diff --git a/consul/acl.go b/consul/acl.go index 4fe4bb725f..de305d04f5 100644 --- a/consul/acl.go +++ b/consul/acl.go @@ -389,9 +389,9 @@ func (f *aclFilter) filterPreparedQueries(queries *structs.PreparedQueries) { for _, query := range *queries { // If no prefix ACL applies to this query then filter it, since // we know at this point the user doesn't have a management - // token. - prefix := query.GetACLPrefix() - if prefix == nil || !f.acl.PreparedQueryRead(*prefix) { + // token, otherwise see what the policy says. + prefix, ok := query.GetACLPrefix() + if !ok || !f.acl.PreparedQueryRead(prefix) { f.logger.Printf("[DEBUG] consul: dropping prepared query %q from result due to ACLs", query.ID) continue } diff --git a/consul/prepared_query_endpoint.go b/consul/prepared_query_endpoint.go index e17773e2c4..7fc9ac86f5 100644 --- a/consul/prepared_query_endpoint.go +++ b/consul/prepared_query_endpoint.go @@ -65,8 +65,8 @@ func (p *PreparedQuery) Apply(args *structs.PreparedQueryRequest, reply *string) // If prefix ACLs apply to the incoming query, then do an ACL check. We // need to make sure they have write access for whatever they are // proposing. - if prefix := args.Query.GetACLPrefix(); prefix != nil { - if acl != nil && !acl.PreparedQueryWrite(*prefix) { + if prefix, ok := args.Query.GetACLPrefix(); ok { + if acl != nil && !acl.PreparedQueryWrite(prefix) { p.srv.logger.Printf("[WARN] consul.prepared_query: Operation on prepared query '%s' denied due to ACLs", args.Query.ID) return permissionDeniedErr } @@ -85,8 +85,8 @@ func (p *PreparedQuery) Apply(args *structs.PreparedQueryRequest, reply *string) return fmt.Errorf("Cannot modify non-existent prepared query: '%s'", args.Query.ID) } - if prefix := query.GetACLPrefix(); prefix != nil { - if acl != nil && !acl.PreparedQueryWrite(*prefix) { + if prefix, ok := query.GetACLPrefix(); ok { + if acl != nil && !acl.PreparedQueryWrite(prefix) { p.srv.logger.Printf("[WARN] consul.prepared_query: Operation on prepared query '%s' denied due to ACLs", args.Query.ID) return permissionDeniedErr } @@ -216,7 +216,7 @@ func (p *PreparedQuery) Get(args *structs.PreparedQuerySpecificRequest, // always allowed to see it if they have the ID. reply.Index = index reply.Queries = structs.PreparedQueries{query} - if prefix := query.GetACLPrefix(); prefix == nil { + if _, ok := query.GetACLPrefix(); !ok { return nil } diff --git a/consul/structs/prepared_query.go b/consul/structs/prepared_query.go index 7d57e49a14..6058ca50f1 100644 --- a/consul/structs/prepared_query.go +++ b/consul/structs/prepared_query.go @@ -73,13 +73,14 @@ type PreparedQuery struct { } // GetACLPrefix returns the prefix to look up the prepared_query ACL policy for -// this query, or nil if such a policy doesn't apply. -func (pq *PreparedQuery) GetACLPrefix() *string { +// this query, and whether the prefix applies to this query. You always need to +// check the ok value before using the prefix. +func (pq *PreparedQuery) GetACLPrefix() (string, bool) { if pq.Name != "" { - return &pq.Name + return pq.Name, true } - return nil + return "", false } type PreparedQueries []*PreparedQuery diff --git a/consul/structs/prepared_query_test.go b/consul/structs/prepared_query_test.go index 4de25d2a30..b80fff8976 100644 --- a/consul/structs/prepared_query_test.go +++ b/consul/structs/prepared_query_test.go @@ -6,12 +6,12 @@ import ( func TestStructs_PreparedQuery_GetACLPrefix(t *testing.T) { ephemeral := &PreparedQuery{} - if prefix := ephemeral.GetACLPrefix(); prefix != nil { - t.Fatalf("bad: %#v", prefix) + if prefix, ok := ephemeral.GetACLPrefix(); ok { + t.Fatalf("bad: %s", prefix) } named := &PreparedQuery{Name: "hello"} - if prefix := named.GetACLPrefix(); prefix == nil || *prefix != "hello" { + if prefix, ok := named.GetACLPrefix(); !ok || prefix != "hello" { t.Fatalf("bad: %#v", prefix) } }