mirror of https://github.com/hashicorp/consul
add acl token (#20086)
parent
b8b8ad46fc
commit
a879dea377
|
@ -38,6 +38,14 @@ const (
|
||||||
// GRPCCAPathEnvName defines an environment variable name which sets the
|
// GRPCCAPathEnvName defines an environment variable name which sets the
|
||||||
// path to a directory of CA certs to use for talking to Consul gRPC over TLS.
|
// path to a directory of CA certs to use for talking to Consul gRPC over TLS.
|
||||||
GRPCCAPathEnvName = "CONSUL_GRPC_CAPATH"
|
GRPCCAPathEnvName = "CONSUL_GRPC_CAPATH"
|
||||||
|
|
||||||
|
// GRPCTokenEnvName defines an environment variable name which sets
|
||||||
|
// the GRPC token.
|
||||||
|
GRPCTokenEnvName = "CONSUL_GRPC_TOKEN"
|
||||||
|
|
||||||
|
// GRPCTokenFileEnvName defines an environment variable name which sets
|
||||||
|
// the GRPC token file.
|
||||||
|
GRPCTokenFileEnvName = "CONSUL_GRPC_TOKEN_FILE"
|
||||||
)
|
)
|
||||||
|
|
||||||
type GRPCConfig struct {
|
type GRPCConfig struct {
|
||||||
|
@ -67,6 +75,14 @@ type GRPCConfig struct {
|
||||||
// CAPath is the optional path to a directory of CA certificates to use for
|
// CAPath is the optional path to a directory of CA certificates to use for
|
||||||
// Consul communication, defaults to the system bundle if not specified.
|
// Consul communication, defaults to the system bundle if not specified.
|
||||||
CAPath string
|
CAPath string
|
||||||
|
|
||||||
|
// Token is used to provide a per-request ACL token
|
||||||
|
// which overrides the agent's default token.
|
||||||
|
Token string
|
||||||
|
|
||||||
|
// TokenFile is a file containing the current token to use for this client.
|
||||||
|
// If provided it is read once at startup and never again.
|
||||||
|
TokenFile string
|
||||||
}
|
}
|
||||||
|
|
||||||
func GetDefaultGRPCConfig() *GRPCConfig {
|
func GetDefaultGRPCConfig() *GRPCConfig {
|
||||||
|
@ -131,5 +147,13 @@ func loadEnvToDefaultConfig(config *GRPCConfig) (*GRPCConfig, error) {
|
||||||
config.CAPath = caPath
|
config.CAPath = caPath
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if token := os.Getenv(GRPCTokenEnvName); token != "" {
|
||||||
|
config.Token = token
|
||||||
|
}
|
||||||
|
|
||||||
|
if tokenFile := os.Getenv(GRPCTokenFileEnvName); tokenFile != "" {
|
||||||
|
config.TokenFile = tokenFile
|
||||||
|
}
|
||||||
|
|
||||||
return config, nil
|
return config, nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -27,6 +27,8 @@ func TestLoadGRPCConfig(t *testing.T) {
|
||||||
t.Setenv(GRPCClientKeyEnvName, "/path/to/client.key")
|
t.Setenv(GRPCClientKeyEnvName, "/path/to/client.key")
|
||||||
t.Setenv(GRPCCAFileEnvName, "/path/to/ca.crt")
|
t.Setenv(GRPCCAFileEnvName, "/path/to/ca.crt")
|
||||||
t.Setenv(GRPCCAPathEnvName, "/path/to/cacerts")
|
t.Setenv(GRPCCAPathEnvName, "/path/to/cacerts")
|
||||||
|
t.Setenv(GRPCTokenEnvName, "token")
|
||||||
|
t.Setenv(GRPCTokenFileEnvName, "/path/to/token/file")
|
||||||
|
|
||||||
// Load and validate the configuration
|
