mirror of
https://github.com/status-im/consul.git
synced 2025-01-10 22:06:20 +00:00
Moves ACL disabled response logic down into endpoints.
This lets us make the registration of endpoints less fancy, on the road to adding a registration mechanism.
This commit is contained in:
parent
521e46ce91
commit
29367cd5ae
@ -14,16 +14,24 @@ type aclCreateResponse struct {
|
|||||||
ID string
|
ID string
|
||||||
}
|
}
|
||||||
|
|
||||||
// ACLDisabled handles if ACL datacenter is not configured
|
// checkACLDisabled will return a standard response if ACLs are disabled. This
|
||||||
func ACLDisabled(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
// returns true if they are disabled and we should not continue.
|
||||||
|
func (s *HTTPServer) checkACLDisabled(resp http.ResponseWriter, req *http.Request) bool {
|
||||||
|
if s.agent.config.ACLDatacenter != "" {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
resp.WriteHeader(http.StatusUnauthorized)
|
resp.WriteHeader(http.StatusUnauthorized)
|
||||||
fmt.Fprint(resp, "ACL support disabled")
|
fmt.Fprint(resp, "ACL support disabled")
|
||||||
return nil, nil
|
return true
|
||||||
}
|
}
|
||||||
|
|
||||||
// ACLBootstrap is used to perform a one-time ACL bootstrap operation on
|
// ACLBootstrap is used to perform a one-time ACL bootstrap operation on
|
||||||
// a cluster to get the first management token.
|
// a cluster to get the first management token.
|
||||||
func (s *HTTPServer) ACLBootstrap(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
func (s *HTTPServer) ACLBootstrap(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
||||||
|
if s.checkACLDisabled(resp, req) {
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
if req.Method != "PUT" {
|
if req.Method != "PUT" {
|
||||||
return nil, MethodNotAllowedError{req.Method, []string{"PUT"}}
|
return nil, MethodNotAllowedError{req.Method, []string{"PUT"}}
|
||||||
}
|
}
|
||||||
@ -48,6 +56,9 @@ func (s *HTTPServer) ACLBootstrap(resp http.ResponseWriter, req *http.Request) (
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (s *HTTPServer) ACLDestroy(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
func (s *HTTPServer) ACLDestroy(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
||||||
|
if s.checkACLDisabled(resp, req) {
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
if req.Method != "PUT" {
|
if req.Method != "PUT" {
|
||||||
return nil, MethodNotAllowedError{req.Method, []string{"PUT"}}
|
return nil, MethodNotAllowedError{req.Method, []string{"PUT"}}
|
||||||
}
|
}
|
||||||
@ -74,6 +85,9 @@ func (s *HTTPServer) ACLDestroy(resp http.ResponseWriter, req *http.Request) (in
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (s *HTTPServer) ACLCreate(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
func (s *HTTPServer) ACLCreate(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
||||||
|
if s.checkACLDisabled(resp, req) {
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
if req.Method != "PUT" {
|
if req.Method != "PUT" {
|
||||||
return nil, MethodNotAllowedError{req.Method, []string{"PUT"}}
|
return nil, MethodNotAllowedError{req.Method, []string{"PUT"}}
|
||||||
}
|
}
|
||||||
@ -81,6 +95,9 @@ func (s *HTTPServer) ACLCreate(resp http.ResponseWriter, req *http.Request) (int
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (s *HTTPServer) ACLUpdate(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
func (s *HTTPServer) ACLUpdate(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
||||||
|
if s.checkACLDisabled(resp, req) {
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
if req.Method != "PUT" {
|
if req.Method != "PUT" {
|
||||||
return nil, MethodNotAllowedError{req.Method, []string{"PUT"}}
|
return nil, MethodNotAllowedError{req.Method, []string{"PUT"}}
|
||||||
}
|
}
|
||||||
@ -129,6 +146,9 @@ func (s *HTTPServer) aclSet(resp http.ResponseWriter, req *http.Request, update
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (s *HTTPServer) ACLClone(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
func (s *HTTPServer) ACLClone(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
||||||
|
if s.checkACLDisabled(resp, req) {
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
if req.Method != "PUT" {
|
if req.Method != "PUT" {
|
||||||
return nil, MethodNotAllowedError{req.Method, []string{"PUT"}}
|
return nil, MethodNotAllowedError{req.Method, []string{"PUT"}}
|
||||||
}
|
}
|
||||||
@ -181,6 +201,9 @@ func (s *HTTPServer) ACLClone(resp http.ResponseWriter, req *http.Request) (inte
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (s *HTTPServer) ACLGet(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
