mirror of
https://github.com/status-im/consul.git
synced 2025-01-24 20:51:10 +00:00
Merge pull request #10792 from hashicorp/dnephin/rename-authz-vars
acl: use authz consistently as the variable name for an acl.Authorizer
This commit is contained in:
commit
887d11923b
@ -141,7 +141,7 @@ func (a *Agent) vetCheckUpdateWithAuthorizer(authz acl.Authorizer, checkID struc
|
|||||||
// filterMembers redacts members that the token doesn't have access to.
|
// filterMembers redacts members that the token doesn't have access to.
|
||||||
func (a *Agent) filterMembers(token string, members *[]serf.Member) error {
|
func (a *Agent) filterMembers(token string, members *[]serf.Member) error {
|
||||||
// Resolve the token and bail if ACLs aren't enabled.
|
// Resolve the token and bail if ACLs aren't enabled.
|
||||||
rule, err := a.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
|
authz, err := a.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -152,7 +152,7 @@ func (a *Agent) filterMembers(token string, members *[]serf.Member) error {
|
|||||||
m := *members
|
m := *members
|
||||||
for i := 0; i < len(m); i++ {
|
for i := 0; i < len(m); i++ {
|
||||||
node := m[i].Name
|
node := m[i].Name
|
||||||
if rule.NodeRead(node, &authzContext) == acl.Allow {
|
if authz.NodeRead(node, &authzContext) == acl.Allow {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
accessorID := a.aclAccessorID(token)
|
accessorID := a.aclAccessorID(token)
|
||||||
|
@ -104,13 +104,13 @@ func (s *HTTPHandlers) ACLRulesTranslate(resp http.ResponseWriter, req *http.Req
|
|||||||
|
|
||||||
var token string
|
var token string
|
||||||
s.parseToken(req, &token)
|
s.parseToken(req, &token)
|
||||||
rule, err := s.agent.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
|
authz, err := s.agent.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
// Should this require lesser permissions? Really the only reason to require authorization at all is
|
// Should this require lesser permissions? Really the only reason to require authorization at all is
|
||||||
// to prevent external entities from DoS Consul with repeated rule translation requests
|
// to prevent external entities from DoS Consul with repeated rule translation requests
|
||||||
if rule.ACLRead(nil) != acl.Allow {
|
if authz.ACLRead(nil) != acl.Allow {
|
||||||
return nil, acl.ErrPermissionDenied
|
return nil, acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -51,11 +51,11 @@ func (s *HTTPHandlers) AgentSelf(resp http.ResponseWriter, req *http.Request) (i
|
|||||||
// Fetch the ACL token, if any, and enforce agent policy.
|
// Fetch the ACL token, if any, and enforce agent policy.
|
||||||
var token string
|
var token string
|
||||||
s.parseToken(req, &token)
|
s.parseToken(req, &token)
|
||||||
rule, err := s.agent.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
|
authz, err := s.agent.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
if rule.AgentRead(s.agent.config.NodeName, nil) != acl.Allow {
|
if authz.AgentRead(s.agent.config.NodeName, nil) != acl.Allow {
|
||||||
return nil, acl.ErrPermissionDenied
|
return nil, acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -140,11 +140,11 @@ func (s *HTTPHandlers) AgentMetrics(resp http.ResponseWriter, req *http.Request)
|
|||||||
// Fetch the ACL token, if any, and enforce agent policy.
|
// Fetch the ACL token, if any, and enforce agent policy.
|
||||||
var token string
|
var token string
|
||||||
s.parseToken(req, &token)
|
s.parseToken(req, &token)
|
||||||
rule, err := s.agent.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
|
authz, err := s.agent.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
if rule.AgentRead(s.agent.config.NodeName, nil) != acl.Allow {
|
if authz.AgentRead(s.agent.config.NodeName, nil) != acl.Allow {
|
||||||
return nil, acl.ErrPermissionDenied
|
return nil, acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
if enablePrometheusOutput(req) {
|
if enablePrometheusOutput(req) {
|
||||||
@ -171,11 +171,11 @@ func (s *HTTPHandlers) AgentMetricsStream(resp http.ResponseWriter, req *http.Re
|
|||||||
// Fetch the ACL token, if any, and enforce agent policy.
|
// Fetch the ACL token, if any, and enforce agent policy.
|
||||||
var token string
|
var token string
|
||||||
s.parseToken(req, &token)
|
s.parseToken(req, &token)
|
||||||
rule, err := s.agent.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
|
authz, err := s.agent.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
|
||||||
switch {
|
switch {
|
||||||
case err != nil:
|
case err != nil:
|
||||||
return nil, err
|
return nil, err
|
||||||
case rule.AgentRead(s.agent.config.NodeName, nil) != acl.Allow:
|
case authz.AgentRead(s.agent.config.NodeName, nil) != acl.Allow:
|
||||||
return nil, acl.ErrPermissionDenied
|
return nil, acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -220,11 +220,11 @@ func (s *HTTPHandlers) AgentReload(resp http.ResponseWriter, req *http.Request)
|
|||||||
// Fetch the ACL token, if any, and enforce agent policy.
