luxolus
/
open-consul
2
0
Fork 0
Code Issues 1 Pull Requests Packages Releases Wiki Activity

Enterprise Sync - 2019.12.18 (#6968) 

Enterprise Sync - 2019.12.18
This commit is contained in:
Matt Keeler 2019-12-18 15:05:36 -05:00 committed by GitHub
parent f0befc3b7a 6de4eb8569
commit 1e59560e0e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
35 changed files with 982 additions and 748 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
acl/acl_oss.go
View File

@ -2,7 +2,7 @@
package acl
// EnterpriseACLConfig stub
type EnterpriseACLConfig struct{}
// Config stub
type Config struct{}
func (_ *EnterpriseACLConfig) Close() {}
func (_ *Config) Close() {}

158
acl/acl_test.go
View File

@ -36,315 +36,315 @@ func legacyPolicy(policy *Policy) *Policy {
// nicer in the embedded struct within TestACL
//
func checkAllowACLRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkAllowACLRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Allow, authz.ACLRead(entCtx))
}
func checkAllowACLWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkAllowACLWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Allow, authz.ACLWrite(entCtx))
}
func checkAllowAgentRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkAllowAgentRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Allow, authz.AgentRead(prefix, entCtx))
}
func checkAllowAgentWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkAllowAgentWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Allow, authz.AgentWrite(prefix, entCtx))
}
func checkAllowEventRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkAllowEventRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Allow, authz.EventRead(prefix, entCtx))
}
func checkAllowEventWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkAllowEventWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Allow, authz.EventWrite(prefix, entCtx))
}
func checkAllowIntentionDefaultAllow(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkAllowIntentionDefaultAllow(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Allow, authz.IntentionDefaultAllow(entCtx))
}
func checkAllowIntentionRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkAllowIntentionRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Allow, authz.IntentionRead(prefix, entCtx))
}
func checkAllowIntentionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkAllowIntentionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Allow, authz.IntentionWrite(prefix, entCtx))
}
func checkAllowKeyRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkAllowKeyRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Allow, authz.KeyRead(prefix, entCtx))
}
func checkAllowKeyList(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkAllowKeyList(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Allow, authz.KeyList(prefix, entCtx))
}
func checkAllowKeyringRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkAllowKeyringRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Allow, authz.KeyringRead(entCtx))
}
func checkAllowKeyringWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkAllowKeyringWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Allow, authz.KeyringWrite(entCtx))
}
func checkAllowKeyWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkAllowKeyWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Allow, authz.KeyWrite(prefix, entCtx))
}
func checkAllowKeyWritePrefix(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkAllowKeyWritePrefix(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Allow, authz.KeyWritePrefix(prefix, entCtx))
}
func checkAllowNodeRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkAllowNodeRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Allow, authz.NodeRead(prefix, entCtx))
}
func checkAllowNodeWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkAllowNodeWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Allow, authz.NodeWrite(prefix, entCtx))
}
func checkAllowOperatorRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkAllowOperatorRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Allow, authz.OperatorRead(entCtx))
}
func checkAllowOperatorWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkAllowOperatorWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Allow, authz.OperatorWrite(entCtx))
}
func checkAllowPreparedQueryRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkAllowPreparedQueryRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Allow, authz.PreparedQueryRead(prefix, entCtx))
}
func checkAllowPreparedQueryWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkAllowPreparedQueryWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Allow, authz.PreparedQueryWrite(prefix, entCtx))
}
func checkAllowServiceRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkAllowServiceRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Allow, authz.ServiceRead(prefix, entCtx))
}
func checkAllowServiceWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkAllowServiceWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Allow, authz.ServiceWrite(prefix, entCtx))
}
func checkAllowSessionRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkAllowSessionRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Allow, authz.SessionRead(prefix, entCtx))
}
func checkAllowSessionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkAllowSessionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Allow, authz.SessionWrite(prefix, entCtx))
}
func checkAllowSnapshot(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkAllowSnapshot(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Allow, authz.Snapshot(entCtx))
}
func checkDenyACLRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDenyACLRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Deny, authz.ACLRead(entCtx))
}
func checkDenyACLWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDenyACLWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Deny, authz.ACLWrite(entCtx))
}
func checkDenyAgentRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDenyAgentRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Deny, authz.AgentRead(prefix, entCtx))
}
func checkDenyAgentWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDenyAgentWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Deny, authz.AgentWrite(prefix, entCtx))
}
func checkDenyEventRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDenyEventRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Deny, authz.EventRead(prefix, entCtx))
}
func checkDenyEventWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDenyEventWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Deny, authz.EventWrite(prefix, entCtx))
}
func checkDenyIntentionDefaultAllow(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDenyIntentionDefaultAllow(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Deny, authz.IntentionDefaultAllow(entCtx))
}
func checkDenyIntentionRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDenyIntentionRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Deny, authz.IntentionRead(prefix, entCtx))
}
func checkDenyIntentionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDenyIntentionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Deny, authz.IntentionWrite(prefix, entCtx))
}
func checkDenyKeyRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDenyKeyRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Deny, authz.KeyRead(prefix, entCtx))
}
func checkDenyKeyList(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDenyKeyList(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Deny, authz.KeyList(prefix, entCtx))
}
func checkDenyKeyringRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDenyKeyringRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Deny, authz.KeyringRead(entCtx))
}
func checkDenyKeyringWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDenyKeyringWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Deny, authz.KeyringWrite(entCtx))
}
func checkDenyKeyWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDenyKeyWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Deny, authz.KeyWrite(prefix, entCtx))
}
func checkDenyKeyWritePrefix(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDenyKeyWritePrefix(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Deny, authz.KeyWritePrefix(prefix, entCtx))
}
func checkDenyNodeRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDenyNodeRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Deny, authz.NodeRead(prefix, entCtx))
}
func checkDenyNodeWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDenyNodeWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Deny, authz.NodeWrite(prefix, entCtx))
}
func checkDenyOperatorRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDenyOperatorRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Deny, authz.OperatorRead(entCtx))
}
func checkDenyOperatorWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDenyOperatorWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Deny, authz.OperatorWrite(entCtx))
}
func checkDenyPreparedQueryRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDenyPreparedQueryRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Deny, authz.PreparedQueryRead(prefix, entCtx))
}
func checkDenyPreparedQueryWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDenyPreparedQueryWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Deny, authz.PreparedQueryWrite(prefix, entCtx))
}
func checkDenyServiceRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDenyServiceRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Deny, authz.ServiceRead(prefix, entCtx))
}
func checkDenyServiceWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDenyServiceWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Deny, authz.ServiceWrite(prefix, entCtx))
}
func checkDenySessionRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDenySessionRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Deny, authz.SessionRead(prefix, entCtx))
}
func checkDenySessionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDenySessionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Deny, authz.SessionWrite(prefix, entCtx))
}
func checkDenySnapshot(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDenySnapshot(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Deny, authz.Snapshot(entCtx))
}
func checkDefaultACLRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDefaultACLRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Default, authz.ACLRead(entCtx))
}
func checkDefaultACLWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDefaultACLWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Default, authz.ACLWrite(entCtx))
}
func checkDefaultAgentRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDefaultAgentRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Default, authz.AgentRead(prefix, entCtx))
}
func checkDefaultAgentWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDefaultAgentWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Default, authz.AgentWrite(prefix, entCtx))
}
func checkDefaultEventRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDefaultEventRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Default, authz.EventRead(prefix, entCtx))
}
func checkDefaultEventWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDefaultEventWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Default, authz.EventWrite(prefix, entCtx))
}
func checkDefaultIntentionDefaultAllow(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDefaultIntentionDefaultAllow(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Default, authz.IntentionDefaultAllow(entCtx))
}
func checkDefaultIntentionRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDefaultIntentionRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Default, authz.IntentionRead(prefix, entCtx))
}
func checkDefaultIntentionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDefaultIntentionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Default, authz.IntentionWrite(prefix, entCtx))
}
func checkDefaultKeyRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDefaultKeyRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Default, authz.KeyRead(prefix, entCtx))
}
func checkDefaultKeyList(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDefaultKeyList(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Default, authz.KeyList(prefix, entCtx))
}
func checkDefaultKeyringRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDefaultKeyringRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Default, authz.KeyringRead(entCtx))
}
func checkDefaultKeyringWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDefaultKeyringWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Default, authz.KeyringWrite(entCtx))
}
func checkDefaultKeyWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDefaultKeyWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Default, authz.KeyWrite(prefix, entCtx))
}
func checkDefaultKeyWritePrefix(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDefaultKeyWritePrefix(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Default, authz.KeyWritePrefix(prefix, entCtx))
}
func checkDefaultNodeRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDefaultNodeRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Default, authz.NodeRead(prefix, entCtx))
}
func checkDefaultNodeWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDefaultNodeWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Default, authz.NodeWrite(prefix, entCtx))
}
func checkDefaultOperatorRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDefaultOperatorRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Default, authz.OperatorRead(entCtx))
}
func checkDefaultOperatorWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDefaultOperatorWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Default, authz.OperatorWrite(entCtx))
}
func checkDefaultPreparedQueryRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDefaultPreparedQueryRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Default, authz.PreparedQueryRead(prefix, entCtx))
}
func checkDefaultPreparedQueryWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDefaultPreparedQueryWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Default, authz.PreparedQueryWrite(prefix, entCtx))
}
func checkDefaultServiceRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDefaultServiceRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Default, authz.ServiceRead(prefix, entCtx))
}
func checkDefaultServiceWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDefaultServiceWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Default, authz.ServiceWrite(prefix, entCtx))
}
func checkDefaultSessionRead(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDefaultSessionRead(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Default, authz.SessionRead(prefix, entCtx))
}
func checkDefaultSessionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDefaultSessionWrite(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Default, authz.SessionWrite(prefix, entCtx))
}
func checkDefaultSnapshot(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext) {
func checkDefaultSnapshot(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext) {
require.Equal(t, Default, authz.Snapshot(entCtx))
}
@ -352,7 +352,7 @@ func TestACL(t *testing.T) {
type aclCheck struct {
name string
prefix string
check func(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext)
check func(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext)
}
type aclTest struct {

58
acl/authorizer.go
View File

@ -53,102 +53,102 @@ const (
// Authorizer is the interface for policy enforcement.
type Authorizer interface {
// ACLRead checks for permission to list all the ACLs
ACLRead(*EnterpriseAuthorizerContext) EnforcementDecision
ACLRead(*AuthorizerContext) EnforcementDecision
// ACLWrite checks for permission to manipulate ACLs
ACLWrite(*EnterpriseAuthorizerContext) EnforcementDecision
ACLWrite(*AuthorizerContext) EnforcementDecision
// AgentRead checks for permission to read from agent endpoints for a
// given node.
AgentRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
AgentRead(string, *AuthorizerContext) EnforcementDecision
// AgentWrite checks for permission to make changes via agent endpoints
// for a given node.
AgentWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
AgentWrite(string, *AuthorizerContext) EnforcementDecision
// EventRead determines if a specific event can be queried.
EventRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
EventRead(string, *AuthorizerContext) EnforcementDecision
// EventWrite determines if a specific event may be fired.
EventWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
EventWrite(string, *AuthorizerContext) EnforcementDecision
// IntentionDefaultAllow determines the default authorized behavior
// when no intentions match a Connect request.
IntentionDefaultAllow(*EnterpriseAuthorizerContext) EnforcementDecision
IntentionDefaultAllow(*AuthorizerContext) EnforcementDecision
// IntentionRead determines if a specific intention can be read.
IntentionRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
IntentionRead(string, *AuthorizerContext) EnforcementDecision
// IntentionWrite determines if a specific intention can be
// created, modified, or deleted.
IntentionWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
IntentionWrite(string, *AuthorizerContext) EnforcementDecision
// KeyList checks for permission to list keys under a prefix
KeyList(string, *EnterpriseAuthorizerContext) EnforcementDecision
KeyList(string, *AuthorizerContext) EnforcementDecision
// KeyRead checks for permission to read a given key
KeyRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
KeyRead(string, *AuthorizerContext) EnforcementDecision
// KeyWrite checks for permission to write a given key
KeyWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
KeyWrite(string, *AuthorizerContext) EnforcementDecision
// KeyWritePrefix checks for permission to write to an
// entire key prefix. This means there must be no sub-policies
// that deny a write.
KeyWritePrefix(string, *EnterpriseAuthorizerContext) EnforcementDecision
KeyWritePrefix(string, *AuthorizerContext) EnforcementDecision
// KeyringRead determines if the encryption keyring used in
// the gossip layer can be read.
KeyringRead(*EnterpriseAuthorizerContext) EnforcementDecision
KeyringRead(*AuthorizerContext) EnforcementDecision
// KeyringWrite determines if the keyring can be manipulated
KeyringWrite(*EnterpriseAuthorizerContext) EnforcementDecision
KeyringWrite(*AuthorizerContext) EnforcementDecision
// NodeRead checks for permission to read (discover) a given node.
NodeRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
NodeRead(string, *AuthorizerContext) EnforcementDecision
// NodeWrite checks for permission to create or update (register) a
// given node.
NodeWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
NodeWrite(string, *AuthorizerContext) EnforcementDecision
// OperatorRead determines if the read-only Consul operator functions
// can be used.
OperatorRead(*EnterpriseAuthorizerContext) EnforcementDecision
OperatorRead(*AuthorizerContext) EnforcementDecision
// OperatorWrite determines if the state-changing Consul operator
// functions can be used.
OperatorWrite(*EnterpriseAuthorizerContext) EnforcementDecision
OperatorWrite(*AuthorizerContext) EnforcementDecision
// PreparedQueryRead determines if a specific prepared query can be read
// to show its contents (this is not used for execution).
PreparedQueryRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
PreparedQueryRead(string, *AuthorizerContext) EnforcementDecision
// PreparedQueryWrite determines if a specific prepared query can be
// created, modified, or deleted.
PreparedQueryWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
PreparedQueryWrite(string, *AuthorizerContext) EnforcementDecision
// ServiceRead checks for permission to read a given service
ServiceRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
ServiceRead(string, *AuthorizerContext) EnforcementDecision
// ServiceWrite checks for permission to create or update a given
// service
ServiceWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
ServiceWrite(string, *AuthorizerContext) EnforcementDecision
// SessionRead checks for permission to read sessions for a given node.
SessionRead(string, *EnterpriseAuthorizerContext) EnforcementDecision
SessionRead(string, *AuthorizerContext) EnforcementDecision
// SessionWrite checks for permission to create sessions for a given
// node.
SessionWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision
SessionWrite(string, *AuthorizerContext) EnforcementDecision
// Snapshot checks for permission to take and restore snapshots.
Snapshot(*EnterpriseAuthorizerContext) EnforcementDecision
Snapshot(*AuthorizerContext) EnforcementDecision
// Embedded Interface for Consul Enterprise specific ACL enforcement
EnterpriseAuthorizer
enterpriseAuthorizer
}
func Enforce(authz Authorizer, rsc Resource, segment string, access string, ctx *EnterpriseAuthorizerContext) (EnforcementDecision, error) {
func Enforce(authz Authorizer, rsc Resource, segment string, access string, ctx *AuthorizerContext) (EnforcementDecision, error) {
lowerAccess := strings.ToLower(access)
switch rsc {
@ -234,7 +234,7 @@ func Enforce(authz Authorizer, rsc Resource, segment string, access string, ctx
return authz.SessionWrite(segment, ctx), nil
}
default:
if processed, decision, err := EnforceEnterprise(authz, rsc, segment, lowerAccess, ctx); processed {
if processed, decision, err := enforceEnterprise(authz, rsc, segment, lowerAccess, ctx); processed {
return decision, err
}
return Deny, fmt.Errorf("Invalid ACL resource requested: %q", rsc)

10
acl/authorizer_oss.go
View File

@ -2,12 +2,12 @@
package acl
// EnterpriseAuthorizerContext stub
type EnterpriseAuthorizerContext struct{}
// AuthorizerContext stub
type AuthorizerContext struct{}
// EnterpriseAuthorizer stub interface
type EnterpriseAuthorizer interface{}
// enterpriseAuthorizer stub interface
type enterpriseAuthorizer interface{}
func EnforceEnterprise(_ Authorizer, _ Resource, _ string, _ string, _ *EnterpriseAuthorizerContext) (bool, EnforcementDecision, error) {
func enforceEnterprise(_ Authorizer, _ Resource, _ string, _ string, _ *AuthorizerContext) (bool, EnforcementDecision, error) {
return false, Deny, nil
}

54
acl/authorizer_test.go
View File

@ -13,77 +13,77 @@ type mockAuthorizer struct {
}
// ACLRead checks for permission to list all the ACLs
func (m *mockAuthorizer) ACLRead(ctx *EnterpriseAuthorizerContext) EnforcementDecision {
func (m *mockAuthorizer) ACLRead(ctx *AuthorizerContext) EnforcementDecision {
ret := m.Called(ctx)
return ret.Get(0).(EnforcementDecision)
}
// ACLWrite checks for permission to manipulate ACLs
func (m *mockAuthorizer) ACLWrite(ctx *EnterpriseAuthorizerContext) EnforcementDecision {
func (m *mockAuthorizer) ACLWrite(ctx *AuthorizerContext) EnforcementDecision {
ret := m.Called(ctx)
return ret.Get(0).(EnforcementDecision)
}
// AgentRead checks for permission to read from agent endpoints for a
// given node.
func (m *mockAuthorizer) AgentRead(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
func (m *mockAuthorizer) AgentRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
ret := m.Called(segment, ctx)
return ret.Get(0).(EnforcementDecision)
}
// AgentWrite checks for permission to make changes via agent endpoints
// for a given node.
func (m *mockAuthorizer) AgentWrite(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
func (m *mockAuthorizer) AgentWrite(segment string, ctx *AuthorizerContext) EnforcementDecision {
ret := m.Called(segment, ctx)
return ret.Get(0).(EnforcementDecision)
}
// EventRead determines if a specific event can be queried.
func (m *mockAuthorizer) EventRead(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
func (m *mockAuthorizer) EventRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
ret := m.Called(segment, ctx)
return ret.Get(0).(EnforcementDecision)
}
// EventWrite determines if a specific event may be fired.
func (m *mockAuthorizer) EventWrite(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
func (m *mockAuthorizer) EventWrite(segment string, ctx *AuthorizerContext) EnforcementDecision {
ret := m.Called(segment, ctx)
return ret.Get(0).(EnforcementDecision)
}
// IntentionDefaultAllow determines the default authorized behavior
// when no intentions match a Connect request.
func (m *mockAuthorizer) IntentionDefaultAllow(ctx *EnterpriseAuthorizerContext) EnforcementDecision {
func (m *mockAuthorizer) IntentionDefaultAllow(ctx *AuthorizerContext) EnforcementDecision {
ret := m.Called(ctx)
return ret.Get(0).(EnforcementDecision)
}
// IntentionRead determines if a specific intention can be read.
func (m *mockAuthorizer) IntentionRead(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
func (m *mockAuthorizer) IntentionRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
ret := m.Called(segment, ctx)
return ret.Get(0).(EnforcementDecision)
}
// IntentionWrite determines if a specific intention can be
// created, modified, or deleted.
func (m *mockAuthorizer) IntentionWrite(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
func (m *mockAuthorizer) IntentionWrite(segment string, ctx *AuthorizerContext) EnforcementDecision {
ret := m.Called(segment, ctx)
return ret.Get(0).(EnforcementDecision)
}
// KeyList checks for permission to list keys under a prefix
func (m *mockAuthorizer) KeyList(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
func (m *mockAuthorizer) KeyList(segment string, ctx *AuthorizerContext) EnforcementDecision {
ret := m.Called(segment, ctx)
return ret.Get(0).(EnforcementDecision)
}
// KeyRead checks for permission to read a given key
func (m *mockAuthorizer) KeyRead(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
func (m *mockAuthorizer) KeyRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
ret := m.Called(segment, ctx)
return ret.Get(0).(EnforcementDecision)
}
// KeyWrite checks for permission to write a given key
func (m *mockAuthorizer) KeyWrite(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
func (m *mockAuthorizer) KeyWrite(segment string, ctx *AuthorizerContext) EnforcementDecision {
ret := m.Called(segment, ctx)
return ret.Get(0).(EnforcementDecision)
}
@ -91,93 +91,93 @@ func (m *mockAuthorizer) KeyWrite(segment string, ctx *EnterpriseAuthorizerConte
// KeyWritePrefix checks for permission to write to an
// entire key prefix. This means there must be no sub-policies
// that deny a write.
func (m *mockAuthorizer) KeyWritePrefix(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
func (m *mockAuthorizer) KeyWritePrefix(segment string, ctx *AuthorizerContext) EnforcementDecision {
ret := m.Called(segment, ctx)
return ret.Get(0).(EnforcementDecision)
}
// KeyringRead determines if the encryption keyring used in
// the gossip layer can be read.
func (m *mockAuthorizer) KeyringRead(ctx *EnterpriseAuthorizerContext) EnforcementDecision {
func (m *mockAuthorizer) KeyringRead(ctx *AuthorizerContext) EnforcementDecision {
ret := m.Called(ctx)
return ret.Get(0).(EnforcementDecision)
}
// KeyringWrite determines if the keyring can be manipulated
func (m *mockAuthorizer) KeyringWrite(ctx *EnterpriseAuthorizerContext) EnforcementDecision {
func (m *mockAuthorizer) KeyringWrite(ctx *AuthorizerContext) EnforcementDecision {
ret := m.Called(ctx)
return ret.Get(0).(EnforcementDecision)
}
// NodeRead checks for permission to read (discover) a given node.
func (m *mockAuthorizer) NodeRead(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
func (m *mockAuthorizer) NodeRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
ret := m.Called(segment, ctx)
return ret.Get(0).(EnforcementDecision)
}
// NodeWrite checks for permission to create or update (register) a
// given node.
func (m *mockAuthorizer) NodeWrite(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
func (m *mockAuthorizer) NodeWrite(segment string, ctx *AuthorizerContext) EnforcementDecision {
ret := m.Called(segment, ctx)
return ret.Get(0).(EnforcementDecision)
}
// OperatorRead determines if the read-only Consul operator functions
// can be used. ret := m.Called(segment, ctx)
func (m *mockAuthorizer) OperatorRead(ctx *EnterpriseAuthorizerContext) EnforcementDecision {
func (m *mockAuthorizer) OperatorRead(ctx *AuthorizerContext) EnforcementDecision {
ret := m.Called(ctx)
return ret.Get(0).(EnforcementDecision)
}
// OperatorWrite determines if the state-changing Consul operator
// functions can be used.
func (m *mockAuthorizer) OperatorWrite(ctx *EnterpriseAuthorizerContext) EnforcementDecision {
func (m *mockAuthorizer) OperatorWrite(ctx *AuthorizerContext) EnforcementDecision {
ret := m.Called(ctx)
return ret.Get(0).(EnforcementDecision)
}
// PreparedQueryRead determines if a specific prepared query can be read
// to show its contents (this is not used for execution).
func (m *mockAuthorizer) PreparedQueryRead(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
func (m *mockAuthorizer) PreparedQueryRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
ret := m.Called(segment, ctx)
return ret.Get(0).(EnforcementDecision)
}
// PreparedQueryWrite determines if a specific prepared query can be
// created, modified, or deleted.
func (m *mockAuthorizer) PreparedQueryWrite(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
func (m *mockAuthorizer) PreparedQueryWrite(segment string, ctx *AuthorizerContext) EnforcementDecision {
ret := m.Called(segment, ctx)
return ret.Get(0).(EnforcementDecision)
}
// ServiceRead checks for permission to read a given service
func (m *mockAuthorizer) ServiceRead(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
func (m *mockAuthorizer) ServiceRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
ret := m.Called(segment, ctx)
return ret.Get(0).(EnforcementDecision)
}
// ServiceWrite checks for permission to create or update a given
// service
func (m *mockAuthorizer) ServiceWrite(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
func (m *mockAuthorizer) ServiceWrite(segment string, ctx *AuthorizerContext) EnforcementDecision {
ret := m.Called(segment, ctx)
return ret.Get(0).(EnforcementDecision)
}
// SessionRead checks for permission to read sessions for a given node.
func (m *mockAuthorizer) SessionRead(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
func (m *mockAuthorizer) SessionRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
ret := m.Called(segment, ctx)
return ret.Get(0).(EnforcementDecision)
}
// SessionWrite checks for permission to create sessions for a given
// node.
func (m *mockAuthorizer) SessionWrite(segment string, ctx *EnterpriseAuthorizerContext) EnforcementDecision {
func (m *mockAuthorizer) SessionWrite(segment string, ctx *AuthorizerContext) EnforcementDecision {
ret := m.Called(segment, ctx)
return ret.Get(0).(EnforcementDecision)
}
// Snapshot checks for permission to take and restore snapshots.
func (m *mockAuthorizer) Snapshot(ctx *EnterpriseAuthorizerContext) EnforcementDecision {
func (m *mockAuthorizer) Snapshot(ctx *AuthorizerContext) EnforcementDecision {
ret := m.Called(ctx)
return ret.Get(0).(EnforcementDecision)
}
@ -599,7 +599,7 @@ func TestACL_Enforce(t *testing.T) {
m := &mockAuthorizer{}
if tcase.err == "" {
var nilCtx *EnterpriseAuthorizerContext
var nilCtx *AuthorizerContext
if tcase.segment != "" {
m.On(tcase.method, tcase.segment, nilCtx).Return(tcase.ret)
} else {

