This commit is contained in:
Alex Dadgar 2017-09-27 13:42:56 -07:00
parent 14e6026938
commit 765b030bec
2 changed files with 15 additions and 5 deletions

View file

@ -627,6 +627,11 @@ func (a *ACL) GetToken(args *structs.ACLTokenSpecificRequest, reply *structs.Sin
return err
}
// Ensure ACLs are enabled and this call is made with one
if acl == nil {
return structs.ErrPermissionDenied
}
// Setup the blocking query
opts := blockingOptions{
queryOpts: &args.QueryOptions,
@ -638,12 +643,17 @@ func (a *ACL) GetToken(args *structs.ACLTokenSpecificRequest, reply *structs.Sin
return err
}
// Check management level permissions or that the secret ID matches the
// accessor ID
if acl != nil && out != nil {
if !acl.IsManagement() && out.SecretID != args.SecretID {
if out == nil {
// If the token doesn't resolve, only allow management tokens to
// block.
if !acl.IsManagement() {
return structs.ErrPermissionDenied
}
// Check management level permissions or that the secret ID matches the
// accessor ID
} else if !acl.IsManagement() && out.SecretID != args.SecretID {
return structs.ErrPermissionDenied
}
// Setup the output

View file

@ -241,7 +241,7 @@ The table below shows this endpoint's support for
| Blocking Queries | Consistency Modes | ACL Required |
| ---------------- | ----------------- | ------------ |
| `YES` | `all` | `management` for query other tokens<br>Matching SecretID to AccessorID for querying self |
| `YES` | `all` | `management` or a SecretID matching the AccessorID |
### Sample Request