|
||||
}
|
||||
|
||||
// NewPolicyAuthorizerWithDefaults will actually created a ChainedAuthorizer with
|
||||
// the policies compiled into one Authorizer and the backup policy of the defaultAuthz
|
||||
func NewPolicyAuthorizerWithDefaults(defaultAuthz Authorizer, policies []*Policy, entConfig *EnterpriseACLConfig) (Authorizer, error) {
|
||||
func NewPolicyAuthorizerWithDefaults(defaultAuthz Authorizer, policies []*Policy, entConfig *Config) (Authorizer, error) {
|
||||
authz, err := newPolicyAuthorizer(policies, entConfig)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
|
|
@ -17,7 +17,7 @@ func TestPolicyAuthorizer(t *testing.T) {
|
|||
type aclCheck struct {
|
||||
name string
|
||||
prefix string
|
||||
check func(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext)
|
||||
check func(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext)
|
||||
}
|
||||
|
||||
type aclTest struct {
|
||||
|
|
|
@ -14,7 +14,7 @@ type EnterprisePolicyMeta struct{}
|
|||
// EnterpriseRule stub
|
||||
type EnterpriseRule struct{}
|
||||
|
||||
func (r *EnterpriseRule) Validate(string, *EnterpriseACLConfig) error {
|
||||
func (r *EnterpriseRule) Validate(string, *Config) error {
|
||||
// nothing to validate
|
||||
return nil
|
||||
}
|
||||
|
@ -22,12 +22,12 @@ func (r *EnterpriseRule) Validate(string, *EnterpriseACLConfig) error {
|
|||
// EnterprisePolicyRules stub
|
||||
type EnterprisePolicyRules struct{}
|
||||
|
||||
func (r *EnterprisePolicyRules) Validate(*EnterpriseACLConfig) error {
|
||||
func (r *EnterprisePolicyRules) Validate(*Config) error {
|
||||
// nothing to validate
|
||||
return nil
|
||||
}
|
||||
|
||||
func decodeRules(rules string, _ *EnterpriseACLConfig, _ *EnterprisePolicyMeta) (*Policy, error) {
|
||||
func decodeRules(rules string, _ *Config, _ *EnterprisePolicyMeta) (*Policy, error) {
|
||||
p := &Policy{}
|
||||
|
||||
if err := hcl.Decode(p, rules); err != nil {
|
||||
|
|
|
@ -3,13 +3,13 @@ package acl
|
|||
var (
|
||||
// allowAll is a singleton policy which allows all
|
||||
// non-management actions
|
||||
allowAll Authorizer = &StaticAuthorizer{
|
||||
allowAll Authorizer = &staticAuthorizer{
|
||||
allowManage: false,
|
||||
defaultAllow: true,
|
||||
}
|
||||
|
||||
// denyAll is a singleton policy which denies all actions
|
||||
denyAll Authorizer = &StaticAuthorizer{
|
||||
denyAll Authorizer = &staticAuthorizer{
|
||||
allowManage: false,
|
||||
defaultAllow: false,
|
||||
}
|
||||
|
@ -18,7 +18,7 @@ var (
|
|||
// actions, including management
|
||||
// TODO (acls) - Do we need to keep this around? Our config parsing doesn't allow
|
||||
// specifying a default "manage" policy so I believe nothing will every use this.
|
||||
manageAll Authorizer = &StaticAuthorizer{
|
||||
manageAll Authorizer = &staticAuthorizer{
|
||||
allowManage: true,
|
||||
defaultAllow: true,
|
||||
}
|
||||
|
@ -27,187 +27,187 @@ var (
|
|||
// StaticAuthorizer is used to implement a base ACL policy. It either
|
||||
// allows or denies all requests. This can be used as a parent
|
||||
// ACL to act in a blacklist or whitelist mode.
|
||||
type StaticAuthorizer struct {
|
||||
type staticAuthorizer struct {
|
||||
allowManage bool
|
||||
defaultAllow bool
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) ACLRead(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) ACLRead(*AuthorizerContext) EnforcementDecision {
|
||||
if s.allowManage {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) ACLWrite(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) ACLWrite(*AuthorizerContext) EnforcementDecision {
|
||||
if s.allowManage {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) AgentRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) AgentRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) AgentWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) AgentWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) EventRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) EventRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) EventWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) EventWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) IntentionDefaultAllow(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) IntentionDefaultAllow(*AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) IntentionRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) IntentionRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) IntentionWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) IntentionWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) KeyRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) KeyRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) KeyList(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) KeyList(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) KeyWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) KeyWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) KeyWritePrefix(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) KeyWritePrefix(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) KeyringRead(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) KeyringRead(*AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) KeyringWrite(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) KeyringWrite(*AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) NodeRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) NodeRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) NodeWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) NodeWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) OperatorRead(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) OperatorRead(*AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) OperatorWrite(*EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) OperatorWrite(*AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) PreparedQueryRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) PreparedQueryRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) PreparedQueryWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) PreparedQueryWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) ServiceRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) ServiceRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) ServiceWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) ServiceWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) SessionRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) SessionRead(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) SessionWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) SessionWrite(string, *AuthorizerContext) EnforcementDecision {
|
||||
if s.defaultAllow {
|
||||
return Allow
|
||||
}
|
||||
return Deny
|
||||
}
|
||||
|
||||
func (s *StaticAuthorizer) Snapshot(_ *EnterpriseAuthorizerContext) EnforcementDecision {
|
||||
func (s *staticAuthorizer) Snapshot(_ *AuthorizerContext) EnforcementDecision {
|
||||
if s.allowManage {
|
||||
return Allow
|
||||
}
|
||||
|
|
105
agent/acl.go
105
agent/acl.go
|
@ -13,6 +13,13 @@ import (
|
|||
// clients. Some of the enforcement is normative (e.g. self and monitor)
|
||||
// and some is informative (e.g. catalog and health).
|
||||
func (a *Agent) resolveToken(id string) (acl.Authorizer, error) {
|
||||
return a.resolveTokenAndDefaultMeta(id, nil, nil)
|
||||
}
|
||||
|
||||
// resolveTokenAndDefaultMeta is used to resolve an ACL token secret to an
|
||||
// acl.Authorizer and to default any enterprise specific metadata for the request.
|
||||
// The defaulted metadata is then used to fill in an acl.AuthorizationContext.
|
||||
func (a *Agent) resolveTokenAndDefaultMeta(id string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (acl.Authorizer, error) {
|
||||
// ACLs are disabled
|
||||
if !a.delegate.ACLsEnabled() {
|
||||
return nil, nil
|
||||
|
@ -30,7 +37,8 @@ func (a *Agent) resolveToken(id string) (acl.Authorizer, error) {
|
|||
if a.tokens.IsAgentMasterToken(id) {
|
||||
return a.aclMasterAuthorizer, nil
|
||||
}
|
||||
return a.delegate.ResolveToken(id)
|
||||
|
||||
return a.delegate.ResolveTokenAndDefaultMeta(id, entMeta, authzContext)
|
||||
}
|
||||
|
||||
func (a *Agent) initializeACLs() error {
|
||||
|
@ -67,25 +75,30 @@ func (a *Agent) initializeACLs() error {
|
|||
// the given token.
|
||||
func (a *Agent) vetServiceRegister(token string, service *structs.NodeService) error {
|
||||
// Resolve the token and bail if ACLs aren't enabled.
|
||||
rule, err := a.resolveToken(token)
|
||||
authz, err := a.resolveToken(token)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if rule == nil {
|
||||
|
||||
return a.vetServiceRegisterWithAuthorizer(authz, service)
|
||||
}
|
||||
|
||||
func (a *Agent) vetServiceRegisterWithAuthorizer(authz acl.Authorizer, service *structs.NodeService) error {
|
||||
if authz == nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
service.FillAuthzContext(&authzContext)
|
||||
// Vet the service itself.
|
||||
if rule.ServiceWrite(service.Service, &authzContext) != acl.Allow {
|
||||
if authz.ServiceWrite(service.Service, &authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
// Vet any service that might be getting overwritten.
|
||||
if existing := a.State.Service(service.CompoundServiceID()); existing != nil {
|
||||
existing.FillAuthzContext(&authzContext)
|
||||
if rule.ServiceWrite(existing.Service, &authzContext) != acl.Allow {
|
||||
if authz.ServiceWrite(existing.Service, &authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
}
|
||||
|
@ -94,7 +107,7 @@ func (a *Agent) vetServiceRegister(token string, service *structs.NodeService) e
|
|||
// since it can be discovered as an instance of that service.
|
||||
if service.Kind == structs.ServiceKindConnectProxy {
|
||||
service.FillAuthzContext(&authzContext)
|
||||
if rule.ServiceWrite(service.Proxy.DestinationServiceName, &authzContext) != acl.Allow {
|
||||
if authz.ServiceWrite(service.Proxy.DestinationServiceName, &authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
}
|
||||
|
@ -106,20 +119,25 @@ func (a *Agent) vetServiceRegister(token string, service *structs.NodeService) e
|
|||
// token.
|
||||
func (a *Agent) vetServiceUpdate(token string, serviceID structs.ServiceID) error {
|
||||
// Resolve the token and bail if ACLs aren't enabled.
|
||||
rule, err := a.resolveToken(token)
|
||||
authz, err := a.resolveToken(token)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if rule == nil {
|
||||
|
||||
return a.vetServiceUpdateWithAuthorizer(authz, serviceID)
|
||||
}
|
||||
|
||||
func (a *Agent) vetServiceUpdateWithAuthorizer(authz acl.Authorizer, serviceID structs.ServiceID) error {
|
||||
if authz == nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
|
||||
// Vet any changes based on the existing services's info.
|
||||
if existing := a.State.Service(serviceID); existing != nil {
|
||||
existing.FillAuthzContext(&authzContext)
|
||||
if rule.ServiceWrite(existing.Service, &authzContext) != acl.Allow {
|
||||
if authz.ServiceWrite(existing.Service, &authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
} else {
|
||||
|
@ -133,23 +151,28 @@ func (a *Agent) vetServiceUpdate(token string, serviceID structs.ServiceID) erro
|
|||
// given token.
|
||||
func (a *Agent) vetCheckRegister(token string, check *structs.HealthCheck) error {
|
||||
// Resolve the token and bail if ACLs aren't enabled.
|
||||
rule, err := a.resolveToken(token)
|
||||
authz, err := a.resolveToken(token)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if rule == nil {
|
||||
|
||||
return a.vetCheckRegisterWithAuthorizer(authz, check)
|
||||
}
|
||||
|
||||
func (a *Agent) vetCheckRegisterWithAuthorizer(authz acl.Authorizer, check *structs.HealthCheck) error {
|
||||
if authz == nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
check.FillAuthzContext(&authzContext)
|
||||
// Vet the check itself.
|
||||
if len(check.ServiceName) > 0 {
|
||||
if rule.ServiceWrite(check.ServiceName, &authzContext) != acl.Allow {
|
||||
if authz.ServiceWrite(check.ServiceName, &authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
} else {
|
||||
if rule.NodeWrite(a.config.NodeName, &authzContext) != acl.Allow {
|
||||
if authz.NodeWrite(a.config.NodeName, &authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
}
|
||||
|
@ -157,11 +180,11 @@ func (a *Agent) vetCheckRegister(token string, check *structs.HealthCheck) error
|
|||
// Vet any check that might be getting overwritten.
|
||||
if existing := a.State.Check(check.CompoundCheckID()); existing != nil {
|
||||
if len(existing.ServiceName) > 0 {
|
||||
if rule.ServiceWrite(existing.ServiceName, &authzContext) != acl.Allow {
|
||||
if authz.ServiceWrite(existing.ServiceName, &authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
} else {
|
||||
if rule.NodeWrite(a.config.NodeName, &authzContext) != acl.Allow {
|
||||
if authz.NodeWrite(a.config.NodeName, &authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
}
|
||||
|
@ -173,25 +196,30 @@ func (a *Agent) vetCheckRegister(token string, check *structs.HealthCheck) error
|
|||
// vetCheckUpdate makes sure that a check update is allowed by the given token.
|
||||
func (a *Agent) vetCheckUpdate(token string, checkID structs.CheckID) error {
|
||||
// Resolve the token and bail if ACLs aren't enabled.
|
||||
rule, err := a.resolveToken(token)
|
||||
authz, err := a.resolveToken(token)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if rule == nil {
|
||||
|
||||
return a.vetCheckUpdateWithAuthorizer(authz, checkID)
|
||||
}
|
||||
|
||||
func (a *Agent) vetCheckUpdateWithAuthorizer(authz acl.Authorizer, checkID structs.CheckID) error {
|
||||
if authz == nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
checkID.FillAuthzContext(&authzContext)
|
||||
|
||||
// Vet any changes based on the existing check's info.
|
||||
if existing := a.State.Check(checkID); existing != nil {
|
||||
if len(existing.ServiceName) > 0 {
|
||||
if rule.ServiceWrite(existing.ServiceName, &authzContext) != acl.Allow {
|
||||
if authz.ServiceWrite(existing.ServiceName, &authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
} else {
|
||||
if rule.NodeWrite(a.config.NodeName, &authzContext) != acl.Allow {
|
||||
if authz.NodeWrite(a.config.NodeName, &authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
}
|
||||
|
@ -213,7 +241,7 @@ func (a *Agent) filterMembers(token string, members *[]serf.Member) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
structs.DefaultEnterpriseMeta().FillAuthzContext(&authzContext)
|
||||
// Filter out members based on the node policy.
|
||||
m := *members
|
||||
|
@ -233,19 +261,23 @@ func (a *Agent) filterMembers(token string, members *[]serf.Member) error {
|
|||
// filterServices redacts services that the token doesn't have access to.
|
||||
func (a *Agent) filterServices(token string, services *map[structs.ServiceID]*structs.NodeService) error {
|
||||
// Resolve the token and bail if ACLs aren't enabled.
|
||||
rule, err := a.resolveToken(token)
|
||||
authz, err := a.resolveToken(token)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if rule == nil {
|
||||
|
||||
return a.filterServicesWithAuthorizer(authz, services)
|
||||
}
|
||||
|
||||
func (a *Agent) filterServicesWithAuthorizer(authz acl.Authorizer, services *map[structs.ServiceID]*structs.NodeService) error {
|
||||
if authz == nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
// Filter out services based on the service policy.
|
||||
for id, service := range *services {
|
||||
service.FillAuthzContext(&authzContext)
|
||||
if rule.ServiceRead(service.Service, &authzContext) == acl.Allow {
|
||||
if authz.ServiceRead(service.Service, &authzContext) == acl.Allow {
|
||||
continue
|
||||
}
|
||||
a.logger.Printf("[DEBUG] agent: dropping service %q from result due to ACLs", id.String())
|
||||
|
@ -257,25 +289,30 @@ func (a *Agent) filterServices(token string, services *map[structs.ServiceID]*st
|
|||
// filterChecks redacts checks that the token doesn't have access to.
|
||||
func (a *Agent) filterChecks(token string, checks *map[structs.CheckID]*structs.HealthCheck) error {
|
||||
// Resolve the token and bail if ACLs aren't enabled.
|
||||
rule, err := a.resolveToken(token)
|
||||
authz, err := a.resolveToken(token)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if rule == nil {
|
||||
|
||||
return a.filterChecksWithAuthorizer(authz, checks)
|
||||
}
|
||||
|
||||
func (a *Agent) filterChecksWithAuthorizer(authz acl.Authorizer, checks *map[structs.CheckID]*structs.HealthCheck) error {
|
||||
if authz == nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
// Filter out checks based on the node or service policy.
|
||||
for id, check := range *checks {
|
||||
if len(check.ServiceName) > 0 {
|
||||
check.FillAuthzContext(&authzContext)
|
||||
if rule.ServiceRead(check.ServiceName, &authzContext) == acl.Allow {
|
||||
if authz.ServiceRead(check.ServiceName, &authzContext) == acl.Allow {
|
||||
continue
|
||||
}
|
||||
} else {
|
||||
structs.DefaultEnterpriseMeta().FillAuthzContext(&authzContext)
|
||||
if rule.NodeRead(a.config.NodeName, &authzContext) == acl.Allow {
|
||||
if authz.NodeRead(a.config.NodeName, &authzContext) == acl.Allow {
|
||||
continue
|
||||
}
|
||||
}
|
||||
|
|
|
@ -47,7 +47,7 @@ type TestACLAgent struct {
|
|||
// Shutdown() is called.
