diff --git a/agent/consul/acl.go b/agent/consul/acl.go
index 3f8c3119f5..770e1c8e7d 100644
--- a/agent/consul/acl.go
+++ b/agent/consul/acl.go
@@ -1928,12 +1928,11 @@ func (f *aclFilter) filterGatewayServices(mappings *structs.GatewayServices) {
 *mappings = ret
 }
-func (r *ACLResolver) filterACLWithAuthorizer(authorizer acl.Authorizer, subj interface{}) {
+func filterACLWithAuthorizer(logger hclog.Logger, authorizer acl.Authorizer, subj interface{}) {
 if authorizer == nil {
 return
 }
- // Create the filter
- filt := newACLFilter(authorizer, r.logger)
+ filt := newACLFilter(authorizer, logger)
 switch v := subj.(type) {
 case *structs.CheckServiceNodes:
@@ -2030,14 +2029,15 @@ func (r *ACLResolver) filterACLWithAuthorizer(authorizer acl.Authorizer, subj in
 }
 }
-// filterACL is used to filter results from our service catalog based on the
-// rules configured for the provided token.
-func (r *ACLResolver) filterACL(token string, subj interface{}) error {
+// filterACL uses the ACLResolver to resolve the token in an acl.Authorizer,
+// then uses the acl.Authorizer to filter subj. Any entities in subj that are
+// not authorized for read access will be removed from subj.
+func filterACL(r *ACLResolver, token string, subj interface{}) error {
 // Get the ACL from the token
 _, authorizer, err := r.ResolveTokenToIdentityAndAuthorizer(token)
 if err != nil {
 return err
 }
- r.filterACLWithAuthorizer(authorizer, subj)
+ filterACLWithAuthorizer(r.logger, authorizer, subj)
 return nil
 }
diff --git a/agent/consul/acl_server.go b/agent/consul/acl_server.go
index b9f70c3b59..cc32d89d82 100644
--- a/agent/consul/acl_server.go
+++ b/agent/consul/acl_server.go
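Review bot: The new free function filterACLWithAuthorizer carries no doc comment, and the `// Create the filter` line this hunk deletes was the only description it had; the behaviour most worth stating is the early `if authorizer == nil { return }`, which leaves subj entirely unfiltered rather than failing. Suggested comment above `+func filterACLWithAuthorizer(logger hclog.Logger, ...)`: `// filterACLWithAuthorizer removes from subj the entities authorizer does not permit (see filterACL); logger is handed to newACLFilter. A nil authorizer means no filtering at all: subj is returned untouched, so callers must only pass nil for requests already authorized elsewhere.` The function body runs past the end of this hunk.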
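Review bot: The rewritten filterACL doc comment leaves out what happens to subj when the token cannot be resolved: the function returns the ResolveTokenToIdentityAndAuthorizer error before filterACLWithAuthorizer runs, so on error subj is exactly as the caller passed it in, with nothing redacted or removed. A caller that logs the error and still serves subj would hand out unfiltered catalog data, so the contract belongs in the comment. I would append: `// If the token cannot be resolved the error is returned and subj is left unmodified, i.e. unfiltered; callers must not use subj when err != nil.`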
@@ -268,9 +268,9 @@ func (s *Server) ResolveTokenAndDefaultMeta(token string, entMeta *structs.Enter
 }
 func (s *Server) filterACL(token string, subj interface{}) error {
- return s.acls.filterACL(token, subj)
+ return filterACL(s.acls, token, subj)
 }
 func (s *Server) filterACLWithAuthorizer(authorizer acl.Authorizer, subj interface{}) {
- s.acls.filterACLWithAuthorizer(authorizer, subj)
+ filterACLWithAuthorizer(s.acls.logger, authorizer, subj)
 }
diff --git a/agent/consul/acl_test.go b/agent/consul/acl_test.go
index 2152b099e7..6699469c12 100644
--- a/agent/consul/acl_test.go
+++ b/agent/consul/acl_test.go
@@ -3276,7 +3276,7 @@ func TestACL_redactPreparedQueryTokens(t *testing.T) {
 }
 }
-func TestACL_redactTokenSecret(t *testing.T) {
+func TestFilterACL_redactTokenSecret(t *testing.T) {
 t.Parallel()
 delegate := &ACLResolverTestDelegate{
 enabled: true,
@@ -3293,16 +3293,16 @@ func TestACL_redactTokenSecret(t *testing.T) {
 SecretID: "6a5e25b3-28f2-4085-9012-c3fb754314d1",
 }
- err := r.filterACL("acl-wr", &token)
+ err := filterACL(r, "acl-wr", &token)
 require.NoError(t, err)
 require.Equal(t, "6a5e25b3-28f2-4085-9012-c3fb754314d1", token.SecretID)
- err = r.filterACL("acl-ro", &token)
+ err = filterACL(r, "acl-ro", &token)
 require.NoError(t, err)
 require.Equal(t, redactedToken, token.SecretID)
 }
-func TestACL_redactTokenSecrets(t *testing.T) {
+func TestFilterACL_redactTokenSecrets(t *testing.T) {
 t.Parallel()
 delegate := &ACLResolverTestDelegate{
 enabled: true,
@@ -3321,11 +3321,11 @@ func TestACL_redactTokenSecrets(t *testing.T) {
 },
 }
- err := r.filterACL("acl-wr", &tokens)
+ err := filterACL(r, "acl-wr", &tokens)
 require.NoError(t, err)
 require.Equal(t, "6a5e25b3-28f2-4085-9012-c3fb754314d1", tokens[0].SecretID)
- err = r.filterACL("acl-ro", &tokens)
+ err = filterACL(r, "acl-ro", &tokens)
 require.NoError(t, err)
 require.Equal(t, redactedToken, tokens[0].SecretID)
 }
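Review bot: In the second wrapper, `filterACLWithAuthorizer(s.acls.logger, authorizer, subj)` reaches into the ACLResolver's unexported logger field from Server, so the refactor replaces a method call with a dependency on the resolver's internals, while the wrapper just above passes the whole resolver via `filterACL(s.acls, token, subj)`. If Server carries a logger of its own, passing that keeps the two wrappers symmetric and the resolver's fields private to its own file; otherwise a small accessor on ACLResolver would do the same. Both wrappers are still undocumented after the change; a one-line `// filterACL filters subj using the rules of token; see filterACL in acl.go.` (and the equivalent for filterACLWithAuthorizer) would point readers at the real contract.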