acl: remove many instances of authz == nil
This commit is contained in:
Daniel Nephin
parent
bbc05ae869
commit
b6d9d0d9f7
|
|
@ -293,7 +293,7 @@ func (a *ACL) TokenRead(args *structs.ACLTokenGetRequest, reply *structs.ACLToke
|
||||||
// secrets will be redacted
|
// secrets will be redacted
|
||||||
if authz, err = a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
|
if authz, err = a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
|
||||||
return err
|
return err
|
||||||
} else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
|
} else if authz.ACLRead(&authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -358,7 +358,7 @@ func (a *ACL) TokenClone(args *structs.ACLTokenSetRequest, reply *structs.ACLTok
|
||||||
authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.ACLToken.EnterpriseMeta, &authzContext)
|
authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.ACLToken.EnterpriseMeta, &authzContext)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
} else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
|
} else if authz.ACLWrite(&authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -429,7 +429,7 @@ func (a *ACL) TokenSet(args *structs.ACLTokenSetRequest, reply *structs.ACLToken
|
||||||
var authzContext acl.AuthorizerContext
|
var authzContext acl.AuthorizerContext
|
||||||
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.ACLToken.EnterpriseMeta, &authzContext); err != nil {
|
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.ACLToken.EnterpriseMeta, &authzContext); err != nil {
|
||||||
return err
|
return err
|
||||||
} else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
|
} else if authz.ACLWrite(&authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -835,7 +835,7 @@ func (a *ACL) TokenDelete(args *structs.ACLTokenDeleteRequest, reply *string) er
|
||||||
var authzContext acl.AuthorizerContext
|
var authzContext acl.AuthorizerContext
|
||||||
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
|
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
|
||||||
return err
|
return err
|
||||||
} else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
|
} else if authz.ACLWrite(&authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -924,7 +924,7 @@ func (a *ACL) TokenList(args *structs.ACLTokenListRequest, reply *structs.ACLTok
|
||||||
// merge the token default meta into the requests meta
|
// merge the token default meta into the requests meta
|
||||||
args.EnterpriseMeta.Merge(&requestMeta)
|
args.EnterpriseMeta.Merge(&requestMeta)
|
||||||
args.EnterpriseMeta.FillAuthzContext(&authzContext)
|
args.EnterpriseMeta.FillAuthzContext(&authzContext)
|
||||||
if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
|
if authz.ACLRead(&authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -1035,7 +1035,7 @@ func (a *ACL) PolicyRead(args *structs.ACLPolicyGetRequest, reply *structs.ACLPo
|
||||||
var authzContext acl.AuthorizerContext
|
var authzContext acl.AuthorizerContext
|
||||||
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
|
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
|
||||||
return err
|
return err
|
||||||
} else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
|
} else if authz.ACLRead(&authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -1115,7 +1115,7 @@ func (a *ACL) PolicySet(args *structs.ACLPolicySetRequest, reply *structs.ACLPol
|
||||||
|
|
||||||
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.Policy.EnterpriseMeta, &authzContext); err != nil {
|
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.Policy.EnterpriseMeta, &authzContext); err != nil {
|
||||||
return err
|
return err
|
||||||
} else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
|
} else if authz.ACLWrite(&authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -1246,7 +1246,7 @@ func (a *ACL) PolicyDelete(args *structs.ACLPolicyDeleteRequest, reply *string)
|
||||||
|
|
||||||
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
|
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
|
||||||
return err
|
return err
|
||||||
} else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
|
} else if authz.ACLWrite(&authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -1297,7 +1297,7 @@ func (a *ACL) PolicyList(args *structs.ACLPolicyListRequest, reply *structs.ACLP
|
||||||
authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
|
authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
} else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
|
} else if authz.ACLRead(&authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -1469,7 +1469,7 @@ func (a *ACL) RoleRead(args *structs.ACLRoleGetRequest, reply *structs.ACLRoleRe
|
||||||
|
|
||||||
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
|
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
|
||||||
return err
|
return err
|
||||||
} else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
|
} else if authz.ACLRead(&authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -1549,7 +1549,7 @@ func (a *ACL) RoleSet(args *structs.ACLRoleSetRequest, reply *structs.ACLRole) e
|
||||||
|
|
||||||
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.Role.EnterpriseMeta, &authzContext); err != nil {
|
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.Role.EnterpriseMeta, &authzContext); err != nil {
|
||||||
return err
|
return err
|
||||||
} else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
|
} else if authz.ACLWrite(&authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -1707,7 +1707,7 @@ func (a *ACL) RoleDelete(args *structs.ACLRoleDeleteRequest, reply *string) erro
|
||||||
|
|
||||||
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
|
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
|
||||||
return err
|
return err
|
||||||
} else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
|
} else if authz.ACLWrite(&authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -1754,7 +1754,7 @@ func (a *ACL) RoleList(args *structs.ACLRoleListRequest, reply *structs.ACLRoleL
|
||||||
authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
|
authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
} else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
|
} else if authz.ACLRead(&authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -1853,7 +1853,7 @@ func (a *ACL) BindingRuleRead(args *structs.ACLBindingRuleGetRequest, reply *str
|
||||||
authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
|
authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
} else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
|
} else if authz.ACLRead(&authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -1894,7 +1894,7 @@ func (a *ACL) BindingRuleSet(args *structs.ACLBindingRuleSetRequest, reply *stru
