acl: remove rule == nil checks
parent
701d4ffef0
commit
2503f27a36
|
@ -193,9 +193,6 @@ func (a *Agent) filterMembers(token string, members *[]serf.Member) error {
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if rule == nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
var authzContext acl.AuthorizerContext
|
||||
structs.DefaultEnterpriseMetaInDefaultPartition().FillAuthzContext(&authzContext)
|
||||
|
@ -216,6 +213,7 @@ func (a *Agent) filterMembers(token string, members *[]serf.Member) error {
|
|||
}
|
||||
|
||||
// filterServices redacts services that the token doesn't have access to.
|
||||
// TODO: move to test file
|
||||
func (a *Agent) filterServices(token string, services *map[structs.ServiceID]*structs.NodeService) error {
|
||||
// Resolve the token and bail if ACLs aren't enabled.
|
||||
authz, err := a.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
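Review bot: In filterMembers nothing visible now guarantees that `rule` is non-nil once `err` is nil, so the function depends on an unstated contract of the token resolver; if `rule` is an interface value, a nil result would presumably panic at its first use instead of returning early. The same assumption is introduced in AgentMetricsStream, ACL.Apply, ACL.List and KeyringOperation, and the removed guards were not equivalent: filterMembers, AgentMetricsStream and KeyringOperation skipped the permission check on nil, while Apply and List denied. I would state the invariant where the resolver is declared, for example `// The returned Authorizer is never nil when err is nil.`, and cover it with a resolver test for the ACLs-disabled case. The body of filterMembers starts before and continues after the visible hunks.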
|
||||
|
|
|
@ -175,7 +175,7 @@ func (s *HTTPHandlers) AgentMetricsStream(resp http.ResponseWriter, req *http.Re
|
|||
switch {
|
||||
case err != nil:
|
||||
return nil, err
|
||||
case rule != nil && rule.AgentRead(s.agent.config.NodeName, nil) != acl.Allow:
|
||||
case rule.AgentRead(s.agent.config.NodeName, nil) != acl.Allow:
|
||||
return nil, acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
|
|
|
@ -1448,7 +1448,7 @@ func TestHTTPHandlers_AgentMetricsStream(t *testing.T) {
|
|||
bd.Tokens = new(tokenStore.Store)
|
||||
sink := metrics.NewInmemSink(20*time.Millisecond, time.Second)
|
||||
bd.MetricsHandler = sink
|
||||
d := fakeResolveTokenDelegate{}
|
||||
d := fakeResolveTokenDelegate{authorizer: acl.ManageAll()}
|
||||
agent := &Agent{
|
||||
baseDeps: bd,
|
||||
delegate: d,
|
||||
|
|
|
@ -2028,11 +2028,10 @@ func (a *ACL) BindingRuleDelete(args *structs.ACLBindingRuleDeleteRequest, reply
|
|||
}
|
||||
|
||||
_, rule, err := a.srv.fsm.State().ACLBindingRuleGetByID(nil, args.BindingRuleID, &args.EnterpriseMeta)
|
||||
if err != nil {
|
||||
switch {
|
||||
case err != nil:
|
||||
return err
|
||||
}
|
||||
|
||||
if rule == nil {
|
||||
case rule == nil:
|
||||
return nil
|
||||
}
|
||||
|
||||
|
|
|
@ -169,7 +169,7 @@ func (a *ACL) Apply(args *structs.ACLRequest, reply *string) error {
|
|||
// NOTE: We will not support enterprise authorizer contexts with legacy ACLs
|
||||
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
|
||||
return err
|
||||
} else if rule == nil || rule.ACLWrite(nil) != acl.Allow {
|
||||
} else if rule.ACLWrite(nil) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
|
@ -261,7 +261,7 @@ func (a *ACL) List(args *structs.DCSpecificRequest,
|
|||
// and this check for ACLWrite is basically what it did before.
|
||||
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
|
||||
return err
|
||||
} else if rule == nil || rule.ACLWrite(nil) != acl.Allow {
|
||||
} else if rule.ACLWrite(nil) != acl.Allow {
|
||||
return acl.ErrPermissionDenied
|
||||
}
|
||||
|
||||
|
|
|
@ -452,23 +452,21 @@ func (m *Internal) KeyringOperation(
|
|||
if err := m.srv.validateEnterpriseToken(identity); err != nil {
|
||||
return err
|
||||
}
|
||||
if rule != nil {
|
||||
switch args.Operation {
|
||||
case structs.KeyringList:
|
||||
if rule.KeyringRead(nil) != acl.Allow {
|
||||
return fmt.Errorf("Reading keyring denied by ACLs")
|
||||
}
|
||||
case structs.KeyringInstall:
|
||||
fallthrough
|
||||
case structs.KeyringUse:
|
||||
fallthrough
|
||||
case structs.KeyringRemove:
|
||||
if rule.KeyringWrite(nil) != acl.Allow {
|
||||
return fmt.Errorf("Modifying keyring denied due to ACLs")
|
||||
}
|
||||
default:
|
||||
panic("Invalid keyring operation")
|
||||
switch args.Operation {
|
||||
case structs.KeyringList:
|
||||
if rule.KeyringRead(nil) != acl.Allow {
|
||||
return fmt.Errorf("Reading keyring denied by ACLs")
|
||||
}
|
||||
case structs.KeyringInstall:
|
||||
fallthrough
|
||||
case structs.KeyringUse:
|
||||
fallthrough
|
||||
case structs.KeyringRemove:
|
||||
if rule.KeyringWrite(nil) != acl.Allow {
|
||||
return fmt.Errorf("Modifying keyring denied due to ACLs")
|
||||
}
|
||||
default:
|
||||
panic("Invalid keyring operation")
|
||||
}
|
||||
|
||||
if args.LocalOnly || args.Forwarded || m.srv.serfWAN == nil {
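Review bot: The `default:` branch of the operation switch in KeyringOperation still ends in `panic("Invalid keyring operation")`, and `args.Operation` is a field of the request; unless it is validated before this point, which the hunk does not show, an unexpected value panics the handler (and the process, if nothing upstream recovers) rather than failing the one call. Returning an error keeps the failure local: `default: return fmt.Errorf("invalid keyring operation %v", args.Operation)`. The two denial paths also return ad-hoc `fmt.Errorf` strings where the other endpoints in this commit return `acl.ErrPermissionDenied`, so callers cannot match them with `errors.Is`; changing that may affect clients that compare the message text. KeyringOperation starts and ends outside the hunk.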
|
||||
|
|
|
@ -5,10 +5,11 @@ import (
|
|||
"fmt"
|
||||
"strings"
|
||||
|
||||
"github.com/mitchellh/cli"
|
||||
|
||||
"github.com/hashicorp/consul/command/acl"
|
||||
"github.com/hashicorp/consul/command/acl/bindingrule"
|
||||
"github.com/hashicorp/consul/command/flags"
|
||||
"github.com/mitchellh/cli"
|
||||
)
|
||||
|
||||
func New(ui cli.Ui) *cmd {
|
||||
|
@ -85,10 +86,11 @@ func (c *cmd) Run(args []string) int {
|
|||
}
|
||||
|
||||
rule, _, err := client.ACL().BindingRuleRead(ruleID, nil)
|
||||
if err != nil {
|
||||
switch {
|
||||
case err != nil:
|
||||
c.UI.Error(fmt.Sprintf("Error reading binding rule %q: %v", ruleID, err))
|
||||
return 1
|
||||
} else if rule == nil {
|
||||
case rule == nil:
|
||||
c.UI.Error(fmt.Sprintf("Binding rule not found with ID %q", ruleID))
|
||||
return 1
|
||||
}
|
||||
|
|