52
acl/chained_authorizer.go
View File

@ -34,14 +34,14 @@ func (c *ChainedAuthorizer) executeChain(enforce func(authz Authorizer) Enforcem
}
// ACLRead checks for permission to list all the ACLs
func (c *ChainedAuthorizer) ACLRead(entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
func (c *ChainedAuthorizer) ACLRead(entCtx *AuthorizerContext) EnforcementDecision {
return c.executeChain(func(authz Authorizer) EnforcementDecision {
return authz.ACLRead(entCtx)
})
}
// ACLWrite checks for permission to manipulate ACLs
func (c *ChainedAuthorizer) ACLWrite(entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
func (c *ChainedAuthorizer) ACLWrite(entCtx *AuthorizerContext) EnforcementDecision {
return c.executeChain(func(authz Authorizer) EnforcementDecision {
return authz.ACLWrite(entCtx)
})
@ -49,7 +49,7 @@ func (c *ChainedAuthorizer) ACLWrite(entCtx *EnterpriseAuthorizerContext) Enforc
// AgentRead checks for permission to read from agent endpoints for a
// given node.
func (c *ChainedAuthorizer) AgentRead(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
func (c *ChainedAuthorizer) AgentRead(node string, entCtx *AuthorizerContext) EnforcementDecision {
return c.executeChain(func(authz Authorizer) EnforcementDecision {
return authz.AgentRead(node, entCtx)
})
@ -57,21 +57,21 @@ func (c *ChainedAuthorizer) AgentRead(node string, entCtx *EnterpriseAuthorizerC
// AgentWrite checks for permission to make changes via agent endpoints
// for a given node.
func (c *ChainedAuthorizer) AgentWrite(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
func (c *ChainedAuthorizer) AgentWrite(node string, entCtx *AuthorizerContext) EnforcementDecision {
return c.executeChain(func(authz Authorizer) EnforcementDecision {
return authz.AgentWrite(node, entCtx)
})
}
// EventRead determines if a specific event can be queried.
func (c *ChainedAuthorizer) EventRead(name string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
func (c *ChainedAuthorizer) EventRead(name string, entCtx *AuthorizerContext) EnforcementDecision {
return c.executeChain(func(authz Authorizer) EnforcementDecision {
return authz.EventRead(name, entCtx)
})
}
// EventWrite determines if a specific event may be fired.
func (c *ChainedAuthorizer) EventWrite(name string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
func (c *ChainedAuthorizer) EventWrite(name string, entCtx *AuthorizerContext) EnforcementDecision {
return c.executeChain(func(authz Authorizer) EnforcementDecision {
return authz.EventWrite(name, entCtx)
})
@ -79,14 +79,14 @@ func (c *ChainedAuthorizer) EventWrite(name string, entCtx *EnterpriseAuthorizer
// IntentionDefaultAllow determines the default authorized behavior
// when no intentions match a Connect request.
func (c *ChainedAuthorizer) IntentionDefaultAllow(entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
func (c *ChainedAuthorizer) IntentionDefaultAllow(entCtx *AuthorizerContext) EnforcementDecision {
return c.executeChain(func(authz Authorizer) EnforcementDecision {
return authz.IntentionDefaultAllow(entCtx)
})
}
// IntentionRead determines if a specific intention can be read.
func (c *ChainedAuthorizer) IntentionRead(prefix string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
func (c *ChainedAuthorizer) IntentionRead(prefix string, entCtx *AuthorizerContext) EnforcementDecision {
return c.executeChain(func(authz Authorizer) EnforcementDecision {
return authz.IntentionRead(prefix, entCtx)
})
@ -94,28 +94,28 @@ func (c *ChainedAuthorizer) IntentionRead(prefix string, entCtx *EnterpriseAutho
// IntentionWrite determines if a specific intention can be
// created, modified, or deleted.
func (c *ChainedAuthorizer) IntentionWrite(prefix string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
func (c *ChainedAuthorizer) IntentionWrite(prefix string, entCtx *AuthorizerContext) EnforcementDecision {
return c.executeChain(func(authz Authorizer) EnforcementDecision {
return authz.IntentionWrite(prefix, entCtx)
})
}
// KeyList checks for permission to list keys under a prefix
func (c *ChainedAuthorizer) KeyList(keyPrefix string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
func (c *ChainedAuthorizer) KeyList(keyPrefix string, entCtx *AuthorizerContext) EnforcementDecision {
return c.executeChain(func(authz Authorizer) EnforcementDecision {
return authz.KeyList(keyPrefix, entCtx)
})
}
// KeyRead checks for permission to read a given key
func (c *ChainedAuthorizer) KeyRead(key string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
func (c *ChainedAuthorizer) KeyRead(key string, entCtx *AuthorizerContext) EnforcementDecision {
return c.executeChain(func(authz Authorizer) EnforcementDecision {
return authz.KeyRead(key, entCtx)
})
}
// KeyWrite checks for permission to write a given key
func (c *ChainedAuthorizer) KeyWrite(key string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
func (c *ChainedAuthorizer) KeyWrite(key string, entCtx *AuthorizerContext) EnforcementDecision {
return c.executeChain(func(authz Authorizer) EnforcementDecision {
return authz.KeyWrite(key, entCtx)
})
@ -124,7 +124,7 @@ func (c *ChainedAuthorizer) KeyWrite(key string, entCtx *EnterpriseAuthorizerCon
// KeyWritePrefix checks for permission to write to an
// entire key prefix. This means there must be no sub-policies
// that deny a write.
func (c *ChainedAuthorizer) KeyWritePrefix(keyPrefix string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
func (c *ChainedAuthorizer) KeyWritePrefix(keyPrefix string, entCtx *AuthorizerContext) EnforcementDecision {
return c.executeChain(func(authz Authorizer) EnforcementDecision {
return authz.KeyWritePrefix(keyPrefix, entCtx)
})
@ -132,21 +132,21 @@ func (c *ChainedAuthorizer) KeyWritePrefix(keyPrefix string, entCtx *EnterpriseA
// KeyringRead determines if the encryption keyring used in
// the gossip layer can be read.
func (c *ChainedAuthorizer) KeyringRead(entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
func (c *ChainedAuthorizer) KeyringRead(entCtx *AuthorizerContext) EnforcementDecision {
return c.executeChain(func(authz Authorizer) EnforcementDecision {
return authz.KeyringRead(entCtx)
})
}
// KeyringWrite determines if the keyring can be manipulated
func (c *ChainedAuthorizer) KeyringWrite(entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
func (c *ChainedAuthorizer) KeyringWrite(entCtx *AuthorizerContext) EnforcementDecision {
return c.executeChain(func(authz Authorizer) EnforcementDecision {
return authz.KeyringWrite(entCtx)
})
}
// NodeRead checks for permission to read (discover) a given node.
func (c *ChainedAuthorizer) NodeRead(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
func (c *ChainedAuthorizer) NodeRead(node string, entCtx *AuthorizerContext) EnforcementDecision {
return c.executeChain(func(authz Authorizer) EnforcementDecision {
return authz.NodeRead(node, entCtx)
})
@ -154,7 +154,7 @@ func (c *ChainedAuthorizer) NodeRead(node string, entCtx *EnterpriseAuthorizerCo
// NodeWrite checks for permission to create or update (register) a
// given node.
func (c *ChainedAuthorizer) NodeWrite(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
func (c *ChainedAuthorizer) NodeWrite(node string, entCtx *AuthorizerContext) EnforcementDecision {
return c.executeChain(func(authz Authorizer) EnforcementDecision {
return authz.NodeWrite(node, entCtx)
})
@ -162,7 +162,7 @@ func (c *ChainedAuthorizer) NodeWrite(node string, entCtx *EnterpriseAuthorizerC
// OperatorRead determines if the read-only Consul operator functions
// can be used.
func (c *ChainedAuthorizer) OperatorRead(entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
func (c *ChainedAuthorizer) OperatorRead(entCtx *AuthorizerContext) EnforcementDecision {
return c.executeChain(func(authz Authorizer) EnforcementDecision {
return authz.OperatorRead(entCtx)
})
@ -170,7 +170,7 @@ func (c *ChainedAuthorizer) OperatorRead(entCtx *EnterpriseAuthorizerContext) En
// OperatorWrite determines if the state-changing Consul operator
// functions can be used.
func (c *ChainedAuthorizer) OperatorWrite(entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
func (c *ChainedAuthorizer) OperatorWrite(entCtx *AuthorizerContext) EnforcementDecision {
return c.executeChain(func(authz Authorizer) EnforcementDecision {
return authz.OperatorWrite(entCtx)
})
@ -178,7 +178,7 @@ func (c *ChainedAuthorizer) OperatorWrite(entCtx *EnterpriseAuthorizerContext) E
// PreparedQueryRead determines if a specific prepared query can be read
// to show its contents (this is not used for execution).
func (c *ChainedAuthorizer) PreparedQueryRead(query string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
func (c *ChainedAuthorizer) PreparedQueryRead(query string, entCtx *AuthorizerContext) EnforcementDecision {
return c.executeChain(func(authz Authorizer) EnforcementDecision {
return authz.PreparedQueryRead(query, entCtx)
})
@ -186,14 +186,14 @@ func (c *ChainedAuthorizer) PreparedQueryRead(query string, entCtx *EnterpriseAu
// PreparedQueryWrite determines if a specific prepared query can be
// created, modified, or deleted.
func (c *ChainedAuthorizer) PreparedQueryWrite(query string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
func (c *ChainedAuthorizer) PreparedQueryWrite(query string, entCtx *AuthorizerContext) EnforcementDecision {
return c.executeChain(func(authz Authorizer) EnforcementDecision {
return authz.PreparedQueryWrite(query, entCtx)
})
}
// ServiceRead checks for permission to read a given service
func (c *ChainedAuthorizer) ServiceRead(name string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
func (c *ChainedAuthorizer) ServiceRead(name string, entCtx *AuthorizerContext) EnforcementDecision {
return c.executeChain(func(authz Authorizer) EnforcementDecision {
return authz.ServiceRead(name, entCtx)
})
@ -201,14 +201,14 @@ func (c *ChainedAuthorizer) ServiceRead(name string, entCtx *EnterpriseAuthorize
// ServiceWrite checks for permission to create or update a given
// service
func (c *ChainedAuthorizer) ServiceWrite(name string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
func (c *ChainedAuthorizer) ServiceWrite(name string, entCtx *AuthorizerContext) EnforcementDecision {
return c.executeChain(func(authz Authorizer) EnforcementDecision {
return authz.ServiceWrite(name, entCtx)
})
}
// SessionRead checks for permission to read sessions for a given node.
func (c *ChainedAuthorizer) SessionRead(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
func (c *ChainedAuthorizer) SessionRead(node string, entCtx *AuthorizerContext) EnforcementDecision {
return c.executeChain(func(authz Authorizer) EnforcementDecision {
return authz.SessionRead(node, entCtx)
})
@ -216,14 +216,14 @@ func (c *ChainedAuthorizer) SessionRead(node string, entCtx *EnterpriseAuthorize
// SessionWrite checks for permission to create sessions for a given
// node.
func (c *ChainedAuthorizer) SessionWrite(node string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
func (c *ChainedAuthorizer) SessionWrite(node string, entCtx *AuthorizerContext) EnforcementDecision {
return c.executeChain(func(authz Authorizer) EnforcementDecision {
return authz.SessionWrite(node, entCtx)
})
}
// Snapshot checks for permission to take and restore snapshots.
func (c *ChainedAuthorizer) Snapshot(entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
func (c *ChainedAuthorizer) Snapshot(entCtx *AuthorizerContext) EnforcementDecision {
return c.executeChain(func(authz Authorizer) EnforcementDecision {
return authz.Snapshot(entCtx)
})

3
acl/chained_authorizer_oss.go
View File

@ -1,3 +0,0 @@
// +build !consulent
package acl

52
acl/chained_authorizer_test.go
View File

@ -6,82 +6,82 @@ import (
type testAuthorizer EnforcementDecision
func (authz testAuthorizer) ACLRead(*EnterpriseAuthorizerContext) EnforcementDecision {
func (authz testAuthorizer) ACLRead(*AuthorizerContext) EnforcementDecision {
return EnforcementDecision(authz)
}
func (authz testAuthorizer) ACLWrite(*EnterpriseAuthorizerContext) EnforcementDecision {
func (authz testAuthorizer) ACLWrite(*AuthorizerContext) EnforcementDecision {
return EnforcementDecision(authz)
}
func (authz testAuthorizer) AgentRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (authz testAuthorizer) AgentRead(string, *AuthorizerContext) EnforcementDecision {
return EnforcementDecision(authz)
}
func (authz testAuthorizer) AgentWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (authz testAuthorizer) AgentWrite(string, *AuthorizerContext) EnforcementDecision {
return EnforcementDecision(authz)
}
func (authz testAuthorizer) EventRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (authz testAuthorizer) EventRead(string, *AuthorizerContext) EnforcementDecision {
return EnforcementDecision(authz)
}
func (authz testAuthorizer) EventWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (authz testAuthorizer) EventWrite(string, *AuthorizerContext) EnforcementDecision {
return EnforcementDecision(authz)
}
func (authz testAuthorizer) IntentionDefaultAllow(*EnterpriseAuthorizerContext) EnforcementDecision {
func (authz testAuthorizer) IntentionDefaultAllow(*AuthorizerContext) EnforcementDecision {
return EnforcementDecision(authz)
}
func (authz testAuthorizer) IntentionRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (authz testAuthorizer) IntentionRead(string, *AuthorizerContext) EnforcementDecision {
return EnforcementDecision(authz)
}
func (authz testAuthorizer) IntentionWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (authz testAuthorizer) IntentionWrite(string, *AuthorizerContext) EnforcementDecision {
return EnforcementDecision(authz)
}
func (authz testAuthorizer) KeyList(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (authz testAuthorizer) KeyList(string, *AuthorizerContext) EnforcementDecision {
return EnforcementDecision(authz)
}
func (authz testAuthorizer) KeyRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (authz testAuthorizer) KeyRead(string, *AuthorizerContext) EnforcementDecision {
return EnforcementDecision(authz)
}
func (authz testAuthorizer) KeyWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (authz testAuthorizer) KeyWrite(string, *AuthorizerContext) EnforcementDecision {
return EnforcementDecision(authz)
}
func (authz testAuthorizer) KeyWritePrefix(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (authz testAuthorizer) KeyWritePrefix(string, *AuthorizerContext) EnforcementDecision {
return EnforcementDecision(authz)
}
func (authz testAuthorizer) KeyringRead(*EnterpriseAuthorizerContext) EnforcementDecision {
func (authz testAuthorizer) KeyringRead(*AuthorizerContext) EnforcementDecision {
return EnforcementDecision(authz)
}
func (authz testAuthorizer) KeyringWrite(*EnterpriseAuthorizerContext) EnforcementDecision {
func (authz testAuthorizer) KeyringWrite(*AuthorizerContext) EnforcementDecision {
return EnforcementDecision(authz)
}
func (authz testAuthorizer) NodeRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (authz testAuthorizer) NodeRead(string, *AuthorizerContext) EnforcementDecision {
return EnforcementDecision(authz)
}
func (authz testAuthorizer) NodeWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (authz testAuthorizer) NodeWrite(string, *AuthorizerContext) EnforcementDecision {
return EnforcementDecision(authz)
}
func (authz testAuthorizer) OperatorRead(*EnterpriseAuthorizerContext) EnforcementDecision {
func (authz testAuthorizer) OperatorRead(*AuthorizerContext) EnforcementDecision {
return EnforcementDecision(authz)
}
func (authz testAuthorizer) OperatorWrite(*EnterpriseAuthorizerContext) EnforcementDecision {
func (authz testAuthorizer) OperatorWrite(*AuthorizerContext) EnforcementDecision {
return EnforcementDecision(authz)
}
func (authz testAuthorizer) PreparedQueryRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (authz testAuthorizer) PreparedQueryRead(string, *AuthorizerContext) EnforcementDecision {
return EnforcementDecision(authz)
}
func (authz testAuthorizer) PreparedQueryWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (authz testAuthorizer) PreparedQueryWrite(string, *AuthorizerContext) EnforcementDecision {
return EnforcementDecision(authz)
}
func (authz testAuthorizer) ServiceRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (authz testAuthorizer) ServiceRead(string, *AuthorizerContext) EnforcementDecision {
return EnforcementDecision(authz)
}
func (authz testAuthorizer) ServiceWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (authz testAuthorizer) ServiceWrite(string, *AuthorizerContext) EnforcementDecision {
return EnforcementDecision(authz)
}
func (authz testAuthorizer) SessionRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (authz testAuthorizer) SessionRead(string, *AuthorizerContext) EnforcementDecision {
return EnforcementDecision(authz)
}
func (authz testAuthorizer) SessionWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (authz testAuthorizer) SessionWrite(string, *AuthorizerContext) EnforcementDecision {
return EnforcementDecision(authz)
}
func (authz testAuthorizer) Snapshot(*EnterpriseAuthorizerContext) EnforcementDecision {
func (authz testAuthorizer) Snapshot(*AuthorizerContext) EnforcementDecision {
return EnforcementDecision(authz)
}

0
acl/acl.go → acl/errors.go
View File

8
acl/policy.go
View File

@ -161,7 +161,7 @@ func isPolicyValid(policy string, allowList bool) bool {
return true
}
func (pr *PolicyRules) Validate(conf *EnterpriseACLConfig) error {
func (pr *PolicyRules) Validate(conf *Config) error {
// Validate the acl policy - this one is allowed to be empty
if pr.ACL != "" && !isPolicyValid(pr.ACL, false) {
return fmt.Errorf("Invalid acl policy: %#v", pr.ACL)
@ -288,7 +288,7 @@ func (pr *PolicyRules) Validate(conf *EnterpriseACLConfig) error {
return nil
}
func parseCurrent(rules string, conf *EnterpriseACLConfig, meta *EnterprisePolicyMeta) (*Policy, error) {
func parseCurrent(rules string, conf *Config, meta *EnterprisePolicyMeta) (*Policy, error) {
p, err := decodeRules(rules, conf, meta)
if err != nil {
return nil, err
@ -305,7 +305,7 @@ func parseCurrent(rules string, conf *EnterpriseACLConfig, meta *EnterprisePolic
return p, nil
}
func parseLegacy(rules string, conf *EnterpriseACLConfig) (*Policy, error) {
func parseLegacy(rules string, conf *Config) (*Policy, error) {
p := &Policy{}
type LegacyPolicy struct {
@ -422,7 +422,7 @@ func parseLegacy(rules string, conf *EnterpriseACLConfig) (*Policy, error) {
// NewPolicyFromSource is used to parse the specified ACL rules into an
// intermediary set of policies, before being compiled into
// the ACL
func NewPolicyFromSource(id string, revision uint64, rules string, syntax SyntaxVersion, conf *EnterpriseACLConfig, meta *EnterprisePolicyMeta) (*Policy, error) {
func NewPolicyFromSource(id string, revision uint64, rules string, syntax SyntaxVersion, conf *Config, meta *EnterprisePolicyMeta) (*Policy, error) {
if rules == "" {
// Hot path for empty source
return &Policy{ID: id, Revision: revision}, nil

