revert method name change in xds server protocol for version compatibility (#16195)
parent
b4151780d6
commit
1e7e52e3ef
@ -37,7 +37,7 @@ type TestACLAgent struct {
|
|||||||
|
|
||||||
// NewTestACLAgent does just enough so that all the code within agent/acl.go can work
|
// NewTestACLAgent does just enough so that all the code within agent/acl.go can work
|
||||||
// Basically it needs a local state for some of the vet* functions, a logger and a delegate.
|
// Basically it needs a local state for some of the vet* functions, a logger and a delegate.
|
||||||
// The key is that we are the delegate so we can control the ResolveTokenSecret responses
|
// The key is that we are the delegate so we can control the ResolveToken responses
|
||||||
func NewTestACLAgent(t *testing.T, name string, hcl string, resolveAuthz authzResolver, resolveIdent identResolver) *TestACLAgent {
|
func NewTestACLAgent(t *testing.T, name string, hcl string, resolveAuthz authzResolver, resolveIdent identResolver) *TestACLAgent {
|
||||||
t.Helper()
|
t.Helper()
|
||||||
|
|
||||||
@ -89,9 +89,9 @@ func NewTestACLAgent(t *testing.T, name string, hcl string, resolveAuthz authzRe
|
|||||||
return a
|
return a
|
||||||
}
|
}
|
||||||
|
|
||||||
func (a *TestACLAgent) ResolveTokenSecret(secretID string) (acl.Authorizer, error) {
|
func (a *TestACLAgent) ResolveToken(secretID string) (acl.Authorizer, error) {
|
||||||
if a.resolveAuthzFn == nil {
|
if a.resolveAuthzFn == nil {
|
||||||
return nil, fmt.Errorf("ResolveTokenSecret call is unexpected - no authz resolver callback set")
|
return nil, fmt.Errorf("ResolveToken call is unexpected - no authz resolver callback set")
|
||||||
}
|
}
|
||||||
|
|
||||||
_, authz, err := a.resolveAuthzFn(secretID)
|
_, authz, err := a.resolveAuthzFn(secretID)
|
||||||
@ -99,7 +99,7 @@ func (a *TestACLAgent) ResolveTokenSecret(secretID string) (acl.Authorizer, erro
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (a *TestACLAgent) ResolveTokenAndDefaultMeta(secretID string, entMeta *acl.EnterpriseMeta, authzContext *acl.AuthorizerContext) (resolver.Result, error) {
|
func (a *TestACLAgent) ResolveTokenAndDefaultMeta(secretID string, entMeta *acl.EnterpriseMeta, authzContext *acl.AuthorizerContext) (resolver.Result, error) {
|
||||||
authz, err := a.ResolveTokenSecret(secretID)
|
authz, err := a.ResolveToken(secretID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return resolver.Result{}, err
|
return resolver.Result{}, err
|
||||||
}
|
}
|
||||||
|
@ -993,10 +993,10 @@ func (r *ACLResolver) resolveLocallyManagedToken(token string) (structs.ACLIdent
|
|||||||
return r.resolveLocallyManagedEnterpriseToken(token)
|
return r.resolveLocallyManagedEnterpriseToken(token)
|
||||||
}
|
}
|
||||||
|
|
||||||
// ResolveTokenSecret to an acl.Authorizer and structs.ACLIdentity. The acl.Authorizer
|
// ResolveToken to an acl.Authorizer and structs.ACLIdentity. The acl.Authorizer
|
||||||
// can be used to check permissions granted to the token using its secret, and the
|
// can be used to check permissions granted to the token using its secret, and the
|
||||||
// ACLIdentity describes the token and any defaults applied to it.
|
// ACLIdentity describes the token and any defaults applied to it.
|
||||||
func (r *ACLResolver) ResolveTokenSecret(tokenSecretID string) (resolver.Result, error) {
|
func (r *ACLResolver) ResolveToken(tokenSecretID string) (resolver.Result, error) {
|
||||||
if !r.ACLsEnabled() {
|
if !r.ACLsEnabled() {
|
||||||
return resolver.Result{Authorizer: acl.ManageAll()}, nil
|
return resolver.Result{Authorizer: acl.ManageAll()}, nil
|
||||||
}
|
}
|
||||||
@ -1078,7 +1078,7 @@ func (r *ACLResolver) ResolveTokenAndDefaultMeta(
|
|||||||
entMeta *acl.EnterpriseMeta,
|
entMeta *acl.EnterpriseMeta,
|
||||||
authzContext *acl.AuthorizerContext,
|
authzContext *acl.AuthorizerContext,
|
||||||
) (resolver.Result, error) {
|
) (resolver.Result, error) {
|
||||||
result, err := r.ResolveTokenSecret(tokenSecretID)
|
result, err := r.ResolveToken(tokenSecretID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return resolver.Result{}, err
|
return resolver.Result{}, err
|
||||||
}
|
}
|
||||||
@ -1121,7 +1121,7 @@ func filterACLWithAuthorizer(logger hclog.Logger, authorizer acl.Authorizer, sub
|
|||||||
// not authorized for read access will be removed from subj.
|
// not authorized for read access will be removed from subj.
|
||||||
func filterACL(r *ACLResolver, tokenSecretID string, subj interface{}) error {
|
func filterACL(r *ACLResolver, tokenSecretID string, subj interface{}) error {
|
||||||
// Get the ACL from the token
|
// Get the ACL from the token
|
||||||
authorizer, err := r.ResolveTokenSecret(tokenSecretID)
|
authorizer, err := r.ResolveToken(tokenSecretID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -703,7 +703,7 @@ func (a *ACL) TokenBatchRead(args *structs.ACLTokenBatchGetRequest, reply *struc
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
authz, err := a.srv.ResolveTokenSecret(args.Token)
|
authz, err := a.srv.ResolveToken(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -796,7 +796,7 @@ func (a *ACL) PolicyBatchRead(args *structs.ACLPolicyBatchGetRequest, reply *str
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
authz, err := a.srv.ResolveTokenSecret(args.Token)
|
authz, err := a.srv.ResolveToken(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -1182,7 +1182,7 @@ func (a *ACL) RoleBatchRead(args *structs.ACLRoleBatchGetRequest, reply *structs
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
authz, err := a.srv.ResolveTokenSecret(args.Token)
|
authz, err := a.srv.ResolveToken(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -2115,7 +2115,7 @@ func (a *ACL) Authorize(args *structs.RemoteACLAuthorizationRequest, reply *[]st
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
authz, err := a.srv.ResolveTokenSecret(args.Token)
|
authz, err := a.srv.ResolveToken(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -65,13 +65,13 @@ func verifyAuthorizerChain(t *testing.T, expected resolver.Result, actual resolv
|
|||||||
}
|
}
|
||||||
|
|
||||||
func resolveTokenAsync(r *ACLResolver, token string, ch chan *asyncResolutionResult) {
|
func resolveTokenAsync(r *ACLResolver, token string, ch chan *asyncResolutionResult) {
|
||||||
authz, err := r.ResolveTokenSecret(token)
|
authz, err := r.ResolveToken(token)
|
||||||
ch <- &asyncResolutionResult{authz: authz, err: err}
|
ch <- &asyncResolutionResult{authz: authz, err: err}
|
||||||
}
|
}
|
||||||
|
|
||||||
func resolveTokenSecret(t *testing.T, r *ACLResolver, token string) acl.Authorizer {
|
func resolveTokenSecret(t *testing.T, r *ACLResolver, token string) acl.Authorizer {
|
||||||
t.Helper()
|
t.Helper()
|
||||||
authz, err := r.ResolveTokenSecret(token)
|
authz, err := r.ResolveToken(token)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
return authz
|
return authz
|
||||||
}
|
}
|
||||||
@ -732,7 +732,7 @@ func TestACLResolver_Disabled(t *testing.T) {
|
|||||||
|
|
||||||
r := newTestACLResolver(t, delegate, nil)
|
r := newTestACLResolver(t, delegate, nil)
|
||||||
|
|
||||||
authz, err := r.ResolveTokenSecret("does not exist")
|
authz, err := r.ResolveToken("does not exist")
|
||||||
require.Equal(t, resolver.Result{Authorizer: acl.ManageAll()}, authz)
|
require.Equal(t, resolver.Result{Authorizer: acl.ManageAll()}, authz)
|
||||||
require.Nil(t, err)
|
require.Nil(t, err)
|
||||||
}
|
}
|
||||||
@ -747,19 +747,19 @@ func TestACLResolver_ResolveRootACL(t *testing.T) {
|
|||||||
r := newTestACLResolver(t, delegate, nil)
|
r := newTestACLResolver(t, delegate, nil)
|
||||||
|
|
||||||
t.Run("Allow", func(t *testing.T) {
|
t.Run("Allow", func(t *testing.T) {
|
||||||
_, err := r.ResolveTokenSecret("allow")
|
_, err := r.ResolveToken("allow")
|
||||||
require.Error(t, err)
|
require.Error(t, err)
|
||||||
require.True(t, acl.IsErrRootDenied(err))
|
require.True(t, acl.IsErrRootDenied(err))
|
||||||
})
|
})
|
||||||
|
|
||||||
t.Run("Deny", func(t *testing.T) {
|
t.Run("Deny", func(t *testing.T) {
|
||||||
_, err := r.ResolveTokenSecret("deny")
|
_, err := r.ResolveToken("deny")
|
||||||
require.Error(t, err)
|
require.Error(t, err)
|
||||||
require.True(t, acl.IsErrRootDenied(err))
|
require.True(t, acl.IsErrRootDenied(err))
|
||||||
})
|
})
|
||||||
|
|
||||||
t.Run("Manage", func(t *testing.T) {
|
t.Run("Manage", func(t *testing.T) {
|
||||||
_, err := r.ResolveTokenSecret("manage")
|
_, err := r.ResolveToken("manage")
|
||||||
require.Error(t, err)
|
require.Error(t, err)
|
||||||
require.True(t, acl.IsErrRootDenied(err))
|
require.True(t, acl.IsErrRootDenied(err))
|
||||||
})
|
})
|
||||||
@ -805,7 +805,7 @@ func TestACLResolver_DownPolicy(t *testing.T) {
|
|||||||
config.Config.ACLDownPolicy = "deny"
|
config.Config.ACLDownPolicy = "deny"
|
||||||
})
|
})
|
||||||
|
|
||||||
authz, err := r.ResolveTokenSecret("foo")
|
authz, err := r.ResolveToken("foo")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz)
|
require.NotNil(t, authz)
|
||||||
expected := resolver.Result{
|
expected := resolver.Result{
|
||||||
@ -833,7 +833,7 @@ func TestACLResolver_DownPolicy(t *testing.T) {
|
|||||||
config.Config.ACLDownPolicy = "allow"
|
config.Config.ACLDownPolicy = "allow"
|
||||||
})
|
})
|
||||||
|
|
||||||
authz, err := r.ResolveTokenSecret("foo")
|
authz, err := r.ResolveToken("foo")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz)
|
require.NotNil(t, authz)
|
||||||
expected := resolver.Result{
|
expected := resolver.Result{
|
||||||
@ -862,7 +862,7 @@ func TestACLResolver_DownPolicy(t *testing.T) {
|
|||||||
config.Config.ACLRoleTTL = 0
|
config.Config.ACLRoleTTL = 0
|
||||||
})
|
})
|
||||||
|
|
||||||
authz, err := r.ResolveTokenSecret("found")
|
authz, err := r.ResolveToken("found")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz)
|
require.NotNil(t, authz)
|
||||||
require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil))
|
require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil))
|
||||||
@ -871,7 +871,7 @@ func TestACLResolver_DownPolicy(t *testing.T) {
|
|||||||
requirePolicyCached(t, r, "dc2-key-wr", true, "cached") // from "found" token
|
requirePolicyCached(t, r, "dc2-key-wr", true, "cached") // from "found" token
|
||||||
|
|
||||||
// policy cache expired - so we will fail to resolve that policy and use the default policy only
|
// policy cache expired - so we will fail to resolve that policy and use the default policy only
|
||||||
authz2, err := r.ResolveTokenSecret("found")
|
authz2, err := r.ResolveToken("found")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz2)
|
require.NotNil(t, authz2)
|
||||||
require.NotEqual(t, authz, authz2)
|
require.NotEqual(t, authz, authz2)
|
||||||
@ -899,13 +899,13 @@ func TestACLResolver_DownPolicy(t *testing.T) {
|
|||||||
config.Config.ACLRoleTTL = 0
|
config.Config.ACLRoleTTL = 0
|
||||||
})
|
})
|
||||||
|
|
||||||
authz, err := r.ResolveTokenSecret("found-role")
|
authz, err := r.ResolveToken("found-role")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz)
|
require.NotNil(t, authz)
|
||||||
require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil))
|
require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil))
|
||||||
|
|
||||||
// role cache expired - so we will fail to resolve that role and use the default policy only
|
// role cache expired - so we will fail to resolve that role and use the default policy only
|
||||||
authz2, err := r.ResolveTokenSecret("found-role")
|
authz2, err := r.ResolveToken("found-role")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz2)
|
require.NotNil(t, authz2)
|
||||||
require.False(t, authz == authz2)
|
require.False(t, authz == authz2)
|
||||||
@ -928,14 +928,14 @@ func TestACLResolver_DownPolicy(t *testing.T) {
|
|||||||
config.Config.ACLTokenTTL = 0
|
config.Config.ACLTokenTTL = 0
|
||||||
})
|
})
|
||||||
|
|
||||||
authz, err := r.ResolveTokenSecret("found")
|
authz, err := r.ResolveToken("found")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz)
|
require.NotNil(t, authz)
|
||||||
require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil))
|
require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil))
|
||||||
|
|
||||||
requireIdentityCached(t, r, "found", true, "cached")
|
requireIdentityCached(t, r, "found", true, "cached")
|
||||||
|
|
||||||
authz2, err := r.ResolveTokenSecret("found")
|
authz2, err := r.ResolveToken("found")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz2)
|
require.NotNil(t, authz2)
|
||||||
verifyAuthorizerChain(t, authz, authz2)
|
verifyAuthorizerChain(t, authz, authz2)
|
||||||
@ -957,7 +957,7 @@ func TestACLResolver_DownPolicy(t *testing.T) {
|
|||||||
config.Config.ACLDownPolicy = "extend-cache"
|
config.Config.ACLDownPolicy = "extend-cache"
|
||||||
})
|
})
|
||||||
|
|
||||||
authz, err := r.ResolveTokenSecret("not-found")
|
authz, err := r.ResolveToken("not-found")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz)
|
require.NotNil(t, authz)
|
||||||
require.Equal(t, acl.Deny, authz.NodeWrite("foo", nil))
|
require.Equal(t, acl.Deny, authz.NodeWrite("foo", nil))
|
||||||
@ -979,14 +979,14 @@ func TestACLResolver_DownPolicy(t *testing.T) {
|
|||||||
config.Config.ACLTokenTTL = 0
|
config.Config.ACLTokenTTL = 0
|
||||||
})
|
})
|
||||||
|
|
||||||
authz, err := r.ResolveTokenSecret("found-role")
|
authz, err := r.ResolveToken("found-role")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz)
|
require.NotNil(t, authz)
|
||||||
require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil))
|
require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil))
|
||||||
|
|
||||||
requireIdentityCached(t, r, "found-role", true, "still cached")
|
requireIdentityCached(t, r, "found-role", true, "still cached")
|
||||||
|
|
||||||
authz2, err := r.ResolveTokenSecret("found-role")
|
authz2, err := r.ResolveToken("found-role")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz2)
|
require.NotNil(t, authz2)
|
||||||
// testing pointer equality - these will be the same object because it is cached.
|
// testing pointer equality - these will be the same object because it is cached.
|
||||||
@ -1011,7 +1011,7 @@ func TestACLResolver_DownPolicy(t *testing.T) {
|
|||||||
config.Config.ACLRoleTTL = 0
|
config.Config.ACLRoleTTL = 0
|
||||||
})
|
})
|
||||||
|
|
||||||
authz, err := r.ResolveTokenSecret("found")
|
authz, err := r.ResolveToken("found")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz)
|
require.NotNil(t, authz)
|
||||||
require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil))
|
require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil))
|
||||||
@ -1020,7 +1020,7 @@ func TestACLResolver_DownPolicy(t *testing.T) {
|
|||||||
requirePolicyCached(t, r, "dc2-key-wr", true, "cached") // from "found" token
|
requirePolicyCached(t, r, "dc2-key-wr", true, "cached") // from "found" token
|
||||||
|
|
||||||
// Will just use the policy cache
|
// Will just use the policy cache
|
||||||
authz2, err := r.ResolveTokenSecret("found")
|
authz2, err := r.ResolveToken("found")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz2)
|
require.NotNil(t, authz2)
|
||||||
verifyAuthorizerChain(t, authz, authz2)
|
verifyAuthorizerChain(t, authz, authz2)
|
||||||
@ -1048,13 +1048,13 @@ func TestACLResolver_DownPolicy(t *testing.T) {
|
|||||||
config.Config.ACLRoleTTL = 0
|
config.Config.ACLRoleTTL = 0
|
||||||
})
|
})
|
||||||
|
|
||||||
authz, err := r.ResolveTokenSecret("found-role")
|
authz, err := r.ResolveToken("found-role")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz)
|
require.NotNil(t, authz)
|
||||||
require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil))
|
require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil))
|
||||||
|
|
||||||
// Will just use the policy cache
|
// Will just use the policy cache
|
||||||
authz2, err := r.ResolveTokenSecret("found-role")
|
authz2, err := r.ResolveToken("found-role")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz2)
|
require.NotNil(t, authz2)
|
||||||
verifyAuthorizerChain(t, authz, authz2)
|
verifyAuthorizerChain(t, authz, authz2)
|
||||||
@ -1081,7 +1081,7 @@ func TestACLResolver_DownPolicy(t *testing.T) {
|
|||||||
config.Config.ACLRoleTTL = 0
|
config.Config.ACLRoleTTL = 0
|
||||||
})
|
})
|
||||||
|
|
||||||
authz, err := r.ResolveTokenSecret("found")
|
authz, err := r.ResolveToken("found")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz)
|
require.NotNil(t, authz)
|
||||||
require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil))
|
require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil))
|
||||||
@ -1090,7 +1090,7 @@ func TestACLResolver_DownPolicy(t *testing.T) {
|
|||||||
requirePolicyCached(t, r, "dc2-key-wr", true, "cached") // from "found" token
|
requirePolicyCached(t, r, "dc2-key-wr", true, "cached") // from "found" token
|
||||||
|
|
||||||
// The identity should have been cached so this should still be valid
|
// The identity should have been cached so this should still be valid
|
||||||
authz2, err := r.ResolveTokenSecret("found")
|
authz2, err := r.ResolveToken("found")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz2)
|
require.NotNil(t, authz2)
|
||||||
// testing pointer equality - these will be the same object because it is cached.
|
// testing pointer equality - these will be the same object because it is cached.
|
||||||
@ -1099,7 +1099,7 @@ func TestACLResolver_DownPolicy(t *testing.T) {
|
|||||||
|
|
||||||
// the go routine spawned will eventually return with a authz that doesn't have the policy
|
// the go routine spawned will eventually return with a authz that doesn't have the policy
|
||||||
retry.Run(t, func(t *retry.R) {
|
retry.Run(t, func(t *retry.R) {
|
||||||
authz3, err := r.ResolveTokenSecret("found")
|
authz3, err := r.ResolveToken("found")
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
assert.NotNil(t, authz3)
|
assert.NotNil(t, authz3)
|
||||||
assert.Equal(t, acl.Deny, authz3.NodeWrite("foo", nil))
|
assert.Equal(t, acl.Deny, authz3.NodeWrite("foo", nil))
|
||||||
@ -1129,13 +1129,13 @@ func TestACLResolver_DownPolicy(t *testing.T) {
|
|||||||
config.Config.ACLRoleTTL = 0
|
config.Config.ACLRoleTTL = 0
|
||||||
})
|
})
|
||||||
|
|
||||||
authz, err := r.ResolveTokenSecret("found-role")
|
authz, err := r.ResolveToken("found-role")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz)
|
require.NotNil(t, authz)
|
||||||
require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil))
|
require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil))
|
||||||
|
|
||||||
// The identity should have been cached so this should still be valid
|
// The identity should have been cached so this should still be valid
|
||||||
authz2, err := r.ResolveTokenSecret("found-role")
|
authz2, err := r.ResolveToken("found-role")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz2)
|
require.NotNil(t, authz2)
|
||||||
// testing pointer equality - these will be the same object because it is cached.
|
// testing pointer equality - these will be the same object because it is cached.
|
||||||
@ -1144,7 +1144,7 @@ func TestACLResolver_DownPolicy(t *testing.T) {
|
|||||||
|
|
||||||
// the go routine spawned will eventually return with a authz that doesn't have the policy
|
// the go routine spawned will eventually return with a authz that doesn't have the policy
|
||||||
retry.Run(t, func(t *retry.R) {
|
retry.Run(t, func(t *retry.R) {
|
||||||
authz3, err := r.ResolveTokenSecret("found-role")
|
authz3, err := r.ResolveToken("found-role")
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
assert.NotNil(t, authz3)
|
assert.NotNil(t, authz3)
|
||||||
assert.Equal(t, acl.Deny, authz3.NodeWrite("foo", nil))
|
assert.Equal(t, acl.Deny, authz3.NodeWrite("foo", nil))
|
||||||
@ -1170,7 +1170,7 @@ func TestACLResolver_DownPolicy(t *testing.T) {
|
|||||||
config.Config.ACLRoleTTL = 0
|
config.Config.ACLRoleTTL = 0
|
||||||
})
|
})
|
||||||
|
|
||||||
authz, err := r.ResolveTokenSecret("found")
|
authz, err := r.ResolveToken("found")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz)
|
require.NotNil(t, authz)
|
||||||
require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil))
|
require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil))
|
||||||
@ -1178,7 +1178,7 @@ func TestACLResolver_DownPolicy(t *testing.T) {
|
|||||||
requirePolicyCached(t, r, "node-wr", true, "cached") // from "found" token
|
requirePolicyCached(t, r, "node-wr", true, "cached") // from "found" token
|
||||||
requirePolicyCached(t, r, "dc2-key-wr", true, "cached") // from "found" token
|
requirePolicyCached(t, r, "dc2-key-wr", true, "cached") // from "found" token
|
||||||
|
|
||||||
authz2, err := r.ResolveTokenSecret("found")
|
authz2, err := r.ResolveToken("found")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz2)
|
require.NotNil(t, authz2)
|
||||||
// testing pointer equality - these will be the same object because it is cached.
|
// testing pointer equality - these will be the same object because it is cached.
|
||||||
@ -1206,7 +1206,7 @@ func TestACLResolver_DownPolicy(t *testing.T) {
|
|||||||
config.Config.ACLRoleTTL = 0
|
config.Config.ACLRoleTTL = 0
|
||||||
})
|
})
|
||||||
|
|
||||||
authz, err := r.ResolveTokenSecret("found-role")
|
authz, err := r.ResolveToken("found-role")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz)
|
require.NotNil(t, authz)
|
||||||
require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil))
|
require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil))
|
||||||
@ -1214,7 +1214,7 @@ func TestACLResolver_DownPolicy(t *testing.T) {
|
|||||||
requirePolicyCached(t, r, "node-wr", true, "still cached") // from "found" token
|
requirePolicyCached(t, r, "node-wr", true, "still cached") // from "found" token
|
||||||
requirePolicyCached(t, r, "dc2-key-wr", true, "still cached") // from "found" token
|
requirePolicyCached(t, r, "dc2-key-wr", true, "still cached") // from "found" token
|
||||||
|
|
||||||
authz2, err := r.ResolveTokenSecret("found-role")
|
authz2, err := r.ResolveToken("found-role")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz2)
|
require.NotNil(t, authz2)
|
||||||
// testing pointer equality - these will be the same object because it is cached.
|
// testing pointer equality - these will be the same object because it is cached.
|
||||||
@ -1238,7 +1238,7 @@ func TestACLResolver_DownPolicy(t *testing.T) {
|
|||||||
config.Config.ACLTokenTTL = 0
|
config.Config.ACLTokenTTL = 0
|
||||||
})
|
})
|
||||||
|
|
||||||
authz, err := r.ResolveTokenSecret("found")
|
authz, err := r.ResolveToken("found")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz)
|
require.NotNil(t, authz)
|
||||||
require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil))
|
require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil))
|
||||||
@ -1246,7 +1246,7 @@ func TestACLResolver_DownPolicy(t *testing.T) {
|
|||||||
requireIdentityCached(t, r, "found", true, "cached")
|
requireIdentityCached(t, r, "found", true, "cached")
|
||||||
|
|
||||||
// The identity should have been cached so this should still be valid
|
// The identity should have been cached so this should still be valid
|
||||||
authz2, err := r.ResolveTokenSecret("found")
|
authz2, err := r.ResolveToken("found")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz2)
|
require.NotNil(t, authz2)
|
||||||
verifyAuthorizerChain(t, authz, authz2)
|
verifyAuthorizerChain(t, authz, authz2)
|
||||||
@ -1254,7 +1254,7 @@ func TestACLResolver_DownPolicy(t *testing.T) {
|
|||||||
|
|
||||||
// the go routine spawned will eventually return and this will be a not found error
|
// the go routine spawned will eventually return and this will be a not found error
|
||||||
retry.Run(t, func(t *retry.R) {
|
retry.Run(t, func(t *retry.R) {
|
||||||
_, err := r.ResolveTokenSecret("found")
|
_, err := r.ResolveToken("found")
|
||||||
assert.Error(t, err)
|
assert.Error(t, err)
|
||||||
assert.True(t, acl.IsErrNotFound(err))
|
assert.True(t, acl.IsErrNotFound(err))
|
||||||
})
|
})
|
||||||
@ -1305,7 +1305,7 @@ func TestACLResolver_DownPolicy(t *testing.T) {
|
|||||||
})
|
})
|
||||||
|
|
||||||
// Prime the standard caches.
|
// Prime the standard caches.
|
||||||
authz, err := r.ResolveTokenSecret(secretID)
|
authz, err := r.ResolveToken(secretID)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz)
|
require.NotNil(t, authz)
|
||||||
require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil))
|
require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil))
|
||||||
@ -1319,7 +1319,7 @@ func TestACLResolver_DownPolicy(t *testing.T) {
|
|||||||
// during token resolve.
|
// during token resolve.
|
||||||
r.cache.RemovePolicy("dc2-key-wr")
|
r.cache.RemovePolicy("dc2-key-wr")
|
||||||
|
|
||||||
_, err = r.ResolveTokenSecret(secretID)
|
_, err = r.ResolveToken(secretID)
|
||||||
require.True(t, acl.IsErrNotFound(err))
|
require.True(t, acl.IsErrNotFound(err))
|
||||||
|
|
||||||
requireIdentityCached(t, r, secretID, false, "identity not found cached")
|
requireIdentityCached(t, r, secretID, false, "identity not found cached")
|
||||||
@ -1365,7 +1365,7 @@ func TestACLResolver_DownPolicy(t *testing.T) {
|
|||||||
})
|
})
|
||||||
|
|
||||||
// Prime the standard caches.
|
// Prime the standard caches.
|
||||||
authz, err := r.ResolveTokenSecret(secretID)
|
authz, err := r.ResolveToken(secretID)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz)
|
require.NotNil(t, authz)
|
||||||
require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil))
|
require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil))
|
||||||
@ -1379,7 +1379,7 @@ func TestACLResolver_DownPolicy(t *testing.T) {
|
|||||||
// during token resolve.
|
// during token resolve.
|
||||||
r.cache.RemovePolicy("dc2-key-wr")
|
r.cache.RemovePolicy("dc2-key-wr")
|
||||||
|
|
||||||
_, err = r.ResolveTokenSecret(secretID)
|
_, err = r.ResolveToken(secretID)
|
||||||
require.True(t, acl.IsErrPermissionDenied(err))
|
require.True(t, acl.IsErrPermissionDenied(err))
|
||||||
|
|
||||||
require.Nil(t, r.cache.GetIdentityWithSecretToken(secretID), "identity not stored at all")
|
require.Nil(t, r.cache.GetIdentityWithSecretToken(secretID), "identity not stored at all")
|
||||||
@ -1402,7 +1402,7 @@ func TestACLResolver_DatacenterScoping(t *testing.T) {
|
|||||||
}
|
}
|
||||||
r := newTestACLResolver(t, delegate, nil)
|
r := newTestACLResolver(t, delegate, nil)
|
||||||
|
|
||||||
authz, err := r.ResolveTokenSecret("found")
|
authz, err := r.ResolveToken("found")
|
||||||
require.NotNil(t, authz)
|
require.NotNil(t, authz)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.Equal(t, acl.Deny, authz.ACLRead(nil))
|
require.Equal(t, acl.Deny, authz.ACLRead(nil))
|
||||||
@ -1424,7 +1424,7 @@ func TestACLResolver_DatacenterScoping(t *testing.T) {
|
|||||||
config.Config.Datacenter = "dc2"
|
config.Config.Datacenter = "dc2"
|
||||||
})
|
})
|
||||||
|
|
||||||
authz, err := r.ResolveTokenSecret("found")
|
authz, err := r.ResolveToken("found")
|
||||||
require.NotNil(t, authz)
|
require.NotNil(t, authz)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.Equal(t, acl.Deny, authz.ACLRead(nil))
|
require.Equal(t, acl.Deny, authz.ACLRead(nil))
|
||||||
@ -1505,7 +1505,7 @@ func TestACLResolver_Client(t *testing.T) {
|
|||||||
// Must use the token secret here in order for the cached identity
|
// Must use the token secret here in order for the cached identity
|
||||||
// to be removed properly. Many other tests just resolve some other
|
// to be removed properly. Many other tests just resolve some other
|
||||||
// random name and it wont matter but this one cannot.
|
// random name and it wont matter but this one cannot.
|
||||||
authz, err := r.ResolveTokenSecret("a1a54629-5050-4d17-8a4e-560d2423f835")
|
authz, err := r.ResolveToken("a1a54629-5050-4d17-8a4e-560d2423f835")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz)
|
require.NotNil(t, authz)
|
||||||
require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil))
|
require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil))
|
||||||
@ -1522,7 +1522,7 @@ func TestACLResolver_Client(t *testing.T) {
|
|||||||
// then the policy will be resolved but resolution will return ACL not found
|
// then the policy will be resolved but resolution will return ACL not found
|
||||||
// resolution will stop with the not found error (even though we still have the
|
// resolution will stop with the not found error (even though we still have the
|
||||||
// policies within the cache)
|
// policies within the cache)
|
||||||
_, err = r.ResolveTokenSecret("a1a54629-5050-4d17-8a4e-560d2423f835")
|
_, err = r.ResolveToken("a1a54629-5050-4d17-8a4e-560d2423f835")
|
||||||
require.EqualError(t, err, acl.ErrNotFound.Error())
|
require.EqualError(t, err, acl.ErrNotFound.Error())
|
||||||
|
|
||||||
require.True(t, modified)
|
require.True(t, modified)
|
||||||
@ -1672,7 +1672,7 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega
|
|||||||
|
|
||||||
runTwiceAndReset("Missing Identity", func(t *testing.T) {
|
runTwiceAndReset("Missing Identity", func(t *testing.T) {
|
||||||
delegate.UseTestLocalData(nil)
|
delegate.UseTestLocalData(nil)
|
||||||
_, err := r.ResolveTokenSecret("doesn't exist")
|
_, err := r.ResolveToken("doesn't exist")
|
||||||
require.Error(t, err)
|
require.Error(t, err)
|
||||||
require.True(t, acl.IsErrNotFound(err))
|
require.True(t, acl.IsErrNotFound(err))
|
||||||
})
|
})
|
||||||
@ -1981,7 +1981,7 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega
|
|||||||
// to verify that the keys for caching synthetic policies don't bleed
|
// to verify that the keys for caching synthetic policies don't bleed
|
||||||
// over between each other.
|
// over between each other.
|
||||||
t.Run("synthetic-policy-1", func(t *testing.T) { // service identity
|
t.Run("synthetic-policy-1", func(t *testing.T) { // service identity
|
||||||
authz, err := r.ResolveTokenSecret("found-synthetic-policy-1")
|
authz, err := r.ResolveToken("found-synthetic-policy-1")
|
||||||
require.NotNil(t, authz)
|
require.NotNil(t, authz)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
// spot check some random perms
|
// spot check some random perms
|
||||||
@ -1995,7 +1995,7 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega
|
|||||||
require.Equal(t, acl.Allow, authz.NodeRead("any-node", nil))
|
require.Equal(t, acl.Allow, authz.NodeRead("any-node", nil))
|
||||||
})
|
})
|
||||||
t.Run("synthetic-policy-2", func(t *testing.T) { // service identity
|
t.Run("synthetic-policy-2", func(t *testing.T) { // service identity
|
||||||
authz, err := r.ResolveTokenSecret("found-synthetic-policy-2")
|
authz, err := r.ResolveToken("found-synthetic-policy-2")
|
||||||
require.NotNil(t, authz)
|
require.NotNil(t, authz)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
// spot check some random perms
|
// spot check some random perms
|
||||||
@ -2009,7 +2009,7 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega
|
|||||||
require.Equal(t, acl.Allow, authz.NodeRead("any-node", nil))
|
require.Equal(t, acl.Allow, authz.NodeRead("any-node", nil))
|
||||||
})
|
})
|
||||||
t.Run("synthetic-policy-3", func(t *testing.T) { // node identity
|
t.Run("synthetic-policy-3", func(t *testing.T) { // node identity
|
||||||
authz, err := r.ResolveTokenSecret("found-synthetic-policy-3")
|
authz, err := r.ResolveToken("found-synthetic-policy-3")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz)
|
require.NotNil(t, authz)
|
||||||
|
|
||||||
@ -2025,7 +2025,7 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega
|
|||||||
require.Equal(t, acl.Deny, authz.NodeWrite("test-node-dc2", nil))
|
require.Equal(t, acl.Deny, authz.NodeWrite("test-node-dc2", nil))
|
||||||
})
|
})
|
||||||
t.Run("synthetic-policy-4", func(t *testing.T) { // node identity
|
t.Run("synthetic-policy-4", func(t *testing.T) { // node identity
|
||||||
authz, err := r.ResolveTokenSecret("found-synthetic-policy-4")
|
authz, err := r.ResolveToken("found-synthetic-policy-4")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz)
|
require.NotNil(t, authz)
|
||||||
|
|
||||||
@ -2060,7 +2060,7 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega
|
|||||||
RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2},
|
RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2},
|
||||||
},
|
},
|
||||||
})
|
})
|
||||||
authz, err := r.ResolveTokenSecret("")
|
authz, err := r.ResolveToken("")
|
||||||
require.NotNil(t, authz)
|
require.NotNil(t, authz)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.Equal(t, acl.Deny, authz.ACLRead(nil))
|
require.Equal(t, acl.Deny, authz.ACLRead(nil))
|
||||||
@ -2084,7 +2084,7 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega
|
|||||||
RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2},
|
RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2},
|
||||||
},
|
},
|
||||||
})
|
})
|
||||||
authz, err := r.ResolveTokenSecret("with-intentions")
|
authz, err := r.ResolveToken("with-intentions")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz)
|
require.NotNil(t, authz)
|
||||||
require.Equal(t, acl.Allow, authz.ServiceRead("", nil))
|
require.Equal(t, acl.Allow, authz.ServiceRead("", nil))
|
||||||
@ -2165,7 +2165,7 @@ func TestACLResolver_AgentRecovery(t *testing.T) {
|
|||||||
|
|
||||||
tokens.UpdateAgentRecoveryToken("9a184a11-5599-459e-b71a-550e5f9a5a23", token.TokenSourceConfig)
|
tokens.UpdateAgentRecoveryToken("9a184a11-5599-459e-b71a-550e5f9a5a23", token.TokenSourceConfig)
|
||||||
|
|
||||||
authz, err := r.ResolveTokenSecret("9a184a11-5599-459e-b71a-550e5f9a5a23")
|
authz, err := r.ResolveToken("9a184a11-5599-459e-b71a-550e5f9a5a23")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz.ACLIdentity)
|
require.NotNil(t, authz.ACLIdentity)
|
||||||
require.Equal(t, "agent-recovery:foo", authz.ACLIdentity.ID())
|
require.Equal(t, "agent-recovery:foo", authz.ACLIdentity.ID())
|
||||||
@ -2189,7 +2189,7 @@ func TestACLResolver_ServerManagementToken(t *testing.T) {
|
|||||||
cfg.Config.NodeName = "foo"
|
cfg.Config.NodeName = "foo"
|
||||||
})
|
})
|
||||||
|
|
||||||
authz, err := r.ResolveTokenSecret(testToken)
|
authz, err := r.ResolveToken(testToken)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz.ACLIdentity)
|
require.NotNil(t, authz.ACLIdentity)
|
||||||
require.Equal(t, structs.ServerManagementTokenAccessorID, authz.ACLIdentity.ID())
|
require.Equal(t, structs.ServerManagementTokenAccessorID, authz.ACLIdentity.ID())
|
||||||
@ -2292,7 +2292,7 @@ func TestACLResolver_ResolveToken_UpdatesPurgeTheCache(t *testing.T) {
|
|||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
testutil.RunStep(t, "first resolve", func(t *testing.T) {
|
testutil.RunStep(t, "first resolve", func(t *testing.T) {
|
||||||
authz, err := srv.ACLResolver.ResolveTokenSecret(token)
|
authz, err := srv.ACLResolver.ResolveToken(token)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz)
|
require.NotNil(t, authz)
|
||||||
require.Equal(t, acl.Allow, authz.KeyRead("foo", nil))
|
require.Equal(t, acl.Allow, authz.KeyRead("foo", nil))
|
||||||
@ -2311,7 +2311,7 @@ func TestACLResolver_ResolveToken_UpdatesPurgeTheCache(t *testing.T) {
|
|||||||
err := msgpackrpc.CallWithCodec(codec, "ACL.PolicySet", &reqPolicy, &structs.ACLPolicy{})
|
err := msgpackrpc.CallWithCodec(codec, "ACL.PolicySet", &reqPolicy, &structs.ACLPolicy{})
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
authz, err := srv.ACLResolver.ResolveTokenSecret(token)
|
authz, err := srv.ACLResolver.ResolveToken(token)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, authz)
|
require.NotNil(t, authz)
|
||||||
require.Equal(t, acl.Deny, authz.KeyRead("foo", nil))
|
require.Equal(t, acl.Deny, authz.KeyRead("foo", nil))
|
||||||
@ -2327,7 +2327,7 @@ func TestACLResolver_ResolveToken_UpdatesPurgeTheCache(t *testing.T) {
|
|||||||
err := msgpackrpc.CallWithCodec(codec, "ACL.TokenDelete", &req, &resp)
|
err := msgpackrpc.CallWithCodec(codec, "ACL.TokenDelete", &req, &resp)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
_, err = srv.ACLResolver.ResolveTokenSecret(token)
|
_, err = srv.ACLResolver.ResolveToken(token)
|
||||||
require.True(t, acl.IsErrNotFound(err), "Error %v is not acl.ErrNotFound", err)
|
require.True(t, acl.IsErrNotFound(err), "Error %v is not acl.ErrNotFound", err)
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
@ -60,7 +60,7 @@ func (s *ConnectCA) ConfigurationGet(
|
|||||||
}
|
}
|
||||||
|
|
||||||
// This action requires operator read access.
|
// This action requires operator read access.
|
||||||
authz, err := s.srv.ResolveTokenSecret(args.Token)
|
authz, err := s.srv.ResolveToken(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -92,7 +92,7 @@ func (s *ConnectCA) ConfigurationSet(
|
|||||||
}
|
}
|
||||||
|
|
||||||
// This action requires operator write access.
|
// This action requires operator write access.
|
||||||
authz, err := s.srv.ResolveTokenSecret(args.Token)
|
authz, err := s.srv.ResolveToken(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -149,7 +149,7 @@ func (s *ConnectCA) Sign(
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
authz, err := s.srv.ResolveTokenSecret(args.Token)
|
authz, err := s.srv.ResolveToken(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -181,7 +181,7 @@ func (s *ConnectCA) SignIntermediate(
|
|||||||
}
|
}
|
||||||
|
|
||||||
// This action requires operator write access.
|
// This action requires operator write access.
|
||||||
authz, err := s.srv.ResolveTokenSecret(args.Token)
|
authz, err := s.srv.ResolveToken(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -58,7 +58,7 @@ func (c *FederationState) Apply(args *structs.FederationStateRequest, reply *boo
|
|||||||
defer metrics.MeasureSince([]string{"federation_state", "apply"}, time.Now())
|
defer metrics.MeasureSince([]string{"federation_state", "apply"}, time.Now())
|
||||||
|
|
||||||
// Fetch the ACL token, if any.
|
// Fetch the ACL token, if any.
|
||||||
authz, err := c.srv.ResolveTokenSecret(args.Token)
|
authz, err := c.srv.ResolveToken(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -104,7 +104,7 @@ func (c *FederationState) Get(args *structs.FederationStateQuery, reply *structs
|
|||||||
defer metrics.MeasureSince([]string{"federation_state", "get"}, time.Now())
|
defer metrics.MeasureSince([]string{"federation_state", "get"}, time.Now())
|
||||||
|
|
||||||
// Fetch the ACL token, if any.
|
// Fetch the ACL token, if any.
|
||||||
authz, err := c.srv.ResolveTokenSecret(args.Token)
|
authz, err := c.srv.ResolveToken(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -143,7 +143,7 @@ func (c *FederationState) List(args *structs.DCSpecificRequest, reply *structs.I
|
|||||||
defer metrics.MeasureSince([]string{"federation_state", "list"}, time.Now())
|
defer metrics.MeasureSince([]string{"federation_state", "list"}, time.Now())
|
||||||
|
|
||||||
// Fetch the ACL token, if any.
|
// Fetch the ACL token, if any.
|
||||||
authz, err := c.srv.ResolveTokenSecret(args.Token)
|
authz, err := c.srv.ResolveToken(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -780,7 +780,7 @@ func (m *Internal) KeyringOperation(
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Check ACLs
|
// Check ACLs
|
||||||
authz, err := m.srv.ACLResolver.ResolveTokenSecret(args.Token)
|
authz, err := m.srv.ACLResolver.ResolveToken(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -16,7 +16,7 @@ func (op *Operator) AutopilotGetConfiguration(args *structs.DCSpecificRequest, r
|
|||||||
}
|
}
|
||||||
|
|
||||||
// This action requires operator read access.
|
// This action requires operator read access.
|
||||||
authz, err := op.srv.ACLResolver.ResolveTokenSecret(args.Token)
|
authz, err := op.srv.ACLResolver.ResolveToken(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -49,7 +49,7 @@ func (op *Operator) AutopilotSetConfiguration(args *structs.AutopilotSetConfigRe
|
|||||||
}
|
}
|
||||||
|
|
||||||
// This action requires operator write access.
|
// This action requires operator write access.
|
||||||
authz, err := op.srv.ACLResolver.ResolveTokenSecret(args.Token)
|
authz, err := op.srv.ACLResolver.ResolveToken(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -81,7 +81,7 @@ func (op *Operator) ServerHealth(args *structs.DCSpecificRequest, reply *structs
|
|||||||
}
|
}
|
||||||
|
|
||||||
// This action requires operator read access.
|
// This action requires operator read access.
|
||||||
authz, err := op.srv.ACLResolver.ResolveTokenSecret(args.Token)
|
authz, err := op.srv.ACLResolver.ResolveToken(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -145,7 +145,7 @@ func (op *Operator) AutopilotState(args *structs.DCSpecificRequest, reply *autop
|
|||||||
}
|
}
|
||||||
|
|
||||||
// This action requires operator read access.
|
// This action requires operator read access.
|
||||||
authz, err := op.srv.ACLResolver.ResolveTokenSecret(args.Token)
|
authz, err := op.srv.ACLResolver.ResolveToken(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -18,7 +18,7 @@ func (op *Operator) RaftGetConfiguration(args *structs.DCSpecificRequest, reply
|
|||||||
}
|
}
|
||||||
|
|
||||||
// This action requires operator read access.
|
// This action requires operator read access.
|
||||||
authz, err := op.srv.ResolveTokenSecret(args.Token)
|
authz, err := op.srv.ResolveToken(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -80,7 +80,7 @@ func (op *Operator) RaftRemovePeerByAddress(args *structs.RaftRemovePeerRequest,
|
|||||||
|
|
||||||
// This is a super dangerous operation that requires operator write
|
// This is a super dangerous operation that requires operator write
|
||||||
// access.
|
// access.
|
||||||
authz, err := op.srv.ACLResolver.ResolveTokenSecret(args.Token)
|
authz, err := op.srv.ACLResolver.ResolveToken(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -133,7 +133,7 @@ func (op *Operator) RaftRemovePeerByID(args *structs.RaftRemovePeerRequest, repl
|
|||||||
|
|
||||||
// This is a super dangerous operation that requires operator write
|
// This is a super dangerous operation that requires operator write
|
||||||
// access.
|
// access.
|
||||||
authz, err := op.srv.ACLResolver.ResolveTokenSecret(args.Token)
|
authz, err := op.srv.ACLResolver.ResolveToken(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -78,7 +78,7 @@ func (p *PreparedQuery) Apply(args *structs.PreparedQueryRequest, reply *string)
|
|||||||
*reply = args.Query.ID
|
*reply = args.Query.ID
|
||||||
|
|
||||||
// Get the ACL token for the request for the checks below.
|
// Get the ACL token for the request for the checks below.
|
||||||
authz, err := p.srv.ResolveTokenSecret(args.Token)
|
authz, err := p.srv.ResolveToken(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -58,7 +58,7 @@ func (s *Server) dispatchSnapshotRequest(args *structs.SnapshotRequest, in io.Re
|
|||||||
// Verify token is allowed to operate on snapshots. There's only a
|
// Verify token is allowed to operate on snapshots. There's only a
|
||||||
// single ACL sense here (not read and write) since reading gets you
|
// single ACL sense here (not read and write) since reading gets you
|
||||||
// all the ACLs and you could escalate from there.
|
// all the ACLs and you could escalate from there.
|
||||||
if authz, err := s.ResolveTokenSecret(args.Token); err != nil {
|
if authz, err := s.ResolveToken(args.Token); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
} else if err := authz.ToAllowAuthorizer().SnapshotAllowed(nil); err != nil {
|
} else if err := authz.ToAllowAuthorizer().SnapshotAllowed(nil); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
@ -147,7 +147,7 @@ func (t *Txn) Apply(args *structs.TxnRequest, reply *structs.TxnResponse) error
|
|||||||
defer metrics.MeasureSince([]string{"txn", "apply"}, time.Now())
|
defer metrics.MeasureSince([]string{"txn", "apply"}, time.Now())
|
||||||
|
|
||||||
// Run the pre-checks before we send the transaction into Raft.
|
// Run the pre-checks before we send the transaction into Raft.
|
||||||
authz, err := t.srv.ResolveTokenSecret(args.Token)
|
authz, err := t.srv.ResolveToken(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -191,7 +191,7 @@ func (t *Txn) Read(args *structs.TxnReadRequest, reply *structs.TxnReadResponse)
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Run the pre-checks before we perform the read.
|
// Run the pre-checks before we perform the read.
|
||||||
authz, err := t.srv.ResolveTokenSecret(args.Token)
|
authz, err := t.srv.ResolveToken(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -103,11 +103,11 @@ type ProxyConfigSource interface {
|
|||||||
// A full description of the XDS protocol can be found at
|
// A full description of the XDS protocol can be found at
|
||||||
// https://www.envoyproxy.io/docs/envoy/latest/api-docs/xds_protocol
|
// https://www.envoyproxy.io/docs/envoy/latest/api-docs/xds_protocol
|
||||||
type Server struct {
|
type Server struct {
|
||||||
NodeName string
|
NodeName string
|
||||||
Logger hclog.Logger
|
Logger hclog.Logger
|
||||||
CfgSrc ProxyConfigSource
|
CfgSrc ProxyConfigSource
|
||||||
ResolveTokenSecret ACLResolverFunc
|
ResolveToken ACLResolverFunc
|
||||||
CfgFetcher ConfigFetcher
|
CfgFetcher ConfigFetcher
|
||||||
|
|
||||||
// AuthCheckFrequency is how often we should re-check the credentials used
|
// AuthCheckFrequency is how often we should re-check the credentials used
|
||||||
// during a long-lived gRPC Stream after it has been initially established.
|
// during a long-lived gRPC Stream after it has been initially established.
|
||||||
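Review bot: The exported `ResolveToken` field on `Server` carries no doc comment, while `AuthCheckFrequency` a few lines below it does, and the `NewServer` hunk that follows still initializes it from a parameter named `resolveTokenSecret`, so the field name and the value feeding it now disagree. Since this is an exported field that external code may set by name, a one-line comment recording what it resolves and that the name is intentionally stable would help the next maintainer, e.g. `// ResolveToken resolves an ACL token secret to an authorizer; the field name is part of this package's exported API and should stay as is.` The same parameter/field naming mismatch applies in the `NewServer` hunk. The struct definition continues outside the hunk.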
@ -164,7 +164,7 @@ func NewServer(
|
|||||||
NodeName: nodeName,
|
NodeName: nodeName,
|
||||||
Logger: logger,
|
Logger: logger,
|
||||||
CfgSrc: cfgMgr,
|
CfgSrc: cfgMgr,
|
||||||
ResolveTokenSecret: resolveTokenSecret,
|
ResolveToken: resolveTokenSecret,
|
||||||
CfgFetcher: cfgFetcher,
|
CfgFetcher: cfgFetcher,
|
||||||
AuthCheckFrequency: DefaultAuthCheckFrequency,
|
AuthCheckFrequency: DefaultAuthCheckFrequency,
|
||||||
activeStreams: &activeStreamCounters{},
|
activeStreams: &activeStreamCounters{},
|
||||||
@ -191,7 +191,7 @@ func (s *Server) authenticate(ctx context.Context) (acl.Authorizer, error) {
|
|||||||
return nil, status.Errorf(codes.Internal, "error fetching options from context: %v", err)
|
return nil, status.Errorf(codes.Internal, "error fetching options from context: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
authz, err := s.ResolveTokenSecret(options.Token)
|
authz, err := s.ResolveToken(options.Token)
|
||||||
if acl.IsErrNotFound(err) {
|
if acl.IsErrNotFound(err) {
|
||||||
return nil, status.Errorf(codes.Unauthenticated, "unauthenticated: %v", err)
|
return nil, status.Errorf(codes.Unauthenticated, "unauthenticated: %v", err)
|
||||||
} else if acl.IsErrPermissionDenied(err) {
|
} else if acl.IsErrPermissionDenied(err) {
|
||||||
|