agent: verify proxy token for ProxyConfig endpoint + tests

This commit is contained in:
Mitchell Hashimoto 2018-05-06 21:02:44 -07:00
parent 5d969e3cbb
commit a099c27b07
No known key found for this signature in database
GPG Key ID: 744E147AA52F5B0A
3 changed files with 253 additions and 0 deletions

View File

@ -2115,6 +2115,39 @@ func (a *Agent) RemoveProxy(proxyID string, persist bool) error {
return nil
}
// verifyProxyToken takes a proxy service ID and a token and verifies
// that the token is allowed to access proxy-related information (leaf
// cert, config, etc.).
//
// The given token may be a local-only proxy token or it may be an ACL
// token. We will attempt to verify the local proxy token first.
func (a *Agent) verifyProxyToken(proxyId, token string) error {
proxy := a.State.Proxy(proxyId)
if proxy == nil {
return fmt.Errorf("unknown proxy service ID: %q", proxyId)
}
// Easy case is if the token just matches our local proxy token.
// If this happens we can return without any requests.
if token == proxy.ProxyToken {
return nil
}
// Doesn't match, we have to do a full token resolution. The required
// permission for any proxy-related endpont is service:write, since
// to register a proxy you require that permission and sensitive data
// is usually present in the configuration.
rule, err := a.resolveToken(token)
if err != nil {
return err
}
if rule != nil && !rule.ServiceWrite(proxy.Proxy.TargetServiceID, nil) {
return acl.ErrPermissionDenied
}
return nil
}
func (a *Agent) cancelCheckMonitors(checkID types.CheckID) {
// Stop any monitors
delete(a.checkReapAfter, checkID)

View File

@ -965,6 +965,10 @@ func (s *HTTPServer) AgentConnectProxyConfig(resp http.ResponseWriter, req *http
return nil, nil
}
// Parse the token
var token string
s.parseToken(req, &token)
// Parse hash specially since it's only this endpoint that uses it currently.
// Eventually this should happen in parseWait and end up in QueryOptions but I
// didn't want to make very general changes right away.
@ -980,6 +984,11 @@ func (s *HTTPServer) AgentConnectProxyConfig(resp http.ResponseWriter, req *http
return "", nil, nil
}
// Validate the ACL token
if err := s.agent.verifyProxyToken(id, token); err != nil {
return "", nil, err
}
// Lookup the target service as a convenience
target := s.agent.State.Service(proxy.Proxy.TargetServiceID)
if target == nil {

View File

@ -2517,6 +2517,217 @@ func TestAgentConnectProxyConfig_Blocking(t *testing.T) {
}
}
func TestAgentConnectProxyConfig_aclDefaultDeny(t *testing.T) {
t.Parallel()
require := require.New(t)
a := NewTestAgent(t.Name(), TestACLConfig()+`
connect {
enabled = true
}
`)
defer a.Shutdown()
// Register a service with a managed proxy
{
reg := &structs.ServiceDefinition{
ID: "test-id",
Name: "test",
Address: "127.0.0.1",
Port: 8000,
Check: structs.CheckType{
TTL: 15 * time.Second,
},
Connect: &structs.ServiceDefinitionConnect{
Proxy: &structs.ServiceDefinitionConnectProxy{},
},
}
req, _ := http.NewRequest("PUT", "/v1/agent/service/register?token=root", jsonReader(reg))
resp := httptest.NewRecorder()
_, err := a.srv.AgentRegisterService(resp, req)
require.NoError(err)
require.Equal(200, resp.Code, "body: %s", resp.Body.String())
}
req, _ := http.NewRequest("GET", "/v1/agent/connect/proxy/test-id-proxy", nil)
resp := httptest.NewRecorder()
_, err := a.srv.AgentConnectProxyConfig(resp, req)
require.True(acl.IsErrPermissionDenied(err))
}
func TestAgentConnectProxyConfig_aclProxyToken(t *testing.T) {
t.Parallel()
require := require.New(t)
a := NewTestAgent(t.Name(), TestACLConfig()+`
connect {
enabled = true
}
`)
defer a.Shutdown()
// Register a service with a managed proxy
{
reg := &structs.ServiceDefinition{
ID: "test-id",
Name: "test",
Address: "127.0.0.1",
Port: 8000,
Check: structs.CheckType{
TTL: 15 * time.Second,
},
Connect: &structs.ServiceDefinitionConnect{
Proxy: &structs.ServiceDefinitionConnectProxy{},
},
}
req, _ := http.NewRequest("PUT", "/v1/agent/service/register?token=root", jsonReader(reg))
resp := httptest.NewRecorder()
_, err := a.srv.AgentRegisterService(resp, req)
require.NoError(err)
require.Equal(200, resp.Code, "body: %s", resp.Body.String())
}
// Get the proxy token from the agent directly, since there is no API
// to expose this.
proxy := a.State.Proxy("test-id-proxy")
require.NotNil(proxy)
token := proxy.ProxyToken
require.NotEmpty(token)
req, _ := http.NewRequest(
"GET", "/v1/agent/connect/proxy/test-id-proxy?token="+token, nil)
resp := httptest.NewRecorder()
obj, err := a.srv.AgentConnectProxyConfig(resp, req)
require.NoError(err)
proxyCfg := obj.(*api.ConnectProxyConfig)
require.Equal("test-id-proxy", proxyCfg.ProxyServiceID)
require.Equal("test-id", proxyCfg.TargetServiceID)
require.Equal("test", proxyCfg.TargetServiceName)
}
func TestAgentConnectProxyConfig_aclServiceWrite(t *testing.T) {
t.Parallel()
require := require.New(t)
a := NewTestAgent(t.Name(), TestACLConfig()+`
connect {
enabled = true
}
`)
defer a.Shutdown()
// Register a service with a managed proxy
{
reg := &structs.ServiceDefinition{
ID: "test-id",
Name: "test",
Address: "127.0.0.1",
Port: 8000,
Check: structs.CheckType{
TTL: 15 * time.Second,
},
Connect: &structs.ServiceDefinitionConnect{
Proxy: &structs.ServiceDefinitionConnectProxy{},
},
}
req, _ := http.NewRequest("PUT", "/v1/agent/service/register?token=root", jsonReader(reg))
resp := httptest.NewRecorder()
_, err := a.srv.AgentRegisterService(resp, req)
require.NoError(err)
require.Equal(200, resp.Code, "body: %s", resp.Body.String())
}
// Create an ACL with service:write for our service
var token string
{
args := map[string]interface{}{
"Name": "User Token",
"Type": "client",
"Rules": `service "test" { policy = "write" }`,
}
req, _ := http.NewRequest("PUT", "/v1/acl/create?token=root", jsonReader(args))
resp := httptest.NewRecorder()
obj, err := a.srv.ACLCreate(resp, req)
if err != nil {
t.Fatalf("err: %v", err)
}
aclResp := obj.(aclCreateResponse)
token = aclResp.ID
}
req, _ := http.NewRequest(
"GET", "/v1/agent/connect/proxy/test-id-proxy?token="+token, nil)
resp := httptest.NewRecorder()
obj, err := a.srv.AgentConnectProxyConfig(resp, req)
require.NoError(err)
proxyCfg := obj.(*api.ConnectProxyConfig)
require.Equal("test-id-proxy", proxyCfg.ProxyServiceID)
require.Equal("test-id", proxyCfg.TargetServiceID)
require.Equal("test", proxyCfg.TargetServiceName)
}
func TestAgentConnectProxyConfig_aclServiceReadDeny(t *testing.T) {
t.Parallel()
require := require.New(t)
a := NewTestAgent(t.Name(), TestACLConfig()+`
connect {
enabled = true
}
`)
defer a.Shutdown()
// Register a service with a managed proxy
{
reg := &structs.ServiceDefinition{
ID: "test-id",
Name: "test",
Address: "127.0.0.1",
Port: 8000,
Check: structs.CheckType{
TTL: 15 * time.Second,
},
Connect: &structs.ServiceDefinitionConnect{
Proxy: &structs.ServiceDefinitionConnectProxy{},
},
}
req, _ := http.NewRequest("PUT", "/v1/agent/service/register?token=root", jsonReader(reg))
resp := httptest.NewRecorder()
_, err := a.srv.AgentRegisterService(resp, req)
require.NoError(err)
require.Equal(200, resp.Code, "body: %s", resp.Body.String())
}
// Create an ACL with service:read for our service
var token string
{
args := map[string]interface{}{
"Name": "User Token",
"Type": "client",
"Rules": `service "test" { policy = "read" }`,
}
req, _ := http.NewRequest("PUT", "/v1/acl/create?token=root", jsonReader(args))
resp := httptest.NewRecorder()
obj, err := a.srv.ACLCreate(resp, req)
if err != nil {
t.Fatalf("err: %v", err)
}
aclResp := obj.(aclCreateResponse)
token = aclResp.ID
}
req, _ := http.NewRequest(
"GET", "/v1/agent/connect/proxy/test-id-proxy?token="+token, nil)
resp := httptest.NewRecorder()
_, err := a.srv.AgentConnectProxyConfig(resp, req)
require.True(acl.IsErrPermissionDenied(err))
}
func TestAgentConnectProxyConfig_ConfigHandling(t *testing.T) {
t.Parallel()