luxolus
/
open-consul
2
0
Fork 0
Code Issues 1 Pull Requests Packages Releases Wiki Activity

Introduce Code Policy validation via sentinel, with a noop implementation

This commit is contained in:
Preetha Appan 2017-09-14 14:31:01 -05:00
parent 69a088ca85
commit 8394ad08db
20 changed files with 373 additions and 155 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

113
acl/acl.go
View File

@ -2,6 +2,7 @@ package acl
import (
"github.com/armon/go-radix"
"github.com/hashicorp/consul/sentinel"
)
var (
@ -17,6 +18,10 @@ var (
manageAll ACL
)
// DefaultPolicyEnforcementLevel will be used if the user leaves the level
// blank when configuring an ACL.
const DefaultPolicyEnforcementLevel = "hard-mandatory"
func init() {
// Setup the singletons
allowAll = &StaticACL{
@ -59,7 +64,7 @@ type ACL interface {
KeyRead(string) bool
// KeyWrite checks for permission to write a given key
KeyWrite(string) bool
KeyWrite(string, sentinel.ScopeFn) bool
// KeyWritePrefix checks for permission to write to an
// entire key prefix. This means there must be no sub-policies
@ -78,7 +83,7 @@ type ACL interface {
// NodeWrite checks for permission to create or update (register) a
// given node.
NodeWrite(string) bool
NodeWrite(string, sentinel.ScopeFn) bool
// OperatorRead determines if the read-only Consul operator functions
// can be used.
@ -101,7 +106,7 @@ type ACL interface {
// ServiceWrite checks for permission to create or update a given
// service
ServiceWrite(string) bool
ServiceWrite(string, sentinel.ScopeFn) bool
// SessionRead checks for permission to read sessions for a given node.
SessionRead(string) bool
@ -150,7 +155,7 @@ func (s *StaticACL) KeyRead(string) bool {
return s.defaultAllow
}
func (s *StaticACL) KeyWrite(string) bool {
func (s *StaticACL) KeyWrite(string, sentinel.ScopeFn) bool {
return s.defaultAllow
}
@ -170,7 +175,7 @@ func (s *StaticACL) NodeRead(string) bool {
return s.defaultAllow
}
func (s *StaticACL) NodeWrite(string) bool {
func (s *StaticACL) NodeWrite(string, sentinel.ScopeFn) bool {
return s.defaultAllow
}
@ -194,7 +199,7 @@ func (s *StaticACL) ServiceRead(string) bool {
return s.defaultAllow
}
func (s *StaticACL) ServiceWrite(string) bool {
func (s *StaticACL) ServiceWrite(string, sentinel.ScopeFn) bool {
return s.defaultAllow
}
@ -239,6 +244,16 @@ func RootACL(id string) ACL {
}
}
// PolicyRule binds a regular ACL policy along with an optional piece of
// code to execute.
type PolicyRule struct {
// aclPolicy is used for simple acl rules(allow/deny/manage)
aclPolicy string
// sentinelPolicy has the code part of a policy
sentinelPolicy Sentinel
}
// PolicyACL is used to wrap a set of ACL policies to provide
// the ACL interface.
type PolicyACL struct {
@ -246,6 +261,10 @@ type PolicyACL struct {
// no matching rule.
parent ACL
// sentinel is an interface for validating and executing sentinel code
// policies.
sentinel sentinel.Evaluator
// agentRules contains the agent policies
agentRules *radix.Tree
@ -278,7 +297,7 @@ type PolicyACL struct {
// New is used to construct a policy based ACL from a set of policies
// and a parent policy to resolve missing cases.
func New(parent ACL, policy *Policy) (*PolicyACL, error) {
func New(parent ACL, policy *Policy, sentinel sentinel.Evaluator) (*PolicyACL, error) {
p := &PolicyACL{
parent: parent,
agentRules: radix.New(),
@ -288,6 +307,7 @@ func New(parent ACL, policy *Policy) (*PolicyACL, error) {
sessionRules: radix.New(),
eventRules: radix.New(),
preparedQueryRules: radix.New(),
sentinel: sentinel,
}
// Load the agent policy
@ -297,17 +317,29 @@ func New(parent ACL, policy *Policy) (*PolicyACL, error) {
// Load the key policy
for _, kp := range policy.Keys {
p.keyRules.Insert(kp.Prefix, kp.Policy)
policyRule := PolicyRule{
aclPolicy: kp.Policy,
sentinelPolicy: kp.Sentinel,
}
p.keyRules.Insert(kp.Prefix, policyRule)
}
// Load the node policy
for _, np := range policy.Nodes {
p.nodeRules.Insert(np.Name, np.Policy)
policyRule := PolicyRule{
aclPolicy: np.Policy,
sentinelPolicy: np.Sentinel,
}
p.nodeRules.Insert(np.Name, policyRule)
}
// Load the service policy
for _, sp := range policy.Services {
p.serviceRules.Insert(sp.Name, sp.Policy)
policyRule := PolicyRule{
aclPolicy: sp.Policy,
