Merge pull request #10218 from hashicorp/dnephin/backport-local-agent-fix

[1.9.x] agent/local: do not persist the agent or user token
This commit is contained in:
Daniel Nephin 2021-05-12 13:19:29 -04:00 committed by GitHub
commit ff6d4c75b4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 82 additions and 70 deletions

3
.changelog/10188.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:bug
local: agents will no longer persist the default user token along with a service or check.
```

View File

@ -227,25 +227,25 @@ func (l *State) SetDiscardCheckOutput(b bool) {
l.discardCheckOutput.Store(b) l.discardCheckOutput.Store(b)
} }
// ServiceToken returns the configured ACL token for the given // ServiceToken returns the ACL token associated with the service. If the service is
// service ID. If none is present, the agent's token is returned. // not found, or does not have a token, the empty string is returned.
func (l *State) ServiceToken(id structs.ServiceID) string { func (l *State) ServiceToken(id structs.ServiceID) string {
l.RLock() l.RLock()
defer l.RUnlock() defer l.RUnlock()
return l.serviceToken(id) if s := l.services[id]; s != nil {
return s.Token
}
return ""
} }
// serviceToken returns an ACL token associated with a service. // aclTokenForServiceSync returns an ACL token associated with a service. If there is
// no ACL token associated with the service, fallback is used to return a value.
// This method is not synchronized and the lock must already be held. // This method is not synchronized and the lock must already be held.
func (l *State) serviceToken(id structs.ServiceID) string { func (l *State) aclTokenForServiceSync(id structs.ServiceID, fallback func() string) string {
var token string if s := l.services[id]; s != nil && s.Token != "" {
if s := l.services[id]; s != nil { return s.Token
token = s.Token
} }
if token == "" { return fallback()
token = l.tokens.AgentToken()
}
return token
} }
// AddService is used to add a service entry to the local state. // AddService is used to add a service entry to the local state.
@ -440,26 +440,25 @@ func (l *State) ServiceStates(entMeta *structs.EnterpriseMeta) map[structs.Servi
return m return m
} }
// CheckToken is used to return the configured health check token for a // CheckToken returns the ACL token associated with the check. If the check is
// Check, or if none is configured, the default agent ACL token. // not found, or does not have a token, the empty string is returned.
func (l *State) CheckToken(checkID structs.CheckID) string { func (l *State) CheckToken(id structs.CheckID) string {
l.RLock() l.RLock()
defer l.RUnlock() defer l.RUnlock()
return l.checkToken(checkID) if c := l.checks[id]; c != nil {
return c.Token
}
return ""
} }
// checkToken returns an ACL token associated with a check. // aclTokenForCheckSync returns an ACL token associated with a check. If there is
// no ACL token associated with the check, the callback is used to return a value.
// This method is not synchronized and the lock must already be held. // This method is not synchronized and the lock must already be held.
func (l *State) checkToken(id structs.CheckID) string { func (l *State) aclTokenForCheckSync(id structs.CheckID, fallback func() string) string {
var token string if c := l.checks[id]; c != nil && c.Token != "" {
c := l.checks[id] return c.Token
if c != nil {
token = c.Token
} }
if token == "" { return fallback()
token = l.tokens.AgentToken()
}
return token
} }
// AddCheck is used to add a health check to the local state. // AddCheck is used to add a health check to the local state.
@ -1132,8 +1131,7 @@ func (l *State) deleteService(key structs.ServiceID) error {
return fmt.Errorf("ServiceID missing") return fmt.Errorf("ServiceID missing")
} }
st := l.serviceToken(key) st := l.aclTokenForServiceSync(key, l.tokens.AgentToken)
req := structs.DeregisterRequest{ req := structs.DeregisterRequest{
Datacenter: l.config.Datacenter, Datacenter: l.config.Datacenter,
Node: l.config.NodeName, Node: l.config.NodeName,
@ -1182,7 +1180,7 @@ func (l *State) deleteCheck(key structs.CheckID) error {
return fmt.Errorf("CheckID missing") return fmt.Errorf("CheckID missing")
} }
ct := l.checkToken(key) ct := l.aclTokenForCheckSync(key, l.tokens.AgentToken)
req := structs.DeregisterRequest{ req := structs.DeregisterRequest{
Datacenter: l.config.Datacenter, Datacenter: l.config.Datacenter,
Node: l.config.NodeName, Node: l.config.NodeName,
@ -1226,7 +1224,7 @@ func (l *State) pruneCheck(id structs.CheckID) {
// syncService is used to sync a service to the server // syncService is used to sync a service to the server
func (l *State) syncService(key structs.ServiceID) error { func (l *State) syncService(key structs.ServiceID) error {
st := l.serviceToken(key) st := l.aclTokenForServiceSync(key, l.tokens.UserToken)
// If the service has associated checks that are out of sync, // If the service has associated checks that are out of sync,
// piggyback them on the service sync so they are part of the // piggyback them on the service sync so they are part of the
@ -1242,7 +1240,7 @@ func (l *State) syncService(key structs.ServiceID) error {
if !key.Matches(c.Check.CompoundServiceID()) { if !key.Matches(c.Check.CompoundServiceID()) {
continue continue
} }
if st != l.checkToken(checkKey) { if st != l.aclTokenForCheckSync(checkKey, l.tokens.UserToken) {
continue continue
} }
checks = append(checks, c.Check) checks = append(checks, c.Check)
@ -1308,7 +1306,7 @@ func (l *State) syncService(key structs.ServiceID) error {
// syncCheck is used to sync a check to the server // syncCheck is used to sync a check to the server
func (l *State) syncCheck(key structs.CheckID) error { func (l *State) syncCheck(key structs.CheckID) error {
c := l.checks[key] c := l.checks[key]
ct := l.checkToken(key) ct := l.aclTokenForCheckSync(key, l.tokens.UserToken)
req := structs.RegisterRequest{ req := structs.RegisterRequest{
Datacenter: l.config.Datacenter, Datacenter: l.config.Datacenter,
ID: l.config.NodeID, ID: l.config.NodeID,

View File

@ -1720,61 +1720,72 @@ func TestAgentAntiEntropy_NodeInfo(t *testing.T) {
} }
} }
func TestAgent_ServiceTokens(t *testing.T) { func TestState_ServiceTokens(t *testing.T) {
t.Parallel()
tokens := new(token.Store) tokens := new(token.Store)
tokens.UpdateUserToken("default", token.TokenSourceConfig)
cfg := config.DefaultRuntimeConfig(`bind_addr = "127.0.0.1" data_dir = "dummy"`) cfg := config.DefaultRuntimeConfig(`bind_addr = "127.0.0.1" data_dir = "dummy"`)
l := local.NewState(agent.LocalConfig(cfg), nil, tokens) l := local.NewState(agent.LocalConfig(cfg), nil, tokens)
l.TriggerSyncChanges = func() {} l.TriggerSyncChanges = func() {}
l.AddService(&structs.NodeService{ID: "redis"}, "") id := structs.NewServiceID("redis", nil)
// Returns default when no token is set t.Run("defaults to empty string", func(t *testing.T) {
if token := l.ServiceToken(structs.NewServiceID("redis", nil)); token != "default" { require.Equal(t, "", l.ServiceToken(id))
t.Fatalf("bad: %s", token) })
}
// Returns configured token t.Run("empty string when there is no token", func(t *testing.T) {
l.AddService(&structs.NodeService{ID: "redis"}, "abc123") err := l.AddService(&structs.NodeService{ID: "redis"}, "")
if token := l.ServiceToken(structs.NewServiceID("redis", nil)); token != "abc123" { require.NoError(t, err)
t.Fatalf("bad: %s", token)
}
// Keeps token around for the delete require.Equal(t, "", l.ServiceToken(id))
l.RemoveService(structs.NewServiceID("redis", nil)) })
if token := l.ServiceToken(structs.NewServiceID("redis", nil)); token != "abc123" {
t.Fatalf("bad: %s", token) t.Run("returns configured token", func(t *testing.T) {
} err := l.AddService(&structs.NodeService{ID: "redis"}, "abc123")
require.NoError(t, err)
require.Equal(t, "abc123", l.ServiceToken(id))
})
t.Run("RemoveCheck keeps token around for the delete", func(t *testing.T) {
err := l.RemoveService(structs.NewServiceID("redis", nil))
require.NoError(t, err)
require.Equal(t, "abc123", l.ServiceToken(id))
})
} }
func TestAgent_CheckTokens(t *testing.T) { func TestState_CheckTokens(t *testing.T) {
t.Parallel()
tokens := new(token.Store) tokens := new(token.Store)
tokens.UpdateUserToken("default", token.TokenSourceConfig)
cfg := config.DefaultRuntimeConfig(`bind_addr = "127.0.0.1" data_dir = "dummy"`) cfg := config.DefaultRuntimeConfig(`bind_addr = "127.0.0.1" data_dir = "dummy"`)
l := local.NewState(agent.LocalConfig(cfg), nil, tokens) l := local.NewState(agent.LocalConfig(cfg), nil, tokens)
l.TriggerSyncChanges = func() {} l.TriggerSyncChanges = func() {}
// Returns default when no token is set id := structs.NewCheckID("mem", nil)
l.AddCheck(&structs.HealthCheck{CheckID: types.CheckID("mem")}, "")
if token := l.CheckToken(structs.NewCheckID("mem", nil)); token != "default" {
t.Fatalf("bad: %s", token)
}
// Returns configured token t.Run("defaults to empty string", func(t *testing.T) {
l.AddCheck(&structs.HealthCheck{CheckID: types.CheckID("mem")}, "abc123") require.Equal(t, "", l.CheckToken(id))
if token := l.CheckToken(structs.NewCheckID("mem", nil)); token != "abc123" { })
t.Fatalf("bad: %s", token)
}
// Keeps token around for the delete t.Run("empty string when there is no token", func(t *testing.T) {
l.RemoveCheck(structs.NewCheckID("mem", nil)) err := l.AddCheck(&structs.HealthCheck{CheckID: "mem"}, "")
if token := l.CheckToken(structs.NewCheckID("mem", nil)); token != "abc123" { require.NoError(t, err)
t.Fatalf("bad: %s", token)
} require.Equal(t, "", l.CheckToken(id))
})
t.Run("returns configured token", func(t *testing.T) {
err := l.AddCheck(&structs.HealthCheck{CheckID: "mem"}, "abc123")
require.NoError(t, err)
require.Equal(t, "abc123", l.CheckToken(id))
})
t.Run("RemoveCheck keeps token around for the delete", func(t *testing.T) {
err := l.RemoveCheck(structs.NewCheckID("mem", nil))
require.NoError(t, err)
require.Equal(t, "abc123", l.CheckToken(id))
})
} }
func TestAgent_CheckCriticalTime(t *testing.T) { func TestAgent_CheckCriticalTime(t *testing.T) {