|
// Fetch the ACL token, if any, and enforce agent policy.
|
||||||
var token string
|
var token string
|
||||||
s.parseToken(req, &token)
|
s.parseToken(req, &token)
|
||||||
rule, err := s.agent.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
|
authz, err := s.agent.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
if rule.AgentWrite(s.agent.config.NodeName, nil) != acl.Allow {
|
if authz.AgentWrite(s.agent.config.NodeName, nil) != acl.Allow {
|
||||||
return nil, acl.ErrPermissionDenied
|
return nil, acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -509,11 +509,11 @@ func (s *HTTPHandlers) AgentJoin(resp http.ResponseWriter, req *http.Request) (i
|
|||||||
// Fetch the ACL token, if any, and enforce agent policy.
|
// Fetch the ACL token, if any, and enforce agent policy.
|
||||||
var token string
|
var token string
|
||||||
s.parseToken(req, &token)
|
s.parseToken(req, &token)
|
||||||
rule, err := s.agent.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
|
authz, err := s.agent.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
if rule.AgentWrite(s.agent.config.NodeName, nil) != acl.Allow {
|
if authz.AgentWrite(s.agent.config.NodeName, nil) != acl.Allow {
|
||||||
return nil, acl.ErrPermissionDenied
|
return nil, acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -541,11 +541,11 @@ func (s *HTTPHandlers) AgentLeave(resp http.ResponseWriter, req *http.Request) (
|
|||||||
// Fetch the ACL token, if any, and enforce agent policy.
|
// Fetch the ACL token, if any, and enforce agent policy.
|
||||||
var token string
|
var token string
|
||||||
s.parseToken(req, &token)
|
s.parseToken(req, &token)
|
||||||
rule, err := s.agent.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
|
authz, err := s.agent.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
if rule.AgentWrite(s.agent.config.NodeName, nil) != acl.Allow {
|
if authz.AgentWrite(s.agent.config.NodeName, nil) != acl.Allow {
|
||||||
return nil, acl.ErrPermissionDenied
|
return nil, acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -559,11 +559,11 @@ func (s *HTTPHandlers) AgentForceLeave(resp http.ResponseWriter, req *http.Reque
|
|||||||
// Fetch the ACL token, if any, and enforce agent policy.
|
// Fetch the ACL token, if any, and enforce agent policy.
|
||||||
var token string
|
var token string
|
||||||
s.parseToken(req, &token)
|
s.parseToken(req, &token)
|
||||||
rule, err := s.agent.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
|
authz, err := s.agent.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
if rule.OperatorWrite(nil) != acl.Allow {
|
if authz.OperatorWrite(nil) != acl.Allow {
|
||||||
return nil, acl.ErrPermissionDenied
|
return nil, acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1195,11 +1195,11 @@ func (s *HTTPHandlers) AgentNodeMaintenance(resp http.ResponseWriter, req *http.
|
|||||||
// Get the provided token, if any, and vet against any ACL policies.
|
// Get the provided token, if any, and vet against any ACL policies.
|
||||||
var token string
|
var token string
|
||||||
s.parseToken(req, &token)
|
s.parseToken(req, &token)
|
||||||
rule, err := s.agent.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
|
authz, err := s.agent.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
if rule.NodeWrite(s.agent.config.NodeName, nil) != acl.Allow {
|
if authz.NodeWrite(s.agent.config.NodeName, nil) != acl.Allow {
|
||||||
return nil, acl.ErrPermissionDenied
|
return nil, acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1216,11 +1216,11 @@ func (s *HTTPHandlers) AgentMonitor(resp http.ResponseWriter, req *http.Request)
|
|||||||
// Fetch the ACL token, if any, and enforce agent policy.
|
// Fetch the ACL token, if any, and enforce agent policy.
|
||||||
var token string
|
var token string
|
||||||
s.parseToken(req, &token)
|
s.parseToken(req, &token)
|
||||||
rule, err := s.agent.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
|
authz, err := s.agent.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
if rule.AgentRead(s.agent.config.NodeName, nil) != acl.Allow {
|
if authz.AgentRead(s.agent.config.NodeName, nil) != acl.Allow {
|
||||||
return nil, acl.ErrPermissionDenied
|
return nil, acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1295,11 +1295,11 @@ func (s *HTTPHandlers) AgentToken(resp http.ResponseWriter, req *http.Request) (
|
|||||||
// Fetch the ACL token, if any, and enforce agent policy.
|
// Fetch the ACL token, if any, and enforce agent policy.
|
||||||
var token string
|
var token string
|
||||||
s.parseToken(req, &token)
|
s.parseToken(req, &token)
|
||||||
rule, err := s.agent.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
|
authz, err := s.agent.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
if rule.AgentWrite(s.agent.config.NodeName, nil) != acl.Allow {
|
if authz.AgentWrite(s.agent.config.NodeName, nil) != acl.Allow {
|
||||||
return nil, acl.ErrPermissionDenied
|
return nil, acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1472,12 +1472,12 @@ func (s *HTTPHandlers) AgentHost(resp http.ResponseWriter, req *http.Request) (i
|
|||||||
// Fetch the ACL token, if any, and enforce agent policy.
