github
/
consul
mirror of https://github.com/hashicorp/consul
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #10798 from hashicorp/dnephin/backport-txn-authz-fix 

[1.10.x] acl: fix txn_endpoint to properly authorize service registrations
pull/10839/head
Daniel Nephin 2021-08-05 17:53:34 -04:00 committed by GitHub
parent fe1a2f5d9b f3718c70c1
commit 7720275679
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 8 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.changelog/10798.txt Normal file
View File

@ -0,0 +1,4 @@
```release-note:bug
txn: fixes Txn.Apply to properly authorize service registrations.
```

17
agent/consul/acl.go
View File

@ -2252,23 +2252,6 @@ func vetNodeTxnOp(op *structs.TxnNodeOp, rule acl.Authorizer) error {
return nil return nil
} }
// vetServiceTxnOp applies the given ACL policy to a service transaction operation.
func vetServiceTxnOp(op *structs.TxnServiceOp, rule acl.Authorizer) error {
// Fast path if ACLs are not enabled.
if rule == nil {
return nil
}
var authzContext acl.AuthorizerContext
op.FillAuthzContext(&authzContext)
if rule.ServiceWrite(op.Service.Service, &authzContext) != acl.Allow {
return acl.ErrPermissionDenied
}
return nil
}
// vetCheckTxnOp applies the given ACL policy to a check transaction operation. // vetCheckTxnOp applies the given ACL policy to a check transaction operation.
func vetCheckTxnOp(op *structs.TxnCheckOp, rule acl.Authorizer) error { func vetCheckTxnOp(op *structs.TxnCheckOp, rule acl.Authorizer) error {
// Fast path if ACLs are not enabled. // Fast path if ACLs are not enabled.

6
agent/consul/catalog_endpoint.go
View File

@ -85,7 +85,7 @@ func nodePreApply(nodeName, nodeID string) error {
return nil return nil
} }
func servicePreApply(service *structs.NodeService, authz acl.Authorizer) error { func servicePreApply(service *structs.NodeService, authz acl.Authorizer, authzCtxFill func(*acl.AuthorizerContext)) error {
// Validate the service. This is in addition to the below since // Validate the service. This is in addition to the below since
// the above just hasn't been moved over yet. We should move it over // the above just hasn't been moved over yet. We should move it over
// in time. // in time.
@ -110,7 +110,7 @@ func servicePreApply(service *structs.NodeService, authz acl.Authorizer) error {
} }
var authzContext acl.AuthorizerContext var authzContext acl.AuthorizerContext
service.FillAuthzContext(&authzContext) authzCtxFill(&authzContext)
// Apply the ACL policy if any. The 'consul' service is excluded // Apply the ACL policy if any. The 'consul' service is excluded
// since it is managed automatically internally (that behavior // since it is managed automatically internally (that behavior
@ -175,7 +175,7 @@ func (c *Catalog) Register(args *structs.RegisterRequest, reply *struct{}) error
// Handle a service registration. // Handle a service registration.
if args.Service != nil { if args.Service != nil {
if err := servicePreApply(args.Service, authz); err != nil { if err := servicePreApply(args.Service, authz, args.Service.FillAuthzContext); err != nil {
return err return err
} }
} }

13
agent/consul/txn_endpoint.go
View File

@ -81,18 +81,7 @@ func (t *Txn) preCheck(authorizer acl.Authorizer, ops structs.TxnOps) structs.Tx
} }
service := &op.Service.Service service := &op.Service.Service
// This is intentionally nil as we will authorize the request if err := servicePreApply(service, authorizer, op.Service.FillAuthzContext); err != nil {
// using vetServiceTxnOp next instead of doing it in servicePreApply
if err := servicePreApply(service, nil); err != nil {
errors = append(errors, &structs.TxnError{
OpIndex: i,
What: err.Error(),
})
break
}
// Check that the token has permissions for the given operation.
if err := vetServiceTxnOp(op.Service, authorizer); err != nil {
errors = append(errors, &structs.TxnError{ errors = append(errors, &structs.TxnError{
OpIndex: i, OpIndex: i,
What: err.Error(), What: err.Error(),