Merge pull request #3384 from hashicorp/f-self-policies

Ability to introspect self token
This commit is contained in:
Alex Dadgar 2017-10-13 17:11:22 -07:00 committed by GitHub
commit c3f06b2134
10 changed files with 285 additions and 20 deletions

View file

@ -144,6 +144,16 @@ func (a *ACLTokens) Info(accessorID string, q *QueryOptions) (*ACLToken, *QueryM
return &resp, wm, nil
}
// Self is used to query our own token
func (a *ACLTokens) Self(q *QueryOptions) (*ACLToken, *QueryMeta, error) {
var resp ACLToken
wm, err := a.client.query("/v1/acl/token/self", &resp, q)
if err != nil {
return nil, nil, err
}
return &resp, wm, nil
}
// ACLPolicyListStub is used to for listing ACL policies
type ACLPolicyListStub struct {
Name string

View file

@ -182,6 +182,36 @@ func TestACLTokens_Info(t *testing.T) {
assert.Equal(t, out, out2)
}
func TestACLTokens_Self(t *testing.T) {
t.Parallel()
c, s, _ := makeACLClient(t, nil, nil)
defer s.Stop()
at := c.ACLTokens()
token := &ACLToken{
Name: "foo",
Type: "client",
Policies: []string{"foo1"},
}
// Create the token
out, wm, err := at.Create(token, nil)
assert.Nil(t, err)
assertWriteMeta(t, wm)
assert.NotNil(t, out)
// Set the clients token to the new token
c.SetSecretID(out.SecretID)
at = c.ACLTokens()
// Query the token
out2, qm, err := at.Self(nil)
if assert.Nil(t, err) {
assertQueryMeta(t, qm)
assert.Equal(t, out, out2)
}
}
func TestACLTokens_Delete(t *testing.T) {
t.Parallel()
c, s, _ := makeACLClient(t, nil, nil)

View file

@ -154,29 +154,35 @@ func (s *HTTPServer) ACLTokenBootstrap(resp http.ResponseWriter, req *http.Reque
}
func (s *HTTPServer) ACLTokenSpecificRequest(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
accessor := strings.TrimPrefix(req.URL.Path, "/v1/acl/token")
path := req.URL.Path
// If there is no accessor, this must be a create
if len(accessor) == 0 {
switch path {
case "/v1/acl/token":
if !(req.Method == "PUT" || req.Method == "POST") {
return nil, CodedError(405, ErrInvalidMethod)
}
return s.aclTokenUpdate(resp, req, "")
case "/v1/acl/token/self":
return s.aclTokenSelf(resp, req)
}
// Check if no accessor is given past the slash
accessor = accessor[1:]
if accessor == "" {
accessor := strings.TrimPrefix(path, "/v1/acl/token/")
return s.aclTokenCrud(resp, req, accessor)
}
func (s *HTTPServer) aclTokenCrud(resp http.ResponseWriter, req *http.Request,
tokenAccessor string) (interface{}, error) {
if tokenAccessor == "" {
return nil, CodedError(400, "Missing Token Accessor")
}
switch req.Method {
case "GET":
return s.aclTokenQuery(resp, req, accessor)
return s.aclTokenQuery(resp, req, tokenAccessor)
case "PUT", "POST":
return s.aclTokenUpdate(resp, req, accessor)
return s.aclTokenUpdate(resp, req, tokenAccessor)
case "DELETE":
return s.aclTokenDelete(resp, req, accessor)
return s.aclTokenDelete(resp, req, tokenAccessor)
default:
return nil, CodedError(405, ErrInvalidMethod)
}
@ -203,6 +209,29 @@ func (s *HTTPServer) aclTokenQuery(resp http.ResponseWriter, req *http.Request,
return out.Token, nil
}
func (s *HTTPServer) aclTokenSelf(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
if req.Method != "GET" {
return nil, CodedError(405, ErrInvalidMethod)
}
args := structs.ResolveACLTokenRequest{}
if s.parse(resp, req, &args.Region, &args.QueryOptions) {
return nil, nil
}
args.SecretID = args.AuthToken
var out structs.ResolveACLTokenResponse
if err := s.agent.RPC("ACL.ResolveToken", &args, &out); err != nil {
return nil, err
}
setMeta(resp, &out.QueryMeta)
if out.Token == nil {
return nil, CodedError(404, "ACL token not found")
}
return out.Token, nil
}
func (s *HTTPServer) aclTokenUpdate(resp http.ResponseWriter, req *http.Request,
tokenAccessor string) (interface{}, error) {
// Parse the token