|
// Fetch the ACL token, if any, and enforce agent policy.
|
||||||
var token string
|
var token string
|
||||||
s.parseToken(req, &token)
|
s.parseToken(req, &token)
|
||||||
rule, err := s.agent.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
|
authz, err := s.agent.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if rule.OperatorRead(nil) != acl.Allow {
|
if authz.OperatorRead(nil) != acl.Allow {
|
||||||
return nil, acl.ErrPermissionDenied
|
return nil, acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -167,9 +167,9 @@ func (a *ACL) Apply(args *structs.ACLRequest, reply *string) error {
|
|||||||
|
|
||||||
// Verify token is permitted to modify ACLs
|
// Verify token is permitted to modify ACLs
|
||||||
// NOTE: We will not support enterprise authorizer contexts with legacy ACLs
|
// NOTE: We will not support enterprise authorizer contexts with legacy ACLs
|
||||||
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
|
if authz, err := a.srv.ResolveToken(args.Token); err != nil {
|
||||||
return err
|
return err
|
||||||
} else if rule.ACLWrite(nil) != acl.Allow {
|
} else if authz.ACLWrite(nil) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -259,9 +259,9 @@ func (a *ACL) List(args *structs.DCSpecificRequest,
|
|||||||
// Verify token is permitted to list ACLs
|
// Verify token is permitted to list ACLs
|
||||||
// NOTES: Previously with legacy ACL there was no read-only ACL permissions
|
// NOTES: Previously with legacy ACL there was no read-only ACL permissions
|
||||||
// and this check for ACLWrite is basically what it did before.
|
// and this check for ACLWrite is basically what it did before.
|
||||||
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
|
if authz, err := a.srv.ResolveToken(args.Token); err != nil {
|
||||||
return err
|
return err
|
||||||
} else if rule.ACLWrite(nil) != acl.Allow {
|
} else if authz.ACLWrite(nil) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -61,11 +61,11 @@ func (s *ConnectCA) ConfigurationGet(
|
|||||||
}
|
}
|
||||||
|
|
||||||
// This action requires operator read access.
|
// This action requires operator read access.
|
||||||
rule, err := s.srv.ResolveToken(args.Token)
|
authz, err := s.srv.ResolveToken(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if rule.OperatorWrite(nil) != acl.Allow {
|
if authz.OperatorWrite(nil) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -93,11 +93,11 @@ func (s *ConnectCA) ConfigurationSet(
|
|||||||
}
|
}
|
||||||
|
|
||||||
// This action requires operator write access.
|
// This action requires operator write access.
|
||||||
rule, err := s.srv.ResolveToken(args.Token)
|
authz, err := s.srv.ResolveToken(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if rule.OperatorWrite(nil) != acl.Allow {
|
if authz.OperatorWrite(nil) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -158,7 +158,7 @@ func (s *ConnectCA) Sign(
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Verify that the ACL token provided has permission to act as this service
|
// Verify that the ACL token provided has permission to act as this service
|
||||||
rule, err := s.srv.ResolveToken(args.Token)
|
authz, err := s.srv.ResolveToken(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -175,7 +175,7 @@ func (s *ConnectCA) Sign(
|
|||||||
if isService {
|
if isService {
|
||||||
entMeta.Merge(serviceID.GetEnterpriseMeta())
|
entMeta.Merge(serviceID.GetEnterpriseMeta())
|
||||||
entMeta.FillAuthzContext(&authzContext)
|
entMeta.FillAuthzContext(&authzContext)
|
||||||
if rule.ServiceWrite(serviceID.Service, &authzContext) != acl.Allow {
|
if authz.ServiceWrite(serviceID.Service, &authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -188,7 +188,7 @@ func (s *ConnectCA) Sign(
|
|||||||
} else if isAgent {
|
} else if isAgent {
|
||||||
|
|
||||||
structs.DefaultEnterpriseMetaInDefaultPartition().FillAuthzContext(&authzContext)
|
structs.DefaultEnterpriseMetaInDefaultPartition().FillAuthzContext(&authzContext)
|
||||||
if rule.NodeWrite(agentID.Agent, &authzContext) != acl.Allow {
|
if authz.NodeWrite(agentID.Agent, &authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -220,11 +220,11 @@ func (s *ConnectCA) SignIntermediate(
|
|||||||
}
|
}
|
||||||
|
|
||||||
// This action requires operator write access.
|
// This action requires operator write access.
|
||||||
rule, err := s.srv.ResolveToken(args.Token)
|
authz, err := s.srv.ResolveToken(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if rule.OperatorWrite(nil) != acl.Allow {
|
if authz.OperatorWrite(nil) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -31,11 +31,11 @@ func (c *DiscoveryChain) Get(args *structs.DiscoveryChainRequest, reply *structs
|
|||||||
// Fetch the ACL token, if any.