|
||||
DataDir string
|
||||
|
||||
resolveTokenFn func(string) (acl.Authorizer, error)
|
||||
resolveTokenFn func(string) (structs.ACLIdentity, acl.Authorizer, error)
|
||||
|
||||
*Agent
|
||||
}
|
||||
|
@ -55,7 +55,7 @@ type TestACLAgent struct {
|
|||
// NewTestACLAGent does just enough so that all the code within agent/acl.go can work
|
||||
// Basically it needs a local state for some of the vet* functions, a logger and a delegate.
|
||||
// The key is that we are the delegate so we can control the ResolveToken responses
|
||||
func NewTestACLAgent(t *testing.T, name string, hcl string, resolveFn func(string) (acl.Authorizer, error)) *TestACLAgent {
|
||||
func NewTestACLAgent(t *testing.T, name string, hcl string, resolveFn func(string) (structs.ACLIdentity, acl.Authorizer, error)) *TestACLAgent {
|
||||
a := &TestACLAgent{Name: name, HCL: hcl, resolveTokenFn: resolveFn}
|
||||
hclDataDir := `data_dir = "acl-agent"`
|
||||
|
||||
|
@ -98,9 +98,38 @@ func (a *TestACLAgent) ResolveToken(secretID string) (acl.Authorizer, error) {
|
|||
panic("This agent is useless without providing a token resolution function")
|
||||
}
|
||||
|
||||
_, authz, err := a.resolveTokenFn(secretID)
|
||||
return authz, err
|
||||
}
|
||||
|
||||
func (a *TestACLAgent) ResolveTokenToIdentityAndAuthorizer(secretID string) (structs.ACLIdentity, acl.Authorizer, error) {
|
||||
if a.resolveTokenFn == nil {
|
||||
panic("This agent is useless without providing a token resolution function")
|
||||
}
|
||||
|
||||
return a.resolveTokenFn(secretID)
|
||||
}
|
||||
|
||||
func (a *TestACLAgent) ResolveTokenAndDefaultMeta(secretID string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (acl.Authorizer, error) {
|
||||
identity, authz, err := a.ResolveTokenToIdentityAndAuthorizer(secretID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Default the EnterpriseMeta based on the Tokens meta or actual defaults
|
||||
// in the case of unknown identity
|
||||
if identity != nil {
|
||||
entMeta.Merge(identity.EnterpriseMetadata())
|
||||
} else {
|
||||
entMeta.Merge(structs.DefaultEnterpriseMeta())
|
||||
}
|
||||
|
||||
// Use the meta to fill in the ACL authorization context
|
||||
entMeta.FillAuthzContext(authzContext)
|
||||
|
||||
return authz, err
|
||||
}
|
||||
|
||||
// All of these are stubs to satisfy the interface
|
||||
func (a *TestACLAgent) Encrypted() bool {
|
||||
return false
|
||||
|
@ -150,9 +179,9 @@ func TestACL_Version8(t *testing.T) {
|
|||
t.Parallel()
|
||||
|
||||
t.Run("version 8 disabled", func(t *testing.T) {
|
||||
resolveFn := func(string) (acl.Authorizer, error) {
|
||||
resolveFn := func(string) (structs.ACLIdentity, acl.Authorizer, error) {
|
||||
require.Fail(t, "should not have called delegate.ResolveToken")
|
||||
return nil, fmt.Errorf("should not have called delegate.ResolveToken")
|
||||
return nil, nil, fmt.Errorf("should not have called delegate.ResolveToken")
|
||||
}
|
||||
|
||||
a := NewTestACLAgent(t, t.Name(), TestACLConfig()+`
|
||||
|
@ -166,9 +195,9 @@ func TestACL_Version8(t *testing.T) {
|
|||
|
||||
t.Run("version 8 enabled", func(t *testing.T) {
|
||||
called := false
|
||||
resolveFn := func(string) (acl.Authorizer, error) {
|
||||
resolveFn := func(string) (structs.ACLIdentity, acl.Authorizer, error) {
|
||||
called = true
|
||||
return nil, acl.ErrNotFound
|
||||
return nil, nil, acl.ErrNotFound
|
||||
}
|
||||
a := NewTestACLAgent(t, t.Name(), TestACLConfig()+`
|
||||
acl_enforce_version_8 = true
|
||||
|
@ -183,9 +212,9 @@ func TestACL_Version8(t *testing.T) {
|
|||
func TestACL_AgentMasterToken(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
resolveFn := func(string) (acl.Authorizer, error) {
|
||||
resolveFn := func(string) (structs.ACLIdentity, acl.Authorizer, error) {
|
||||
require.Fail(t, "should not have called delegate.ResolveToken")
|
||||
return nil, fmt.Errorf("should not have called delegate.ResolveToken")
|
||||
return nil, nil, fmt.Errorf("should not have called delegate.ResolveToken")
|
||||
}
|
||||
|
||||
a := NewTestACLAgent(t, t.Name(), TestACLConfig(), resolveFn)
|
||||
|
@ -203,9 +232,9 @@ func TestACL_AgentMasterToken(t *testing.T) {
|
|||
func TestACL_RootAuthorizersDenied(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
resolveFn := func(string) (acl.Authorizer, error) {
|
||||
resolveFn := func(string) (structs.ACLIdentity, acl.Authorizer, error) {
|
||||
require.Fail(t, "should not have called delegate.ResolveToken")
|
||||
return nil, fmt.Errorf("should not have called delegate.ResolveToken")
|
||||
return nil, nil, fmt.Errorf("should not have called delegate.ResolveToken")
|
||||
}
|
||||
|
||||
a := NewTestACLAgent(t, t.Name(), TestACLConfig(), resolveFn)
|
||||
|
@ -223,58 +252,76 @@ func TestACL_RootAuthorizersDenied(t *testing.T) {
|
|||
require.True(t, acl.IsErrRootDenied(err))
|
||||
}
|
||||
|
||||
func authzFromPolicy(policy *acl.Policy, cfg *acl.EnterpriseACLConfig) (acl.Authorizer, error) {
|
||||
func authzFromPolicy(policy *acl.Policy, cfg *acl.Config) (acl.Authorizer, error) {
|
||||
return acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, cfg)
|
||||
}
|
||||
|
||||
// catalogPolicy supplies some standard policies to help with testing the
|
||||
// catalog-related vet and filter functions.
|
||||
func catalogPolicy(token string) (acl.Authorizer, error) {
|
||||
switch token {
|
||||
type testToken struct {
|
||||
token structs.ACLToken
|
||||
// yes the rules can exist on the token itself but that is legacy behavior
|
||||
// that I would prefer these tests not rely on
|
||||
rules string
|
||||
}
|
||||
|
||||
case "node-ro":
|
||||
return authzFromPolicy(&acl.Policy{
|
||||
PolicyRules: acl.PolicyRules{
|
||||
NodePrefixes: []*acl.NodeRule{
|
||||
&acl.NodeRule{Name: "Node", Policy: "read"},
|
||||
},
|
||||
var (
|
||||
nodeROSecret = "7e80d017-bccc-492f-8dec-65f03aeaebf3"
|
||||
nodeRWSecret = "e3586ee5-02a2-4bf4-9ec3-9c4be7606e8c"
|
||||
serviceROSecret = "3d2c8552-df3b-4da7-9890-36885cbf56ac"
|
||||
serviceRWSecret = "4a1017a2-f788-4be3-93f2-90566f1340bb"
|
||||
otherRWSecret = "a38e8016-91b6-4876-b3e7-a307abbb2002"
|
||||
|
||||
testTokens = map[string]testToken{
|
||||
nodeROSecret: testToken{
|
||||
token: structs.ACLToken{
|
||||
AccessorID: "9df2d1a4-2d07-414e-8ead-6053f56ed2eb",
|
||||
SecretID: nodeROSecret,
|
||||
},
|
||||
}, nil)
|
||||
case "node-rw":
|
||||
return authzFromPolicy(&acl.Policy{
|
||||
PolicyRules: acl.PolicyRules{
|
||||
NodePrefixes: []*acl.NodeRule{
|
||||
&acl.NodeRule{Name: "Node", Policy: "write"},
|
||||
},
|
||||
rules: `node_prefix "Node" { policy = "read" }`,
|
||||
},
|
||||
nodeRWSecret: testToken{
|
||||
token: structs.ACLToken{
|
||||
AccessorID: "efb6b7d5-d343-47c1-b4cb-aa6b94d2f490",
|
||||
SecretID: nodeROSecret,
|
||||
},
|
||||
}, nil)
|
||||
case "service-ro":
|
||||
return authzFromPolicy(&acl.Policy{
|
||||
PolicyRules: acl.PolicyRules{
|
||||
ServicePrefixes: []*acl.ServiceRule{
|
||||
&acl.ServiceRule{Name: "service", Policy: "read"},
|
||||
},
|
||||
rules: `node_prefix "Node" { policy = "write" }`,
|
||||
},
|
||||
serviceROSecret: testToken{
|
||||
token: structs.ACLToken{
|
||||
AccessorID: "0da53edb-36e5-4603-9c31-79965bad45f5",
|
||||
SecretID: serviceROSecret,
|
||||
},
|
||||
}, nil)
|
||||
case "service-rw":
|
||||
return authzFromPolicy(&acl.Policy{
|
||||
PolicyRules: acl.PolicyRules{
|
||||
ServicePrefixes: []*acl.ServiceRule{
|
||||
&acl.ServiceRule{Name: "service", Policy: "write"},
|
||||
},
|
||||
rules: `service_prefix "service" { policy = "read" }`,
|
||||
},
|
||||
serviceRWSecret: testToken{
|
||||
token: structs.ACLToken{
|
||||
AccessorID: "52504258-137a-41e6-9326-01f40e80872e",
|
||||
SecretID: serviceRWSecret,
|
||||
},
|
||||
}, nil)
|
||||
case "other-rw":
|
||||
return authzFromPolicy(&acl.Policy{
|
||||
PolicyRules: acl.PolicyRules{
|
||||
ServicePrefixes: []*acl.ServiceRule{
|
||||
&acl.ServiceRule{Name: "other", Policy: "write"},
|
||||
},
|
||||
rules: `service_prefix "service" { policy = "write" }`,
|
||||
},
|
||||
otherRWSecret: testToken{
|
||||
token: structs.ACLToken{
|
||||
AccessorID: "5e032c5b-c39e-4552-b5ad-8a9365b099c4",
|
||||
SecretID: otherRWSecret,
|
||||
},
|
||||
}, nil)
|
||||
default:
|
||||
return nil, fmt.Errorf("unknown token %q", token)
|
||||
rules: `service_prefix "other" { policy = "write" }`,
|
||||
},
|
||||
}
|
||||
)
|
||||
|
||||
func catalogPolicy(token string) (structs.ACLIdentity, acl.Authorizer, error) {
|
||||
tok, ok := testTokens[token]
|
||||
if !ok {
|
||||
return nil, nil, acl.ErrNotFound
|
||||
}
|
||||
|
||||
policy, err := acl.NewPolicyFromSource("", 0, tok.rules, acl.SyntaxCurrent, nil, nil)
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
|
||||
authz, err := authzFromPolicy(policy, nil)
|
||||
return &tok.token, authz, err
|
||||
}
|
||||
|
||||
func TestACL_vetServiceRegister(t *testing.T) {
|
||||
|
@ -282,14 +329,14 @@ func TestACL_vetServiceRegister(t *testing.T) {
|
|||
a := NewTestACLAgent(t, t.Name(), TestACLConfig(), catalogPolicy)
|
||||
|
||||
// Register a new service, with permission.
|
||||
err := a.vetServiceRegister("service-rw", &structs.NodeService{
|
||||
err := a.vetServiceRegister(serviceRWSecret, &structs.NodeService{
|
||||
ID: "my-service",
|
||||
Service: "service",
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
// Register a new service without write privs.
|
||||
err = a.vetServiceRegister("service-ro", &structs.NodeService{
|
||||
err = a.vetServiceRegister(serviceROSecret, &structs.NodeService{
|
||||
ID: "my-service",
|
||||
Service: "service",
|
||||
})
|
||||
|
@ -301,7 +348,7 @@ func TestACL_vetServiceRegister(t *testing.T) {
|
|||
ID: "my-service",
|
||||
Service: "other",
|
||||
}, "")
|
||||
err = a.vetServiceRegister("service-rw", &structs.NodeService{
|
||||
err = a.vetServiceRegister(serviceRWSecret, &structs.NodeService{
|
||||
ID: "my-service",
|
||||
Service: "service",
|
||||
})
|
||||
|
@ -313,7 +360,7 @@ func TestACL_vetServiceUpdate(t *testing.T) {
|
|||
a := NewTestACLAgent(t, t.Name(), TestACLConfig(), catalogPolicy)
|
||||
|
||||
// Update a service that doesn't exist.
|
||||
err := a.vetServiceUpdate("service-rw", structs.NewServiceID("my-service", nil))
|
||||
err := a.vetServiceUpdate(serviceRWSecret, structs.NewServiceID("my-service", nil))
|
||||
require.Error(t, err)
|
||||
require.Contains(t, err.Error(), "Unknown service")
|
||||
|
||||
|
@ -322,11 +369,11 @@ func TestACL_vetServiceUpdate(t *testing.T) {
|
|||
ID: "my-service",
|
||||
Service: "service",
|
||||
}, "")
|
||||
err = a.vetServiceUpdate("service-rw", structs.NewServiceID("my-service", nil))
|
||||
err = a.vetServiceUpdate(serviceRWSecret, structs.NewServiceID("my-service", nil))
|
||||
require.NoError(t, err)
|
||||
|
||||
// Update without write privs.
|
||||
err = a.vetServiceUpdate("service-ro", structs.NewServiceID("my-service", nil))
|
||||
err = a.vetServiceUpdate(serviceROSecret, structs.NewServiceID("my-service", nil))
|
||||
require.Error(t, err)
|
||||
require.True(t, acl.IsErrPermissionDenied(err))
|
||||
}
|
||||
|
@ -336,7 +383,7 @@ func TestACL_vetCheckRegister(t *testing.T) {
|
|||
a := NewTestACLAgent(t, t.Name(), TestACLConfig(), catalogPolicy)
|
||||
|
||||
// Register a new service check with write privs.
|
||||
err := a.vetCheckRegister("service-rw", &structs.HealthCheck{
|
||||
err := a.vetCheckRegister(serviceRWSecret, &structs.HealthCheck{
|
||||
CheckID: types.CheckID("my-check"),
|
||||
ServiceID: "my-service",
|
||||
ServiceName: "service",
|
||||
|
@ -344,7 +391,7 @@ func TestACL_vetCheckRegister(t *testing.T) {
|
|||
require.NoError(t, err)
|
||||
|
||||
// Register a new service check without write privs.
|
||||
err = a.vetCheckRegister("service-ro", &structs.HealthCheck{
|
||||
err = a.vetCheckRegister(serviceROSecret, &structs.HealthCheck{
|
||||
CheckID: types.CheckID("my-check"),
|
||||
ServiceID: "my-service",
|
||||
ServiceName: "service",
|
||||
|
@ -353,13 +400,13 @@ func TestACL_vetCheckRegister(t *testing.T) {
|
|||
require.True(t, acl.IsErrPermissionDenied(err))
|
||||
|
||||
// Register a new node check with write privs.
|
||||
err = a.vetCheckRegister("node-rw", &structs.HealthCheck{
|
||||
err = a.vetCheckRegister(nodeRWSecret, &structs.HealthCheck{
|
||||
CheckID: types.CheckID("my-check"),
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
// Register a new node check without write privs.
|
||||
err = a.vetCheckRegister("node-ro", &structs.HealthCheck{
|
||||
err = a.vetCheckRegister(nodeROSecret, &structs.HealthCheck{
|
||||
CheckID: types.CheckID("my-check"),
|
||||
})
|
||||
require.Error(t, err)
|
||||
|
@ -376,7 +423,7 @@ func TestACL_vetCheckRegister(t *testing.T) {
|
|||
ServiceID: "my-service",
|
||||
ServiceName: "other",
|
||||
}, "")
|
||||
err = a.vetCheckRegister("service-rw", &structs.HealthCheck{
|
||||
err = a.vetCheckRegister(serviceRWSecret, &structs.HealthCheck{
|
||||
CheckID: types.CheckID("my-check"),
|
||||
ServiceID: "my-service",
|
||||
ServiceName: "service",
|
||||
|
@ -388,7 +435,7 @@ func TestACL_vetCheckRegister(t *testing.T) {
|
|||
a.State.AddCheck(&structs.HealthCheck{
|
||||
CheckID: types.CheckID("my-node-check"),
|
||||
}, "")
|
||||
err = a.vetCheckRegister("service-rw", &structs.HealthCheck{
|
||||
err = a.vetCheckRegister(serviceRWSecret, &structs.HealthCheck{
|
||||
CheckID: types.CheckID("my-node-check"),
|
||||
ServiceID: "my-service",
|
||||
ServiceName: "service",
|
||||
|
@ -402,7 +449,7 @@ func TestACL_vetCheckUpdate(t *testing.T) {
|
|||
a := NewTestACLAgent(t, t.Name(), TestACLConfig(), catalogPolicy)
|
||||
|
||||
// Update a check that doesn't exist.