View file

@ -322,6 +322,55 @@ func TestHTTP_ACLTokenQuery(t *testing.T) {
})
}
func TestHTTP_ACLTokenSelf(t *testing.T) {
t.Parallel()
httpACLTest(t, nil, func(s *TestAgent) {
p1 := mock.ACLToken()
p1.AccessorID = ""
args := structs.ACLTokenUpsertRequest{
Tokens: []*structs.ACLToken{p1},
WriteRequest: structs.WriteRequest{
Region: "global",
AuthToken: s.RootToken.SecretID,
},
}
var resp structs.ACLTokenUpsertResponse
if err := s.Agent.RPC("ACL.UpsertTokens", &args, &resp); err != nil {
t.Fatalf("err: %v", err)
}
out := resp.Tokens[0]
// Make the HTTP request
req, err := http.NewRequest("GET", "/v1/acl/token/self", nil)
if err != nil {
t.Fatalf("err: %v", err)
}
respW := httptest.NewRecorder()
setToken(req, out)
// Make the request
obj, err := s.Server.ACLTokenSpecificRequest(respW, req)
if err != nil {
t.Fatalf("err: %v", err)
}
// Check for the index
if respW.HeaderMap.Get("X-Nomad-Index") == "" {
t.Fatalf("missing index")
}
if respW.HeaderMap.Get("X-Nomad-KnownLeader") != "true" {
t.Fatalf("missing known leader")
}
if respW.HeaderMap.Get("X-Nomad-LastContact") == "" {
t.Fatalf("missing last contact")
}
// Check the output
n := obj.(*structs.ACLToken)
assert.Equal(t, out, n)
})
}
func TestHTTP_ACLTokenCreate(t *testing.T) {
t.Parallel()
httpACLTest(t, nil, func(s *TestAgent) {

3
dev/acls/default-ns.hcl Normal file
View file

@ -0,0 +1,3 @@
namespace "default" {
policy = "write"
}

3
dev/acls/node-read.hcl Normal file
View file

@ -0,0 +1,3 @@
node {
policy = "read"
}

View file

@ -121,12 +121,36 @@ func (a *ACL) ListPolicies(args *structs.ACLPolicyListRequest, reply *structs.AC
defer metrics.MeasureSince([]string{"nomad", "acl", "list_policies"}, time.Now())
// Check management level permissions
if acl, err := a.srv.ResolveToken(args.AuthToken); err != nil {
acl, err := a.srv.ResolveToken(args.AuthToken)
if err != nil {
return err
} else if acl == nil || !acl.IsManagement() {
} else if acl == nil {
return structs.ErrPermissionDenied
}
// If it is not a management token determine the policies that may be listed
mgt := acl.IsManagement()
var policies map[string]struct{}
if !mgt {
snap, err := a.srv.fsm.State().Snapshot()
if err != nil {
return err
}
token, err := snap.ACLTokenBySecretID(nil, args.AuthToken)
if err != nil {
return err
}
if token == nil {
return structs.ErrTokenNotFound
}
policies = make(map[string]struct{}, len(token.Policies))
for _, p := range token.Policies {
policies[p] = struct{}{}
}
}
// Setup the blocking query
opts := blockingOptions{
queryOpts: &args.QueryOptions,
@ -152,8 +176,10 @@ func (a *ACL) ListPolicies(args *structs.ACLPolicyListRequest, reply *structs.AC
break
}
policy := raw.(*structs.ACLPolicy)
if _, ok := policies[policy.Name]; ok || mgt {
reply.Policies = append(reply.Policies, policy.Stub())
}
}
// Use the last index that affected the policy table
index, err := state.Index("acl_policy")
@ -183,12 +209,42 @@ func (a *ACL) GetPolicy(args *structs.ACLPolicySpecificRequest, reply *structs.S
defer metrics.MeasureSince([]string{"nomad", "acl", "get_policy"}, time.Now())
// Check management level permissions
if acl, err := a.srv.ResolveToken(args.AuthToken); err != nil {
acl, err := a.srv.ResolveToken(args.AuthToken)
if err != nil {
return err
} else if acl == nil || !acl.IsManagement() {
} else if acl == nil {
return structs.ErrPermissionDenied
}
// If it is not a management token determine if it can get this policy
mgt := acl.IsManagement()
if !mgt {
snap, err := a.srv.fsm.State().Snapshot()
if err != nil {
return err
}
token, err := snap.ACLTokenBySecretID(nil, args.AuthToken)
if err != nil {
return err
}
if token == nil {
return structs.ErrTokenNotFound
}
found := false
for _, p := range token.Policies {
if p == args.Name {
found = true
break
}
}
if !found {
return structs.ErrPermissionDenied
}
}
// Setup the blocking query
opts := blockingOptions{
queryOpts: &args.QueryOptions,

