diff --git a/agent/agent_endpoint.go b/agent/agent_endpoint.go
index 6c81e56375..30d93e8161 100644
--- a/agent/agent_endpoint.go
+++ b/agent/agent_endpoint.go
@@ -623,6 +623,12 @@ func (s *HTTPServer) AgentRegisterService(resp http.ResponseWriter, req *http.Re
 return nil, nil
 }
 
+ // If we have a proxy, verify that we're allowed to add a proxy via the API
+ if proxy != nil && !s.agent.config.ConnectProxyAllowManagedAPIRegistration {
+ return nil, &BadRequestError{
+ Reason: "Managed proxy registration via the API is disallowed."}
+ }
+
 // Add the service.
 if err := s.agent.AddService(ns, chkTypes, true, token); err != nil {
 return nil, err
diff --git a/agent/agent_endpoint_test.go b/agent/agent_endpoint_test.go
index 3d9301f5e4..e8adf4c0ba 100644
--- a/agent/agent_endpoint_test.go
+++ b/agent/agent_endpoint_test.go
@@ -1396,7 +1396,13 @@ func TestAgent_RegisterService_ManagedConnectProxy(t *testing.T) {
 assert := assert.New(t)
 require := require.New(t)
 
- a := NewTestAgent(t.Name(), "")
+ a := NewTestAgent(t.Name(), `
+ connect {
+ proxy {
+ allow_managed_api_registration = true
+ }
+ }
+ `)
 defer a.Shutdown()
 
 // Register a proxy. Note that the destination doesn't exist here on
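Review bot: The added gate is a security boundary rather than input validation — a managed proxy registration carries an `ExecMode` and `Command` (see the test payload in agent_endpoint_test.go) that the agent presumably executes on its own host — so the comment should say why the check exists and why it must stay ahead of `AddService`, e.g. `// Managed proxies run a caller-supplied command on this host; refuse them unless the operator opted in via config, and do so before any local state is mutated.` The `Reason` string could also name the switch so an operator hitting the 400 knows how to enable it: `Reason: "Managed proxy registration via the API is disallowed; enable connect.proxy.allow_managed_api_registration to permit it."`. Since the refusal is an operator policy decision and not a malformed request, a 403 may be the more accurate status if the server has such an error type. `AgentRegisterService` and the derivation of `proxy` begin outside the hunk.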
@@ -1447,6 +1453,42 @@ func TestAgent_RegisterService_ManagedConnectProxy(t *testing.T) {
 assert.Equal("abc123", a.State.ServiceToken("web-proxy"))
 }
 
+// This tests local agent service registration with a managed proxy with
+// API registration disabled (default).
+func TestAgent_RegisterService_ManagedConnectProxy_Disabled(t *testing.T) {
+ t.Parallel()
+
+ assert := assert.New(t)
+ a := NewTestAgent(t.Name(), ``)
+ defer a.Shutdown()
+
+ // Register a proxy. Note that the destination doesn't exist here on
+ // this agent or in the catalog at all. This is intended and part
+ // of the design.
+ args := &api.AgentServiceRegistration{
+ Name: "web",
+ Port: 8000,
+ Connect: &api.AgentServiceConnect{
+ Proxy: &api.AgentServiceConnectProxy{
+ ExecMode: "script",
+ Command: []string{"proxy.sh"},
+ Config: map[string]interface{}{
+ "foo": "bar",
+ },
+ },
+ },
+ }
+
+ req, _ := http.NewRequest("PUT", "/v1/agent/service/register?token=abc123", jsonReader(args))
+ resp := httptest.NewRecorder()
+ _, err := a.srv.AgentRegisterService(resp, req)
+ assert.Error(err)
+
+ // Ensure the target service does not exist
+ _, ok := a.State.Services()["web"]
+ assert.False(ok, "does not has service")
+}
+
 // This tests local agent service registration of a unmanaged connect proxy.
 // This verifies that it is put in the local state store properly for syncing
 // later. Note that _managed_ connect proxies are registered as part of the
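Review bot: `assert.Error(err)` accepts any failure, so this test would still pass if registration were refused for an unrelated reason (ACL, validation) rather than by the new config gate; pin the error to the gate, e.g. `assert.IsType(&BadRequestError{}, err)` after the error check, or `assert.Contains(err.Error(), "disallowed")`. The negative check covers only `"web"`; since the enabled-path test above inspects `"web-proxy"`, also assert `_, ok = a.State.Services()["web-proxy"]; assert.False(ok, "proxy must not be registered")` so a partial registration of the proxy alone is caught. The assertion message `"does not has service"` should read `"does not have service"`. The new test function is complete within the hunk.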