sentinelPolicy: sp.Sentinel,
}
p.serviceRules.Insert(sp.Name, policyRule)
}
// Load the session policy
@ -421,7 +453,8 @@ func (p *PolicyACL) KeyRead(key string) bool {
// Look for a matching rule
_, rule, ok := p.keyRules.LongestPrefix(key)
if ok {
switch rule.(string) {
pr := rule.(PolicyRule)
switch pr.aclPolicy {
case PolicyRead, PolicyWrite:
return true
default:
@ -434,27 +467,28 @@ func (p *PolicyACL) KeyRead(key string) bool {
}
// KeyWrite returns if a key is allowed to be written
func (p *PolicyACL) KeyWrite(key string) bool {
func (p *PolicyACL) KeyWrite(key string, scope sentinel.ScopeFn) bool {
// Look for a matching rule
_, rule, ok := p.keyRules.LongestPrefix(key)
if ok {
switch rule.(string) {
pr := rule.(PolicyRule)
switch pr.aclPolicy {
case PolicyWrite:
return true
return p.executeCodePolicy(&pr.sentinelPolicy, scope)
default:
return false
}
}
// No matching rule, use the parent.
return p.parent.KeyWrite(key)
return p.parent.KeyWrite(key, scope)
}
// KeyWritePrefix returns if a prefix is allowed to be written
func (p *PolicyACL) KeyWritePrefix(prefix string) bool {
// Look for a matching rule that denies
_, rule, ok := p.keyRules.LongestPrefix(prefix)
if ok && rule.(string) != PolicyWrite {
if ok && rule.(PolicyRule).aclPolicy != PolicyWrite {
return false
}
@ -462,7 +496,7 @@ func (p *PolicyACL) KeyWritePrefix(prefix string) bool {
deny := false
p.keyRules.WalkPrefix(prefix, func(path string, rule interface{}) bool {
// We have a rule to prevent a write in a sub-directory!
if rule.(string) != PolicyWrite {
if rule.(PolicyRule).aclPolicy != PolicyWrite {
deny = true
return true
}
@ -522,7 +556,8 @@ func (p *PolicyACL) NodeRead(name string) bool {
_, rule, ok := p.nodeRules.LongestPrefix(name)
if ok {
switch rule {
pr := rule.(PolicyRule)
switch pr.aclPolicy {
case PolicyRead, PolicyWrite:
return true
default:
@ -535,21 +570,22 @@ func (p *PolicyACL) NodeRead(name string) bool {
}
// NodeWrite checks if writing (registering) a node is allowed
func (p *PolicyACL) NodeWrite(name string) bool {
func (p *PolicyACL) NodeWrite(name string, scope sentinel.ScopeFn) bool {
// Check for an exact rule or catch-all
_, rule, ok := p.nodeRules.LongestPrefix(name)
if ok {
switch rule {
pr := rule.(PolicyRule)
switch pr.aclPolicy {
case PolicyWrite:
return true
return p.executeCodePolicy(&pr.sentinelPolicy, scope)
default:
return false
}
}
// No matching rule, use the parent.
return p.parent.NodeWrite(name)
return p.parent.NodeWrite(name, scope)
}
// OperatorWrite determines if the state-changing operator functions are
@ -603,9 +639,9 @@ func (p *PolicyACL) PreparedQueryWrite(prefix string) bool {
func (p *PolicyACL) ServiceRead(name string) bool {
// Check for an exact rule or catch-all
_, rule, ok := p.serviceRules.LongestPrefix(name)
if ok {
switch rule {
pr := rule.(PolicyRule)
switch pr.aclPolicy {
case PolicyRead, PolicyWrite:
return true
default:
@ -618,21 +654,21 @@ func (p *PolicyACL) ServiceRead(name string) bool {
}
// ServiceWrite checks if writing (registering) a service is allowed
func (p *PolicyACL) ServiceWrite(name string) bool {
func (p *PolicyACL) ServiceWrite(name string, scope sentinel.ScopeFn) bool {
// Check for an exact rule or catch-all
_, rule, ok := p.serviceRules.LongestPrefix(name)
if ok {
switch rule {
pr := rule.(PolicyRule)
switch pr.aclPolicy {
case PolicyWrite:
return true
return p.executeCodePolicy(&pr.sentinelPolicy, scope)
default:
return false
}
}
// No matching rule, use the parent.
return p.parent.ServiceWrite(name)
return p.parent.ServiceWrite(name, scope)
}
// SessionRead checks for permission to read sessions for a given node.
@ -670,3 +706,22 @@ func (p *PolicyACL) SessionWrite(node string) bool {
// No matching rule, use the parent.
return p.parent.SessionWrite(node)
}
// executeCodePolicy will run the associated code policy if code policies are
// enabled.
func (p *PolicyACL) executeCodePolicy(policy *Sentinel, scope sentinel.ScopeFn) bool {
if p.sentinel == nil {
return true
}
if policy.Code == "" || scope == nil {
return true
}
enforcement := policy.EnforcementLevel
if enforcement == "" {
enforcement = DefaultPolicyEnforcementLevel
}
return p.sentinel.Execute(policy.Code, enforcement, scope())
}

