From f912619157ac0a0782a9103ef585cebe28457a61 Mon Sep 17 00:00:00 2001 From: Chelsea Holland Komlo Date: Tue, 26 Sep 2017 17:38:03 +0000 Subject: [PATCH 1/3] add ACL for GetJob endpoint --- nomad/job_endpoint.go | 7 +++++ nomad/job_endpoint_test.go | 57 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 64 insertions(+) diff --git a/nomad/job_endpoint.go b/nomad/job_endpoint.go index a788f57aa..9e629f550 100644 --- a/nomad/job_endpoint.go +++ b/nomad/job_endpoint.go @@ -632,6 +632,13 @@ func (j *Job) GetJob(args *structs.JobSpecificRequest, } defer metrics.MeasureSince([]string{"nomad", "job", "get_job"}, time.Now()) + // Check for read-job permissions + if aclObj, err := j.srv.resolveToken(args.SecretID); err != nil { + return err + } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilityReadJob) { + return structs.ErrPermissionDenied + } + // Setup the blocking query opts := blockingOptions{ queryOpts: &args.QueryOptions, diff --git a/nomad/job_endpoint_test.go b/nomad/job_endpoint_test.go index 5cac4b670..1b03e57d0 100644 --- a/nomad/job_endpoint_test.go +++ b/nomad/job_endpoint_test.go @@ -1718,6 +1718,63 @@ func TestJobEndpoint_GetJob(t *testing.T) { } } +func TestJobEndpoint_GetJob_ACL(t *testing.T) { + t.Parallel() + assert := assert.New(t) + + s1, root := testACLServer(t, nil) + defer s1.Shutdown() + codec := rpcClient(t, s1) + testutil.WaitForLeader(t, s1.RPC) + state := s1.fsm.State() + + // Create the job + job := mock.Job() + err := state.UpsertJob(1000, job) + assert.Nil(err) + + // Lookup the job + get := &structs.JobSpecificRequest{ + JobID: job.ID, + QueryOptions: structs.QueryOptions{ + Region: "global", + Namespace: job.Namespace, + }, + } + + // Looking up the job without a token should fail + var resp structs.SingleJobResponse + err = msgpackrpc.CallWithCodec(codec, "Job.GetJob", get, &resp) + assert.NotNil(err) + + // Expect failure for request with an invalid token + invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid", + NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) + + get.SecretID = invalidToken.SecretID + var invalidResp structs.SingleJobResponse + err = msgpackrpc.CallWithCodec(codec, "Job.GetJob", get, &invalidResp) + assert.NotNil(err) + + // Looking up the job with a management token should succeed + get.SecretID = root.SecretID + var validResp structs.SingleJobResponse + err = msgpackrpc.CallWithCodec(codec, "Job.GetJob", get, &validResp) + assert.Nil(err) + assert.Equal(job.ID, validResp.Job.ID) + + // Looking up the job with a valid token should succeed + validToken := CreatePolicyAndToken(t, state, 1005, "test-valid", + NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) + + get.SecretID = validToken.SecretID + var validResp2 structs.SingleJobResponse + err = msgpackrpc.CallWithCodec(codec, "Job.GetJob", get, &validResp2) + assert.Nil(err) + assert.Equal(job.ID, validResp2.Job.ID) + +} + func TestJobEndpoint_GetJob_Blocking(t *testing.T) { t.Parallel() s1 := testServer(t, nil) From d3e8b4812bc0fa72562e6b37668d0df9972399e2 Mon Sep 17 00:00:00 2001 From: Chelsea Holland Komlo Date: Tue, 26 Sep 2017 17:41:53 +0000 Subject: [PATCH 2/3] better test assertions --- nomad/job_endpoint_test.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nomad/job_endpoint_test.go b/nomad/job_endpoint_test.go index 1b03e57d0..363703333 100644 --- a/nomad/job_endpoint_test.go +++ b/nomad/job_endpoint_test.go @@ -1746,6 +1746,7 @@ func TestJobEndpoint_GetJob_ACL(t *testing.T) { var resp structs.SingleJobResponse err = msgpackrpc.CallWithCodec(codec, "Job.GetJob", get, &resp) assert.NotNil(err) + assert.Contains(err.Error(), "Permission denied") // Expect failure for request with an invalid token invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid", @@ -1755,6 +1756,7 @@ func TestJobEndpoint_GetJob_ACL(t *testing.T) { var invalidResp structs.SingleJobResponse err = msgpackrpc.CallWithCodec(codec, "Job.GetJob", get, &invalidResp) assert.NotNil(err) + assert.Contains(err.Error(), "Permission denied") // Looking up the job with a management token should succeed get.SecretID = root.SecretID @@ -1772,7 +1774,6 @@ func TestJobEndpoint_GetJob_ACL(t *testing.T) { err = msgpackrpc.CallWithCodec(codec, "Job.GetJob", get, &validResp2) assert.Nil(err) assert.Equal(job.ID, validResp2.Job.ID) - } func TestJobEndpoint_GetJob_Blocking(t *testing.T) { From 41c30183ee2fef4f7d03a7b9473d48ca32c7aa20 Mon Sep 17 00:00:00 2001 From: Chelsea Holland Komlo Date: Wed, 27 Sep 2017 20:23:06 +0000 Subject: [PATCH 3/3] add documentation --- website/source/api/jobs.html.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/website/source/api/jobs.html.md b/website/source/api/jobs.html.md index 89261fa97..20f6d4b86 100644 --- a/website/source/api/jobs.html.md +++ b/website/source/api/jobs.html.md @@ -236,9 +236,9 @@ The table below shows this endpoint's support for [blocking queries](/api/index.html#blocking-queries) and [required ACLs](/api/index.html#acls). -| Blocking Queries | ACL Required | -| ---------------- | ------------ | -| `YES` | `none` | +| Blocking Queries | ACL Required | +| ---------------- | -------------------------- | +| `YES` | `namespace:read-job` | ### Parameters