mirror of https://github.com/status-im/consul.git
Merge pull request #12250 from hashicorp/dnephin/acl-resolver-safer-identity
acl: un-embed ACLIdentity
This commit is contained in:
commit
2ef26f48b8
|
@ -39,6 +39,12 @@ type TestACLAgent struct {
|
||||||
func NewTestACLAgent(t *testing.T, name string, hcl string, resolveAuthz authzResolver, resolveIdent identResolver) *TestACLAgent {
|
func NewTestACLAgent(t *testing.T, name string, hcl string, resolveAuthz authzResolver, resolveIdent identResolver) *TestACLAgent {
|
||||||
t.Helper()
|
t.Helper()
|
||||||
|
|
||||||
|
if resolveIdent == nil {
|
||||||
|
resolveIdent = func(s string) (structs.ACLIdentity, error) {
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
a := &TestACLAgent{resolveAuthzFn: resolveAuthz, resolveIdentFn: resolveIdent}
|
a := &TestACLAgent{resolveAuthzFn: resolveAuthz, resolveIdentFn: resolveIdent}
|
||||||
|
|
||||||
dataDir := testutil.TempDir(t, "acl-agent")
|
dataDir := testutil.TempDir(t, "acl-agent")
|
||||||
|
|
|
@ -1120,7 +1120,7 @@ func (r *ACLResolver) ResolveToken(token string) (ACLResolveResult, error) {
|
||||||
type ACLResolveResult struct {
|
type ACLResolveResult struct {
|
||||||
acl.Authorizer
|
acl.Authorizer
|
||||||
// TODO: likely we can reduce this interface
|
// TODO: likely we can reduce this interface
|
||||||
structs.ACLIdentity
|
ACLIdentity structs.ACLIdentity
|
||||||
}
|
}
|
||||||
|
|
||||||
func (a ACLResolveResult) AccessorID() string {
|
func (a ACLResolveResult) AccessorID() string {
|
||||||
|
@ -1130,6 +1130,10 @@ func (a ACLResolveResult) AccessorID() string {
|
||||||
return a.ACLIdentity.ID()
|
return a.ACLIdentity.ID()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (a ACLResolveResult) Identity() structs.ACLIdentity {
|
||||||
|
return a.ACLIdentity
|
||||||
|
}
|
||||||
|
|
||||||
func (r *ACLResolver) ACLsEnabled() bool {
|
func (r *ACLResolver) ACLsEnabled() bool {
|
||||||
// Whether we desire ACLs to be enabled according to configuration
|
// Whether we desire ACLs to be enabled according to configuration
|
||||||
if !r.config.ACLsEnabled {
|
if !r.config.ACLsEnabled {
|
||||||
|
|
|
@ -437,7 +437,7 @@ func (m *Internal) KeyringOperation(
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := m.srv.validateEnterpriseToken(authz.ACLIdentity); err != nil {
|
if err := m.srv.validateEnterpriseToken(authz.Identity()); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
switch args.Operation {
|
switch args.Operation {
|
||||||
|
|
|
@ -21,7 +21,7 @@ func (op *Operator) AutopilotGetConfiguration(args *structs.DCSpecificRequest, r
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := op.srv.validateEnterpriseToken(authz.ACLIdentity); err != nil {
|
if err := op.srv.validateEnterpriseToken(authz.Identity()); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if authz.OperatorRead(nil) != acl.Allow {
|
if authz.OperatorRead(nil) != acl.Allow {
|
||||||
|
@ -53,7 +53,7 @@ func (op *Operator) AutopilotSetConfiguration(args *structs.AutopilotSetConfigRe
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := op.srv.validateEnterpriseToken(authz.ACLIdentity); err != nil {
|
if err := op.srv.validateEnterpriseToken(authz.Identity()); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if authz.OperatorWrite(nil) != acl.Allow {
|
if authz.OperatorWrite(nil) != acl.Allow {
|
||||||
|
@ -88,7 +88,7 @@ func (op *Operator) ServerHealth(args *structs.DCSpecificRequest, reply *structs
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := op.srv.validateEnterpriseToken(authz.ACLIdentity); err != nil {
|
if err := op.srv.validateEnterpriseToken(authz.Identity()); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if authz.OperatorRead(nil) != acl.Allow {
|
if authz.OperatorRead(nil) != acl.Allow {
|
||||||
|
@ -155,7 +155,7 @@ func (op *Operator) AutopilotState(args *structs.DCSpecificRequest, reply *autop
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := op.srv.validateEnterpriseToken(authz.ACLIdentity); err != nil {
|
if err := op.srv.validateEnterpriseToken(authz.Identity()); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if authz.OperatorRead(nil) != acl.Allow {
|
if authz.OperatorRead(nil) != acl.Allow {
|
||||||
|
|
|
@ -85,7 +85,7 @@ func (op *Operator) RaftRemovePeerByAddress(args *structs.RaftRemovePeerRequest,
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := op.srv.validateEnterpriseToken(authz.ACLIdentity); err != nil {
|
if err := op.srv.validateEnterpriseToken(authz.Identity()); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if authz.OperatorWrite(nil) != acl.Allow {
|
if authz.OperatorWrite(nil) != acl.Allow {
|
||||||
|
@ -138,7 +138,7 @@ func (op *Operator) RaftRemovePeerByID(args *structs.RaftRemovePeerRequest, repl
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := op.srv.validateEnterpriseToken(authz.ACLIdentity); err != nil {
|
if err := op.srv.validateEnterpriseToken(authz.Identity()); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if authz.OperatorWrite(nil) != acl.Allow {
|
if authz.OperatorWrite(nil) != acl.Allow {
|
||||||
|
|
Loading…
Reference in New Issue