50
acl/acl_test.go
View File

@ -56,7 +56,7 @@ func TestStaticACL(t *testing.T) {
if !all.KeyRead("foobar") {
t.Fatalf("should allow")
}
if !all.KeyWrite("foobar") {
if !all.KeyWrite("foobar", nil) {
t.Fatalf("should allow")
}
if !all.KeyringRead() {
@ -68,7 +68,7 @@ func TestStaticACL(t *testing.T) {
if !all.NodeRead("foobar") {
t.Fatalf("should allow")
}
if !all.NodeWrite("foobar") {
if !all.NodeWrite("foobar", nil) {
t.Fatalf("should allow")
}
if !all.OperatorRead() {
@ -86,7 +86,7 @@ func TestStaticACL(t *testing.T) {
if !all.ServiceRead("foobar") {
t.Fatalf("should allow")
}
if !all.ServiceWrite("foobar") {
if !all.ServiceWrite("foobar", nil) {
t.Fatalf("should allow")
}
if !all.SessionRead("foobar") {
@ -126,7 +126,7 @@ func TestStaticACL(t *testing.T) {
if none.KeyRead("foobar") {
t.Fatalf("should not allow")
}
if none.KeyWrite("foobar") {
if none.KeyWrite("foobar", nil) {
t.Fatalf("should not allow")
}
if none.KeyringRead() {
@ -138,7 +138,7 @@ func TestStaticACL(t *testing.T) {
if none.NodeRead("foobar") {
t.Fatalf("should not allow")
}
if none.NodeWrite("foobar") {
if none.NodeWrite("foobar", nil) {
t.Fatalf("should not allow")
}
if none.OperatorRead() {
@ -156,7 +156,7 @@ func TestStaticACL(t *testing.T) {
if none.ServiceRead("foobar") {
t.Fatalf("should not allow")
}
if none.ServiceWrite("foobar") {
if none.ServiceWrite("foobar", nil) {
t.Fatalf("should not allow")
}
if none.SessionRead("foobar") {
@ -190,7 +190,7 @@ func TestStaticACL(t *testing.T) {
if !manage.KeyRead("foobar") {
t.Fatalf("should allow")
}
if !manage.KeyWrite("foobar") {
if !manage.KeyWrite("foobar", nil) {
t.Fatalf("should allow")
}
if !manage.KeyringRead() {
@ -202,7 +202,7 @@ func TestStaticACL(t *testing.T) {
if !manage.NodeRead("foobar") {
t.Fatalf("should allow")
}
if !manage.NodeWrite("foobar") {
if !manage.NodeWrite("foobar", nil) {
t.Fatalf("should allow")
}
if !manage.OperatorRead() {
@ -220,7 +220,7 @@ func TestStaticACL(t *testing.T) {
if !manage.ServiceRead("foobar") {
t.Fatalf("should allow")
}
if !manage.ServiceWrite("foobar") {
if !manage.ServiceWrite("foobar", nil) {
t.Fatalf("should allow")
}
if !manage.SessionRead("foobar") {
@ -306,7 +306,7 @@ func TestPolicyACL(t *testing.T) {
},
},
}
acl, err := New(all, policy)
acl, err := New(all, policy, nil)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -330,7 +330,7 @@ func TestPolicyACL(t *testing.T) {
if c.read != acl.KeyRead(c.inp) {
t.Fatalf("Read fail: %#v", c)
}
if c.write != acl.KeyWrite(c.inp) {
if c.write != acl.KeyWrite(c.inp, nil) {
t.Fatalf("Write fail: %#v", c)
}
if c.writePrefix != acl.KeyWritePrefix(c.inp) {
@ -357,7 +357,7 @@ func TestPolicyACL(t *testing.T) {
if c.read != acl.ServiceRead(c.inp) {
t.Fatalf("Read fail: %#v", c)
}
if c.write != acl.ServiceWrite(c.inp) {
if c.write != acl.ServiceWrite(c.inp, nil) {
t.Fatalf("Write fail: %#v", c)
}
}
@ -444,7 +444,7 @@ func TestPolicyACL_Parent(t *testing.T) {
},
},
}
root, err := New(deny, policyRoot)
root, err := New(deny, policyRoot, nil)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -477,7 +477,7 @@ func TestPolicyACL_Parent(t *testing.T) {
},
},
}
acl, err := New(root, policy)
acl, err := New(root, policy, nil)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -499,7 +499,7 @@ func TestPolicyACL_Parent(t *testing.T) {
if c.read != acl.KeyRead(c.inp) {
t.Fatalf("Read fail: %#v", c)
}
if c.write != acl.KeyWrite(c.inp) {
if c.write != acl.KeyWrite(c.inp, nil) {
t.Fatalf("Write fail: %#v", c)
}
if c.writePrefix != acl.KeyWritePrefix(c.inp) {
@ -523,7 +523,7 @@ func TestPolicyACL_Parent(t *testing.T) {
if c.read != acl.ServiceRead(c.inp) {
t.Fatalf("Read fail: %#v", c)
}
if c.write != acl.ServiceWrite(c.inp) {
if c.write != acl.ServiceWrite(c.inp, nil) {
t.Fatalf("Write fail: %#v", c)
}
}
@ -585,7 +585,7 @@ func TestPolicyACL_Agent(t *testing.T) {
},
},
}
root, err := New(deny, policyRoot)
root, err := New(deny, policyRoot, nil)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -610,7 +610,7 @@ func TestPolicyACL_Agent(t *testing.T) {
},
},
}
acl, err := New(root, policy)
acl, err := New(root, policy, nil)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -659,7 +659,7 @@ func TestPolicyACL_Keyring(t *testing.T) {
{PolicyDeny, false, false},
}
for _, c := range cases {
acl, err := New(DenyAll(), &Policy{Keyring: c.inp})
acl, err := New(DenyAll(), &Policy{Keyring: c.inp}, nil)
if err != nil {
t.Fatalf("bad: %s", err)
}
@ -685,7 +685,7 @@ func TestPolicyACL_Operator(t *testing.T) {
{PolicyDeny, false, false},
}
for _, c := range cases {
acl, err := New(DenyAll(), &Policy{Operator: c.inp})
acl, err := New(DenyAll(), &Policy{Operator: c.inp}, nil)
if err != nil {
t.Fatalf("bad: %s", err)
}
@ -720,7 +720,7 @@ func TestPolicyACL_Node(t *testing.T) {
},
},
}
root, err := New(deny, policyRoot)
root, err := New(deny, policyRoot, nil)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -745,7 +745,7 @@ func TestPolicyACL_Node(t *testing.T) {
},
},
}
acl, err := New(root, policy)
acl, err := New(root, policy, nil)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -775,7 +775,7 @@ func TestPolicyACL_Node(t *testing.T) {
if c.read != acl.NodeRead(c.inp) {
t.Fatalf("Read fail: %#v", c)
}
if c.write != acl.NodeWrite(c.inp) {
if c.write != acl.NodeWrite(c.inp, nil) {
t.Fatalf("Write fail: %#v", c)
}
}
@ -803,7 +803,7 @@ func TestPolicyACL_Session(t *testing.T) {
},
},
}
root, err := New(deny, policyRoot)
root, err := New(deny, policyRoot, nil)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -828,7 +828,7 @@ func TestPolicyACL_Session(t *testing.T) {
},
},
}
acl, err := New(root, policy)
acl, err := New(root, policy, nil)
if err != nil {
t.Fatalf("err: %v", err)
}

9
acl/cache.go
View File

@ -4,6 +4,7 @@ import (
"crypto/md5"
"fmt"
"github.com/hashicorp/consul/sentinel"
"github.com/hashicorp/golang-lru"
)
@ -24,10 +25,11 @@ type Cache struct {
aclCache *lru.TwoQueueCache // Cache id -> acl
policyCache *lru.TwoQueueCache // Cache policy -> acl
ruleCache *lru.TwoQueueCache // Cache rules -> policy
sentinel sentinel.Evaluator
}
// NewCache constructs a new policy and ACL cache of a given size
func NewCache(size int, faultfn FaultFunc) (*Cache, error) {
func NewCache(size int, faultfn FaultFunc, sentinel sentinel.Evaluator) (*Cache, error) {
if size <= 0 {
return nil, fmt.Errorf("Must provide positive cache size")
}
@ -52,6 +54,7 @@ func NewCache(size int, faultfn FaultFunc) (*Cache, error) {
aclCache: ac,
policyCache: pc,
ruleCache: rc,
sentinel: sentinel,
}
return c, nil
}
@ -69,7 +72,7 @@ func (c *Cache) getPolicy(id, rules string) (*Policy, error) {
if ok {
return raw.(*Policy), nil
}
policy, err := Parse(rules)
policy, err := Parse(rules, c.sentinel)
if err != nil {
return nil, err
}
@ -149,7 +152,7 @@ func (c *Cache) GetACL(id string) (ACL, error) {
}
// Compile the ACL
acl, err := New(parent, policy)
acl, err := New(parent, policy, c.sentinel)
if err != nil {
return nil, err
}

