From 4f5477ccfa17b087e8d473aa7c87543030729b7f Mon Sep 17 00:00:00 2001
From: Daniel Nephin
Date: Fri, 30 Jul 2021 12:55:04 -0400
Subject: [PATCH] acl: move vet functions

These functions are moved to the one place they are called to improve code locality. They are being moved out of agent/consul/acl.go in preparation for moving ACLResolver to an acl package.
---
 agent/consul/acl.go | 42 ------------------------------------
 agent/consul/txn_endpoint.go | 30 ++++++++++++++++++++++++++
 2 files changed, 30 insertions(+), 42 deletions(-)

diff --git a/agent/consul/acl.go b/agent/consul/acl.go
index b53d502104..99711cb27a 100644
--- a/agent/consul/acl.go
+++ b/agent/consul/acl.go
@@ -2048,45 +2048,3 @@ func (r *ACLResolver) filterACL(token string, subj interface{}) error {
 return r.filterACLWithAuthorizer(authorizer, subj)
 }
-
-// vetNodeTxnOp applies the given ACL policy to a node transaction operation.
-func vetNodeTxnOp(op *structs.TxnNodeOp, rule acl.Authorizer) error {
- // Fast path if ACLs are not enabled.
- if rule == nil {
- return nil
- }
-
- var authzContext acl.AuthorizerContext
- op.FillAuthzContext(&authzContext)
-
- if rule.NodeWrite(op.Node.Node, &authzContext) != acl.Allow {
- return acl.ErrPermissionDenied
- }
-
- return nil
-}
-
-// vetCheckTxnOp applies the given ACL policy to a check transaction operation.
-func vetCheckTxnOp(op *structs.TxnCheckOp, rule acl.Authorizer) error {
- // Fast path if ACLs are not enabled.
- if rule == nil {
- return nil
- }
-
- var authzContext acl.AuthorizerContext
- op.FillAuthzContext(&authzContext)
-
- if op.Check.ServiceID == "" {
- // Node-level check.
- if rule.NodeWrite(op.Check.Node, &authzContext) != acl.Allow {
- return acl.ErrPermissionDenied
- }
- } else {
- // Service-level check.
- if rule.ServiceWrite(op.Check.ServiceName, &authzContext) != acl.Allow {
- return acl.ErrPermissionDenied
- }
- }
-
- return nil
-}
diff --git a/agent/consul/txn_endpoint.go b/agent/consul/txn_endpoint.go
index 2f0081ee59..f9d15bf730 100644
--- a/agent/consul/txn_endpoint.go
+++ b/agent/consul/txn_endpoint.go
@@ -108,6 +108,36 @@ func (t *Txn) preCheck(authorizer acl.Authorizer, ops structs.TxnOps) structs.Tx
 return errors
 }
 
+// vetNodeTxnOp applies the given ACL policy to a node transaction operation.
+func vetNodeTxnOp(op *structs.TxnNodeOp, rule acl.Authorizer) error {
+ var authzContext acl.AuthorizerContext
+ op.FillAuthzContext(&authzContext)
+
+ if rule.NodeWrite(op.Node.Node, &authzContext) != acl.Allow {
+ return acl.ErrPermissionDenied
+ }
+ return nil
+}
+
+// vetCheckTxnOp applies the given ACL policy to a check transaction operation.
+func vetCheckTxnOp(op *structs.TxnCheckOp, rule acl.Authorizer) error {
+ var authzContext acl.AuthorizerContext
+ op.FillAuthzContext(&authzContext)
+
+ if op.Check.ServiceID == "" {
+ // Node-level check.
+ if rule.NodeWrite(op.Check.Node, &authzContext) != acl.Allow {
+ return acl.ErrPermissionDenied
+ }
+ } else {
+ // Service-level check.
+ if rule.ServiceWrite(op.Check.ServiceName, &authzContext) != acl.Allow {
+ return acl.ErrPermissionDenied
+ }
+ }
+ return nil
+}
+
 // Apply is used to apply multiple operations in a single, atomic transaction.
 func (t *Txn) Apply(args *structs.TxnRequest, reply *structs.TxnResponse) error {
 if done, err := t.srv.ForwardRPC("Txn.Apply", args, reply); done {
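Review bot: The moved vetNodeTxnOp and vetCheckTxnOp drop the `if rule == nil { return nil }` fast path that the deleted acl.go versions carried, so this hunk is a behaviour change, not a pure move: with a nil acl.Authorizer the calls `rule.NodeWrite(...)` and `rule.ServiceWrite(...)` now panic on a nil interface instead of allowing the operation. That is only safe if preCheck, whose body begins above this hunk, never reaches these helpers with a nil authorizer (for example because it skips vetting when ACLs are disabled), which cannot be confirmed from what is visible here. If that precondition holds, state it on both functions, e.g. `// rule must be non-nil; preCheck only calls this once it has a resolved authorizer.`, and mention the dropped fast path in the commit message; otherwise keep the guard. Note that silently allowing on nil was the fail-open side, so if the guard is reinstated it should be paired with an explicit ACLs-disabled check rather than a bare nil test.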