|
// Fetch the ACL token, if any.
|
||||||
entMeta := args.GetEnterpriseMeta()
|
entMeta := args.GetEnterpriseMeta()
|
||||||
var authzContext acl.AuthorizerContext
|
var authzContext acl.AuthorizerContext
|
||||||
rule, err := c.srv.ResolveTokenAndDefaultMeta(args.Token, entMeta, &authzContext)
|
authz, err := c.srv.ResolveTokenAndDefaultMeta(args.Token, entMeta, &authzContext)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if rule.ServiceRead(args.Name, &authzContext) != acl.Allow {
|
if authz.ServiceRead(args.Name, &authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -59,11 +59,11 @@ func (c *FederationState) Apply(args *structs.FederationStateRequest, reply *boo
|
|||||||
defer metrics.MeasureSince([]string{"federation_state", "apply"}, time.Now())
|
defer metrics.MeasureSince([]string{"federation_state", "apply"}, time.Now())
|
||||||
|
|
||||||
// Fetch the ACL token, if any.
|
// Fetch the ACL token, if any.
|
||||||
rule, err := c.srv.ResolveToken(args.Token)
|
authz, err := c.srv.ResolveToken(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if rule.OperatorWrite(nil) != acl.Allow {
|
if authz.OperatorWrite(nil) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -105,11 +105,11 @@ func (c *FederationState) Get(args *structs.FederationStateQuery, reply *structs
|
|||||||
defer metrics.MeasureSince([]string{"federation_state", "get"}, time.Now())
|
defer metrics.MeasureSince([]string{"federation_state", "get"}, time.Now())
|
||||||
|
|
||||||
// Fetch the ACL token, if any.
|
// Fetch the ACL token, if any.
|
||||||
rule, err := c.srv.ResolveToken(args.Token)
|
authz, err := c.srv.ResolveToken(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if rule.OperatorRead(nil) != acl.Allow {
|
if authz.OperatorRead(nil) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -146,11 +146,11 @@ func (c *FederationState) List(args *structs.DCSpecificRequest, reply *structs.I
|
|||||||
defer metrics.MeasureSince([]string{"federation_state", "list"}, time.Now())
|
defer metrics.MeasureSince([]string{"federation_state", "list"}, time.Now())
|
||||||
|
|
||||||
// Fetch the ACL token, if any.
|
// Fetch the ACL token, if any.
|
||||||
rule, err := c.srv.ResolveToken(args.Token)
|
authz, err := c.srv.ResolveToken(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if rule.OperatorRead(nil) != acl.Allow {
|
if authz.OperatorRead(nil) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -399,12 +399,12 @@ func (m *Internal) EventFire(args *structs.EventFireRequest,
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Check ACLs
|
// Check ACLs
|
||||||
rule, err := m.srv.ResolveToken(args.Token)
|
authz, err := m.srv.ResolveToken(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if rule.EventWrite(args.Name, nil) != acl.Allow {
|
if authz.EventWrite(args.Name, nil) != acl.Allow {
|
||||||
accessorID := m.aclAccessorID(args.Token)
|
accessorID := m.aclAccessorID(args.Token)
|
||||||
m.logger.Warn("user event blocked by ACLs", "event", args.Name, "accessorID", accessorID)
|
m.logger.Warn("user event blocked by ACLs", "event", args.Name, "accessorID", accessorID)
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
@ -440,7 +440,7 @@ func (m *Internal) KeyringOperation(
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Check ACLs
|
// Check ACLs
|
||||||
identity, rule, err := m.srv.acls.ResolveTokenToIdentityAndAuthorizer(args.Token)
|
identity, authz, err := m.srv.acls.ResolveTokenToIdentityAndAuthorizer(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -449,7 +449,7 @@ func (m *Internal) KeyringOperation(
|
|||||||
}
|
}
|
||||||
switch args.Operation {
|
switch args.Operation {
|
||||||
case structs.KeyringList:
|
case structs.KeyringList:
|
||||||
if rule.KeyringRead(nil) != acl.Allow {
|
if authz.KeyringRead(nil) != acl.Allow {
|
||||||
return fmt.Errorf("Reading keyring denied by ACLs")
|
return fmt.Errorf("Reading keyring denied by ACLs")
|
||||||
}
|
}
|
||||||
case structs.KeyringInstall:
|
case structs.KeyringInstall:
|
||||||
@ -457,7 +457,7 @@ func (m *Internal) KeyringOperation(
|
|||||||
case structs.KeyringUse:
|
case structs.KeyringUse:
|
||||||
fallthrough
|
fallthrough
|
||||||
case structs.KeyringRemove:
|
case structs.KeyringRemove:
|
||||||
if rule.KeyringWrite(nil) != acl.Allow {
|
if authz.KeyringWrite(nil) != acl.Allow {
|
||||||
return fmt.Errorf("Modifying keyring denied due to ACLs")
|
return fmt.Errorf("Modifying keyring denied due to ACLs")
|
||||||
}
|
}
|
||||||
default:
|
default:
|
||||||
|
@ -17,14 +17,14 @@ func (op *Operator) AutopilotGetConfiguration(args *structs.DCSpecificRequest, r
|
|||||||
}
|
}
|
||||||
|
|
||||||
// This action requires operator read access.
|
// This action requires operator read access.
|
||||||
identity, rule, err := op.srv.acls.ResolveTokenToIdentityAndAuthorizer(args.Token)
|
identity, authz, err := op.srv.acls.ResolveTokenToIdentityAndAuthorizer(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := op.srv.validateEnterpriseToken(identity); err != nil {
|
if err := op.srv.validateEnterpriseToken(identity); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if rule.OperatorRead(nil) != acl.Allow {
|
if authz.OperatorRead(nil) != acl.Allow {
|
||||||
return acl.PermissionDenied("Missing operator:read permissions")
|
return acl.PermissionDenied("Missing operator:read permissions")
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -49,14 +49,14 @@ func (op *Operator) AutopilotSetConfiguration(args *structs.AutopilotSetConfigRe
|
|||||||
}
|
}
|
||||||
|
|
||||||
// This action requires operator write access.
|
// This action requires operator write access.
|
||||||
identity, rule, err := op.srv.acls.ResolveTokenToIdentityAndAuthorizer(args.Token)
|
identity, authz, err := op.srv.acls.ResolveTokenToIdentityAndAuthorizer(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := op.srv.validateEnterpriseToken(identity); err != nil {
|
if err := op.srv.validateEnterpriseToken(identity); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if rule.OperatorWrite(nil) != acl.Allow {
|
if authz.OperatorWrite(nil) != acl.Allow {
|
||||||
return acl.PermissionDenied("Missing operator:write permissions")
|
return acl.PermissionDenied("Missing operator:write permissions")
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -84,14 +84,14 @@ func (op *Operator) ServerHealth(args *structs.DCSpecificRequest, reply *structs
|
|||||||
}
|
}
|
||||||
|
|
||||||
// This action requires operator read access.
|
// This action requires operator read access.
|
||||||
identity, rule, err := op.srv.acls.ResolveTokenToIdentityAndAuthorizer(args.Token)
|
identity, authz, err := op.srv.acls.ResolveTokenToIdentityAndAuthorizer(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := op.srv.validateEnterpriseToken(identity); err != nil {
|
if err := op.srv.validateEnterpriseToken(identity); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if rule.OperatorRead(nil) != acl.Allow {
|
if authz.OperatorRead(nil) != acl.Allow {
|
||||||
return acl.PermissionDenied("Missing operator:read permissions")
|
return acl.PermissionDenied("Missing operator:read permissions")
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -151,14 +151,14 @@ func (op *Operator) AutopilotState(args *structs.DCSpecificRequest, reply *autop
|
|||||||
}
|
}
|
||||||
|
|
||||||
// This action requires operator read access.
|
// This action requires operator read access.
|
||||||
identity, rule, err := op.srv.acls.ResolveTokenToIdentityAndAuthorizer(args.Token)
|
identity, authz, err := op.srv.acls.ResolveTokenToIdentityAndAuthorizer(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := op.srv.validateEnterpriseToken(identity); err != nil {
|
if err := op.srv.validateEnterpriseToken(identity); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if rule.OperatorRead(nil) != acl.Allow {
|
if authz.OperatorRead(nil) != acl.Allow {
|
||||||
return acl.PermissionDenied("Missing operator:read permissions")
|
return acl.PermissionDenied("Missing operator:read permissions")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -19,11 +19,11 @@ func (op *Operator) RaftGetConfiguration(args *structs.DCSpecificRequest, reply
|
|||||||
}
|
}
|
||||||
|
|
||||||
// This action requires operator read access.
|
// This action requires operator read access.
|
||||||
rule, err := op.srv.ResolveToken(args.Token)
|
authz, err := op.srv.ResolveToken(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if rule.OperatorRead(nil) != acl.Allow {
|
if authz.OperatorRead(nil) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -81,14 +81,14 @@ func (op *Operator) RaftRemovePeerByAddress(args *structs.RaftRemovePeerRequest,
|
|||||||
|
|
||||||
// This is a super dangerous operation that requires operator write
|
// This is a super dangerous operation that requires operator write
|
||||||
// access.
|
// access.
|
||||||
identity, rule, err := op.srv.acls.ResolveTokenToIdentityAndAuthorizer(args.Token)
|
identity, authz, err := op.srv.acls.ResolveTokenToIdentityAndAuthorizer(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := op.srv.validateEnterpriseToken(identity); err != nil {
|
if err := op.srv.validateEnterpriseToken(identity); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if rule.OperatorWrite(nil) != acl.Allow {
|
if authz.OperatorWrite(nil) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -134,14 +134,14 @@ func (op *Operator) RaftRemovePeerByID(args *structs.RaftRemovePeerRequest, repl
|
|||||||
|
|
||||||
// This is a super dangerous operation that requires operator write
|
// This is a super dangerous operation that requires operator write
|
||||||
// access.
|
// access.