56
acl/policy_authorizer.go
View File

@ -313,13 +313,13 @@ func (p *policyAuthorizer) loadRules(policy *PolicyRules) error {
return nil
}
func newPolicyAuthorizer(policies []*Policy, ent *EnterpriseACLConfig) (Authorizer, error) {
func newPolicyAuthorizer(policies []*Policy, ent *Config) (Authorizer, error) {
policy := MergePolicies(policies)
return newPolicyAuthorizerFromRules(&policy.PolicyRules, ent)
}
func newPolicyAuthorizerFromRules(rules *PolicyRules, ent *EnterpriseACLConfig) (Authorizer, error) {
func newPolicyAuthorizerFromRules(rules *PolicyRules, ent *Config) (Authorizer, error) {
p := &policyAuthorizer{
agentRules: radix.New(),
intentionRules: radix.New(),
@ -341,7 +341,7 @@ func newPolicyAuthorizerFromRules(rules *PolicyRules, ent *EnterpriseACLConfig)
}
// ACLRead checks if listing of ACLs is allowed
func (p *policyAuthorizer) ACLRead(*EnterpriseAuthorizerContext) EnforcementDecision {
func (p *policyAuthorizer) ACLRead(*AuthorizerContext) EnforcementDecision {
if p.aclRule != nil {
return enforce(p.aclRule.access, AccessRead)
}
@ -349,7 +349,7 @@ func (p *policyAuthorizer) ACLRead(*EnterpriseAuthorizerContext) EnforcementDeci
}
// ACLWrite checks if modification of ACLs is allowed
func (p *policyAuthorizer) ACLWrite(*EnterpriseAuthorizerContext) EnforcementDecision {
func (p *policyAuthorizer) ACLWrite(*AuthorizerContext) EnforcementDecision {
if p.aclRule != nil {
return enforce(p.aclRule.access, AccessWrite)
}
@ -358,7 +358,7 @@ func (p *policyAuthorizer) ACLWrite(*EnterpriseAuthorizerContext) EnforcementDec
// AgentRead checks for permission to read from agent endpoints for a given
// node.
func (p *policyAuthorizer) AgentRead(node string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
func (p *policyAuthorizer) AgentRead(node string, _ *AuthorizerContext) EnforcementDecision {
if rule, ok := getPolicy(node, p.agentRules); ok {
return enforce(rule.access, AccessRead)
}
@ -367,7 +367,7 @@ func (p *policyAuthorizer) AgentRead(node string, _ *EnterpriseAuthorizerContext
// AgentWrite checks for permission to make changes via agent endpoints for a
// given node.
func (p *policyAuthorizer) AgentWrite(node string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
func (p *policyAuthorizer) AgentWrite(node string, _ *AuthorizerContext) EnforcementDecision {
if rule, ok := getPolicy(node, p.agentRules); ok {
return enforce(rule.access, AccessWrite)
}
@ -375,7 +375,7 @@ func (p *policyAuthorizer) AgentWrite(node string, _ *EnterpriseAuthorizerContex
}
// Snapshot checks if taking and restoring snapshots is allowed.
func (p *policyAuthorizer) Snapshot(_ *EnterpriseAuthorizerContext) EnforcementDecision {
func (p *policyAuthorizer) Snapshot(_ *AuthorizerContext) EnforcementDecision {
if p.aclRule != nil {
return enforce(p.aclRule.access, AccessWrite)
}
@ -384,7 +384,7 @@ func (p *policyAuthorizer) Snapshot(_ *EnterpriseAuthorizerContext) EnforcementD
// EventRead is used to determine if the policy allows for a
// specific user event to be read.
func (p *policyAuthorizer) EventRead(name string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
func (p *policyAuthorizer) EventRead(name string, _ *AuthorizerContext) EnforcementDecision {
if rule, ok := getPolicy(name, p.eventRules); ok {
return enforce(rule.access, AccessRead)
}
@ -393,7 +393,7 @@ func (p *policyAuthorizer) EventRead(name string, _ *EnterpriseAuthorizerContext
// EventWrite is used to determine if new events can be created
// (fired) by the policy.
func (p *policyAuthorizer) EventWrite(name string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
func (p *policyAuthorizer) EventWrite(name string, _ *AuthorizerContext) EnforcementDecision {
if rule, ok := getPolicy(name, p.eventRules); ok {
return enforce(rule.access, AccessWrite)
}
@ -402,14 +402,14 @@ func (p *policyAuthorizer) EventWrite(name string, _ *EnterpriseAuthorizerContex
// IntentionDefaultAllow returns whether the default behavior when there are
// no matching intentions is to allow or deny.
func (p *policyAuthorizer) IntentionDefaultAllow(_ *EnterpriseAuthorizerContext) EnforcementDecision {
func (p *policyAuthorizer) IntentionDefaultAllow(_ *AuthorizerContext) EnforcementDecision {
// We always go up, this can't be determined by a policy.
return Default
}
// IntentionRead checks if writing (creating, updating, or deleting) of an
// intention is allowed.
func (p *policyAuthorizer) IntentionRead(prefix string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
func (p *policyAuthorizer) IntentionRead(prefix string, _ *AuthorizerContext) EnforcementDecision {
if rule, ok := getPolicy(prefix, p.intentionRules); ok {
return enforce(rule.access, AccessRead)
}
@ -418,7 +418,7 @@ func (p *policyAuthorizer) IntentionRead(prefix string, _ *EnterpriseAuthorizerC
// IntentionWrite checks if writing (creating, updating, or deleting) of an
// intention is allowed.
func (p *policyAuthorizer) IntentionWrite(prefix string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
func (p *policyAuthorizer) IntentionWrite(prefix string, _ *AuthorizerContext) EnforcementDecision {
if rule, ok := getPolicy(prefix, p.intentionRules); ok {
return enforce(rule.access, AccessWrite)
}
@ -426,7 +426,7 @@ func (p *policyAuthorizer) IntentionWrite(prefix string, _ *EnterpriseAuthorizer
}
// KeyRead returns if a key is allowed to be read
func (p *policyAuthorizer) KeyRead(key string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
func (p *policyAuthorizer) KeyRead(key string, _ *AuthorizerContext) EnforcementDecision {
if rule, ok := getPolicy(key, p.keyRules); ok {
return enforce(rule.access, AccessRead)
}
@ -434,7 +434,7 @@ func (p *policyAuthorizer) KeyRead(key string, _ *EnterpriseAuthorizerContext) E
}
// KeyList returns if a key is allowed to be listed
func (p *policyAuthorizer) KeyList(key string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
func (p *policyAuthorizer) KeyList(key string, _ *AuthorizerContext) EnforcementDecision {
if rule, ok := getPolicy(key, p.keyRules); ok {
return enforce(rule.access, AccessList)
}
@ -442,7 +442,7 @@ func (p *policyAuthorizer) KeyList(key string, _ *EnterpriseAuthorizerContext) E
}
// KeyWrite returns if a key is allowed to be written
func (p *policyAuthorizer) KeyWrite(key string, entCtx *EnterpriseAuthorizerContext) EnforcementDecision {
func (p *policyAuthorizer) KeyWrite(key string, entCtx *AuthorizerContext) EnforcementDecision {
if rule, ok := getPolicy(key, p.keyRules); ok {
decision := enforce(rule.access, AccessWrite)
if decision == Allow {
@ -459,7 +459,7 @@ func (p *policyAuthorizer) KeyWrite(key string, entCtx *EnterpriseAuthorizerCont
// the KV can be removed. For that reason we must be able to
// delete everything under the prefix. First we must have "write"
// on the prefix itself
func (p *policyAuthorizer) KeyWritePrefix(prefix string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
func (p *policyAuthorizer) KeyWritePrefix(prefix string, _ *AuthorizerContext) EnforcementDecision {
// Conditions for Allow:
// * The longest prefix match rule that would apply to the given prefix
// grants AccessWrite
@ -537,7 +537,7 @@ func (p *policyAuthorizer) KeyWritePrefix(prefix string, _ *EnterpriseAuthorizer
// KeyringRead is used to determine if the keyring can be
// read by the current ACL token.
func (p *policyAuthorizer) KeyringRead(*EnterpriseAuthorizerContext) EnforcementDecision {
func (p *policyAuthorizer) KeyringRead(*AuthorizerContext) EnforcementDecision {
if p.keyringRule != nil {
return enforce(p.keyringRule.access, AccessRead)
}
@ -545,7 +545,7 @@ func (p *policyAuthorizer) KeyringRead(*EnterpriseAuthorizerContext) Enforcement
}
// KeyringWrite determines if the keyring can be manipulated.
func (p *policyAuthorizer) KeyringWrite(*EnterpriseAuthorizerContext) EnforcementDecision {
func (p *policyAuthorizer) KeyringWrite(*AuthorizerContext) EnforcementDecision {
if p.keyringRule != nil {
return enforce(p.keyringRule.access, AccessWrite)
}
@ -553,7 +553,7 @@ func (p *policyAuthorizer) KeyringWrite(*EnterpriseAuthorizerContext) Enforcemen
}
// OperatorRead determines if the read-only operator functions are allowed.
func (p *policyAuthorizer) OperatorRead(*EnterpriseAuthorizerContext) EnforcementDecision {
func (p *policyAuthorizer) OperatorRead(*AuthorizerContext) EnforcementDecision {
if p.operatorRule != nil {
return enforce(p.operatorRule.access, AccessRead)
}
@ -562,7 +562,7 @@ func (p *policyAuthorizer) OperatorRead(*EnterpriseAuthorizerContext) Enforcemen
// OperatorWrite determines if the state-changing operator functions are
// allowed.
func (p *policyAuthorizer) OperatorWrite(*EnterpriseAuthorizerContext) EnforcementDecision {
func (p *policyAuthorizer) OperatorWrite(*AuthorizerContext) EnforcementDecision {
if p.operatorRule != nil {
return enforce(p.operatorRule.access, AccessWrite)
}
@ -570,7 +570,7 @@ func (p *policyAuthorizer) OperatorWrite(*EnterpriseAuthorizerContext) Enforceme
}
// NodeRead checks if reading (discovery) of a node is allowed
func (p *policyAuthorizer) NodeRead(name string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
func (p *policyAuthorizer) NodeRead(name string, _ *AuthorizerContext) EnforcementDecision {
if rule, ok := getPolicy(name, p.nodeRules); ok {
return enforce(rule.access, AccessRead)
}
@ -578,7 +578,7 @@ func (p *policyAuthorizer) NodeRead(name string, _ *EnterpriseAuthorizerContext)
}
// NodeWrite checks if writing (registering) a node is allowed
func (p *policyAuthorizer) NodeWrite(name string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
func (p *policyAuthorizer) NodeWrite(name string, _ *AuthorizerContext) EnforcementDecision {
if rule, ok := getPolicy(name, p.nodeRules); ok {
return enforce(rule.access, AccessWrite)
}
@ -587,7 +587,7 @@ func (p *policyAuthorizer) NodeWrite(name string, _ *EnterpriseAuthorizerContext
// PreparedQueryRead checks if reading (listing) of a prepared query is
// allowed - this isn't execution, just listing its contents.
func (p *policyAuthorizer) PreparedQueryRead(prefix string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
func (p *policyAuthorizer) PreparedQueryRead(prefix string, _ *AuthorizerContext) EnforcementDecision {
if rule, ok := getPolicy(prefix, p.preparedQueryRules); ok {
return enforce(rule.access, AccessRead)
}
@ -596,7 +596,7 @@ func (p *policyAuthorizer) PreparedQueryRead(prefix string, _ *EnterpriseAuthori
// PreparedQueryWrite checks if writing (creating, updating, or deleting) of a
// prepared query is allowed.
func (p *policyAuthorizer) PreparedQueryWrite(prefix string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
func (p *policyAuthorizer) PreparedQueryWrite(prefix string, _ *AuthorizerContext) EnforcementDecision {
if rule, ok := getPolicy(prefix, p.preparedQueryRules); ok {
return enforce(rule.access, AccessWrite)
}
@ -604,7 +604,7 @@ func (p *policyAuthorizer) PreparedQueryWrite(prefix string, _ *EnterpriseAuthor
}
// ServiceRead checks if reading (discovery) of a service is allowed
func (p *policyAuthorizer) ServiceRead(name string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
func (p *policyAuthorizer) ServiceRead(name string, _ *AuthorizerContext) EnforcementDecision {
if rule, ok := getPolicy(name, p.serviceRules); ok {
return enforce(rule.access, AccessRead)
}
@ -612,7 +612,7 @@ func (p *policyAuthorizer) ServiceRead(name string, _ *EnterpriseAuthorizerConte
}
// ServiceWrite checks if writing (registering) a service is allowed
func (p *policyAuthorizer) ServiceWrite(name string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
func (p *policyAuthorizer) ServiceWrite(name string, _ *AuthorizerContext) EnforcementDecision {
if rule, ok := getPolicy(name, p.serviceRules); ok {
return enforce(rule.access, AccessWrite)
}
@ -620,7 +620,7 @@ func (p *policyAuthorizer) ServiceWrite(name string, _ *EnterpriseAuthorizerCont
}
// SessionRead checks for permission to read sessions for a given node.
func (p *policyAuthorizer) SessionRead(node string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
func (p *policyAuthorizer) SessionRead(node string, _ *AuthorizerContext) EnforcementDecision {
if rule, ok := getPolicy(node, p.sessionRules); ok {
return enforce(rule.access, AccessRead)
}
@ -628,7 +628,7 @@ func (p *policyAuthorizer) SessionRead(node string, _ *EnterpriseAuthorizerConte
}
// SessionWrite checks for permission to create sessions for a given node.
func (p *policyAuthorizer) SessionWrite(node string, _ *EnterpriseAuthorizerContext) EnforcementDecision {
func (p *policyAuthorizer) SessionWrite(node string, _ *AuthorizerContext) EnforcementDecision {
// Check for an exact rule or catch-all
if rule, ok := getPolicy(node, p.sessionRules); ok {
return enforce(rule.access, AccessWrite)

8
acl/policy_authorizer_oss.go
View File

@ -5,22 +5,22 @@ package acl
// enterprisePolicyAuthorizer stub
type enterprisePolicyAuthorizer struct{}
func (authz *enterprisePolicyAuthorizer) init(*EnterpriseACLConfig) {
func (authz *enterprisePolicyAuthorizer) init(*Config) {
// nothing to do
}
func (authz *enterprisePolicyAuthorizer) enforce(_ *EnterpriseRule, _ *EnterpriseAuthorizerContext) EnforcementDecision {
func (authz *enterprisePolicyAuthorizer) enforce(_ *EnterpriseRule, _ *AuthorizerContext) EnforcementDecision {
return Default
}
// NewPolicyAuthorizer merges the policies and returns an Authorizer that will enforce them
func NewPolicyAuthorizer(policies []*Policy, entConfig *EnterpriseACLConfig) (Authorizer, error) {
func NewPolicyAuthorizer(policies []*Policy, entConfig *Config) (Authorizer, error) {
return newPolicyAuthorizer(policies, entConfig)
}
// NewPolicyAuthorizerWithDefaults will actually created a ChainedAuthorizer with
// the policies compiled into one Authorizer and the backup policy of the defaultAuthz
func NewPolicyAuthorizerWithDefaults(defaultAuthz Authorizer, policies []*Policy, entConfig *EnterpriseACLConfig) (Authorizer, error) {
func NewPolicyAuthorizerWithDefaults(defaultAuthz Authorizer, policies []*Policy, entConfig *Config) (Authorizer, error) {
authz, err := newPolicyAuthorizer(policies, entConfig)
if err != nil {
return nil, err

2
acl/policy_authorizer_test.go
View File

@ -17,7 +17,7 @@ func TestPolicyAuthorizer(t *testing.T) {
type aclCheck struct {
name string
prefix string
check func(t *testing.T, authz Authorizer, prefix string, entCtx *EnterpriseAuthorizerContext)
check func(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext)
}
type aclTest struct {

6
acl/policy_oss.go
View File

@ -14,7 +14,7 @@ type EnterprisePolicyMeta struct{}
// EnterpriseRule stub
type EnterpriseRule struct{}
func (r *EnterpriseRule) Validate(string, *EnterpriseACLConfig) error {
func (r *EnterpriseRule) Validate(string, *Config) error {
// nothing to validate
return nil
}
@ -22,12 +22,12 @@ func (r *EnterpriseRule) Validate(string, *EnterpriseACLConfig) error {
// EnterprisePolicyRules stub
type EnterprisePolicyRules struct{}
func (r *EnterprisePolicyRules) Validate(*EnterpriseACLConfig) error {
func (r *EnterprisePolicyRules) Validate(*Config) error {
// nothing to validate
return nil
}
func decodeRules(rules string, _ *EnterpriseACLConfig, _ *EnterprisePolicyMeta) (*Policy, error) {
func decodeRules(rules string, _ *Config, _ *EnterprisePolicyMeta) (*Policy, error) {
p := &Policy{}
if err := hcl.Decode(p, rules); err != nil {

60
acl/static_authorizer.go
View File

@ -3,13 +3,13 @@ package acl
var (
// allowAll is a singleton policy which allows all
// non-management actions
allowAll Authorizer = &StaticAuthorizer{
allowAll Authorizer = &staticAuthorizer{
allowManage: false,
defaultAllow: true,
}
// denyAll is a singleton policy which denies all actions
denyAll Authorizer = &StaticAuthorizer{
denyAll Authorizer = &staticAuthorizer{
allowManage: false,
defaultAllow: false,
}
@ -18,7 +18,7 @@ var (
// actions, including management
// TODO (acls) - Do we need to keep this around? Our config parsing doesn't allow
// specifying a default "manage" policy so I believe nothing will every use this.
manageAll Authorizer = &StaticAuthorizer{
manageAll Authorizer = &staticAuthorizer{
allowManage: true,
defaultAllow: true,
}
@ -27,187 +27,187 @@ var (
// StaticAuthorizer is used to implement a base ACL policy. It either
// allows or denies all requests. This can be used as a parent
// ACL to act in a blacklist or whitelist mode.
type StaticAuthorizer struct {
type staticAuthorizer struct {
allowManage bool
defaultAllow bool
}
func (s *StaticAuthorizer) ACLRead(*EnterpriseAuthorizerContext) EnforcementDecision {
func (s *staticAuthorizer) ACLRead(*AuthorizerContext) EnforcementDecision {
if s.allowManage {
return Allow
}
return Deny
}
func (s *StaticAuthorizer) ACLWrite(*EnterpriseAuthorizerContext) EnforcementDecision {
func (s *staticAuthorizer) ACLWrite(*AuthorizerContext) EnforcementDecision {
if s.allowManage {
return Allow
}
return Deny
}
func (s *StaticAuthorizer) AgentRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (s *staticAuthorizer) AgentRead(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow {
return Allow
}
return Deny
}
func (s *StaticAuthorizer) AgentWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (s *staticAuthorizer) AgentWrite(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow {
return Allow
}
return Deny
}
func (s *StaticAuthorizer) EventRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (s *staticAuthorizer) EventRead(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow {
return Allow
}
return Deny
}
func (s *StaticAuthorizer) EventWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (s *staticAuthorizer) EventWrite(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow {
return Allow
}
return Deny
}
func (s *StaticAuthorizer) IntentionDefaultAllow(*EnterpriseAuthorizerContext) EnforcementDecision {
func (s *staticAuthorizer) IntentionDefaultAllow(*AuthorizerContext) EnforcementDecision {
if s.defaultAllow {
return Allow
}
return Deny
}
func (s *StaticAuthorizer) IntentionRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (s *staticAuthorizer) IntentionRead(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow {
return Allow
}
return Deny
}
func (s *StaticAuthorizer) IntentionWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (s *staticAuthorizer) IntentionWrite(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow {
return Allow
}
return Deny
}
func (s *StaticAuthorizer) KeyRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (s *staticAuthorizer) KeyRead(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow {
return Allow
}
return Deny
}
func (s *StaticAuthorizer) KeyList(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (s *staticAuthorizer) KeyList(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow {
return Allow
}
return Deny
}
func (s *StaticAuthorizer) KeyWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (s *staticAuthorizer) KeyWrite(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow {
return Allow
}
return Deny
}
func (s *StaticAuthorizer) KeyWritePrefix(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (s *staticAuthorizer) KeyWritePrefix(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow {
return Allow
}
return Deny
}
func (s *StaticAuthorizer) KeyringRead(*EnterpriseAuthorizerContext) EnforcementDecision {
func (s *staticAuthorizer) KeyringRead(*AuthorizerContext) EnforcementDecision {
if s.defaultAllow {
return Allow
}
return Deny
}
func (s *StaticAuthorizer) KeyringWrite(*EnterpriseAuthorizerContext) EnforcementDecision {
func (s *staticAuthorizer) KeyringWrite(*AuthorizerContext) EnforcementDecision {
if s.defaultAllow {
return Allow
}
return Deny
}
func (s *StaticAuthorizer) NodeRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (s *staticAuthorizer) NodeRead(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow {
return Allow
}
return Deny
}
func (s *StaticAuthorizer) NodeWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (s *staticAuthorizer) NodeWrite(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow {
return Allow
}
return Deny
}
func (s *StaticAuthorizer) OperatorRead(*EnterpriseAuthorizerContext) EnforcementDecision {
func (s *staticAuthorizer) OperatorRead(*AuthorizerContext) EnforcementDecision {
if s.defaultAllow {
return Allow
}
return Deny
}
func (s *StaticAuthorizer) OperatorWrite(*EnterpriseAuthorizerContext) EnforcementDecision {
func (s *staticAuthorizer) OperatorWrite(*AuthorizerContext) EnforcementDecision {
if s.defaultAllow {
return Allow
}
return Deny
}
func (s *StaticAuthorizer) PreparedQueryRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (s *staticAuthorizer) PreparedQueryRead(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow {
return Allow
}
return Deny
}
func (s *StaticAuthorizer) PreparedQueryWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (s *staticAuthorizer) PreparedQueryWrite(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow {
return Allow
}
return Deny
}
func (s *StaticAuthorizer) ServiceRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (s *staticAuthorizer) ServiceRead(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow {
return Allow
}
return Deny
}
func (s *StaticAuthorizer) ServiceWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (s *staticAuthorizer) ServiceWrite(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow {
return Allow
}
return Deny
}
func (s *StaticAuthorizer) SessionRead(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (s *staticAuthorizer) SessionRead(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow {
return Allow
}
return Deny
}
func (s *StaticAuthorizer) SessionWrite(string, *EnterpriseAuthorizerContext) EnforcementDecision {
func (s *staticAuthorizer) SessionWrite(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow {
return Allow
}
return Deny
}
func (s *StaticAuthorizer) Snapshot(_ *EnterpriseAuthorizerContext) EnforcementDecision {
func (s *staticAuthorizer) Snapshot(_ *AuthorizerContext) EnforcementDecision {
if s.allowManage {
return Allow
}