View file

@ -28,6 +28,11 @@ func TestACLEndpoint_GetPolicy(t *testing.T) {
policy := mock.ACLPolicy()
s1.fsm.State().UpsertACLPolicies(1000, []*structs.ACLPolicy{policy})
// Create a token with one the policy
token := mock.ACLToken()
token.Policies = []string{policy.Name}
s1.fsm.State().UpsertACLTokens(1001, []*structs.ACLToken{token})
// Lookup the policy
get := &structs.ACLPolicySpecificRequest{
Name: policy.Name,
@ -50,6 +55,21 @@ func TestACLEndpoint_GetPolicy(t *testing.T) {
}
assert.Equal(t, uint64(1000), resp.Index)
assert.Nil(t, resp.Policy)
// Lookup the policy with the token
get = &structs.ACLPolicySpecificRequest{
Name: policy.Name,
QueryOptions: structs.QueryOptions{
Region: "global",
AuthToken: token.SecretID,
},
}
var resp2 structs.SingleACLPolicyResponse
if err := msgpackrpc.CallWithCodec(codec, "ACL.GetPolicy", get, &resp2); err != nil {
t.Fatalf("err: %v", err)
}
assert.EqualValues(t, 1000, resp2.Index)
assert.Equal(t, policy, resp2.Policy)
}
func TestACLEndpoint_GetPolicy_Blocking(t *testing.T) {
@ -290,6 +310,7 @@ func TestACLEndpoint_GetPolicies_Blocking(t *testing.T) {
}
func TestACLEndpoint_ListPolicies(t *testing.T) {
assert := assert.New(t)
t.Parallel()
s1, root := testACLServer(t, nil)
defer s1.Shutdown()
@ -304,6 +325,11 @@ func TestACLEndpoint_ListPolicies(t *testing.T) {
p2.Name = "aaaabbbb-3350-4b4b-d185-0e1992ed43e9"
s1.fsm.State().UpsertACLPolicies(1000, []*structs.ACLPolicy{p1, p2})
// Create a token with one of those policies
token := mock.ACLToken()
token.Policies = []string{p1.Name}
s1.fsm.State().UpsertACLTokens(1001, []*structs.ACLToken{token})
// Lookup the policies
get := &structs.ACLPolicyListRequest{
QueryOptions: structs.QueryOptions{
@ -315,8 +341,8 @@ func TestACLEndpoint_ListPolicies(t *testing.T) {
if err := msgpackrpc.CallWithCodec(codec, "ACL.ListPolicies", get, &resp); err != nil {
t.Fatalf("err: %v", err)
}
assert.Equal(t, uint64(1000), resp.Index)
assert.Equal(t, 2, len(resp.Policies))
assert.EqualValues(1000, resp.Index)
assert.Len(resp.Policies, 2)
// Lookup the policies by prefix
get = &structs.ACLPolicyListRequest{
@ -330,8 +356,24 @@ func TestACLEndpoint_ListPolicies(t *testing.T) {
if err := msgpackrpc.CallWithCodec(codec, "ACL.ListPolicies", get, &resp2); err != nil {
t.Fatalf("err: %v", err)
}
assert.Equal(t, uint64(1000), resp2.Index)
assert.Equal(t, 1, len(resp2.Policies))
assert.EqualValues(1000, resp2.Index)
assert.Len(resp2.Policies, 1)
// List policies using the created token
get = &structs.ACLPolicyListRequest{
QueryOptions: structs.QueryOptions{
Region: "global",
AuthToken: token.SecretID,
},
}
var resp3 structs.ACLPolicyListResponse
if err := msgpackrpc.CallWithCodec(codec, "ACL.ListPolicies", get, &resp3); err != nil {
t.Fatalf("err: %v", err)
}
assert.EqualValues(1000, resp3.Index)
if assert.Len(resp3.Policies, 1) {
assert.Equal(resp3.Policies[0].Name, p1.Name)
}
}
func TestACLEndpoint_ListPolicies_Blocking(t *testing.T) {

View file

@ -26,7 +26,7 @@ The table below shows this endpoint's support for
| Blocking Queries | Consistency Modes | ACL Required |
| ---------------- | ----------------- | ------------ |
| `YES` | `all` | `management` |
| `YES` | `all` | `management` for all policies.<br>Output when given a non-management token will be limited to the policies on the token itself |
### Sample Request
@ -110,7 +110,7 @@ The table below shows this endpoint's support for
| Blocking Queries | Consistency Modes | ACL Required |
| ---------------- | ----------------- | ------------ |
| `YES` | `all` | `management` |
| `YES` | `all` | `management` or token with access to policy |
### Sample Request

View file

@ -268,6 +268,49 @@ $ curl \
}
```
## Read Self Token
This endpoint reads the ACL token given by the passed SecretID. If the token is a global token
which has been replicated to the region it may lag behind the authoritative region.
| Method | Path | Produces |
| ------ | ---------------------------- | -------------------------- |
| `GET` | `/acl/token/self` | `application/json` |
The table below shows this endpoint's support for
[blocking queries](/api/index.html#blocking-queries), [consistency modes](/api/index.html#consistency-modes) and
[required ACLs](/api/index.html#acls).
| Blocking Queries | Consistency Modes | ACL Required |
| ---------------- | ----------------- | ------------ |
| `YES` | `all` | Any valid ACL token |
### Sample Request
```text
$ curl \
--header "X-Nomad-Token: 8176afd3-772d-0b71-8f85-7fa5d903e9d4"
https://nomad.rocks/v1/acl/token/self
```
### Sample Response
```json
{
"AccessorID": "aa534e09-6a07-0a45-2295-a7f77063d429",
"SecretID": "8176afd3-772d-0b71-8f85-7fa5d903e9d4",
"Name": "Read-write token",
"Type": "client",
"Policies": [
"readwrite"
],
"Global": false,
"CreateTime": "2017-08-23T23:25:41.429154233Z",
"CreateIndex": 52,
"ModifyIndex": 64
}
```
## Delete Token
This endpoint deletes the ACL token by accessor. This request is forwarded to the