|
||||||
identity, rule, err := op.srv.acls.ResolveTokenToIdentityAndAuthorizer(args.Token)
|
identity, authz, err := op.srv.acls.ResolveTokenToIdentityAndAuthorizer(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := op.srv.validateEnterpriseToken(identity); err != nil {
|
if err := op.srv.validateEnterpriseToken(identity); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if rule.OperatorWrite(nil) != acl.Allow {
|
if authz.OperatorWrite(nil) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -77,7 +77,7 @@ func (p *PreparedQuery) Apply(args *structs.PreparedQueryRequest, reply *string)
|
|||||||
*reply = args.Query.ID
|
*reply = args.Query.ID
|
||||||
|
|
||||||
// Get the ACL token for the request for the checks below.
|
// Get the ACL token for the request for the checks below.
|
||||||
rule, err := p.srv.ResolveToken(args.Token)
|
authz, err := p.srv.ResolveToken(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -86,7 +86,7 @@ func (p *PreparedQuery) Apply(args *structs.PreparedQueryRequest, reply *string)
|
|||||||
// need to make sure they have write access for whatever they are
|
// need to make sure they have write access for whatever they are
|
||||||
// proposing.
|
// proposing.
|
||||||
if prefix, ok := args.Query.GetACLPrefix(); ok {
|
if prefix, ok := args.Query.GetACLPrefix(); ok {
|
||||||
if rule.PreparedQueryWrite(prefix, nil) != acl.Allow {
|
if authz.PreparedQueryWrite(prefix, nil) != acl.Allow {
|
||||||
p.logger.Warn("Operation on prepared query denied due to ACLs", "query", args.Query.ID)
|
p.logger.Warn("Operation on prepared query denied due to ACLs", "query", args.Query.ID)
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
@ -106,7 +106,7 @@ func (p *PreparedQuery) Apply(args *structs.PreparedQueryRequest, reply *string)
|
|||||||
}
|
}
|
||||||
|
|
||||||
if prefix, ok := query.GetACLPrefix(); ok {
|
if prefix, ok := query.GetACLPrefix(); ok {
|
||||||
if rule.PreparedQueryWrite(prefix, nil) != acl.Allow {
|
if authz.PreparedQueryWrite(prefix, nil) != acl.Allow {
|
||||||
p.logger.Warn("Operation on prepared query denied due to ACLs", "query", args.Query.ID)
|
p.logger.Warn("Operation on prepared query denied due to ACLs", "query", args.Query.ID)
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
@ -60,9 +60,9 @@ func (s *Server) dispatchSnapshotRequest(args *structs.SnapshotRequest, in io.Re
|
|||||||
// Verify token is allowed to operate on snapshots. There's only a
|
// Verify token is allowed to operate on snapshots. There's only a
|
||||||
// single ACL sense here (not read and write) since reading gets you
|
// single ACL sense here (not read and write) since reading gets you
|
||||||
// all the ACLs and you could escalate from there.
|
// all the ACLs and you could escalate from there.
|
||||||
if rule, err := s.ResolveToken(args.Token); err != nil {
|
if authz, err := s.ResolveToken(args.Token); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
} else if rule.Snapshot(nil) != acl.Allow {
|
} else if authz.Snapshot(nil) != acl.Allow {
|
||||||
return nil, acl.ErrPermissionDenied
|
return nil, acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -146,11 +146,11 @@ func (t *Txn) Apply(args *structs.TxnRequest, reply *structs.TxnResponse) error
|
|||||||
defer metrics.MeasureSince([]string{"txn", "apply"}, time.Now())
|
defer metrics.MeasureSince([]string{"txn", "apply"}, time.Now())
|
||||||
|
|
||||||
// Run the pre-checks before we send the transaction into Raft.
|
// Run the pre-checks before we send the transaction into Raft.
|
||||||
authorizer, err := t.srv.ResolveToken(args.Token)
|
authz, err := t.srv.ResolveToken(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
reply.Errors = t.preCheck(authorizer, args.Ops)
|
reply.Errors = t.preCheck(authz, args.Ops)
|
||||||
if len(reply.Errors) > 0 {
|
if len(reply.Errors) > 0 {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
@ -164,9 +164,7 @@ func (t *Txn) Apply(args *structs.TxnRequest, reply *structs.TxnResponse) error
|
|||||||
// Convert the return type. This should be a cheap copy since we are
|
// Convert the return type. This should be a cheap copy since we are
|
||||||
// just taking the two slices.
|
// just taking the two slices.
|
||||||
if txnResp, ok := resp.(structs.TxnResponse); ok {
|
if txnResp, ok := resp.(structs.TxnResponse); ok {
|
||||||
if authorizer != nil {
|
txnResp.Results = FilterTxnResults(authz, txnResp.Results)
|
||||||
txnResp.Results = FilterTxnResults(authorizer, txnResp.Results)
|
|
||||||
}
|
|
||||||
*reply = txnResp
|
*reply = txnResp
|
||||||
} else {
|
} else {
|
||||||
return fmt.Errorf("unexpected return type %T", resp)
|
return fmt.Errorf("unexpected return type %T", resp)
|
||||||
@ -193,11 +191,11 @@ func (t *Txn) Read(args *structs.TxnReadRequest, reply *structs.TxnReadResponse)
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Run the pre-checks before we perform the read.
