acl: decouple acl filtering from ACLResolver

ACL filtering only needs an authorizer and a logger. We can decouple filtering from
the ACLResolver by passing in the necessary logger.

This change is being made in preparation for moving the ACLResolver into an acl package.
This commit is contained in:
Daniel Nephin 2021-07-30 17:19:57 -04:00
parent 111f3620a8
commit cc4f155801
3 changed files with 15 additions and 15 deletions


@ -1928,12 +1928,11 @@ func (f *aclFilter) filterGatewayServices(mappings *structs.GatewayServices) {
*mappings = ret
}
func (r *ACLResolver) filterACLWithAuthorizer(authorizer acl.Authorizer, subj interface{}) {
func filterACLWithAuthorizer(logger hclog.Logger, authorizer acl.Authorizer, subj interface{}) {
if authorizer == nil {
return
}
// Create the filter
filt := newACLFilter(authorizer, r.logger)
filt := newACLFilter(authorizer, logger)
switch v := subj.(type) {
case *structs.CheckServiceNodes:
@ -2030,14 +2029,15 @@ func (r *ACLResolver) filterACLWithAuthorizer(authorizer acl.Authorizer, subj in
}
}
// filterACL is used to filter results from our service catalog based on the
// rules configured for the provided token.
func (r *ACLResolver) filterACL(token string, subj interface{}) error {
// filterACL uses the ACLResolver to resolve the token in an acl.Authorizer,
// then uses the acl.Authorizer to filter subj. Any entities in subj that are
// not authorized for read access will be removed from subj.
func filterACL(r *ACLResolver, token string, subj interface{}) error {
// Get the ACL from the token
_, authorizer, err := r.ResolveTokenToIdentityAndAuthorizer(token)
if err != nil {
return err
}
r.filterACLWithAuthorizer(authorizer, subj)
filterACLWithAuthorizer(r.logger, authorizer, subj)
return nil
}
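Review bot: The new doc comment on `filterACL` promises that unauthorized entities "will be removed from subj", but the `filterACLWithAuthorizer` it delegates to returns early and leaves `subj` untouched whenever the resolver hands back a nil authorizer, so the function is fail-open on that path and a caller reading only the comment would not know it. Since this is now the package-level entry point, I would state that explicitly, e.g. `// If the token resolves to a nil authorizer (presumably when ACLs are disabled) subj is returned unfiltered.` — the condition under which `ResolveTokenToIdentityAndAuthorizer` yields a nil authorizer is not visible here, so confirm before wording it. The new `logger` parameter is passed straight into `newACLFilter` with no nil guard; if that constructor dereferences it, a nil logger from a caller is a panic rather than a filtering error. Both `filterACLWithAuthorizer` (its type switch) and the surrounding file continue outside these hunks.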


@ -268,9 +268,9 @@ func (s *Server) ResolveTokenAndDefaultMeta(token string, entMeta *structs.Enter
}
func (s *Server) filterACL(token string, subj interface{}) error {
return s.acls.filterACL(token, subj)
return filterACL(s.acls, token, subj)
}
func (s *Server) filterACLWithAuthorizer(authorizer acl.Authorizer, subj interface{}) {
s.acls.filterACLWithAuthorizer(authorizer, subj)
filterACLWithAuthorizer(s.acls.logger, authorizer, subj)
}
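Review bot: `Server.filterACLWithAuthorizer` now reaches into `s.acls.logger`, an unexported field of `ACLResolver`, which works only while `Server` and the resolver share a package; the description says the resolver is about to move into an `acl` package, at which point this line stops compiling and the wrapper must change again. If `Server` already carries its own logger (not visible in this hunk), passing that is the simpler coupling: `filterACLWithAuthorizer(s.logger, authorizer, subj)`; otherwise a small accessor on the resolver, e.g. `func (r *ACLResolver) Logger() hclog.Logger`, keeps the field private while the move happens. The `filterACL` wrapper on the line above is fine as written since it hands the whole resolver across.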


@ -3276,7 +3276,7 @@ func TestACL_redactPreparedQueryTokens(t *testing.T) {
}
}
func TestACL_redactTokenSecret(t *testing.T) {
func TestFilterACL_redactTokenSecret(t *testing.T) {
t.Parallel()
delegate := &ACLResolverTestDelegate{
enabled: true,
@ -3293,16 +3293,16 @@ func TestACL_redactTokenSecret(t *testing.T) {
SecretID: "6a5e25b3-28f2-4085-9012-c3fb754314d1",
}
err := r.filterACL("acl-wr", &token)
err := filterACL(r, "acl-wr", &token)
require.NoError(t, err)
require.Equal(t, "6a5e25b3-28f2-4085-9012-c3fb754314d1", token.SecretID)
err = r.filterACL("acl-ro", &token)
err = filterACL(r, "acl-ro", &token)
require.NoError(t, err)
require.Equal(t, redactedToken, token.SecretID)
}
func TestACL_redactTokenSecrets(t *testing.T) {
func TestFilterACL_redactTokenSecrets(t *testing.T) {
t.Parallel()
delegate := &ACLResolverTestDelegate{
enabled: true,
@ -3321,11 +3321,11 @@ func TestACL_redactTokenSecrets(t *testing.T) {
},
}
err := r.filterACL("acl-wr", &tokens)
err := filterACL(r, "acl-wr", &tokens)
require.NoError(t, err)
require.Equal(t, "6a5e25b3-28f2-4085-9012-c3fb754314d1", tokens[0].SecretID)
err = r.filterACL("acl-ro", &tokens)
err = filterACL(r, "acl-ro", &tokens)
require.NoError(t, err)
require.Equal(t, redactedToken, tokens[0].SecretID)
}