79 lines
2.4 KiB
Go
79 lines
2.4 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
package state
|
|
|
|
import (
|
|
memdb "github.com/hashicorp/go-memdb"
|
|
|
|
"github.com/hashicorp/consul/agent/consul/stream"
|
|
"github.com/hashicorp/consul/agent/structs"
|
|
)
|
|
|
|
// aclChangeUnsubscribeEvent creates and returns stream.UnsubscribeEvents that
|
|
// are used to unsubscribe any subscriptions which match the tokens from the events.
|
|
//
|
|
// These are special events that will never be returned to a subscriber.
|
|
func aclChangeUnsubscribeEvent(tx ReadTxn, changes Changes) ([]stream.Event, error) {
|
|
var secretIDs []string
|
|
|
|
for _, change := range changes.Changes {
|
|
switch change.Table {
|
|
case tableACLTokens:
|
|
token := changeObject(change).(*structs.ACLToken)
|
|
secretIDs = append(secretIDs, token.SecretID)
|
|
|
|
case tableACLRoles:
|
|
role := changeObject(change).(*structs.ACLRole)
|
|
tokens, err := aclTokenListByRole(tx, role.ID, &role.EnterpriseMeta)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
secretIDs = appendSecretIDsFromTokenIterator(secretIDs, tokens)
|
|
|
|
case tableACLPolicies:
|
|
policy := changeObject(change).(*structs.ACLPolicy)
|
|
tokens, err := aclTokenListByPolicy(tx, policy.ID, &policy.EnterpriseMeta)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
secretIDs = appendSecretIDsFromTokenIterator(secretIDs, tokens)
|
|
|
|
q := Query{Value: policy.ID, EnterpriseMeta: policy.EnterpriseMeta}
|
|
roles, err := tx.Get(tableACLRoles, indexPolicies, q)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
for role := roles.Next(); role != nil; role = roles.Next() {
|
|
role := role.(*structs.ACLRole)
|
|
|
|
tokens, err := aclTokenListByRole(tx, role.ID, &policy.EnterpriseMeta)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
secretIDs = appendSecretIDsFromTokenIterator(secretIDs, tokens)
|
|
}
|
|
}
|
|
}
|
|
// There may be duplicate secretIDs here. We rely on this event allowing
|
|
// for duplicate IDs.
|
|
return []stream.Event{stream.NewCloseSubscriptionEvent(secretIDs)}, nil
|
|
}
|
|
|
|
// changeObject returns the object before it was deleted if the change was a delete,
|
|
// otherwise returns the object after the change.
|
|
func changeObject(change memdb.Change) interface{} {
|
|
if change.Deleted() {
|
|
return change.Before
|
|
}
|
|
return change.After
|
|
}
|
|
|
|
func appendSecretIDsFromTokenIterator(seq []string, tokens memdb.ResultIterator) []string {
|
|
for token := tokens.Next(); token != nil; token = tokens.Next() {
|
|
token := token.(*structs.ACLToken)
|
|
seq = append(seq, token.SecretID)
|
|
}
|
|
return seq
|
|
}
|