agent/consul: Intention.Get ACLs
This commit is contained in:
parent
fd840da97a
commit
db44a98a2d
|
@ -454,6 +454,33 @@ func (f *aclFilter) filterCoordinates(coords *structs.Coordinates) {
|
||||||
*coords = c
|
*coords = c
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// filterIntentions is used to filter intentions based on ACL rules.
|
||||||
|
// We prune entries the user doesn't have access to, and we redact any tokens
|
||||||
|
// if the user doesn't have a management token.
|
||||||
|
func (f *aclFilter) filterIntentions(ixns *structs.Intentions) {
|
||||||
|
// Management tokens can see everything with no filtering.
|
||||||
|
if f.acl.ACLList() {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Otherwise, we need to see what the token has access to.
|
||||||
|
ret := make(structs.Intentions, 0, len(*ixns))
|
||||||
|
for _, ixn := range *ixns {
|
||||||
|
// If no prefix ACL applies to this then filter it, since
|
||||||
|
// we know at this point the user doesn't have a management
|
||||||
|
// token, otherwise see what the policy says.
|
||||||
|
prefix, ok := ixn.GetACLPrefix()
|
||||||
|
if !ok || !f.acl.IntentionRead(prefix) {
|
||||||
|
f.logger.Printf("[DEBUG] consul: dropping intention %q from result due to ACLs", ixn.ID)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
ret = append(ret, ixn)
|
||||||
|
}
|
||||||
|
|
||||||
|
*ixns = ret
|
||||||
|
}
|
||||||
|
|
||||||
// filterNodeDump is used to filter through all parts of a node dump and
|
// filterNodeDump is used to filter through all parts of a node dump and
|
||||||
// remove elements the provided ACL token cannot access.
|
// remove elements the provided ACL token cannot access.
|
||||||
func (f *aclFilter) filterNodeDump(dump *structs.NodeDump) {
|
func (f *aclFilter) filterNodeDump(dump *structs.NodeDump) {
|
||||||
|
@ -598,6 +625,9 @@ func (s *Server) filterACL(token string, subj interface{}) error {
|
||||||
case *structs.IndexedHealthChecks:
|
case *structs.IndexedHealthChecks:
|
||||||
filt.filterHealthChecks(&v.HealthChecks)
|
filt.filterHealthChecks(&v.HealthChecks)
|
||||||
|
|
||||||
|
case *structs.IndexedIntentions:
|
||||||
|
filt.filterIntentions(&v.Intentions)
|
||||||
|
|
||||||
case *structs.IndexedNodeDump:
|
case *structs.IndexedNodeDump:
|
||||||
filt.filterNodeDump(&v.Dump)
|
filt.filterNodeDump(&v.Dump)
|
||||||
|
|
||||||
|
|
|
@ -168,7 +168,16 @@ func (s *Intention) Get(
|
||||||
reply.Index = index
|
reply.Index = index
|
||||||
reply.Intentions = structs.Intentions{ixn}
|
reply.Intentions = structs.Intentions{ixn}
|
||||||
|
|
||||||
// TODO: acl filtering
|
// Filter
|
||||||
|
if err := s.srv.filterACL(args.Token, reply); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// If ACLs prevented any responses, error
|
||||||
|
if len(reply.Intentions) == 0 {
|
||||||
|
s.srv.logger.Printf("[WARN] consul.intention: Request to get intention '%s' denied due to ACLs", args.IntentionID)
|
||||||
|
return acl.ErrPermissionDenied
|
||||||
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
},
|
},
|
||||||
|
|
|
@ -654,6 +654,96 @@ service "foo" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Test reading with ACLs
|
||||||
|
func TestIntentionGet_acl(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
dir1, s1 := testServerWithConfig(t, func(c *Config) {
|
||||||
|
c.ACLDatacenter = "dc1"
|
||||||
|
c.ACLMasterToken = "root"
|
||||||
|
c.ACLDefaultPolicy = "deny"
|
||||||
|
})
|
||||||
|
defer os.RemoveAll(dir1)
|
||||||
|
defer s1.Shutdown()
|
||||||
|
codec := rpcClient(t, s1)
|
||||||
|
defer codec.Close()
|
||||||
|
|
||||||
|
testrpc.WaitForLeader(t, s1.RPC, "dc1")
|
||||||
|
|
||||||
|
// Create an ACL with service write permissions. This will grant
|
||||||
|
// intentions read.
|
||||||
|
var token string
|
||||||
|
{
|
||||||
|
var rules = `
|
||||||
|
service "foo" {
|
||||||
|
policy = "write"
|
||||||
|
}`
|
||||||
|
|
||||||
|
req := structs.ACLRequest{
|
||||||
|
Datacenter: "dc1",
|
||||||
|
Op: structs.ACLSet,
|
||||||
|
ACL: structs.ACL{
|
||||||
|
Name: "User token",
|
||||||
|
Type: structs.ACLTypeClient,
|
||||||
|
Rules: rules,
|
||||||
|
},
|
||||||
|
WriteRequest: structs.WriteRequest{Token: "root"},
|
||||||
|
}
|
||||||
|
if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil {
|
||||||
|
t.Fatalf("err: %v", err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Setup a basic record to create
|
||||||
|
ixn := structs.IntentionRequest{
|
||||||
|
Datacenter: "dc1",
|
||||||
|
Op: structs.IntentionOpCreate,
|
||||||
|
Intention: structs.TestIntention(t),
|
||||||
|
}
|
||||||
|
ixn.Intention.DestinationName = "foobar"
|
||||||
|
ixn.WriteRequest.Token = "root"
|
||||||
|
|
||||||
|
// Create
|
||||||
|
var reply string
|
||||||
|
if err := msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply); err != nil {
|
||||||
|
t.Fatalf("err: %v", err)
|
||||||
|
}
|
||||||
|
ixn.Intention.ID = reply
|
||||||
|
|
||||||
|
// Read without token should be error
|
||||||
|
{
|
||||||
|
req := &structs.IntentionQueryRequest{
|
||||||
|
Datacenter: "dc1",
|
||||||
|
IntentionID: ixn.Intention.ID,
|
||||||
|
}
|
||||||
|
|
||||||
|
var resp structs.IndexedIntentions
|
||||||
|
err := msgpackrpc.CallWithCodec(codec, "Intention.Get", req, &resp)
|
||||||
|
if !acl.IsErrPermissionDenied(err) {
|
||||||
|
t.Fatalf("bad: %v", err)
|
||||||
|
}
|
||||||
|
if len(resp.Intentions) != 0 {
|
||||||
|
t.Fatalf("bad: %v", resp)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Read with token should work
|
||||||
|
{
|
||||||
|
req := &structs.IntentionQueryRequest{
|
||||||
|
Datacenter: "dc1",
|
||||||
|
IntentionID: ixn.Intention.ID,
|
||||||
|
QueryOptions: structs.QueryOptions{Token: token},
|
||||||
|
}
|
||||||
|
|
||||||
|
var resp structs.IndexedIntentions
|
||||||
|
if err := msgpackrpc.CallWithCodec(codec, "Intention.Get", req, &resp); err != nil {
|
||||||
|
t.Fatalf("err: %v", err)
|
||||||
|
}
|
||||||
|
if len(resp.Intentions) != 1 {
|
||||||
|
t.Fatalf("bad: %v", resp)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func TestIntentionList(t *testing.T) {
|
func TestIntentionList(t *testing.T) {
|
||||||
t.Parallel()
|
t.Parallel()
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue