Merge pull request #3205 from hashicorp/f-deployment-acl

Deployment.GetDeployment ACL enforcement

nomad/acl_testutil_test.go

@@ -0,0 +1,57 @@
+package nomad
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/nomad/nomad/mock"
+	"github.com/hashicorp/nomad/nomad/state"
+	"github.com/hashicorp/nomad/nomad/structs"
+	"github.com/stretchr/testify/assert"
+)
+
+// NamespacePolicy is a helper for generating the policy hcl for a given
+// namepsace. Either policy or capabilites may be nil but not both.
+func NamespacePolicy(namespace string, policy string, capabilities []string) string {
+	policyHCL := fmt.Sprintf("namespace %q {", namespace)
+	if policy != "" {
+		policyHCL += fmt.Sprintf("\n\tpolicy = %q", policy)
+	}
+	if len(capabilities) != 0 {
+		policyHCL += fmt.Sprintf("\n\tcapabilities = %q", capabilities)
+	}
+	policyHCL += "\n}"
+	return policyHCL
+}
+
+// CreatePolicy creates a policy with the given name and rule.
+func CreatePolicy(t *testing.T, state *state.StateStore, index uint64, name, rule string) {
+	t.Helper()
+
+	// Create the ACLPolicy
+	policy := &structs.ACLPolicy{
+		Name:  name,
+		Rules: rule,
+	}
+	policy.SetHash()
+	assert.Nil(t, state.UpsertACLPolicies(index, []*structs.ACLPolicy{policy}))
+}
+
+// CreateToken creates a local, client token for the given policies
+func CreateToken(t *testing.T, state *state.StateStore, index uint64, policies []string) *structs.ACLToken {
+	t.Helper()
+
+	// Create the ACLToken
+	token := mock.ACLToken()
+	token.Policies = policies
+	token.SetHash()
+	assert.Nil(t, state.UpsertACLTokens(index, []*structs.ACLToken{token}))
+	return token
+}
+
+// CreatePolicyAndToken creates a policy and then returns a token configured for
+// just that policy. CreatePolicyAndToken uses the given index and index+1.
+func CreatePolicyAndToken(t *testing.T, state *state.StateStore, index uint64, name, rule string) *structs.ACLToken {
+	CreatePolicy(t, state, index, name, rule)
+	return CreateToken(t, state, index+1, []string{name})
+}

nomad/deployment_endpoint.go

@@ -6,6 +6,7 @@ import (
 
 	metrics "github.com/armon/go-metrics"
 	memdb "github.com/hashicorp/go-memdb"
+	"github.com/hashicorp/nomad/acl"
 	"github.com/hashicorp/nomad/nomad/state"
 	"github.com/hashicorp/nomad/nomad/structs"
 )
@@ -23,6 +24,13 @@ func (d *Deployment) GetDeployment(args *structs.DeploymentSpecificRequest,
 	}
 	defer metrics.MeasureSince([]string{"nomad", "deployment", "get_deployment"}, time.Now())
 
+	// Check namespace read-job permissions
+	if aclObj, err := d.srv.resolveToken(args.SecretID); err != nil {
+		return err
+	} else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilityReadJob) {
+		return structs.ErrPermissionDenied
+	}
+
 	// Setup the blocking query
 	opts := blockingOptions{
 		queryOpts: &args.QueryOptions,

nomad/deployment_endpoint_test.go

@@ -6,6 +6,7 @@ import (
 
 	memdb "github.com/hashicorp/go-memdb"
 	msgpackrpc "github.com/hashicorp/net-rpc-msgpackrpc"
+	"github.com/hashicorp/nomad/acl"
 	"github.com/hashicorp/nomad/helper"
 	"github.com/hashicorp/nomad/nomad/mock"
 	"github.com/hashicorp/nomad/nomad/structs"
@@ -44,6 +45,59 @@ func TestDeploymentEndpoint_GetDeployment(t *testing.T) {
 	assert.Equal(d, resp.Deployment, "Returned deployment not equal")
 }
 
+func TestDeploymentEndpoint_GetDeployment_ACL(t *testing.T) {
+	t.Parallel()
+	s1, root := testACLServer(t, nil)
+	defer s1.Shutdown()
+	codec := rpcClient(t, s1)
+	testutil.WaitForLeader(t, s1.RPC)
+	assert := assert.New(t)
+
+	// Create the deployment
+	j := mock.Job()
+	d := mock.Deployment()
+	d.JobID = j.ID
+	state := s1.fsm.State()
+
+	assert.Nil(state.UpsertJob(999, j), "UpsertJob")
+	assert.Nil(state.UpsertDeployment(1000, d), "UpsertDeployment")
+
+	// Create the namespace policy and tokens
+	validToken := CreatePolicyAndToken(t, state, 1001, "test-valid",
+		NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
+	invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid",
+		NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
+
+	// Lookup the deployments without a token and expect failure
+	get := &structs.DeploymentSpecificRequest{
+		DeploymentID: d.ID,
+		QueryOptions: structs.QueryOptions{
+			Region:    "global",
+			Namespace: structs.DefaultNamespace,
+		},
+	}
+	var resp structs.SingleDeploymentResponse
+	assert.NotNil(msgpackrpc.CallWithCodec(codec, "Deployment.GetDeployment", get, &resp), "RPC")
+
+	// Try with a good token
+	get.SecretID = validToken.SecretID
+	assert.Nil(msgpackrpc.CallWithCodec(codec, "Deployment.GetDeployment", get, &resp), "RPC")
+	assert.EqualValues(resp.Index, 1000, "resp.Index")
+	assert.Equal(d, resp.Deployment, "Returned deployment not equal")
+
+	// Try with a bad token
+	get.SecretID = invalidToken.SecretID
+	err := msgpackrpc.CallWithCodec(codec, "Deployment.GetDeployment", get, &resp)
+	assert.NotNil(err, "RPC")
+	assert.Equal(err.Error(), structs.ErrPermissionDenied.Error())
+
+	// Try with a root token
+	get.SecretID = root.SecretID
+	assert.Nil(msgpackrpc.CallWithCodec(codec, "Deployment.GetDeployment", get, &resp), "RPC")
+	assert.EqualValues(resp.Index, 1000, "resp.Index")
+	assert.Equal(d, resp.Deployment, "Returned deployment not equal")
+}
+
 func TestDeploymentEndpoint_GetDeployment_Blocking(t *testing.T) {
 	t.Parallel()
 	s1 := testServer(t, nil)

website/source/api/deployments.html.md

@@ -83,9 +83,9 @@ The table below shows this endpoint's support for
 [blocking queries](/api/index.html#blocking-queries) and
 [required ACLs](/api/index.html#acls).
 
-| Blocking Queries | ACL Required |
-| ---------------- | ------------ |
-| `YES`            | `none`       |
+| Blocking Queries | ACL Required         |
+| ---------------- | -------------------- |
+| `YES`            | `namespace:read-job` |
 
 ### Parameters