agent/config: add AllowManagedRoot

2018-06-12 14:25:08 +02:00 · 2018-06-12 14:25:08 +02:00 · a7690301f9
parent 549dc22944
commit a7690301f9
4 changed files with 50 additions and 27 deletions
--- a/agent/config/builder.go
+++ b/agent/config/builder.go
@ -527,32 +527,21 @@ func (b *Builder) Build() (rt RuntimeConfig, err error) {
 	consulRaftLeaderLeaseTimeout := b.durationVal("consul.raft.leader_lease_timeout", c.Consul.Raft.LeaderLeaseTimeout) * time.Duration(performanceRaftMultiplier)

 	// Connect proxy defaults.
-	var connectEnabled bool
-	var connectCAProvider string
-	var connectCAConfig map[string]interface{}
-	if c.Connect != nil {
-		connectEnabled = b.boolVal(c.Connect.Enabled)
-		connectCAProvider = b.stringVal(c.Connect.CAProvider)
-		connectCAConfig = c.Connect.CAConfig
-		if c.Connect.CAConfig != nil {
+	connectEnabled := b.boolVal(c.Connect.Enabled)
+	connectCAProvider := b.stringVal(c.Connect.CAProvider)
+	connectCAConfig := c.Connect.CAConfig
+	if connectCAConfig != nil {
 		TranslateKeys(connectCAConfig, map[string]string{
 			"private_key":     "PrivateKey",
 			"root_cert":       "RootCert",
 			"rotation_period": "RotationPeriod",
 		})
 	}
-	}

-	proxyDefaultExecMode := ""
-	var proxyDefaultDaemonCommand []string
-	var proxyDefaultScriptCommand []string
-	proxyDefaultConfig := make(map[string]interface{})
-	if c.Connect != nil && c.Connect.ProxyDefaults != nil {
-		proxyDefaultExecMode = b.stringVal(c.Connect.ProxyDefaults.ExecMode)
-		proxyDefaultDaemonCommand = c.Connect.ProxyDefaults.DaemonCommand
-		proxyDefaultScriptCommand = c.Connect.ProxyDefaults.ScriptCommand
-		proxyDefaultConfig = c.Connect.ProxyDefaults.Config
-	}
+	proxyDefaultExecMode := b.stringVal(c.Connect.ProxyDefaults.ExecMode)
+	proxyDefaultDaemonCommand := c.Connect.ProxyDefaults.DaemonCommand
+	proxyDefaultScriptCommand := c.Connect.ProxyDefaults.ScriptCommand
+	proxyDefaultConfig := c.Connect.ProxyDefaults.Config

 	// ----------------------------------------------------------------
 	// build runtime config
@ -675,6 +664,7 @@ func (b *Builder) Build() (rt RuntimeConfig, err error) {
 		ConnectEnabled:                   connectEnabled,
 		ConnectCAProvider:                connectCAProvider,
 		ConnectCAConfig:                  connectCAConfig,
+		ConnectProxyAllowManagedRoot:     b.boolVal(c.Connect.Proxy.AllowManagedRoot),
 		ConnectProxyBindMinPort:          proxyMinPort,
 		ConnectProxyBindMaxPort:          proxyMaxPort,
 		ConnectProxyDefaultExecMode:      proxyDefaultExecMode,
--- a/agent/config/config.go
+++ b/agent/config/config.go
@ -160,7 +160,7 @@ type Config struct {
 	CheckUpdateInterval         *string                  `json:"check_update_interval,omitempty" hcl:"check_update_interval" mapstructure:"check_update_interval"`
 	Checks                      []CheckDefinition        `json:"checks,omitempty" hcl:"checks" mapstructure:"checks"`
 	ClientAddr                  *string                  `json:"client_addr,omitempty" hcl:"client_addr" mapstructure:"client_addr"`
-	Connect                     *Connect                 `json:"connect,omitempty" hcl:"connect" mapstructure:"connect"`
+	Connect                     Connect                  `json:"connect,omitempty" hcl:"connect" mapstructure:"connect"`
 	DNS                         DNS                      `json:"dns_config,omitempty" hcl:"dns_config" mapstructure:"dns_config"`
 	DNSDomain                   *string                  `json:"domain,omitempty" hcl:"domain" mapstructure:"domain"`
 	DNSRecursors                []string                 `json:"recursors,omitempty" hcl:"recursors" mapstructure:"recursors"`
@ -370,12 +370,21 @@ type Connect struct {
 	// Enabled opts the agent into connect. It should be set on all clients and
 	// servers in a cluster for correct connect operation.
 	Enabled       *bool                  `json:"enabled,omitempty" hcl:"enabled" mapstructure:"enabled"`
-	ProxyDefaults *ConnectProxyDefaults  `json:"proxy_defaults,omitempty" hcl:"proxy_defaults" mapstructure:"proxy_defaults"`
+	Proxy         ConnectProxy           `json:"proxy,omitempty" hcl:"proxy" mapstructure:"proxy"`
+	ProxyDefaults ConnectProxyDefaults   `json:"proxy_defaults,omitempty" hcl:"proxy_defaults" mapstructure:"proxy_defaults"`
 	CAProvider    *string                `json:"ca_provider,omitempty" hcl:"ca_provider" mapstructure:"ca_provider"`
 	CAConfig      map[string]interface{} `json:"ca_config,omitempty" hcl:"ca_config" mapstructure:"ca_config"`
 }

