acl: remove rule == nil checks

Daniel Nephin 2021-07-30 13:16:38 -04:00
parent 701d4ffef0
commit 2503f27a36
7 changed files with 27 additions and 30 deletions


@ -193,9 +193,6 @@ func (a *Agent) filterMembers(token string, members *[]serf.Member) error {
if err != nil {
return err
}
if rule == nil {
return nil
}
var authzContext acl.AuthorizerContext
structs.DefaultEnterpriseMetaInDefaultPartition().FillAuthzContext(&authzContext)
@ -216,6 +213,7 @@ func (a *Agent) filterMembers(token string, members *[]serf.Member) error {
}
// filterServices redacts services that the token doesn't have access to.
// TODO: move to test file
func (a *Agent) filterServices(token string, services *map[structs.ServiceID]*structs.NodeService) error {
// Resolve the token and bail if ACLs aren't enabled.
authz, err := a.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
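Review bot: The comment above the resolve in filterServices, `// Resolve the token and bail if ACLs aren't enabled.`, still describes the nil-authorizer early return that this commit deletes from filterMembers in the hunk above; if filterServices lost the same check (its body runs past the hunk, so I cannot confirm), the comment now promises a bail-out that no longer happens. Suggest `// Resolve the token; a disabled ACL system is expected to yield a permissive authorizer rather than nil.` once that contract is confirmed against the resolver, so a reader does not go looking for a nil check. The added `// TODO: move to test file` also implies filterServices is only exercised by tests; while it stays in production code it is worth a line saying so, since a redaction helper next to real access checks can be picked up later as if it were one.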


@ -175,7 +175,7 @@ func (s *HTTPHandlers) AgentMetricsStream(resp http.ResponseWriter, req *http.Re
switch {
case err != nil:
return nil, err
case rule != nil && rule.AgentRead(s.agent.config.NodeName, nil) != acl.Allow:
case rule.AgentRead(s.agent.config.NodeName, nil) != acl.Allow:
return nil, acl.ErrPermissionDenied
}


@ -1448,7 +1448,7 @@ func TestHTTPHandlers_AgentMetricsStream(t *testing.T) {
bd.Tokens = new(tokenStore.Store)
sink := metrics.NewInmemSink(20*time.Millisecond, time.Second)
bd.MetricsHandler = sink
d := fakeResolveTokenDelegate{}
d := fakeResolveTokenDelegate{authorizer: acl.ManageAll()}
agent := &Agent{
baseDeps: bd,
delegate: d,
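Review bot: The fake delegate now hands the handler `acl.ManageAll()`, so this test only exercises the allow branch of the `rule.AgentRead(...) != acl.Allow` check that the handler change makes unconditional. A second case with a deny-everything authorizer (presumably `acl.DenyAll()`, if the package exposes it alongside `ManageAll`) asserting `acl.ErrPermissionDenied` would pin the fail-closed path, which is the one a regression in the resolver would break. The rest of TestHTTPHandlers_AgentMetricsStream is outside this hunk, so such a case may already exist further down.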


@ -2028,11 +2028,10 @@ func (a *ACL) BindingRuleDelete(args *structs.ACLBindingRuleDeleteRequest, reply
}
_, rule, err := a.srv.fsm.State().ACLBindingRuleGetByID(nil, args.BindingRuleID, &args.EnterpriseMeta)
if err != nil {
switch {
case err != nil:
return err
}
if rule == nil {
case rule == nil:
return nil
}


@ -169,7 +169,7 @@ func (a *ACL) Apply(args *structs.ACLRequest, reply *string) error {
// NOTE: We will not support enterprise authorizer contexts with legacy ACLs
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
return err
} else if rule == nil || rule.ACLWrite(nil) != acl.Allow {
} else if rule.ACLWrite(nil) != acl.Allow {
return acl.ErrPermissionDenied
}
@ -261,7 +261,7 @@ func (a *ACL) List(args *structs.DCSpecificRequest,
// and this check for ACLWrite is basically what it did before.
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
return err
} else if rule == nil || rule.ACLWrite(nil) != acl.Allow {
} else if rule.ACLWrite(nil) != acl.Allow {
return acl.ErrPermissionDenied
}
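Review bot: `rule.ACLWrite(nil)` in both Apply and List is now called with no nil guard, so these legacy endpoints depend on `a.srv.ResolveToken` returning a non-nil authorizer whenever it returns a nil error, including when ACLs are disabled, which is the case the dropped `rule == nil ||` used to cover. That is the safer direction (a missing authorizer now fails loudly instead of silently skipping the permission check), but the contract lives in the resolver, which is not in this diff, so it should be stated where it is relied on: `// ResolveToken never returns a nil authorizer on success; a disabled ACL system yields a permissive one.` above the first call, once verified against the resolver. Both enclosing functions continue outside the hunks shown.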


@ -452,23 +452,21 @@ func (m *Internal) KeyringOperation(
if err := m.srv.validateEnterpriseToken(identity); err != nil {
return err
}
if rule != nil {
switch args.Operation {
case structs.KeyringList:
if rule.KeyringRead(nil) != acl.Allow {
return fmt.Errorf("Reading keyring denied by ACLs")
}
case structs.KeyringInstall:
fallthrough
case structs.KeyringUse:
fallthrough
case structs.KeyringRemove:
if rule.KeyringWrite(nil) != acl.Allow {
return fmt.Errorf("Modifying keyring denied due to ACLs")
}
default:
panic("Invalid keyring operation")
switch args.Operation {
case structs.KeyringList:
if rule.KeyringRead(nil) != acl.Allow {
return fmt.Errorf("Reading keyring denied by ACLs")
}
case structs.KeyringInstall:
fallthrough
case structs.KeyringUse:
fallthrough
case structs.KeyringRemove:
if rule.KeyringWrite(nil) != acl.Allow {
return fmt.Errorf("Modifying keyring denied due to ACLs")
}
default:
panic("Invalid keyring operation")
}
if args.LocalOnly || args.Forwarded || m.srv.serfWAN == nil {
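Review bot: `default: panic("Invalid keyring operation")` on the new side now runs for every request, whereas before the entire switch was skipped when the authorizer was nil. `args.Operation` arrives in an RPC request and whether it is validated before this point is not visible in the hunk, so an unrecognized value should be rejected as an error rather than a panic in the server: `return fmt.Errorf("invalid keyring operation %v", args.Operation)`. The two denial branches could also return `acl.ErrPermissionDenied` for consistency with the other endpoints touched by this commit, though that is a separate change. KeyringOperation begins before this hunk.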


@ -5,10 +5,11 @@ import (
"fmt"
"strings"
"github.com/mitchellh/cli"
"github.com/hashicorp/consul/command/acl"
"github.com/hashicorp/consul/command/acl/bindingrule"
"github.com/hashicorp/consul/command/flags"
"github.com/mitchellh/cli"
)
func New(ui cli.Ui) *cmd {
@ -85,10 +86,11 @@ func (c *cmd) Run(args []string) int {
}
rule, _, err := client.ACL().BindingRuleRead(ruleID, nil)
if err != nil {
switch {
case err != nil:
c.UI.Error(fmt.Sprintf("Error reading binding rule %q: %v", ruleID, err))
return 1
} else if rule == nil {
case rule == nil:
c.UI.Error(fmt.Sprintf("Binding rule not found with ID %q", ruleID))
return 1
}