func (s *HTTPServer) ACLGet(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
||||||
|
if s.checkACLDisabled(resp, req) {
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
if req.Method != "GET" {
|
if req.Method != "GET" {
|
||||||
return nil, MethodNotAllowedError{req.Method, []string{"GET"}}
|
return nil, MethodNotAllowedError{req.Method, []string{"GET"}}
|
||||||
}
|
}
|
||||||
@ -215,6 +238,9 @@ func (s *HTTPServer) ACLGet(resp http.ResponseWriter, req *http.Request) (interf
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (s *HTTPServer) ACLList(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
func (s *HTTPServer) ACLList(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
||||||
|
if s.checkACLDisabled(resp, req) {
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
if req.Method != "GET" {
|
if req.Method != "GET" {
|
||||||
return nil, MethodNotAllowedError{req.Method, []string{"GET"}}
|
return nil, MethodNotAllowedError{req.Method, []string{"GET"}}
|
||||||
}
|
}
|
||||||
@ -241,6 +267,9 @@ func (s *HTTPServer) ACLList(resp http.ResponseWriter, req *http.Request) (inter
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (s *HTTPServer) ACLReplicationStatus(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
func (s *HTTPServer) ACLReplicationStatus(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
||||||
|
if s.checkACLDisabled(resp, req) {
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
if req.Method != "GET" {
|
if req.Method != "GET" {
|
||||||
return nil, MethodNotAllowedError{req.Method, []string{"GET"}}
|
return nil, MethodNotAllowedError{req.Method, []string{"GET"}}
|
||||||
}
|
}
|
||||||
|
@ -3,14 +3,53 @@ package agent
|
|||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
|
"fmt"
|
||||||
"net/http"
|
"net/http"
|
||||||
"net/http/httptest"
|
"net/http/httptest"
|
||||||
|
"strings"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"github.com/hashicorp/consul/acl"
|
"github.com/hashicorp/consul/acl"
|
||||||
"github.com/hashicorp/consul/agent/structs"
|
"github.com/hashicorp/consul/agent/structs"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
func TestACL_Disabled_Response(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
a := NewTestAgent(t.Name(), "")
|
||||||
|
defer a.Shutdown()
|
||||||
|
|
||||||
|
tests := []func(resp http.ResponseWriter, req *http.Request) (interface{}, error){
|
||||||
|
a.srv.ACLBootstrap,
|
||||||
|
a.srv.ACLDestroy,
|
||||||
|
a.srv.ACLCreate,
|
||||||
|
a.srv.ACLUpdate,
|
||||||
|
a.srv.ACLClone,
|
||||||
|
a.srv.ACLGet,
|
||||||
|
a.srv.ACLList,
|
||||||
|
a.srv.ACLReplicationStatus,
|
||||||
|
a.srv.AgentToken, // See TestAgent_Token.
|
||||||
|
}
|
||||||
|
for i, tt := range tests {
|
||||||
|
t.Run(fmt.Sprintf("%d", i), func(t *testing.T) {
|
||||||
|
req, _ := http.NewRequest("PUT", "/should/not/care", nil)
|
||||||
|
resp := httptest.NewRecorder()
|
||||||
|
obj, err := tt(resp, req)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("err: %v", err)
|
||||||
|
}
|
||||||
|
if obj != nil {
|
||||||
|
t.Fatalf("bad: %#v", obj)
|
||||||
|
}
|
||||||
|
if got, want := resp.Code, http.StatusUnauthorized; got != want {
|
||||||
|
t.Fatalf("got %d want %d", got, want)
|
||||||
|
}
|
||||||
|
if !strings.Contains(resp.Body.String(), "ACL support disabled") {
|
||||||
|
t.Fatalf("bad: %#v", resp)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func makeTestACL(t *testing.T, srv *HTTPServer) string {
|
func makeTestACL(t *testing.T, srv *HTTPServer) string {
|
||||||
body := bytes.NewBuffer(nil)
|
body := bytes.NewBuffer(nil)
|
||||||
enc := json.NewEncoder(body)
|
enc := json.NewEncoder(body)
|
||||||
|
@ -809,6 +809,9 @@ func (h *httpLogHandler) HandleLog(log string) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (s *HTTPServer) AgentToken(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
func (s *HTTPServer) AgentToken(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
||||||
|
if s.checkACLDisabled(resp, req) {
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
if req.Method != "PUT" {
|
if req.Method != "PUT" {
|
||||||
return nil, MethodNotAllowedError{req.Method, []string{"PUT"}}
|
return nil, MethodNotAllowedError{req.Method, []string{"PUT"}}
|
||||||
}
|
}
|
||||||
|
@ -1771,6 +1771,10 @@ func TestAgent_Monitor_ACLDeny(t *testing.T) {
|
|||||||
|
|
||||||
func TestAgent_Token(t *testing.T) {
|
func TestAgent_Token(t *testing.T) {
|
||||||
t.Parallel()
|
t.Parallel()
|
||||||
|
|
||||||
|
// The behavior of this handler when ACLs are disabled is vetted over
|
||||||
|
// in TestACL_Disabled_Response since there's already good infra set
|
||||||
|
// up over there to test this, and it calls the common function.