|
||||
err := a.vetCheckUpdate("node-rw", structs.NewCheckID("my-check", nil))
|
||||
err := a.vetCheckUpdate(nodeRWSecret, structs.NewCheckID("my-check", nil))
|
||||
require.Error(t, err)
|
||||
require.Contains(t, err.Error(), "Unknown check")
|
||||
|
||||
|
@ -416,11 +463,11 @@ func TestACL_vetCheckUpdate(t *testing.T) {
|
|||
ServiceID: "my-service",
|
||||
ServiceName: "service",
|
||||
}, "")
|
||||
err = a.vetCheckUpdate("service-rw", structs.NewCheckID("my-service-check", nil))
|
||||
err = a.vetCheckUpdate(serviceRWSecret, structs.NewCheckID("my-service-check", nil))
|
||||
require.NoError(t, err)
|
||||
|
||||
// Update service check without write privs.
|
||||
err = a.vetCheckUpdate("service-ro", structs.NewCheckID("my-service-check", nil))
|
||||
err = a.vetCheckUpdate(serviceROSecret, structs.NewCheckID("my-service-check", nil))
|
||||
require.Error(t, err)
|
||||
require.True(t, acl.IsErrPermissionDenied(err), "not permission denied: %s", err.Error())
|
||||
|
||||
|
@ -428,11 +475,11 @@ func TestACL_vetCheckUpdate(t *testing.T) {
|
|||
a.State.AddCheck(&structs.HealthCheck{
|
||||
CheckID: types.CheckID("my-node-check"),
|
||||
}, "")
|
||||
err = a.vetCheckUpdate("node-rw", structs.NewCheckID("my-node-check", nil))
|
||||
err = a.vetCheckUpdate(nodeRWSecret, structs.NewCheckID("my-node-check", nil))
|
||||
require.NoError(t, err)
|
||||
|
||||
// Update without write privs.
|
||||
err = a.vetCheckUpdate("node-ro", structs.NewCheckID("my-node-check", nil))
|
||||
err = a.vetCheckUpdate(nodeROSecret, structs.NewCheckID("my-node-check", nil))
|
||||
require.Error(t, err)
|
||||
require.True(t, acl.IsErrPermissionDenied(err))
|
||||
}
|
||||
|
@ -442,7 +489,7 @@ func TestACL_filterMembers(t *testing.T) {
|
|||
a := NewTestACLAgent(t, t.Name(), TestACLConfig(), catalogPolicy)
|
||||
|
||||
var members []serf.Member
|
||||
require.NoError(t, a.filterMembers("node-ro", &members))
|
||||
require.NoError(t, a.filterMembers(nodeROSecret, &members))
|
||||
require.Len(t, members, 0)
|
||||
|
||||
members = []serf.Member{
|
||||
|
@ -450,7 +497,7 @@ func TestACL_filterMembers(t *testing.T) {
|
|||
serf.Member{Name: "Nope"},
|
||||
serf.Member{Name: "Node 2"},
|
||||
}
|
||||
require.NoError(t, a.filterMembers("node-ro", &members))
|
||||
require.NoError(t, a.filterMembers(nodeROSecret, &members))
|
||||
require.Len(t, members, 2)
|
||||
require.Equal(t, members[0].Name, "Node 1")
|
||||
require.Equal(t, members[1].Name, "Node 2")
|
||||
|
@ -461,11 +508,11 @@ func TestACL_filterServices(t *testing.T) {
|
|||
a := NewTestACLAgent(t, t.Name(), TestACLConfig(), catalogPolicy)
|
||||
|
||||
services := make(map[structs.ServiceID]*structs.NodeService)
|
||||
require.NoError(t, a.filterServices("node-ro", &services))
|
||||
require.NoError(t, a.filterServices(nodeROSecret, &services))
|
||||
|
||||
services[structs.NewServiceID("my-service", nil)] = &structs.NodeService{ID: "my-service", Service: "service"}
|
||||
services[structs.NewServiceID("my-other", nil)] = &structs.NodeService{ID: "my-other", Service: "other"}
|
||||
require.NoError(t, a.filterServices("service-ro", &services))
|
||||
require.NoError(t, a.filterServices(serviceROSecret, &services))
|
||||
require.Contains(t, services, structs.NewServiceID("my-service", nil))
|
||||
require.NotContains(t, services, structs.NewServiceID("my-other", nil))
|
||||
}
|
||||
|
@ -475,12 +522,12 @@ func TestACL_filterChecks(t *testing.T) {
|
|||
a := NewTestACLAgent(t, t.Name(), TestACLConfig(), catalogPolicy)
|
||||
|
||||
checks := make(map[structs.CheckID]*structs.HealthCheck)
|
||||
require.NoError(t, a.filterChecks("node-ro", &checks))
|
||||
require.NoError(t, a.filterChecks(nodeROSecret, &checks))
|
||||
|
||||
checks[structs.NewCheckID("my-node", nil)] = &structs.HealthCheck{}
|
||||
checks[structs.NewCheckID("my-service", nil)] = &structs.HealthCheck{ServiceName: "service"}
|
||||
checks[structs.NewCheckID("my-other", nil)] = &structs.HealthCheck{ServiceName: "other"}
|
||||
require.NoError(t, a.filterChecks("service-ro", &checks))
|
||||
require.NoError(t, a.filterChecks(serviceROSecret, &checks))
|
||||
_, ok := checks[structs.NewCheckID("my-node", nil)]
|
||||
require.False(t, ok)
|
||||
_, ok = checks[structs.NewCheckID("my-service", nil)]
|
||||
|
@ -491,7 +538,7 @@ func TestACL_filterChecks(t *testing.T) {
|
|||
checks[structs.NewCheckID("my-node", nil)] = &structs.HealthCheck{}
|
||||
checks[structs.NewCheckID("my-service", nil)] = &structs.HealthCheck{ServiceName: "service"}
|
||||
checks[structs.NewCheckID("my-other", nil)] = &structs.HealthCheck{ServiceName: "other"}
|
||||
require.NoError(t, a.filterChecks("node-ro", &checks))
|
||||
require.NoError(t, a.filterChecks(nodeROSecret, &checks))
|
||||
_, ok = checks[structs.NewCheckID("my-node", nil)]
|
||||
require.True(t, ok)
|
||||
_, ok = checks[structs.NewCheckID("my-service", nil)]
|
||||
|
|
|
@ -136,6 +136,7 @@ type delegate interface {
|
|||
JoinLAN(addrs []string) (n int, err error)
|
||||
RemoveFailedNode(node string, prune bool) error
|
||||
ResolveToken(secretID string) (acl.Authorizer, error)
|
||||
ResolveTokenAndDefaultMeta(secretID string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (acl.Authorizer, error)
|
||||
RPC(method string, args interface{}, reply interface{}) error
|
||||
ACLsEnabled() bool
|
||||
UseLegacyACLs() bool
|
||||
|
@ -2700,8 +2701,6 @@ func (a *Agent) addCheck(check *structs.HealthCheck, chkType *structs.CheckType,
|
|||
ttl.Start()
|
||||
a.checkTTLs[cid] = ttl
|
||||
|
||||
a.logger.Printf("[DEBUG] ttl checks: %+v", a.checkTTLs)
|
||||
|
||||
case chkType.IsHTTP():
|
||||
if existing, ok := a.checkHTTPs[cid]; ok {
|
||||
existing.Stop()
|
||||
|
@ -3160,7 +3159,7 @@ func (a *Agent) loadCheckState(check *structs.HealthCheck) error {
|
|||
|
||||
// Check if the state has expired
|
||||
if time.Now().Unix() >= p.Expires {
|
||||
a.logger.Printf("[DEBUG] agent: check state expired for %q, not restoring", cid)
|
||||
a.logger.Printf("[DEBUG] agent: check state expired for %q, not restoring", cid.String())
|
||||
return a.purgeCheckState(cid)
|
||||
}
|
||||
|
||||
|
|
|
@ -220,8 +220,13 @@ func (s *HTTPServer) AgentServices(resp http.ResponseWriter, req *http.Request)
|
|||
var filterExpression string
|
||||
s.parseFilter(req, &filterExpression)
|
||||
|
||||
authz, err := s.agent.resolveTokenAndDefaultMeta(token, &entMeta, nil)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
services := s.agent.State.Services(&entMeta)
|
||||
if err := s.agent.filterServices(token, &services); err != nil {
|
||||
if err := s.agent.filterServicesWithAuthorizer(authz, &services); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
|
@ -269,6 +274,12 @@ func (s *HTTPServer) AgentService(resp http.ResponseWriter, req *http.Request) (
|
|||
return nil, err
|
||||
}
|
||||
|
||||
// need to resolve to default the meta
|
||||
_, err := s.agent.resolveTokenAndDefaultMeta(token, &entMeta, nil)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Parse hash specially. Eventually this should happen in parseWait and end up
|
||||
// in QueryOptions but I didn't want to make very general changes right away.
|
||||
hash := req.URL.Query().Get("hash")
|
||||
|
@ -291,13 +302,13 @@ func (s *HTTPServer) AgentService(resp http.ResponseWriter, req *http.Request) (
|
|||
ws.Add(svcState.WatchCh)
|
||||
|
||||
// Check ACLs.
|
||||
rule, err := s.agent.resolveToken(token)
|
||||
authz, err := s.agent.resolveToken(token)
|
||||
if err != nil {
|
||||
return "", nil, err
|
||||
}
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
svc.FillAuthzContext(&authzContext)
|
||||
if rule != nil && rule.ServiceRead(svc.Service, &authzContext) != acl.Allow {
|
||||
if authz != nil && authz.ServiceRead(svc.Service, &authzContext) != acl.Allow {
|
||||
return "", nil, acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
|
@ -332,6 +343,11 @@ func (s *HTTPServer) AgentChecks(resp http.ResponseWriter, req *http.Request) (i
|
|||
return nil, err
|
||||
}
|
||||
|
||||
authz, err := s.agent.resolveTokenAndDefaultMeta(token, &entMeta, nil)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
var filterExpression string
|
||||
s.parseFilter(req, &filterExpression)
|
||||
filter, err := bexpr.CreateFilter(filterExpression, nil, nil)
|
||||
|
@ -340,7 +356,7 @@ func (s *HTTPServer) AgentChecks(resp http.ResponseWriter, req *http.Request) (i
|
|||
}
|
||||
|
||||
checks := s.agent.State.Checks(&entMeta)
|
||||
if err := s.agent.filterChecks(token, &checks); err != nil {
|
||||
if err := s.agent.filterChecksWithAuthorizer(authz, &checks); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
|
@ -480,6 +496,9 @@ func (s *HTTPServer) syncChanges() {
|
|||
}
|
||||
|
||||
func (s *HTTPServer) AgentRegisterCheck(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
||||
var token string
|
||||
s.parseToken(req, &token)
|
||||
|
||||
var args structs.CheckDefinition
|
||||
if err := s.parseEntMetaNoWildcard(req, &args.EnterpriseMeta); err != nil {
|
||||
return nil, err
|
||||
|
@ -504,12 +523,17 @@ func (s *HTTPServer) AgentRegisterCheck(resp http.ResponseWriter, req *http.Requ
|
|||
return nil, nil
|
||||
}
|
||||
|
||||
authz, err := s.agent.resolveTokenAndDefaultMeta(token, &args.EnterpriseMeta, nil)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Construct the health check.
|
||||
health := args.HealthCheck(s.agent.config.NodeName)
|
||||
|
||||
// Verify the check type.
|
||||
chkType := args.CheckType()
|
||||
err := chkType.Validate()
|
||||
err = chkType.Validate()
|
||||
if err != nil {
|
||||
resp.WriteHeader(http.StatusBadRequest)
|
||||
fmt.Fprint(resp, fmt.Errorf("Invalid check: %v", err))
|
||||
|
@ -528,9 +552,7 @@ func (s *HTTPServer) AgentRegisterCheck(resp http.ResponseWriter, req *http.Requ
|
|||
}
|
||||
|
||||
// Get the provided token, if any, and vet against any ACL policies.
|
||||
var token string
|
||||
s.parseToken(req, &token)
|
||||
if err := s.agent.vetCheckRegister(token, health); err != nil {
|
||||
if err := s.agent.vetCheckRegisterWithAuthorizer(authz, health); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
|
@ -553,9 +575,14 @@ func (s *HTTPServer) AgentDeregisterCheck(resp http.ResponseWriter, req *http.Re
|
|||
return nil, err
|
||||
}
|
||||
|
||||
authz, err := s.agent.resolveTokenAndDefaultMeta(token, &checkID.EnterpriseMeta, nil)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
checkID.Normalize()
|
||||
|
||||
if err := s.agent.vetCheckUpdate(token, checkID); err != nil {
|
||||
if err := s.agent.vetCheckUpdateWithAuthorizer(authz, checkID); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
|
@ -636,9 +663,14 @@ func (s *HTTPServer) agentCheckUpdate(resp http.ResponseWriter, req *http.Reques
|
|||
return nil, err
|
||||
}
|
||||
|
||||
authz, err := s.agent.resolveTokenAndDefaultMeta(token, &cid.EnterpriseMeta, nil)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
cid.Normalize()
|
||||
|
||||
if err := s.agent.vetCheckUpdate(token, cid); err != nil {
|
||||
if err := s.agent.vetCheckUpdateWithAuthorizer(authz, cid); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
|
@ -808,6 +840,14 @@ func (s *HTTPServer) AgentRegisterService(resp http.ResponseWriter, req *http.Re
|
|||
return nil, nil
|
||||
}
|
||||
|
||||
var token string
|
||||
s.parseToken(req, &token)
|
||||
|
||||
authz, err := s.agent.resolveTokenAndDefaultMeta(token, &args.EnterpriseMeta, nil)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Get the node service.
|
||||
ns := args.NodeService()
|
||||
if ns.Weights != nil {
|
||||
|
@ -864,9 +904,7 @@ func (s *HTTPServer) AgentRegisterService(resp http.ResponseWriter, req *http.Re
|
|||
}
|
||||
|
||||
// Get the provided token, if any, and vet against any ACL policies.
|
||||
var token string
|
||||
s.parseToken(req, &token)
|
||||
if err := s.agent.vetServiceRegister(token, ns); err != nil {
|
||||
if err := s.agent.vetServiceRegisterWithAuthorizer(authz, ns); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
|
@ -934,9 +972,14 @@ func (s *HTTPServer) AgentDeregisterService(resp http.ResponseWriter, req *http.
|
|||
return nil, err
|
||||
}
|
||||
|
||||
authz, err := s.agent.resolveTokenAndDefaultMeta(token, &sid.EnterpriseMeta, nil)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
sid.Normalize()
|
||||
|
||||
if err := s.agent.vetServiceUpdate(token, sid); err != nil {
|
||||
if err := s.agent.vetServiceUpdateWithAuthorizer(authz, sid); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
|
@ -982,9 +1025,14 @@ func (s *HTTPServer) AgentServiceMaintenance(resp http.ResponseWriter, req *http
|
|||
return nil, err
|
||||
}
|
||||
|
||||
authz, err := s.agent.resolveTokenAndDefaultMeta(token, &sid.EnterpriseMeta, nil)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
sid.Normalize()
|
||||
|
||||
if err := s.agent.vetServiceUpdate(token, sid); err != nil {
|
||||
if err := s.agent.vetServiceUpdateWithAuthorizer(authz, sid); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
|
|
|
@ -121,7 +121,7 @@ func (c *CheckMonitor) check() {
|
|||
cmd, err = exec.Script(c.Script)
|
||||
}
|
||||
if err != nil {
|
||||
c.Logger.Printf("[ERR] agent: Check %q failed to setup: %s", c.CheckID, err)
|
||||
c.Logger.Printf("[ERR] agent: Check %q failed to setup: %s", c.CheckID.String(), err)
|
||||
c.Notify.UpdateCheck(c.CheckID, api.HealthCritical, err.Error())
|
||||
return
|
||||
}
|
||||
|
@ -138,13 +138,13 @@ func (c *CheckMonitor) check() {
|
|||
outputStr = fmt.Sprintf("Captured %d of %d bytes\n...\n%s",
|
||||
output.Size(), output.TotalWritten(), outputStr)
|
||||
}
|
||||
c.Logger.Printf("[TRACE] agent: Check %q output: %s", c.CheckID, outputStr)
|
||||
c.Logger.Printf("[TRACE] agent: Check %q output: %s", c.CheckID.String(), outputStr)
|
||||
return outputStr
|
||||
}
|
||||
|
||||
// Start the check
|
||||
if err := cmd.Start(); err != nil {
|
||||
c.Logger.Printf("[ERR] agent: Check %q failed to invoke: %s", c.CheckID, err)
|
||||
c.Logger.Printf("[ERR] agent: Check %q failed to invoke: %s", c.CheckID.String(), err)
|
||||
c.Notify.UpdateCheck(c.CheckID, api.HealthCritical, err.Error())
|
||||
return
|
||||
}
|
||||
|
@ -162,11 +162,11 @@ func (c *CheckMonitor) check() {
|
|||
select {
|
||||
case <-time.After(timeout):
|
||||
if err := exec.KillCommandSubtree(cmd); err != nil {
|
||||
c.Logger.Printf("[WARN] agent: Check %q failed to kill after timeout: %s", c.CheckID, err)
|
||||
c.Logger.Printf("[WARN] agent: Check %q failed to kill after timeout: %s", c.CheckID.String(), err)
|
||||
}
|
||||
|
||||
msg := fmt.Sprintf("Timed out (%s) running check", timeout.String())
|
||||
c.Logger.Printf("[WARN] agent: Check %q: %s", c.CheckID, msg)
|
||||
c.Logger.Printf("[WARN] agent: Check %q: %s", c.CheckID.String(), msg)
|
||||
|
||||
outputStr := truncateAndLogOutput()
|
||||
if len(outputStr) > 0 {
|
||||
|
@ -259,7 +259,7 @@ func (c *CheckTTL) run() {
|
|||
select {
|
||||
case <-c.timer.C:
|
||||
c.Logger.Printf("[WARN] agent: Check %q missed TTL, is now critical",
|
||||
c.CheckID)
|
||||
c.CheckID.String())
|
||||
c.Notify.UpdateCheck(c.CheckID, api.HealthCritical, c.getExpiredOutput())
|
||||
|
||||
case <-c.stopCh:
|
||||
|
@ -285,7 +285,7 @@ func (c *CheckTTL) getExpiredOutput() string {
|
|||
// and to renew the TTL. If expired, TTL is restarted.
|
||||
// output is returned (might be truncated)
|
||||
func (c *CheckTTL) SetStatus(status, output string) string {
|
||||
c.Logger.Printf("[DEBUG] agent: Check %q status is now %s", c.CheckID, status)
|
||||
c.Logger.Printf("[DEBUG] agent: Check %q status is now %s", c.CheckID.String(), status)
|
||||
total := len(output)
|
||||
if total > c.OutputMaxSize {
|
||||
output = fmt.Sprintf("%s ... (captured %d of %d bytes)",
|
||||
|
@ -450,7 +450,7 @@ func (c *CheckHTTP) check() {
|
|||
// Read the response into a circular buffer to limit the size
|
||||
output, _ := circbuf.NewBuffer(int64(c.OutputMaxSize))
|
||||
if _, err := io.Copy(output, resp.Body); err != nil {
|
||||
c.Logger.Printf("[WARN] agent: Check %q error while reading body: %s", c.CheckID, err)
|
||||
c.Logger.Printf("[WARN] agent: Check %q error while reading body: %s", c.CheckID.String(), err)
|
||||
}
|
||||
|
||||
// Format the response body
|
||||
|
@ -542,7 +542,7 @@ func (c *CheckTCP) run() {
|
|||
func (c *CheckTCP) check() {
|
||||
conn, err := c.dialer.Dial(`tcp`, c.TCP)
|
||||
if err != nil {
|
||||
c.Logger.Printf("[WARN] agent: Check %q socket connection failed: %s", c.CheckID, err)
|
||||
c.Logger.Printf("[WARN] agent: Check %q socket connection failed: %s", c.CheckID.String(), err)
|
||||
c.StatusHandler.updateCheck(c.CheckID, api.HealthCritical, err.Error())
|
||||
return
|
||||
}
|
||||
|
@ -615,7 +615,7 @@ func (c *CheckDocker) check() {
|
|||
var out string
|
||||
status, b, err := c.doCheck()
|
||||
if err != nil {
|
||||
c.Logger.Printf("[DEBUG] agent: Check %q: %s", c.CheckID, err)
|
||||
c.Logger.Printf("[DEBUG] agent: Check %q: %s", c.CheckID.String(), err)
|
||||
out = err.Error()
|
||||
} else {
|
||||
// out is already limited to CheckBufSize since we're getting a
|
||||
|
@ -625,7 +625,7 @@ func (c *CheckDocker) check() {
|
|||
if int(b.TotalWritten()) > len(out) {
|
||||
out = fmt.Sprintf("Captured %d of %d bytes\n...\n%s", len(out), b.TotalWritten(), out)
|
||||
}
|
||||
c.Logger.Printf("[TRACE] agent: Check %q output: %s", c.CheckID, out)
|
||||
c.Logger.Printf("[TRACE] agent: Check %q output: %s", c.CheckID.String(), out)
|
||||
}
|
||||
c.StatusHandler.updateCheck(c.CheckID, status, out)
|
||||
}
|
||||
|
@ -657,10 +657,10 @@ func (c *CheckDocker) doCheck() (string, *circbuf.Buffer, error) {
|
|||
case 0:
|
||||
return api.HealthPassing, buf, nil
|
||||
case 1:
|
||||
c.Logger.Printf("[DEBUG] agent: Check %q failed with exit code: %d", c.CheckID, exitCode)
|
||||
c.Logger.Printf("[DEBUG] agent: Check %q failed with exit code: %d", c.CheckID.String(), exitCode)
|
||||
return api.HealthWarning, buf, nil
|
||||
default:
|
||||
c.Logger.Printf("[DEBUG] agent: Check %q failed with exit code: %d", c.CheckID, exitCode)
|
||||
c.Logger.Printf("[DEBUG] agent: Check %q failed with exit code: %d", c.CheckID.String(), exitCode)
|
||||
return api.HealthCritical, buf, nil
|
||||
}
|
||||
}
|
||||
|
@ -782,19 +782,19 @@ func (s *StatusHandler) updateCheck(checkID structs.CheckID, status, output stri
|
|||
s.successCounter++
|
||||
s.failuresCounter = 0
|
||||
if s.successCounter >= s.successBeforePassing {
|
||||
s.logger.Printf("[DEBUG] agent: Check %q is %q", checkID, status)
|
||||
s.logger.Printf("[DEBUG] agent: Check %q is %q", checkID.String(), status)
|
||||
s.inner.UpdateCheck(checkID, status, output)
|
||||
return
|
||||
}
|
||||
s.logger.Printf("[WARN] agent: Check %q was %q but has not reached success threshold %d/%d", checkID, status, s.successCounter, s.successBeforePassing)
|
||||
s.logger.Printf("[WARN] agent: Check %q was %q but has not reached success threshold %d/%d", checkID.String(), status, s.successCounter, s.successBeforePassing)
|
||||
} else {
|
||||
s.failuresCounter++
|
||||
s.successCounter = 0
|
||||
if s.failuresCounter >= s.failuresBeforeCritical {
|
||||
s.logger.Printf("[WARN] agent: Check %q is now critical", checkID)
|
||||
s.logger.Printf("[WARN] agent: Check %q is now critical", checkID.String())
|
||||
s.inner.UpdateCheck(checkID, status, output)
|
||||
return
|
||||
}
|
||||
s.logger.Printf("[WARN] agent: Check %q failed but has not reached failure threshold %d/%d", checkID, s.failuresCounter, s.failuresBeforeCritical)
|
||||
s.logger.Printf("[WARN] agent: Check %q failed but has not reached failure threshold %d/%d", checkID.String(), s.failuresCounter, s.failuresBeforeCritical)
|
||||
}
|
||||
}
|
||||
|
|
|
@ -69,6 +69,44 @@ const (
|
|||
tokenRoleResolutionMaxRetries = 5
|
||||
)
|
||||
|
||||
// missingIdentity is used to return some identity in the event that the real identity cannot be ascertained
|
||||
type missingIdentity struct {
|
||||
reason string
|
||||
token string
|
||||
}
|
||||
|
||||
func (id *missingIdentity) ID() string {
|
||||
return id.reason
|
||||
}
|
||||
|
||||
func (id *missingIdentity) SecretToken() string {
|
||||
return id.token
|
||||
}
|
||||
|
||||
func (id *missingIdentity) PolicyIDs() []string {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (id *missingIdentity) RoleIDs() []string {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (id *missingIdentity) EmbeddedPolicy() *structs.ACLPolicy {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (id *missingIdentity) ServiceIdentityList() []*structs.ACLServiceIdentity {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (id *missingIdentity) IsExpired(asOf time.Time) bool {
|
||||
return false
|
||||
}
|
||||
|
||||
func (id *missingIdentity) EnterpriseMetadata() *structs.EnterpriseMeta {
|
||||
return structs.DefaultEnterpriseMeta()
|
||||
}
|
||||
|
||||
func minTTL(a time.Duration, b time.Duration) time.Duration {
|
||||
if a < b {
|
||||
return a
|
||||
|
@ -130,7 +168,7 @@ type ACLResolverConfig struct {
|
|||
AutoDisable bool
|
||||
|
||||
// EnterpriseACLConfig contains Consul Enterprise specific ACL configuration
|
||||
EnterpriseConfig *acl.EnterpriseACLConfig
|
||||
EnterpriseConfig *acl.Config
|
||||
}
|
||||
|
||||
// ACLResolver is the type to handle all your token and policy resolution needs.
|
||||
|
@ -163,7 +201,7 @@ type ACLResolver struct {
|
|||
logger *log.Logger
|
||||
|
||||
delegate ACLResolverDelegate
|
||||
entConf *acl.EnterpriseACLConfig
|
||||
entConf *acl.Config
|
||||
|
||||
cache *structs.ACLCaches
|
||||
identityGroup singleflight.Group
|
||||
|
@ -287,7 +325,7 @@ func (r *ACLResolver) fetchAndCacheTokenLegacy(token string, cached *structs.Aut
|
|||
}
|
||||
}
|
||||
|
||||
func (r *ACLResolver) resolveTokenLegacy(token string) (acl.Authorizer, error) {
|
||||
func (r *ACLResolver) resolveTokenLegacy(token string) (structs.ACLIdentity, acl.Authorizer, error) {
|
||||
defer metrics.MeasureSince([]string{"acl", "resolveTokenLegacy"}, time.Now())
|
||||
|
||||
// Attempt to resolve locally first (local results are not cached)
|
||||
|
@ -297,18 +335,23 @@ func (r *ACLResolver) resolveTokenLegacy(token string) (acl.Authorizer, error) {
|
|||
if err == nil && identity != nil {
|
||||
policies, err := r.resolvePoliciesForIdentity(identity)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
return identity, nil, err
|
||||
}
|
||||
|
||||
authz, err := policies.Compile(r.cache, r.entConf)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
return identity, nil, err
|
||||
}
|
||||
|
||||
return acl.NewChainedAuthorizer([]acl.Authorizer{authz, acl.RootAuthorizer(r.config.ACLDefaultPolicy)}), nil
|
||||
return identity, acl.NewChainedAuthorizer([]acl.Authorizer{authz, acl.RootAuthorizer(r.config.ACLDefaultPolicy)}), nil
|
||||
}
|
||||
|
||||
return nil, err
|
||||
return nil, nil, err
|
||||
}
|
||||
|
||||
identity := &missingIdentity{
|
||||
reason: "legacy-token",
|
||||
token: token,
|
||||
}
|
||||
|
||||
// Look in the cache prior to making a RPC request
|
||||
|
@ -317,9 +360,9 @@ func (r *ACLResolver) resolveTokenLegacy(token string) (acl.Authorizer, error) {
|
|||
if entry != nil && entry.Age() <= minTTL(entry.TTL, r.config.ACLTokenTTL) {
|
||||
metrics.IncrCounter([]string{"acl", "token", "cache_hit"}, 1)
|
||||
if entry.Authorizer != nil {
|
||||
return entry.Authorizer, nil
|
||||
return identity, entry.Authorizer, nil
|
||||
}
|
||||
return nil, acl.ErrNotFound
|
||||
return identity, nil, acl.ErrNotFound
|
||||
}
|
||||
|
||||
metrics.IncrCounter([]string{"acl", "token", "cache_miss"}, 1)
|
||||
|
@ -334,9 +377,9 @@ func (r *ACLResolver) resolveTokenLegacy(token string) (acl.Authorizer, error) {
|
|||
if !waitForResult {
|
||||
// waitForResult being false requires the cacheEntry to not be nil
|
||||
if entry.Authorizer != nil {
|
||||
return entry.Authorizer, nil
|
||||
return identity, entry.Authorizer, nil
|
||||
}
|
||||
return nil, acl.ErrNotFound
|
||||
return identity, nil, acl.ErrNotFound
|
||||
}
|
||||
|
||||
// block waiting for the async RPC to finish.
|
||||
|
@ -347,7 +390,7 @@ func (r *ACLResolver) resolveTokenLegacy(token string) (acl.Authorizer, error) {
|
|||
authorizer = res.Val.(acl.Authorizer)
|
||||
}
|
||||
|
||||
return authorizer, res.Err
|
||||
return identity, authorizer, res.Err
|
||||
}
|
||||
|
||||
func (r *ACLResolver) fetchAndCacheIdentityFromToken(token string, cached *structs.IdentityCacheEntry) (structs.ACLIdentity, error) {
|
||||
|
@ -987,13 +1030,13 @@ func (r *ACLResolver) disableACLsWhenUpstreamDisabled(err error) error {
|
|||
return err
|
||||
}
|
||||
|
||||
func (r *ACLResolver) ResolveToken(token string) (acl.Authorizer, error) {
|
||||
func (r *ACLResolver) ResolveTokenToIdentityAndAuthorizer(token string) (structs.ACLIdentity, acl.Authorizer, error) {
|
||||
if !r.ACLsEnabled() {
|
||||
return nil, nil
|
||||
return nil, nil, nil
|
||||
}
|
||||
|
||||
if acl.RootAuthorizer(token) != nil {
|
||||
return nil, acl.ErrRootDenied
|
||||
return nil, nil, acl.ErrRootDenied
|
||||
}
|
||||
|
||||
// handle the anonymous token
|
||||
|
@ -1002,8 +1045,8 @@ func (r *ACLResolver) ResolveToken(token string) (acl.Authorizer, error) {
|
|||
}
|
||||
|
||||
if r.delegate.UseLegacyACLs() {
|
||||
authorizer, err := r.resolveTokenLegacy(token)
|
||||
return authorizer, r.disableACLsWhenUpstreamDisabled(err)
|
||||
identity, authorizer, err := r.resolveTokenLegacy(token)
|
||||
return identity, authorizer, r.disableACLsWhenUpstreamDisabled(err)
|
||||
}
|
||||
|
||||
defer metrics.MeasureSince([]string{"acl", "ResolveToken"}, time.Now())
|
||||
|
@ -1013,10 +1056,10 @@ func (r *ACLResolver) ResolveToken(token string) (acl.Authorizer, error) {
|
|||
r.disableACLsWhenUpstreamDisabled(err)
|
||||
if IsACLRemoteError(err) {
|
||||
r.logger.Printf("[ERR] consul.acl: %v", err)
|
||||
return r.down, nil
|
||||
return &missingIdentity{reason: "primary-dc-down", token: token}, r.down, nil
|
||||
}
|
||||
|
||||
return nil, err
|
||||
return nil, nil, err
|
||||
}
|
||||
|
||||
// Build the Authorizer
|
||||
|
@ -1024,7 +1067,7 @@ func (r *ACLResolver) ResolveToken(token string) (acl.Authorizer, error) {
|
|||
|
||||
authz, err := policies.Compile(r.cache, r.entConf)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
return nil, nil, err
|
||||
}
|
||||
chain = append(chain, authz)
|
||||
|
||||
|
@ -1032,15 +1075,20 @@ func (r *ACLResolver) ResolveToken(token string) (acl.Authorizer, error) {
|
|||
if err != nil {
|
||||
if IsACLRemoteError(err) {
|
||||
r.logger.Printf("[ERR] consul.acl: %v", err)
|
||||
return r.down, nil
|
||||
return identity, r.down, nil
|
||||
}
|
||||
return nil, err
|
||||
return nil, nil, err
|
||||
} else if authz != nil {
|
||||
chain = append(chain, authz)
|
||||
}
|
||||
|
||||
chain = append(chain, acl.RootAuthorizer(r.config.ACLDefaultPolicy))
|
||||
return acl.NewChainedAuthorizer(chain), nil
|
||||
return identity, acl.NewChainedAuthorizer(chain), nil
|
||||
}
|
||||
|
||||
func (r *ACLResolver) ResolveToken(token string) (acl.Authorizer, error) {
|
||||
_, authz, err := r.ResolveTokenToIdentityAndAuthorizer(token)
|
||||
return authz, err
|
||||
}
|
||||
|
||||
func (r *ACLResolver) ACLsEnabled() bool {
|
||||
|
@ -1092,7 +1140,7 @@ func newACLFilter(authorizer acl.Authorizer, logger *log.Logger, enforceVersion8
|
|||
}
|
||||
|
||||
// allowNode is used to determine if a node is accessible for an ACL.
