Merge pull request #3293 from hashicorp/f-self-token

Allow querying self token
2017-09-29 10:54:37 -07:00 · 2017-09-29 10:54:37 -07:00 · b772fb650e
parent 90ab6038c0 765b030bec
commit b772fb650e
3 changed files with 30 additions and 4 deletions
--- a/nomad/acl_endpoint.go
+++ b/nomad/acl_endpoint.go
@ -622,10 +622,13 @@ func (a *ACL) GetToken(args *structs.ACLTokenSpecificRequest, reply *structs.Sin
 	}
 	defer metrics.MeasureSince([]string{"nomad", "acl", "get_token"}, time.Now())

-	// Check management level permissions
-	if acl, err := a.srv.resolveToken(args.SecretID); err != nil {
+	acl, err := a.srv.resolveToken(args.SecretID)
+	if err != nil {
 		return err
-	} else if acl == nil || !acl.IsManagement() {
+	}
+
+	// Ensure ACLs are enabled and this call is made with one
+	if acl == nil {
 		return structs.ErrPermissionDenied
 	}

@ -640,6 +643,19 @@ func (a *ACL) GetToken(args *structs.ACLTokenSpecificRequest, reply *structs.Sin
 				return err
 			}

+			if out == nil {
+				// If the token doesn't resolve, only allow management tokens to
+				// block.
+				if !acl.IsManagement() {
+					return structs.ErrPermissionDenied
+				}
+
+				// Check management level permissions or that the secret ID matches the
+				// accessor ID
+			} else if !acl.IsManagement() && out.SecretID != args.SecretID {
+				return structs.ErrPermissionDenied
+			}
+
 			// Setup the output
 			reply.Token = out
 			if out != nil {
--- a/nomad/acl_endpoint_test.go
+++ b/nomad/acl_endpoint_test.go
@ -509,6 +509,16 @@ func TestACLEndpoint_GetToken(t *testing.T) {
 	}
 	assert.Equal(t, uint64(1000), resp.Index)
 	assert.Nil(t, resp.Token)
+
+	// Lookup the token by accessor id using the tokens secret ID
+	get.AccessorID = token.AccessorID
+	get.SecretID = token.SecretID
+	var resp2 structs.SingleACLTokenResponse
+	if err := msgpackrpc.CallWithCodec(codec, "ACL.GetToken", get, &resp2); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	assert.Equal(t, uint64(1000), resp2.Index)
+	assert.Equal(t, token, resp2.Token)
 }

 func TestACLEndpoint_GetToken_Blocking(t *testing.T) {
--- a/website/source/api/acl-tokens.html.md
+++ b/website/source/api/acl-tokens.html.md
@ -241,7 +241,7 @@ The table below shows this endpoint's support for

 | Blocking Queries | Consistency Modes | ACL Required |
 | ---------------- | ----------------- | ------------ |
-| `YES`            | `all`             | `management` |
+| `YES`            | `all`             | `management` or a SecretID matching the AccessorID |

 ### Sample Request