|
// Run the pre-checks before we perform the read.
|
||||||
authorizer, err := t.srv.ResolveToken(args.Token)
|
authz, err := t.srv.ResolveToken(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
reply.Errors = t.preCheck(authorizer, args.Ops)
|
reply.Errors = t.preCheck(authz, args.Ops)
|
||||||
if len(reply.Errors) > 0 {
|
if len(reply.Errors) > 0 {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
@ -205,8 +203,6 @@ func (t *Txn) Read(args *structs.TxnReadRequest, reply *structs.TxnReadResponse)
|
|||||||
// Run the read transaction.
|
// Run the read transaction.
|
||||||
state := t.srv.fsm.State()
|
state := t.srv.fsm.State()
|
||||||
reply.Results, reply.Errors = state.TxnRO(args.Ops)
|
reply.Results, reply.Errors = state.TxnRO(args.Ops)
|
||||||
if authorizer != nil {
|
reply.Results = FilterTxnResults(authz, reply.Results)
|
||||||
reply.Results = FilterTxnResults(authorizer, reply.Results)
|
|
||||||
}
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
@ -245,7 +245,7 @@ func (s *HTTPHandlers) handler(enableDebug bool) http.Handler {
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
rule, err := s.agent.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
|
authz, err := s.agent.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
resp.WriteHeader(http.StatusForbidden)
|
resp.WriteHeader(http.StatusForbidden)
|
||||||
return
|
return
|
||||||
@ -253,7 +253,7 @@ func (s *HTTPHandlers) handler(enableDebug bool) http.Handler {
|
|||||||
|
|
||||||
// If the token provided does not have the necessary permissions,
|
// If the token provided does not have the necessary permissions,
|
||||||
// write a forbidden response
|
// write a forbidden response
|
||||||
if rule.OperatorRead(nil) != acl.Allow {
|
if authz.OperatorRead(nil) != acl.Allow {
|
||||||
resp.WriteHeader(http.StatusForbidden)
|
resp.WriteHeader(http.StatusForbidden)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -246,12 +246,12 @@ func isValidHTTPMethod(method string) bool {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (e *ServiceRouterConfigEntry) CanRead(rule acl.Authorizer) bool {
|
func (e *ServiceRouterConfigEntry) CanRead(authz acl.Authorizer) bool {
|
||||||
return canReadDiscoveryChain(e, rule)
|
return canReadDiscoveryChain(e, authz)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (e *ServiceRouterConfigEntry) CanWrite(rule acl.Authorizer) bool {
|
func (e *ServiceRouterConfigEntry) CanWrite(authz acl.Authorizer) bool {
|
||||||
return canWriteDiscoveryChain(e, rule)
|
return canWriteDiscoveryChain(e, authz)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (e *ServiceRouterConfigEntry) GetRaftIndex() *RaftIndex {
|
func (e *ServiceRouterConfigEntry) GetRaftIndex() *RaftIndex {
|
||||||
@ -580,12 +580,12 @@ func scaleWeight(v float32) int {
|
|||||||
return int(math.Round(float64(v * 100.0)))
|
return int(math.Round(float64(v * 100.0)))
|
||||||
}
|
}
|
||||||
|
|
||||||
func (e *ServiceSplitterConfigEntry) CanRead(rule acl.Authorizer) bool {
|
func (e *ServiceSplitterConfigEntry) CanRead(authz acl.Authorizer) bool {
|
||||||
return canReadDiscoveryChain(e, rule)
|
return canReadDiscoveryChain(e, authz)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (e *ServiceSplitterConfigEntry) CanWrite(rule acl.Authorizer) bool {
|
func (e *ServiceSplitterConfigEntry) CanWrite(authz acl.Authorizer) bool {
|
||||||
return canWriteDiscoveryChain(e, rule)
|
return canWriteDiscoveryChain(e, authz)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (e *ServiceSplitterConfigEntry) GetRaftIndex() *RaftIndex {
|
func (e *ServiceSplitterConfigEntry) GetRaftIndex() *RaftIndex {
|
||||||
@ -955,12 +955,12 @@ func (e *ServiceResolverConfigEntry) Validate() error {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (e *ServiceResolverConfigEntry) CanRead(rule acl.Authorizer) bool {
|
func (e *ServiceResolverConfigEntry) CanRead(authz acl.Authorizer) bool {
|
||||||
return canReadDiscoveryChain(e, rule)
|
return canReadDiscoveryChain(e, authz)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (e *ServiceResolverConfigEntry) CanWrite(rule acl.Authorizer) bool {
|