105
agent/acl.go
View File

@ -13,6 +13,13 @@ import (
// clients. Some of the enforcement is normative (e.g. self and monitor)
// and some is informative (e.g. catalog and health).
func (a *Agent) resolveToken(id string) (acl.Authorizer, error) {
return a.resolveTokenAndDefaultMeta(id, nil, nil)
}
// resolveTokenAndDefaultMeta is used to resolve an ACL token secret to an
// acl.Authorizer and to default any enterprise specific metadata for the request.
// The defaulted metadata is then used to fill in an acl.AuthorizationContext.
func (a *Agent) resolveTokenAndDefaultMeta(id string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (acl.Authorizer, error) {
// ACLs are disabled
if !a.delegate.ACLsEnabled() {
return nil, nil
@ -30,7 +37,8 @@ func (a *Agent) resolveToken(id string) (acl.Authorizer, error) {
if a.tokens.IsAgentMasterToken(id) {
return a.aclMasterAuthorizer, nil
}
return a.delegate.ResolveToken(id)
return a.delegate.ResolveTokenAndDefaultMeta(id, entMeta, authzContext)
}
func (a *Agent) initializeACLs() error {
@ -67,25 +75,30 @@ func (a *Agent) initializeACLs() error {
// the given token.
func (a *Agent) vetServiceRegister(token string, service *structs.NodeService) error {
// Resolve the token and bail if ACLs aren't enabled.
rule, err := a.resolveToken(token)
authz, err := a.resolveToken(token)
if err != nil {
return err
}
if rule == nil {
return a.vetServiceRegisterWithAuthorizer(authz, service)
}
func (a *Agent) vetServiceRegisterWithAuthorizer(authz acl.Authorizer, service *structs.NodeService) error {
if authz == nil {
return nil
}
var authzContext acl.EnterpriseAuthorizerContext
var authzContext acl.AuthorizerContext
service.FillAuthzContext(&authzContext)
// Vet the service itself.
if rule.ServiceWrite(service.Service, &authzContext) != acl.Allow {
if authz.ServiceWrite(service.Service, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
// Vet any service that might be getting overwritten.
if existing := a.State.Service(service.CompoundServiceID()); existing != nil {
existing.FillAuthzContext(&authzContext)
if rule.ServiceWrite(existing.Service, &authzContext) != acl.Allow {
if authz.ServiceWrite(existing.Service, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
}
@ -94,7 +107,7 @@ func (a *Agent) vetServiceRegister(token string, service *structs.NodeService) e
// since it can be discovered as an instance of that service.
if service.Kind == structs.ServiceKindConnectProxy {
service.FillAuthzContext(&authzContext)
if rule.ServiceWrite(service.Proxy.DestinationServiceName, &authzContext) != acl.Allow {
if authz.ServiceWrite(service.Proxy.DestinationServiceName, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
}
@ -106,20 +119,25 @@ func (a *Agent) vetServiceRegister(token string, service *structs.NodeService) e
// token.
func (a *Agent) vetServiceUpdate(token string, serviceID structs.ServiceID) error {
// Resolve the token and bail if ACLs aren't enabled.
rule, err := a.resolveToken(token)
authz, err := a.resolveToken(token)
if err != nil {
return err
}
if rule == nil {
return a.vetServiceUpdateWithAuthorizer(authz, serviceID)
}
func (a *Agent) vetServiceUpdateWithAuthorizer(authz acl.Authorizer, serviceID structs.ServiceID) error {
if authz == nil {
return nil
}
var authzContext acl.EnterpriseAuthorizerContext
var authzContext acl.AuthorizerContext
// Vet any changes based on the existing services's info.
if existing := a.State.Service(serviceID); existing != nil {
existing.FillAuthzContext(&authzContext)
if rule.ServiceWrite(existing.Service, &authzContext) != acl.Allow {
if authz.ServiceWrite(existing.Service, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
} else {
@ -133,23 +151,28 @@ func (a *Agent) vetServiceUpdate(token string, serviceID structs.ServiceID) erro
// given token.
func (a *Agent) vetCheckRegister(token string, check *structs.HealthCheck) error {
// Resolve the token and bail if ACLs aren't enabled.
rule, err := a.resolveToken(token)
authz, err := a.resolveToken(token)
if err != nil {
return err
}
if rule == nil {
return a.vetCheckRegisterWithAuthorizer(authz, check)
}
func (a *Agent) vetCheckRegisterWithAuthorizer(authz acl.Authorizer, check *structs.HealthCheck) error {
if authz == nil {
return nil
}
var authzContext acl.EnterpriseAuthorizerContext
var authzContext acl.AuthorizerContext
check.FillAuthzContext(&authzContext)
// Vet the check itself.
if len(check.ServiceName) > 0 {
if rule.ServiceWrite(check.ServiceName, &authzContext) != acl.Allow {
if authz.ServiceWrite(check.ServiceName, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
} else {
if rule.NodeWrite(a.config.NodeName, &authzContext) != acl.Allow {
if authz.NodeWrite(a.config.NodeName, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
}
@ -157,11 +180,11 @@ func (a *Agent) vetCheckRegister(token string, check *structs.HealthCheck) error
// Vet any check that might be getting overwritten.
if existing := a.State.Check(check.CompoundCheckID()); existing != nil {
if len(existing.ServiceName) > 0 {
if rule.ServiceWrite(existing.ServiceName, &authzContext) != acl.Allow {
if authz.ServiceWrite(existing.ServiceName, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
} else {
if rule.NodeWrite(a.config.NodeName, &authzContext) != acl.Allow {
if authz.NodeWrite(a.config.NodeName, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
}
@ -173,25 +196,30 @@ func (a *Agent) vetCheckRegister(token string, check *structs.HealthCheck) error
// vetCheckUpdate makes sure that a check update is allowed by the given token.
func (a *Agent) vetCheckUpdate(token string, checkID structs.CheckID) error {
// Resolve the token and bail if ACLs aren't enabled.
rule, err := a.resolveToken(token)
authz, err := a.resolveToken(token)
if err != nil {
return err
}
if rule == nil {
return a.vetCheckUpdateWithAuthorizer(authz, checkID)
}
func (a *Agent) vetCheckUpdateWithAuthorizer(authz acl.Authorizer, checkID structs.CheckID) error {
if authz == nil {
return nil
}
var authzContext acl.EnterpriseAuthorizerContext
var authzContext acl.AuthorizerContext
checkID.FillAuthzContext(&authzContext)
// Vet any changes based on the existing check's info.
if existing := a.State.Check(checkID); existing != nil {
if len(existing.ServiceName) > 0 {
if rule.ServiceWrite(existing.ServiceName, &authzContext) != acl.Allow {
if authz.ServiceWrite(existing.ServiceName, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
} else {
if rule.NodeWrite(a.config.NodeName, &authzContext) != acl.Allow {
if authz.NodeWrite(a.config.NodeName, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
}
@ -213,7 +241,7 @@ func (a *Agent) filterMembers(token string, members *[]serf.Member) error {
return nil
}
var authzContext acl.EnterpriseAuthorizerContext
var authzContext acl.AuthorizerContext
structs.DefaultEnterpriseMeta().FillAuthzContext(&authzContext)
// Filter out members based on the node policy.
m := *members
@ -233,19 +261,23 @@ func (a *Agent) filterMembers(token string, members *[]serf.Member) error {
// filterServices redacts services that the token doesn't have access to.
func (a *Agent) filterServices(token string, services *map[structs.ServiceID]*structs.NodeService) error {
// Resolve the token and bail if ACLs aren't enabled.
rule, err := a.resolveToken(token)
authz, err := a.resolveToken(token)
if err != nil {
return err
}
if rule == nil {
return a.filterServicesWithAuthorizer(authz, services)
}
func (a *Agent) filterServicesWithAuthorizer(authz acl.Authorizer, services *map[structs.ServiceID]*structs.NodeService) error {
if authz == nil {
return nil
}
var authzContext acl.EnterpriseAuthorizerContext
var authzContext acl.AuthorizerContext
// Filter out services based on the service policy.
for id, service := range *services {
service.FillAuthzContext(&authzContext)
if rule.ServiceRead(service.Service, &authzContext) == acl.Allow {
if authz.ServiceRead(service.Service, &authzContext) == acl.Allow {
continue
}
a.logger.Printf("[DEBUG] agent: dropping service %q from result due to ACLs", id.String())
@ -257,25 +289,30 @@ func (a *Agent) filterServices(token string, services *map[structs.ServiceID]*st
// filterChecks redacts checks that the token doesn't have access to.
func (a *Agent) filterChecks(token string, checks *map[structs.CheckID]*structs.HealthCheck) error {
// Resolve the token and bail if ACLs aren't enabled.
rule, err := a.resolveToken(token)
authz, err := a.resolveToken(token)
if err != nil {
return err
}
if rule == nil {
return a.filterChecksWithAuthorizer(authz, checks)
}
func (a *Agent) filterChecksWithAuthorizer(authz acl.Authorizer, checks *map[structs.CheckID]*structs.HealthCheck) error {
if authz == nil {
return nil
}
var authzContext acl.EnterpriseAuthorizerContext
var authzContext acl.AuthorizerContext
// Filter out checks based on the node or service policy.
for id, check := range *checks {
if len(check.ServiceName) > 0 {
check.FillAuthzContext(&authzContext)
if rule.ServiceRead(check.ServiceName, &authzContext) == acl.Allow {
if authz.ServiceRead(check.ServiceName, &authzContext) == acl.Allow {
continue
}
} else {
structs.DefaultEnterpriseMeta().FillAuthzContext(&authzContext)
if rule.NodeRead(a.config.NodeName, &authzContext) == acl.Allow {
if authz.NodeRead(a.config.NodeName, &authzContext) == acl.Allow {
continue
}
}

199
agent/acl_test.go
View File

@ -47,7 +47,7 @@ type TestACLAgent struct {
// Shutdown() is called.
DataDir string
resolveTokenFn func(string) (acl.Authorizer, error)
resolveTokenFn func(string) (structs.ACLIdentity, acl.Authorizer, error)
*Agent
}
@ -55,7 +55,7 @@ type TestACLAgent struct {
// NewTestACLAGent does just enough so that all the code within agent/acl.go can work
// Basically it needs a local state for some of the vet* functions, a logger and a delegate.
// The key is that we are the delegate so we can control the ResolveToken responses
func NewTestACLAgent(t *testing.T, name string, hcl string, resolveFn func(string) (acl.Authorizer, error)) *TestACLAgent {
func NewTestACLAgent(t *testing.T, name string, hcl string, resolveFn func(string) (structs.ACLIdentity, acl.Authorizer, error)) *TestACLAgent {
a := &TestACLAgent{Name: name, HCL: hcl, resolveTokenFn: resolveFn}
hclDataDir := `data_dir = "acl-agent"`
@ -98,9 +98,38 @@ func (a *TestACLAgent) ResolveToken(secretID string) (acl.Authorizer, error) {
panic("This agent is useless without providing a token resolution function")
}
_, authz, err := a.resolveTokenFn(secretID)
return authz, err
}
func (a *TestACLAgent) ResolveTokenToIdentityAndAuthorizer(secretID string) (structs.ACLIdentity, acl.Authorizer, error) {
if a.resolveTokenFn == nil {
panic("This agent is useless without providing a token resolution function")
}
return a.resolveTokenFn(secretID)
}
func (a *TestACLAgent) ResolveTokenAndDefaultMeta(secretID string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (acl.Authorizer, error) {
identity, authz, err := a.ResolveTokenToIdentityAndAuthorizer(secretID)
if err != nil {
return nil, err
}
// Default the EnterpriseMeta based on the Tokens meta or actual defaults
// in the case of unknown identity
if identity != nil {
entMeta.Merge(identity.EnterpriseMetadata())
} else {
entMeta.Merge(structs.DefaultEnterpriseMeta())
}
// Use the meta to fill in the ACL authorization context
entMeta.FillAuthzContext(authzContext)
return authz, err
}
// All of these are stubs to satisfy the interface
func (a *TestACLAgent) Encrypted() bool {
return false
@ -150,9 +179,9 @@ func TestACL_Version8(t *testing.T) {
t.Parallel()
t.Run("version 8 disabled", func(t *testing.T) {
resolveFn := func(string) (acl.Authorizer, error) {
resolveFn := func(string) (structs.ACLIdentity, acl.Authorizer, error) {
require.Fail(t, "should not have called delegate.ResolveToken")
return nil, fmt.Errorf("should not have called delegate.ResolveToken")
return nil, nil, fmt.Errorf("should not have called delegate.ResolveToken")
}
a := NewTestACLAgent(t, t.Name(), TestACLConfig()+`
@ -166,9 +195,9 @@ func TestACL_Version8(t *testing.T) {
t.Run("version 8 enabled", func(t *testing.T) {
called := false
resolveFn := func(string) (acl.Authorizer, error) {
resolveFn := func(string) (structs.ACLIdentity, acl.Authorizer, error) {
called = true
return nil, acl.ErrNotFound
return nil, nil, acl.ErrNotFound
}
a := NewTestACLAgent(t, t.Name(), TestACLConfig()+`
acl_enforce_version_8 = true
@ -183,9 +212,9 @@ func TestACL_Version8(t *testing.T) {
func TestACL_AgentMasterToken(t *testing.T) {
t.Parallel()
resolveFn := func(string) (acl.Authorizer, error) {
resolveFn := func(string) (structs.ACLIdentity, acl.Authorizer, error) {
require.Fail(t, "should not have called delegate.ResolveToken")
return nil, fmt.Errorf("should not have called delegate.ResolveToken")
return nil, nil, fmt.Errorf("should not have called delegate.ResolveToken")
}
a := NewTestACLAgent(t, t.Name(), TestACLConfig(), resolveFn)
@ -203,9 +232,9 @@ func TestACL_AgentMasterToken(t *testing.T) {
func TestACL_RootAuthorizersDenied(t *testing.T) {
t.Parallel()
resolveFn := func(string) (acl.Authorizer, error) {
resolveFn := func(string) (structs.ACLIdentity, acl.Authorizer, error) {
require.Fail(t, "should not have called delegate.ResolveToken")
return nil, fmt.Errorf("should not have called delegate.ResolveToken")
return nil, nil, fmt.Errorf("should not have called delegate.ResolveToken")
}
a := NewTestACLAgent(t, t.Name(), TestACLConfig(), resolveFn)
@ -223,58 +252,76 @@ func TestACL_RootAuthorizersDenied(t *testing.T) {
require.True(t, acl.IsErrRootDenied(err))
}
func authzFromPolicy(policy *acl.Policy, cfg *acl.EnterpriseACLConfig) (acl.Authorizer, error) {
func authzFromPolicy(policy *acl.Policy, cfg *acl.Config) (acl.Authorizer, error) {
return acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, cfg)
}
// catalogPolicy supplies some standard policies to help with testing the
// catalog-related vet and filter functions.
func catalogPolicy(token string) (acl.Authorizer, error) {
switch token {
type testToken struct {
token structs.ACLToken
// yes the rules can exist on the token itself but that is legacy behavior
// that I would prefer these tests not rely on
rules string
}
case "node-ro":
return authzFromPolicy(&acl.Policy{
PolicyRules: acl.PolicyRules{
NodePrefixes: []*acl.NodeRule{
&acl.NodeRule{Name: "Node", Policy: "read"},
},
var (
nodeROSecret = "7e80d017-bccc-492f-8dec-65f03aeaebf3"
nodeRWSecret = "e3586ee5-02a2-4bf4-9ec3-9c4be7606e8c"
serviceROSecret = "3d2c8552-df3b-4da7-9890-36885cbf56ac"
serviceRWSecret = "4a1017a2-f788-4be3-93f2-90566f1340bb"
otherRWSecret = "a38e8016-91b6-4876-b3e7-a307abbb2002"
testTokens = map[string]testToken{
nodeROSecret: testToken{
token: structs.ACLToken{
AccessorID: "9df2d1a4-2d07-414e-8ead-6053f56ed2eb",
SecretID: nodeROSecret,
},
}, nil)
case "node-rw":
return authzFromPolicy(&acl.Policy{
PolicyRules: acl.PolicyRules{
NodePrefixes: []*acl.NodeRule{
&acl.NodeRule{Name: "Node", Policy: "write"},
},
rules: `node_prefix "Node" { policy = "read" }`,
},
nodeRWSecret: testToken{
token: structs.ACLToken{
AccessorID: "efb6b7d5-d343-47c1-b4cb-aa6b94d2f490",
SecretID: nodeROSecret,
},
}, nil)
case "service-ro":
return authzFromPolicy(&acl.Policy{
PolicyRules: acl.PolicyRules{
ServicePrefixes: []*acl.ServiceRule{
&acl.ServiceRule{Name: "service", Policy: "read"},
},
rules: `node_prefix "Node" { policy = "write" }`,
},
serviceROSecret: testToken{
token: structs.ACLToken{
AccessorID: "0da53edb-36e5-4603-9c31-79965bad45f5",
SecretID: serviceROSecret,
},
}, nil)
case "service-rw":
return authzFromPolicy(&acl.Policy{
PolicyRules: acl.PolicyRules{
ServicePrefixes: []*acl.ServiceRule{
&acl.ServiceRule{Name: "service", Policy: "write"},
},
rules: `service_prefix "service" { policy = "read" }`,
},
serviceRWSecret: testToken{
token: structs.ACLToken{
AccessorID: "52504258-137a-41e6-9326-01f40e80872e",
SecretID: serviceRWSecret,
},
}, nil)
case "other-rw":
return authzFromPolicy(&acl.Policy{
PolicyRules: acl.PolicyRules{
ServicePrefixes: []*acl.ServiceRule{
&acl.ServiceRule{Name: "other", Policy: "write"},
},
rules: `service_prefix "service" { policy = "write" }`,
},
otherRWSecret: testToken{
token: structs.ACLToken{
AccessorID: "5e032c5b-c39e-4552-b5ad-8a9365b099c4",
SecretID: otherRWSecret,
},
}, nil)
default:
return nil, fmt.Errorf("unknown token %q", token)
rules: `service_prefix "other" { policy = "write" }`,
},
}
)
func catalogPolicy(token string) (structs.ACLIdentity, acl.Authorizer, error) {
tok, ok := testTokens[token]
if !ok {
return nil, nil, acl.ErrNotFound
}
policy, err := acl.NewPolicyFromSource("", 0, tok.rules, acl.SyntaxCurrent, nil, nil)
if err != nil {
return nil, nil, err
}
authz, err := authzFromPolicy(policy, nil)
return &tok.token, authz, err
}
func TestACL_vetServiceRegister(t *testing.T) {
@ -282,14 +329,14 @@ func TestACL_vetServiceRegister(t *testing.T) {
a := NewTestACLAgent(t, t.Name(), TestACLConfig(), catalogPolicy)
// Register a new service, with permission.
err := a.vetServiceRegister("service-rw", &structs.NodeService{
err := a.vetServiceRegister(serviceRWSecret, &structs.NodeService{
ID: "my-service",
Service: "service",
})
require.NoError(t, err)
// Register a new service without write privs.
err = a.vetServiceRegister("service-ro", &structs.NodeService{
err = a.vetServiceRegister(serviceROSecret, &structs.NodeService{
ID: "my-service",
Service: "service",
})
@ -301,7 +348,7 @@ func TestACL_vetServiceRegister(t *testing.T) {
ID: "my-service",
Service: "other",
}, "")
err = a.vetServiceRegister("service-rw", &structs.NodeService{
err = a.vetServiceRegister(serviceRWSecret, &structs.NodeService{
ID: "my-service",
Service: "service",
})
@ -313,7 +360,7 @@ func TestACL_vetServiceUpdate(t *testing.T) {
a := NewTestACLAgent(t, t.Name(), TestACLConfig(), catalogPolicy)
// Update a service that doesn't exist.
err := a.vetServiceUpdate("service-rw", structs.NewServiceID("my-service", nil))
err := a.vetServiceUpdate(serviceRWSecret, structs.NewServiceID("my-service", nil))
require.Error(t, err)
require.Contains(t, err.Error(), "Unknown service")
@ -322,11 +369,11 @@ func TestACL_vetServiceUpdate(t *testing.T) {
ID: "my-service",
Service: "service",
}, "")
err = a.vetServiceUpdate("service-rw", structs.NewServiceID("my-service", nil))
err = a.vetServiceUpdate(serviceRWSecret, structs.NewServiceID("my-service", nil))
require.NoError(t, err)
// Update without write privs.
err = a.vetServiceUpdate("service-ro", structs.NewServiceID("my-service", nil))
err = a.vetServiceUpdate(serviceROSecret, structs.NewServiceID("my-service", nil))
require.Error(t, err)
require.True(t, acl.IsErrPermissionDenied(err))
}
@ -336,7 +383,7 @@ func TestACL_vetCheckRegister(t *testing.T) {
a := NewTestACLAgent(t, t.Name(), TestACLConfig(), catalogPolicy)
// Register a new service check with write privs.
err := a.vetCheckRegister("service-rw", &structs.HealthCheck{
err := a.vetCheckRegister(serviceRWSecret, &structs.HealthCheck{
CheckID: types.CheckID("my-check"),
ServiceID: "my-service",
ServiceName: "service",
@ -344,7 +391,7 @@ func TestACL_vetCheckRegister(t *testing.T) {
require.NoError(t, err)
// Register a new service check without write privs.
err = a.vetCheckRegister("service-ro", &structs.HealthCheck{
err = a.vetCheckRegister(serviceROSecret, &structs.HealthCheck{
CheckID: types.CheckID("my-check"),
ServiceID: "my-service",
ServiceName: "service",
@ -353,13 +400,13 @@ func TestACL_vetCheckRegister(t *testing.T) {
require.True(t, acl.IsErrPermissionDenied(err))
// Register a new node check with write privs.
err = a.vetCheckRegister("node-rw", &structs.HealthCheck{
err = a.vetCheckRegister(nodeRWSecret, &structs.HealthCheck{
CheckID: types.CheckID("my-check"),
})
require.NoError(t, err)
// Register a new node check without write privs.
err = a.vetCheckRegister("node-ro", &structs.HealthCheck{
err = a.vetCheckRegister(nodeROSecret, &structs.HealthCheck{
CheckID: types.CheckID("my-check"),
})
require.Error(t, err)
@ -376,7 +423,7 @@ func TestACL_vetCheckRegister(t *testing.T) {
ServiceID: "my-service",
ServiceName: "other",
}, "")
err = a.vetCheckRegister("service-rw", &structs.HealthCheck{
err = a.vetCheckRegister(serviceRWSecret, &structs.HealthCheck{
CheckID: types.CheckID("my-check"),
ServiceID: "my-service",
ServiceName: "service",
@ -388,7 +435,7 @@ func TestACL_vetCheckRegister(t *testing.T) {
a.State.AddCheck(&structs.HealthCheck{
CheckID: types.CheckID("my-node-check"),
}, "")
err = a.vetCheckRegister("service-rw", &structs.HealthCheck{
err = a.vetCheckRegister(serviceRWSecret, &structs.HealthCheck{
CheckID: types.CheckID("my-node-check"),
ServiceID: "my-service",
ServiceName: "service",
@ -402,7 +449,7 @@ func TestACL_vetCheckUpdate(t *testing.T) {
a := NewTestACLAgent(t, t.Name(), TestACLConfig(), catalogPolicy)
// Update a check that doesn't exist.
err := a.vetCheckUpdate("node-rw", structs.NewCheckID("my-check", nil))
err := a.vetCheckUpdate(nodeRWSecret, structs.NewCheckID("my-check", nil))
require.Error(t, err)
require.Contains(t, err.Error(), "Unknown check")
@ -416,11 +463,11 @@ func TestACL_vetCheckUpdate(t *testing.T) {
ServiceID: "my-service",
ServiceName: "service",
}, "")
err = a.vetCheckUpdate("service-rw", structs.NewCheckID("my-service-check", nil))
err = a.vetCheckUpdate(serviceRWSecret, structs.NewCheckID("my-service-check", nil))
require.NoError(t, err)
// Update service check without write privs.
err = a.vetCheckUpdate("service-ro", structs.NewCheckID("my-service-check", nil))
err = a.vetCheckUpdate(serviceROSecret, structs.NewCheckID("my-service-check", nil))
require.Error(t, err)
require.True(t, acl.IsErrPermissionDenied(err), "not permission denied: %s", err.Error())
@ -428,11 +475,11 @@ func TestACL_vetCheckUpdate(t *testing.T) {
a.State.AddCheck(&structs.HealthCheck{
CheckID: types.CheckID("my-node-check"),
}, "")
err = a.vetCheckUpdate("node-rw", structs.NewCheckID("my-node-check", nil))
err = a.vetCheckUpdate(nodeRWSecret, structs.NewCheckID("my-node-check", nil))
require.NoError(t, err)
// Update without write privs.
err = a.vetCheckUpdate("node-ro", structs.NewCheckID("my-node-check", nil))
err = a.vetCheckUpdate(nodeROSecret, structs.NewCheckID("my-node-check", nil))
require.Error(t, err)
require.True(t, acl.IsErrPermissionDenied(err))
}
@ -442,7 +489,7 @@ func TestACL_filterMembers(t *testing.T) {
a := NewTestACLAgent(t, t.Name(), TestACLConfig(), catalogPolicy)
var members []serf.Member
require.NoError(t, a.filterMembers("node-ro", &members))
require.NoError(t, a.filterMembers(nodeROSecret, &members))
require.Len(t, members, 0)
members = []serf.Member{
@ -450,7 +497,7 @@ func TestACL_filterMembers(t *testing.T) {
serf.Member{Name: "Nope"},
serf.Member{Name: "Node 2"},
}
require.NoError(t, a.filterMembers("node-ro", &members))
require.NoError(t, a.filterMembers(nodeROSecret, &members))
require.Len(t, members, 2)
require.Equal(t, members[0].Name, "Node 1")
require.Equal(t, members[1].Name, "Node 2")
@ -461,11 +508,11 @@ func TestACL_filterServices(t *testing.T) {
a := NewTestACLAgent(t, t.Name(), TestACLConfig(), catalogPolicy)
services := make(map[structs.ServiceID]*structs.NodeService)
require.NoError(t, a.filterServices("node-ro", &services))
require.NoError(t, a.filterServices(nodeROSecret, &services))
services[structs.NewServiceID("my-service", nil)] = &structs.NodeService{ID: "my-service", Service: "service"}
services[structs.NewServiceID("my-other", nil)] = &structs.NodeService{ID: "my-other", Service: "other"}
require.NoError(t, a.filterServices("service-ro", &services))
require.NoError(t, a.filterServices(serviceROSecret, &services))
require.Contains(t, services, structs.NewServiceID("my-service", nil))
require.NotContains(t, services, structs.NewServiceID("my-other", nil))
}
@ -475,12 +522,12 @@ func TestACL_filterChecks(t *testing.T) {
a := NewTestACLAgent(t, t.Name(), TestACLConfig(), catalogPolicy)
checks := make(map[structs.CheckID]*structs.HealthCheck)
require.NoError(t, a.filterChecks("node-ro", &checks))
require.NoError(t, a.filterChecks(nodeROSecret, &checks))
checks[structs.NewCheckID("my-node", nil)] = &structs.HealthCheck{}
checks[structs.NewCheckID("my-service", nil)] = &structs.HealthCheck{ServiceName: "service"}
checks[structs.NewCheckID("my-other", nil)] = &structs.HealthCheck{ServiceName: "other"}
require.NoError(t, a.filterChecks("service-ro", &checks))
require.NoError(t, a.filterChecks(serviceROSecret, &checks))
_, ok := checks[structs.NewCheckID("my-node", nil)]
require.False(t, ok)
_, ok = checks[structs.NewCheckID("my-service", nil)]
@ -491,7 +538,7 @@ func TestACL_filterChecks(t *testing.T) {
checks[structs.NewCheckID("my-node", nil)] = &structs.HealthCheck{}
checks[structs.NewCheckID("my-service", nil)] = &structs.HealthCheck{ServiceName: "service"}
checks[structs.NewCheckID("my-other", nil)] = &structs.HealthCheck{ServiceName: "other"}
require.NoError(t, a.filterChecks("node-ro", &checks))
require.NoError(t, a.filterChecks(nodeROSecret, &checks))
_, ok = checks[structs.NewCheckID("my-node", nil)]
require.True(t, ok)
_, ok = checks[structs.NewCheckID("my-service", nil)]

