diff --git a/agent/consul/catalog_endpoint.go b/agent/consul/catalog_endpoint.go index 8869481a1e..26eb394175 100644 --- a/agent/consul/catalog_endpoint.go +++ b/agent/consul/catalog_endpoint.go @@ -227,7 +227,7 @@ func (c *Catalog) Register(args *structs.RegisterRequest, reply *struct{}) error // worst let a service update revert a recent node update, so it doesn't open up // too much abuse). func vetRegisterWithACL( - rule acl.Authorizer, + authz acl.Authorizer, subj *structs.RegisterRequest, ns *structs.NodeServices, ) error { @@ -239,7 +239,7 @@ func vetRegisterWithACL( // privileges. needsNode := ns == nil || subj.ChangesNode(ns.Node) - if needsNode && rule.NodeWrite(subj.Node, &authzContext) != acl.Allow { + if needsNode && authz.NodeWrite(subj.Node, &authzContext) != acl.Allow { return acl.ErrPermissionDenied } @@ -247,7 +247,7 @@ func vetRegisterWithACL( // the given service, and that we can write to any existing service that // is being modified by id (if any). if subj.Service != nil { - if rule.ServiceWrite(subj.Service.Service, &authzContext) != acl.Allow { + if authz.ServiceWrite(subj.Service.Service, &authzContext) != acl.Allow { return acl.ErrPermissionDenied } @@ -261,7 +261,7 @@ func vetRegisterWithACL( var secondaryCtx acl.AuthorizerContext other.FillAuthzContext(&secondaryCtx) - if rule.ServiceWrite(other.Service, &secondaryCtx) != acl.Allow { + if authz.ServiceWrite(other.Service, &secondaryCtx) != acl.Allow { return acl.ErrPermissionDenied } } @@ -291,7 +291,7 @@ func vetRegisterWithACL( // Node-level check. if check.ServiceID == "" { - if rule.NodeWrite(subj.Node, &authzContext) != acl.Allow { + if authz.NodeWrite(subj.Node, &authzContext) != acl.Allow { return acl.ErrPermissionDenied } continue @@ -322,7 +322,7 @@ func vetRegisterWithACL( var secondaryCtx acl.AuthorizerContext other.FillAuthzContext(&secondaryCtx) - if rule.ServiceWrite(other.Service, &secondaryCtx) != acl.Allow { + if authz.ServiceWrite(other.Service, &secondaryCtx) != acl.Allow { return acl.ErrPermissionDenied } } @@ -385,7 +385,7 @@ func (c *Catalog) Deregister(args *structs.DeregisterRequest, reply *struct{}) e // endpoint. The NodeService for the referenced service must be supplied, and can // be nil; similar for the HealthCheck for the referenced health check. func vetDeregisterWithACL( - rule acl.Authorizer, + authz acl.Authorizer, subj *structs.DeregisterRequest, ns *structs.NodeService, nc *structs.HealthCheck, @@ -400,7 +400,7 @@ func vetDeregisterWithACL( // Allow service deregistration if the token has write permission for the node. // This accounts for cases where the agent no longer has a token with write permission // on the service to deregister it. - if rule.NodeWrite(subj.Node, &authzContext) == acl.Allow { + if authz.NodeWrite(subj.Node, &authzContext) == acl.Allow { return nil } @@ -415,7 +415,7 @@ func vetDeregisterWithACL( ns.FillAuthzContext(&authzContext) - if rule.ServiceWrite(ns.Service, &authzContext) != acl.Allow { + if authz.ServiceWrite(ns.Service, &authzContext) != acl.Allow { return acl.ErrPermissionDenied } } else if subj.CheckID != "" { @@ -426,11 +426,11 @@ func vetDeregisterWithACL( nc.FillAuthzContext(&authzContext) if nc.ServiceID != "" { - if rule.ServiceWrite(nc.ServiceName, &authzContext) != acl.Allow { + if authz.ServiceWrite(nc.ServiceName, &authzContext) != acl.Allow { return acl.ErrPermissionDenied } } else { - if rule.NodeWrite(subj.Node, &authzContext) != acl.Allow { + if authz.NodeWrite(subj.Node, &authzContext) != acl.Allow { return acl.ErrPermissionDenied } } diff --git a/agent/consul/txn_endpoint.go b/agent/consul/txn_endpoint.go index f9d15bf730..8c8ab41400 100644 --- a/agent/consul/txn_endpoint.go +++ b/agent/consul/txn_endpoint.go @@ -109,29 +109,29 @@ func (t *Txn) preCheck(authorizer acl.Authorizer, ops structs.TxnOps) structs.Tx } // vetNodeTxnOp applies the given ACL policy to a node transaction operation. -func vetNodeTxnOp(op *structs.TxnNodeOp, rule acl.Authorizer) error { +func vetNodeTxnOp(op *structs.TxnNodeOp, authz acl.Authorizer) error { var authzContext acl.AuthorizerContext op.FillAuthzContext(&authzContext) - if rule.NodeWrite(op.Node.Node, &authzContext) != acl.Allow { + if authz.NodeWrite(op.Node.Node, &authzContext) != acl.Allow { return acl.ErrPermissionDenied } return nil } // vetCheckTxnOp applies the given ACL policy to a check transaction operation. -func vetCheckTxnOp(op *structs.TxnCheckOp, rule acl.Authorizer) error { +func vetCheckTxnOp(op *structs.TxnCheckOp, authz acl.Authorizer) error { var authzContext acl.AuthorizerContext op.FillAuthzContext(&authzContext) if op.Check.ServiceID == "" { // Node-level check. - if rule.NodeWrite(op.Check.Node, &authzContext) != acl.Allow { + if authz.NodeWrite(op.Check.Node, &authzContext) != acl.Allow { return acl.ErrPermissionDenied } } else { // Service-level check. - if rule.ServiceWrite(op.Check.ServiceName, &authzContext) != acl.Allow { + if authz.ServiceWrite(op.Check.ServiceName, &authzContext) != acl.Allow { return acl.ErrPermissionDenied } }