-// ConnectProxyDefaults is the agent-global connect proxy configuration.
+// ConnectProxy is the agent-global connect proxy configuration.
+type ConnectProxy struct {
+	// Consul will not execute managed proxies if its EUID is 0 (root).
+	// If this is true, then Consul will execute proxies if Consul is
+	// running as root. This is not recommended.
+	AllowManagedRoot *bool `json:"allow_managed_root" hcl:"allow_managed_root" mapstructure:"allow_managed_root"`
+}
+
+// ConnectProxyDefaults is the agent-global defaults for managed Connect proxies.
 type ConnectProxyDefaults struct {
 	// ExecMode is used where a registration doesn't include an exec_mode.
 	// Defaults to daemon.
--- a/agent/config/runtime.go
+++ b/agent/config/runtime.go
@ -630,6 +630,10 @@ type RuntimeConfig struct {
 	// port is specified.
 	ConnectProxyBindMaxPort int

+	// ConnectProxyAllowManagedRoot is true if Consul can execute managed
+	// proxies when running as root (EUID == 0).
+	ConnectProxyAllowManagedRoot bool
+
 	// ConnectProxyDefaultExecMode is used where a registration doesn't include an
 	// exec_mode. Defaults to daemon.
 	ConnectProxyDefaultExecMode string
--- a/agent/config/runtime_test.go
+++ b/agent/config/runtime_test.go
@ -2070,6 +2070,7 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
 				rt.DataDir = dataDir
 			},
 		},
+
 		{
 			desc: "HCL service managed proxy 'upstreams'",
 			args: []string{
@ -2156,6 +2157,23 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
 				}
 			},
 		},
+
+		{
+			desc: "enabling Connect allow_managed_root",
+			args: []string{
+				`-data-dir=` + dataDir,
+			},
+			json: []string{
+				`{ "connect": { "proxy": { "allow_managed_root": true } } }`,
+			},
+			hcl: []string{
+				`connect { proxy { allow_managed_root = true } }`,
+			},
+			patch: func(rt *RuntimeConfig) {
+				rt.DataDir = dataDir
+				rt.ConnectProxyAllowManagedRoot = true
+			},
+		},
 	}

 	testConfig(t, tests, dataDir)
@ -3519,6 +3537,7 @@ func TestFullConfig(t *testing.T) {
 			"g4cvJyys": "IRLXE9Ds",
 			"hyMy9Oxn": "XeBp4Sis",
 		},
+		ConnectProxyAllowManagedRoot:     false,
 		ConnectProxyDefaultExecMode:      "script",
 		ConnectProxyDefaultDaemonCommand: []string{"consul", "connect", "proxy"},
 		ConnectProxyDefaultScriptCommand: []string{"proxyctl.sh"},
@ -4200,6 +4219,7 @@ func TestSanitize(t *testing.T) {
    "ConnectCAConfig": {},
    "ConnectCAProvider": "",
    "ConnectEnabled": false,
+    "ConnectProxyAllowManagedRoot": false,
    "ConnectProxyBindMaxPort": 0,
    "ConnectProxyBindMinPort": 0,
    "ConnectProxyDefaultConfig": {},