Merge pull request #12250 from hashicorp/dnephin/acl-resolver-safer-identity

acl: un-embed ACLIdentity
pull/11783/head
Daniel Nephin 2022-02-02 13:10:35 -05:00 committed by GitHub
commit 2ef26f48b8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 18 additions and 8 deletions


@ -39,6 +39,12 @@ type TestACLAgent struct {
func NewTestACLAgent(t *testing.T, name string, hcl string, resolveAuthz authzResolver, resolveIdent identResolver) *TestACLAgent { func NewTestACLAgent(t *testing.T, name string, hcl string, resolveAuthz authzResolver, resolveIdent identResolver) *TestACLAgent {
t.Helper() t.Helper()
if resolveIdent == nil {
resolveIdent = func(s string) (structs.ACLIdentity, error) {
return nil, nil
}
}
a := &TestACLAgent{resolveAuthzFn: resolveAuthz, resolveIdentFn: resolveIdent} a := &TestACLAgent{resolveAuthzFn: resolveAuthz, resolveIdentFn: resolveIdent}
dataDir := testutil.TempDir(t, "acl-agent") dataDir := testutil.TempDir(t, "acl-agent")
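Review bot: The default resolveIdent installed at lines 16-20 resolves every token to a nil identity with a nil error, and nothing in the hunk says this is deliberate, so a reader can mistake it for an oversight; a one-line comment would fix that, e.g. `// Default: every token resolves to no identity (nil, nil); tests that need one pass their own resolver.` The unused closure parameter could also be spelled `_` to match that intent. NewTestACLAgent's body continues past the end of the hunk.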


@ -1120,7 +1120,7 @@ func (r *ACLResolver) ResolveToken(token string) (ACLResolveResult, error) {
type ACLResolveResult struct { type ACLResolveResult struct {
acl.Authorizer acl.Authorizer
// TODO: likely we can reduce this interface // TODO: likely we can reduce this interface
structs.ACLIdentity ACLIdentity structs.ACLIdentity
} }
func (a ACLResolveResult) AccessorID() string { func (a ACLResolveResult) AccessorID() string {
@ -1130,6 +1130,10 @@ func (a ACLResolveResult) AccessorID() string {
return a.ACLIdentity.ID() return a.ACLIdentity.ID()
} }
func (a ACLResolveResult) Identity() structs.ACLIdentity {
return a.ACLIdentity
}
func (r *ACLResolver) ACLsEnabled() bool { func (r *ACLResolver) ACLsEnabled() bool {
// Whether we desire ACLs to be enabled according to configuration // Whether we desire ACLs to be enabled according to configuration
if !r.config.ACLsEnabled { if !r.config.ACLsEnabled {
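Review bot: The new exported method Identity on ACLResolveResult (lines 36-38) has no doc comment, and since un-embedding the field is the whole point of this change the contract deserves stating: `// Identity returns the ACLIdentity resolved for the token. It may be nil when the resolver produced no identity, so callers must check before dereferencing it.` The nil case is real on this page — the test agent's default resolver returns (nil, nil). Whether AccessorID guards against a nil identity before calling a.ACLIdentity.ID() is not visible here, as its body is cut between the two hunks.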


@ -437,7 +437,7 @@ func (m *Internal) KeyringOperation(
if err != nil { if err != nil {
return err return err
} }
if err := m.srv.validateEnterpriseToken(authz.ACLIdentity); err != nil { if err := m.srv.validateEnterpriseToken(authz.Identity()); err != nil {
return err return err
} }
switch args.Operation { switch args.Operation {
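Review bot: authz.Identity() is passed straight into m.srv.validateEnterpriseToken (line 49) with no nil check, and the same pattern appears at every call site in the two following file sections (lines 60, 68, 76, 84, 95 and 103); the test agent on this page shows a resolver that legitimately returns a nil identity, so whether this is safe depends on validateEnterpriseToken tolerating nil, which is not visible here. If it does, a short comment on that helper saying so would make these seven call sites obviously correct; if it does not, the nil check belongs inside the helper rather than repeated at each caller. KeyringOperation starts and ends outside the hunk.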


@ -21,7 +21,7 @@ func (op *Operator) AutopilotGetConfiguration(args *structs.DCSpecificRequest, r
if err != nil { if err != nil {
return err return err
} }
if err := op.srv.validateEnterpriseToken(authz.ACLIdentity); err != nil { if err := op.srv.validateEnterpriseToken(authz.Identity()); err != nil {
return err return err
} }
if authz.OperatorRead(nil) != acl.Allow { if authz.OperatorRead(nil) != acl.Allow {
@ -53,7 +53,7 @@ func (op *Operator) AutopilotSetConfiguration(args *structs.AutopilotSetConfigRe
if err != nil { if err != nil {
return err return err
} }
if err := op.srv.validateEnterpriseToken(authz.ACLIdentity); err != nil { if err := op.srv.validateEnterpriseToken(authz.Identity()); err != nil {
return err return err
} }
if authz.OperatorWrite(nil) != acl.Allow { if authz.OperatorWrite(nil) != acl.Allow {
@ -88,7 +88,7 @@ func (op *Operator) ServerHealth(args *structs.DCSpecificRequest, reply *structs
if err != nil { if err != nil {
return err return err
} }
if err := op.srv.validateEnterpriseToken(authz.ACLIdentity); err != nil { if err := op.srv.validateEnterpriseToken(authz.Identity()); err != nil {
return err return err
} }
if authz.OperatorRead(nil) != acl.Allow { if authz.OperatorRead(nil) != acl.Allow {
@ -155,7 +155,7 @@ func (op *Operator) AutopilotState(args *structs.DCSpecificRequest, reply *autop
if err != nil { if err != nil {
return err return err
} }
if err := op.srv.validateEnterpriseToken(authz.ACLIdentity); err != nil { if err := op.srv.validateEnterpriseToken(authz.Identity()); err != nil {
return err return err
} }
if authz.OperatorRead(nil) != acl.Allow { if authz.OperatorRead(nil) != acl.Allow {


@ -85,7 +85,7 @@ func (op *Operator) RaftRemovePeerByAddress(args *structs.RaftRemovePeerRequest,
if err != nil { if err != nil {
return err return err
} }
if err := op.srv.validateEnterpriseToken(authz.ACLIdentity); err != nil { if err := op.srv.validateEnterpriseToken(authz.Identity()); err != nil {
return err return err
} }
if authz.OperatorWrite(nil) != acl.Allow { if authz.OperatorWrite(nil) != acl.Allow {
@ -138,7 +138,7 @@ func (op *Operator) RaftRemovePeerByID(args *structs.RaftRemovePeerRequest, repl
if err != nil { if err != nil {
return err return err
} }
if err := op.srv.validateEnterpriseToken(authz.ACLIdentity); err != nil { if err := op.srv.validateEnterpriseToken(authz.Identity()); err != nil {
return err return err
} }
if authz.OperatorWrite(nil) != acl.Allow { if authz.OperatorWrite(nil) != acl.Allow {