From 4b947222a86332bf35ef4e4712eb10fe8091fa81 Mon Sep 17 00:00:00 2001 From: Alex Dadgar Date: Mon, 11 Sep 2017 16:31:37 -0700 Subject: [PATCH 1/2] Deployment.GetDeployment ACL enforcement --- nomad/acl_testutil_test.go | 57 ++++++++++++++++++++++++++ nomad/deployment_endpoint.go | 8 ++++ nomad/deployment_endpoint_test.go | 54 ++++++++++++++++++++++++ website/source/api/deployments.html.md | 6 +-- 4 files changed, 122 insertions(+), 3 deletions(-) create mode 100644 nomad/acl_testutil_test.go diff --git a/nomad/acl_testutil_test.go b/nomad/acl_testutil_test.go new file mode 100644 index 000000000..4cf5a9627 --- /dev/null +++ b/nomad/acl_testutil_test.go @@ -0,0 +1,57 @@ +package nomad + +import ( + "fmt" + "testing" + + "github.com/hashicorp/nomad/nomad/mock" + "github.com/hashicorp/nomad/nomad/state" + "github.com/hashicorp/nomad/nomad/structs" + "github.com/stretchr/testify/assert" +) + +// NamespacePolicy is a helper for generating the policy hcl for a given +// namepsace. Either policy or capabilites may be nil but not both. +func NamespacePolicy(namespace string, policy string, capabilities []string) string { + policyHCL := fmt.Sprintf("namespace %q {", namespace) + if policy != "" { + policyHCL += fmt.Sprintf("\n\tpolicy = %q", policy) + } + if len(capabilities) != 0 { + policyHCL += fmt.Sprintf("\n\tcapabilities = %q", capabilities) + } + policyHCL += "\n}" + return policyHCL +} + +// CreatePolicy creates a policy with the given name and rule. +func CreatePolicy(t *testing.T, state *state.StateStore, index uint64, name, rule string) { + t.Helper() + + // Create the ACLPolicy + policy := &structs.ACLPolicy{ + Name: name, + Rules: rule, + } + policy.SetHash() + assert.Nil(t, state.UpsertACLPolicies(index, []*structs.ACLPolicy{policy})) +} + +// CreateToken creates a local, client token for the given policies +func CreateToken(t *testing.T, state *state.StateStore, index uint64, policies []string) *structs.ACLToken { + t.Helper() + + // Create the ACLToken + token := mock.ACLToken() + token.Policies = policies + token.SetHash() + assert.Nil(t, state.UpsertACLTokens(index, []*structs.ACLToken{token})) + return token +} + +// CreatePolicyAndToken creates a policy and then returns a token configured for +// just that policy. CreatePolicyAndToken uses the given index and index+1. +func CreatePolicyAndToken(t *testing.T, state *state.StateStore, index uint64, name, rule string) *structs.ACLToken { + CreatePolicy(t, state, index, name, rule) + return CreateToken(t, state, index+1, []string{name}) +} diff --git a/nomad/deployment_endpoint.go b/nomad/deployment_endpoint.go index 4a20aa1c4..ab067eab2 100644 --- a/nomad/deployment_endpoint.go +++ b/nomad/deployment_endpoint.go @@ -6,6 +6,7 @@ import ( metrics "github.com/armon/go-metrics" memdb "github.com/hashicorp/go-memdb" + "github.com/hashicorp/nomad/acl" "github.com/hashicorp/nomad/nomad/state" "github.com/hashicorp/nomad/nomad/structs" ) @@ -23,6 +24,13 @@ func (d *Deployment) GetDeployment(args *structs.DeploymentSpecificRequest, } defer metrics.MeasureSince([]string{"nomad", "deployment", "get_deployment"}, time.Now()) + // Check namespace read-job permissions + if aclObj, err := d.srv.resolveToken(args.SecretID); err != nil { + return err + } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilityReadJob) { + return structs.ErrPermissionDenied + } + // Setup the blocking query opts := blockingOptions{ queryOpts: &args.QueryOptions, diff --git a/nomad/deployment_endpoint_test.go b/nomad/deployment_endpoint_test.go index 07fbbdc90..62182e1c9 100644 --- a/nomad/deployment_endpoint_test.go +++ b/nomad/deployment_endpoint_test.go @@ -6,6 +6,7 @@ import ( memdb "github.com/hashicorp/go-memdb" msgpackrpc "github.com/hashicorp/net-rpc-msgpackrpc" + "github.com/hashicorp/nomad/acl" "github.com/hashicorp/nomad/helper" "github.com/hashicorp/nomad/nomad/mock" "github.com/hashicorp/nomad/nomad/structs" @@ -44,6 +45,59 @@ func TestDeploymentEndpoint_GetDeployment(t *testing.T) { assert.Equal(d, resp.Deployment, "Returned deployment not equal") } +func TestDeploymentEndpoint_GetDeployment_ACL(t *testing.T) { + t.Parallel() + s1, root := testACLServer(t, nil) + defer s1.Shutdown() + codec := rpcClient(t, s1) + testutil.WaitForLeader(t, s1.RPC) + assert := assert.New(t) + + // Create the deployment + j := mock.Job() + d := mock.Deployment() + d.JobID = j.ID + state := s1.fsm.State() + + assert.Nil(state.UpsertJob(999, j), "UpsertJob") + assert.Nil(state.UpsertDeployment(1000, d), "UpsertDeployment") + + // Create the namespace policy and tokens + goodToken := CreatePolicyAndToken(t, state, 1001, "test-good", + NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) + badToken := CreatePolicyAndToken(t, state, 1003, "test-bad", + NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) + + // Lookup the deployments without a token and expect failure + get := &structs.DeploymentSpecificRequest{ + DeploymentID: d.ID, + QueryOptions: structs.QueryOptions{ + Region: "global", + Namespace: structs.DefaultNamespace, + }, + } + var resp structs.SingleDeploymentResponse + assert.NotNil(msgpackrpc.CallWithCodec(codec, "Deployment.GetDeployment", get, &resp), "RPC") + + // Try with a good token + get.SecretID = goodToken.SecretID + assert.Nil(msgpackrpc.CallWithCodec(codec, "Deployment.GetDeployment", get, &resp), "RPC") + assert.EqualValues(resp.Index, 1000, "resp.Index") + assert.Equal(d, resp.Deployment, "Returned deployment not equal") + + // Try with a bad token + get.SecretID = badToken.SecretID + err := msgpackrpc.CallWithCodec(codec, "Deployment.GetDeployment", get, &resp) + assert.NotNil(err, "RPC") + assert.Equal(err.Error(), structs.ErrPermissionDenied.Error()) + + // Try with a root token + get.SecretID = root.SecretID + assert.Nil(msgpackrpc.CallWithCodec(codec, "Deployment.GetDeployment", get, &resp), "RPC") + assert.EqualValues(resp.Index, 1000, "resp.Index") + assert.Equal(d, resp.Deployment, "Returned deployment not equal") +} + func TestDeploymentEndpoint_GetDeployment_Blocking(t *testing.T) { t.Parallel() s1 := testServer(t, nil) diff --git a/website/source/api/deployments.html.md b/website/source/api/deployments.html.md index 55b3c60da..86b775002 100644 --- a/website/source/api/deployments.html.md +++ b/website/source/api/deployments.html.md @@ -83,9 +83,9 @@ The table below shows this endpoint's support for [blocking queries](/api/index.html#blocking-queries) and [required ACLs](/api/index.html#acls). -| Blocking Queries | ACL Required | -| ---------------- | ------------ | -| `YES` | `none` | +| Blocking Queries | ACL Required | +| ---------------- | -------------------- | +| `YES` | `namespace:read-job` | ### Parameters From 1e644393aa3949cd938fd1166d8ee6d901cf10ec Mon Sep 17 00:00:00 2001 From: Alex Dadgar Date: Thu, 14 Sep 2017 10:50:04 -0700 Subject: [PATCH 2/2] review feeback --- nomad/deployment_endpoint_test.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/nomad/deployment_endpoint_test.go b/nomad/deployment_endpoint_test.go index 62182e1c9..c7c1ebc3e 100644 --- a/nomad/deployment_endpoint_test.go +++ b/nomad/deployment_endpoint_test.go @@ -63,9 +63,9 @@ func TestDeploymentEndpoint_GetDeployment_ACL(t *testing.T) { assert.Nil(state.UpsertDeployment(1000, d), "UpsertDeployment") // Create the namespace policy and tokens - goodToken := CreatePolicyAndToken(t, state, 1001, "test-good", + validToken := CreatePolicyAndToken(t, state, 1001, "test-valid", NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) - badToken := CreatePolicyAndToken(t, state, 1003, "test-bad", + invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid", NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) // Lookup the deployments without a token and expect failure @@ -80,13 +80,13 @@ func TestDeploymentEndpoint_GetDeployment_ACL(t *testing.T) { assert.NotNil(msgpackrpc.CallWithCodec(codec, "Deployment.GetDeployment", get, &resp), "RPC") // Try with a good token - get.SecretID = goodToken.SecretID + get.SecretID = validToken.SecretID assert.Nil(msgpackrpc.CallWithCodec(codec, "Deployment.GetDeployment", get, &resp), "RPC") assert.EqualValues(resp.Index, 1000, "resp.Index") assert.Equal(d, resp.Deployment, "Returned deployment not equal") // Try with a bad token - get.SecretID = badToken.SecretID + get.SecretID = invalidToken.SecretID err := msgpackrpc.CallWithCodec(codec, "Deployment.GetDeployment", get, &resp) assert.NotNil(err, "RPC") assert.Equal(err.Error(), structs.ErrPermissionDenied.Error())