acl: Remove the remaining authz == nil checks

These checks were a bit more involved: they previously skipped some code paths
when the authorizer was nil. After looking through them, removing the
authz == nil check appears correct, since it will never evaluate to true.
Daniel Nephin 2021-07-30 14:55:35 -04:00
parent dc50b36b0f
commit 8cf1aa1bda
8 changed files with 85 additions and 113 deletions


@ -200,8 +200,6 @@ func (c *Catalog) Register(args *structs.RegisterRequest, reply *struct{}) error
} }
// Check the complete register request against the given ACL policy. // Check the complete register request against the given ACL policy.
if authz != nil {
state := c.srv.fsm.State()
_, ns, err := state.NodeServices(nil, args.Node, entMeta) _, ns, err := state.NodeServices(nil, args.Node, entMeta)
if err != nil { if err != nil {
return fmt.Errorf("Node lookup failed: %v", err) return fmt.Errorf("Node lookup failed: %v", err)
@ -209,7 +207,6 @@ func (c *Catalog) Register(args *structs.RegisterRequest, reply *struct{}) error
if err := vetRegisterWithACL(authz, args, ns); err != nil { if err := vetRegisterWithACL(authz, args, ns); err != nil {
return err return err
} }
}
_, err = c.srv.raftApply(structs.RegisterRequestType, args) _, err = c.srv.raftApply(structs.RegisterRequestType, args)
return err return err
@ -238,7 +235,6 @@ func (c *Catalog) Deregister(args *structs.DeregisterRequest, reply *struct{}) e
} }
// Check the complete deregister request against the given ACL policy. // Check the complete deregister request against the given ACL policy.
if authz != nil {
state := c.srv.fsm.State() state := c.srv.fsm.State()
var ns *structs.NodeService var ns *structs.NodeService
@ -261,8 +257,6 @@ func (c *Catalog) Deregister(args *structs.DeregisterRequest, reply *struct{}) e
return err return err
} }
}
_, err = c.srv.raftApply(structs.DeregisterRequestType, args) _, err = c.srv.raftApply(structs.DeregisterRequestType, args)
return err return err
} }
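Review bot: The `_, ns, err := state.NodeServices(nil, args.Node, entMeta)` and `vetRegisterWithACL(authz, args, ns)` calls in Register now run unconditionally, so correctness rests on `authz` never being nil, an invariant that this page records only in the commit message. Where `authz` is resolved above the hunk (outside it, as are the starts of Register and Deregister) a one-line comment such as `// authz is never nil: the token resolver returns an authorizer even when ACLs are disabled` would keep the next maintainer from re-adding the guard or relying on a nil path. The same invariant now carries the Coordinate, Intention, Internal, KVS, Session, event and UI hunks, where a nil `authz` would be a method call on a nil interface (for example `authz.NodeWrite` in Coordinate.Update) rather than a skipped check, which fails closed but as a panic. Stating it once where the authorizer is produced is preferable to repeating it at each call site.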


@ -142,13 +142,11 @@ func (c *Coordinate) Update(args *structs.CoordinateUpdateRequest, reply *struct
if err != nil { if err != nil {
return err return err
} }
if authz != nil {
var authzContext acl.AuthorizerContext var authzContext acl.AuthorizerContext
structs.DefaultEnterpriseMetaInDefaultPartition().FillAuthzContext(&authzContext) structs.DefaultEnterpriseMetaInDefaultPartition().FillAuthzContext(&authzContext)
if authz.NodeWrite(args.Node, &authzContext) != acl.Allow { if authz.NodeWrite(args.Node, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied return acl.ErrPermissionDenied
} }
}
// Add the coordinate to the map of pending updates. // Add the coordinate to the map of pending updates.
key := fmt.Sprintf("%s:%s", args.Node, args.Segment) key := fmt.Sprintf("%s:%s", args.Node, args.Segment)
@ -226,13 +224,11 @@ func (c *Coordinate) Node(args *structs.NodeSpecificRequest, reply *structs.Inde
if err != nil { if err != nil {
return err return err
} }
if authz != nil {
var authzContext acl.AuthorizerContext var authzContext acl.AuthorizerContext
structs.WildcardEnterpriseMetaInDefaultPartition().FillAuthzContext(&authzContext) structs.WildcardEnterpriseMetaInDefaultPartition().FillAuthzContext(&authzContext)
if authz.NodeRead(args.Node, &authzContext) != acl.Allow { if authz.NodeRead(args.Node, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied return acl.ErrPermissionDenied
} }
}
return c.srv.blockingQuery(&args.QueryOptions, return c.srv.blockingQuery(&args.QueryOptions,
&reply.QueryMeta, &reply.QueryMeta,


@ -593,7 +593,6 @@ func (s *Intention) Match(args *structs.IntentionQueryRequest, reply *structs.In
} }
} }
if authz != nil {
var authzContext acl.AuthorizerContext var authzContext acl.AuthorizerContext
// Go through each entry to ensure we have intention:read for the resource. // Go through each entry to ensure we have intention:read for the resource.
@ -612,7 +611,6 @@ func (s *Intention) Match(args *structs.IntentionQueryRequest, reply *structs.In
return acl.ErrPermissionDenied return acl.ErrPermissionDenied
} }
} }
}
return s.srv.blockingQuery( return s.srv.blockingQuery(
&args.QueryOptions, &args.QueryOptions,
@ -710,10 +708,7 @@ func (s *Intention) Check(args *structs.IntentionQueryRequest, reply *structs.In
// NOTE(mitchellh): This is the same behavior as the agent authorize // NOTE(mitchellh): This is the same behavior as the agent authorize
// endpoint. If this behavior is incorrect, we should also change it there // endpoint. If this behavior is incorrect, we should also change it there
// which is much more important. // which is much more important.
defaultDecision := acl.Allow defaultDecision := authz.IntentionDefaultAllow(nil)
if authz != nil {
defaultDecision = authz.IntentionDefaultAllow(nil)
}
state := s.srv.fsm.State() state := s.srv.fsm.State()


@ -169,10 +169,7 @@ func (m *Internal) ServiceTopology(args *structs.ServiceSpecificRequest, reply *
&args.QueryOptions, &args.QueryOptions,
&reply.QueryMeta, &reply.QueryMeta,
func(ws memdb.WatchSet, state *state.Store) error { func(ws memdb.WatchSet, state *state.Store) error {
defaultAllow := acl.Allow defaultAllow := authz.IntentionDefaultAllow(nil)
if authz != nil {
defaultAllow = authz.IntentionDefaultAllow(nil)
}
index, topology, err := state.ServiceTopology(ws, args.Datacenter, args.ServiceName, args.ServiceKind, defaultAllow, &args.EnterpriseMeta) index, topology, err := state.ServiceTopology(ws, args.Datacenter, args.ServiceName, args.ServiceKind, defaultAllow, &args.EnterpriseMeta)
if err != nil { if err != nil {
@ -216,10 +213,7 @@ func (m *Internal) IntentionUpstreams(args *structs.ServiceSpecificRequest, repl
&args.QueryOptions, &args.QueryOptions,
&reply.QueryMeta, &reply.QueryMeta,
func(ws memdb.WatchSet, state *state.Store) error { func(ws memdb.WatchSet, state *state.Store) error {
defaultDecision := acl.Allow defaultDecision := authz.IntentionDefaultAllow(nil)
if authz != nil {
defaultDecision = authz.IntentionDefaultAllow(nil)
}
sn := structs.NewServiceName(args.ServiceName, &args.EnterpriseMeta) sn := structs.NewServiceName(args.ServiceName, &args.EnterpriseMeta)
index, services, err := state.IntentionTopology(ws, sn, false, defaultDecision) index, services, err := state.IntentionTopology(ws, sn, false, defaultDecision)
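Review bot: `defaultDecision := authz.IntentionDefaultAllow(nil)` is evaluated inside the blockingQuery callback, so it is recomputed on every re-evaluation of the blocking query even though `authz` is fixed for the request; the same holds for `defaultAllow` in the ServiceTopology hunk above. Both could be computed once before the blockingQuery call and captured by the closure, keeping the callback to the state-dependent work. Whether the repeated call costs anything depends on the authorizer implementation, which is not visible here, so this is a point of style rather than a defect. Both enclosing functions start outside their hunks.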


@ -263,9 +263,7 @@ func (k *KVS) ListKeys(args *structs.KeyListRequest, reply *structs.IndexedKeyLi
reply.Index = index reply.Index = index
} }
if authz != nil {
entries = FilterDirEnt(authz, entries) entries = FilterDirEnt(authz, entries)
}
// Collect the keys from the filtered entries // Collect the keys from the filtered entries
prefixLen := len(args.Prefix) prefixLen := len(args.Prefix)


@ -72,7 +72,6 @@ func (s *Session) Apply(args *structs.SessionRequest, reply *string) error {
return err return err
} }
if authz != nil {
switch args.Op { switch args.Op {
case structs.SessionDestroy: case structs.SessionDestroy:
state := s.srv.fsm.State() state := s.srv.fsm.State()
@ -95,7 +94,6 @@ func (s *Session) Apply(args *structs.SessionRequest, reply *string) error {
default: default:
return fmt.Errorf("Invalid session operation %q", args.Op) return fmt.Errorf("Invalid session operation %q", args.Op)
} }
}
// Ensure that the specified behavior is allowed // Ensure that the specified behavior is allowed
switch args.Session.Behavior { switch args.Session.Behavior {


@ -128,7 +128,6 @@ RUN_QUERY:
events := s.agent.UserEvents() events := s.agent.UserEvents()
// Filter the events using the ACL, if present // Filter the events using the ACL, if present
if authz != nil {
for i := 0; i < len(events); i++ { for i := 0; i < len(events); i++ {
name := events[i].Name name := events[i].Name
if authz.EventRead(name, nil) == acl.Allow { if authz.EventRead(name, nil) == acl.Allow {
@ -138,7 +137,6 @@ RUN_QUERY:
events = append(events[:i], events[i+1:]...) events = append(events[:i], events[i+1:]...)
i-- i--
} }
}
// Filter the events if requested // Filter the events if requested
if nameFilter != "" { if nameFilter != "" {
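Review bot: The comment `// Filter the events using the ACL, if present` now describes a condition that no longer exists, since the `if authz != nil` guard is gone and the loop always runs; it should read `// Drop the events the token is not allowed to read` or similar. The in-place removal `events = append(events[:i], events[i+1:]...)` shifts elements within the backing array of the slice returned by `s.agent.UserEvents()`; this is pre-existing, but if that slice aliases agent state rather than being a copy, the filter mutates it, which is worth confirming now that the loop is unconditional. The enclosing handler starts outside the hunk.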


@ -9,12 +9,13 @@ import (
"sort" "sort"
"strings" "strings"
"github.com/hashicorp/go-hclog"
"github.com/hashicorp/consul/acl" "github.com/hashicorp/consul/acl"
"github.com/hashicorp/consul/agent/config" "github.com/hashicorp/consul/agent/config"
"github.com/hashicorp/consul/agent/structs" "github.com/hashicorp/consul/agent/structs"
"github.com/hashicorp/consul/api" "github.com/hashicorp/consul/api"
"github.com/hashicorp/consul/logging" "github.com/hashicorp/consul/logging"
"github.com/hashicorp/go-hclog"
) )
// ServiceSummary is used to summarize a service // ServiceSummary is used to summarize a service
@ -607,7 +608,6 @@ func (s *HTTPHandlers) UIMetricsProxy(resp http.ResponseWriter, req *http.Reques
return nil, err return nil, err
} }
if authz != nil {
// This endpoint requires wildcard read on all services and all nodes. // This endpoint requires wildcard read on all services and all nodes.
// //
// In enterprise it requires this _in all namespaces_ too. // In enterprise it requires this _in all namespaces_ too.
@ -618,7 +618,6 @@ func (s *HTTPHandlers) UIMetricsProxy(resp http.ResponseWriter, req *http.Reques
if authz.NodeReadAll(&authzContext) != acl.Allow || authz.ServiceReadAll(&authzContext) != acl.Allow { if authz.NodeReadAll(&authzContext) != acl.Allow || authz.ServiceReadAll(&authzContext) != acl.Allow {
return nil, acl.ErrPermissionDenied return nil, acl.ErrPermissionDenied
} }
}
log := s.agent.logger.Named(logging.UIMetricsProxy) log := s.agent.logger.Named(logging.UIMetricsProxy)