luxolus
/
open-nomad
2
0
Fork 0
Code Issues 1 Pull Requests Packages Releases Wiki Activity

Merge pull request #6391 from hashicorp/b-ns-job-register-check 

nomad: defensive check for namespaces in job registration call
This commit is contained in:
Mahmood Ali 2019-09-27 14:39:44 -04:00 committed by GitHub
parent bdccad567c 674a457865
commit 4a93081275
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 21 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
client/fs_endpoint_test.go
View File

@ -905,6 +905,7 @@ func TestFS_Logs_TaskPending(t *testing.T) {
args := &structs.JobRegisterRequest{}
args.Job = job
args.WriteRequest.Region = "global"
args.Namespace = job.Namespace
var jobResp structs.JobRegisterResponse
require.NoError(s.RPC("Job.Register", args, &jobResp))

10
nomad/job_endpoint.go
View File

@ -88,6 +88,11 @@ func (j *Job) Register(args *structs.JobRegisterRequest, reply *structs.JobRegis
return fmt.Errorf("missing job for registration")
}
// defensive check; http layer and RPC requester should ensure namespaces are set consistently
if args.RequestNamespace() != args.Job.Namespace {
return fmt.Errorf("mismatched request namespace in request: %q, %q", args.RequestNamespace(), args.Job.Namespace)
}
// Run admission controllers
job, warnings, err := j.admissionControllers(args.Job)
if err != nil {
@ -343,6 +348,11 @@ func (j *Job) Summary(args *structs.JobSummaryRequest,
func (j *Job) Validate(args *structs.JobValidateRequest, reply *structs.JobValidateResponse) error {
defer metrics.MeasureSince([]string{"nomad", "job", "validate"}, time.Now())
// defensive check; http layer and RPC requester should ensure namespaces are set consistently
if args.RequestNamespace() != args.Job.Namespace {
return fmt.Errorf("mismatched request namespace in request: %q, %q", args.RequestNamespace(), args.Job.Namespace)
}
job, mutateWarnings, err := j.admissionMutators(args.Job)
if err != nil {
return err

10
nomad/job_endpoint_test.go
View File

@ -364,7 +364,10 @@ func TestJobEndpoint_Register_ACL(t *testing.T) {
codec := rpcClient(t, s1)
req := &structs.JobRegisterRequest{
Job: tt.Job,
WriteRequest: structs.WriteRequest{Region: "global"},
WriteRequest: structs.WriteRequest{
Region: "global",
Namespace: tt.Job.Namespace,
},
}
req.AuthToken = tt.Token
@ -408,7 +411,10 @@ func TestJobEndpoint_Register_InvalidNamespace(t *testing.T) {
job.Namespace = "foo"
req := &structs.JobRegisterRequest{
Job: job,
WriteRequest: structs.WriteRequest{Region: "global"},
WriteRequest: structs.WriteRequest{
Region: "global",
Namespace: job.Namespace,
},
}
// Try without a token, expect failure