Don't allow connect watches in agent/cli yet

2018-04-26 18:06:26 +01:00 · 2018-04-26 18:06:26 +01:00 · 1b197d934a
parent 946e872f2f
commit 1b197d934a
4 changed files with 47 additions and 0 deletions
--- a/agent/agent.go
+++ b/agent/agent.go
@ -621,6 +621,16 @@ func (a *Agent) reloadWatches(cfg *config.RuntimeConfig) error {
 			return fmt.Errorf("Handler type '%s' not recognized", params["handler_type"])
 		}

+		// Don't let people use connect watches via this mechanism for now as it
+		// needs thought about how to do securely and shouldn't be necessary. Note
+		// that if the type assertion fails an type is not a string then
+		// ParseExample below will error so we don't need to handle that case.
+		if typ, ok := params["type"].(string); ok {
+			if strings.HasPrefix(typ, "connect_") {
+				return fmt.Errorf("Watch type %s is not allowed in agent config", typ)
+			}
+		}
+
 		// Parse the watches, excluding 'handler' and 'args'
 		wp, err := watch.ParseExempt(params, []string{"handler", "args"})
 		if err != nil {
--- a/agent/agent_test.go
+++ b/agent/agent_test.go
@ -2259,6 +2259,18 @@ func TestAgent_reloadWatches(t *testing.T) {
 		t.Fatalf("bad: %s", err)
 	}

+	// Should fail to reload with connect watches
+	newConf.Watches = []map[string]interface{}{
+		{
+			"type": "connect_roots",
+			"key":  "asdf",
+			"args": []interface{}{"ls"},
+		},
+	}
+	if err := a.reloadWatches(&newConf); err == nil || !strings.Contains(err.Error(), "not allowed in agent config") {
+		t.Fatalf("bad: %s", err)
+	}
+
 	// Should still succeed with only HTTPS addresses
 	newConf.HTTPSAddrs = newConf.HTTPAddrs
 	newConf.HTTPAddrs = make([]net.Addr, 0)
--- a/command/watch/watch.go
+++ b/command/watch/watch.go
@ -135,6 +135,11 @@ func (c *cmd) Run(args []string) int {
 		return 1
 	}

+	if strings.HasPrefix(wp.Type, "connect_") {
+		c.UI.Error(fmt.Sprintf("Type %s is not supported in the CLI tool", wp.Type))
+		return 1
+	}
+
 	// Create and test the HTTP client
 	client, err := c.http.APIClient()
 	if err != nil {
--- a/command/watch/watch_test.go
+++ b/command/watch/watch_test.go
@ -33,3 +33,23 @@ func TestWatchCommand(t *testing.T) {
 		t.Fatalf("bad: %#v", ui.OutputWriter.String())
 	}
 }
+
+func TestWatchCommandNoConnect(t *testing.T) {
+	t.Parallel()
+	a := agent.NewTestAgent(t.Name(), ``)
+	defer a.Shutdown()
+
+	ui := cli.NewMockUi()
+	c := New(ui, nil)
+	args := []string{"-http-addr=" + a.HTTPAddr(), "-type=connect_leaf"}
+
+	code := c.Run(args)
+	if code != 1 {
+		t.Fatalf("bad: %d. %#v", code, ui.ErrorWriter.String())
+	}
+
+	if !strings.Contains(ui.ErrorWriter.String(),
+		"Type connect_leaf is not supported in the CLI tool") {
+		t.Fatalf("bad: %#v", ui.ErrorWriter.String())
+	}
+}