Gets rid of the Consul service exception under version 8.

Fixes #2816.
This commit is contained in:
James Phillips 2017-03-23 16:10:50 -07:00
parent 7c2509f407
commit a22c04f1bf
No known key found for this signature in database
GPG Key ID: 77183E682AC5FC11
2 changed files with 20 additions and 4 deletions

View File

@ -341,9 +341,14 @@ func (f *aclFilter) allowNode(node string) bool {
// allowService is used to determine if a service is accessible for an ACL.
func (f *aclFilter) allowService(service string) bool {
if service == "" || service == ConsulServiceID {
if service == "" {
return true
}
if !f.enforceVersion8 && service == ConsulServiceID {
return true
}
return f.acl.ServiceRead(service)
}

View File

@ -903,18 +903,29 @@ func TestACL_filterServices(t *testing.T) {
services := structs.Services{
"service1": []string{},
"service2": []string{},
"consul": []string{},
}
// Try permissive filtering
// Try permissive filtering.
filt := newAclFilter(acl.AllowAll(), nil, false)
filt.filterServices(services)
if len(services) != 2 {
if len(services) != 3 {
t.Fatalf("bad: %#v", services)
}
// Try restrictive filtering
// Try restrictive filtering.
filt = newAclFilter(acl.DenyAll(), nil, false)
filt.filterServices(services)
if len(services) != 1 {
t.Fatalf("bad: %#v", services)
}
if _, ok := services["consul"]; !ok {
t.Fatalf("bad: %#v", services)
}
// Try restrictive filtering with version 8 enforcement.
filt = newAclFilter(acl.DenyAll(), nil, true)
filt.filterServices(services)
if len(services) != 0 {
t.Fatalf("bad: %#v", services)
}