|
||||
func (f *aclFilter) allowNode(node string, ent *acl.EnterpriseAuthorizerContext) bool {
|
||||
func (f *aclFilter) allowNode(node string, ent *acl.AuthorizerContext) bool {
|
||||
if !f.enforceVersion8 {
|
||||
return true
|
||||
}
|
||||
|
@ -1101,7 +1149,7 @@ func (f *aclFilter) allowNode(node string, ent *acl.EnterpriseAuthorizerContext)
|
|||
}
|
||||
|
||||
// allowService is used to determine if a service is accessible for an ACL.
|
||||
func (f *aclFilter) allowService(service string, ent *acl.EnterpriseAuthorizerContext) bool {
|
||||
func (f *aclFilter) allowService(service string, ent *acl.AuthorizerContext) bool {
|
||||
if service == "" {
|
||||
return true
|
||||
}
|
||||
|
@ -1114,7 +1162,7 @@ func (f *aclFilter) allowService(service string, ent *acl.EnterpriseAuthorizerCo
|
|||
|
||||
// allowSession is used to determine if a session for a node is accessible for
|
||||
// an ACL.
|
||||
func (f *aclFilter) allowSession(node string, ent *acl.EnterpriseAuthorizerContext) bool {
|
||||
func (f *aclFilter) allowSession(node string, ent *acl.AuthorizerContext) bool {
|
||||
if !f.enforceVersion8 {
|
||||
return true
|
||||
}
|
||||
|
@ -1125,7 +1173,7 @@ func (f *aclFilter) allowSession(node string, ent *acl.EnterpriseAuthorizerConte
|
|||
// the configured ACL rules for a token.
|
||||
func (f *aclFilter) filterHealthChecks(checks *structs.HealthChecks) {
|
||||
hc := *checks
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
|
||||
for i := 0; i < len(hc); i++ {
|
||||
check := hc[i]
|
||||
|
@ -1143,7 +1191,7 @@ func (f *aclFilter) filterHealthChecks(checks *structs.HealthChecks) {
|
|||
|
||||
// filterServices is used to filter a set of services based on ACLs.
|
||||
func (f *aclFilter) filterServices(services structs.Services, entMeta *structs.EnterpriseMeta) {
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
entMeta.FillAuthzContext(&authzContext)
|
||||
|
||||
for svc := range services {
|
||||
|
@ -1159,7 +1207,7 @@ func (f *aclFilter) filterServices(services structs.Services, entMeta *structs.E
|
|||
// based on the configured ACL rules.
|
||||
func (f *aclFilter) filterServiceNodes(nodes *structs.ServiceNodes) {
|
||||
sn := *nodes
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
|
||||
for i := 0; i < len(sn); i++ {
|
||||
node := sn[i]
|
||||
|
@ -1181,7 +1229,7 @@ func (f *aclFilter) filterNodeServices(services **structs.NodeServices) {
|
|||
return
|
||||
}
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
structs.WildcardEnterpriseMeta().FillAuthzContext(&authzContext)
|
||||
if !f.allowNode((*services).Node.Node, &authzContext) {
|
||||
*services = nil
|
||||
|
@ -1205,7 +1253,7 @@ func (f *aclFilter) filterNodeServiceList(services **structs.NodeServiceList) {
|
|||
return
|
||||
}
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
structs.WildcardEnterpriseMeta().FillAuthzContext(&authzContext)
|
||||
if !f.allowNode((*services).Node.Node, &authzContext) {
|
||||
*services = nil
|
||||
|
@ -1238,7 +1286,7 @@ func (f *aclFilter) filterNodeServiceList(services **structs.NodeServiceList) {
|
|||
// filterCheckServiceNodes is used to filter nodes based on ACL rules.
|
||||
func (f *aclFilter) filterCheckServiceNodes(nodes *structs.CheckServiceNodes) {
|
||||
csn := *nodes
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
|
||||
for i := 0; i < len(csn); i++ {
|
||||
node := csn[i]
|
||||
|
@ -1259,7 +1307,7 @@ func (f *aclFilter) filterSessions(sessions *structs.Sessions) {
|
|||
for i := 0; i < len(s); i++ {
|
||||
session := s[i]
|
||||
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
session.FillAuthzContext(&entCtx)
|
||||
|
||||
if f.allowSession(session.Node, &entCtx) {
|
||||
|
@ -1276,7 +1324,7 @@ func (f *aclFilter) filterSessions(sessions *structs.Sessions) {
|
|||
// rules.
|
||||
func (f *aclFilter) filterCoordinates(coords *structs.Coordinates) {
|
||||
c := *coords
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
structs.WildcardEnterpriseMeta().FillAuthzContext(&authzContext)
|
||||
|
||||
for i := 0; i < len(c); i++ {
|
||||
|
@ -1325,7 +1373,7 @@ func (f *aclFilter) filterIntentions(ixns *structs.Intentions) {
|
|||
func (f *aclFilter) filterNodeDump(dump *structs.NodeDump) {
|
||||
nd := *dump
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
for i := 0; i < len(nd); i++ {
|
||||
info := nd[i]
|
||||
|
||||
|
@ -1370,7 +1418,7 @@ func (f *aclFilter) filterNodeDump(dump *structs.NodeDump) {
|
|||
func (f *aclFilter) filterNodes(nodes *structs.Nodes) {
|
||||
n := *nodes
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
structs.WildcardEnterpriseMeta().FillAuthzContext(&authzContext)
|
||||
|
||||
for i := 0; i < len(n); i++ {
|
||||
|
@ -1393,7 +1441,7 @@ func (f *aclFilter) filterNodes(nodes *structs.Nodes) {
|
|||
// captured tokens, but they can at least see whether or not a token is set.
|
||||
func (f *aclFilter) redactPreparedQueryTokens(query **structs.PreparedQuery) {
|
||||
// Management tokens can see everything with no filtering.
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
structs.DefaultEnterpriseMeta().FillAuthzContext(&authzContext)
|
||||
if f.authorizer.ACLWrite(&authzContext) == acl.Allow {
|
||||
return
|
||||
|
@ -1419,7 +1467,7 @@ func (f *aclFilter) redactPreparedQueryTokens(query **structs.PreparedQuery) {
|
|||
// We prune entries the user doesn't have access to, and we redact any tokens
|
||||
// if the user doesn't have a management token.
|
||||
func (f *aclFilter) filterPreparedQueries(queries *structs.PreparedQueries) {
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
structs.DefaultEnterpriseMeta().FillAuthzContext(&authzContext)
|
||||
// Management tokens can see everything with no filtering.
|
||||
// TODO is this check even necessary - this looks like a search replace from
|
||||
|
@ -1451,7 +1499,7 @@ func (f *aclFilter) filterPreparedQueries(queries *structs.PreparedQueries) {
|
|||
}
|
||||
|
||||
func (f *aclFilter) filterToken(token **structs.ACLToken) {
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
if token == nil || *token == nil || f == nil {
|
||||
return
|
||||
}
|
||||
|
@ -1482,7 +1530,7 @@ func (f *aclFilter) filterTokens(tokens *structs.ACLTokens) {
|
|||
}
|
||||
|
||||
func (f *aclFilter) filterTokenStub(token **structs.ACLTokenListStub) {
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
if token == nil || *token == nil || f == nil {
|
||||
return
|
||||
}
|
||||
|
@ -1507,7 +1555,7 @@ func (f *aclFilter) filterTokenStubs(tokens *[]*structs.ACLTokenListStub) {
|
|||
}
|
||||
|
||||
func (f *aclFilter) filterPolicy(policy **structs.ACLPolicy) {
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
if policy == nil || *policy == nil || f == nil {
|
||||
return
|
||||
}
|
||||
|
@ -1533,7 +1581,7 @@ func (f *aclFilter) filterPolicies(policies *structs.ACLPolicies) {
|
|||
}
|
||||
|
||||
func (f *aclFilter) filterRole(role **structs.ACLRole) {
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
if role == nil || *role == nil || f == nil {
|
||||
return
|
||||
}
|
||||
|
@ -1559,7 +1607,7 @@ func (f *aclFilter) filterRoles(roles *structs.ACLRoles) {
|
|||
}
|
||||
|
||||
func (f *aclFilter) filterBindingRule(rule **structs.ACLBindingRule) {
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
if rule == nil || *rule == nil || f == nil {
|
||||
return
|
||||
}
|
||||
|
@ -1585,7 +1633,7 @@ func (f *aclFilter) filterBindingRules(rules *structs.ACLBindingRules) {
|
|||
}
|
||||
|
||||
func (f *aclFilter) filterAuthMethod(method **structs.ACLAuthMethod) {
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
if method == nil || *method == nil || f == nil {
|
||||
return
|
||||
}
|
||||
|
@ -1734,7 +1782,7 @@ func vetRegisterWithACL(rule acl.Authorizer, subj *structs.RegisterRequest,
|
|||
return nil
|
||||
}
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
subj.FillAuthzContext(&authzContext)
|
||||
|
||||
// Vet the node info. This allows service updates to re-post the required
|
||||
|
@ -1761,7 +1809,7 @@ func vetRegisterWithACL(rule acl.Authorizer, subj *structs.RegisterRequest,
|
|||
// This is effectively a delete, so we DO NOT apply the
|
||||
// sentinel scope to the service we are overwriting, just
|
||||
// the regular ACL policy.
|
||||
var secondaryCtx acl.EnterpriseAuthorizerContext
|
||||
var secondaryCtx acl.AuthorizerContext
|
||||
other.FillAuthzContext(&secondaryCtx)
|
||||
|
||||
if rule.ServiceWrite(other.Service, &secondaryCtx) != acl.Allow {
|
||||
|
@ -1822,7 +1870,7 @@ func vetRegisterWithACL(rule acl.Authorizer, subj *structs.RegisterRequest,
|
|||
// We are only adding a check here, so we don't add the scope,
|
||||
// since the sentinel policy doesn't apply to adding checks at
|
||||
// this time.
|
||||
var secondaryCtx acl.EnterpriseAuthorizerContext
|
||||
var secondaryCtx acl.AuthorizerContext
|
||||
other.FillAuthzContext(&secondaryCtx)
|
||||
|
||||
if rule.ServiceWrite(other.Service, &secondaryCtx) != acl.Allow {
|
||||
|
@ -1849,7 +1897,7 @@ func vetDeregisterWithACL(rule acl.Authorizer, subj *structs.DeregisterRequest,
|
|||
// We don't apply sentinel in this path, since at this time sentinel
|
||||
// only applies to create and update operations.
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
// fill with the defaults for use with the NodeWrite check
|
||||
subj.FillAuthzContext(&authzContext)
|
||||
|
||||
|
@ -1906,7 +1954,7 @@ func vetNodeTxnOp(op *structs.TxnNodeOp, rule acl.Authorizer) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
op.FillAuthzContext(&authzContext)
|
||||
|
||||
if rule != nil && rule.NodeWrite(op.Node.Node, &authzContext) != acl.Allow {
|
||||
|
@ -1923,7 +1971,7 @@ func vetServiceTxnOp(op *structs.TxnServiceOp, rule acl.Authorizer) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
op.FillAuthzContext(&authzContext)
|
||||
|
||||
if rule.ServiceWrite(op.Service.Service, &authzContext) != acl.Allow {
|
||||
|
@ -1940,7 +1988,7 @@ func vetCheckTxnOp(op *structs.TxnCheckOp, rule acl.Authorizer) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
op.FillAuthzContext(&authzContext)
|
||||
|
||||
if op.Check.ServiceID == "" {
|
||||
|
|
|
@ -106,3 +106,27 @@ func (c *Client) ResolveRoleFromID(roleID string) (bool, *structs.ACLRole, error
|
|||
func (c *Client) ResolveToken(token string) (acl.Authorizer, error) {
|
||||
return c.acls.ResolveToken(token)
|
||||
}
|
||||
|
||||
func (c *Client) ResolveTokenToIdentityAndAuthorizer(token string) (structs.ACLIdentity, acl.Authorizer, error) {
|
||||
return c.acls.ResolveTokenToIdentityAndAuthorizer(token)
|
||||
}
|
||||
|
||||
func (c *Client) ResolveTokenAndDefaultMeta(token string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (acl.Authorizer, error) {
|
||||
identity, authz, err := c.acls.ResolveTokenToIdentityAndAuthorizer(token)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Default the EnterpriseMeta based on the Tokens meta or actual defaults
|
||||
// in the case of unknown identity
|
||||
if identity != nil {
|
||||
entMeta.Merge(identity.EnterpriseMetadata())
|
||||
} else {
|
||||
entMeta.Merge(structs.DefaultEnterpriseMeta())
|
||||
}
|
||||
|
||||
// Use the meta to fill in the ACL authorization context
|
||||
entMeta.FillAuthzContext(authzContext)
|
||||
|
||||
return authz, err
|
||||
}
|
||||
|
|
|
@ -205,19 +205,17 @@ func (a *ACL) TokenRead(args *structs.ACLTokenGetRequest, reply *structs.ACLToke
|
|||
return err
|
||||
}
|
||||
|
||||
var rule acl.Authorizer
|
||||
var authz acl.Authorizer
|
||||
|
||||
if args.TokenIDType == structs.ACLTokenAccessor {
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
|
||||
var err error
|
||||
var authzContext acl.AuthorizerContext
|
||||
// Only ACLRead privileges are required to list tokens
|
||||
// However if you do not have ACLWrite as well the token
|
||||
// secrets will be redacted
|
||||
if rule, err = a.srv.ResolveToken(args.Token); err != nil {
|
||||
if authz, err = a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
|
||||
return err
|
||||
} else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
|
||||
} else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
}
|
||||
|
@ -231,7 +229,7 @@ func (a *ACL) TokenRead(args *structs.ACLTokenGetRequest, reply *structs.ACLToke
|
|||
if args.TokenIDType == structs.ACLTokenAccessor {
|
||||
index, token, err = state.ACLTokenGetByAccessor(ws, args.TokenID, &args.EnterpriseMeta)
|
||||
if token != nil {
|
||||
a.srv.filterACLWithAuthorizer(rule, &token)
|
||||
a.srv.filterACLWithAuthorizer(authz, &token)
|
||||
|
||||
// token secret was redacted
|
||||
if token.SecretID == redactedToken {
|
||||
|
@ -277,12 +275,11 @@ func (a *ACL) TokenClone(args *structs.ACLTokenSetRequest, reply *structs.ACLTok
|
|||
|
||||
defer metrics.MeasureSince([]string{"acl", "token", "clone"}, time.Now())
|
||||
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
args.ACLToken.FillAuthzContext(&entCtx)
|
||||
|
||||
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
|
||||
var authzContext acl.AuthorizerContext
|
||||
authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.ACLToken.EnterpriseMeta, &authzContext)
|
||||
if err != nil {
|
||||
return err
|
||||
} else if rule == nil || rule.ACLWrite(&entCtx) != acl.Allow {
|
||||
} else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
|
@ -348,11 +345,10 @@ func (a *ACL) TokenSet(args *structs.ACLTokenSetRequest, reply *structs.ACLToken
|
|||
defer metrics.MeasureSince([]string{"acl", "token", "upsert"}, time.Now())
|
||||
|
||||
// Verify token is permitted to modify ACLs
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
args.ACLToken.FillAuthzContext(&entCtx)
|
||||
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
|
||||
var authzContext acl.AuthorizerContext
|
||||
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.ACLToken.EnterpriseMeta, &authzContext); err != nil {
|
||||
return err
|
||||
} else if rule == nil || rule.ACLWrite(&entCtx) != acl.Allow {
|
||||
} else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
|
@ -737,12 +733,10 @@ func (a *ACL) TokenDelete(args *structs.ACLTokenDeleteRequest, reply *string) er
|
|||
defer metrics.MeasureSince([]string{"acl", "token", "delete"}, time.Now())
|
||||
|
||||
// Verify token is permitted to modify ACLs
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
|
||||
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
|
||||
var authzContext acl.AuthorizerContext
|
||||
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
|
||||
return err
|
||||
} else if rule == nil || rule.ACLWrite(&entCtx) != acl.Allow {
|
||||
} else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
|
@ -826,13 +820,11 @@ func (a *ACL) TokenList(args *structs.ACLTokenListRequest, reply *structs.ACLTok
|
|||
return err
|
||||
}
|
||||
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
|
||||
rule, err := a.srv.ResolveToken(args.Token)
|
||||
var authzContext acl.AuthorizerContext
|
||||
authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
|
||||
if err != nil {
|
||||
return err
|
||||
} else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
|
||||
} else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
|
@ -854,7 +846,7 @@ func (a *ACL) TokenList(args *structs.ACLTokenListRequest, reply *structs.ACLTok
|
|||
}
|
||||
|
||||
// filter down to just the tokens that the requester has permissions to read
|
||||
if err := a.srv.filterACLWithAuthorizer(rule, &stubs); err != nil {
|
||||
if err := a.srv.filterACLWithAuthorizer(authz, &stubs); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
|
@ -876,10 +868,10 @@ func (a *ACL) TokenBatchRead(args *structs.ACLTokenBatchGetRequest, reply *struc
|
|||
return err
|
||||
}
|
||||
|
||||