14
acl/cache_test.go
View File

@ -5,7 +5,7 @@ import (
)
func TestCache_GetPolicy(t *testing.T) {
c, err := NewCache(2, nil)
c, err := NewCache(2, nil, nil)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -62,7 +62,7 @@ func TestCache_GetACL(t *testing.T) {
return "deny", policies[id], nil
}
c, err := NewCache(2, faultfn)
c, err := NewCache(2, faultfn, nil)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -125,7 +125,7 @@ func TestCache_ClearACL(t *testing.T) {
return "deny", policies[id], nil
}
c, err := NewCache(16, faultfn)
c, err := NewCache(16, faultfn, nil)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -160,7 +160,7 @@ func TestCache_Purge(t *testing.T) {
return "deny", policies[id], nil
}
c, err := NewCache(16, faultfn)
c, err := NewCache(16, faultfn, nil)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -192,7 +192,7 @@ func TestCache_GetACLPolicy(t *testing.T) {
faultfn := func(id string) (string, string, error) {
return "deny", policies[id], nil
}
c, err := NewCache(16, faultfn)
c, err := NewCache(16, faultfn, nil)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -245,7 +245,7 @@ func TestCache_GetACL_Parent(t *testing.T) {
return "", "", nil
}
c, err := NewCache(16, faultfn)
c, err := NewCache(16, faultfn, nil)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -276,7 +276,7 @@ func TestCache_GetACL_ParentCache(t *testing.T) {
return "", "", nil
}
c, err := NewCache(16, faultfn)
c, err := NewCache(16, faultfn, nil)
if err != nil {
t.Fatalf("err: %v", err)
}

61
acl/policy.go
View File

@ -3,6 +3,7 @@ package acl
import (
"fmt"
"github.com/hashicorp/consul/sentinel"
"github.com/hashicorp/hcl"
)
@ -27,6 +28,12 @@ type Policy struct {
Operator string `hcl:"operator"`
}
// Sentinel defines a snippet of Sentinel code that can be attached to a policy.
type Sentinel struct {
Code string
EnforcementLevel string
}
// AgentPolicy represents a policy for working with agent endpoints on nodes
// with specific name prefixes.
type AgentPolicy struct {
@ -40,8 +47,9 @@ func (a *AgentPolicy) GoString() string {
// KeyPolicy represents a policy for a key
type KeyPolicy struct {
Prefix string `hcl:",key"`
Policy string
Prefix string `hcl:",key"`
Policy string
Sentinel Sentinel
}
func (k *KeyPolicy) GoString() string {
@ -50,8 +58,9 @@ func (k *KeyPolicy) GoString() string {
// NodePolicy represents a policy for a node
type NodePolicy struct {
Name string `hcl:",key"`
Policy string
Name string `hcl:",key"`
Policy string
Sentinel Sentinel
}
func (n *NodePolicy) GoString() string {
@ -60,8 +69,9 @@ func (n *NodePolicy) GoString() string {
// ServicePolicy represents a policy for a service
type ServicePolicy struct {
Name string `hcl:",key"`
Policy string
Name string `hcl:",key"`
Policy string
Sentinel Sentinel
}
func (s *ServicePolicy) GoString() string {
@ -113,10 +123,38 @@ func isPolicyValid(policy string) bool {
}
}
// isSentinelValid makes sure the given sentinel block is valid, and will skip
// out if the evaluator is nil.
func isSentinelValid(sentinel sentinel.Evaluator, basicPolicy string, sp Sentinel) error {
// TODO (slackpad) - Need a unit test for this.
// Sentinel not enabled at all, or for this policy.
if sentinel == nil {
return nil
}
if sp.Code == "" {
return nil
}
// We only allow sentinel code on write policies at this time.
if basicPolicy != PolicyWrite {
return fmt.Errorf("code is only allowed for write policies")
}
// Validate the sentinel parts.
switch sp.EnforcementLevel {
case "", "soft-mandatory", "hard-mandatory":
// OK
default:
return fmt.Errorf("unsupported enforcement level %q", sp.EnforcementLevel)
}
return sentinel.Compile(sp.Code)
}
// Parse is used to parse the specified ACL rules into an
// intermediary set of policies, before being compiled into
// the ACL
func Parse(rules string) (*Policy, error) {
func Parse(rules string, sentinel sentinel.Evaluator) (*Policy, error) {
// Decode the rules
p := &Policy{}
if rules == "" {
@ -140,6 +178,9 @@ func Parse(rules string) (*Policy, error) {
if !isPolicyValid(kp.Policy) {
return nil, fmt.Errorf("Invalid key policy: %#v", kp)
}
if err := isSentinelValid(sentinel, kp.Policy, kp.Sentinel); err != nil {
return nil, fmt.Errorf("Invalid key Sentinel policy: %#v, got error:%v", kp, err)
}
}
// Validate the node policies
@ -147,6 +188,9 @@ func Parse(rules string) (*Policy, error) {
if !isPolicyValid(np.Policy) {
return nil, fmt.Errorf("Invalid node policy: %#v", np)
}
if err := isSentinelValid(sentinel, np.Policy, np.Sentinel); err != nil {
return nil, fmt.Errorf("Invalid node Sentinel policy: %#v, got error:%v", np, err)
}
}
// Validate the service policies
@ -154,6 +198,9 @@ func Parse(rules string) (*Policy, error) {
if !isPolicyValid(sp.Policy) {
return nil, fmt.Errorf("Invalid service policy: %#v", sp)
}
if err := isSentinelValid(sentinel, sp.Policy, sp.Sentinel); err != nil {
return nil, fmt.Errorf("Invalid service Sentinel policy: %#v, got error:%v", sp, err)
}
}
// Validate the session policies

10
acl/policy_test.go
View File

@ -163,7 +163,7 @@ query "bar" {
},
}
out, err := Parse(inp)
out, err := Parse(inp, nil)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -344,7 +344,7 @@ func TestACLPolicy_Parse_JSON(t *testing.T) {
},
}
out, err := Parse(inp)
out, err := Parse(inp, nil)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -362,7 +362,7 @@ keyring = ""
Keyring: "",
}
out, err := Parse(inp)
out, err := Parse(inp, nil)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -380,7 +380,7 @@ operator = ""
Operator: "",
}
out, err := Parse(inp)
out, err := Parse(inp, nil)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -403,7 +403,7 @@ func TestACLPolicy_Bad_Policy(t *testing.T) {
`session "" { policy = "nope" }`,
}
for _, c := range cases {
_, err := Parse(c)
_, err := Parse(c, nil)
if err == nil || !strings.Contains(err.Error(), "Invalid") {
t.Fatalf("expected policy error, got: %#v", err)
}

22
agent/acl.go
View File

@ -91,7 +91,7 @@ func newACLManager(config *config.RuntimeConfig) (*aclManager, error) {
},
},
}
master, err := acl.New(acl.DenyAll(), policy)
master, err := acl.New(acl.DenyAll(), policy, nil)
if err != nil {
return nil, err
}
@ -194,7 +194,7 @@ func (m *aclManager) lookupACL(a *Agent, id string) (acl.ACL, error) {
}
}
acl, err := acl.New(parent, reply.Policy)
acl, err := acl.New(parent, reply.Policy, nil)
if err != nil {
return nil, err
}
@ -252,14 +252,14 @@ func (a *Agent) vetServiceRegister(token string, service *structs.NodeService) e
}
// Vet the service itself.
if !rule.ServiceWrite(service.Service) {
if !rule.ServiceWrite(service.Service, nil) {
return acl.ErrPermissionDenied
}
// Vet any service that might be getting overwritten.
services := a.state.Services()
if existing, ok := services[service.ID]; ok {
if !rule.ServiceWrite(existing.Service) {
if !rule.ServiceWrite(existing.Service, nil) {
return acl.ErrPermissionDenied
}
}
@ -282,7 +282,7 @@ func (a *Agent) vetServiceUpdate(token string, serviceID string) error {
// Vet any changes based on the existing services's info.
services := a.state.Services()
if existing, ok := services[serviceID]; ok {
if !rule.ServiceWrite(existing.Service) {
if !rule.ServiceWrite(existing.Service, nil) {
return acl.ErrPermissionDenied
}
} else {
@ -306,11 +306,11 @@ func (a *Agent) vetCheckRegister(token string, check *structs.HealthCheck) error
// Vet the check itself.
if len(check.ServiceName) > 0 {
if !rule.ServiceWrite(check.ServiceName) {
if !rule.ServiceWrite(check.ServiceName, nil) {
return acl.ErrPermissionDenied
}
} else {
if !rule.NodeWrite(a.config.NodeName) {
if !rule.NodeWrite(a.config.NodeName, nil) {
return acl.ErrPermissionDenied
}
}
@ -319,11 +319,11 @@ func (a *Agent) vetCheckRegister(token string, check *structs.HealthCheck) error
checks := a.state.Checks()
if existing, ok := checks[check.CheckID]; ok {
if len(existing.ServiceName) > 0 {
if !rule.ServiceWrite(existing.ServiceName) {
if !rule.ServiceWrite(existing.ServiceName, nil) {
return acl.ErrPermissionDenied
}
} else {
if !rule.NodeWrite(a.config.NodeName) {
if !rule.NodeWrite(a.config.NodeName, nil) {
return acl.ErrPermissionDenied
}
}
@ -347,11 +347,11 @@ func (a *Agent) vetCheckUpdate(token string, checkID types.CheckID) error {
checks := a.state.Checks()
if existing, ok := checks[checkID]; ok {
if len(existing.ServiceName) > 0 {
if !rule.ServiceWrite(existing.ServiceName) {
if !rule.ServiceWrite(existing.ServiceName, nil) {
return acl.ErrPermissionDenied
}
} else {
if !rule.NodeWrite(a.config.NodeName) {
if !rule.NodeWrite(a.config.NodeName, nil) {
return acl.ErrPermissionDenied
}
}

2
agent/acl_test.go
View File

@ -207,7 +207,7 @@ func TestACL_Special_IDs(t *testing.T) {
if !acl.NodeRead("hello") {
t.Fatalf("should be able to read any node")
}
if acl.NodeWrite("hello") {
if acl.NodeWrite("hello", nil) {
t.Fatalf("should not be able to write any node")
}
}

2
agent/agent_endpoint.go
View File

@ -637,7 +637,7 @@ func (s *HTTPServer) AgentNodeMaintenance(resp http.ResponseWriter, req *http.Re
if err != nil {
return nil, err
}
if rule != nil && !rule.NodeWrite(s.agent.config.NodeName) {
if rule != nil && !rule.NodeWrite(s.agent.config.NodeName, nil) {
return nil, acl.ErrPermissionDenied
}

87
agent/consul/acl.go
View File

@ -9,6 +9,8 @@ import (
"github.com/armon/go-metrics"
"github.com/hashicorp/consul/acl"
"github.com/hashicorp/consul/agent/structs"
"github.com/hashicorp/consul/api"
"github.com/hashicorp/consul/sentinel"
"github.com/hashicorp/golang-lru"
)
@ -102,6 +104,9 @@ type aclCache struct {
// acls is a non-authoritative ACL cache.
acls *lru.TwoQueueCache
// sentinel is the code engine (can be nil).
sentinel sentinel.Evaluator
// aclPolicyCache is a non-authoritative policy cache.
policies *lru.TwoQueueCache
@ -116,13 +121,14 @@ type aclCache struct {
// newACLCache returns a new non-authoritative cache for ACLs. This is used for
// performance, and is used inside the ACL datacenter on non-leader servers, and
// outside the ACL datacenter everywhere.
func newACLCache(conf *Config, logger *log.Logger, rpc rpcFn, local acl.FaultFunc) (*aclCache, error) {
func newACLCache(conf *Config, logger *log.Logger, rpc rpcFn, local acl.FaultFunc, sentinel sentinel.Evaluator) (*aclCache, error) {
var err error
cache := &aclCache{
config: conf,
logger: logger,
rpc: rpc,
local: local,
config: conf,
logger: logger,
rpc: rpc,
local: local,
sentinel: sentinel,
}
// Initialize the non-authoritative ACL cache
@ -206,7 +212,7 @@ func (c *aclCache) lookupACL(id, authDC string) (acl.ACL, error) {
goto ACL_DOWN
}
policy, err := acl.Parse(rules)
policy, err := acl.Parse(rules, c.sentinel)
if err != nil {
c.logger.Printf("[DEBUG] consul.acl: Failed to parse policy for replicated ACL: %v", err)
goto ACL_DOWN
@ -268,7 +274,7 @@ func (c *aclCache) useACLPolicy(id, authDC string, cached *aclCacheEntry, p *str
}
// Compile the ACL
acl, err := acl.New(parent, p.Policy)
acl, err := acl.New(parent, p.Policy, c.sentinel)
if err != nil {
return nil, err
}
@ -327,7 +333,6 @@ func (f *aclFilter) allowService(service string) bool {
if !f.enforceVersion8 && service == structs.ConsulServiceID {
return true
}
return f.acl.ServiceRead(service)
}
@ -564,8 +569,7 @@ func (f *aclFilter) filterPreparedQueries(queries *structs.PreparedQueries) {
}
// filterACL is used to filter results from our service catalog based on the
// rules configured for the provided token. The subject is scrubbed and
// modified in-place, leaving only resources the token can access.
// rules configured for the provided token.
func (s *Server) filterACL(token string, subj interface{}) error {
// Get the ACL from the token
acl, err := s.resolveToken(token)
@ -646,11 +650,45 @@ func vetRegisterWithACL(rule acl.ACL, subj *structs.RegisterRequest,
return nil
}
// This gets called potentially from a few spots so we save it and
// return the structure we made if we have it.
var memo map[string]interface{}
scope := func() map[string]interface{} {
if memo != nil {
return memo
}
node := &api.Node{
ID: string(subj.ID),
Node: subj.Node,
Address: subj.Address,
Datacenter: subj.Datacenter,
TaggedAddresses: subj.TaggedAddresses,
Meta: subj.NodeMeta,
}
var service *api.AgentService
if subj.Service != nil {
service = &api.AgentService{
ID: subj.Service.ID,
Service: subj.Service.Service,
Tags: subj.Service.Tags,
Address: subj.Service.Address,
Port: subj.Service.Port,
EnableTagOverride: subj.Service.EnableTagOverride,
}
}
memo = sentinel.ScopeCatalogUpsert(node, service)
return memo
}
// Vet the node info. This allows service updates to re-post the required
// node info for each request without having to have node "write"
// privileges.
needsNode := ns == nil || subj.ChangesNode(ns.Node)
if needsNode && !rule.NodeWrite(subj.Node) {
if needsNode && !rule.NodeWrite(subj.Node, scope) {
return acl.ErrPermissionDenied
}
@ -658,13 +696,17 @@ func vetRegisterWithACL(rule acl.ACL, subj *structs.RegisterRequest,
// the given service, and that we can write to any existing service that
// is being modified by id (if any).
if subj.Service != nil {
if !rule.ServiceWrite(subj.Service.Service) {
if !rule.ServiceWrite(subj.Service.Service, scope) {
return acl.ErrPermissionDenied
}
if ns != nil {
other, ok := ns.Services[subj.Service.ID]
if ok && !rule.ServiceWrite(other.Service) {
// This is effectively a delete, so we DO NOT apply the
// sentinel scope to the service we are overwriting, just
// the regular ACL policy.
if ok && !rule.ServiceWrite(other.Service, nil) {
return acl.ErrPermissionDenied
}
}
@ -693,7 +735,7 @@ func vetRegisterWithACL(rule acl.ACL, subj *structs.RegisterRequest,
// Node-level check.
if check.ServiceID == "" {
if !rule.NodeWrite(subj.Node) {
if !rule.NodeWrite(subj.Node, scope) {
return acl.ErrPermissionDenied
}
continue
@ -718,7 +760,10 @@ func vetRegisterWithACL(rule acl.ACL, subj *structs.RegisterRequest,
return fmt.Errorf("Unknown service '%s' for check '%s'", check.ServiceID, check.CheckID)
}
if !rule.ServiceWrite(other.Service) {
// We are only adding a check here, so we don't add the scope,
// since the sentinel policy doesn't apply to adding checks at
// this time.
if !rule.ServiceWrite(other.Service, nil) {
return acl.ErrPermissionDenied
}
}
@ -733,11 +778,15 @@ func vetRegisterWithACL(rule acl.ACL, subj *structs.RegisterRequest,
// be nil; similar for the HealthCheck for the referenced health check.
func vetDeregisterWithACL(rule acl.ACL, subj *structs.DeregisterRequest,
ns *structs.NodeService, nc *structs.HealthCheck) error {
// Fast path if ACLs are not enabled.
if rule == nil {
return nil
}
// We don't apply sentinel in this path, since at this time sentinel
// only applies to create and update operations.
// This order must match the code in applyRegister() in fsm.go since it
// also evaluates things in this order, and will ignore fields based on
// this precedence. This lets us also ignore them from an ACL perspective.
@ -745,7 +794,7 @@ func vetDeregisterWithACL(rule acl.ACL, subj *structs.DeregisterRequest,
if ns == nil {
return fmt.Errorf("Unknown service '%s'", subj.ServiceID)
}
if !rule.ServiceWrite(ns.Service) {
if !rule.ServiceWrite(ns.Service, nil) {
return acl.ErrPermissionDenied
}
} else if subj.CheckID != "" {
@ -753,16 +802,16 @@ func vetDeregisterWithACL(rule acl.ACL, subj *structs.DeregisterRequest,
return fmt.Errorf("Unknown check '%s'", subj.CheckID)
}
if nc.ServiceID != "" {
if !rule.ServiceWrite(nc.ServiceName) {
if !rule.ServiceWrite(nc.ServiceName, nil) {
return acl.ErrPermissionDenied
}
} else {
if !rule.NodeWrite(subj.Node) {
if !rule.NodeWrite(subj.Node, nil) {
return acl.ErrPermissionDenied
}
}
} else {
if !rule.NodeWrite(subj.Node) {
if !rule.NodeWrite(subj.Node, nil) {
return acl.ErrPermissionDenied
}
}

2
agent/consul/acl_endpoint.go
View File

@ -107,7 +107,7 @@ func aclApplyInternal(srv *Server, args *structs.ACLRequest, reply *string) erro
}
// Validate the rules compile
_, err := acl.Parse(args.ACL.Rules)
_, err := acl.Parse(args.ACL.Rules, srv.sentinel)
if err != nil {
return fmt.Errorf("ACL rule compilation failed: %v", err)
}

