Allow querying self token

This PR allows querying self ACL token when the SecretID is for the AccessorID in question.
2017-09-25 14:36:19 -07:00 · 2017-09-25 14:36:19 -07:00 · 14e6026938
parent e8629773a2
commit 14e6026938
3 changed files with 21 additions and 5 deletions
--- a/nomad/acl_endpoint.go
+++ b/nomad/acl_endpoint.go
@ -622,11 +622,9 @@ func (a *ACL) GetToken(args *structs.ACLTokenSpecificRequest, reply *structs.Sin
 	}
 	defer metrics.MeasureSince([]string{"nomad", "acl", "get_token"}, time.Now())

-	// Check management level permissions
-	if acl, err := a.srv.resolveToken(args.SecretID); err != nil {
+	acl, err := a.srv.resolveToken(args.SecretID)
+	if err != nil {
 		return err
-	} else if acl == nil || !acl.IsManagement() {
-		return structs.ErrPermissionDenied
 	}

 	// Setup the blocking query
@ -640,6 +638,14 @@ func (a *ACL) GetToken(args *structs.ACLTokenSpecificRequest, reply *structs.Sin
 				return err
 			}

+			// Check management level permissions or that the secret ID matches the
+			// accessor ID
+			if acl != nil && out != nil {
+				if !acl.IsManagement() && out.SecretID != args.SecretID {
+					return structs.ErrPermissionDenied
+				}
+			}
+
 			// Setup the output
 			reply.Token = out
 			if out != nil {
--- a/nomad/acl_endpoint_test.go
+++ b/nomad/acl_endpoint_test.go
@ -509,6 +509,16 @@ func TestACLEndpoint_GetToken(t *testing.T) {
 	}
 	assert.Equal(t, uint64(1000), resp.Index)
 	assert.Nil(t, resp.Token)
+
+	// Lookup the token by accessor id using the tokens secret ID
+	get.AccessorID = token.AccessorID
+	get.SecretID = token.SecretID
+	var resp2 structs.SingleACLTokenResponse
+	if err := msgpackrpc.CallWithCodec(codec, "ACL.GetToken", get, &resp2); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	assert.Equal(t, uint64(1000), resp2.Index)
+	assert.Equal(t, token, resp2.Token)
 }

 func TestACLEndpoint_GetToken_Blocking(t *testing.T) {
--- a/website/source/api/acl-tokens.html.md
+++ b/website/source/api/acl-tokens.html.md
@ -241,7 +241,7 @@ The table below shows this endpoint's support for

 | Blocking Queries | Consistency Modes | ACL Required |
 | ---------------- | ----------------- | ------------ |
-| `YES`            | `all`             | `management` |
+| `YES`            | `all`             | `management` for query other tokens<br>Matching SecretID to AccessorID for querying self |

 ### Sample Request