From 8dba52cee229a6e3f421cbf2f96beb9adb257004 Mon Sep 17 00:00:00 2001
From: Derek Strickland <1111455+DerekStrickland@users.noreply.github.com>
Date: Thu, 18 Aug 2022 16:33:00 -0400
Subject: [PATCH] sentinel: add support for Nomad ACL Token and Namespace (#14171)
* sentinel: add ability to reference Nomad ACL Token and Namespace in Sentinel policies
---
 .changelog/14171.txt | 3 +++
 nomad/job_endpoint.go | 34 +++++++++++++++++++++++-----------
 nomad/job_endpoint_oss.go | 2 +-
 3 files changed, 27 insertions(+), 12 deletions(-)
 create mode 100644 .changelog/14171.txt
diff --git a/.changelog/14171.txt b/.changelog/14171.txt
new file mode 100644
index 000000000..ca84601d6
--- /dev/null
+++ b/.changelog/14171.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+sentinel: add the ability to reference the namespace and Nomad acl token in policies
+```
diff --git a/nomad/job_endpoint.go b/nomad/job_endpoint.go
index cf93971e6..311857787 100644
--- a/nomad/job_endpoint.go
+++ b/nomad/job_endpoint.go
@@ -104,12 +104,12 @@ func (j *Job) Register(args *structs.JobRegisterRequest, reply *structs.JobRegis
 
 // Attach the Nomad token's accessor ID so that deploymentwatcher
 // can reference the token later
- tokenID, err := j.srv.ResolveSecretToken(args.AuthToken)
+ nomadACLToken, err := j.srv.ResolveSecretToken(args.AuthToken)
 if err != nil {
 return err
 }
- if tokenID != nil {
- args.Job.NomadTokenID = tokenID.AccessorID
+ if nomadACLToken != nil {
+ args.Job.NomadTokenID = nomadACLToken.AccessorID
 }
 
 // Set the warning message
@@ -273,7 +273,11 @@ func (j *Job) Register(args *structs.JobRegisterRequest, reply *structs.JobRegis
 
 // Enforce Sentinel policies. Pass a copy of the job to prevent
 // sentinel from altering it.
- policyWarnings, err := j.enforceSubmitJob(args.PolicyOverride, args.Job.Copy())
+ ns, err := snap.NamespaceByName(nil, args.RequestNamespace())
+ if err != nil {
+ return err
+ }
+ policyWarnings, err := j.enforceSubmitJob(args.PolicyOverride, args.Job.Copy(), nomadACLToken, ns)
 if err != nil {
 return err
 }
@@ -1623,8 +1627,22 @@ func (j *Job) Plan(args *structs.JobPlanRequest, reply *structs.JobPlanResponse)
 }
 }
 
+ // Acquire a snapshot of the state
+ snap, err := j.srv.fsm.State().Snapshot()
+ if err != nil {
+ return err
+ }
+
 // Enforce Sentinel policies
- policyWarnings, err := j.enforceSubmitJob(args.PolicyOverride, args.Job)
+ nomadACLToken, err := snap.ACLTokenBySecretID(nil, args.AuthToken)
+ if err != nil && !strings.Contains(err.Error(), "missing secret id") {
+ return err
+ }
+ ns, err := snap.NamespaceByName(nil, args.RequestNamespace())
+ if err != nil {
+ return err
+ }
+ policyWarnings, err := j.enforceSubmitJob(args.PolicyOverride, args.Job, nomadACLToken, ns)
 if err != nil {
 return err
 }
@@ -1633,12 +1651,6 @@ func (j *Job) Plan(args *structs.JobPlanRequest, reply *structs.JobPlanResponse)
 reply.Warnings = structs.MergeMultierrorWarnings(warnings...)
 }
 
- // Acquire a snapshot of the state
- snap, err := j.srv.fsm.State().Snapshot()
- if err != nil {
- return err
- }
-
 // Interpolate the job for this region
 err = j.interpolateMultiregionFields(args)
 if err != nil {
diff --git a/nomad/job_endpoint_oss.go b/nomad/job_endpoint_oss.go
index 7f2b56c78..d80281a3b 100644
--- a/nomad/job_endpoint_oss.go
+++ b/nomad/job_endpoint_oss.go
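Review bot: The new `ns, err := snap.NamespaceByName(nil, args.RequestNamespace())` line in the @@ -273 hunk only returns on a lookup error; as far as I can tell a namespace that does not exist yields a nil `ns` with no error, so the next line can hand a nil namespace to enforceSubmitJob. Unless Register has already rejected unknown namespaces before this hunk (the function starts and ends outside it, and both `snap` and `nomadACLToken` come from earlier lines), add `if ns == nil { return fmt.Errorf("namespace %q does not exist", args.RequestNamespace()) }` before the enforceSubmitJob call, assuming fmt is already imported in this file. The same lookup is repeated without a nil check in the Plan hunk (@@ -1623) and needs the same guard. The OSS enforceSubmitJob ignores the argument, so this matters only for an implementation that dereferences it, which I cannot see from this diff.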
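Review bot: In the @@ -1623 hunk, `if err != nil && !strings.Contains(err.Error(), "missing secret id")` decides that no token was supplied by matching the state store's error text, which couples Plan to that message and would also hide any other failure whose text happens to contain it. Register, in the first hunk of this file, resolves the same request token with `nomadACLToken, err := j.srv.ResolveSecretToken(args.AuthToken)`, so Plan should use that path too, or at least skip the lookup based on the input (`if args.AuthToken != ""`) rather than on the message, so the two RPCs evaluate Sentinel against the same notion of the caller's token. Note that `strings` must already be imported in job_endpoint.go, which this hunk does not show, and that Plan begins and ends outside the hunk.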
@@ -8,7 +8,7 @@ import (
 )
 
 // enforceSubmitJob is used to check any Sentinel policies for the submit-job scope
-func (j *Job) enforceSubmitJob(override bool, job *structs.Job) (error, error) {
+func (j *Job) enforceSubmitJob(override bool, job *structs.Job, nomadACLToken *structs.ACLToken, ns *structs.Namespace) (error, error) {
 return nil, nil
 }
 
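Review bot: The doc comment above `enforceSubmitJob` still describes only the old two-parameter contract, and because the OSS body ignores the new arguments nothing tells an implementer whether nil is allowed. Both call sites in nomad/job_endpoint.go can pass nil (Register's `nomadACLToken` is nil when ResolveSecretToken returns none, and `ns` appears to be nil for an unknown namespace), so extend the comment to: `// enforceSubmitJob is used to check any Sentinel policies for the submit-job scope. nomadACLToken and ns are the submitter's resolved ACL token and namespace; either may be nil. The OSS build performs no enforcement.` If the enterprise implementation exposes `nomadACLToken` to policy evaluation, keep in mind that the token struct carries the secret ID alongside the accessor ID, so passing a copy with the secret cleared, or only the accessor ID, type and policy names, avoids making submitters' secrets readable from policy code. I cannot see that implementation from this diff, so treat this as a point to confirm rather than a defect.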