func (e *ServiceResolverConfigEntry) CanWrite(authz acl.Authorizer) bool {
|
||||||
return canWriteDiscoveryChain(e, rule)
|
return canWriteDiscoveryChain(e, authz)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (e *ServiceResolverConfigEntry) GetRaftIndex() *RaftIndex {
|
func (e *ServiceResolverConfigEntry) GetRaftIndex() *RaftIndex {
|
||||||
@ -1191,7 +1191,7 @@ func canReadDiscoveryChain(entry discoveryChainConfigEntry, authz acl.Authorizer
|
|||||||
return authz.ServiceRead(entry.GetName(), &authzContext) == acl.Allow
|
return authz.ServiceRead(entry.GetName(), &authzContext) == acl.Allow
|
||||||
}
|
}
|
||||||
|
|
||||||
func canWriteDiscoveryChain(entry discoveryChainConfigEntry, rule acl.Authorizer) bool {
|
func canWriteDiscoveryChain(entry discoveryChainConfigEntry, authz acl.Authorizer) bool {
|
||||||
entryID := NewServiceID(entry.GetName(), entry.GetEnterpriseMeta())
|
entryID := NewServiceID(entry.GetName(), entry.GetEnterpriseMeta())
|
||||||
|
|
||||||
var authzContext acl.AuthorizerContext
|
var authzContext acl.AuthorizerContext
|
||||||
@ -1199,7 +1199,7 @@ func canWriteDiscoveryChain(entry discoveryChainConfigEntry, rule acl.Authorizer
|
|||||||
|
|
||||||
name := entry.GetName()
|
name := entry.GetName()
|
||||||
|
|
||||||
if rule.ServiceWrite(name, &authzContext) != acl.Allow {
|
if authz.ServiceWrite(name, &authzContext) != acl.Allow {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1211,7 +1211,7 @@ func canWriteDiscoveryChain(entry discoveryChainConfigEntry, rule acl.Authorizer
|
|||||||
svc.FillAuthzContext(&authzContext)
|
svc.FillAuthzContext(&authzContext)
|
||||||
// You only need read on related services to redirect traffic flow for
|
// You only need read on related services to redirect traffic flow for
|
||||||
// your own service.
|
// your own service.
|
||||||
if rule.ServiceRead(svc.ID, &authzContext) != acl.Allow {
|
if authz.ServiceRead(svc.ID, &authzContext) != acl.Allow {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -569,7 +569,7 @@ func (s *Server) checkStreamACLs(streamCtx context.Context, cfgSnap *proxycfg.Co
|
|||||||
return status.Errorf(codes.Unauthenticated, "unauthenticated: no config snapshot")
|
return status.Errorf(codes.Unauthenticated, "unauthenticated: no config snapshot")
|
||||||
}
|
}
|
||||||
|
|
||||||
rule, err := s.ResolveToken(tokenFromContext(streamCtx))
|
authz, err := s.ResolveToken(tokenFromContext(streamCtx))
|
||||||
|
|
||||||
if acl.IsErrNotFound(err) {
|
if acl.IsErrNotFound(err) {
|
||||||
return status.Errorf(codes.Unauthenticated, "unauthenticated: %v", err)
|
return status.Errorf(codes.Unauthenticated, "unauthenticated: %v", err)
|
||||||
@ -583,12 +583,12 @@ func (s *Server) checkStreamACLs(streamCtx context.Context, cfgSnap *proxycfg.Co
|
|||||||
switch cfgSnap.Kind {
|
switch cfgSnap.Kind {
|
||||||
case structs.ServiceKindConnectProxy:
|
case structs.ServiceKindConnectProxy:
|
||||||
cfgSnap.ProxyID.EnterpriseMeta.FillAuthzContext(&authzContext)
|
cfgSnap.ProxyID.EnterpriseMeta.FillAuthzContext(&authzContext)
|
||||||
if rule.ServiceWrite(cfgSnap.Proxy.DestinationServiceName, &authzContext) != acl.Allow {
|
if authz.ServiceWrite(cfgSnap.Proxy.DestinationServiceName, &authzContext) != acl.Allow {
|
||||||
return status.Errorf(codes.PermissionDenied, "permission denied")
|
return status.Errorf(codes.PermissionDenied, "permission denied")
|
||||||
}
|
}
|
||||||
case structs.ServiceKindMeshGateway, structs.ServiceKindTerminatingGateway, structs.ServiceKindIngressGateway:
|
case structs.ServiceKindMeshGateway, structs.ServiceKindTerminatingGateway, structs.ServiceKindIngressGateway:
|
||||||
cfgSnap.ProxyID.EnterpriseMeta.FillAuthzContext(&authzContext)
|
cfgSnap.ProxyID.EnterpriseMeta.FillAuthzContext(&authzContext)
|
||||||
if rule.ServiceWrite(cfgSnap.Service, &authzContext) != acl.Allow {
|
if authz.ServiceWrite(cfgSnap.Service, &authzContext) != acl.Allow {
|
||||||
return status.Errorf(codes.PermissionDenied, "permission denied")
|
return status.Errorf(codes.PermissionDenied, "permission denied")
|
||||||
}
|
}
|
||||||
default:
|
default:
|
||||||
|
Loading…
x
Reference in New Issue
Block a user