|
||||||
// Verify token is permitted to modify ACLs
|
// Verify token is permitted to modify ACLs
|
||||||
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.BindingRule.EnterpriseMeta, &authzContext); err != nil {
|
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.BindingRule.EnterpriseMeta, &authzContext); err != nil {
|
||||||
return err
|
return err
|
||||||
} else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
|
} else if authz.ACLWrite(&authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -2023,7 +2023,7 @@ func (a *ACL) BindingRuleDelete(args *structs.ACLBindingRuleDeleteRequest, reply
|
||||||
// Verify token is permitted to modify ACLs
|
// Verify token is permitted to modify ACLs
|
||||||
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
|
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
|
||||||
return err
|
return err
|
||||||
} else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
|
} else if authz.ACLWrite(&authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -2071,7 +2071,7 @@ func (a *ACL) BindingRuleList(args *structs.ACLBindingRuleListRequest, reply *st
|
||||||
authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
|
authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
} else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
|
} else if authz.ACLRead(&authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -2110,7 +2110,7 @@ func (a *ACL) AuthMethodRead(args *structs.ACLAuthMethodGetRequest, reply *struc
|
||||||
|
|
||||||
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
|
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
|
||||||
return err
|
return err
|
||||||
} else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
|
} else if authz.ACLRead(&authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -2155,7 +2155,7 @@ func (a *ACL) AuthMethodSet(args *structs.ACLAuthMethodSetRequest, reply *struct
|
||||||
|
|
||||||
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.AuthMethod.EnterpriseMeta, &authzContext); err != nil {
|
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.AuthMethod.EnterpriseMeta, &authzContext); err != nil {
|
||||||
return err
|
return err
|
||||||
} else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
|
} else if authz.ACLWrite(&authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -2267,7 +2267,7 @@ func (a *ACL) AuthMethodDelete(args *structs.ACLAuthMethodDeleteRequest, reply *
|
||||||
|
|
||||||
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
|
if authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext); err != nil {
|
||||||
return err
|
return err
|
||||||
} else if authz == nil || authz.ACLWrite(&authzContext) != acl.Allow {
|
} else if authz.ACLWrite(&authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -2321,7 +2321,7 @@ func (a *ACL) AuthMethodList(args *structs.ACLAuthMethodListRequest, reply *stru
|
||||||
authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
|
authz, err := a.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
} else if authz == nil || authz.ACLRead(&authzContext) != acl.Allow {
|
} else if authz.ACLRead(&authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -157,7 +157,7 @@ func (k *KVS) Get(args *structs.KeyRequest, reply *structs.IndexedDirEntries) er
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if authz != nil && authz.KeyRead(args.Key, &authzContext) != acl.Allow {
|
if authz.KeyRead(args.Key, &authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -194,7 +194,7 @@ func (k *KVS) List(args *structs.KeyRequest, reply *structs.IndexedDirEntries) e
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if authz != nil && k.srv.config.ACLEnableKeyListPolicy && authz.KeyList(args.Key, &authzContext) != acl.Allow {
|
if k.srv.config.ACLEnableKeyListPolicy && authz.KeyList(args.Key, &authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -206,9 +206,7 @@ func (k *KVS) List(args *structs.KeyRequest, reply *structs.IndexedDirEntries) e
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if authz != nil {
|
ent = FilterDirEnt(authz, ent)
|
||||||
ent = FilterDirEnt(authz, ent)
|
|
||||||
}
|
|
||||||
|
|
||||||
if len(ent) == 0 {
|
if len(ent) == 0 {
|
||||||
// Must provide non-zero index to prevent blocking
|
// Must provide non-zero index to prevent blocking
|
||||||
|
|
|
||||||
|
|
@ -75,9 +75,7 @@ func (h *Server) Subscribe(req *pbsubscribe.SubscribeRequest, serverStream pbsub
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
var ok bool
|
if !event.Payload.HasReadPermission(authz) {
|
||||||
event, ok = filterByAuth(authz, event)
|
|
||||||
if !ok {
|
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -126,16 +124,6 @@ func forwardToDC(
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// filterByAuth to only those Events allowed by the acl token.
|
|
||||||
func filterByAuth(authz acl.Authorizer, event stream.Event) (stream.Event, bool) {
|
|
||||||
// authz will be nil when ACLs are disabled
|
|
||||||
if authz == nil {
|
|
||||||
return event, true
|
|
||||||
}
|
|
||||||
|
|
||||||
return event, event.Payload.HasReadPermission(authz)
|
|
||||||
}
|
|
||||||
|
|
||||||
func newEventFromStreamEvent(event stream.Event) *pbsubscribe.Event {
|
func newEventFromStreamEvent(event stream.Event) *pbsubscribe.Event {
|
||||||
e := &pbsubscribe.Event{Index: event.Index}
|
e := &pbsubscribe.Event{Index: event.Index}
|
||||||
switch {
|
switch {
|
||||||
|
|
|
||||||
|
|
@ -298,9 +298,6 @@ func (x *Intention) Validate() error {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ixn *Intention) CanRead(authz acl.Authorizer) bool {
|
func (ixn *Intention) CanRead(authz acl.Authorizer) bool {
|
||||||
if authz == nil {
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
var authzContext acl.AuthorizerContext
|
var authzContext acl.AuthorizerContext
|
||||||
|
|
||||||
// Read access on either end of the intention allows you to read the
|
// Read access on either end of the intention allows you to read the
|
||||||
|
|
@ -325,11 +322,12 @@ func (ixn *Intention) CanRead(authz acl.Authorizer) bool {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ixn *Intention) CanWrite(authz acl.Authorizer) bool {
|
func (ixn *Intention) CanWrite(authz acl.Authorizer) bool {
|
||||||
if authz == nil || authz == acl.ManageAll() {
|
if authz == acl.ManageAll() {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
var authzContext acl.AuthorizerContext
|
var authzContext acl.AuthorizerContext
|
||||||
|
|
||||||
|
// TODO: this line seems to require checking 'authz == acl.ManageAll()' above
|
||||||
if ixn.DestinationName == "" {
|
if ixn.DestinationName == "" {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue