mirror of https://github.com/status-im/consul.git
acl: return a resposne from ResolveToken that includes the ACLIdentity
So that we can duplicate duplicate methods.
This commit is contained in:
parent
8c9c48e219
commit
a5e8af79c3
|
@ -102,10 +102,10 @@ func (a *TestACLAgent) ResolveTokenToIdentity(secretID string) (structs.ACLIdent
|
||||||
return a.resolveIdentFn(secretID)
|
return a.resolveIdentFn(secretID)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (a *TestACLAgent) ResolveTokenAndDefaultMeta(secretID string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (acl.Authorizer, error) {
|
func (a *TestACLAgent) ResolveTokenAndDefaultMeta(secretID string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (consul.ACLResolveResult, error) {
|
||||||
identity, authz, err := a.ResolveTokenToIdentityAndAuthorizer(secretID)
|
identity, authz, err := a.ResolveTokenToIdentityAndAuthorizer(secretID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return consul.ACLResolveResult{}, err
|
||||||
}
|
}
|
||||||
|
|
||||||
// Default the EnterpriseMeta based on the Tokens meta or actual defaults
|
// Default the EnterpriseMeta based on the Tokens meta or actual defaults
|
||||||
|
@ -119,7 +119,7 @@ func (a *TestACLAgent) ResolveTokenAndDefaultMeta(secretID string, entMeta *stru
|
||||||
// Use the meta to fill in the ACL authorization context
|
// Use the meta to fill in the ACL authorization context
|
||||||
entMeta.FillAuthzContext(authzContext)
|
entMeta.FillAuthzContext(authzContext)
|
||||||
|
|
||||||
return authz, err
|
return consul.ACLResolveResult{Authorizer: authz, ACLIdentity: identity}, err
|
||||||
}
|
}
|
||||||
|
|
||||||
// All of these are stubs to satisfy the interface
|
// All of these are stubs to satisfy the interface
|
||||||
|
|
|
@ -174,7 +174,7 @@ type delegate interface {
|
||||||
// actions based on the permissions granted to the token.
|
// actions based on the permissions granted to the token.
|
||||||
// If either entMeta or authzContext are non-nil they will be populated with the
|
// If either entMeta or authzContext are non-nil they will be populated with the
|
||||||
// default partition and namespace from the token.
|
// default partition and namespace from the token.
|
||||||
ResolveTokenAndDefaultMeta(token string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (acl.Authorizer, error)
|
ResolveTokenAndDefaultMeta(token string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (consul.ACLResolveResult, error)
|
||||||
|
|
||||||
RPC(method string, args interface{}, reply interface{}) error
|
RPC(method string, args interface{}, reply interface{}) error
|
||||||
SnapshotRPC(args *structs.SnapshotRequest, in io.Reader, out io.Writer, replyFn structs.SnapshotReplyFn) error
|
SnapshotRPC(args *structs.SnapshotRequest, in io.Reader, out io.Writer, replyFn structs.SnapshotReplyFn) error
|
||||||
|
|
|
@ -1640,8 +1640,8 @@ type fakeResolveTokenDelegate struct {
|
||||||
authorizer acl.Authorizer
|
authorizer acl.Authorizer
|
||||||
}
|
}
|
||||||
|
|
||||||
func (f fakeResolveTokenDelegate) ResolveTokenAndDefaultMeta(_ string, _ *structs.EnterpriseMeta, _ *acl.AuthorizerContext) (acl.Authorizer, error) {
|
func (f fakeResolveTokenDelegate) ResolveTokenAndDefaultMeta(_ string, _ *structs.EnterpriseMeta, _ *acl.AuthorizerContext) (consul.ACLResolveResult, error) {
|
||||||
return f.authorizer, nil
|
return consul.ACLResolveResult{Authorizer: f.authorizer}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestAgent_Reload(t *testing.T) {
|
func TestAgent_Reload(t *testing.T) {
|
||||||
|
|
|
@ -1115,6 +1115,19 @@ func (r *ACLResolver) ResolveTokenToIdentityAndAuthorizer(token string) (structs
|
||||||
return identity, acl.NewChainedAuthorizer(chain), nil
|
return identity, acl.NewChainedAuthorizer(chain), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type ACLResolveResult struct {
|
||||||
|
acl.Authorizer
|
||||||
|
// TODO: likely we can reduce this interface
|
||||||
|
structs.ACLIdentity
|
||||||
|
}
|
||||||
|
|
||||||
|
func (a ACLResolveResult) AccessorID() string {
|
||||||
|
if a.ACLIdentity == nil {
|
||||||
|
return ""
|
||||||
|
}
|
||||||
|
return a.ACLIdentity.ID()
|
||||||
|
}
|
||||||
|
|
||||||
// TODO: rename to AccessorIDFromToken. This method is only used to retrieve the
|
// TODO: rename to AccessorIDFromToken. This method is only used to retrieve the
|
||||||
// ACLIdentity.ID, so we don't need to return a full ACLIdentity. We could
|
// ACLIdentity.ID, so we don't need to return a full ACLIdentity. We could
|
||||||
// return a much smaller type (instad of just a string) to allow for changes
|
// return a much smaller type (instad of just a string) to allow for changes
|
||||||
|
@ -1158,10 +1171,10 @@ func (r *ACLResolver) ACLsEnabled() bool {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
|
||||||
func (r *ACLResolver) ResolveTokenAndDefaultMeta(token string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (acl.Authorizer, error) {
|
func (r *ACLResolver) ResolveTokenAndDefaultMeta(token string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (ACLResolveResult, error) {
|
||||||
identity, authz, err := r.ResolveTokenToIdentityAndAuthorizer(token)
|
identity, authz, err := r.ResolveTokenToIdentityAndAuthorizer(token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return ACLResolveResult{}, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if entMeta == nil {
|
if entMeta == nil {
|
||||||
|
@ -1179,7 +1192,7 @@ func (r *ACLResolver) ResolveTokenAndDefaultMeta(token string, entMeta *structs.
|
||||||
// Use the meta to fill in the ACL authorization context
|
// Use the meta to fill in the ACL authorization context
|
||||||
entMeta.FillAuthzContext(authzContext)
|
entMeta.FillAuthzContext(authzContext)
|
||||||
|
|
||||||
return authz, err
|
return ACLResolveResult{Authorizer: authz, ACLIdentity: identity}, err
|
||||||
}
|
}
|
||||||
|
|
||||||
// aclFilter is used to filter results from our state store based on ACL rules
|
// aclFilter is used to filter results from our state store based on ACL rules
|
||||||
|
|
|
@ -159,13 +159,12 @@ func (s *Server) ResolveRoleFromID(roleID string) (bool, *structs.ACLRole, error
|
||||||
return s.InPrimaryDatacenter() || index > 0, role, acl.ErrNotFound
|
return s.InPrimaryDatacenter() || index > 0, role, acl.ErrNotFound
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// TODO: remove
|
||||||
func (s *Server) ResolveToken(token string) (acl.Authorizer, error) {
|
func (s *Server) ResolveToken(token string) (acl.Authorizer, error) {
|
||||||
_, authz, err := s.ACLResolver.ResolveTokenToIdentityAndAuthorizer(token)
|
_, authz, err := s.ACLResolver.ResolveTokenToIdentityAndAuthorizer(token)
|
||||||
return authz, err
|
return authz, err
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO: Client has an identical implementation, remove duplication
|
|
||||||
|
|
||||||
func (s *Server) filterACL(token string, subj interface{}) error {
|
func (s *Server) filterACL(token string, subj interface{}) error {
|
||||||
return filterACL(s.ACLResolver, token, subj)
|
return filterACL(s.ACLResolver, token, subj)
|
||||||
}
|
}
|
||||||
|
|
|
@ -100,6 +100,7 @@ func (s *Intention) Apply(args *structs.IntentionRequest, reply *string) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Get the ACL token for the request for the checks below.
|
// Get the ACL token for the request for the checks below.
|
||||||
|
// TODO: use ResolveTokenAndDefaultMeta
|
||||||
identity, authz, err := s.srv.ACLResolver.ResolveTokenToIdentityAndAuthorizer(args.Token)
|
identity, authz, err := s.srv.ACLResolver.ResolveTokenToIdentityAndAuthorizer(args.Token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
|
|
|
@ -89,8 +89,8 @@ var ACLBootstrapNotAllowedErr = errors.New("ACL bootstrap no longer allowed")
|
||||||
var ACLBootstrapInvalidResetIndexErr = errors.New("Invalid ACL bootstrap reset index")
|
var ACLBootstrapInvalidResetIndexErr = errors.New("Invalid ACL bootstrap reset index")
|
||||||
|
|
||||||
type ACLIdentity interface {
|
type ACLIdentity interface {
|
||||||
// ID returns a string that can be used for logging and telemetry. This should not
|
// ID returns the accessor ID, a string that can be used for logging and
|
||||||
// contain any secret data used for authentication
|
// telemetry. It is not the secret ID used for authentication.
|
||||||
ID() string
|
ID() string
|
||||||
SecretToken() string
|
SecretToken() string
|
||||||
PolicyIDs() []string
|
PolicyIDs() []string
|
||||||
|
|
Loading…
Reference in New Issue