acl: remove rule == nil checks
parent
323039dd06
commit
9dd6d26d05
|
@ -193,9 +193,6 @@ func (a *Agent) filterMembers(token string, members *[]serf.Member) error {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if rule == nil {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
var authzContext acl.AuthorizerContext
|
var authzContext acl.AuthorizerContext
|
||||||
structs.DefaultEnterpriseMetaInDefaultPartition().FillAuthzContext(&authzContext)
|
structs.DefaultEnterpriseMetaInDefaultPartition().FillAuthzContext(&authzContext)
|
||||||
|
@ -216,6 +213,7 @@ func (a *Agent) filterMembers(token string, members *[]serf.Member) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
// filterServices redacts services that the token doesn't have access to.
|
// filterServices redacts services that the token doesn't have access to.
|
||||||
|
// TODO: move to test file
|
||||||
func (a *Agent) filterServices(token string, services *map[structs.ServiceID]*structs.NodeService) error {
|
func (a *Agent) filterServices(token string, services *map[structs.ServiceID]*structs.NodeService) error {
|
||||||
// Resolve the token and bail if ACLs aren't enabled.
|
// Resolve the token and bail if ACLs aren't enabled.
|
||||||
authz, err := a.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
|
authz, err := a.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
|
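Review bot: The added `// TODO: move to test file` sits directly between the `// filterServices redacts…` doc comment and the `func` line with no blank line, so Go treats it as part of filterServices's doc comment and the TODO leaks into generated documentation. Move it above the doc comment with a blank line between, or into the function body, and say what the TODO is waiting on — if the function really is test-only, something like `// TODO: filterServices appears to be used only from tests; move it to agent_test.go` gives the next reader enough to act. Also note that the resolved Authorizer is named `authz` here but `rule` in filterMembers in the previous hunk; one name for the same value across the file would help. filterServices continues past the end of the hunk.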
||||||
|
|
|
@ -175,7 +175,7 @@ func (s *HTTPHandlers) AgentMetricsStream(resp http.ResponseWriter, req *http.Re
|
||||||
switch {
|
switch {
|
||||||
case err != nil:
|
case err != nil:
|
||||||
return nil, err
|
return nil, err
|
||||||
case rule != nil && rule.AgentRead(s.agent.config.NodeName, nil) != acl.Allow:
|
case rule.AgentRead(s.agent.config.NodeName, nil) != acl.Allow:
|
||||||
return nil, acl.ErrPermissionDenied
|
return nil, acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -1448,7 +1448,7 @@ func TestHTTPHandlers_AgentMetricsStream(t *testing.T) {
|
||||||
bd.Tokens = new(tokenStore.Store)
|
bd.Tokens = new(tokenStore.Store)
|
||||||
sink := metrics.NewInmemSink(20*time.Millisecond, time.Second)
|
sink := metrics.NewInmemSink(20*time.Millisecond, time.Second)
|
||||||
bd.MetricsHandler = sink
|
bd.MetricsHandler = sink
|
||||||
d := fakeResolveTokenDelegate{}
|
d := fakeResolveTokenDelegate{authorizer: acl.ManageAll()}
|
||||||
agent := &Agent{
|
agent := &Agent{
|
||||||
baseDeps: bd,
|
baseDeps: bd,
|
||||||
delegate: d,
|
delegate: d,
|
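Review bot: The fixture change leaves the test covering only the allow path: with the `rule != nil &&` guard removed from AgentMetricsStream, the deny branch (`rule.AgentRead(...) != acl.Allow` returning `acl.ErrPermissionDenied`) is not exercised here, and the previous fixture `fakeResolveTokenDelegate{}` with a nil authorizer would now hit a nil-interface method call rather than fail cleanly. Add a second case that wires a deny-all authorizer into `fakeResolveTokenDelegate{authorizer: ...}` (acl.DenyAll() if this tree provides it) and asserts the handler returns `acl.ErrPermissionDenied`. TestHTTPHandlers_AgentMetricsStream starts and ends outside the hunk.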
||||||
|
|
|
@ -2028,11 +2028,10 @@ func (a *ACL) BindingRuleDelete(args *structs.ACLBindingRuleDeleteRequest, reply
|
||||||
}
|
}
|
||||||
|
|
||||||
_, rule, err := a.srv.fsm.State().ACLBindingRuleGetByID(nil, args.BindingRuleID, &args.EnterpriseMeta)
|
_, rule, err := a.srv.fsm.State().ACLBindingRuleGetByID(nil, args.BindingRuleID, &args.EnterpriseMeta)
|
||||||
if err != nil {
|
switch {
|
||||||
|
case err != nil:
|
||||||
return err
|
return err
|
||||||
}
|
case rule == nil:
|
||||||
|
|
||||||
if rule == nil {
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
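Review bot: The `case rule == nil:` kept here is a not-found check on the looked-up binding rule, not the Authorizer nil check this commit removes elsewhere, and the shared local name `rule` makes that easy to misread — particularly since a nil result makes the delete return success. A one-line comment pins the intent: `case rule == nil: // no such binding rule: deleting it is a no-op, not an error`. Renaming the local to `bindingRule` would additionally keep it from being swept up by a future pass over `rule == nil` checks. BindingRuleDelete continues outside the hunk.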
||||||
|
|
|
@ -169,7 +169,7 @@ func (a *ACL) Apply(args *structs.ACLRequest, reply *string) error {
|
||||||
// NOTE: We will not support enterprise authorizer contexts with legacy ACLs
|
// NOTE: We will not support enterprise authorizer contexts with legacy ACLs
|
||||||
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
|
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
|
||||||
return err
|
return err
|
||||||
} else if rule == nil || rule.ACLWrite(nil) != acl.Allow {
|
} else if rule.ACLWrite(nil) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
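Review bot: Dropping `rule == nil ||` turns what was a fail-closed guard into a nil-interface method call: if ResolveToken ever returns a nil Authorizer, this path now panics inside the RPC handler instead of returning acl.ErrPermissionDenied. That is only safe if ResolveToken guarantees a non-nil authorizer (presumably acl.ManageAll() when ACLs are disabled, as the test fixture elsewhere in this commit suggests); that guarantee lives outside the hunk and nothing here records it. Since ACL.Apply is the legacy ACL write path, the invariant deserves to be stated once on the resolver, e.g. `// ResolveToken never returns a nil Authorizer; with ACLs disabled it returns acl.ManageAll().`, adjusted to whatever the resolver actually does. The same change is applied to ACL.List in the following hunk.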
||||||
|
@ -261,7 +261,7 @@ func (a *ACL) List(args *structs.DCSpecificRequest,
|
||||||
// and this check for ACLWrite is basically what it did before.
|
// and this check for ACLWrite is basically what it did before.
|
||||||
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
|
if rule, err := a.srv.ResolveToken(args.Token); err != nil {
|
||||||
return err
|
return err
|
||||||
} else if rule == nil || rule.ACLWrite(nil) != acl.Allow {
|
} else if rule.ACLWrite(nil) != acl.Allow {
|
||||||
return acl.ErrPermissionDenied
|
return acl.ErrPermissionDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -452,23 +452,21 @@ func (m *Internal) KeyringOperation(
|
||||||
if err := m.srv.validateEnterpriseToken(identity); err != nil {
|
if err := m.srv.validateEnterpriseToken(identity); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if rule != nil {
|
switch args.Operation {
|
||||||
switch args.Operation {
|
case structs.KeyringList:
|
||||||
case structs.KeyringList:
|
if rule.KeyringRead(nil) != acl.Allow {
|
||||||
if rule.KeyringRead(nil) != acl.Allow {
|
return fmt.Errorf("Reading keyring denied by ACLs")
|
||||||
return fmt.Errorf("Reading keyring denied by ACLs")
|
|
||||||
}
|
|
||||||
case structs.KeyringInstall:
|
|
||||||
fallthrough
|
|
||||||
case structs.KeyringUse:
|
|
||||||
fallthrough
|
|
||||||
case structs.KeyringRemove:
|
|
||||||
if rule.KeyringWrite(nil) != acl.Allow {
|
|
||||||
return fmt.Errorf("Modifying keyring denied due to ACLs")
|
|
||||||
}
|
|
||||||
default:
|
|
||||||
panic("Invalid keyring operation")
|
|
||||||
}
|
}
|
||||||
|
case structs.KeyringInstall:
|
||||||
|
fallthrough
|
||||||
|
case structs.KeyringUse:
|
||||||
|
fallthrough
|
||||||
|
case structs.KeyringRemove:
|
||||||
|
if rule.KeyringWrite(nil) != acl.Allow {
|
||||||
|
return fmt.Errorf("Modifying keyring denied due to ACLs")
|
||||||
|
}
|
||||||
|
default:
|
||||||
|
panic("Invalid keyring operation")
|
||||||
}
|
}
|
||||||
|
|
||||||
if args.LocalOnly || args.Forwarded || m.srv.serfWAN == nil {
|
if args.LocalOnly || args.Forwarded || m.srv.serfWAN == nil {
|
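Review bot: With the `if rule != nil` wrapper gone, `default: panic("Invalid keyring operation")` is reached for any unrecognized args.Operation regardless of ACL state, whereas before a nil rule skipped the whole switch; unless the operation is validated before this point (not visible in the hunk), a malformed RPC request from a client can now crash the server. Return an error instead: `return fmt.Errorf("invalid keyring operation: %v", args.Operation)`. Separately, the two ACL-denied branches return ad-hoc `fmt.Errorf` strings rather than acl.ErrPermissionDenied as the other hunks in this commit do, so callers matching on the sentinel will not recognize these denials. KeyringOperation and the resolution of `rule` begin above the hunk.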
||||||
|
|
|
@ -5,10 +5,11 @@ import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
|
"github.com/mitchellh/cli"
|
||||||
|
|
||||||
"github.com/hashicorp/consul/command/acl"
|
"github.com/hashicorp/consul/command/acl"
|
||||||
"github.com/hashicorp/consul/command/acl/bindingrule"
|
"github.com/hashicorp/consul/command/acl/bindingrule"
|
||||||
"github.com/hashicorp/consul/command/flags"
|
"github.com/hashicorp/consul/command/flags"
|
||||||
"github.com/mitchellh/cli"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
func New(ui cli.Ui) *cmd {
|
func New(ui cli.Ui) *cmd {
|
||||||
|
@ -85,10 +86,11 @@ func (c *cmd) Run(args []string) int {
|
||||||
}
|
}
|
||||||
|
|
||||||
rule, _, err := client.ACL().BindingRuleRead(ruleID, nil)
|
rule, _, err := client.ACL().BindingRuleRead(ruleID, nil)
|
||||||
if err != nil {
|
switch {
|
||||||
|
case err != nil:
|
||||||
c.UI.Error(fmt.Sprintf("Error reading binding rule %q: %v", ruleID, err))
|
c.UI.Error(fmt.Sprintf("Error reading binding rule %q: %v", ruleID, err))
|
||||||
return 1
|
return 1
|
||||||
} else if rule == nil {
|
case rule == nil:
|
||||||
c.UI.Error(fmt.Sprintf("Binding rule not found with ID %q", ruleID))
|
c.UI.Error(fmt.Sprintf("Binding rule not found with ID %q", ruleID))
|
||||||
return 1
|
return 1
|
||||||
}
|
}
|
||||||
|
|