rule, err := a.srv.ResolveToken(args.Token)
|
||||
authz, err := a.srv.ResolveToken(args.Token)
|
||||
if err != nil {
|
||||
return err
|
||||
} else if rule == nil {
|
||||
} else if authz == nil {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
|
@ -901,7 +893,7 @@ func (a *ACL) TokenBatchRead(args *structs.ACLTokenBatchGetRequest, reply *struc
|
|||
ret := make(structs.ACLTokens, 0, len(tokens))
|
||||
for _, token := range tokens {
|
||||
final := token
|
||||
a.srv.filterACLWithAuthorizer(rule, &final)
|
||||
a.srv.filterACLWithAuthorizer(authz, &final)
|
||||
if final != nil {
|
||||
ret = append(ret, final)
|
||||
if final.SecretID == redactedToken {
|
||||
|
@ -930,12 +922,10 @@ func (a *ACL) PolicyRead(args *structs.ACLPolicyGetRequest, reply *structs.ACLPo
|
|||
return err
|
||||
}
|
||||
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
|
||||
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
|
||||
var authzContext acl.AuthorizerContext
|
||||
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
|
||||
return err
|
||||
} else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
|
||||
} else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
|
@ -961,10 +951,10 @@ func (a *ACL) PolicyBatchRead(args *structs.ACLPolicyBatchGetRequest, reply *str
|
|||
return err
|
||||
}
|
||||
|
||||
rule, err := a.srv.ResolveToken(args.Token)
|
||||
authz, err := a.srv.ResolveToken(args.Token)
|
||||
if err != nil {
|
||||
return err
|
||||
} else if rule == nil {
|
||||
} else if authz == nil {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
|
@ -975,7 +965,7 @@ func (a *ACL) PolicyBatchRead(args *structs.ACLPolicyBatchGetRequest, reply *str
|
|||
return err
|
||||
}
|
||||
|
||||
a.srv.filterACLWithAuthorizer(rule, &policies)
|
||||
a.srv.filterACLWithAuthorizer(authz, &policies)
|
||||
|
||||
reply.Index, reply.Policies = index, policies
|
||||
return nil
|
||||
|
@ -1002,12 +992,11 @@ func (a *ACL) PolicySet(args *structs.ACLPolicySetRequest, reply *structs.ACLPol
|
|||
defer metrics.MeasureSince([]string{"acl", "policy", "upsert"}, time.Now())
|
||||
|
||||
// Verify token is permitted to modify ACLs
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
args.Policy.FillAuthzContext(&entCtx)
|
||||
var authzContext acl.AuthorizerContext
|
||||
|
||||
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
|
||||
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.Policy.EnterpriseMeta, &authzContext); err != nil {
|
||||
return err
|
||||
} else if rule == nil || rule.ACLWrite(&entCtx) != acl.Allow {
|
||||
} else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
|
@ -1138,12 +1127,11 @@ func (a *ACL) PolicyDelete(args *structs.ACLPolicyDeleteRequest, reply *string)
|
|||
defer metrics.MeasureSince([]string{"acl", "policy", "delete"}, time.Now())
|
||||
|
||||
// Verify token is permitted to modify ACLs
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
var authzContext acl.AuthorizerContext
|
||||
|
||||
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
|
||||
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
|
||||
return err
|
||||
} else if rule == nil || rule.ACLWrite(&entCtx) != acl.Allow {
|
||||
} else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
|
@ -1195,13 +1183,12 @@ func (a *ACL) PolicyList(args *structs.ACLPolicyListRequest, reply *structs.ACLP
|
|||
return err
|
||||
}
|
||||
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
var authzContext acl.AuthorizerContext
|
||||
|
||||
rule, err := a.srv.ResolveToken(args.Token)
|
||||
authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
|
||||
if err != nil {
|
||||
return err
|
||||
} else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
|
||||
} else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
|
@ -1213,7 +1200,7 @@ func (a *ACL) PolicyList(args *structs.ACLPolicyListRequest, reply *structs.ACLP
|
|||
}
|
||||
|
||||
// filter down to just what the requester has permissions to see
|
||||
a.srv.filterACLWithAuthorizer(rule, &policies)
|
||||
a.srv.filterACLWithAuthorizer(authz, &policies)
|
||||
|
||||
var stubs structs.ACLPolicyListStubs
|
||||
for _, policy := range policies {
|
||||
|
@ -1351,12 +1338,11 @@ func (a *ACL) RoleRead(args *structs.ACLRoleGetRequest, reply *structs.ACLRoleRe
|
|||
return err
|
||||
}
|
||||
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
var authzContext acl.AuthorizerContext
|
||||
|
||||
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
|
||||
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
|
||||
return err
|
||||
} else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
|
||||
} else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
|
@ -1391,10 +1377,10 @@ func (a *ACL) RoleBatchRead(args *structs.ACLRoleBatchGetRequest, reply *structs
|
|||
return err
|
||||
}
|
||||
|
||||
rule, err := a.srv.ResolveToken(args.Token)
|
||||
authz, err := a.srv.ResolveToken(args.Token)
|
||||
if err != nil {
|
||||
return err
|
||||
} else if rule == nil {
|
||||
} else if authz == nil {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
|
@ -1405,7 +1391,7 @@ func (a *ACL) RoleBatchRead(args *structs.ACLRoleBatchGetRequest, reply *structs
|
|||
return err
|
||||
}
|
||||
|
||||
a.srv.filterACLWithAuthorizer(rule, &roles)
|
||||
a.srv.filterACLWithAuthorizer(authz, &roles)
|
||||
|
||||
reply.Index, reply.Roles = index, roles
|
||||
return nil
|
||||
|
@ -1432,12 +1418,11 @@ func (a *ACL) RoleSet(args *structs.ACLRoleSetRequest, reply *structs.ACLRole) e
|
|||
defer metrics.MeasureSince([]string{"acl", "role", "upsert"}, time.Now())
|
||||
|
||||
// Verify token is permitted to modify ACLs
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
args.Role.FillAuthzContext(&entCtx)
|
||||
var authzContext acl.AuthorizerContext
|
||||
|
||||
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
|
||||
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.Role.EnterpriseMeta, &authzContext); err != nil {
|
||||
return err
|
||||
} else if rule == nil || rule.ACLWrite(&entCtx) != acl.Allow {
|
||||
} else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
|
@ -1582,12 +1567,11 @@ func (a *ACL) RoleDelete(args *structs.ACLRoleDeleteRequest, reply *string) erro
|
|||
defer metrics.MeasureSince([]string{"acl", "role", "delete"}, time.Now())
|
||||
|
||||
// Verify token is permitted to modify ACLs
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
var authzContext acl.AuthorizerContext
|
||||
|
||||
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
|
||||
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
|
||||
return err
|
||||
} else if rule == nil || rule.ACLWrite(&entCtx) != acl.Allow {
|
||||
} else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
|
@ -1635,13 +1619,12 @@ func (a *ACL) RoleList(args *structs.ACLRoleListRequest, reply *structs.ACLRoleL
|
|||
return err
|
||||
}
|
||||
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
var authzContext acl.AuthorizerContext
|
||||
|
||||
rule, err := a.srv.ResolveToken(args.Token)
|
||||
authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
|
||||
if err != nil {
|
||||
return err
|
||||
} else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
|
||||
} else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
|
@ -1652,7 +1635,7 @@ func (a *ACL) RoleList(args *structs.ACLRoleListRequest, reply *structs.ACLRoleL
|
|||
return err
|
||||
}
|
||||
|
||||
a.srv.filterACLWithAuthorizer(rule, &roles)
|
||||
a.srv.filterACLWithAuthorizer(authz, &roles)
|
||||
|
||||
reply.Index, reply.Roles = index, roles
|
||||
return nil
|
||||
|
@ -1721,13 +1704,12 @@ func (a *ACL) BindingRuleRead(args *structs.ACLBindingRuleGetRequest, reply *str
|
|||
return err
|
||||
}
|
||||
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
var authzContext acl.AuthorizerContext
|
||||
|
||||
rule, err := a.srv.ResolveToken(args.Token)
|
||||
authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
|
||||
if err != nil {
|
||||
return err
|
||||
} else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
|
||||
} else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
|
@ -1763,13 +1745,12 @@ func (a *ACL) BindingRuleSet(args *structs.ACLBindingRuleSetRequest, reply *stru
|
|||
|
||||
defer metrics.MeasureSince([]string{"acl", "bindingrule", "upsert"}, time.Now())
|
||||
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
args.BindingRule.FillAuthzContext(&entCtx)
|
||||
var authzContext acl.AuthorizerContext
|
||||
|
||||
// Verify token is permitted to modify ACLs
|
||||
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
|
||||
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.BindingRule.EnterpriseMeta, &authzContext); err != nil {
|
||||
return err
|
||||
} else if rule == nil || rule.ACLWrite(&entCtx) != acl.Allow {
|
||||
} else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
|
@ -1792,6 +1773,7 @@ func (a *ACL) BindingRuleSet(args *structs.ACLBindingRuleSetRequest, reply *stru
|
|||
|
||||
// Verify the role exists
|
||||
var err error
|
||||
// specifically disregarding the enterprise meta here
|
||||
_, existing, err = state.ACLBindingRuleGetByID(nil, rule.ID, nil)
|
||||
if err != nil {
|
||||
return fmt.Errorf("acl binding rule lookup failed: %v", err)
|
||||
|
@ -1894,13 +1876,12 @@ func (a *ACL) BindingRuleDelete(args *structs.ACLBindingRuleDeleteRequest, reply
|
|||
|
||||
defer metrics.MeasureSince([]string{"acl", "bindingrule", "delete"}, time.Now())
|
||||
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
var authzContext acl.AuthorizerContext
|
||||
|
||||
// Verify token is permitted to modify ACLs
|
||||
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
|
||||
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
|
||||
return err
|
||||
} else if rule == nil || rule.ACLWrite(&entCtx) != acl.Allow {
|
||||
} else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
|
@ -1948,13 +1929,12 @@ func (a *ACL) BindingRuleList(args *structs.ACLBindingRuleListRequest, reply *st
|
|||
return err
|
||||
}
|
||||
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
var authzContext acl.AuthorizerContext
|
||||
|
||||
rule, err := a.srv.ResolveToken(args.Token)
|
||||
authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
|
||||
if err != nil {
|
||||
return err
|
||||
} else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
|
||||
} else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
|
@ -1965,7 +1945,7 @@ func (a *ACL) BindingRuleList(args *structs.ACLBindingRuleListRequest, reply *st
|
|||
return err
|
||||
}
|
||||
|
||||
a.srv.filterACLWithAuthorizer(rule, &rules)
|
||||
a.srv.filterACLWithAuthorizer(authz, &rules)
|
||||
|
||||
reply.Index, reply.BindingRules = index, rules
|
||||
return nil
|
||||
|
@ -1989,12 +1969,11 @@ func (a *ACL) AuthMethodRead(args *structs.ACLAuthMethodGetRequest, reply *struc
|
|||
return err
|
||||
}
|
||||
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
var authzContext acl.AuthorizerContext
|
||||
|
||||
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
|
||||
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
|
||||
return err
|
||||
} else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
|
||||
} else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
|
@ -2031,12 +2010,11 @@ func (a *ACL) AuthMethodSet(args *structs.ACLAuthMethodSetRequest, reply *struct
|
|||
defer metrics.MeasureSince([]string{"acl", "authmethod", "upsert"}, time.Now())
|
||||
|
||||
// Verify token is permitted to modify ACLs
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
args.AuthMethod.FillAuthzContext(&entCtx)
|
||||
var authzContext acl.AuthorizerContext
|
||||
|
||||
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
|
||||
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.AuthMethod.EnterpriseMeta, &authzContext); err != nil {
|
||||
return err
|
||||
} else if rule == nil || rule.ACLWrite(&entCtx) != acl.Allow {
|
||||
} else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
|
@ -2119,12 +2097,11 @@ func (a *ACL) AuthMethodDelete(args *structs.ACLAuthMethodDeleteRequest, reply *
|
|||
defer metrics.MeasureSince([]string{"acl", "authmethod", "delete"}, time.Now())
|
||||
|
||||
// Verify token is permitted to modify ACLs
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
var authzContext acl.AuthorizerContext
|
||||
|
||||
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
|
||||
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
|
||||
return err
|
||||
} else if rule == nil || rule.ACLWrite(&entCtx) != acl.Allow {
|
||||
} else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
|
@ -2173,13 +2150,12 @@ func (a *ACL) AuthMethodList(args *structs.ACLAuthMethodListRequest, reply *stru
|
|||
return err
|
||||
}
|
||||
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
var authzContext acl.AuthorizerContext
|
||||
|
||||
rule, err := a.srv.ResolveToken(args.Token)
|
||||
authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
|
||||
if err != nil {
|
||||
return err
|
||||
} else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
|
||||
} else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
|
@ -2190,7 +2166,7 @@ func (a *ACL) AuthMethodList(args *structs.ACLAuthMethodListRequest, reply *stru
|
|||
return err
|
||||
}
|
||||
|
||||
a.srv.filterACLWithAuthorizer(rule, &methods)
|
||||
a.srv.filterACLWithAuthorizer(authz, &methods)
|
||||
|
||||
var stubs structs.ACLAuthMethodListStubs
|
||||
for _, method := range methods {
|
||||
|
|
|
@ -2070,6 +2070,7 @@ func TestACLEndpoint_TokenList(t *testing.T) {
|
|||
defer codec.Close()
|
||||
|
||||
testrpc.WaitForLeader(t, s1.RPC, "dc1")
|
||||
waitForLeaderEstablishment(t, s1)
|
||||
|
||||
acl := ACL{srv: s1}
|
||||
|
||||
|
|
|
@ -16,7 +16,7 @@ func (s *Server) replicationEnterpriseMeta() *structs.EnterpriseMeta {
|
|||
return structs.ReplicationEnterpriseMeta()
|
||||
}
|
||||
|
||||
func newEnterpriseACLConfig(*log.Logger) *acl.EnterpriseACLConfig {
|
||||
func newEnterpriseACLConfig(*log.Logger) *acl.Config {
|
||||
return nil
|
||||
}
|
||||
|
||||
|
|
|
@ -213,6 +213,30 @@ func (s *Server) ResolveToken(token string) (acl.Authorizer, error) {
|
|||
return s.acls.ResolveToken(token)
|
||||
}
|
||||
|
||||
func (s *Server) ResolveTokenToIdentityAndAuthorizer(token string) (structs.ACLIdentity, acl.Authorizer, error) {
|
||||
return s.acls.ResolveTokenToIdentityAndAuthorizer(token)
|
||||
}
|
||||
|
||||
func (s *Server) ResolveTokenAndDefaultMeta(token string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (acl.Authorizer, error) {
|
||||
identity, authz, err := s.acls.ResolveTokenToIdentityAndAuthorizer(token)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Default the EnterpriseMeta based on the Tokens meta or actual defaults
|
||||
// in the case of unknown identity
|
||||
if identity != nil {
|
||||
entMeta.Merge(identity.EnterpriseMetadata())
|
||||
} else {
|
||||
entMeta.Merge(structs.DefaultEnterpriseMeta())
|
||||
}
|
||||
|
||||
// Use the meta to fill in the ACL authorization context
|
||||
entMeta.FillAuthzContext(authzContext)
|
||||
|
||||
return authz, err
|
||||
}
|
||||
|
||||
func (s *Server) filterACL(token string, subj interface{}) error {
|
||||
return s.acls.filterACL(token, subj)
|
||||
}
|
||||
|
|
|
@ -35,7 +35,7 @@ func nodePreApply(nodeName, nodeID string) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func servicePreApply(service *structs.NodeService, rule acl.Authorizer) error {
|
||||
func servicePreApply(service *structs.NodeService, authz acl.Authorizer) error {
|
||||
// Validate the service. This is in addition to the below since
|
||||
// the above just hasn't been moved over yet. We should move it over
|
||||
// in time.
|
||||
|
@ -59,7 +59,7 @@ func servicePreApply(service *structs.NodeService, rule acl.Authorizer) error {
|
|||
return fmt.Errorf("Invalid service address")
|
||||
}
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
service.FillAuthzContext(&authzContext)
|
||||
|
||||
// Apply the ACL policy if any. The 'consul' service is excluded
|
||||
|
@ -68,14 +68,14 @@ func servicePreApply(service *structs.NodeService, rule acl.Authorizer) error {
|
|||
// later if version 0.8 is enabled, so we can eventually just
|
||||
// delete this and do all the ACL checks down there.
|
||||
if service.Service != structs.ConsulServiceName {
|
||||
if rule != nil && rule.ServiceWrite(service.Service, &authzContext) != acl.Allow {
|
||||
if authz != nil && authz.ServiceWrite(service.Service, &authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
}
|
||||
|
||||
// Proxies must have write permission on their destination
|
||||
if service.Kind == structs.ServiceKindConnectProxy {
|
||||
if rule != nil && rule.ServiceWrite(service.Proxy.DestinationServiceName, &authzContext) != acl.Allow {
|
||||
if authz != nil && authz.ServiceWrite(service.Proxy.DestinationServiceName, &authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
}
|
||||
|
@ -92,17 +92,25 @@ func checkPreApply(check *structs.HealthCheck) {
|
|||
|
||||
// Register is used register that a node is providing a given service.
|
||||
func (c *Catalog) Register(args *structs.RegisterRequest, reply *struct{}) error {
|
||||
if err := c.srv.validateEnterpriseRequest(args.GetEnterpriseMeta(), true); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if done, err := c.srv.forward("Catalog.Register", args, args, reply); done {
|
||||
return err
|
||||
}
|
||||
defer metrics.MeasureSince([]string{"catalog", "register"}, time.Now())
|
||||
|
||||
// Fetch the ACL token, if any.
|
||||
rule, err := c.srv.ResolveToken(args.Token)
|
||||
authz, err := c.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, nil)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if err := c.srv.validateEnterpriseRequest(args.GetEnterpriseMeta(), true); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// This needs to happen before the other preapply checks as it will fixup some of the
|
||||
// internal enterprise metas on the services and checks
|
||||
state := c.srv.fsm.State()
|
||||
entMeta, err := state.ValidateRegisterRequest(args)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -117,7 +125,7 @@ func (c *Catalog) Register(args *structs.RegisterRequest, reply *struct{}) error
|
|||
|
||||
// Handle a service registration.
|
||||
if args.Service != nil {
|
||||
if err := servicePreApply(args.Service, rule); err != nil {
|
||||
if err := servicePreApply(args.Service, authz); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
@ -141,20 +149,14 @@ func (c *Catalog) Register(args *structs.RegisterRequest, reply *struct{}) error
|
|||
}
|
||||
}
|
||||
|
||||
state := c.srv.fsm.State()
|
||||
entMeta, err := state.ValidateRegisterRequest(args)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// Check the complete register request against the given ACL policy.
|
||||
if rule != nil && c.srv.config.ACLEnforceVersion8 {
|
||||
if authz != nil && c.srv.config.ACLEnforceVersion8 {
|
||||
state := c.srv.fsm.State()
|
||||
_, ns, err := state.NodeServices(nil, args.Node, entMeta)
|
||||
if err != nil {
|
||||
return fmt.Errorf("Node lookup failed: %v", err)
|
||||
}
|
||||
if err := vetRegisterWithACL(rule, args, ns); err != nil {
|
||||
if err := vetRegisterWithACL(authz, args, ns); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
@ -171,10 +173,6 @@ func (c *Catalog) Register(args *structs.RegisterRequest, reply *struct{}) error
|
|||
|
||||
// Deregister is used to remove a service registration for a given node.
|
||||
func (c *Catalog) Deregister(args *structs.DeregisterRequest, reply *struct{}) error {
|
||||
if err := c.srv.validateEnterpriseRequest(&args.EnterpriseMeta, true); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if done, err := c.srv.forward("Catalog.Deregister", args, args, reply); done {
|
||||
return err
|
||||
}
|
||||
|
@ -186,13 +184,17 @@ func (c *Catalog) Deregister(args *structs.DeregisterRequest, reply *struct{}) e
|
|||
}
|
||||
|
||||
// Fetch the ACL token, if any.
|
||||
rule, err := c.srv.ResolveToken(args.Token)
|
||||
authz, err := c.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, nil)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if err := c.srv.validateEnterpriseRequest(&args.EnterpriseMeta, true); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// Check the complete deregister request against the given ACL policy.
|
||||
if rule != nil && c.srv.config.ACLEnforceVersion8 {
|
||||
if authz != nil && c.srv.config.ACLEnforceVersion8 {
|
||||
state := c.srv.fsm.State()
|
||||
|
||||
var ns *structs.NodeService
|
||||
|
@ -211,7 +213,7 @@ func (c *Catalog) Deregister(args *structs.DeregisterRequest, reply *struct{}) e
|
|||
}
|
||||
}
|
||||
|
||||
if err := vetDeregisterWithACL(rule, args, ns, nc); err != nil {
|
||||
if err := vetDeregisterWithACL(authz, args, ns, nc); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
|
@ -282,16 +284,21 @@ func (c *Catalog) ListNodes(args *structs.DCSpecificRequest, reply *structs.Inde
|
|||
|
||||
// ListServices is used to query the services in a DC
|
||||
func (c *Catalog) ListServices(args *structs.DCSpecificRequest, reply *structs.IndexedServices) error {
|
||||
if err := c.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if done, err := c.srv.forward("Catalog.ListServices", args, args, reply); done {
|
||||
return err
|
||||
}
|
||||
|
||||
(*reply).EnterpriseMeta = args.EnterpriseMeta
|
||||
|
||||
authz, err := c.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, nil)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if err := c.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return c.srv.blockingQuery(
|
||||
&args.QueryOptions,
|
||||
&reply.QueryMeta,
|
||||
|
@ -308,17 +315,13 @@ func (c *Catalog) ListServices(args *structs.DCSpecificRequest, reply *structs.I
|
|||
return err
|
||||
}
|
||||
|
||||
reply.Index, reply.Services = index, services
|
||||
return c.srv.filterACL(args.Token, reply)
|
||||
reply.Index, reply.Services, reply.EnterpriseMeta = index, services, args.EnterpriseMeta
|
||||
return c.srv.filterACLWithAuthorizer(authz, reply)
|
||||
})
|
||||
}
|
||||
|
||||
// ServiceNodes returns all the nodes registered as part of a service
|
||||
func (c *Catalog) ServiceNodes(args *structs.ServiceSpecificRequest, reply *structs.IndexedServiceNodes) error {
|
||||
if err := c.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if done, err := c.srv.forward("Catalog.ServiceNodes", args, args, reply); done {
|
||||
return err
|
||||
}
|
||||
|
@ -359,18 +362,20 @@ func (c *Catalog) ServiceNodes(args *structs.ServiceSpecificRequest, reply *stru
|
|||
}
|
||||
}
|
||||
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
args.FillAuthzContext(&authzContext)
|
||||
var authzContext acl.AuthorizerContext
|
||||
authz, err := c.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if err := c.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// If we're doing a connect query, we need read access to the service
|
||||
// we're trying to find proxies for, so check that.
|
||||
if args.Connect {
|
||||
// Fetch the ACL token, if any.
|
||||
rule, err := c.srv.ResolveToken(args.Token)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if rule != nil && rule.ServiceRead(args.ServiceName, &authzContext) != acl.Allow {
|
||||
if authz != nil && authz.ServiceRead(args.ServiceName, &authzContext) != acl.Allow {
|
||||
// Just return nil, which will return an empty response (tested)
|
||||
return nil
|
||||
}
|
||||
|
@ -455,10 +460,6 @@ func (c *Catalog) ServiceNodes(args *structs.ServiceSpecificRequest, reply *stru
|
|||
|
||||
// NodeServices returns all the services registered as part of a node
|
||||
func (c *Catalog) NodeServices(args *structs.NodeSpecificRequest, reply *structs.IndexedNodeServices) error {
|
||||
if err := c.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if done, err := c.srv.forward("Catalog.NodeServices", args, args, reply); done {
|
||||
return err
|
||||
}
|
||||
|
@ -474,6 +475,15 @@ func (c *Catalog) NodeServices(args *structs.NodeSpecificRequest, reply *structs
|
|||
return err
|
||||
}
|
||||
|
||||
_, err = c.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, nil)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if err := c.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return c.srv.blockingQuery(
|
||||
&args.QueryOptions,
|
||||
&reply.QueryMeta,
|
||||
|
@ -501,10 +511,6 @@ func (c *Catalog) NodeServices(args *structs.NodeSpecificRequest, reply *structs
|
|||
}
|
||||
|
||||
func (c *Catalog) NodeServiceList(args *structs.NodeSpecificRequest, reply *structs.IndexedNodeServiceList) error {
|
||||
if err := c.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if done, err := c.srv.forward("Catalog.NodeServiceList", args, args, reply); done {
|
||||
return err
|
||||
}
|
||||
|
@ -520,6 +526,15 @@ func (c *Catalog) NodeServiceList(args *structs.NodeSpecificRequest, reply *stru
|
|||
return err
|
||||
}
|
||||
|
||||
_, err = c.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, nil)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if err := c.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return c.srv.blockingQuery(
|
||||
&args.QueryOptions,
|
||||
&reply.QueryMeta,
|
||||
|
|
|
@ -14,7 +14,7 @@ func (d *dirEntFilter) Len() int {
|
|||
return len(d.ent)
|
||||
}
|
||||
func (d *dirEntFilter) Filter(i int) bool {
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
var entCtx acl.AuthorizerContext
|
||||
d.ent[i].FillAuthzContext(&entCtx)
|
||||
|
||||
return d.authorizer.KeyRead(d.ent[i].Key, &entCtx) != acl.Allow
|
||||
|
|
|
@ -20,10 +20,6 @@ type Health struct {
|
|||
// ChecksInState is used to get all the checks in a given state
|
||||
func (h *Health) ChecksInState(args *structs.ChecksInStateRequest,
|
||||
reply *structs.IndexedHealthChecks) error {
|
||||
if err := h.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if done, err := h.srv.forward("Health.ChecksInState", args, args, reply); done {
|
||||
return err
|
||||
}
|
||||
|
@ -33,6 +29,15 @@ func (h *Health) ChecksInState(args *structs.ChecksInStateRequest,
|
|||
return err
|
||||
}
|
||||
|
||||
_, err = h.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, nil)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if err := h.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return h.srv.blockingQuery(
|
||||
&args.QueryOptions,
|
||||
&reply.QueryMeta,
|
||||
|
@ -66,10 +71,6 @@ func (h *Health) ChecksInState(args *structs.ChecksInStateRequest,
|
|||
// NodeChecks is used to get all the checks for a node
|
||||
func (h *Health) NodeChecks(args *structs.NodeSpecificRequest,
|
||||
reply *structs.IndexedHealthChecks) error {
|
||||
if err := h.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if done, err := h.srv.forward("Health.NodeChecks", args, args, reply); done {
|
||||
return err
|
||||
}
|
||||
|
@ -79,6 +80,15 @@ func (h *Health) NodeChecks(args *structs.NodeSpecificRequest,
|
|||
return err
|
||||
}
|
||||
|
||||
_, err = h.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, nil)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if err := h.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return h.srv.blockingQuery(
|
||||
&args.QueryOptions,
|
||||
&reply.QueryMeta,
|
||||
|
@ -105,10 +115,6 @@ func (h *Health) NodeChecks(args *structs.NodeSpecificRequest,
|
|||
func (h *Health) ServiceChecks(args *structs.ServiceSpecificRequest,
|
||||
reply *structs.IndexedHealthChecks) error {
|
||||
|
||||
if err := h.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// Reject if tag filtering is on
|
||||
if args.TagFilter {
|
||||
return fmt.Errorf("Tag filtering is not supported")
|
||||
|
@ -124,6 +130,15 @@ func (h *Health) ServiceChecks(args *structs.ServiceSpecificRequest,
|
|||
return err
|
||||
}
|
||||
|
||||
_, err = h.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, nil)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if err := h.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return h.srv.blockingQuery(
|
||||
&args.QueryOptions,
|
||||
&reply.QueryMeta,
|
||||
|
@ -156,10 +171,6 @@ func (h *Health) ServiceChecks(args *structs.ServiceSpecificRequest,
|
|||
|
||||
// ServiceNodes returns all the nodes registered as part of a service including health info
|
||||
func (h *Health) ServiceNodes(args *structs.ServiceSpecificRequest, reply *structs.IndexedCheckServiceNodes) error {
|
||||
if err := h.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if done, err := h.srv.forward("Health.ServiceNodes", args, args, reply); done {
|
||||
return err
|
||||
}
|
||||
|
@ -180,16 +191,20 @@ func (h *Health) ServiceNodes(args *structs.ServiceSpecificRequest, reply *struc
|
|||
f = h.serviceNodesDefault
|
||||
}
|
||||
|
||||
var authzContext acl.AuthorizerContext
|
||||
authz, err := h.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if err := h.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// If we're doing a connect query, we need read access to the service
|
||||
// we're trying to find proxies for, so check that.
|
||||
if args.Connect {
|
||||
// Fetch the ACL token, if any.
|
||||
rule, err := h.srv.ResolveToken(args.Token)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if rule != nil && rule.ServiceRead(args.ServiceName, nil) != acl.Allow {
|
||||
if authz != nil && authz.ServiceRead(args.ServiceName, &authzContext) != acl.Allow {
|
||||
// Just return nil, which will return an empty response (tested)
|
||||
return nil
|
||||
}
|
||||
|
|
|
@ -21,20 +21,20 @@ type KVS struct {
|
|||
// preApply does all the verification of a KVS update that is performed BEFORE
|
||||
// we submit as a Raft log entry. This includes enforcing the lock delay which
|
||||
// must only be done on the leader.
|
||||
func kvsPreApply(srv *Server, rule acl.Authorizer, op api.KVOp, dirEnt *structs.DirEntry) (bool, error) {
|
||||
func kvsPreApply(srv *Server, authz acl.Authorizer, op api.KVOp, dirEnt *structs.DirEntry) (bool, error) {
|
||||
// Verify the entry.
|
||||
if dirEnt.Key == "" && op != api.KVDeleteTree {
|
||||
return false, fmt.Errorf("Must provide key")
|
||||
}
|
||||
|
||||
// Apply the ACL policy if any.
|
||||
if rule != nil {
|
||||
if authz != nil {
|
||||
switch op {
|
||||
case api.KVDeleteTree:
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
dirEnt.FillAuthzContext(&authzContext)
|
||||
|
||||
if rule.KeyWritePrefix(dirEnt.Key, &authzContext) != acl.Allow {
|
||||
if authz.KeyWritePrefix(dirEnt.Key, &authzContext) != acl.Allow {
|
||||
return false, acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
|
@ -45,18 +45,18 @@ func kvsPreApply(srv *Server, rule acl.Authorizer, op api.KVOp, dirEnt *structs.
|
|||
// These could reveal information based on the outcome
|
||||
// of the transaction, and they operate on individual
|
||||
// keys so we check them here.
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
dirEnt.FillAuthzContext(&authzContext)
|
||||
|
||||
if rule.KeyRead(dirEnt.Key, &authzContext) != acl.Allow {
|
||||
if authz.KeyRead(dirEnt.Key, &authzContext) != acl.Allow {
|
||||
return false, acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
default:
|
||||
var authzContext acl.EnterpriseAuthorizerContext
|
||||
var authzContext acl.AuthorizerContext
|
||||
dirEnt.FillAuthzContext(&authzContext)
|
||||
|
||||
if rule.KeyWrite(dirEnt.Key, &authzContext) != acl.Allow {
|
||||
if authz.KeyWrite(dirEnt.Key, &authzContext) != acl.Allow {
|
||||
return false, acl.ErrPermissionDenied
|
||||
}
|
||||
}
|
||||
|
@ -88,16 +88,17 @@ func (k *KVS) Apply(args *structs.KVSRequest, reply *bool) error {
|
|||
}
|
||||
defer metrics.MeasureSince([]string{"kvs", "apply"}, time.Now())
|
||||
|
||||
// Perform the pre-apply checks.
|
||||
authz, err := k.srv.ResolveTokenAndDefaultMeta(args.Token, &args.DirEnt.EnterpriseMeta, nil)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if err := k.srv.validateEnterpriseRequest(&args.DirEnt.EnterpriseMeta, true); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// Perform the pre-apply checks.
|
||||
rule, err := k.srv.ResolveToken(args.Token)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
ok, err := kvsPreApply(k.srv, rule, args.Op, &args.DirEnt)
|
||||
ok, err := kvsPreApply(k.srv, authz, args.Op, &args.DirEnt)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -128,15 +129,14 @@ func (k *KVS) Get(args *structs.KeyRequest, reply *structs.IndexedDirEntries) er
|
|||
if done, err := k.srv.forward("KVS.Get", args, args, reply); done {
|
||||
return err
|
||||
}
|
||||
if err := k.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
|
||||
|
||||
var authzContext acl.AuthorizerContext
|
||||
authz, err := k.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
|
||||
rule, err := k.srv.ResolveToken(args.Token)
|
||||
if err != nil {
|
||||
if err := k.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
|
@ -148,7 +148,7 @@ func (k *KVS) Get(args *structs.KeyRequest, reply *structs.IndexedDirEntries) er
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if rule != nil && rule.KeyRead(args.Key, &entCtx) != acl.Allow {
|
||||
if authz != nil && authz.KeyRead(args.Key, &authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
|
@ -174,18 +174,18 @@ func (k *KVS) List(args *structs.KeyRequest, reply *structs.IndexedDirEntries) e
|
|||
if done, err := k.srv.forward("KVS.List", args, args, reply); done {
|
||||
return err
|
||||
}
|
||||
|
||||
var authzContext acl.AuthorizerContext
|
||||
authz, err := k.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if err := k.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
|
||||
rule, err := k.srv.ResolveToken(args.Token)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if rule != nil && k.srv.config.ACLEnableKeyListPolicy && rule.KeyList(args.Key, &entCtx) != acl.Allow {
|
||||
if authz != nil && k.srv.config.ACLEnableKeyListPolicy && authz.KeyList(args.Key, &authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
|
@ -197,8 +197,8 @@ func (k *KVS) List(args *structs.KeyRequest, reply *structs.IndexedDirEntries) e
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if rule != nil {
|
||||
ent = FilterDirEnt(rule, ent)
|
||||
if authz != nil {
|
||||
ent = FilterDirEnt(authz, ent)
|
||||
}
|
||||
|
||||
if len(ent) == 0 {
|
||||
|
@ -226,18 +226,18 @@ func (k *KVS) ListKeys(args *structs.KeyListRequest, reply *structs.IndexedKeyLi
|
|||
if done, err := k.srv.forward("KVS.ListKeys", args, args, reply); done {
|
||||
return err
|
||||
}
|
||||
|
||||
var authzContext acl.AuthorizerContext
|
||||
authz, err := k.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if err := k.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
|
||||
rule, err := k.srv.ResolveToken(args.Token)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if rule != nil && k.srv.config.ACLEnableKeyListPolicy && rule.KeyList(args.Prefix, &entCtx) != acl.Allow {
|
||||
if authz != nil && k.srv.config.ACLEnableKeyListPolicy && authz.KeyList(args.Prefix, &authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
|
@ -258,8 +258,8 @@ func (k *KVS) ListKeys(args *structs.KeyListRequest, reply *structs.IndexedKeyLi
|
|||
reply.Index = index
|
||||
}
|
||||
|
||||
if rule != nil {
|
||||
entries = FilterDirEnt(rule, entries)
|
||||
if authz != nil {
|
||||
entries = FilterDirEnt(authz, entries)
|
||||
}
|
||||
|
||||
// Collect the keys from the filtered entries
|
||||
|
|
|
@ -110,7 +110,7 @@ var (
|
|||
type Server struct {
|
||||
// enterpriseACLConfig is the Consul Enterprise specific items
|
||||
// necessary for ACLs
|
||||
enterpriseACLConfig *acl.EnterpriseACLConfig
|
||||
enterpriseACLConfig *acl.Config
|
||||
|
||||
// acls is used to resolve tokens to effective policies
|
||||
acls *ACLResolver
|
||||
|
|
|
@ -41,6 +41,21 @@ func uniqueNodeName(name string) string {
|
|||
return fmt.Sprintf("%s-node-%d", name, atomic.AddInt64(&id, 1))
|
||||
}
|
||||
|
||||
// This will find the leader of a list of servers and verify that leader establishment has completed
|
||||
func waitForLeaderEstablishment(t *testing.T, servers ...*Server) {
|
||||
t.Helper()
|
||||
retry.Run(t, func(r *retry.R) {
|
||||
hasLeader := false
|
||||
for _, srv := range servers {
|
||||
if srv.IsLeader() {
|
||||
hasLeader = true
|
||||
require.True(r, srv.isReadyForConsistentReads(), "Leader %s hasn't finished establishing leadership yet", srv.config.NodeName)
|
||||
}
|
||||
}
|
||||
require.True(r, hasLeader, "Cluster has not elected a leader yet")
|
||||
})
|
||||
}
|
||||
|
||||
func testServerConfig(t *testing.T) (string, *Config) {
|
||||
dir := testutil.TempDir(t, "consul")
|
||||
config := DefaultConfig()
|
||||
|
|
|
@ -25,10 +25,6 @@ func (s *Session) Apply(args *structs.SessionRequest, reply *string) error {
|
|||
}
|
||||
defer metrics.MeasureSince([]string{"session", "apply"}, time.Now())
|
||||
|
||||
if err := s.srv.validateEnterpriseRequest(&args.Session.EnterpriseMeta, true); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// Verify the args
|
||||
if args.Session.ID == "" && args.Op == structs.SessionDestroy {
|
||||
return fmt.Errorf("Must provide ID")
|
||||
|
@ -37,20 +33,21 @@ func (s *Session) Apply(args *structs.SessionRequest, reply *string) error {
|
|||
return fmt.Errorf("Must provide Node")
|
||||
}
|
||||
|
||||
// TODO (namespaces) (acls) infer entmeta if not provided.
|
||||
|
||||
// The entMeta to populate is the one in the Session struct, not SessionRequest
|
||||
// This is because the Session is what is passed to downstream functions like raftApply
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
args.Session.FillAuthzContext(&entCtx)
|
||||
var authzContext acl.AuthorizerContext
|
||||
|
||||
// Fetch the ACL token, if any, and apply the policy.
|
||||
rule, err := s.srv.ResolveToken(args.Token)
|
||||
authz, err := s.srv.ResolveTokenAndDefaultMeta(args.Token, &args.Session.EnterpriseMeta, &authzContext)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if rule != nil && s.srv.config.ACLEnforceVersion8 {
|
||||
if err := s.srv.validateEnterpriseRequest(&args.Session.EnterpriseMeta, true); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if authz != nil && s.srv.config.ACLEnforceVersion8 {
|
||||
switch args.Op {
|
||||
case structs.SessionDestroy:
|
||||
state := s.srv.fsm.State()
|
||||
|
@ -61,12 +58,12 @@ func (s *Session) Apply(args *structs.SessionRequest, reply *string) error {
|
|||
if existing == nil {
|
||||
return fmt.Errorf("Unknown session %q", args.Session.ID)
|
||||
}
|
||||
if rule.SessionWrite(existing.Node, &entCtx) != acl.Allow {
|
||||
if authz.SessionWrite(existing.Node, &authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
case structs.SessionCreate:
|
||||
if rule.SessionWrite(args.Session.Node, &entCtx) != acl.Allow {
|
||||
if authz.SessionWrite(args.Session.Node, &authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
|
@ -157,16 +154,13 @@ func (s *Session) Get(args *structs.SessionSpecificRequest,
|
|||
return err
|
||||
}
|
||||
|
||||
if err := s.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
|
||||
var authzContext acl.AuthorizerContext
|
||||
authz, err := s.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// TODO (namespaces) TODO (acls) infer args.entmeta if not provided
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
|
||||
rule, err := s.srv.ResolveToken(args.Token)
|
||||
if err != nil {
|
||||
if err := s.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
|
@ -185,7 +179,7 @@ func (s *Session) Get(args *structs.SessionSpecificRequest,
|
|||
} else {
|
||||
reply.Sessions = nil
|
||||
}
|
||||
if err := s.srv.filterACLWithAuthorizer(rule, reply); err != nil {
|
||||
if err := s.srv.filterACLWithAuthorizer(authz, reply); err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
|
@ -199,16 +193,13 @@ func (s *Session) List(args *structs.SessionSpecificRequest,
|
|||
return err
|
||||
}
|
||||
|
||||
if err := s.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
|
||||
var authzContext acl.AuthorizerContext
|
||||
authz, err := s.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// TODO (namespaces) TODO (acls) infer args.entmeta if not provided
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
|
||||
rule, err := s.srv.ResolveToken(args.Token)
|
||||
if err != nil {
|
||||
if err := s.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
|
@ -222,7 +213,7 @@ func (s *Session) List(args *structs.SessionSpecificRequest,
|
|||
}
|
||||
|
||||
reply.Index, reply.Sessions = index, sessions
|
||||
if err := s.srv.filterACLWithAuthorizer(rule, reply); err != nil {
|
||||
if err := s.srv.filterACLWithAuthorizer(authz, reply); err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
|
@ -236,16 +227,13 @@ func (s *Session) NodeSessions(args *structs.NodeSpecificRequest,
|
|||
return err
|
||||
}
|
||||
|
||||
if err := s.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
|
||||
var authzContext acl.AuthorizerContext
|
||||
authz, err := s.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// TODO (namespaces) TODO (acls) infer args.entmeta if not provided
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
|
||||
rule, err := s.srv.ResolveToken(args.Token)
|
||||
if err != nil {
|
||||
if err := s.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
|
@ -259,7 +247,7 @@ func (s *Session) NodeSessions(args *structs.NodeSpecificRequest,
|
|||
}
|
||||
|
||||
reply.Index, reply.Sessions = index, sessions
|
||||
if err := s.srv.filterACLWithAuthorizer(rule, reply); err != nil {
|
||||
if err := s.srv.filterACLWithAuthorizer(authz, reply); err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
|
@ -274,6 +262,13 @@ func (s *Session) Renew(args *structs.SessionSpecificRequest,
|
|||
}
|
||||
defer metrics.MeasureSince([]string{"session", "renew"}, time.Now())
|
||||
|
||||
// Fetch the ACL token, if any, and apply the policy.
|
||||
var authzContext acl.AuthorizerContext
|
||||
authz, err := s.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if err := s.srv.validateEnterpriseRequest(&args.EnterpriseMeta, true); err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -290,19 +285,8 @@ func (s *Session) Renew(args *structs.SessionSpecificRequest,
|
|||
return nil
|
||||
}
|
||||
|
||||
// TODO (namespaces) (freddy):infer args.entmeta if not provided
|
||||
// Fetch the ACL token, if any, and apply the policy.
|
||||
var entCtx acl.EnterpriseAuthorizerContext
|
||||
args.FillAuthzContext(&entCtx)
|
||||
|
||||
rule, err := s.srv.ResolveToken(args.Token)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if rule != nil && s.srv.config.ACLEnforceVersion8 {
|
||||
if rule.SessionWrite(session.Node, &entCtx) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
if authz != nil && s.srv.config.ACLEnforceVersion8 && authz.SessionWrite(session.Node, &authzContext) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
// Reset the session TTL timer.
|
||||
|
|
|
@ -696,7 +696,7 @@ func (policies ACLPolicyListStubs) Sort() {
|
|||
})
|
||||
}
|
||||
|
||||
func (policies ACLPolicies) resolveWithCache(cache *ACLCaches, entConf *acl.EnterpriseACLConfig) ([]*acl.Policy, error) {
|
||||
func (policies ACLPolicies) resolveWithCache(cache *ACLCaches, entConf *acl.Config) ([]*acl.Policy, error) {
|
||||
// Parse the policies
|
||||
parsed := make([]*acl.Policy, 0, len(policies))
|
||||
for _, policy := range policies {
|
||||
|
@ -721,7 +721,7 @@ func (policies ACLPolicies) resolveWithCache(cache *ACLCaches, entConf *acl.Ente
|
|||
return parsed, nil
|
||||
}
|
||||
|
||||
func (policies ACLPolicies) Compile(cache *ACLCaches, entConf *acl.EnterpriseACLConfig) (acl.Authorizer, error) {
|
||||
func (policies ACLPolicies) Compile(cache *ACLCaches, entConf *acl.Config) (acl.Authorizer, error) {
|
||||
// Determine the cache key
|
||||
cacheKey := policies.HashKey()
|
||||
entry := cache.GetAuthorizer(cacheKey)
|
||||
|
@ -746,7 +746,7 @@ func (policies ACLPolicies) Compile(cache *ACLCaches, entConf *acl.EnterpriseACL
|
|||
return authorizer, nil
|
||||
}
|
||||
|
||||
func (policies ACLPolicies) Merge(cache *ACLCaches, entConf *acl.EnterpriseACLConfig) (*acl.Policy, error) {
|
||||
func (policies ACLPolicies) Merge(cache *ACLCaches, entConf *acl.Config) (*acl.Policy, error) {
|
||||
parsed, err := policies.resolveWithCache(cache, entConf)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
@ -1590,7 +1590,7 @@ func (r *RemoteACLAuthorizationRequest) RequestDatacenter() string {
|
|||
|
||||
func CreateACLAuthorizationResponses(authz acl.Authorizer, requests []ACLAuthorizationRequest) ([]ACLAuthorizationResponse, error) {
|
||||
responses := make([]ACLAuthorizationResponse, len(requests))
|
||||
var ctx acl.EnterpriseAuthorizerContext
|
||||
var ctx acl.AuthorizerContext
|
||||
|
||||
for idx, req := range requests {
|
||||
req.FillAuthzContext(&ctx)
|
||||
|
|
|
@ -21,6 +21,10 @@ func (m *EnterpriseMeta) addToHash(_ hash.Hash, _ bool) {
|
|||
// do nothing
|
||||
}
|
||||
|
||||
func (m *EnterpriseMeta) Merge(_ *EnterpriseMeta) {
|
||||
// do nothing
|
||||
}
|
||||
|
||||
func (m *EnterpriseMeta) Matches(_ *EnterpriseMeta) bool {
|
||||
return true
|
||||
}
|
||||
|
@ -49,28 +53,28 @@ func WildcardEnterpriseMeta() *EnterpriseMeta {
|
|||
}
|
||||
|
||||
// FillAuthzContext stub
|
||||
func (_ *EnterpriseMeta) FillAuthzContext(_ *acl.EnterpriseAuthorizerContext) {}
|
||||
func (_ *EnterpriseMeta) FillAuthzContext(_ *acl.AuthorizerContext) {}
|
||||
|
||||
func (_ *EnterpriseMeta) Normalize() {}
|
||||
|
||||
// FillAuthzContext stub
|
||||
func (_ *DirEntry) FillAuthzContext(_ *acl.EnterpriseAuthorizerContext) {}
|
||||
func (_ *DirEntry) FillAuthzContext(_ *acl.AuthorizerContext) {}
|
||||
|
||||
// FillAuthzContext stub
|
||||
func (_ *RegisterRequest) FillAuthzContext(_ *acl.EnterpriseAuthorizerContext) {}
|
||||
func (_ *RegisterRequest) FillAuthzContext(_ *acl.AuthorizerContext) {}
|
||||
|
||||
func (_ *RegisterRequest) GetEnterpriseMeta() *EnterpriseMeta {
|
||||
return nil
|
||||
}
|
||||
|
||||
// OSS Stub
|
||||
func (op *TxnNodeOp) FillAuthzContext(ctx *acl.EnterpriseAuthorizerContext) {}
|
||||
func (op *TxnNodeOp) FillAuthzContext(ctx *acl.AuthorizerContext) {}
|
||||
|
||||
// OSS Stub
|
||||
func (_ *TxnServiceOp) FillAuthzContext(_ *acl.EnterpriseAuthorizerContext) {}
|
||||
func (_ *TxnServiceOp) FillAuthzContext(_ *acl.AuthorizerContext) {}
|
||||
|
||||
// OSS Stub
|
||||
func (_ *TxnCheckOp) FillAuthzContext(_ *acl.EnterpriseAuthorizerContext) {}
|
||||
func (_ *TxnCheckOp) FillAuthzContext(_ *acl.AuthorizerContext) {}
|
||||
|
||||
func ServiceIDString(id string, _ *EnterpriseMeta) string {
|
||||
return id
|
||||
|
|
Loading…
Reference in New Issue