From c2d9041c0f01039577232ac19bdb37539e024153 Mon Sep 17 00:00:00 2001
From: Matt Keeler
Date: Wed, 30 Oct 2019 09:10:11 -0400
Subject: [PATCH] PreVerify acl:read access for listing endpoints (#6696)

We still will need to filter results based on the authorizer too but this helps to give an early 403.
---
 agent/consul/acl_endpoint.go | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)

diff --git a/agent/consul/acl_endpoint.go b/agent/consul/acl_endpoint.go
index 62fa6aafb..ea1a41832 100644
--- a/agent/consul/acl_endpoint.go
+++ b/agent/consul/acl_endpoint.go
@@ -807,10 +807,13 @@ func (a *ACL) TokenList(args *structs.ACLTokenListRequest, reply *structs.ACLTok
 		return err
 	}
 
+	var entCtx acl.EnterpriseAuthorizerContext
+	args.FillAuthzContext(&entCtx)
+
 	rule, err := a.srv.ResolveToken(args.Token)
 	if err != nil {
 		return err
-	} else if rule == nil {
+	} else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
 		return acl.ErrPermissionDenied
 	}
 
@@ -1157,10 +1160,13 @@ func (a *ACL) PolicyList(args *structs.ACLPolicyListRequest, reply *structs.ACLP
 		return err
 	}
 
+	var entCtx acl.EnterpriseAuthorizerContext
+	args.FillAuthzContext(&entCtx)
+
 	rule, err := a.srv.ResolveToken(args.Token)
 	if err != nil {
 		return err
-	} else if rule == nil {
+	} else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
 		return acl.ErrPermissionDenied
 	}
 
@@ -1573,10 +1579,13 @@ func (a *ACL) RoleList(args *structs.ACLRoleListRequest, reply *structs.ACLRoleL
 		return err
 	}
 
+	var entCtx acl.EnterpriseAuthorizerContext
+	args.FillAuthzContext(&entCtx)
+
 	rule, err := a.srv.ResolveToken(args.Token)
 	if err != nil {
 		return err
-	} else if rule == nil {
+	} else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
 		return acl.ErrPermissionDenied
 	}
 
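Review bot: The seven-line pre-check added here (the `var entCtx` declaration through the `acl.ErrPermissionDenied` return) is repeated verbatim in PolicyList, RoleList, BindingRuleList and AuthMethodList within this same commit, so the next adjustment to the authorization rule has five places to drift apart — exactly the kind of copy that lets one endpoint keep an older, weaker check. A small helper on `*ACL` taking the token and the request's `FillAuthzContext` method value would reduce each list endpoint to a two-line call and give the rule one home. The return type below assumes `ResolveToken` yields an `acl.Authorizer`; adjust it to whatever the method actually returns. TokenList begins before and continues after this hunk.
```go
// preVerifyACLRead resolves token and requires an explicit acl:read Allow in
// the authorizer context filled by fillCtx. It only provides an early 403; the
// caller must still filter individual results against the returned authorizer.
func (a *ACL) preVerifyACLRead(token string, fillCtx func(*acl.EnterpriseAuthorizerContext)) (acl.Authorizer, error) {
	var entCtx acl.EnterpriseAuthorizerContext
	fillCtx(&entCtx)

	rule, err := a.srv.ResolveToken(token)
	if err != nil {
		return nil, err
	}
	if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
		return nil, acl.ErrPermissionDenied
	}
	return rule, nil
}

// … in TokenList, replacing the added block and the ResolveToken check …
rule, err := a.preVerifyACLRead(args.Token, args.FillAuthzContext)
if err != nil {
	return err
}
```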
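Review bot: The new `rule.ACLRead(&entCtx)` guard is a coarse, request-scoped pre-check — `entCtx` is populated solely from `args` — yet nothing in the code says so, and the commit description's "we still will need to filter results based on the authorizer" is precisely the caveat that disappears once the commit scrolls out of view. A comment above the `var entCtx` line would stop the next maintainer from mistaking this for the authorization step: `// Early 403 for tokens lacking acl:read in the request's context; this does not replace per-entry filtering of the results against rule.` PolicyList starts before and continues after this hunk, so whether that per-entry filtering is already in place cannot be confirmed from here.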
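Review bot: The new condition is grafted onto an `else if` that hangs off a terminating `return err`, which is the shape Go style guidance steers away from: once the error branch returns, the permission check reads more clearly as its own guard clause than as an alternative to the error case. Replace the `} else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {` line and its braces with `if err != nil { return err }` followed by `if rule == nil || rule.ACLRead(&entCtx) != acl.Allow { return acl.ErrPermissionDenied }`. Behavior is unchanged; RoleList continues outside this hunk.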
@@ -1867,10 +1876,13 @@ func (a *ACL) BindingRuleList(args *structs.ACLBindingRuleListRequest, reply *st
 		return err
 	}
 
+	var entCtx acl.EnterpriseAuthorizerContext
+	args.FillAuthzContext(&entCtx)
+
 	rule, err := a.srv.ResolveToken(args.Token)
 	if err != nil {
 		return err
-	} else if rule == nil {
+	} else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
 		return acl.ErrPermissionDenied
 	}
 
@@ -2073,10 +2085,13 @@ func (a *ACL) AuthMethodList(args *structs.ACLAuthMethodListRequest, reply *stru
 		return err
 	}
 
+	var entCtx acl.EnterpriseAuthorizerContext
+	args.FillAuthzContext(&entCtx)
+
 	rule, err := a.srv.ResolveToken(args.Token)
 	if err != nil {
 		return err
-	} else if rule == nil {
+	} else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
 		return acl.ErrPermissionDenied
 	}
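Review bot: The commit adds an early permission denial to five list endpoints, but the diffstat shows only `agent/consul/acl_endpoint.go` changed, so no test pins the new behavior: a token that resolves but lacks acl:read (and one that resolves to a nil authorizer) should receive `acl.ErrPermissionDenied` from BindingRuleList before any state is read, while a token with acl:read should still list. Without that, a later refactor dropping the `rule.ACLRead(&entCtx) != acl.Allow` clause would pass CI silently and the 403 would quietly regress to a 200 — relying entirely on the per-result filtering the description says is still needed. A table-driven test over the list RPCs with anonymous, read-less and read-capable tokens would cover it. BindingRuleList begins before and continues after this hunk.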