consul: Prevent resolution of root policy

2014-08-12 10:58:02 -07:00 · 2014-08-12 10:58:02 -07:00 · 5561148c8e
parent 8c5bb94c74
commit 5561148c8e
2 changed files with 29 additions and 0 deletions
--- a/consul/acl.go
+++ b/consul/acl.go
@ -14,6 +14,9 @@ const (
 	// aclNotFound indicates there is no matching ACL
 	aclNotFound = "ACL not found"

+	// rootDenied is returned when attempting to resolve a root ACL
+	rootDenied = "Cannot resolve root ACL"
+
 	// anonymousToken is the token ID we re-write to if there
 	// is no token ID provided
 	anonymousToken = "anonymous"
@ -60,6 +63,8 @@ func (s *Server) resolveToken(id string) (acl.ACL, error) {
 	// Handle the anonymous token
 	if len(id) == 0 {
 		id = anonymousToken
+	} else if acl.RootACL(id) != nil {
+		return nil, errors.New(rootDenied)
 	}

 	// Check if we are the ACL datacenter and the leader, use the
--- a/consul/acl_test.go
+++ b/consul/acl_test.go
@ -29,6 +29,30 @@ func TestACL_Disabled(t *testing.T) {
 	}
 }

+func TestACL_ResolveRootACL(t *testing.T) {
+	dir1, s1 := testServerWithConfig(t, func(c *Config) {
+		c.ACLDatacenter = "dc1" // Enable ACLs!
+	})
+	defer os.RemoveAll(dir1)
+	defer s1.Shutdown()
+
+	acl, err := s1.resolveToken("allow")
+	if err == nil || err.Error() != rootDenied {
+		t.Fatalf("err: %v", err)
+	}
+	if acl != nil {
+		t.Fatalf("bad: %v", acl)
+	}
+
+	acl, err = s1.resolveToken("deny")
+	if err == nil || err.Error() != rootDenied {
+		t.Fatalf("err: %v", err)
+	}
+	if acl != nil {
+		t.Fatalf("bad: %v", acl)
+	}
+}
+
 func TestACL_Authority_NotFound(t *testing.T) {
 	dir1, s1 := testServerWithConfig(t, func(c *Config) {
 		c.ACLDatacenter = "dc1" // Enable ACLs!