fixing up code review comments

client/client.go

@@ -526,6 +526,9 @@ func (c *Client) LatestHostStats() *stats.HostStats {
 	return c.hostStatsCollector.Stats()
 }
 
+// ValidateMigrateToken verifies that a token is for a specific client and
+// allocation, and has been created by a trusted party that has privilaged
+// knowledge of the client's secret identifier
 func (c *Client) ValidateMigrateToken(allocID, migrateToken string) bool {
 	if !c.config.ACLEnabled {
 		return true

command/agent/alloc_endpoint.go

@@ -88,12 +88,11 @@ func (s *HTTPServer) ClientAllocRequest(resp http.ResponseWriter, req *http.Requ
 		return nil, CodedError(404, resourceNotFoundErr)
 	}
 	allocID := tokens[0]
-	migrateToken := req.Header.Get("X-Nomad-Token")
 	switch tokens[1] {
 	case "stats":
 		return s.allocStats(allocID, resp, req)
 	case "snapshot":
-		return s.allocSnapshot(allocID, migrateToken, resp, req)
+		return s.allocSnapshot(allocID, resp, req)
 	case "gc":
 		return s.allocGC(allocID, resp, req)
 	}
@@ -135,8 +134,10 @@ func (s *HTTPServer) allocGC(allocID string, resp http.ResponseWriter, req *http
 	return nil, s.agent.Client().CollectAllocation(allocID)
 }
 
-func (s *HTTPServer) allocSnapshot(allocID, migrateToken string, resp http.ResponseWriter, req *http.Request) (interface{}, error) {
+func (s *HTTPServer) allocSnapshot(allocID string, resp http.ResponseWriter, req *http.Request) (interface{}, error) {
-	if !s.agent.Client().ValidateMigrateToken(allocID, migrateToken) {
+	var secret string
+	s.parseToken(req, &secret)
+	if !s.agent.Client().ValidateMigrateToken(allocID, secret) {
 		return nil, fmt.Errorf("invalid migrate token for allocation %q", allocID)
 	}
 

nomad/node_endpoint_test.go

@@ -1384,7 +1384,7 @@ func TestClientEndpoint_GetClientAllocs_Blocking(t *testing.T) {
 	}
 }
 
-func TestClientEndpoint_GetClientAllocs_WIthMigrateTokens(t *testing.T) {
+func TestClientEndpoint_GetClientAllocs_WithMigrateTokens(t *testing.T) {
 	t.Parallel()
 	assert := assert.New(t)