consul/agent/acl_endpoint.go

252 lines
6.4 KiB
Go
Raw Normal View History

2014-08-06 00:50:36 +00:00
package agent
import (
"fmt"
"net/http"
"strings"
2015-05-06 02:25:10 +00:00
"github.com/hashicorp/consul/acl"
"github.com/hashicorp/consul/agent/structs"
2014-08-06 00:50:36 +00:00
)
// aclCreateResponse is used to wrap the ACL ID
type aclCreateResponse struct {
ID string
}
// ACLDisabled handles if ACL datacenter is not configured
func ACLDisabled(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
2017-08-23 19:19:11 +00:00
resp.WriteHeader(http.StatusUnauthorized)
fmt.Fprint(resp, "ACL support disabled")
return nil, nil
}
// ACLBootstrap is used to perform a one-time ACL bootstrap operation on
// a cluster to get the first management token.
func (s *HTTPServer) ACLBootstrap(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
if req.Method != "PUT" {
resp.WriteHeader(http.StatusMethodNotAllowed)
return nil, nil
}
args := structs.DCSpecificRequest{
Datacenter: s.agent.config.ACLDatacenter,
}
var out structs.ACL
err := s.agent.RPC("ACL.Bootstrap", &args, &out)
if err != nil {
if strings.Contains(err.Error(), structs.ACLBootstrapNotAllowedErr.Error()) {
resp.WriteHeader(http.StatusForbidden)
fmt.Fprint(resp, acl.PermissionDeniedError{Cause: err.Error()}.Error())
return nil, nil
} else {
return nil, err
}
}
return aclCreateResponse{out.ID}, nil
}
2014-08-18 19:05:01 +00:00
func (s *HTTPServer) ACLDestroy(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
2014-08-19 21:28:34 +00:00
// Mandate a PUT request
if req.Method != "PUT" {
2017-08-23 19:19:11 +00:00
resp.WriteHeader(http.StatusMethodNotAllowed)
2014-08-19 21:28:34 +00:00
return nil, nil
}
2014-08-06 00:50:36 +00:00
args := structs.ACLRequest{
2014-08-12 18:35:22 +00:00
Datacenter: s.agent.config.ACLDatacenter,
Op: structs.ACLDelete,
2014-08-06 00:50:36 +00:00
}
2014-08-12 18:35:22 +00:00
s.parseToken(req, &args.Token)
2014-08-06 00:50:36 +00:00
2014-08-06 17:30:47 +00:00
// Pull out the acl id
2014-08-18 19:05:01 +00:00
args.ACL.ID = strings.TrimPrefix(req.URL.Path, "/v1/acl/destroy/")
2014-08-06 00:50:36 +00:00
if args.ACL.ID == "" {
2017-08-23 19:19:11 +00:00
resp.WriteHeader(http.StatusBadRequest)
fmt.Fprint(resp, "Missing ACL")
2014-08-06 00:50:36 +00:00
return nil, nil
}
var out string
if err := s.agent.RPC("ACL.Apply", &args, &out); err != nil {
return nil, err
}
return true, nil
}
func (s *HTTPServer) ACLCreate(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
return s.aclSet(resp, req, false)
}
func (s *HTTPServer) ACLUpdate(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
return s.aclSet(resp, req, true)
}
func (s *HTTPServer) aclSet(resp http.ResponseWriter, req *http.Request, update bool) (interface{}, error) {
// Mandate a PUT request
if req.Method != "PUT" {
2017-08-23 19:19:11 +00:00
resp.WriteHeader(http.StatusMethodNotAllowed)
2014-08-06 00:50:36 +00:00
return nil, nil
}
args := structs.ACLRequest{
2014-08-12 18:35:22 +00:00
Datacenter: s.agent.config.ACLDatacenter,
Op: structs.ACLSet,
2014-08-06 00:50:36 +00:00
ACL: structs.ACL{
Type: structs.ACLTypeClient,
},
}
2014-08-12 18:35:22 +00:00
s.parseToken(req, &args.Token)
2014-08-06 00:50:36 +00:00
// Handle optional request body
if req.ContentLength > 0 {
if err := decodeBody(req, &args.ACL, nil); err != nil {
2017-08-23 19:19:11 +00:00
resp.WriteHeader(http.StatusBadRequest)
fmt.Fprintf(resp, "Request decode failed: %v", err)
2014-08-06 00:50:36 +00:00
return nil, nil
}
}
2015-05-06 02:25:10 +00:00
// Ensure there is an ID set for update. ID is optional for
// create, as one will be generated if not provided.
