acl: do not resolve local tokens from remote dcs (#8068)
parent
9e6718ad0f
commit
a678b47c73
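--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -417,6 +417,9 @@ func (r *ACLResolver) fetchAndCacheIdentityFromToken(token string, cached *struc
 if resp.Token == nil {
 r.cache.PutIdentity(cacheID, nil)
 return nil, acl.ErrNotFound
+} else if resp.Token.Local && r.config.Datacenter != resp.SourceDatacenter {
+r.cache.PutIdentity(cacheID, nil)
+return nil, acl.PermissionDeniedError{Cause: fmt.Sprintf("This is a local token in datacenter %q", resp.SourceDatacenter)}
 } else {
 r.cache.PutIdentity(cacheID, resp.Token)
 return resp.Token, nil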
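Review bot: The new `else if` denies a local token whenever `resp.SourceDatacenter` differs from `r.config.Datacenter`, which also fires when `SourceDatacenter` is empty — the value a responding server that does not yet populate this field would return — so the check fails closed on a mixed-version cluster, apparently by design but nowhere stated. A comment on the branch would make that explicit: `// SourceDatacenter is asserted by the responding server (ACL.TokenRead); an empty value from a server that does not set it is treated as a mismatch and denied.` Note also that the denied token is cached as a nil identity, so whether a repeated lookup surfaces `PermissionDeniedError` or `acl.ErrNotFound` depends on how the cache hit is handled outside this hunk; worth confirming the two paths agree. fetchAndCacheIdentityFromToken begins and ends outside the hunk.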
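--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -260,6 +260,7 @@ func (a *ACL) TokenRead(args *structs.ACLTokenGetRequest, reply *structs.ACLToke
 }
 
 reply.Index, reply.Token = index, token
+reply.SourceDatacenter = args.Datacenter
 return nil
 })
 }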
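Review bot: `reply.SourceDatacenter = args.Datacenter` echoes the datacenter named in the request rather than the one the responding server is configured with; the two coincide once the request has been forwarded to its target datacenter, but the resolver in the preceding hunk treats this field as the server's own assertion, so populating it from the server's configured datacenter would make the claim independent of what the caller sent. The assignment also sits at the end of the blocking-query closure, so any earlier return in TokenRead (the closure and the function both start outside this hunk) leaves the field at its empty zero value. A one-line comment stating the intent would help the next reader: `// Report which datacenter answered so the resolver can reject local tokens from other datacenters.`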
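--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -3703,3 +3703,49 @@ func TestDedupeServiceIdentities(t *testing.T) {
 })
 }
 }
+func TestACL_LocalToken(t *testing.T) {
+t.Run("local token in same dc", func(t *testing.T) {
+d := &ACLResolverTestDelegate{
+datacenter: "dc1",
+tokenReadFn: func(_ *structs.ACLTokenGetRequest, reply *structs.ACLTokenResponse) error {
+reply.Token = &structs.ACLToken{Local: true}
+// different dc
+reply.SourceDatacenter = "dc1"
+return nil
+},
+}
+r := newTestACLResolver(t, d, nil)
+_, err := r.fetchAndCacheIdentityFromToken("", nil)
+require.NoError(t, err)
+})
+
+t.Run("non local token in remote dc", func(t *testing.T) {
+d := &ACLResolverTestDelegate{
+datacenter: "dc1",
+tokenReadFn: func(_ *structs.ACLTokenGetRequest, reply *structs.ACLTokenResponse) error {
+reply.Token = &structs.ACLToken{Local: false}
+// different dc
+reply.SourceDatacenter = "remote"
+return nil
+},
+}
+r := newTestACLResolver(t, d, nil)
+_, err := r.fetchAndCacheIdentityFromToken("", nil)
+require.NoError(t, err)
+})
+
+t.Run("local token in remote dc", func(t *testing.T) {
+d := &ACLResolverTestDelegate{
+datacenter: "dc1",
+tokenReadFn: func(_ *structs.ACLTokenGetRequest, reply *structs.ACLTokenResponse) error {
+reply.Token = &structs.ACLToken{Local: true}
+// different dc
+reply.SourceDatacenter = "remote"
+return nil
+},
+}
+r := newTestACLResolver(t, d, nil)
+_, err := r.fetchAndCacheIdentityFromToken("", nil)
+require.Equal(t, acl.PermissionDeniedError{Cause: "This is a local token in datacenter \"remote\""}, err)
+})
+}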
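Review bot: The comment `// different dc` above `reply.SourceDatacenter = "dc1"` in the first subtest is copied from the other two and contradicts the case it labels, which is the same-datacenter case; it should read `// same dc`, and in the second subtest the distinguishing input is the non-local token rather than the datacenter. The table also omits the case the resolver must handle on a mixed-version cluster — a local token returned with an empty `SourceDatacenter` — which a fourth `t.Run` mirroring the third with `reply.SourceDatacenter = ""` would pin down; per the resolver hunk that case is currently denied, and a test would make that behaviour deliberate rather than incidental. The final assertion compares the full `PermissionDeniedError{Cause: ...}` value, so any later rewording of the cause text breaks the test; asserting on the error type (for example via `errors.As` or `require.IsType`) would be more robust.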
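--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -1260,6 +1260,7 @@ type ACLTokenBootstrapRequest struct {
 type ACLTokenResponse struct {
 Token *ACLToken
 Redacted bool // whether the token's secret was redacted
+SourceDatacenter string
 QueryMeta
 }
 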
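Review bot: `SourceDatacenter string` is added without a doc comment while its sibling `Redacted` has one, and this field now carries an authorization decision in the resolver, so its meaning should be stated at the definition. Suggest `SourceDatacenter string // datacenter that served the request; the resolver rejects local tokens whose SourceDatacenter differs from its own`. Because this struct is an RPC response, a responding server that does not populate the field leaves it at the empty zero value, which is worth mentioning in the comment so readers understand why an empty value is treated as a mismatch.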