5
agent/agent.go
View File

@ -136,6 +136,7 @@ type delegate interface {
JoinLAN(addrs []string) (n int, err error)
RemoveFailedNode(node string, prune bool) error
ResolveToken(secretID string) (acl.Authorizer, error)
ResolveTokenAndDefaultMeta(secretID string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (acl.Authorizer, error)
RPC(method string, args interface{}, reply interface{}) error
ACLsEnabled() bool
UseLegacyACLs() bool
@ -2700,8 +2701,6 @@ func (a *Agent) addCheck(check *structs.HealthCheck, chkType *structs.CheckType,
ttl.Start()
a.checkTTLs[cid] = ttl
a.logger.Printf("[DEBUG] ttl checks: %+v", a.checkTTLs)
case chkType.IsHTTP():
if existing, ok := a.checkHTTPs[cid]; ok {
existing.Stop()
@ -3160,7 +3159,7 @@ func (a *Agent) loadCheckState(check *structs.HealthCheck) error {
// Check if the state has expired
if time.Now().Unix() >= p.Expires {
a.logger.Printf("[DEBUG] agent: check state expired for %q, not restoring", cid)
a.logger.Printf("[DEBUG] agent: check state expired for %q, not restoring", cid.String())
return a.purgeCheckState(cid)
}

80
agent/agent_endpoint.go
View File

@ -220,8 +220,13 @@ func (s *HTTPServer) AgentServices(resp http.ResponseWriter, req *http.Request)
var filterExpression string
s.parseFilter(req, &filterExpression)
authz, err := s.agent.resolveTokenAndDefaultMeta(token, &entMeta, nil)
if err != nil {
return nil, err
}
services := s.agent.State.Services(&entMeta)
if err := s.agent.filterServices(token, &services); err != nil {
if err := s.agent.filterServicesWithAuthorizer(authz, &services); err != nil {
return nil, err
}
@ -269,6 +274,12 @@ func (s *HTTPServer) AgentService(resp http.ResponseWriter, req *http.Request) (
return nil, err
}
// need to resolve to default the meta
_, err := s.agent.resolveTokenAndDefaultMeta(token, &entMeta, nil)
if err != nil {
return nil, err
}
// Parse hash specially. Eventually this should happen in parseWait and end up
// in QueryOptions but I didn't want to make very general changes right away.
hash := req.URL.Query().Get("hash")
@ -291,13 +302,13 @@ func (s *HTTPServer) AgentService(resp http.ResponseWriter, req *http.Request) (
ws.Add(svcState.WatchCh)
// Check ACLs.
rule, err := s.agent.resolveToken(token)
authz, err := s.agent.resolveToken(token)
if err != nil {
return "", nil, err
}
var authzContext acl.EnterpriseAuthorizerContext
var authzContext acl.AuthorizerContext
svc.FillAuthzContext(&authzContext)
if rule != nil && rule.ServiceRead(svc.Service, &authzContext) != acl.Allow {
if authz != nil && authz.ServiceRead(svc.Service, &authzContext) != acl.Allow {
return "", nil, acl.ErrPermissionDenied
}
@ -332,6 +343,11 @@ func (s *HTTPServer) AgentChecks(resp http.ResponseWriter, req *http.Request) (i
return nil, err
}
authz, err := s.agent.resolveTokenAndDefaultMeta(token, &entMeta, nil)
if err != nil {
return nil, err
}
var filterExpression string
s.parseFilter(req, &filterExpression)
filter, err := bexpr.CreateFilter(filterExpression, nil, nil)
@ -340,7 +356,7 @@ func (s *HTTPServer) AgentChecks(resp http.ResponseWriter, req *http.Request) (i
}
checks := s.agent.State.Checks(&entMeta)
if err := s.agent.filterChecks(token, &checks); err != nil {
if err := s.agent.filterChecksWithAuthorizer(authz, &checks); err != nil {
return nil, err
}
@ -480,6 +496,9 @@ func (s *HTTPServer) syncChanges() {
}
func (s *HTTPServer) AgentRegisterCheck(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
var token string
s.parseToken(req, &token)
var args structs.CheckDefinition
if err := s.parseEntMetaNoWildcard(req, &args.EnterpriseMeta); err != nil {
return nil, err
@ -504,12 +523,17 @@ func (s *HTTPServer) AgentRegisterCheck(resp http.ResponseWriter, req *http.Requ
return nil, nil
}
authz, err := s.agent.resolveTokenAndDefaultMeta(token, &args.EnterpriseMeta, nil)
if err != nil {
return nil, err
}
// Construct the health check.
health := args.HealthCheck(s.agent.config.NodeName)
// Verify the check type.
chkType := args.CheckType()
err := chkType.Validate()
err = chkType.Validate()
if err != nil {
resp.WriteHeader(http.StatusBadRequest)
fmt.Fprint(resp, fmt.Errorf("Invalid check: %v", err))
@ -528,9 +552,7 @@ func (s *HTTPServer) AgentRegisterCheck(resp http.ResponseWriter, req *http.Requ
}
// Get the provided token, if any, and vet against any ACL policies.
var token string
s.parseToken(req, &token)
if err := s.agent.vetCheckRegister(token, health); err != nil {
if err := s.agent.vetCheckRegisterWithAuthorizer(authz, health); err != nil {
return nil, err
}
@ -553,9 +575,14 @@ func (s *HTTPServer) AgentDeregisterCheck(resp http.ResponseWriter, req *http.Re
return nil, err
}
authz, err := s.agent.resolveTokenAndDefaultMeta(token, &checkID.EnterpriseMeta, nil)
if err != nil {
return nil, err
}
checkID.Normalize()
if err := s.agent.vetCheckUpdate(token, checkID); err != nil {
if err := s.agent.vetCheckUpdateWithAuthorizer(authz, checkID); err != nil {
return nil, err
}
@ -636,9 +663,14 @@ func (s *HTTPServer) agentCheckUpdate(resp http.ResponseWriter, req *http.Reques
return nil, err
}
authz, err := s.agent.resolveTokenAndDefaultMeta(token, &cid.EnterpriseMeta, nil)
if err != nil {
return nil, err
}
cid.Normalize()
if err := s.agent.vetCheckUpdate(token, cid); err != nil {
if err := s.agent.vetCheckUpdateWithAuthorizer(authz, cid); err != nil {
return nil, err
}
@ -808,6 +840,14 @@ func (s *HTTPServer) AgentRegisterService(resp http.ResponseWriter, req *http.Re
return nil, nil
}
var token string
s.parseToken(req, &token)
authz, err := s.agent.resolveTokenAndDefaultMeta(token, &args.EnterpriseMeta, nil)
if err != nil {
return nil, err
}
// Get the node service.
ns := args.NodeService()
if ns.Weights != nil {
@ -864,9 +904,7 @@ func (s *HTTPServer) AgentRegisterService(resp http.ResponseWriter, req *http.Re
}
// Get the provided token, if any, and vet against any ACL policies.
var token string
s.parseToken(req, &token)
if err := s.agent.vetServiceRegister(token, ns); err != nil {
if err := s.agent.vetServiceRegisterWithAuthorizer(authz, ns); err != nil {
return nil, err
}
@ -934,9 +972,14 @@ func (s *HTTPServer) AgentDeregisterService(resp http.ResponseWriter, req *http.
return nil, err
}
authz, err := s.agent.resolveTokenAndDefaultMeta(token, &sid.EnterpriseMeta, nil)
if err != nil {
return nil, err
}
sid.Normalize()
if err := s.agent.vetServiceUpdate(token, sid); err != nil {
if err := s.agent.vetServiceUpdateWithAuthorizer(authz, sid); err != nil {
return nil, err
}
@ -982,9 +1025,14 @@ func (s *HTTPServer) AgentServiceMaintenance(resp http.ResponseWriter, req *http
return nil, err
}
authz, err := s.agent.resolveTokenAndDefaultMeta(token, &sid.EnterpriseMeta, nil)
if err != nil {
return nil, err
}
sid.Normalize()
if err := s.agent.vetServiceUpdate(token, sid); err != nil {
if err := s.agent.vetServiceUpdateWithAuthorizer(authz, sid); err != nil {
return nil, err
}

34
agent/checks/check.go
View File

@ -121,7 +121,7 @@ func (c *CheckMonitor) check() {
cmd, err = exec.Script(c.Script)
}
if err != nil {
c.Logger.Printf("[ERR] agent: Check %q failed to setup: %s", c.CheckID, err)
c.Logger.Printf("[ERR] agent: Check %q failed to setup: %s", c.CheckID.String(), err)
c.Notify.UpdateCheck(c.CheckID, api.HealthCritical, err.Error())
return
}
@ -138,13 +138,13 @@ func (c *CheckMonitor) check() {
outputStr = fmt.Sprintf("Captured %d of %d bytes\n...\n%s",
output.Size(), output.TotalWritten(), outputStr)
}
c.Logger.Printf("[TRACE] agent: Check %q output: %s", c.CheckID, outputStr)
c.Logger.Printf("[TRACE] agent: Check %q output: %s", c.CheckID.String(), outputStr)
return outputStr
}
// Start the check
if err := cmd.Start(); err != nil {
c.Logger.Printf("[ERR] agent: Check %q failed to invoke: %s", c.CheckID, err)
c.Logger.Printf("[ERR] agent: Check %q failed to invoke: %s", c.CheckID.String(), err)
c.Notify.UpdateCheck(c.CheckID, api.HealthCritical, err.Error())
return
}
@ -162,11 +162,11 @@ func (c *CheckMonitor) check() {
select {
case <-time.After(timeout):
if err := exec.KillCommandSubtree(cmd); err != nil {
c.Logger.Printf("[WARN] agent: Check %q failed to kill after timeout: %s", c.CheckID, err)
c.Logger.Printf("[WARN] agent: Check %q failed to kill after timeout: %s", c.CheckID.String(), err)
}
msg := fmt.Sprintf("Timed out (%s) running check", timeout.String())
c.Logger.Printf("[WARN] agent: Check %q: %s", c.CheckID, msg)
c.Logger.Printf("[WARN] agent: Check %q: %s", c.CheckID.String(), msg)
outputStr := truncateAndLogOutput()
if len(outputStr) > 0 {
@ -259,7 +259,7 @@ func (c *CheckTTL) run() {
select {
case <-c.timer.C:
c.Logger.Printf("[WARN] agent: Check %q missed TTL, is now critical",
c.CheckID)
c.CheckID.String())
c.Notify.UpdateCheck(c.CheckID, api.HealthCritical, c.getExpiredOutput())
case <-c.stopCh:
@ -285,7 +285,7 @@ func (c *CheckTTL) getExpiredOutput() string {
// and to renew the TTL. If expired, TTL is restarted.
// output is returned (might be truncated)
func (c *CheckTTL) SetStatus(status, output string) string {
c.Logger.Printf("[DEBUG] agent: Check %q status is now %s", c.CheckID, status)
c.Logger.Printf("[DEBUG] agent: Check %q status is now %s", c.CheckID.String(), status)
total := len(output)
if total > c.OutputMaxSize {
output = fmt.Sprintf("%s ... (captured %d of %d bytes)",
@ -450,7 +450,7 @@ func (c *CheckHTTP) check() {
// Read the response into a circular buffer to limit the size
output, _ := circbuf.NewBuffer(int64(c.OutputMaxSize))
if _, err := io.Copy(output, resp.Body); err != nil {
c.Logger.Printf("[WARN] agent: Check %q error while reading body: %s", c.CheckID, err)
c.Logger.Printf("[WARN] agent: Check %q error while reading body: %s", c.CheckID.String(), err)
}
// Format the response body
@ -542,7 +542,7 @@ func (c *CheckTCP) run() {
func (c *CheckTCP) check() {
conn, err := c.dialer.Dial(`tcp`, c.TCP)
if err != nil {
c.Logger.Printf("[WARN] agent: Check %q socket connection failed: %s", c.CheckID, err)
c.Logger.Printf("[WARN] agent: Check %q socket connection failed: %s", c.CheckID.String(), err)
c.StatusHandler.updateCheck(c.CheckID, api.HealthCritical, err.Error())
return
}
@ -615,7 +615,7 @@ func (c *CheckDocker) check() {
var out string
status, b, err := c.doCheck()
if err != nil {
c.Logger.Printf("[DEBUG] agent: Check %q: %s", c.CheckID, err)
c.Logger.Printf("[DEBUG] agent: Check %q: %s", c.CheckID.String(), err)
out = err.Error()
} else {
// out is already limited to CheckBufSize since we're getting a
@ -625,7 +625,7 @@ func (c *CheckDocker) check() {
if int(b.TotalWritten()) > len(out) {
out = fmt.Sprintf("Captured %d of %d bytes\n...\n%s", len(out), b.TotalWritten(), out)
}
c.Logger.Printf("[TRACE] agent: Check %q output: %s", c.CheckID, out)
c.Logger.Printf("[TRACE] agent: Check %q output: %s", c.CheckID.String(), out)
}
c.StatusHandler.updateCheck(c.CheckID, status, out)
}
@ -657,10 +657,10 @@ func (c *CheckDocker) doCheck() (string, *circbuf.Buffer, error) {
case 0:
return api.HealthPassing, buf, nil
case 1:
c.Logger.Printf("[DEBUG] agent: Check %q failed with exit code: %d", c.CheckID, exitCode)
c.Logger.Printf("[DEBUG] agent: Check %q failed with exit code: %d", c.CheckID.String(), exitCode)
return api.HealthWarning, buf, nil
default:
c.Logger.Printf("[DEBUG] agent: Check %q failed with exit code: %d", c.CheckID, exitCode)
c.Logger.Printf("[DEBUG] agent: Check %q failed with exit code: %d", c.CheckID.String(), exitCode)
return api.HealthCritical, buf, nil
}
}
@ -782,19 +782,19 @@ func (s *StatusHandler) updateCheck(checkID structs.CheckID, status, output stri
s.successCounter++
s.failuresCounter = 0
if s.successCounter >= s.successBeforePassing {
s.logger.Printf("[DEBUG] agent: Check %q is %q", checkID, status)
s.logger.Printf("[DEBUG] agent: Check %q is %q", checkID.String(), status)
s.inner.UpdateCheck(checkID, status, output)
return
}
s.logger.Printf("[WARN] agent: Check %q was %q but has not reached success threshold %d/%d", checkID, status, s.successCounter, s.successBeforePassing)
s.logger.Printf("[WARN] agent: Check %q was %q but has not reached success threshold %d/%d", checkID.String(), status, s.successCounter, s.successBeforePassing)
} else {
s.failuresCounter++
s.successCounter = 0
if s.failuresCounter >= s.failuresBeforeCritical {
s.logger.Printf("[WARN] agent: Check %q is now critical", checkID)
s.logger.Printf("[WARN] agent: Check %q is now critical", checkID.String())
s.inner.UpdateCheck(checkID, status, output)
return
}
s.logger.Printf("[WARN] agent: Check %q failed but has not reached failure threshold %d/%d", checkID, s.failuresCounter, s.failuresBeforeCritical)
s.logger.Printf("[WARN] agent: Check %q failed but has not reached failure threshold %d/%d", checkID.String(), s.failuresCounter, s.failuresBeforeCritical)
}
}

150
agent/consul/acl.go
View File

@ -69,6 +69,44 @@ const (
tokenRoleResolutionMaxRetries = 5
)
// missingIdentity is used to return some identity in the event that the real identity cannot be ascertained
type missingIdentity struct {
reason string
token string
}
func (id *missingIdentity) ID() string {
return id.reason
}
func (id *missingIdentity) SecretToken() string {
return id.token
}
func (id *missingIdentity) PolicyIDs() []string {
return nil
}
func (id *missingIdentity) RoleIDs() []string {
return nil
}
func (id *missingIdentity) EmbeddedPolicy() *structs.ACLPolicy {
return nil
}
func (id *missingIdentity) ServiceIdentityList() []*structs.ACLServiceIdentity {
return nil
}
func (id *missingIdentity) IsExpired(asOf time.Time) bool {
return false
}
func (id *missingIdentity) EnterpriseMetadata() *structs.EnterpriseMeta {
return structs.DefaultEnterpriseMeta()
}
func minTTL(a time.Duration, b time.Duration) time.Duration {
if a < b {
return a
@ -130,7 +168,7 @@ type ACLResolverConfig struct {
AutoDisable bool
// EnterpriseACLConfig contains Consul Enterprise specific ACL configuration
EnterpriseConfig *acl.EnterpriseACLConfig
EnterpriseConfig *acl.Config
}
// ACLResolver is the type to handle all your token and policy resolution needs.
@ -163,7 +201,7 @@ type ACLResolver struct {
logger *log.Logger
delegate ACLResolverDelegate
entConf *acl.EnterpriseACLConfig
entConf *acl.Config
cache *structs.ACLCaches
identityGroup singleflight.Group
@ -287,7 +325,7 @@ func (r *ACLResolver) fetchAndCacheTokenLegacy(token string, cached *structs.Aut
}
}
func (r *ACLResolver) resolveTokenLegacy(token string) (acl.Authorizer, error) {
func (r *ACLResolver) resolveTokenLegacy(token string) (structs.ACLIdentity, acl.Authorizer, error) {
defer metrics.MeasureSince([]string{"acl", "resolveTokenLegacy"}, time.Now())
// Attempt to resolve locally first (local results are not cached)
@ -297,18 +335,23 @@ func (r *ACLResolver) resolveTokenLegacy(token string) (acl.Authorizer, error) {
if err == nil && identity != nil {
policies, err := r.resolvePoliciesForIdentity(identity)
if err != nil {
return nil, err
return identity, nil, err
}
authz, err := policies.Compile(r.cache, r.entConf)
if err != nil {
return nil, err
return identity, nil, err
}
return acl.NewChainedAuthorizer([]acl.Authorizer{authz, acl.RootAuthorizer(r.config.ACLDefaultPolicy)}), nil
return identity, acl.NewChainedAuthorizer([]acl.Authorizer{authz, acl.RootAuthorizer(r.config.ACLDefaultPolicy)}), nil
}
return nil, err
return nil, nil, err
}
identity := &missingIdentity{
reason: "legacy-token",
token: token,
}
// Look in the cache prior to making a RPC request
@ -317,9 +360,9 @@ func (r *ACLResolver) resolveTokenLegacy(token string) (acl.Authorizer, error) {
if entry != nil && entry.Age() <= minTTL(entry.TTL, r.config.ACLTokenTTL) {
metrics.IncrCounter([]string{"acl", "token", "cache_hit"}, 1)
if entry.Authorizer != nil {
return entry.Authorizer, nil
return identity, entry.Authorizer, nil
}
return nil, acl.ErrNotFound
return identity, nil, acl.ErrNotFound
}
metrics.IncrCounter([]string{"acl", "token", "cache_miss"}, 1)
@ -334,9 +377,9 @@ func (r *ACLResolver) resolveTokenLegacy(token string) (acl.Authorizer, error) {
if !waitForResult {
// waitForResult being false requires the cacheEntry to not be nil
if entry.Authorizer != nil {
return entry.Authorizer, nil
return identity, entry.Authorizer, nil
}
return nil, acl.ErrNotFound
return identity, nil, acl.ErrNotFound
}
// block waiting for the async RPC to finish.
@ -347,7 +390,7 @@ func (r *ACLResolver) resolveTokenLegacy(token string) (acl.Authorizer, error) {
authorizer = res.Val.(acl.Authorizer)
}
return authorizer, res.Err
return identity, authorizer, res.Err
}
func (r *ACLResolver) fetchAndCacheIdentityFromToken(token string, cached *structs.IdentityCacheEntry) (structs.ACLIdentity, error) {
@ -987,13 +1030,13 @@ func (r *ACLResolver) disableACLsWhenUpstreamDisabled(err error) error {
return err
}
func (r *ACLResolver) ResolveToken(token string) (acl.Authorizer, error) {
func (r *ACLResolver) ResolveTokenToIdentityAndAuthorizer(token string) (structs.ACLIdentity, acl.Authorizer, error) {
if !r.ACLsEnabled() {
return nil, nil
return nil, nil, nil
}
if acl.RootAuthorizer(token) != nil {
return nil, acl.ErrRootDenied
return nil, nil, acl.ErrRootDenied
}
// handle the anonymous token
@ -1002,8 +1045,8 @@ func (r *ACLResolver) ResolveToken(token string) (acl.Authorizer, error) {
}
if r.delegate.UseLegacyACLs() {
authorizer, err := r.resolveTokenLegacy(token)
return authorizer, r.disableACLsWhenUpstreamDisabled(err)
identity, authorizer, err := r.resolveTokenLegacy(token)
return identity, authorizer, r.disableACLsWhenUpstreamDisabled(err)
}
defer metrics.MeasureSince([]string{"acl", "ResolveToken"}, time.Now())
@ -1013,10 +1056,10 @@ func (r *ACLResolver) ResolveToken(token string) (acl.Authorizer, error) {
r.disableACLsWhenUpstreamDisabled(err)
if IsACLRemoteError(err) {
r.logger.Printf("[ERR] consul.acl: %v", err)
return r.down, nil
return &missingIdentity{reason: "primary-dc-down", token: token}, r.down, nil
}
return nil, err
return nil, nil, err
}
// Build the Authorizer
@ -1024,7 +1067,7 @@ func (r *ACLResolver) ResolveToken(token string) (acl.Authorizer, error) {
authz, err := policies.Compile(r.cache, r.entConf)
if err != nil {
return nil, err
return nil, nil, err
}
chain = append(chain, authz)
@ -1032,15 +1075,20 @@ func (r *ACLResolver) ResolveToken(token string) (acl.Authorizer, error) {
if err != nil {
if IsACLRemoteError(err) {
r.logger.Printf("[ERR] consul.acl: %v", err)
return r.down, nil
return identity, r.down, nil
}
return nil, err
return nil, nil, err
} else if authz != nil {
chain = append(chain, authz)
}
chain = append(chain, acl.RootAuthorizer(r.config.ACLDefaultPolicy))
return acl.NewChainedAuthorizer(chain), nil
return identity, acl.NewChainedAuthorizer(chain), nil
}
func (r *ACLResolver) ResolveToken(token string) (acl.Authorizer, error) {
_, authz, err := r.ResolveTokenToIdentityAndAuthorizer(token)
return authz, err
}
func (r *ACLResolver) ACLsEnabled() bool {
@ -1092,7 +1140,7 @@ func newACLFilter(authorizer acl.Authorizer, logger *log.Logger, enforceVersion8
}
// allowNode is used to determine if a node is accessible for an ACL.
func (f *aclFilter) allowNode(node string, ent *acl.EnterpriseAuthorizerContext) bool {
func (f *aclFilter) allowNode(node string, ent *acl.AuthorizerContext) bool {
if !f.enforceVersion8 {
return true
}
@ -1101,7 +1149,7 @@ func (f *aclFilter) allowNode(node string, ent *acl.EnterpriseAuthorizerContext)
}
// allowService is used to determine if a service is accessible for an ACL.
func (f *aclFilter) allowService(service string, ent *acl.EnterpriseAuthorizerContext) bool {
func (f *aclFilter) allowService(service string, ent *acl.AuthorizerContext) bool {
if service == "" {
return true
}
@ -1114,7 +1162,7 @@ func (f *aclFilter) allowService(service string, ent *acl.EnterpriseAuthorizerCo
// allowSession is used to determine if a session for a node is accessible for
// an ACL.
func (f *aclFilter) allowSession(node string, ent *acl.EnterpriseAuthorizerContext) bool {
func (f *aclFilter) allowSession(node string, ent *acl.AuthorizerContext) bool {
if !f.enforceVersion8 {
return true
}
@ -1125,7 +1173,7 @@ func (f *aclFilter) allowSession(node string, ent *acl.EnterpriseAuthorizerConte
// the configured ACL rules for a token.
func (f *aclFilter) filterHealthChecks(checks *structs.HealthChecks) {
hc := *checks
var authzContext acl.EnterpriseAuthorizerContext
var authzContext acl.AuthorizerContext
for i := 0; i < len(hc); i++ {
check := hc[i]
@ -1143,7 +1191,7 @@ func (f *aclFilter) filterHealthChecks(checks *structs.HealthChecks) {
// filterServices is used to filter a set of services based on ACLs.
func (f *aclFilter) filterServices(services structs.Services, entMeta *structs.EnterpriseMeta) {
var authzContext acl.EnterpriseAuthorizerContext
var authzContext acl.AuthorizerContext
entMeta.FillAuthzContext(&authzContext)
for svc := range services {
@ -1159,7 +1207,7 @@ func (f *aclFilter) filterServices(services structs.Services, entMeta *structs.E
// based on the configured ACL rules.
func (f *aclFilter) filterServiceNodes(nodes *structs.ServiceNodes) {
sn := *nodes
var authzContext acl.EnterpriseAuthorizerContext
var authzContext acl.AuthorizerContext
for i := 0; i < len(sn); i++ {
node := sn[i]
@ -1181,7 +1229,7 @@ func (f *aclFilter) filterNodeServices(services **structs.NodeServices) {
return
}
var authzContext acl.EnterpriseAuthorizerContext
var authzContext acl.AuthorizerContext
structs.WildcardEnterpriseMeta().FillAuthzContext(&authzContext)
if !f.allowNode((*services).Node.Node, &authzContext) {
*services = nil
@ -1205,7 +1253,7 @@ func (f *aclFilter) filterNodeServiceList(services **structs.NodeServiceList) {
return
}
var authzContext acl.EnterpriseAuthorizerContext
var authzContext acl.AuthorizerContext
structs.WildcardEnterpriseMeta().FillAuthzContext(&authzContext)
if !f.allowNode((*services).Node.Node, &authzContext) {
*services = nil
@ -1238,7 +1286,7 @@ func (f *aclFilter) filterNodeServiceList(services **structs.NodeServiceList) {
// filterCheckServiceNodes is used to filter nodes based on ACL rules.
func (f *aclFilter) filterCheckServiceNodes(nodes *structs.CheckServiceNodes) {
csn := *nodes
var authzContext acl.EnterpriseAuthorizerContext
var authzContext acl.AuthorizerContext
for i := 0; i < len(csn); i++ {
node := csn[i]
@ -1259,7 +1307,7 @@ func (f *aclFilter) filterSessions(sessions *structs.Sessions) {
for i := 0; i < len(s); i++ {
session := s[i]
var entCtx acl.EnterpriseAuthorizerContext
var entCtx acl.AuthorizerContext
session.FillAuthzContext(&entCtx)
if f.allowSession(session.Node, &entCtx) {
@ -1276,7 +1324,7 @@ func (f *aclFilter) filterSessions(sessions *structs.Sessions) {
// rules.
func (f *aclFilter) filterCoordinates(coords *structs.Coordinates) {
c := *coords
var authzContext acl.EnterpriseAuthorizerContext
var authzContext acl.AuthorizerContext
structs.WildcardEnterpriseMeta().FillAuthzContext(&authzContext)
for i := 0; i < len(c); i++ {
@ -1325,7 +1373,7 @@ func (f *aclFilter) filterIntentions(ixns *structs.Intentions) {
func (f *aclFilter) filterNodeDump(dump *structs.NodeDump) {
nd := *dump
var authzContext acl.EnterpriseAuthorizerContext
var authzContext acl.AuthorizerContext
for i := 0; i < len(nd); i++ {
info := nd[i]
@ -1370,7 +1418,7 @@ func (f *aclFilter) filterNodeDump(dump *structs.NodeDump) {
func (f *aclFilter) filterNodes(nodes *structs.Nodes) {
n := *nodes
var authzContext acl.EnterpriseAuthorizerContext
var authzContext acl.AuthorizerContext
structs.WildcardEnterpriseMeta().FillAuthzContext(&authzContext)
for i := 0; i < len(n); i++ {
@ -1393,7 +1441,7 @@ func (f *aclFilter) filterNodes(nodes *structs.Nodes) {
// captured tokens, but they can at least see whether or not a token is set.
func (f *aclFilter) redactPreparedQueryTokens(query **structs.PreparedQuery) {
// Management tokens can see everything with no filtering.
var authzContext acl.EnterpriseAuthorizerContext
var authzContext acl.AuthorizerContext
structs.DefaultEnterpriseMeta().FillAuthzContext(&authzContext)
if f.authorizer.ACLWrite(&authzContext) == acl.Allow {
return
@ -1419,7 +1467,7 @@ func (f *aclFilter) redactPreparedQueryTokens(query **structs.PreparedQuery) {
// We prune entries the user doesn't have access to, and we redact any tokens
// if the user doesn't have a management token.
func (f *aclFilter) filterPreparedQueries(queries *structs.PreparedQueries) {
var authzContext acl.EnterpriseAuthorizerContext
var authzContext acl.AuthorizerContext
structs.DefaultEnterpriseMeta().FillAuthzContext(&authzContext)
// Management tokens can see everything with no filtering.
// TODO is this check even necessary - this looks like a search replace from
@ -1451,7 +1499,7 @@ func (f *aclFilter) filterPreparedQueries(queries *structs.PreparedQueries) {
}
func (f *aclFilter) filterToken(token **structs.ACLToken) {
var entCtx acl.EnterpriseAuthorizerContext
var entCtx acl.AuthorizerContext
if token == nil || *token == nil || f == nil {
return
}
@ -1482,7 +1530,7 @@ func (f *aclFilter) filterTokens(tokens *structs.ACLTokens) {
}
func (f *aclFilter) filterTokenStub(token **structs.ACLTokenListStub) {
var entCtx acl.EnterpriseAuthorizerContext
var entCtx acl.AuthorizerContext
if token == nil || *token == nil || f == nil {
return
}
@ -1507,7 +1555,7 @@ func (f *aclFilter) filterTokenStubs(tokens *[]*structs.ACLTokenListStub) {
}
func (f *aclFilter) filterPolicy(policy **structs.ACLPolicy) {
var entCtx acl.EnterpriseAuthorizerContext
var entCtx acl.AuthorizerContext
if policy == nil || *policy == nil || f == nil {
return
}
@ -1533,7 +1581,7 @@ func (f *aclFilter) filterPolicies(policies *structs.ACLPolicies) {
}
func (f *aclFilter) filterRole(role **structs.ACLRole) {
var entCtx acl.EnterpriseAuthorizerContext
var entCtx acl.AuthorizerContext
if role == nil || *role == nil || f == nil {
return
}
@ -1559,7 +1607,7 @@ func (f *aclFilter) filterRoles(roles *structs.ACLRoles) {
}
func (f *aclFilter) filterBindingRule(rule **structs.ACLBindingRule) {
var entCtx acl.EnterpriseAuthorizerContext
var entCtx acl.AuthorizerContext
if rule == nil || *rule == nil || f == nil {
return
}
@ -1585,7 +1633,7 @@ func (f *aclFilter) filterBindingRules(rules *structs.ACLBindingRules) {
}
func (f *aclFilter) filterAuthMethod(method **structs.ACLAuthMethod) {
var entCtx acl.EnterpriseAuthorizerContext
var entCtx acl.AuthorizerContext
if method == nil || *method == nil || f == nil {
return
}
@ -1734,7 +1782,7 @@ func vetRegisterWithACL(rule acl.Authorizer, subj *structs.RegisterRequest,
return nil
}
var authzContext acl.EnterpriseAuthorizerContext
var authzContext acl.AuthorizerContext
subj.FillAuthzContext(&authzContext)
// Vet the node info. This allows service updates to re-post the required
@ -1761,7 +1809,7 @@ func vetRegisterWithACL(rule acl.Authorizer, subj *structs.RegisterRequest,
// This is effectively a delete, so we DO NOT apply the
// sentinel scope to the service we are overwriting, just
// the regular ACL policy.
var secondaryCtx acl.EnterpriseAuthorizerContext
var secondaryCtx acl.AuthorizerContext
other.FillAuthzContext(&secondaryCtx)
if rule.ServiceWrite(other.Service, &secondaryCtx) != acl.Allow {
@ -1822,7 +1870,7 @@ func vetRegisterWithACL(rule acl.Authorizer, subj *structs.RegisterRequest,
// We are only adding a check here, so we don't add the scope,
// since the sentinel policy doesn't apply to adding checks at
// this time.
var secondaryCtx acl.EnterpriseAuthorizerContext
var secondaryCtx acl.AuthorizerContext
other.FillAuthzContext(&secondaryCtx)
if rule.ServiceWrite(other.Service, &secondaryCtx) != acl.Allow {
@ -1849,7 +1897,7 @@ func vetDeregisterWithACL(rule acl.Authorizer, subj *structs.DeregisterRequest,
// We don't apply sentinel in this path, since at this time sentinel
// only applies to create and update operations.
var authzContext acl.EnterpriseAuthorizerContext
var authzContext acl.AuthorizerContext
// fill with the defaults for use with the NodeWrite check
subj.FillAuthzContext(&authzContext)
@ -1906,7 +1954,7 @@ func vetNodeTxnOp(op *structs.TxnNodeOp, rule acl.Authorizer) error {
return nil
}
var authzContext acl.EnterpriseAuthorizerContext
var authzContext acl.AuthorizerContext
op.FillAuthzContext(&authzContext)
if rule != nil && rule.NodeWrite(op.Node.Node, &authzContext) != acl.Allow {
@ -1923,7 +1971,7 @@ func vetServiceTxnOp(op *structs.TxnServiceOp, rule acl.Authorizer) error {
return nil
}
var authzContext acl.EnterpriseAuthorizerContext
var authzContext acl.AuthorizerContext
op.FillAuthzContext(&authzContext)
if rule.ServiceWrite(op.Service.Service, &authzContext) != acl.Allow {
@ -1940,7 +1988,7 @@ func vetCheckTxnOp(op *structs.TxnCheckOp, rule acl.Authorizer) error {
return nil
}
var authzContext acl.EnterpriseAuthorizerContext
var authzContext acl.AuthorizerContext
op.FillAuthzContext(&authzContext)
if op.Check.ServiceID == "" {

24
agent/consul/acl_client.go
View File

@ -106,3 +106,27 @@ func (c *Client) ResolveRoleFromID(roleID string) (bool, *structs.ACLRole, error
func (c *Client) ResolveToken(token string) (acl.Authorizer, error) {
return c.acls.ResolveToken(token)
}
func (c *Client) ResolveTokenToIdentityAndAuthorizer(token string) (structs.ACLIdentity, acl.Authorizer, error) {
return c.acls.ResolveTokenToIdentityAndAuthorizer(token)
}
func (c *Client) ResolveTokenAndDefaultMeta(token string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (acl.Authorizer, error) {
identity, authz, err := c.acls.ResolveTokenToIdentityAndAuthorizer(token)
if err != nil {
return nil, err
}
// Default the EnterpriseMeta based on the Tokens meta or actual defaults
// in the case of unknown identity
if identity != nil {
entMeta.Merge(identity.EnterpriseMetadata())
} else {
entMeta.Merge(structs.DefaultEnterpriseMeta())
}
// Use the meta to fill in the ACL authorization context
entMeta.FillAuthzContext(authzContext)
return authz, err
}