64
agent/consul/acl_test.go
View File

@ -793,11 +793,11 @@ func TestACL_filterHealthChecks(t *testing.T) {
service "foo" {
policy = "read"
}
`)
`, nil)
if err != nil {
t.Fatalf("err %v", err)
}
perms, err := acl.New(acl.DenyAll(), policy)
perms, err := acl.New(acl.DenyAll(), policy, nil)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -827,11 +827,11 @@ service "foo" {
node "node1" {
policy = "read"
}
`)
`, nil)
if err != nil {
t.Fatalf("err %v", err)
}
perms, err = acl.New(perms, policy)
perms, err = acl.New(perms, policy, nil)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -918,11 +918,11 @@ func TestACL_filterServiceNodes(t *testing.T) {
service "foo" {
policy = "read"
}
`)
`, nil)
if err != nil {
t.Fatalf("err %v", err)
}
perms, err := acl.New(acl.DenyAll(), policy)
perms, err := acl.New(acl.DenyAll(), policy, nil)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -952,11 +952,11 @@ service "foo" {
node "node1" {
policy = "read"
}
`)
`, nil)
if err != nil {
t.Fatalf("err %v", err)
}
perms, err = acl.New(perms, policy)
perms, err = acl.New(perms, policy, nil)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -1024,11 +1024,11 @@ func TestACL_filterNodeServices(t *testing.T) {
service "foo" {
policy = "read"
}
`)
`, nil)
if err != nil {
t.Fatalf("err %v", err)
}
perms, err := acl.New(acl.DenyAll(), policy)
perms, err := acl.New(acl.DenyAll(), policy, nil)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -1058,11 +1058,11 @@ service "foo" {
node "node1" {
policy = "read"
}
`)
`, nil)
if err != nil {
t.Fatalf("err %v", err)
}
perms, err = acl.New(perms, policy)
perms, err = acl.New(perms, policy, nil)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -1130,11 +1130,11 @@ func TestACL_filterCheckServiceNodes(t *testing.T) {
service "foo" {
policy = "read"
}
`)
`, nil)
if err != nil {
t.Fatalf("err %v", err)
}
perms, err := acl.New(acl.DenyAll(), policy)
perms, err := acl.New(acl.DenyAll(), policy, nil)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -1167,11 +1167,11 @@ service "foo" {
node "node1" {
policy = "read"
}
`)
`, nil)
if err != nil {
t.Fatalf("err %v", err)
}
perms, err = acl.New(perms, policy)
perms, err = acl.New(perms, policy, nil)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -1321,11 +1321,11 @@ func TestACL_filterNodeDump(t *testing.T) {
service "foo" {
policy = "read"
}
`)
`, nil)
if err != nil {
t.Fatalf("err %v", err)
}
perms, err := acl.New(acl.DenyAll(), policy)
perms, err := acl.New(acl.DenyAll(), policy, nil)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -1361,11 +1361,11 @@ service "foo" {
node "node1" {
policy = "read"
}
`)
`, nil)
if err != nil {
t.Fatalf("err %v", err)
}
perms, err = acl.New(perms, policy)
perms, err = acl.New(perms, policy, nil)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -1563,11 +1563,11 @@ func TestACL_vetRegisterWithACL(t *testing.T) {
node "node" {
policy = "write"
}
`)
`, nil)
if err != nil {
t.Fatalf("err %v", err)
}
perms, err := acl.New(acl.DenyAll(), policy)
perms, err := acl.New(acl.DenyAll(), policy, nil)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -1608,11 +1608,11 @@ node "node" {
service "service" {
policy = "write"
}
`)
`, nil)
if err != nil {
t.Fatalf("err %v", err)
}
perms, err = acl.New(perms, policy)
perms, err = acl.New(perms, policy, nil)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -1638,11 +1638,11 @@ service "service" {
service "other" {
policy = "write"
}
`)
`, nil)
if err != nil {
t.Fatalf("err %v", err)
}
perms, err = acl.New(perms, policy)
perms, err = acl.New(perms, policy, nil)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -1712,11 +1712,11 @@ service "other" {
service "other" {
policy = "deny"
}
`)
`, nil)
if err != nil {
t.Fatalf("err %v", err)
}
perms, err = acl.New(perms, policy)
perms, err = acl.New(perms, policy, nil)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -1742,11 +1742,11 @@ service "other" {
node "node" {
policy = "deny"
}
`)
`, nil)
if err != nil {
t.Fatalf("err %v", err)
}
perms, err = acl.New(perms, policy)
perms, err = acl.New(perms, policy, nil)
if err != nil {
t.Fatalf("err: %v", err)
}
@ -1792,11 +1792,11 @@ node "node" {
service "service" {
policy = "write"
}
`)
`, nil)
if err != nil {
t.Fatalf("err %v", err)
}
perms, err := acl.New(acl.DenyAll(), policy)
perms, err := acl.New(acl.DenyAll(), policy, nil)
if err != nil {
t.Fatalf("err: %v", err)
}

3
agent/consul/catalog_endpoint.go
View File

@ -66,7 +66,7 @@ func (c *Catalog) Register(args *structs.RegisterRequest, reply *struct{}) error
// later if version 0.8 is enabled, so we can eventually just
// delete this and do all the ACL checks down there.
if args.Service.Service != structs.ConsulServiceName {
if rule != nil && !rule.ServiceWrite(args.Service.Service) {
if rule != nil && !rule.ServiceWrite(args.Service.Service, nil) {
return acl.ErrPermissionDenied
}
}
@ -149,6 +149,7 @@ func (c *Catalog) Deregister(args *structs.DeregisterRequest, reply *struct{}) e
if err := vetDeregisterWithACL(rule, args, ns, nc); err != nil {
return err
}
}
if _, err := c.srv.raftApply(structs.DeregisterRequestType, args); err != nil {

5
agent/consul/coordinate_endpoint.go
View File

@ -139,7 +139,10 @@ func (c *Coordinate) Update(args *structs.CoordinateUpdateRequest, reply *struct
return err
}
if rule != nil && c.srv.config.ACLEnforceVersion8 {
if !rule.NodeWrite(args.Node) {
// We don't enforce the sentinel policy here, since at this time
// sentinel only applies to creating or updating node or service
// info, not updating coordinates.
if !rule.NodeWrite(args.Node, nil) {
return acl.ErrPermissionDenied
}
}