2014-08-06 00:50:36 +00:00
if update && args.ACL.ID == "" {
2017-08-23 19:19:11 +00:00
resp.WriteHeader(http.StatusBadRequest)
fmt.Fprint(resp, "ACL ID must be set")
2014-08-06 00:50:36 +00:00
return nil, nil
}
// Create the acl, get the ID
var out string
if err := s.agent.RPC("ACL.Apply", &args, &out); err != nil {
return nil, err
}
// Format the response as a JSON object
return aclCreateResponse{out}, nil
}
func (s *HTTPServer) ACLClone(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
2014-08-19 21:28:34 +00:00
// Mandate a PUT request
if req.Method != "PUT" {
2017-08-23 19:19:11 +00:00
resp.WriteHeader(http.StatusMethodNotAllowed)
2014-08-19 21:28:34 +00:00
return nil, nil
}
2014-08-12 18:35:22 +00:00
args := structs.ACLSpecificRequest{
Datacenter: s.agent.config.ACLDatacenter,
}
var dc string
if done := s.parse(resp, req, &dc, &args.QueryOptions); done {
2014-08-06 00:50:36 +00:00
return nil, nil
}
2014-08-06 17:30:47 +00:00
// Pull out the acl id
2014-08-06 00:50:36 +00:00
args.ACL = strings.TrimPrefix(req.URL.Path, "/v1/acl/clone/")
if args.ACL == "" {
2017-08-23 19:19:11 +00:00
resp.WriteHeader(http.StatusBadRequest)
fmt.Fprint(resp, "Missing ACL")
2014-08-06 00:50:36 +00:00
return nil, nil
}
var out structs.IndexedACLs
defer setMeta(resp, &out.QueryMeta)
if err := s.agent.RPC("ACL.Get", &args, &out); err != nil {
return nil, err
}
// Bail if the ACL is not found, this could be a 404 or a 403, so
// always just return a 403.
2014-08-06 00:50:36 +00:00
if len(out.ACLs) == 0 {
return nil, acl.ErrPermissionDenied
2014-08-06 00:50:36 +00:00
}
// Create a new ACL
createArgs := structs.ACLRequest{
Datacenter: args.Datacenter,
Op: structs.ACLSet,
ACL: *out.ACLs[0],
}
createArgs.ACL.ID = ""
2014-08-12 18:35:22 +00:00
createArgs.Token = args.Token
2014-08-06 00:50:36 +00:00
// Create the acl, get the ID
var outID string
if err := s.agent.RPC("ACL.Apply", &createArgs, &outID); err != nil {
return nil, err
}
// Format the response as a JSON object
return aclCreateResponse{outID}, nil
}
func (s *HTTPServer) ACLGet(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
2014-08-12 18:35:22 +00:00
args := structs.ACLSpecificRequest{
Datacenter: s.agent.config.ACLDatacenter,
}
var dc string
if done := s.parse(resp, req, &dc, &args.QueryOptions); done {
2014-08-06 00:50:36 +00:00
return nil, nil
}
2014-08-06 17:30:47 +00:00
// Pull out the acl id
2014-08-06 00:50:36 +00:00
args.ACL = strings.TrimPrefix(req.URL.Path, "/v1/acl/info/")
if args.ACL == "" {
2017-08-23 19:19:11 +00:00
resp.WriteHeader(http.StatusBadRequest)
fmt.Fprint(resp, "Missing ACL")
2014-08-06 00:50:36 +00:00
return nil, nil
}
var out structs.IndexedACLs
defer setMeta(resp, &out.QueryMeta)
if err := s.agent.RPC("ACL.Get", &args, &out); err != nil {
return nil, err
}
// Use empty list instead of nil
if out.ACLs == nil {
out.ACLs = make(structs.ACLs, 0)
}
2014-08-06 00:50:36 +00:00
return out.ACLs, nil
}
func (s *HTTPServer) ACLList(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
2014-08-12 18:35:22 +00:00
args := structs.DCSpecificRequest{
Datacenter: s.agent.config.ACLDatacenter,
}
var dc string
if done := s.parse(resp, req, &dc, &args.QueryOptions); done {
2014-08-06 00:50:36 +00:00
return nil, nil
}
var out structs.IndexedACLs
defer setMeta(resp, &out.QueryMeta)
if err := s.agent.RPC("ACL.List", &args, &out); err != nil {
return nil, err
}
// Use empty list instead of nil
if out.ACLs == nil {
out.ACLs = make(structs.ACLs, 0)
}
2014-08-06 00:50:36 +00:00
return out.ACLs, nil
}
func (s *HTTPServer) ACLReplicationStatus(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
// Note that we do not forward to the ACL DC here. This is a query for
// any DC that's doing replication.
args := structs.DCSpecificRequest{}
s.parseSource(req, &args.Source)
if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {
return nil, nil
}
// Make the request.
var out structs.ACLReplicationStatus
if err := s.agent.RPC("ACL.ReplicationStatus", &args, &out); err != nil {
return nil, err
}
return out, nil
}