Allow service identity tokens the ability to read jwt-providers (#17893)

* Allow service identity tokens the ability to read jwt-providers * more tests * service_prefix tests
2023-06-27 12:03:43 -04:00 · 2023-06-27 12:03:43 -04:00 · 767ef2dd4c
parent 601490b9ab
commit 767ef2dd4c
2 changed files with 27 additions and 0 deletions
--- a/agent/structs/config_entry_jwt_provider.go
+++ b/agent/structs/config_entry_jwt_provider.go
@ -316,6 +316,15 @@ func (e *JWTProviderConfigEntry) GetRaftIndex() *RaftIndex               { retur
 func (e *JWTProviderConfigEntry) CanRead(authz acl.Authorizer) error {
 	var authzContext acl.AuthorizerContext
 	e.FillAuthzContext(&authzContext)
+
+	// allow service-identity tokens the ability to read jwt-providers
+	// this is a workaround to allow sidecar proxies to read the jwt-providers
+	// see issue: https://github.com/hashicorp/consul/issues/17886 for more details
+	err := authz.ToAllowAuthorizer().ServiceWriteAnyAllowed(&authzContext)
+	if err == nil {
+		return err
+	}
+
 	return authz.ToAllowAuthorizer().MeshReadAllowed(&authzContext)
 }

--- a/agent/structs/config_entry_jwt_provider_test.go
+++ b/agent/structs/config_entry_jwt_provider_test.go
@ -338,6 +338,24 @@ func TestJWTProviderConfigEntry_ACLs(t *testing.T) {
 					canRead:    false,
 					canWrite:   false,
 				},
+				{
+					name:       "jwt-provider: any service write",
+					authorizer: newTestAuthz(t, `service "" { policy = "write" }`),
+					canRead:    true,
+					canWrite:   false,
+				},
+				{
+					name:       "jwt-provider: specific service write",
+					authorizer: newTestAuthz(t, `service "web" { policy = "write" }`),
+					canRead:    true,
+					canWrite:   false,
+				},
+				{
+					name:       "jwt-provider: any service prefix write",
+					authorizer: newTestAuthz(t, `service_prefix "" { policy = "write" }`),
+					canRead:    true,
+					canWrite:   false,
+				},
 				{
 					name:       "jwt-provider: mesh read",
 					authorizer: newTestAuthz(t, `mesh = "read"`),