12
agent/consul/filter_test.go
View File

@ -10,8 +10,8 @@ import (
func TestFilter_DirEnt(t *testing.T) {
t.Parallel()
policy, _ := acl.Parse(testFilterRules)
aclR, _ := acl.New(acl.DenyAll(), policy)
policy, _ := acl.Parse(testFilterRules, nil)
aclR, _ := acl.New(acl.DenyAll(), policy, nil)
type tcase struct {
in []string
@ -52,8 +52,8 @@ func TestFilter_DirEnt(t *testing.T) {
func TestFilter_Keys(t *testing.T) {
t.Parallel()
policy, _ := acl.Parse(testFilterRules)
aclR, _ := acl.New(acl.DenyAll(), policy)
policy, _ := acl.Parse(testFilterRules, nil)
aclR, _ := acl.New(acl.DenyAll(), policy, nil)
type tcase struct {
in []string
@ -84,8 +84,8 @@ func TestFilter_Keys(t *testing.T) {
func TestFilter_TxnResults(t *testing.T) {
t.Parallel()
policy, _ := acl.Parse(testFilterRules)
aclR, _ := acl.New(acl.DenyAll(), policy)
policy, _ := acl.Parse(testFilterRules, nil)
aclR, _ := acl.New(acl.DenyAll(), policy, nil)
type tcase struct {
in []string

13
agent/consul/kvs_endpoint.go
View File

@ -9,6 +9,7 @@ import (
"github.com/hashicorp/consul/agent/consul/state"
"github.com/hashicorp/consul/agent/structs"
"github.com/hashicorp/consul/api"
"github.com/hashicorp/consul/sentinel"
"github.com/hashicorp/go-memdb"
)
@ -22,6 +23,7 @@ type KVS struct {
// must only be done on the leader.
func kvsPreApply(srv *Server, rule acl.ACL, op api.KVOp, dirEnt *structs.DirEntry) (bool, error) {
// Verify the entry.
if dirEnt.Key == "" && op != api.KVDeleteTree {
return false, fmt.Errorf("Must provide key")
}
@ -46,7 +48,10 @@ func kvsPreApply(srv *Server, rule acl.ACL, op api.KVOp, dirEnt *structs.DirEntr
}
default:
if !rule.KeyWrite(dirEnt.Key) {
scope := func() map[string]interface{} {
return sentinel.ScopeKVUpsert(dirEnt.Key, dirEnt.Value, dirEnt.Flags)
}
if !rule.KeyWrite(dirEnt.Key, scope) {
return false, acl.ErrPermissionDenied
}
}
@ -115,11 +120,10 @@ func (k *KVS) Get(args *structs.KeyRequest, reply *structs.IndexedDirEntries) er
return err
}
acl, err := k.srv.resolveToken(args.Token)
aclRule, err := k.srv.resolveToken(args.Token)
if err != nil {
return err
}
return k.srv.blockingQuery(
&args.QueryOptions,
&reply.QueryMeta,
@ -128,9 +132,10 @@ func (k *KVS) Get(args *structs.KeyRequest, reply *structs.IndexedDirEntries) er
if err != nil {
return err
}
if acl != nil && !acl.KeyRead(args.Key) {
if aclRule != nil && !aclRule.KeyRead(args.Key) {
ent = nil
}
if ent == nil {
// Must provide non-zero index to prevent blocking
// Index 1 is impossible anyways (due to Raft internals)

9
agent/consul/server.go
View File

@ -25,6 +25,7 @@ import (
"github.com/hashicorp/consul/agent/structs"
"github.com/hashicorp/consul/agent/token"
"github.com/hashicorp/consul/lib"
"github.com/hashicorp/consul/sentinel"
"github.com/hashicorp/consul/tlsutil"
"github.com/hashicorp/consul/types"
"github.com/hashicorp/raft"
@ -75,6 +76,9 @@ const (
// Server is Consul server which manages the service discovery,
// health checking, DC forwarding, Raft, and multiple Serf pools.
type Server struct {
// sentinel is the Sentinel code engine (can be nil).
sentinel sentinel.Evaluator
// aclAuthCache is the authoritative ACL cache.
aclAuthCache *acl.Cache
@ -317,7 +321,8 @@ func NewServerLogger(config *Config, logger *log.Logger, tokens *token.Store) (*
s.statsFetcher = NewStatsFetcher(logger, s.connPool, s.config.Datacenter)
// Initialize the authoritative ACL cache.
s.aclAuthCache, err = acl.NewCache(aclCacheSize, s.aclLocalFault)
s.sentinel = sentinel.New(logger)
s.aclAuthCache, err = acl.NewCache(aclCacheSize, s.aclLocalFault, s.sentinel)
if err != nil {
s.Shutdown()
return nil, fmt.Errorf("Failed to create authoritative ACL cache: %v", err)
@ -329,7 +334,7 @@ func NewServerLogger(config *Config, logger *log.Logger, tokens *token.Store) (*
if s.IsACLReplicationEnabled() {
local = s.aclLocalFault
}
if s.aclCache, err = newACLCache(config, logger, s.RPC, local); err != nil {
if s.aclCache, err = newACLCache(config, logger, s.RPC, local, s.sentinel); err != nil {
s.Shutdown()
return nil, fmt.Errorf("Failed to create non-authoritative ACL cache: %v", err)
}

8
sentinel/evaluator.go Normal file
View File

@ -0,0 +1,8 @@
package sentinel
// Evaluator wraps the Sentinel evaluator from the HashiCorp Sentinel policy
// engine.
type Evaluator interface {
Compile(policy string) error
Execute(policy string, enforcementLevel string, data map[string]interface{}) bool
}

29
sentinel/scope.go Normal file
View File

@ -0,0 +1,29 @@
package sentinel
import (
"github.com/hashicorp/consul/api"
)
// ScopeFn is a callback that provides a sentinel scope. This is a callback
// so that if we don't run sentinel for some reason (not enabled or a basic
// policy check means we don't have to) then we don't spend the effort to make
// the map.
type ScopeFn func() map[string]interface{}
// ScopeKVUpsert returns the standard sentinel scope for a KV create or update.
func ScopeKVUpsert(key string, value []byte, flags uint64) map[string]interface{} {
return map[string]interface{}{
"key": key,
"value": string(value),
"flags": flags,
}
}
// ScopeCatalogUpsert returns the standard sentinel scope for a catalog create
// or update. Service is allowed to be nil.
func ScopeCatalogUpsert(node *api.Node, service *api.AgentService) map[string]interface{} {
return map[string]interface{}{
"node": node,
"service": service,
}
}

13
sentinel/sentinel_stub.go Normal file
View File

@ -0,0 +1,13 @@
// +build !ent
package sentinel
import (
"log"
)
// New returns a new instance of the Sentinel code engine. This is only available
// in Consul Enterprise so this version always returns nil.
func New(logger *log.Logger) Evaluator {
return nil
}