acl: Remove the remaining authz == nil checks
These checks were a bit more involved. They were previously skipping some code paths when the authorizer was nil. After looking through these, it seems correct to remove the authz == nil check, since it will never evaluate to true.
This commit is contained in:
parent
dc50b36b0f
commit
8cf1aa1bda
@ -200,8 +200,6 @@ func (c *Catalog) Register(args *structs.RegisterRequest, reply *struct{}) error
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Check the complete register request against the given ACL policy.
|
// Check the complete register request against the given ACL policy.
|
||||||
if authz != nil {
|
|
||||||
state := c.srv.fsm.State()
|
|
||||||
_, ns, err := state.NodeServices(nil, args.Node, entMeta)
|
_, ns, err := state.NodeServices(nil, args.Node, entMeta)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("Node lookup failed: %v", err)
|
return fmt.Errorf("Node lookup failed: %v", err)
|
||||||
@ -209,7 +207,6 @@ func (c *Catalog) Register(args *structs.RegisterRequest, reply *struct{}) error
|
|||||||
if err := vetRegisterWithACL(authz, args, ns); err != nil {
|
if err := vetRegisterWithACL(authz, args, ns); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
_, err = c.srv.raftApply(structs.RegisterRequestType, args)
|
_, err = c.srv.raftApply(structs.RegisterRequestType, args)
|
||||||
return err
|
return err
|
||||||
@ -238,7 +235,6 @@ func (c *Catalog) Deregister(args *structs.DeregisterRequest, reply *struct{}) e
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Check the complete deregister request against the given ACL policy.
|
// Check the complete deregister request against the given ACL policy.
|
||||||
if authz != nil {
|
|
||||||
state := c.srv.fsm.State()
|
state := c.srv.fsm.State()
|
||||||
|
|
||||||
var ns *structs.NodeService
|
var ns *structs.NodeService
|
||||||
@ -261,8 +257,6 @@ func (c *Catalog) Deregister(args *structs.DeregisterRequest, reply *struct{}) e
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
_, err = c.srv.raftApply(structs.DeregisterRequestType, args)
|
_, err = c.srv.raftApply(structs.DeregisterRequestType, args)
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
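Review bot: With the nil guard gone, every authorizer call in this hunk — and likewise in Coordinate.Update/Node, Intention.Match/Check, Internal.ServiceTopology/IntentionUpstreams, KVS.ListKeys, Session.Apply, the event RUN_QUERY loop and UIMetricsProxy — now dereferences `authz` unconditionally, so a nil authorizer, which previously meant "skip the ACL check" (fail-open), now means a panic inside the RPC handler. The commit message asserts that authz can never be nil, but nothing in these hunks documents that invariant at the point of use; a comment next to the first check, e.g. `// authz is never nil here: token resolution always yields an authorizer, so the ACL vet below runs unconditionally.`, would keep a later change from reintroducing the nil-means-skip assumption. Register also now performs the `state.NodeServices` lookup and `vetRegisterWithACL` on every request rather than only when an authorizer was present, which is the safer direction but adds a state read per registration even when ACLs are disabled. Register's and Deregister's bodies begin above these hunks, and the surviving `state.NodeServices` call relies on a `state` declared there.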
|
@ -142,13 +142,11 @@ func (c *Coordinate) Update(args *structs.CoordinateUpdateRequest, reply *struct
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if authz != nil {
|
|
||||||
var authzContext acl.AuthorizerContext
|
var authzContext acl.AuthorizerContext
|
||||||
structs.DefaultEnterpriseMetaInDefaultPartition().FillAuthzContext(&authzContext)
|
structs.DefaultEnterpriseMetaInDefaultPartition().FillAuthzContext(&authzContext)
|
||||||
if authz.NodeWrite(args.Node, &authzContext) != acl.Allow {
|
if authz.NodeWrite(args.Node, &authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
// Add the coordinate to the map of pending updates.
|
// Add the coordinate to the map of pending updates.
|
||||||
key := fmt.Sprintf("%s:%s", args.Node, args.Segment)
|
key := fmt.Sprintf("%s:%s", args.Node, args.Segment)
|
||||||
@ -226,13 +224,11 @@ func (c *Coordinate) Node(args *structs.NodeSpecificRequest, reply *structs.Inde
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if authz != nil {
|
|
||||||
var authzContext acl.AuthorizerContext
|
var authzContext acl.AuthorizerContext
|
||||||
structs.WildcardEnterpriseMetaInDefaultPartition().FillAuthzContext(&authzContext)
|
structs.WildcardEnterpriseMetaInDefaultPartition().FillAuthzContext(&authzContext)
|
||||||
if authz.NodeRead(args.Node, &authzContext) != acl.Allow {
|
if authz.NodeRead(args.Node, &authzContext) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
return c.srv.blockingQuery(&args.QueryOptions,
|
return c.srv.blockingQuery(&args.QueryOptions,
|
||||||
&reply.QueryMeta,
|
&reply.QueryMeta,
|
||||||
|
@ -593,7 +593,6 @@ func (s *Intention) Match(args *structs.IntentionQueryRequest, reply *structs.In
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if authz != nil {
|
|
||||||
var authzContext acl.AuthorizerContext
|
var authzContext acl.AuthorizerContext
|
||||||
// Go through each entry to ensure we have intention:read for the resource.
|
// Go through each entry to ensure we have intention:read for the resource.
|
||||||
|
|
||||||
@ -612,7 +611,6 @@ func (s *Intention) Match(args *structs.IntentionQueryRequest, reply *structs.In
|
|||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
return s.srv.blockingQuery(
|
return s.srv.blockingQuery(
|
||||||
&args.QueryOptions,
|
&args.QueryOptions,
|
||||||
@ -710,10 +708,7 @@ func (s *Intention) Check(args *structs.IntentionQueryRequest, reply *structs.In
|
|||||||
// NOTE(mitchellh): This is the same behavior as the agent authorize
|
// NOTE(mitchellh): This is the same behavior as the agent authorize
|
||||||
// endpoint. If this behavior is incorrect, we should also change it there
|
// endpoint. If this behavior is incorrect, we should also change it there
|
||||||
// which is much more important.
|
// which is much more important.
|
||||||
defaultDecision := acl.Allow
|
defaultDecision := authz.IntentionDefaultAllow(nil)
|
||||||
if authz != nil {
|
|
||||||
defaultDecision = authz.IntentionDefaultAllow(nil)
|
|
||||||
}
|
|
||||||
|
|
||||||
state := s.srv.fsm.State()
|
state := s.srv.fsm.State()
|
||||||
|
|
||||||
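Review bot: `defaultDecision := authz.IntentionDefaultAllow(nil)` in Check replaces a hard-coded `acl.Allow` fallback, and the same expression is introduced in Internal.ServiceTopology and Internal.IntentionUpstreams under two different names, `defaultAllow` and `defaultDecision`; one name across the three sites would make the shared meaning obvious. In the two Internal endpoints the value is computed inside the blocking-query callback, so it is re-evaluated on every wake-up although it depends only on the authorizer and not on `ws` or `state`; if IntentionDefaultAllow is a pure function of the authorizer it can be hoisted above the `blockingQuery` call. The `NOTE(mitchellh)` comment above Check ties this default to the agent authorize endpoint, so it is worth confirming that endpoint was given the same treatment. Match's and Check's bodies extend outside these hunks.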
|
@ -169,10 +169,7 @@ func (m *Internal) ServiceTopology(args *structs.ServiceSpecificRequest, reply *
|
|||||||
&args.QueryOptions,
|
&args.QueryOptions,
|
||||||
&reply.QueryMeta,
|
&reply.QueryMeta,
|
||||||
func(ws memdb.WatchSet, state *state.Store) error {
|
func(ws memdb.WatchSet, state *state.Store) error {
|
||||||
defaultAllow := acl.Allow
|
defaultAllow := authz.IntentionDefaultAllow(nil)
|
||||||
if authz != nil {
|
|
||||||
defaultAllow = authz.IntentionDefaultAllow(nil)
|
|
||||||
}
|
|
||||||
|
|
||||||
index, topology, err := state.ServiceTopology(ws, args.Datacenter, args.ServiceName, args.ServiceKind, defaultAllow, &args.EnterpriseMeta)
|
index, topology, err := state.ServiceTopology(ws, args.Datacenter, args.ServiceName, args.ServiceKind, defaultAllow, &args.EnterpriseMeta)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -216,10 +213,7 @@ func (m *Internal) IntentionUpstreams(args *structs.ServiceSpecificRequest, repl
|
|||||||
&args.QueryOptions,
|
&args.QueryOptions,
|
||||||
&reply.QueryMeta,
|
&reply.QueryMeta,
|
||||||
func(ws memdb.WatchSet, state *state.Store) error {
|
func(ws memdb.WatchSet, state *state.Store) error {
|
||||||
defaultDecision := acl.Allow
|
defaultDecision := authz.IntentionDefaultAllow(nil)
|
||||||
if authz != nil {
|
|
||||||
defaultDecision = authz.IntentionDefaultAllow(nil)
|
|
||||||
}
|
|
||||||
|
|
||||||
sn := structs.NewServiceName(args.ServiceName, &args.EnterpriseMeta)
|
sn := structs.NewServiceName(args.ServiceName, &args.EnterpriseMeta)
|
||||||
index, services, err := state.IntentionTopology(ws, sn, false, defaultDecision)
|
index, services, err := state.IntentionTopology(ws, sn, false, defaultDecision)
|
||||||
|
@ -263,9 +263,7 @@ func (k *KVS) ListKeys(args *structs.KeyListRequest, reply *structs.IndexedKeyLi
|
|||||||
reply.Index = index
|
reply.Index = index
|
||||||
}
|
}
|
||||||
|
|
||||||
if authz != nil {
|
|
||||||
entries = FilterDirEnt(authz, entries)
|
entries = FilterDirEnt(authz, entries)
|
||||||
}
|
|
||||||
|
|
||||||
// Collect the keys from the filtered entries
|
// Collect the keys from the filtered entries
|
||||||
prefixLen := len(args.Prefix)
|
prefixLen := len(args.Prefix)
|
||||||
|
@ -72,7 +72,6 @@ func (s *Session) Apply(args *structs.SessionRequest, reply *string) error {
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if authz != nil {
|
|
||||||
switch args.Op {
|
switch args.Op {
|
||||||
case structs.SessionDestroy:
|
case structs.SessionDestroy:
|
||||||
state := s.srv.fsm.State()
|
state := s.srv.fsm.State()
|
||||||
@ -95,7 +94,6 @@ func (s *Session) Apply(args *structs.SessionRequest, reply *string) error {
|
|||||||
default:
|
default:
|
||||||
return fmt.Errorf("Invalid session operation %q", args.Op)
|
return fmt.Errorf("Invalid session operation %q", args.Op)
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
// Ensure that the specified behavior is allowed
|
// Ensure that the specified behavior is allowed
|
||||||
switch args.Session.Behavior {
|
switch args.Session.Behavior {
|
||||||
|
@ -128,7 +128,6 @@ RUN_QUERY:
|
|||||||
events := s.agent.UserEvents()
|
events := s.agent.UserEvents()
|
||||||
|
|
||||||
// Filter the events using the ACL, if present
|
// Filter the events using the ACL, if present
|
||||||
if authz != nil {
|
|
||||||
for i := 0; i < len(events); i++ {
|
for i := 0; i < len(events); i++ {
|
||||||
name := events[i].Name
|
name := events[i].Name
|
||||||
if authz.EventRead(name, nil) == acl.Allow {
|
if authz.EventRead(name, nil) == acl.Allow {
|
||||||
@ -138,7 +137,6 @@ RUN_QUERY:
|
|||||||
events = append(events[:i], events[i+1:]...)
|
events = append(events[:i], events[i+1:]...)
|
||||||
i--
|
i--
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
// Filter the events if requested
|
// Filter the events if requested
|
||||||
if nameFilter != "" {
|
if nameFilter != "" {
|
||||||
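Review bot: The comment `// Filter the events using the ACL, if present` above the loop is now stale, since the filter runs unconditionally; change it to `// Filter the events using the ACL.` The loop also drops entries in place with `events = append(events[:i], events[i+1:]...)` on the slice returned by `s.agent.UserEvents()`; if that slice shares its backing array with the agent's event buffer, the filtered-out tail is now overwritten on every request rather than only when an authorizer was present, so it is worth confirming UserEvents returns a copy or filtering into a freshly allocated slice. The enclosing handler begins above the hunk at the RUN_QUERY label.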
|
@ -9,12 +9,13 @@ import (
|
|||||||
"sort"
|
"sort"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
|
"github.com/hashicorp/go-hclog"
|
||||||
|
|
||||||
"github.com/hashicorp/consul/acl"
|
"github.com/hashicorp/consul/acl"
|
||||||
"github.com/hashicorp/consul/agent/config"
|
"github.com/hashicorp/consul/agent/config"
|
||||||
"github.com/hashicorp/consul/agent/structs"
|
"github.com/hashicorp/consul/agent/structs"
|
||||||
"github.com/hashicorp/consul/api"
|
"github.com/hashicorp/consul/api"
|
||||||
"github.com/hashicorp/consul/logging"
|
"github.com/hashicorp/consul/logging"
|
||||||
"github.com/hashicorp/go-hclog"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
// ServiceSummary is used to summarize a service
|
// ServiceSummary is used to summarize a service
|
||||||
@ -607,7 +608,6 @@ func (s *HTTPHandlers) UIMetricsProxy(resp http.ResponseWriter, req *http.Reques
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if authz != nil {
|
|
||||||
// This endpoint requires wildcard read on all services and all nodes.
|
// This endpoint requires wildcard read on all services and all nodes.
|
||||||
//
|
//
|
||||||
// In enterprise it requires this _in all namespaces_ too.
|
// In enterprise it requires this _in all namespaces_ too.
|
||||||
@ -618,7 +618,6 @@ func (s *HTTPHandlers) UIMetricsProxy(resp http.ResponseWriter, req *http.Reques
|
|||||||
if authz.NodeReadAll(&authzContext) != acl.Allow || authz.ServiceReadAll(&authzContext) != acl.Allow {
|
if authz.NodeReadAll(&authzContext) != acl.Allow || authz.ServiceReadAll(&authzContext) != acl.Allow {
|
||||||
return nil, acl.ErrPermissionDenied
|
return nil, acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
log := s.agent.logger.Named(logging.UIMetricsProxy)
|
log := s.agent.logger.Named(logging.UIMetricsProxy)
|
||||||
|
|
||||||
|