diff --git a/consul/prepared_query_endpoint.go b/consul/prepared_query_endpoint.go index 7fc9ac86f5..c3f027136e 100644 --- a/consul/prepared_query_endpoint.go +++ b/consul/prepared_query_endpoint.go @@ -134,7 +134,13 @@ func parseQuery(query *structs.PreparedQuery) error { // transaction. Otherwise, people could "steal" queries that they don't // have proper ACL rights to change. // - Session is optional and checked for integrity during the transaction. - // - Token is checked when a query is executed. + + // Token is checked when the query is executed, but we do make sure the + // user hasn't accidentally pasted-in the special redacted token name, + // which if we allowed in would be super hard to debug and understand. + if query.Token == redactedToken { + return fmt.Errorf("Bad Token '%s', it looks like a query definition with a redacted token was submitted", query.Token) + } // Parse the service query sub-structure. if err := parseService(&query.Service); err != nil { diff --git a/consul/prepared_query_endpoint_test.go b/consul/prepared_query_endpoint_test.go index 16c37cb54f..a6c37ce880 100644 --- a/consul/prepared_query_endpoint_test.go +++ b/consul/prepared_query_endpoint_test.go @@ -539,6 +539,17 @@ func TestPreparedQuery_parseQuery(t *testing.T) { t.Fatalf("err: %v", err) } + query.Token = redactedToken + err = parseQuery(query) + if err == nil || !strings.Contains(err.Error(), "Bad Token") { + t.Fatalf("bad: %v", err) + } + + query.Token = "adf4238a-882b-9ddc-4a9d-5b6758e4159e" + if err := parseQuery(query); err != nil { + t.Fatalf("err: %v", err) + } + query.Service.Failover.NearestN = -1 err = parseQuery(query) if err == nil || !strings.Contains(err.Error(), "Bad NearestN") { diff --git a/website/source/docs/agent/http/query.html.markdown b/website/source/docs/agent/http/query.html.markdown index 3140e8f975..07ed2d9feb 100644 --- a/website/source/docs/agent/http/query.html.markdown +++ b/website/source/docs/agent/http/query.html.markdown @@ -167,8 +167,8 @@ queries and all consistency modes. If ACLs are enabled, then the client will only see prepared queries for which their token has `query` read privileges. A management token will be able to see all -prepared queries. Tokens will be displayed as `` unless a management token is -used. +prepared queries. Tokens will be redacted and displayed as `` unless a +management token is used. This returns a JSON list of prepared queries, which looks like: @@ -233,8 +233,8 @@ status code will be returned. If ACLs are enabled, then the client will only see prepared queries for which their token has `query` read privileges. A management token will be able to see all -prepared queries. Tokens will be displayed as `` unless a management token is -used. +prepared queries. Tokens will be redacted and displayed as `` unless a +management token is used. #### DELETE Method