agent: disallow API registration with managed proxy if not enabled

Mitchell Hashimoto 2018-06-12 17:35:59 +02:00 committed by Jack Pearkes
parent f7fc026e18
commit 0d6dcbd2f1
2 changed files with 49 additions and 1 deletions


@ -623,6 +623,12 @@ func (s *HTTPServer) AgentRegisterService(resp http.ResponseWriter, req *http.Re
return nil, nil return nil, nil
} }
// If we have a proxy, verify that we're allowed to add a proxy via the API
if proxy != nil && !s.agent.config.ConnectProxyAllowManagedAPIRegistration {
return nil, &BadRequestError{
Reason: "Managed proxy registration via the API is disallowed."}
}
// Add the service. // Add the service.
if err := s.agent.AddService(ns, chkTypes, true, token); err != nil { if err := s.agent.AddService(ns, chkTypes, true, token); err != nil {
return nil, err return nil, err
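Review bot: The new rejection branch returns a 400 without leaving any trace on the agent, and its `Reason` does not tell the operator which setting controls the refusal. A managed proxy registration carries a command for the agent to run (the test in this commit sends `ExecMode` and `Command`), so a denied attempt is worth a warning-level log line naming the service, which gives detection something to alert on. The message could name the option the test sets, e.g. `Reason: "Managed proxy registration via the API is disallowed; enable connect.proxy.allow_managed_api_registration to permit it."`. A 403 may describe a policy refusal better than a 400 if the handler has an error type for it, which is not visible here. AgentRegisterService and the definition of `proxy` both lie outside the hunk.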


@ -1396,7 +1396,13 @@ func TestAgent_RegisterService_ManagedConnectProxy(t *testing.T) {
assert := assert.New(t) assert := assert.New(t)
require := require.New(t) require := require.New(t)
a := NewTestAgent(t.Name(), "") a := NewTestAgent(t.Name(), `
connect {
proxy {
allow_managed_api_registration = true
}
}
`)
defer a.Shutdown() defer a.Shutdown()
// Register a proxy. Note that the destination doesn't exist here on // Register a proxy. Note that the destination doesn't exist here on
@ -1447,6 +1453,42 @@ func TestAgent_RegisterService_ManagedConnectProxy(t *testing.T) {
assert.Equal("abc123", a.State.ServiceToken("web-proxy")) assert.Equal("abc123", a.State.ServiceToken("web-proxy"))
} }
// This tests local agent service registration with a managed proxy with
// API registration disabled (default).
func TestAgent_RegisterService_ManagedConnectProxy_Disabled(t *testing.T) {
t.Parallel()
assert := assert.New(t)
a := NewTestAgent(t.Name(), ``)
defer a.Shutdown()
// Register a proxy. Note that the destination doesn't exist here on
// this agent or in the catalog at all. This is intended and part
// of the design.
args := &api.AgentServiceRegistration{
Name: "web",
Port: 8000,
Connect: &api.AgentServiceConnect{
Proxy: &api.AgentServiceConnectProxy{
ExecMode: "script",
Command: []string{"proxy.sh"},
Config: map[string]interface{}{
"foo": "bar",
},
},
},
}
req, _ := http.NewRequest("PUT", "/v1/agent/service/register?token=abc123", jsonReader(args))
resp := httptest.NewRecorder()
_, err := a.srv.AgentRegisterService(resp, req)
assert.Error(err)
// Ensure the target service does not exist
_, ok := a.State.Services()["web"]
assert.False(ok, "does not has service")
}
// This tests local agent service registration of a unmanaged connect proxy. // This tests local agent service registration of a unmanaged connect proxy.
// This verifies that it is put in the local state store properly for syncing // This verifies that it is put in the local state store properly for syncing
// later. Note that _managed_ connect proxies are registered as part of the // later. Note that _managed_ connect proxies are registered as part of the
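Review bot: `assert.Error(err)` in TestAgent_RegisterService_ManagedConnectProxy_Disabled accepts any failure, so the test does not prove that the new gate is what rejected the request; a decode or ACL error would satisfy it just as well. Pin the error to the gate with `assert.IsType(&BadRequestError{}, err)`, or compare its `Reason`. The error from `http.NewRequest` is discarded with `_`; checking it with `require.NoError(t, err)` keeps a malformed request from passing as the expected rejection. The failure message `"does not has service"` reads better as `"service should not be registered"`.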