luxolus
/
open-consul
2
0
Fork 0
Code Issues 1 Pull Requests Packages Releases Wiki Activity

Allow the PolicyResolve and RoleResolve endpoints to process na… (#7296)

This commit is contained in:
Matt Keeler 2020-02-13 14:55:27 -05:00 committed by GitHub
parent 0cdc75a6e3
commit be0d6efac9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 40 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
agent/consul/acl_endpoint.go
View File

@ -1249,13 +1249,27 @@ func (a *ACL) PolicyResolve(args *structs.ACLPolicyBatchGetRequest, reply *struc
return err
}
entIdentity, entPolicies, err := a.srv.acls.resolveEnterpriseIdentityAndPolicies(identity)
if err != nil {
return err
}
idMap := make(map[string]*structs.ACLPolicy)
for _, policyID := range identity.PolicyIDs() {
idMap[policyID] = nil
}
if entIdentity != nil {
for _, policyID := range entIdentity.PolicyIDs() {
idMap[policyID] = nil
}
}
for _, policy := range policies {
idMap[policy.ID] = policy
}
for _, policy := range entPolicies {
idMap[policy.ID] = policy
}
for _, policyID := range args.PolicyIDs {
if policy, ok := idMap[policyID]; ok {
@ -1679,13 +1693,27 @@ func (a *ACL) RoleResolve(args *structs.ACLRoleBatchGetRequest, reply *structs.A
return err
}
entIdentity, entRoles, err := a.srv.acls.resolveEnterpriseIdentityAndRoles(identity)
if err != nil {
return err
}
idMap := make(map[string]*structs.ACLRole)
for _, roleID := range identity.RoleIDs() {
idMap[roleID] = nil
}
if entIdentity != nil {
for _, roleID := range entIdentity.RoleIDs() {
idMap[roleID] = nil
}
}
for _, role := range roles {
idMap[role.ID] = role
}
for _, role := range entRoles {
idMap[role.ID] = role
}
for _, roleID := range args.RoleIDs {
if role, ok := idMap[roleID]; ok {

12
agent/consul/acl_oss.go
View File

@ -24,3 +24,15 @@ func newACLConfig(hclog.Logger) *acl.Config {
func (r *ACLResolver) resolveEnterpriseDefaultsForIdentity(identity structs.ACLIdentity) (acl.Authorizer, error) {
return nil, nil
}
// resolveEnterpriseIdentityAndRoles will resolve an enterprise identity to an additional set of roles
func (_ *ACLResolver) resolveEnterpriseIdentityAndRoles(_ structs.ACLIdentity) (structs.ACLIdentity, structs.ACLRoles, error) {
// this function does nothing in OSS
return nil, nil, nil
}
// resolveEnterpriseIdentityAndPolicies will resolve an enterprise identity to an additional set of policies
func (_ *ACLResolver) resolveEnterpriseIdentityAndPolicies(_ structs.ACLIdentity) (structs.ACLIdentity, structs.ACLPolicies, error) {
// this function does nothing in OSS
return nil, nil, nil
}