186
agent/consul/acl_endpoint.go
View File

@ -205,19 +205,17 @@ func (a *ACL) TokenRead(args *structs.ACLTokenGetRequest, reply *structs.ACLToke
return err
}
var rule acl.Authorizer
var authz acl.Authorizer
if args.TokenIDType == structs.ACLTokenAccessor {
var entCtx acl.EnterpriseAuthorizerContext
args.FillAuthzContext(&entCtx)
var err error
var authzContext acl.AuthorizerContext
// Only ACLRead privileges are required to list tokens
// However if you do not have ACLWrite as well the token
// secrets will be redacted
if rule, err = a.srv.ResolveToken(args.Token); err != nil {
if authz, err = a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
return err
} else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
} else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
}
@ -231,7 +229,7 @@ func (a *ACL) TokenRead(args *structs.ACLTokenGetRequest, reply *structs.ACLToke
if args.TokenIDType == structs.ACLTokenAccessor {
index, token, err = state.ACLTokenGetByAccessor(ws, args.TokenID, &args.EnterpriseMeta)
if token != nil {
a.srv.filterACLWithAuthorizer(rule, &token)
a.srv.filterACLWithAuthorizer(authz, &token)
// token secret was redacted
if token.SecretID == redactedToken {
@ -277,12 +275,11 @@ func (a *ACL) TokenClone(args *structs.ACLTokenSetRequest, reply *structs.ACLTok
defer metrics.MeasureSince([]string{"acl", "token", "clone"}, time.Now())
var entCtx acl.EnterpriseAuthorizerContext
args.ACLToken.FillAuthzContext(&entCtx)
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
var authzContext acl.AuthorizerContext
authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.ACLToken.EnterpriseMeta, &authzContext)
if err != nil {
return err
} else if rule == nil || rule.ACLWrite(&entCtx) != acl.Allow {
} else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
@ -348,11 +345,10 @@ func (a *ACL) TokenSet(args *structs.ACLTokenSetRequest, reply *structs.ACLToken
defer metrics.MeasureSince([]string{"acl", "token", "upsert"}, time.Now())
// Verify token is permitted to modify ACLs
var entCtx acl.EnterpriseAuthorizerContext
args.ACLToken.FillAuthzContext(&entCtx)
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
var authzContext acl.AuthorizerContext
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.ACLToken.EnterpriseMeta, &authzContext); err != nil {
return err
} else if rule == nil || rule.ACLWrite(&entCtx) != acl.Allow {
} else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
@ -737,12 +733,10 @@ func (a *ACL) TokenDelete(args *structs.ACLTokenDeleteRequest, reply *string) er
defer metrics.MeasureSince([]string{"acl", "token", "delete"}, time.Now())
// Verify token is permitted to modify ACLs
var entCtx acl.EnterpriseAuthorizerContext
args.FillAuthzContext(&entCtx)
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
var authzContext acl.AuthorizerContext
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
return err
} else if rule == nil || rule.ACLWrite(&entCtx) != acl.Allow {
} else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
@ -826,13 +820,11 @@ func (a *ACL) TokenList(args *structs.ACLTokenListRequest, reply *structs.ACLTok
return err
}
var entCtx acl.EnterpriseAuthorizerContext
args.FillAuthzContext(&entCtx)
rule, err := a.srv.ResolveToken(args.Token)
var authzContext acl.AuthorizerContext
authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
if err != nil {
return err
} else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
} else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
@ -854,7 +846,7 @@ func (a *ACL) TokenList(args *structs.ACLTokenListRequest, reply *structs.ACLTok
}
// filter down to just the tokens that the requester has permissions to read
if err := a.srv.filterACLWithAuthorizer(rule, &stubs); err != nil {
if err := a.srv.filterACLWithAuthorizer(authz, &stubs); err != nil {
return err
}
@ -876,10 +868,10 @@ func (a *ACL) TokenBatchRead(args *structs.ACLTokenBatchGetRequest, reply *struc
return err
}
rule, err := a.srv.ResolveToken(args.Token)
authz, err := a.srv.ResolveToken(args.Token)
if err != nil {
return err
} else if rule == nil {
} else if authz == nil {
return acl.ErrPermissionDenied
}
@ -901,7 +893,7 @@ func (a *ACL) TokenBatchRead(args *structs.ACLTokenBatchGetRequest, reply *struc
ret := make(structs.ACLTokens, 0, len(tokens))
for _, token := range tokens {
final := token
a.srv.filterACLWithAuthorizer(rule, &final)
a.srv.filterACLWithAuthorizer(authz, &final)
if final != nil {
ret = append(ret, final)
if final.SecretID == redactedToken {
@ -930,12 +922,10 @@ func (a *ACL) PolicyRead(args *structs.ACLPolicyGetRequest, reply *structs.ACLPo
return err
}
var entCtx acl.EnterpriseAuthorizerContext
args.FillAuthzContext(&entCtx)
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
var authzContext acl.AuthorizerContext
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
return err
} else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
} else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
@ -961,10 +951,10 @@ func (a *ACL) PolicyBatchRead(args *structs.ACLPolicyBatchGetRequest, reply *str
return err
}
rule, err := a.srv.ResolveToken(args.Token)
authz, err := a.srv.ResolveToken(args.Token)
if err != nil {
return err
} else if rule == nil {
} else if authz == nil {
return acl.ErrPermissionDenied
}
@ -975,7 +965,7 @@ func (a *ACL) PolicyBatchRead(args *structs.ACLPolicyBatchGetRequest, reply *str
return err
}
a.srv.filterACLWithAuthorizer(rule, &policies)
a.srv.filterACLWithAuthorizer(authz, &policies)
reply.Index, reply.Policies = index, policies
return nil
@ -1002,12 +992,11 @@ func (a *ACL) PolicySet(args *structs.ACLPolicySetRequest, reply *structs.ACLPol
defer metrics.MeasureSince([]string{"acl", "policy", "upsert"}, time.Now())
// Verify token is permitted to modify ACLs
var entCtx acl.EnterpriseAuthorizerContext
args.Policy.FillAuthzContext(&entCtx)
var authzContext acl.AuthorizerContext
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.Policy.EnterpriseMeta, &authzContext); err != nil {
return err
} else if rule == nil || rule.ACLWrite(&entCtx) != acl.Allow {
} else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
@ -1138,12 +1127,11 @@ func (a *ACL) PolicyDelete(args *structs.ACLPolicyDeleteRequest, reply *string)
defer metrics.MeasureSince([]string{"acl", "policy", "delete"}, time.Now())
// Verify token is permitted to modify ACLs
var entCtx acl.EnterpriseAuthorizerContext
args.FillAuthzContext(&entCtx)
var authzContext acl.AuthorizerContext
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
return err
} else if rule == nil || rule.ACLWrite(&entCtx) != acl.Allow {
} else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
@ -1195,13 +1183,12 @@ func (a *ACL) PolicyList(args *structs.ACLPolicyListRequest, reply *structs.ACLP
return err
}
var entCtx acl.EnterpriseAuthorizerContext
args.FillAuthzContext(&entCtx)
var authzContext acl.AuthorizerContext
rule, err := a.srv.ResolveToken(args.Token)
authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
if err != nil {
return err
} else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
} else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
@ -1213,7 +1200,7 @@ func (a *ACL) PolicyList(args *structs.ACLPolicyListRequest, reply *structs.ACLP
}
// filter down to just what the requester has permissions to see
a.srv.filterACLWithAuthorizer(rule, &policies)
a.srv.filterACLWithAuthorizer(authz, &policies)
var stubs structs.ACLPolicyListStubs
for _, policy := range policies {
@ -1351,12 +1338,11 @@ func (a *ACL) RoleRead(args *structs.ACLRoleGetRequest, reply *structs.ACLRoleRe
return err
}
var entCtx acl.EnterpriseAuthorizerContext
args.FillAuthzContext(&entCtx)
var authzContext acl.AuthorizerContext
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
return err
} else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
} else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
@ -1391,10 +1377,10 @@ func (a *ACL) RoleBatchRead(args *structs.ACLRoleBatchGetRequest, reply *structs
return err
}
rule, err := a.srv.ResolveToken(args.Token)
authz, err := a.srv.ResolveToken(args.Token)
if err != nil {
return err
} else if rule == nil {
} else if authz == nil {
return acl.ErrPermissionDenied
}
@ -1405,7 +1391,7 @@ func (a *ACL) RoleBatchRead(args *structs.ACLRoleBatchGetRequest, reply *structs
return err
}
a.srv.filterACLWithAuthorizer(rule, &roles)
a.srv.filterACLWithAuthorizer(authz, &roles)
reply.Index, reply.Roles = index, roles
return nil
@ -1432,12 +1418,11 @@ func (a *ACL) RoleSet(args *structs.ACLRoleSetRequest, reply *structs.ACLRole) e
defer metrics.MeasureSince([]string{"acl", "role", "upsert"}, time.Now())
// Verify token is permitted to modify ACLs
var entCtx acl.EnterpriseAuthorizerContext
args.Role.FillAuthzContext(&entCtx)
var authzContext acl.AuthorizerContext
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.Role.EnterpriseMeta, &authzContext); err != nil {
return err
} else if rule == nil || rule.ACLWrite(&entCtx) != acl.Allow {
} else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
@ -1582,12 +1567,11 @@ func (a *ACL) RoleDelete(args *structs.ACLRoleDeleteRequest, reply *string) erro
defer metrics.MeasureSince([]string{"acl", "role", "delete"}, time.Now())
// Verify token is permitted to modify ACLs
var entCtx acl.EnterpriseAuthorizerContext
args.FillAuthzContext(&entCtx)
var authzContext acl.AuthorizerContext
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
return err
} else if rule == nil || rule.ACLWrite(&entCtx) != acl.Allow {
} else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
@ -1635,13 +1619,12 @@ func (a *ACL) RoleList(args *structs.ACLRoleListRequest, reply *structs.ACLRoleL
return err
}
var entCtx acl.EnterpriseAuthorizerContext
args.FillAuthzContext(&entCtx)
var authzContext acl.AuthorizerContext
rule, err := a.srv.ResolveToken(args.Token)
authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
if err != nil {
return err
} else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
} else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
@ -1652,7 +1635,7 @@ func (a *ACL) RoleList(args *structs.ACLRoleListRequest, reply *structs.ACLRoleL
return err
}
a.srv.filterACLWithAuthorizer(rule, &roles)
a.srv.filterACLWithAuthorizer(authz, &roles)
reply.Index, reply.Roles = index, roles
return nil
@ -1721,13 +1704,12 @@ func (a *ACL) BindingRuleRead(args *structs.ACLBindingRuleGetRequest, reply *str
return err
}
var entCtx acl.EnterpriseAuthorizerContext
args.FillAuthzContext(&entCtx)
var authzContext acl.AuthorizerContext
rule, err := a.srv.ResolveToken(args.Token)
authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
if err != nil {
return err
} else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
} else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
@ -1763,13 +1745,12 @@ func (a *ACL) BindingRuleSet(args *structs.ACLBindingRuleSetRequest, reply *stru
defer metrics.MeasureSince([]string{"acl", "bindingrule", "upsert"}, time.Now())
var entCtx acl.EnterpriseAuthorizerContext
args.BindingRule.FillAuthzContext(&entCtx)
var authzContext acl.AuthorizerContext
// Verify token is permitted to modify ACLs
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.BindingRule.EnterpriseMeta, &authzContext); err != nil {
return err
} else if rule == nil || rule.ACLWrite(&entCtx) != acl.Allow {
} else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
@ -1792,6 +1773,7 @@ func (a *ACL) BindingRuleSet(args *structs.ACLBindingRuleSetRequest, reply *stru
// Verify the role exists
var err error
// specifically disregarding the enterprise meta here
_, existing, err = state.ACLBindingRuleGetByID(nil, rule.ID, nil)
if err != nil {
return fmt.Errorf("acl binding rule lookup failed: %v", err)
@ -1894,13 +1876,12 @@ func (a *ACL) BindingRuleDelete(args *structs.ACLBindingRuleDeleteRequest, reply
defer metrics.MeasureSince([]string{"acl", "bindingrule", "delete"}, time.Now())
var entCtx acl.EnterpriseAuthorizerContext
args.FillAuthzContext(&entCtx)
var authzContext acl.AuthorizerContext
// Verify token is permitted to modify ACLs
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
return err
} else if rule == nil || rule.ACLWrite(&entCtx) != acl.Allow {
} else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
@ -1948,13 +1929,12 @@ func (a *ACL) BindingRuleList(args *structs.ACLBindingRuleListRequest, reply *st
return err
}
var entCtx acl.EnterpriseAuthorizerContext
args.FillAuthzContext(&entCtx)
var authzContext acl.AuthorizerContext
rule, err := a.srv.ResolveToken(args.Token)
authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
if err != nil {
return err
} else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
} else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
@ -1965,7 +1945,7 @@ func (a *ACL) BindingRuleList(args *structs.ACLBindingRuleListRequest, reply *st
return err
}
a.srv.filterACLWithAuthorizer(rule, &rules)
a.srv.filterACLWithAuthorizer(authz, &rules)
reply.Index, reply.BindingRules = index, rules
return nil
@ -1989,12 +1969,11 @@ func (a *ACL) AuthMethodRead(args *structs.ACLAuthMethodGetRequest, reply *struc
return err
}
var entCtx acl.EnterpriseAuthorizerContext
args.FillAuthzContext(&entCtx)
var authzContext acl.AuthorizerContext
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
return err
} else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
} else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
@ -2031,12 +2010,11 @@ func (a *ACL) AuthMethodSet(args *structs.ACLAuthMethodSetRequest, reply *struct
defer metrics.MeasureSince([]string{"acl", "authmethod", "upsert"}, time.Now())
// Verify token is permitted to modify ACLs
var entCtx acl.EnterpriseAuthorizerContext
args.AuthMethod.FillAuthzContext(&entCtx)
var authzContext acl.AuthorizerContext
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.AuthMethod.EnterpriseMeta, &authzContext); err != nil {
return err
} else if rule == nil || rule.ACLWrite(&entCtx) != acl.Allow {
} else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
@ -2119,12 +2097,11 @@ func (a *ACL) AuthMethodDelete(args *structs.ACLAuthMethodDeleteRequest, reply *
defer metrics.MeasureSince([]string{"acl", "authmethod", "delete"}, time.Now())
// Verify token is permitted to modify ACLs
var entCtx acl.EnterpriseAuthorizerContext
args.FillAuthzContext(&entCtx)
var authzContext acl.AuthorizerContext
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
return err
} else if rule == nil || rule.ACLWrite(&entCtx) != acl.Allow {
} else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
@ -2173,13 +2150,12 @@ func (a *ACL) AuthMethodList(args *structs.ACLAuthMethodListRequest, reply *stru
return err
}
var entCtx acl.EnterpriseAuthorizerContext
args.FillAuthzContext(&entCtx)
var authzContext acl.AuthorizerContext
rule, err := a.srv.ResolveToken(args.Token)
authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
if err != nil {
return err
} else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
} else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
@ -2190,7 +2166,7 @@ func (a *ACL) AuthMethodList(args *structs.ACLAuthMethodListRequest, reply *stru
return err
}
a.srv.filterACLWithAuthorizer(rule, &methods)
a.srv.filterACLWithAuthorizer(authz, &methods)
var stubs structs.ACLAuthMethodListStubs
for _, method := range methods {

1
agent/consul/acl_endpoint_test.go
View File

@ -2070,6 +2070,7 @@ func TestACLEndpoint_TokenList(t *testing.T) {
defer codec.Close()
testrpc.WaitForLeader(t, s1.RPC, "dc1")
waitForLeaderEstablishment(t, s1)
acl := ACL{srv: s1}

2
agent/consul/acl_oss.go
View File

@ -16,7 +16,7 @@ func (s *Server) replicationEnterpriseMeta() *structs.EnterpriseMeta {
return structs.ReplicationEnterpriseMeta()
}
func newEnterpriseACLConfig(*log.Logger) *acl.EnterpriseACLConfig {
func newEnterpriseACLConfig(*log.Logger) *acl.Config {
return nil
}

24
agent/consul/acl_server.go
View File

@ -213,6 +213,30 @@ func (s *Server) ResolveToken(token string) (acl.Authorizer, error) {
return s.acls.ResolveToken(token)
}
func (s *Server) ResolveTokenToIdentityAndAuthorizer(token string) (structs.ACLIdentity, acl.Authorizer, error) {
return s.acls.ResolveTokenToIdentityAndAuthorizer(token)
}
func (s *Server) ResolveTokenAndDefaultMeta(token string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (acl.Authorizer, error) {
identity, authz, err := s.acls.ResolveTokenToIdentityAndAuthorizer(token)
if err != nil {
return nil, err
}
// Default the EnterpriseMeta based on the Tokens meta or actual defaults
// in the case of unknown identity
if identity != nil {
entMeta.Merge(identity.EnterpriseMetadata())
} else {
entMeta.Merge(structs.DefaultEnterpriseMeta())
}
// Use the meta to fill in the ACL authorization context
entMeta.FillAuthzContext(authzContext)
return authz, err
}
func (s *Server) filterACL(token string, subj interface{}) error {
return s.acls.filterACL(token, subj)
}

119
agent/consul/catalog_endpoint.go
View File

@ -35,7 +35,7 @@ func nodePreApply(nodeName, nodeID string) error {
return nil
}
func servicePreApply(service *structs.NodeService, rule acl.Authorizer) error {
func servicePreApply(service *structs.NodeService, authz acl.Authorizer) error {
// Validate the service. This is in addition to the below since
// the above just hasn't been moved over yet. We should move it over
// in time.
@ -59,7 +59,7 @@ func servicePreApply(service *structs.NodeService, rule acl.Authorizer) error {
return fmt.Errorf("Invalid service address")
}
var authzContext acl.EnterpriseAuthorizerContext
var authzContext acl.AuthorizerContext
service.FillAuthzContext(&authzContext)
// Apply the ACL policy if any. The 'consul' service is excluded
@ -68,14 +68,14 @@ func servicePreApply(service *structs.NodeService, rule acl.Authorizer) error {
// later if version 0.8 is enabled, so we can eventually just
// delete this and do all the ACL checks down there.
if service.Service != structs.ConsulServiceName {
if rule != nil && rule.ServiceWrite(service.Service, &authzContext) != acl.Allow {
if authz != nil && authz.ServiceWrite(service.Service, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
}
// Proxies must have write permission on their destination
if service.Kind == structs.ServiceKindConnectProxy {
if rule != nil && rule.ServiceWrite(service.Proxy.DestinationServiceName, &authzContext) != acl.Allow {
if authz != nil && authz.ServiceWrite(service.Proxy.DestinationServiceName, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
}
@ -92,17 +92,25 @@ func checkPreApply(check *structs.HealthCheck) {
// Register is used register that a node is providing a given service.
func (c *Catalog) Register(args *structs.RegisterRequest, reply *struct{}) error {
if err := c.srv.validateEnterpriseRequest(args.GetEnterpriseMeta(), true); err != nil {
return err
}
if done, err := c.srv.forward("Catalog.Register", args, args, reply); done {
return err
}
defer metrics.MeasureSince([]string{"catalog", "register"}, time.Now())
// Fetch the ACL token, if any.
rule, err := c.srv.ResolveToken(args.Token)
authz, err := c.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, nil)
if err != nil {
return err
}
if err := c.srv.validateEnterpriseRequest(args.GetEnterpriseMeta(), true); err != nil {
return err
}
// This needs to happen before the other preapply checks as it will fixup some of the
// internal enterprise metas on the services and checks
state := c.srv.fsm.State()
entMeta, err := state.ValidateRegisterRequest(args)
if err != nil {
return err
}
@ -117,7 +125,7 @@ func (c *Catalog) Register(args *structs.RegisterRequest, reply *struct{}) error
// Handle a service registration.
if args.Service != nil {
if err := servicePreApply(args.Service, rule); err != nil {
if err := servicePreApply(args.Service, authz); err != nil {
return err
}
}
@ -141,20 +149,14 @@ func (c *Catalog) Register(args *structs.RegisterRequest, reply *struct{}) error
}
}
state := c.srv.fsm.State()
entMeta, err := state.ValidateRegisterRequest(args)
if err != nil {
return err
}
// Check the complete register request against the given ACL policy.
if rule != nil && c.srv.config.ACLEnforceVersion8 {
if authz != nil && c.srv.config.ACLEnforceVersion8 {
state := c.srv.fsm.State()
_, ns, err := state.NodeServices(nil, args.Node, entMeta)
if err != nil {
return fmt.Errorf("Node lookup failed: %v", err)
}
if err := vetRegisterWithACL(rule, args, ns); err != nil {
if err := vetRegisterWithACL(authz, args, ns); err != nil {
return err
}
}
@ -171,10 +173,6 @@ func (c *Catalog) Register(args *structs.RegisterRequest, reply *struct{}) error
// Deregister is used to remove a service registration for a given node.
func (c *Catalog) Deregister(args *structs.DeregisterRequest, reply *struct{}) error {
if err := c.srv.validateEnterpriseRequest(&args.EnterpriseMeta, true); err != nil {
return err
}
if done, err := c.srv.forward("Catalog.Deregister", args, args, reply); done {
return err
}
@ -186,13 +184,17 @@ func (c *Catalog) Deregister(args *structs.DeregisterRequest, reply *struct{}) e
}
// Fetch the ACL token, if any.
rule, err := c.srv.ResolveToken(args.Token)
authz, err := c.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, nil)
if err != nil {
return err
}
if err := c.srv.validateEnterpriseRequest(&args.EnterpriseMeta, true); err != nil {
return err
}
// Check the complete deregister request against the given ACL policy.
if rule != nil && c.srv.config.ACLEnforceVersion8 {
if authz != nil && c.srv.config.ACLEnforceVersion8 {
state := c.srv.fsm.State()
var ns *structs.NodeService
@ -211,7 +213,7 @@ func (c *Catalog) Deregister(args *structs.DeregisterRequest, reply *struct{}) e
}
}
if err := vetDeregisterWithACL(rule, args, ns, nc); err != nil {
if err := vetDeregisterWithACL(authz, args, ns, nc); err != nil {
return err
}
@ -282,16 +284,21 @@ func (c *Catalog) ListNodes(args *structs.DCSpecificRequest, reply *structs.Inde
// ListServices is used to query the services in a DC
func (c *Catalog) ListServices(args *structs.DCSpecificRequest, reply *structs.IndexedServices) error {
if err := c.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
if done, err := c.srv.forward("Catalog.ListServices", args, args, reply); done {
return err
}
(*reply).EnterpriseMeta = args.EnterpriseMeta
authz, err := c.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, nil)
if err != nil {
return err
}
if err := c.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
return c.srv.blockingQuery(
&args.QueryOptions,
&reply.QueryMeta,
@ -308,17 +315,13 @@ func (c *Catalog) ListServices(args *structs.DCSpecificRequest, reply *structs.I
return err
}
reply.Index, reply.Services = index, services
return c.srv.filterACL(args.Token, reply)
reply.Index, reply.Services, reply.EnterpriseMeta = index, services, args.EnterpriseMeta
return c.srv.filterACLWithAuthorizer(authz, reply)
})
}
// ServiceNodes returns all the nodes registered as part of a service
func (c *Catalog) ServiceNodes(args *structs.ServiceSpecificRequest, reply *structs.IndexedServiceNodes) error {
if err := c.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
if done, err := c.srv.forward("Catalog.ServiceNodes", args, args, reply); done {
return err
}
@ -359,18 +362,20 @@ func (c *Catalog) ServiceNodes(args *structs.ServiceSpecificRequest, reply *stru
}
}
var authzContext acl.EnterpriseAuthorizerContext
args.FillAuthzContext(&authzContext)
var authzContext acl.AuthorizerContext
authz, err := c.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
if err != nil {
return err
}
if err := c.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
// If we're doing a connect query, we need read access to the service
// we're trying to find proxies for, so check that.
if args.Connect {
// Fetch the ACL token, if any.
rule, err := c.srv.ResolveToken(args.Token)
if err != nil {
return err
}
if rule != nil && rule.ServiceRead(args.ServiceName, &authzContext) != acl.Allow {
if authz != nil && authz.ServiceRead(args.ServiceName, &authzContext) != acl.Allow {
// Just return nil, which will return an empty response (tested)
return nil
}
@ -455,10 +460,6 @@ func (c *Catalog) ServiceNodes(args *structs.ServiceSpecificRequest, reply *stru
// NodeServices returns all the services registered as part of a node
func (c *Catalog) NodeServices(args *structs.NodeSpecificRequest, reply *structs.IndexedNodeServices) error {
if err := c.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
if done, err := c.srv.forward("Catalog.NodeServices", args, args, reply); done {
return err
}
@ -474,6 +475,15 @@ func (c *Catalog) NodeServices(args *structs.NodeSpecificRequest, reply *structs
return err
}
_, err = c.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, nil)
if err != nil {
return err
}
if err := c.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
return c.srv.blockingQuery(
&args.QueryOptions,
&reply.QueryMeta,
@ -501,10 +511,6 @@ func (c *Catalog) NodeServices(args *structs.NodeSpecificRequest, reply *structs
}
func (c *Catalog) NodeServiceList(args *structs.NodeSpecificRequest, reply *structs.IndexedNodeServiceList) error {
if err := c.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
if done, err := c.srv.forward("Catalog.NodeServiceList", args, args, reply); done {
return err
}
@ -520,6 +526,15 @@ func (c *Catalog) NodeServiceList(args *structs.NodeSpecificRequest, reply *stru
return err
}
_, err = c.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, nil)
if err != nil {
return err
}
if err := c.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
return c.srv.blockingQuery(
&args.QueryOptions,
&reply.QueryMeta,

