Add hook for validating the enterprise meta attached to a reque… (#6695)

Matt Keeler 2019-10-30 12:42:39 -04:00 committed by GitHub
parent ae57e736d2
commit 21f98f426e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 97 additions and 0 deletions


@ -192,6 +192,10 @@ func (a *ACL) TokenRead(args *structs.ACLTokenGetRequest, reply *structs.ACLToke
return err
}
if err := a.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
// clients will not know whether the server has local token store. In the case
// where it doesn't we will transparently forward requests.
if !a.srv.LocalTokensEnabled() {
@ -258,6 +262,10 @@ func (a *ACL) TokenClone(args *structs.ACLTokenSetRequest, reply *structs.ACLTok
return err
}
if err := a.srv.validateEnterpriseRequest(&args.ACLToken.EnterpriseMeta, true); err != nil {
return err
}
// clients will not know whether the server has local token store. In the case
// where it doesn't we will transparently forward requests.
if !a.srv.LocalTokensEnabled() {
@ -323,6 +331,10 @@ func (a *ACL) TokenSet(args *structs.ACLTokenSetRequest, reply *structs.ACLToken
return err
}
if err := a.srv.validateEnterpriseRequest(&args.ACLToken.EnterpriseMeta, true); err != nil {
return err
}
// Global token creation/modification always goes to the ACL DC
if !args.ACLToken.Local {
args.Datacenter = a.srv.config.ACLDatacenter
@ -711,6 +723,10 @@ func (a *ACL) TokenDelete(args *structs.ACLTokenDeleteRequest, reply *string) er
return err
}
if err := a.srv.validateEnterpriseRequest(&args.EnterpriseMeta, true); err != nil {
return err
}
if !a.srv.LocalTokensEnabled() {
args.Datacenter = a.srv.config.ACLDatacenter
}
@ -794,6 +810,10 @@ func (a *ACL) TokenList(args *structs.ACLTokenListRequest, reply *structs.ACLTok
return err
}
if err := a.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
if !a.srv.LocalTokensEnabled() {
if args.Datacenter != a.srv.config.ACLDatacenter {
args.Datacenter = a.srv.config.ACLDatacenter
@ -903,6 +923,10 @@ func (a *ACL) PolicyRead(args *structs.ACLPolicyGetRequest, reply *structs.ACLPo
return err
}
if err := a.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
if done, err := a.srv.forward("ACL.PolicyRead", args, args, reply); done {
return err
}
@ -964,6 +988,10 @@ func (a *ACL) PolicySet(args *structs.ACLPolicySetRequest, reply *structs.ACLPol
return err
}
if err := a.srv.validateEnterpriseRequest(&args.Policy.EnterpriseMeta, true); err != nil {
return err
}
if !a.srv.InACLDatacenter() {
args.Datacenter = a.srv.config.ACLDatacenter
}
@ -1096,6 +1124,10 @@ func (a *ACL) PolicyDelete(args *structs.ACLPolicyDeleteRequest, reply *string)
return err
}
if err := a.srv.validateEnterpriseRequest(&args.EnterpriseMeta, true); err != nil {
return err
}
if !a.srv.InACLDatacenter() {
args.Datacenter = a.srv.config.ACLDatacenter
}
@ -1156,6 +1188,10 @@ func (a *ACL) PolicyList(args *structs.ACLPolicyListRequest, reply *structs.ACLP
return err
}
if err := a.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
if done, err := a.srv.forward("ACL.PolicyList", args, args, reply); done {
return err
}
@ -1308,6 +1344,10 @@ func (a *ACL) RoleRead(args *structs.ACLRoleGetRequest, reply *structs.ACLRoleRe
return err
}
if err := a.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
if done, err := a.srv.forward("ACL.RoleRead", args, args, reply); done {
return err
}
@ -1378,6 +1418,10 @@ func (a *ACL) RoleSet(args *structs.ACLRoleSetRequest, reply *structs.ACLRole) e
return err
}
if err := a.srv.validateEnterpriseRequest(&args.Role.EnterpriseMeta, true); err != nil {
return err
}
if !a.srv.InACLDatacenter() {
args.Datacenter = a.srv.config.ACLDatacenter
}
@ -1519,6 +1563,10 @@ func (a *ACL) RoleDelete(args *structs.ACLRoleDeleteRequest, reply *string) erro
return err
}
if err := a.srv.validateEnterpriseRequest(&args.EnterpriseMeta, true); err != nil {
return err
}
if !a.srv.InACLDatacenter() {
args.Datacenter = a.srv.config.ACLDatacenter
}
@ -1575,6 +1623,10 @@ func (a *ACL) RoleList(args *structs.ACLRoleListRequest, reply *structs.ACLRoleL
return err
}
if err := a.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
if done, err := a.srv.forward("ACL.RoleList", args, args, reply); done {
return err
}
@ -1653,6 +1705,10 @@ func (a *ACL) BindingRuleRead(args *structs.ACLBindingRuleGetRequest, reply *str
return err
}
if err := a.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
if !a.srv.LocalTokensEnabled() {
return errAuthMethodsRequireTokenReplication
}
@ -1689,6 +1745,10 @@ func (a *ACL) BindingRuleSet(args *structs.ACLBindingRuleSetRequest, reply *stru
return err
}
if err := a.srv.validateEnterpriseRequest(&args.BindingRule.EnterpriseMeta, true); err != nil {
return err
}
if !a.srv.LocalTokensEnabled() {
return errAuthMethodsRequireTokenReplication
}
@ -1816,6 +1876,10 @@ func (a *ACL) BindingRuleDelete(args *structs.ACLBindingRuleDeleteRequest, reply
return err
}
if err := a.srv.validateEnterpriseRequest(&args.EnterpriseMeta, true); err != nil {
return err
}
if !a.srv.LocalTokensEnabled() {
return errAuthMethodsRequireTokenReplication
}
@ -1868,6 +1932,10 @@ func (a *ACL) BindingRuleList(args *structs.ACLBindingRuleListRequest, reply *st
return err
}
if err := a.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
if !a.srv.LocalTokensEnabled() {
return errAuthMethodsRequireTokenReplication
}
@ -1905,6 +1973,10 @@ func (a *ACL) AuthMethodRead(args *structs.ACLAuthMethodGetRequest, reply *struc
return err
}
if err := a.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
if !a.srv.LocalTokensEnabled() {
return errAuthMethodsRequireTokenReplication
}
@ -1940,6 +2012,10 @@ func (a *ACL) AuthMethodSet(args *structs.ACLAuthMethodSetRequest, reply *struct
return err
}
if err := a.srv.validateEnterpriseRequest(&args.AuthMethod.EnterpriseMeta, true); err != nil {
return err
}
if !a.srv.LocalTokensEnabled() {
return errAuthMethodsRequireTokenReplication
}
@ -2024,6 +2100,10 @@ func (a *ACL) AuthMethodDelete(args *structs.ACLAuthMethodDeleteRequest, reply *
return err
}
if err := a.srv.validateEnterpriseRequest(&args.EnterpriseMeta, true); err != nil {
return err
}
if !a.srv.LocalTokensEnabled() {
return errAuthMethodsRequireTokenReplication
}
@ -2077,6 +2157,10 @@ func (a *ACL) AuthMethodList(args *structs.ACLAuthMethodListRequest, reply *stru
return err
}
if err := a.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err
}
if !a.srv.LocalTokensEnabled() {
return errAuthMethodsRequireTokenReplication
}
@ -2123,6 +2207,14 @@ func (a *ACL) Login(args *structs.ACLLoginRequest, reply *structs.ACLToken) erro
return errAuthMethodsRequireTokenReplication
}
if args.Auth == nil {
return fmt.Errorf("Invalid Login request: Missing auth parameters")
}
if err := a.srv.validateEnterpriseRequest(&args.Auth.EnterpriseMeta, true); err != nil {
return err
}
if args.Token != "" { // This shouldn't happen.
return errors.New("do not provide a token when logging in")
}
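Review bot: In the Login hunk, the new `fmt.Errorf("Invalid Login request: Missing auth parameters")` has no format verbs and a capitalised, colon-separated message, which goes against the file's own style two lines below where `errors.New("do not provide a token when logging in")` is used; prefer `return errors.New("invalid login request: missing auth parameters")`. The nil check itself is the right place, since `args.Auth.EnterpriseMeta` is dereferenced immediately after and `Auth` appears to be a pointer (hedged: its declaration is not in this diff). Across all 22 call sites the second argument is a bare `true`/`false` literal whose meaning (whether the request mutates state) is only discoverable by reading the hook's signature; if the hook stays boolean, a short comment at one representative call site such as `// write=true: this RPC mutates ACL state` or two named constants would make the intent self-evident to the next reader. The enclosing handlers all start and end outside these hunks.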


@ -6,6 +6,7 @@ import (
"net"
"github.com/hashicorp/consul/agent/pool"
"github.com/hashicorp/consul/agent/structs"
"github.com/hashicorp/go-version"
"github.com/hashicorp/serf/serf"
)
@ -49,3 +50,7 @@ func (s *Server) establishEnterpriseLeadership() error {
func (s *Server) revokeEnterpriseLeadership() error {
return nil
}
func (s *Server) validateEnterpriseRequest(entMeta *structs.EnterpriseMeta, write bool) error {
return nil
}
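Review bot: The new `validateEnterpriseRequest` stub has no doc comment, and because it is the only definition of the hook visible in the open-source build, it is where the contract of the `entMeta`/`write` parameters needs to be stated for the 22 new callers. A comment along the lines of `// validateEnterpriseRequest checks the enterprise meta attached to an inbound ACL RPC before the request is forwarded or served. write reports whether the RPC mutates state. The OSS build accepts every request and returns nil.` would make the always-nil body understandable rather than looking like an unfinished function. It would also be worth noting in that comment that callers rely on this hook running before forwarding and before any token resolution, since that ordering is what every hunk in the first file establishes.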