|
||||||
a := NewTestAgent(t.Name(), TestACLConfig()+`
|
a := NewTestAgent(t.Name(), TestACLConfig()+`
|
||||||
acl_token = ""
|
acl_token = ""
|
||||||
acl_agent_token = ""
|
acl_agent_token = ""
|
||||||
|
@ -77,7 +77,6 @@ func (s *HTTPServer) handler(enableDebug bool) http.Handler {
|
|||||||
mux.HandleFunc("/", s.Index)
|
mux.HandleFunc("/", s.Index)
|
||||||
|
|
||||||
// API V1.
|
// API V1.
|
||||||
if s.agent.config.ACLDatacenter != "" {
|
|
||||||
handleFuncMetrics("/v1/acl/bootstrap", s.wrap(s.ACLBootstrap))
|
handleFuncMetrics("/v1/acl/bootstrap", s.wrap(s.ACLBootstrap))
|
||||||
handleFuncMetrics("/v1/acl/create", s.wrap(s.ACLCreate))
|
handleFuncMetrics("/v1/acl/create", s.wrap(s.ACLCreate))
|
||||||
handleFuncMetrics("/v1/acl/update", s.wrap(s.ACLUpdate))
|
handleFuncMetrics("/v1/acl/update", s.wrap(s.ACLUpdate))
|
||||||
@ -87,17 +86,6 @@ func (s *HTTPServer) handler(enableDebug bool) http.Handler {
|
|||||||
handleFuncMetrics("/v1/acl/list", s.wrap(s.ACLList))
|
handleFuncMetrics("/v1/acl/list", s.wrap(s.ACLList))
|
||||||
handleFuncMetrics("/v1/acl/replication", s.wrap(s.ACLReplicationStatus))
|
handleFuncMetrics("/v1/acl/replication", s.wrap(s.ACLReplicationStatus))
|
||||||
handleFuncMetrics("/v1/agent/token/", s.wrap(s.AgentToken))
|
handleFuncMetrics("/v1/agent/token/", s.wrap(s.AgentToken))
|
||||||
} else {
|
|
||||||
handleFuncMetrics("/v1/acl/bootstrap", s.wrap(ACLDisabled))
|
|
||||||
handleFuncMetrics("/v1/acl/create", s.wrap(ACLDisabled))
|
|
||||||
handleFuncMetrics("/v1/acl/update", s.wrap(ACLDisabled))
|
|
||||||
handleFuncMetrics("/v1/acl/destroy/", s.wrap(ACLDisabled))
|
|
||||||
handleFuncMetrics("/v1/acl/info/", s.wrap(ACLDisabled))
|
|
||||||
handleFuncMetrics("/v1/acl/clone/", s.wrap(ACLDisabled))
|
|
||||||
handleFuncMetrics("/v1/acl/list", s.wrap(ACLDisabled))
|
|
||||||
handleFuncMetrics("/v1/acl/replication", s.wrap(ACLDisabled))
|
|
||||||
handleFuncMetrics("/v1/agent/token/", s.wrap(ACLDisabled))
|
|
||||||
}
|
|
||||||
handleFuncMetrics("/v1/agent/self", s.wrap(s.AgentSelf))
|
handleFuncMetrics("/v1/agent/self", s.wrap(s.AgentSelf))
|
||||||
handleFuncMetrics("/v1/agent/maintenance", s.wrap(s.AgentNodeMaintenance))
|
handleFuncMetrics("/v1/agent/maintenance", s.wrap(s.AgentNodeMaintenance))
|
||||||
handleFuncMetrics("/v1/agent/reload", s.wrap(s.AgentReload))
|
handleFuncMetrics("/v1/agent/reload", s.wrap(s.AgentReload))
|
||||||
|
Loading…
x
Reference in New Issue
Block a user