2
agent/consul/filter.go
View File

@ -14,7 +14,7 @@ func (d *dirEntFilter) Len() int {
return len(d.ent)
}
func (d *dirEntFilter) Filter(i int) bool {
var entCtx acl.EnterpriseAuthorizerContext
var entCtx acl.AuthorizerContext
d.ent[i].FillAuthzContext(&entCtx)
return d.authorizer.KeyRead(d.ent[i].Key, &entCtx) != acl.Allow

61
agent/consul/health_endpoint.go
View File

@ -20,10 +20,6 @@ type Health struct {
// ChecksInState is used to get all the checks in a given state
func (h *Health) ChecksInState(args *structs.ChecksInStateRequest,
reply *structs.IndexedHealthChecks) error {
if err := h.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
if done, err := h.srv.forward("Health.ChecksInState", args, args, reply); done {
return err
}
@ -33,6 +29,15 @@ func (h *Health) ChecksInState(args *structs.ChecksInStateRequest,
return err
}
_, err = h.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, nil)
if err != nil {
return err
}
if err := h.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
return h.srv.blockingQuery(
&args.QueryOptions,
&reply.QueryMeta,
@ -66,10 +71,6 @@ func (h *Health) ChecksInState(args *structs.ChecksInStateRequest,
// NodeChecks is used to get all the checks for a node
func (h *Health) NodeChecks(args *structs.NodeSpecificRequest,
reply *structs.IndexedHealthChecks) error {
if err := h.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
if done, err := h.srv.forward("Health.NodeChecks", args, args, reply); done {
return err
}
@ -79,6 +80,15 @@ func (h *Health) NodeChecks(args *structs.NodeSpecificRequest,
return err
}
_, err = h.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, nil)
if err != nil {
return err
}
if err := h.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
return h.srv.blockingQuery(
&args.QueryOptions,
&reply.QueryMeta,
@ -105,10 +115,6 @@ func (h *Health) NodeChecks(args *structs.NodeSpecificRequest,
func (h *Health) ServiceChecks(args *structs.ServiceSpecificRequest,
reply *structs.IndexedHealthChecks) error {
if err := h.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
// Reject if tag filtering is on
if args.TagFilter {
return fmt.Errorf("Tag filtering is not supported")
@ -124,6 +130,15 @@ func (h *Health) ServiceChecks(args *structs.ServiceSpecificRequest,
return err
}
_, err = h.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, nil)
if err != nil {
return err
}
if err := h.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
return h.srv.blockingQuery(
&args.QueryOptions,
&reply.QueryMeta,
@ -156,10 +171,6 @@ func (h *Health) ServiceChecks(args *structs.ServiceSpecificRequest,
// ServiceNodes returns all the nodes registered as part of a service including health info
func (h *Health) ServiceNodes(args *structs.ServiceSpecificRequest, reply *structs.IndexedCheckServiceNodes) error {
if err := h.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
if done, err := h.srv.forward("Health.ServiceNodes", args, args, reply); done {
return err
}
@ -180,16 +191,20 @@ func (h *Health) ServiceNodes(args *structs.ServiceSpecificRequest, reply *struc
f = h.serviceNodesDefault
}
var authzContext acl.AuthorizerContext
authz, err := h.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
if err != nil {
return err
}
if err := h.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
// If we're doing a connect query, we need read access to the service
// we're trying to find proxies for, so check that.
if args.Connect {
// Fetch the ACL token, if any.
rule, err := h.srv.ResolveToken(args.Token)
if err != nil {
return err
}
if rule != nil && rule.ServiceRead(args.ServiceName, nil) != acl.Allow {
if authz != nil && authz.ServiceRead(args.ServiceName, &authzContext) != acl.Allow {
// Just return nil, which will return an empty response (tested)
return nil
}

82
agent/consul/kvs_endpoint.go
View File

@ -21,20 +21,20 @@ type KVS struct {
// preApply does all the verification of a KVS update that is performed BEFORE
// we submit as a Raft log entry. This includes enforcing the lock delay which
// must only be done on the leader.
func kvsPreApply(srv *Server, rule acl.Authorizer, op api.KVOp, dirEnt *structs.DirEntry) (bool, error) {
func kvsPreApply(srv *Server, authz acl.Authorizer, op api.KVOp, dirEnt *structs.DirEntry) (bool, error) {
// Verify the entry.
if dirEnt.Key == "" && op != api.KVDeleteTree {
return false, fmt.Errorf("Must provide key")
}
// Apply the ACL policy if any.
if rule != nil {
if authz != nil {
switch op {
case api.KVDeleteTree:
var authzContext acl.EnterpriseAuthorizerContext
var authzContext acl.AuthorizerContext
dirEnt.FillAuthzContext(&authzContext)
if rule.KeyWritePrefix(dirEnt.Key, &authzContext) != acl.Allow {
if authz.KeyWritePrefix(dirEnt.Key, &authzContext) != acl.Allow {
return false, acl.ErrPermissionDenied
}
@ -45,18 +45,18 @@ func kvsPreApply(srv *Server, rule acl.Authorizer, op api.KVOp, dirEnt *structs.
// These could reveal information based on the outcome
// of the transaction, and they operate on individual
// keys so we check them here.
var authzContext acl.EnterpriseAuthorizerContext
var authzContext acl.AuthorizerContext
dirEnt.FillAuthzContext(&authzContext)
if rule.KeyRead(dirEnt.Key, &authzContext) != acl.Allow {
if authz.KeyRead(dirEnt.Key, &authzContext) != acl.Allow {
return false, acl.ErrPermissionDenied
}
default:
var authzContext acl.EnterpriseAuthorizerContext
var authzContext acl.AuthorizerContext
dirEnt.FillAuthzContext(&authzContext)
if rule.KeyWrite(dirEnt.Key, &authzContext) != acl.Allow {
if authz.KeyWrite(dirEnt.Key, &authzContext) != acl.Allow {
return false, acl.ErrPermissionDenied
}
}
@ -88,16 +88,17 @@ func (k *KVS) Apply(args *structs.KVSRequest, reply *bool) error {
}
defer metrics.MeasureSince([]string{"kvs", "apply"}, time.Now())
// Perform the pre-apply checks.
authz, err := k.srv.ResolveTokenAndDefaultMeta(args.Token, &args.DirEnt.EnterpriseMeta, nil)
if err != nil {
return err
}
if err := k.srv.validateEnterpriseRequest(&args.DirEnt.EnterpriseMeta, true); err != nil {
return err
}
// Perform the pre-apply checks.
rule, err := k.srv.ResolveToken(args.Token)
if err != nil {
return err
}
ok, err := kvsPreApply(k.srv, rule, args.Op, &args.DirEnt)
ok, err := kvsPreApply(k.srv, authz, args.Op, &args.DirEnt)
if err != nil {
return err
}
@ -128,15 +129,14 @@ func (k *KVS) Get(args *structs.KeyRequest, reply *structs.IndexedDirEntries) er
if done, err := k.srv.forward("KVS.Get", args, args, reply); done {
return err
}
if err := k.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
var authzContext acl.AuthorizerContext
authz, err := k.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
if err != nil {
return err
}
var entCtx acl.EnterpriseAuthorizerContext
args.FillAuthzContext(&entCtx)
rule, err := k.srv.ResolveToken(args.Token)
if err != nil {
if err := k.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
@ -148,7 +148,7 @@ func (k *KVS) Get(args *structs.KeyRequest, reply *structs.IndexedDirEntries) er
if err != nil {
return err
}
if rule != nil && rule.KeyRead(args.Key, &entCtx) != acl.Allow {
if authz != nil && authz.KeyRead(args.Key, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
@ -174,18 +174,18 @@ func (k *KVS) List(args *structs.KeyRequest, reply *structs.IndexedDirEntries) e
if done, err := k.srv.forward("KVS.List", args, args, reply); done {
return err
}
var authzContext acl.AuthorizerContext
authz, err := k.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
if err != nil {
return err
}
if err := k.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
var entCtx acl.EnterpriseAuthorizerContext
args.FillAuthzContext(&entCtx)
rule, err := k.srv.ResolveToken(args.Token)
if err != nil {
return err
}
if rule != nil && k.srv.config.ACLEnableKeyListPolicy && rule.KeyList(args.Key, &entCtx) != acl.Allow {
if authz != nil && k.srv.config.ACLEnableKeyListPolicy && authz.KeyList(args.Key, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
@ -197,8 +197,8 @@ func (k *KVS) List(args *structs.KeyRequest, reply *structs.IndexedDirEntries) e
if err != nil {
return err
}
if rule != nil {
ent = FilterDirEnt(rule, ent)
if authz != nil {
ent = FilterDirEnt(authz, ent)
}
if len(ent) == 0 {
@ -226,18 +226,18 @@ func (k *KVS) ListKeys(args *structs.KeyListRequest, reply *structs.IndexedKeyLi
if done, err := k.srv.forward("KVS.ListKeys", args, args, reply); done {
return err
}
var authzContext acl.AuthorizerContext
authz, err := k.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
if err != nil {
return err
}
if err := k.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
var entCtx acl.EnterpriseAuthorizerContext
args.FillAuthzContext(&entCtx)
rule, err := k.srv.ResolveToken(args.Token)
if err != nil {
return err
}
if rule != nil && k.srv.config.ACLEnableKeyListPolicy && rule.KeyList(args.Prefix, &entCtx) != acl.Allow {
if authz != nil && k.srv.config.ACLEnableKeyListPolicy && authz.KeyList(args.Prefix, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
@ -258,8 +258,8 @@ func (k *KVS) ListKeys(args *structs.KeyListRequest, reply *structs.IndexedKeyLi
reply.Index = index
}
if rule != nil {
entries = FilterDirEnt(rule, entries)
if authz != nil {
entries = FilterDirEnt(authz, entries)
}
// Collect the keys from the filtered entries

2
agent/consul/server.go
View File

@ -110,7 +110,7 @@ var (
type Server struct {
// enterpriseACLConfig is the Consul Enterprise specific items
// necessary for ACLs
enterpriseACLConfig *acl.EnterpriseACLConfig
enterpriseACLConfig *acl.Config
// acls is used to resolve tokens to effective policies
acls *ACLResolver

15
agent/consul/server_test.go
View File

@ -41,6 +41,21 @@ func uniqueNodeName(name string) string {
return fmt.Sprintf("%s-node-%d", name, atomic.AddInt64(&id, 1))
}
// This will find the leader of a list of servers and verify that leader establishment has completed
func waitForLeaderEstablishment(t *testing.T, servers ...*Server) {
t.Helper()
retry.Run(t, func(r *retry.R) {
hasLeader := false
for _, srv := range servers {
if srv.IsLeader() {
hasLeader = true
require.True(r, srv.isReadyForConsistentReads(), "Leader %s hasn't finished establishing leadership yet", srv.config.NodeName)
}
}
require.True(r, hasLeader, "Cluster has not elected a leader yet")
})
}
func testServerConfig(t *testing.T) (string, *Config) {
dir := testutil.TempDir(t, "consul")
config := DefaultConfig()

82
agent/consul/session_endpoint.go
View File

@ -25,10 +25,6 @@ func (s *Session) Apply(args *structs.SessionRequest, reply *string) error {
}
defer metrics.MeasureSince([]string{"session", "apply"}, time.Now())
if err := s.srv.validateEnterpriseRequest(&args.Session.EnterpriseMeta, true); err != nil {
return err
}
// Verify the args
if args.Session.ID == "" && args.Op == structs.SessionDestroy {
return fmt.Errorf("Must provide ID")
@ -37,20 +33,21 @@ func (s *Session) Apply(args *structs.SessionRequest, reply *string) error {
return fmt.Errorf("Must provide Node")
}
// TODO (namespaces) (acls) infer entmeta if not provided.
// The entMeta to populate is the one in the Session struct, not SessionRequest
// This is because the Session is what is passed to downstream functions like raftApply
var entCtx acl.EnterpriseAuthorizerContext
args.Session.FillAuthzContext(&entCtx)
var authzContext acl.AuthorizerContext
// Fetch the ACL token, if any, and apply the policy.
rule, err := s.srv.ResolveToken(args.Token)
authz, err := s.srv.ResolveTokenAndDefaultMeta(args.Token, &args.Session.EnterpriseMeta, &authzContext)
if err != nil {
return err
}
if rule != nil && s.srv.config.ACLEnforceVersion8 {
if err := s.srv.validateEnterpriseRequest(&args.Session.EnterpriseMeta, true); err != nil {
return err
}
if authz != nil && s.srv.config.ACLEnforceVersion8 {
switch args.Op {
case structs.SessionDestroy:
state := s.srv.fsm.State()
@ -61,12 +58,12 @@ func (s *Session) Apply(args *structs.SessionRequest, reply *string) error {
if existing == nil {
return fmt.Errorf("Unknown session %q", args.Session.ID)
}
if rule.SessionWrite(existing.Node, &entCtx) != acl.Allow {
if authz.SessionWrite(existing.Node, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
case structs.SessionCreate:
if rule.SessionWrite(args.Session.Node, &entCtx) != acl.Allow {
if authz.SessionWrite(args.Session.Node, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
@ -157,16 +154,13 @@ func (s *Session) Get(args *structs.SessionSpecificRequest,
return err
}
if err := s.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
var authzContext acl.AuthorizerContext
authz, err := s.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
if err != nil {
return err
}
// TODO (namespaces) TODO (acls) infer args.entmeta if not provided
var entCtx acl.EnterpriseAuthorizerContext
args.FillAuthzContext(&entCtx)
rule, err := s.srv.ResolveToken(args.Token)
if err != nil {
if err := s.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
@ -185,7 +179,7 @@ func (s *Session) Get(args *structs.SessionSpecificRequest,
} else {
reply.Sessions = nil
}
if err := s.srv.filterACLWithAuthorizer(rule, reply); err != nil {
if err := s.srv.filterACLWithAuthorizer(authz, reply); err != nil {
return err
}
return nil
@ -199,16 +193,13 @@ func (s *Session) List(args *structs.SessionSpecificRequest,
return err
}
if err := s.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
var authzContext acl.AuthorizerContext
authz, err := s.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
if err != nil {
return err
}
// TODO (namespaces) TODO (acls) infer args.entmeta if not provided
var entCtx acl.EnterpriseAuthorizerContext
args.FillAuthzContext(&entCtx)
rule, err := s.srv.ResolveToken(args.Token)
if err != nil {
if err := s.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
@ -222,7 +213,7 @@ func (s *Session) List(args *structs.SessionSpecificRequest,
}
reply.Index, reply.Sessions = index, sessions
if err := s.srv.filterACLWithAuthorizer(rule, reply); err != nil {
if err := s.srv.filterACLWithAuthorizer(authz, reply); err != nil {
return err
}
return nil
@ -236,16 +227,13 @@ func (s *Session) NodeSessions(args *structs.NodeSpecificRequest,
return err
}
if err := s.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
var authzContext acl.AuthorizerContext
authz, err := s.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
if err != nil {
return err
}
// TODO (namespaces) TODO (acls) infer args.entmeta if not provided
var entCtx acl.EnterpriseAuthorizerContext
args.FillAuthzContext(&entCtx)
rule, err := s.srv.ResolveToken(args.Token)
if err != nil {
if err := s.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
@ -259,7 +247,7 @@ func (s *Session) NodeSessions(args *structs.NodeSpecificRequest,
}
reply.Index, reply.Sessions = index, sessions
if err := s.srv.filterACLWithAuthorizer(rule, reply); err != nil {
if err := s.srv.filterACLWithAuthorizer(authz, reply); err != nil {
return err
}
return nil
@ -274,6 +262,13 @@ func (s *Session) Renew(args *structs.SessionSpecificRequest,
}
defer metrics.MeasureSince([]string{"session", "renew"}, time.Now())
// Fetch the ACL token, if any, and apply the policy.
var authzContext acl.AuthorizerContext
authz, err := s.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
if err != nil {
return err
}
if err := s.srv.validateEnterpriseRequest(&args.EnterpriseMeta, true); err != nil {
return err
}
@ -290,19 +285,8 @@ func (s *Session) Renew(args *structs.SessionSpecificRequest,
return nil
}
// TODO (namespaces) (freddy):infer args.entmeta if not provided
// Fetch the ACL token, if any, and apply the policy.
var entCtx acl.EnterpriseAuthorizerContext
args.FillAuthzContext(&entCtx)
rule, err := s.srv.ResolveToken(args.Token)
if err != nil {
return err
}
if rule != nil && s.srv.config.ACLEnforceVersion8 {
if rule.SessionWrite(session.Node, &entCtx) != acl.Allow {
return acl.ErrPermissionDenied
}
if authz != nil && s.srv.config.ACLEnforceVersion8 && authz.SessionWrite(session.Node, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
// Reset the session TTL timer.

8
agent/structs/acl.go
View File

@ -696,7 +696,7 @@ func (policies ACLPolicyListStubs) Sort() {
})
}
func (policies ACLPolicies) resolveWithCache(cache *ACLCaches, entConf *acl.EnterpriseACLConfig) ([]*acl.Policy, error) {
func (policies ACLPolicies) resolveWithCache(cache *ACLCaches, entConf *acl.Config) ([]*acl.Policy, error) {
// Parse the policies
parsed := make([]*acl.Policy, 0, len(policies))
for _, policy := range policies {
@ -721,7 +721,7 @@ func (policies ACLPolicies) resolveWithCache(cache *ACLCaches, entConf *acl.Ente
return parsed, nil
}
func (policies ACLPolicies) Compile(cache *ACLCaches, entConf *acl.EnterpriseACLConfig) (acl.Authorizer, error) {
func (policies ACLPolicies) Compile(cache *ACLCaches, entConf *acl.Config) (acl.Authorizer, error) {
// Determine the cache key
cacheKey := policies.HashKey()
entry := cache.GetAuthorizer(cacheKey)
@ -746,7 +746,7 @@ func (policies ACLPolicies) Compile(cache *ACLCaches, entConf *acl.EnterpriseACL
return authorizer, nil
}
func (policies ACLPolicies) Merge(cache *ACLCaches, entConf *acl.EnterpriseACLConfig) (*acl.Policy, error) {
func (policies ACLPolicies) Merge(cache *ACLCaches, entConf *acl.Config) (*acl.Policy, error) {
parsed, err := policies.resolveWithCache(cache, entConf)
if err != nil {
return nil, err
@ -1590,7 +1590,7 @@ func (r *RemoteACLAuthorizationRequest) RequestDatacenter() string {
func CreateACLAuthorizationResponses(authz acl.Authorizer, requests []ACLAuthorizationRequest) ([]ACLAuthorizationResponse, error) {
responses := make([]ACLAuthorizationResponse, len(requests))
var ctx acl.EnterpriseAuthorizerContext
var ctx acl.AuthorizerContext
for idx, req := range requests {
req.FillAuthzContext(&ctx)

16
agent/structs/structs_oss.go
View File

@ -21,6 +21,10 @@ func (m *EnterpriseMeta) addToHash(_ hash.Hash, _ bool) {
// do nothing
}
func (m *EnterpriseMeta) Merge(_ *EnterpriseMeta) {
// do nothing
}
func (m *EnterpriseMeta) Matches(_ *EnterpriseMeta) bool {
return true
}
@ -49,28 +53,28 @@ func WildcardEnterpriseMeta() *EnterpriseMeta {
}
// FillAuthzContext stub
func (_ *EnterpriseMeta) FillAuthzContext(_ *acl.EnterpriseAuthorizerContext) {}
func (_ *EnterpriseMeta) FillAuthzContext(_ *acl.AuthorizerContext) {}
func (_ *EnterpriseMeta) Normalize() {}
// FillAuthzContext stub
func (_ *DirEntry) FillAuthzContext(_ *acl.EnterpriseAuthorizerContext) {}
func (_ *DirEntry) FillAuthzContext(_ *acl.AuthorizerContext) {}
// FillAuthzContext stub
func (_ *RegisterRequest) FillAuthzContext(_ *acl.EnterpriseAuthorizerContext) {}
func (_ *RegisterRequest) FillAuthzContext(_ *acl.AuthorizerContext) {}
func (_ *RegisterRequest) GetEnterpriseMeta() *EnterpriseMeta {
return nil
}
// OSS Stub
func (op *TxnNodeOp) FillAuthzContext(ctx *acl.EnterpriseAuthorizerContext) {}
func (op *TxnNodeOp) FillAuthzContext(ctx *acl.AuthorizerContext) {}
// OSS Stub
func (_ *TxnServiceOp) FillAuthzContext(_ *acl.EnterpriseAuthorizerContext) {}
func (_ *TxnServiceOp) FillAuthzContext(_ *acl.AuthorizerContext) {}
// OSS Stub
func (_ *TxnCheckOp) FillAuthzContext(_ *acl.EnterpriseAuthorizerContext) {}
func (_ *TxnCheckOp) FillAuthzContext(_ *acl.AuthorizerContext) {}
func ServiceIDString(id string, _ *EnterpriseMeta) string {
return id