acl: do not resolve local tokens from remote dcs (#8068)
This commit is contained in:
parent
b7cf5139dd
commit
7404712854
|
@ -417,6 +417,9 @@ func (r *ACLResolver) fetchAndCacheIdentityFromToken(token string, cached *struc
|
|||
if resp.Token == nil {
|
||||
r.cache.PutIdentity(cacheID, nil)
|
||||
return nil, acl.ErrNotFound
|
||||
} else if resp.Token.Local && r.config.Datacenter != resp.SourceDatacenter {
|
||||
r.cache.PutIdentity(cacheID, nil)
|
||||
return nil, acl.PermissionDeniedError{Cause: fmt.Sprintf("This is a local token in datacenter %q", resp.SourceDatacenter)}
|
||||
} else {
|
||||
r.cache.PutIdentity(cacheID, resp.Token)
|
||||
return resp.Token, nil
|
||||
|
|
|
@ -260,6 +260,7 @@ func (a *ACL) TokenRead(args *structs.ACLTokenGetRequest, reply *structs.ACLToke
|
|||
}
|
||||
|
||||
reply.Index, reply.Token = index, token
|
||||
reply.SourceDatacenter = args.Datacenter
|
||||
return nil
|
||||
})
|
||||
}
|
||||
|
|
|
@ -3703,3 +3703,49 @@ func TestDedupeServiceIdentities(t *testing.T) {
|
|||
})
|
||||
}
|
||||
}
|
||||
func TestACL_LocalToken(t *testing.T) {
|
||||
t.Run("local token in same dc", func(t *testing.T) {
|
||||
d := &ACLResolverTestDelegate{
|
||||
datacenter: "dc1",
|
||||
tokenReadFn: func(_ *structs.ACLTokenGetRequest, reply *structs.ACLTokenResponse) error {
|
||||
reply.Token = &structs.ACLToken{Local: true}
|
||||
// different dc
|
||||
reply.SourceDatacenter = "dc1"
|
||||
return nil
|
||||
},
|
||||
}
|
||||
r := newTestACLResolver(t, d, nil)
|
||||
_, err := r.fetchAndCacheIdentityFromToken("", nil)
|
||||
require.NoError(t, err)
|
||||
})
|
||||
|
||||
t.Run("non local token in remote dc", func(t *testing.T) {
|
||||
d := &ACLResolverTestDelegate{
|
||||
datacenter: "dc1",
|
||||
tokenReadFn: func(_ *structs.ACLTokenGetRequest, reply *structs.ACLTokenResponse) error {
|
||||
reply.Token = &structs.ACLToken{Local: false}
|
||||
// different dc
|
||||
reply.SourceDatacenter = "remote"
|
||||
return nil
|
||||
},
|
||||
}
|
||||
r := newTestACLResolver(t, d, nil)
|
||||
_, err := r.fetchAndCacheIdentityFromToken("", nil)
|
||||
require.NoError(t, err)
|
||||
})
|
||||
|
||||
t.Run("local token in remote dc", func(t *testing.T) {
|
||||
d := &ACLResolverTestDelegate{
|
||||
datacenter: "dc1",
|
||||
tokenReadFn: func(_ *structs.ACLTokenGetRequest, reply *structs.ACLTokenResponse) error {
|
||||
reply.Token = &structs.ACLToken{Local: true}
|
||||
// different dc
|
||||
reply.SourceDatacenter = "remote"
|
||||
return nil
|
||||
},
|
||||
}
|
||||
r := newTestACLResolver(t, d, nil)
|
||||
_, err := r.fetchAndCacheIdentityFromToken("", nil)
|
||||
require.Equal(t, acl.PermissionDeniedError{Cause: "This is a local token in datacenter \"remote\""}, err)
|
||||
})
|
||||
}
|
||||
|
|
|
@ -1258,8 +1258,9 @@ type ACLTokenBootstrapRequest struct {
|
|||
|
||||
// ACLTokenResponse returns a single Token + metadata
|
||||
type ACLTokenResponse struct {
|
||||
Token *ACLToken
|
||||
Redacted bool // whether the token's secret was redacted
|
||||
Token *ACLToken
|
||||
Redacted bool // whether the token's secret was redacted
|
||||
SourceDatacenter string
|
||||
QueryMeta
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue