PreVerify acl:read access for listing endpoints (#6696)

We still will need to filter results based on the authorizer too but this helps to give an early 403.
This commit is contained in:
Matt Keeler 2019-10-30 09:10:11 -04:00 committed by GitHub
parent 78ad8203a4
commit 8ac79d0b8b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 20 additions and 5 deletions

View File

@ -807,10 +807,13 @@ func (a *ACL) TokenList(args *structs.ACLTokenListRequest, reply *structs.ACLTok
return err
}
var entCtx acl.EnterpriseAuthorizerContext
args.FillAuthzContext(&entCtx)
rule, err := a.srv.ResolveToken(args.Token)
if err != nil {
return err
} else if rule == nil {
} else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
return acl.ErrPermissionDenied
}
@ -1157,10 +1160,13 @@ func (a *ACL) PolicyList(args *structs.ACLPolicyListRequest, reply *structs.ACLP
return err
}
var entCtx acl.EnterpriseAuthorizerContext
args.FillAuthzContext(&entCtx)
rule, err := a.srv.ResolveToken(args.Token)
if err != nil {
return err
} else if rule == nil {
} else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
return acl.ErrPermissionDenied
}
@ -1573,10 +1579,13 @@ func (a *ACL) RoleList(args *structs.ACLRoleListRequest, reply *structs.ACLRoleL
return err
}
var entCtx acl.EnterpriseAuthorizerContext
args.FillAuthzContext(&entCtx)
rule, err := a.srv.ResolveToken(args.Token)
if err != nil {
return err
} else if rule == nil {
} else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
return acl.ErrPermissionDenied
}
@ -1867,10 +1876,13 @@ func (a *ACL) BindingRuleList(args *structs.ACLBindingRuleListRequest, reply *st
return err
}
var entCtx acl.EnterpriseAuthorizerContext
args.FillAuthzContext(&entCtx)
rule, err := a.srv.ResolveToken(args.Token)
if err != nil {
return err
} else if rule == nil {
} else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
return acl.ErrPermissionDenied
}
@ -2073,10 +2085,13 @@ func (a *ACL) AuthMethodList(args *structs.ACLAuthMethodListRequest, reply *stru
return err
}
var entCtx acl.EnterpriseAuthorizerContext
args.FillAuthzContext(&entCtx)
rule, err := a.srv.ResolveToken(args.Token)
if err != nil {
return err
} else if rule == nil {
} else if rule == nil || rule.ACLRead(&entCtx) != acl.Allow {
return acl.ErrPermissionDenied
}