PreVerify acl:read access for listing endpoints (#6696)

We will still need to filter results based on the authorizer, but this helps to give an early 403.
Matt Keeler 2019-10-30 09:10:11 -04:00 committed by GitHub
parent 78ad8203a4
commit 8ac79d0b8b
1 changed files with 20 additions and 5 deletions


@ -807,10 +807,13 @@ func (a *ACL) TokenList(args *structs.ACLTokenListRequest, reply *structs.ACLTok
return err return err
} }
var entCtx acl.EnterpriseAuthorizerContext
args.FillAuthzContext(&entCtx)
rule, err := a.srv.ResolveToken(args.Token) rule, err := a.srv.ResolveToken(args.Token)
if err != nil { if err != nil {
return err return err
} else if rule == nil { } else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
return acl.ErrPermissionDenied return acl.ErrPermissionDenied
} }
@ -1157,10 +1160,13 @@ func (a *ACL) PolicyList(args *structs.ACLPolicyListRequest, reply *structs.ACLP
return err return err
} }
var entCtx acl.EnterpriseAuthorizerContext
args.FillAuthzContext(&entCtx)
rule, err := a.srv.ResolveToken(args.Token) rule, err := a.srv.ResolveToken(args.Token)
if err != nil { if err != nil {
return err return err
} else if rule == nil { } else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
return acl.ErrPermissionDenied return acl.ErrPermissionDenied
} }
@ -1573,10 +1579,13 @@ func (a *ACL) RoleList(args *structs.ACLRoleListRequest, reply *structs.ACLRoleL
return err return err
} }
var entCtx acl.EnterpriseAuthorizerContext
args.FillAuthzContext(&entCtx)
rule, err := a.srv.ResolveToken(args.Token) rule, err := a.srv.ResolveToken(args.Token)
if err != nil { if err != nil {
return err return err
} else if rule == nil { } else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
return acl.ErrPermissionDenied return acl.ErrPermissionDenied
} }
@ -1867,10 +1876,13 @@ func (a *ACL) BindingRuleList(args *structs.ACLBindingRuleListRequest, reply *st
return err return err
} }
var entCtx acl.EnterpriseAuthorizerContext
args.FillAuthzContext(&entCtx)
rule, err := a.srv.ResolveToken(args.Token) rule, err := a.srv.ResolveToken(args.Token)
if err != nil { if err != nil {
return err return err
} else if rule == nil { } else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
return acl.ErrPermissionDenied return acl.ErrPermissionDenied
} }
@ -2073,10 +2085,13 @@ func (a *ACL) AuthMethodList(args *structs.ACLAuthMethodListRequest, reply *stru
return err return err
} }
var entCtx acl.EnterpriseAuthorizerContext
args.FillAuthzContext(&entCtx)
rule, err := a.srv.ResolveToken(args.Token) rule, err := a.srv.ResolveToken(args.Token)
if err != nil { if err != nil {
return err return err
} else if rule == nil { } else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
return acl.ErrPermissionDenied return acl.ErrPermissionDenied
} }
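Review bot: The same six-line pre-check (the entCtx declaration, FillAuthzContext, ResolveToken and the `rule == nil || rule.ACLRead(&entCtx) != acl.Allow` test) is pasted verbatim into TokenList, PolicyList, RoleList, BindingRuleList and AuthMethodList; a single helper on *ACL would keep the authorization decision in one place so that the per-item filtering the description says is still pending, or any later tightening of the check, cannot be applied to four endpoints and missed on the fifth. Each List function begins before and ends after its hunk, so I cannot see whether `rule` is used further down; the call site would become `rule, err := a.requireACLRead(args.Token, args)` followed by the usual `if err != nil { return err }`, and the helper returns whatever ResolveToken returns (acl.Authorizer, if I recall the signature correctly). The `!= acl.Allow` comparison is the right fail-closed form and should be preserved in the helper rather than relaxed to a Deny check. Since the diffstat shows only this file changed, there is no test exercising the new denial path; one case per endpoint where a token lacking acl:read in the request's namespace receives acl.ErrPermissionDenied would pin the early 403 this commit introduces.
```go
// authzContextFiller is satisfied by each ACL*ListRequest type in this file;
// all five call sites invoke args.FillAuthzContext(&entCtx).
type authzContextFiller interface {
	FillAuthzContext(*acl.EnterpriseAuthorizerContext)
}

// requireACLRead resolves token and fails closed unless the resulting
// authorizer grants acl:read in the request's enterprise context.
// A nil authorizer or any result other than acl.Allow yields ErrPermissionDenied.
func (a *ACL) requireACLRead(token string, args authzContextFiller) (acl.Authorizer, error) {
	var entCtx acl.EnterpriseAuthorizerContext
	args.FillAuthzContext(&entCtx)

	rule, err := a.srv.ResolveToken(token)
	if err != nil {
		return nil, err
	}
	if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
		return nil, acl.ErrPermissionDenied
	}
	return rule, nil
}

// … in each List endpoint, replacing the duplicated block …
rule, err := a.requireACLRead(args.Token, args)
if err != nil {
	return err
}
// … unchanged: remainder of the List endpoint body …
```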