acl: move vet functions
These functions are moved to the one place they are called from, to improve code locality. They are being moved out of agent/consul/acl.go in preparation for moving ACLResolver to an acl package.
parent
c8eedabc7c
commit
37c67cb280
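--- a/agent/consul/acl.go
+++ b/agent/consul/acl.go
@@ -2048,45 +2048,3 @@ func (r *ACLResolver) filterACL(token string, subj interface{}) error {
 return r.filterACLWithAuthorizer(authorizer, subj)
 }
 
-// vetNodeTxnOp applies the given ACL policy to a node transaction operation.
-func vetNodeTxnOp(op *structs.TxnNodeOp, rule acl.Authorizer) error {
-// Fast path if ACLs are not enabled.
-if rule == nil {
-return nil
-}
-
-var authzContext acl.AuthorizerContext
-op.FillAuthzContext(&authzContext)
-
-if rule.NodeWrite(op.Node.Node, &authzContext) != acl.Allow {
-return acl.ErrPermissionDenied
-}
-
-return nil
-}
-
-// vetCheckTxnOp applies the given ACL policy to a check transaction operation.
-func vetCheckTxnOp(op *structs.TxnCheckOp, rule acl.Authorizer) error {
-// Fast path if ACLs are not enabled.
-if rule == nil {
-return nil
-}
-
-var authzContext acl.AuthorizerContext
-op.FillAuthzContext(&authzContext)
-
-if op.Check.ServiceID == "" {
-// Node-level check.
-if rule.NodeWrite(op.Check.Node, &authzContext) != acl.Allow {
-return acl.ErrPermissionDenied
-}
-} else {
-// Service-level check.
-if rule.ServiceWrite(op.Check.ServiceName, &authzContext) != acl.Allow {
-return acl.ErrPermissionDenied
-}
-}
-
-return nil
-}
-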
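--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -108,6 +108,36 @@ func (t *Txn) preCheck(authorizer acl.Authorizer, ops structs.TxnOps) structs.Tx
 return errors
 }
 
+// vetNodeTxnOp applies the given ACL policy to a node transaction operation.
+func vetNodeTxnOp(op *structs.TxnNodeOp, rule acl.Authorizer) error {
+var authzContext acl.AuthorizerContext
+op.FillAuthzContext(&authzContext)
+
+if rule.NodeWrite(op.Node.Node, &authzContext) != acl.Allow {
+return acl.ErrPermissionDenied
+}
+return nil
+}
+
+// vetCheckTxnOp applies the given ACL policy to a check transaction operation.
+func vetCheckTxnOp(op *structs.TxnCheckOp, rule acl.Authorizer) error {
+var authzContext acl.AuthorizerContext
+op.FillAuthzContext(&authzContext)
+
+if op.Check.ServiceID == "" {
+// Node-level check.
+if rule.NodeWrite(op.Check.Node, &authzContext) != acl.Allow {
+return acl.ErrPermissionDenied
+}
+} else {
+// Service-level check.
+if rule.ServiceWrite(op.Check.ServiceName, &authzContext) != acl.Allow {
+return acl.ErrPermissionDenied
+}
+}
+return nil
+}
+
 // Apply is used to apply multiple operations in a single, atomic transaction.
 func (t *Txn) Apply(args *structs.TxnRequest, reply *structs.TxnResponse) error {
 if done, err := t.srv.ForwardRPC("Txn.Apply", args, reply); done {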
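Review bot: The relocated vetNodeTxnOp and vetCheckTxnOp drop the `if rule == nil { return nil }` fast path that the deleted acl.go versions had, so a nil authorizer now reaches `rule.NodeWrite` and panics instead of being treated as ACLs-disabled, while the commit message describes the change as a pure move. Whether preCheck guarantees a non-nil authorizer before calling these helpers cannot be seen here, since its body starts before the hunk. If the guard is intentionally gone, state the precondition on both functions, e.g. `// rule must be non-nil; callers skip vetting when ACLs are disabled.`, and mention the behaviour change in the commit description; otherwise restore the three-line guard in both. Comparing against `acl.Allow` rather than `!= acl.Deny` keeps the default-decision case denied, which is the right fail-closed choice for these write checks.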