mirror of https://github.com/status-im/consul.git
acl: remove Server.ResolveTokenIdentityAndDefaultMeta
This method suffered from similar naming to a couple other methods on Server, and had not great re-use (2 callers). By copying a few of the lines into one of the callers we can move the implementation into the second caller. Once moved, we can see that ResolveTokenAndDefaultMeta is identical in both Client and Server, and likely should be further refactored, possibly into ACLResolver. This change is being made to make ACL resolution easier to trace.
This commit is contained in:
parent
6cf6e7c5fe
commit
b837ba35a0
|
@ -1244,6 +1244,10 @@ func (r *ACLResolver) ResolveTokenToIdentityAndAuthorizer(token string) (structs
|
||||||
return identity, acl.NewChainedAuthorizer(chain), nil
|
return identity, acl.NewChainedAuthorizer(chain), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// TODO: rename to AccessorIDFromToken. This method is only used to retrieve the
|
||||||
|
// ACLIdentity.ID, so we don't need to return a full ACLIdentity. We could
|
||||||
|
// return a much smaller type (instad of just a string) to allow for changes
|
||||||
|
// in the future.
|
||||||
func (r *ACLResolver) ResolveTokenToIdentity(token string) (structs.ACLIdentity, error) {
|
func (r *ACLResolver) ResolveTokenToIdentity(token string) (structs.ACLIdentity, error) {
|
||||||
if !r.ACLsEnabled() {
|
if !r.ACLsEnabled() {
|
||||||
return nil, nil
|
return nil, nil
|
||||||
|
|
|
@ -93,6 +93,7 @@ func (c *Client) ResolveTokenToIdentity(token string) (structs.ACLIdentity, erro
|
||||||
return c.acls.ResolveTokenToIdentity(token)
|
return c.acls.ResolveTokenToIdentity(token)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// TODO: Server has an identical implementation, remove duplication
|
||||||
func (c *Client) ResolveTokenAndDefaultMeta(token string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (acl.Authorizer, error) {
|
func (c *Client) ResolveTokenAndDefaultMeta(token string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (acl.Authorizer, error) {
|
||||||
identity, authz, err := c.acls.ResolveTokenToIdentityAndAuthorizer(token)
|
identity, authz, err := c.acls.ResolveTokenToIdentityAndAuthorizer(token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
@ -235,12 +235,11 @@ func (s *Server) ResolveTokenToIdentity(token string) (structs.ACLIdentity, erro
|
||||||
return s.acls.ResolveTokenToIdentity(token)
|
return s.acls.ResolveTokenToIdentity(token)
|
||||||
}
|
}
|
||||||
|
|
||||||
// ResolveTokenIdentityAndDefaultMeta retrieves an identity and authorizer for the caller,
|
// TODO: Client has an identical implementation, remove duplication
|
||||||
// and populates the EnterpriseMeta based on the AuthorizerContext.
|
func (s *Server) ResolveTokenAndDefaultMeta(token string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (acl.Authorizer, error) {
|
||||||
func (s *Server) ResolveTokenIdentityAndDefaultMeta(token string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (structs.ACLIdentity, acl.Authorizer, error) {
|
|
||||||
identity, authz, err := s.acls.ResolveTokenToIdentityAndAuthorizer(token)
|
identity, authz, err := s.acls.ResolveTokenToIdentityAndAuthorizer(token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
// Default the EnterpriseMeta based on the Tokens meta or actual defaults
|
// Default the EnterpriseMeta based on the Tokens meta or actual defaults
|
||||||
|
@ -254,12 +253,6 @@ func (s *Server) ResolveTokenIdentityAndDefaultMeta(token string, entMeta *struc
|
||||||
// Use the meta to fill in the ACL authorization context
|
// Use the meta to fill in the ACL authorization context
|
||||||
entMeta.FillAuthzContext(authzContext)
|
entMeta.FillAuthzContext(authzContext)
|
||||||
|
|
||||||
return identity, authz, err
|
|
||||||
}
|
|
||||||
|
|
||||||
// ResolveTokenAndDefaultMeta passes through to ResolveTokenIdentityAndDefaultMeta, eliding the identity from its response.
|
|
||||||
func (s *Server) ResolveTokenAndDefaultMeta(token string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (acl.Authorizer, error) {
|
|
||||||
_, authz, err := s.ResolveTokenIdentityAndDefaultMeta(token, entMeta, authzContext)
|
|
||||||
return authz, err
|
return authz, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -100,15 +100,18 @@ func (s *Intention) Apply(args *structs.IntentionRequest, reply *string) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Get the ACL token for the request for the checks below.
|
// Get the ACL token for the request for the checks below.
|
||||||
var entMeta structs.EnterpriseMeta
|
identity, authz, err := s.srv.acls.ResolveTokenToIdentityAndAuthorizer(args.Token)
|
||||||
ident, authz, err := s.srv.ResolveTokenIdentityAndDefaultMeta(args.Token, &entMeta, nil)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
var accessorID string
|
var accessorID string
|
||||||
if ident != nil {
|
var entMeta structs.EnterpriseMeta
|
||||||
accessorID = ident.ID()
|
if identity != nil {
|
||||||
|
entMeta.Merge(identity.EnterpriseMetadata())
|
||||||
|
accessorID = identity.ID()
|
||||||
|
} else {
|
||||||
|
entMeta.Merge(structs.DefaultEnterpriseMetaInDefaultPartition())
|
||||||
}
|
}
|
||||||
|
|
||||||
var (
|
var (
|
||||||
|
|
Loading…
Reference in New Issue