From 21f98f426e299d28944f2a68f26c39359de8f767 Mon Sep 17 00:00:00 2001
From: Matt Keeler
Date: Wed, 30 Oct 2019 12:42:39 -0400
Subject: [PATCH] =?UTF-8?q?Add=20hook=20for=20validating=20the=20enterpris?= =?UTF-8?q?e=20meta=20attached=20to=20a=20reque=E2=80=A6=20(#6695)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 agent/consul/acl_endpoint.go | 92 +++++++++++++++++++++++++++
 agent/consul/enterprise_server_oss.go | 5 ++
 2 files changed, 97 insertions(+)
diff --git a/agent/consul/acl_endpoint.go b/agent/consul/acl_endpoint.go
index ea1a41832..8b1f5a3d7 100644
--- a/agent/consul/acl_endpoint.go
+++ b/agent/consul/acl_endpoint.go
@@ -192,6 +192,10 @@ func (a *ACL) TokenRead(args *structs.ACLTokenGetRequest, reply *structs.ACLToke
 return err
 }
 
+ if err := a.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
+ return err
+ }
+
 // clients will not know whether the server has local token store. In the case
 // where it doesn't we will transparently forward requests.
 if !a.srv.LocalTokensEnabled() {
@@ -258,6 +262,10 @@ func (a *ACL) TokenClone(args *structs.ACLTokenSetRequest, reply *structs.ACLTok
 return err
 }
 
+ if err := a.srv.validateEnterpriseRequest(&args.ACLToken.EnterpriseMeta, true); err != nil {
+ return err
+ }
+
 // clients will not know whether the server has local token store. In the case
 // where it doesn't we will transparently forward requests.
 if !a.srv.LocalTokensEnabled() {
@@ -323,6 +331,10 @@ func (a *ACL) TokenSet(args *structs.ACLTokenSetRequest, reply *structs.ACLToken
 return err
 }
 
+ if err := a.srv.validateEnterpriseRequest(&args.ACLToken.EnterpriseMeta, true); err != nil {
+ return err
+ }
+
 // Global token creation/modification always goes to the ACL DC
 if !args.ACLToken.Local {
 args.Datacenter = a.srv.config.ACLDatacenter
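Review bot: The second argument to validateEnterpriseRequest is a bare `true`/`false` at every call site — in this TokenRead hunk, in the TokenClone and TokenSet hunks that follow it, and in the TokenDelete through AuthMethodList hunks further down — so a reader cannot tell what the flag selects without opening the implementation; the only visible pattern is that Set/Clone/Delete/Login pass true and Read/List pass false. A one-line comment on this first occurrence would carry the intent: `// Reject requests whose enterprise meta is not valid for this build before any forwarding or state change; the flag marks mutating (write) RPCs.` The guard sits ahead of the LocalTokensEnabled/datacenter rewrite, so it presumably is meant to run on the receiving server before the request is forwarded, which is worth stating in the same comment. The enclosing TokenRead body starts and ends outside the hunk.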
@@ -711,6 +723,10 @@ func (a *ACL) TokenDelete(args *structs.ACLTokenDeleteRequest, reply *string) er
 return err
 }
 
+ if err := a.srv.validateEnterpriseRequest(&args.EnterpriseMeta, true); err != nil {
+ return err
+ }
+
 if !a.srv.LocalTokensEnabled() {
 args.Datacenter = a.srv.config.ACLDatacenter
 }
@@ -794,6 +810,10 @@ func (a *ACL) TokenList(args *structs.ACLTokenListRequest, reply *structs.ACLTok
 return err
 }
 
+ if err := a.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
+ return err
+ }
+
 if !a.srv.LocalTokensEnabled() {
 if args.Datacenter != a.srv.config.ACLDatacenter {
 args.Datacenter = a.srv.config.ACLDatacenter
@@ -903,6 +923,10 @@ func (a *ACL) PolicyRead(args *structs.ACLPolicyGetRequest, reply *structs.ACLPo
 return err
 }
 
+ if err := a.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
+ return err
+ }
+
 if done, err := a.srv.forward("ACL.PolicyRead", args, args, reply); done {
 return err
 }
@@ -964,6 +988,10 @@ func (a *ACL) PolicySet(args *structs.ACLPolicySetRequest, reply *structs.ACLPol
 return err
 }
 
+ if err := a.srv.validateEnterpriseRequest(&args.Policy.EnterpriseMeta, true); err != nil {
+ return err
+ }
+
 if !a.srv.InACLDatacenter() {
 args.Datacenter = a.srv.config.ACLDatacenter
 }
@@ -1096,6 +1124,10 @@ func (a *ACL) PolicyDelete(args *structs.ACLPolicyDeleteRequest, reply *string)
 return err
 }
 
+ if err := a.srv.validateEnterpriseRequest(&args.EnterpriseMeta, true); err != nil {
+ return err
+ }
+
 if !a.srv.InACLDatacenter() {
 args.Datacenter = a.srv.config.ACLDatacenter
 }
@@ -1156,6 +1188,10 @@ func (a *ACL) PolicyList(args *structs.ACLPolicyListRequest, reply *structs.ACLP
 return err
 }
 
+ if err := a.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
+ return err
+ }
+
 if done, err := a.srv.forward("ACL.PolicyList", args, args, reply); done {
 return err
 }
@@ -1308,6 +1344,10 @@ func (a *ACL) RoleRead(args *structs.ACLRoleGetRequest, reply *structs.ACLRoleRe
 return err
 }
 
+ if err := a.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
+ return err
+ }
+
 if done, err := a.srv.forward("ACL.RoleRead", args, args, reply); done {
 return err
 }
@@ -1378,6 +1418,10 @@ func (a *ACL) RoleSet(args *structs.ACLRoleSetRequest, reply *structs.ACLRole) e
 return err
 }
 
+ if err := a.srv.validateEnterpriseRequest(&args.Role.EnterpriseMeta, true); err != nil {
+ return err
+ }
+
 if !a.srv.InACLDatacenter() {
 args.Datacenter = a.srv.config.ACLDatacenter
 }
@@ -1519,6 +1563,10 @@ func (a *ACL) RoleDelete(args *structs.ACLRoleDeleteRequest, reply *string) erro
 return err
 }
 
+ if err := a.srv.validateEnterpriseRequest(&args.EnterpriseMeta, true); err != nil {
+ return err
+ }
+
 if !a.srv.InACLDatacenter() {
 args.Datacenter = a.srv.config.ACLDatacenter
 }
@@ -1575,6 +1623,10 @@ func (a *ACL) RoleList(args *structs.ACLRoleListRequest, reply *structs.ACLRoleL
 return err
 }
 
+ if err := a.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
+ return err
+ }
+
 if done, err := a.srv.forward("ACL.RoleList", args, args, reply); done {
 return err
 }
@@ -1653,6 +1705,10 @@ func (a *ACL) BindingRuleRead(args *structs.ACLBindingRuleGetRequest, reply *str
 return err
 }
 
+ if err := a.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
+ return err
+ }
+
 if !a.srv.LocalTokensEnabled() {
 return errAuthMethodsRequireTokenReplication
 }
@@ -1689,6 +1745,10 @@ func (a *ACL) BindingRuleSet(args *structs.ACLBindingRuleSetRequest, reply *stru
 return err
 }
 
+ if err := a.srv.validateEnterpriseRequest(&args.BindingRule.EnterpriseMeta, true); err != nil {
+ return err
+ }
+
 if !a.srv.LocalTokensEnabled() {
 return errAuthMethodsRequireTokenReplication
 }
@@ -1816,6 +1876,10 @@ func (a *ACL) BindingRuleDelete(args *structs.ACLBindingRuleDeleteRequest, reply
 return err
 }
 
+ if err := a.srv.validateEnterpriseRequest(&args.EnterpriseMeta, true); err != nil {
+ return err
+ }
+
 if !a.srv.LocalTokensEnabled() {
 return errAuthMethodsRequireTokenReplication
 }
@@ -1868,6 +1932,10 @@ func (a *ACL) BindingRuleList(args *structs.ACLBindingRuleListRequest, reply *st
 return err
 }
 
+ if err := a.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
+ return err
+ }
+
 if !a.srv.LocalTokensEnabled() {
 return errAuthMethodsRequireTokenReplication
 }
@@ -1905,6 +1973,10 @@ func (a *ACL) AuthMethodRead(args *structs.ACLAuthMethodGetRequest, reply *struc
 return err
 }
 
+ if err := a.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
+ return err
+ }
+
 if !a.srv.LocalTokensEnabled() {
 return errAuthMethodsRequireTokenReplication
 }
@@ -1940,6 +2012,10 @@ func (a *ACL) AuthMethodSet(args *structs.ACLAuthMethodSetRequest, reply *struct
 return err
 }
 
+ if err := a.srv.validateEnterpriseRequest(&args.AuthMethod.EnterpriseMeta, true); err != nil {
+ return err
+ }
+
 if !a.srv.LocalTokensEnabled() {
 return errAuthMethodsRequireTokenReplication
 }
@@ -2024,6 +2100,10 @@ func (a *ACL) AuthMethodDelete(args *structs.ACLAuthMethodDeleteRequest, reply *
 return err
 }
 
+ if err := a.srv.validateEnterpriseRequest(&args.EnterpriseMeta, true); err != nil {
+ return err
+ }
+
 if !a.srv.LocalTokensEnabled() {
 return errAuthMethodsRequireTokenReplication
 }
@@ -2077,6 +2157,10 @@ func (a *ACL) AuthMethodList(args *structs.ACLAuthMethodListRequest, reply *stru
 return err
 }
 
+ if err := a.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
+ return err
+ }
+
 if !a.srv.LocalTokensEnabled() {
 return errAuthMethodsRequireTokenReplication
 }
@@ -2123,6 +2207,14 @@ func (a *ACL) Login(args *structs.ACLLoginRequest, reply *structs.ACLToken) erro
 return errAuthMethodsRequireTokenReplication
 }
 
+ if args.Auth == nil {
+ return fmt.Errorf("Invalid Login request: Missing auth parameters")
+ }
+
+ if err := a.srv.validateEnterpriseRequest(&args.Auth.EnterpriseMeta, true); err != nil {
+ return err
+ }
+
 if args.Token != "" { // This shouldn't happen.
 return errors.New("do not provide a token when logging in")
 }
diff --git a/agent/consul/enterprise_server_oss.go b/agent/consul/enterprise_server_oss.go
index b17a7ca0b..365e0900a 100644
--- a/agent/consul/enterprise_server_oss.go
+++ b/agent/consul/enterprise_server_oss.go
@@ -6,6 +6,7 @@ import (
 "net"
 
 "github.com/hashicorp/consul/agent/pool"
+ "github.com/hashicorp/consul/agent/structs"
 "github.com/hashicorp/go-version"
 "github.com/hashicorp/serf/serf"
 )
@@ -49,3 +50,7 @@ func (s *Server) establishEnterpriseLeadership() error {
 func (s *Server) revokeEnterpriseLeadership() error {
 return nil
 }
+
+func (s *Server) validateEnterpriseRequest(entMeta *structs.EnterpriseMeta, write bool) error {
+ return nil
+}
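Review bot: The new nil guard in Login builds its error with `fmt.Errorf` although the message contains no format verbs, while the context line just below it uses `errors.New` with a lowercase message, so the two adjacent errors read as if written to different conventions. `return errors.New("invalid login request: missing auth parameters")` would match the neighbouring line and Go's usual error-string style. The guard itself is correctly placed before `&args.Auth.EnterpriseMeta` is taken, so the dereference is safe. The enclosing Login body starts and ends outside the hunk.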
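Review bot: validateEnterpriseRequest in enterprise_server_oss.go is added without a doc comment, and because this OSS build ignores both parameters and returns nil unconditionally, nothing records what `entMeta` and `write` mean or that accepting every request is the intended OSS behaviour rather than an unfinished stub. Suggest a comment above the function: `// validateEnterpriseRequest is the OSS hook for checking the enterprise meta attached to an RPC; write reports whether the request mutates state. The OSS build accepts every request.` If the enterprise build enforces rules here, keeping the parameter names rather than `_` is still worthwhile as documentation of the shared signature.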