// Load and validate the configuration
|
||||||
config, err := LoadGRPCConfig(nil)
|
config, err := LoadGRPCConfig(nil)
|
||||||
|
@ -39,6 +41,8 @@ func TestLoadGRPCConfig(t *testing.T) {
|
||||||
KeyFile: "/path/to/client.key",
|
KeyFile: "/path/to/client.key",
|
||||||
CAFile: "/path/to/ca.crt",
|
CAFile: "/path/to/ca.crt",
|
||||||
CAPath: "/path/to/cacerts",
|
CAPath: "/path/to/cacerts",
|
||||||
|
Token: "token",
|
||||||
|
TokenFile: "/path/to/token/file",
|
||||||
}
|
}
|
||||||
assert.Equal(t, expectedConfig, config)
|
assert.Equal(t, expectedConfig, config)
|
||||||
})
|
})
|
||||||
|
|
|
@ -9,12 +9,14 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
type GRPCFlags struct {
|
type GRPCFlags struct {
|
||||||
address TValue[string]
|
address TValue[string]
|
||||||
grpcTLS TValue[bool]
|
grpcTLS TValue[bool]
|
||||||
certFile TValue[string]
|
certFile TValue[string]
|
||||||
keyFile TValue[string]
|
keyFile TValue[string]
|
||||||
caFile TValue[string]
|
caFile TValue[string]
|
||||||
caPath TValue[string]
|
caPath TValue[string]
|
||||||
|
token TValue[string]
|
||||||
|
tokenFile TValue[string]
|
||||||
}
|
}
|
||||||
|
|
||||||
// MergeFlagsIntoGRPCConfig merges flag values into grpc config
|
// MergeFlagsIntoGRPCConfig merges flag values into grpc config
|
||||||
|
@ -34,6 +36,8 @@ func (f *GRPCFlags) MergeFlagsIntoGRPCConfig(c *GRPCConfig) {
|
||||||
f.keyFile.Merge(&c.KeyFile)
|
f.keyFile.Merge(&c.KeyFile)
|
||||||
f.caFile.Merge(&c.CAFile)
|
f.caFile.Merge(&c.CAFile)
|
||||||
f.caPath.Merge(&c.CAPath)
|
f.caPath.Merge(&c.CAPath)
|
||||||
|
f.token.Merge(&c.Token)
|
||||||
|
f.tokenFile.Merge(&c.TokenFile)
|
||||||
}
|
}
|
||||||
|
|
||||||
// merge the client flags into command line flags then parse command line flags
|
// merge the client flags into command line flags then parse command line flags
|
||||||
|
@ -60,5 +64,13 @@ func (f *GRPCFlags) ClientFlags() *flag.FlagSet {
|
||||||
fs.Var(&f.caPath, "ca-path",
|
fs.Var(&f.caPath, "ca-path",
|
||||||
"Path to a directory of CA certificates to use for TLS when communicating "+
|
"Path to a directory of CA certificates to use for TLS when communicating "+
|
||||||
"with Consul. This can also be specified via the CONSUL_CAPATH environment variable.")
|
"with Consul. This can also be specified via the CONSUL_CAPATH environment variable.")
|
||||||
|
fs.Var(&f.token, "token",
|
||||||
|
"ACL token to use in the request. This can also be specified via the "+
|
||||||
|
"CONSUL_GRPC_TOKEN environment variable. If unspecified, the query will "+
|
||||||
|
"default to the token of the Consul agent at the GRPC address.")
|
||||||
|
fs.Var(&f.tokenFile, "token-file",
|
||||||
|
"File containing the ACL token to use in the request instead of one specified "+
|
||||||
|
"via the -token argument or CONSUL_GRPC_TOKEN environment variable. "+
|
||||||
|
"This can also be specified via the CONSUL_GRPC_TOKEN_FILE environment variable.")
|
||||||
return fs
|
return fs
|
||||||
}
|
}
|
||||||
|
|
|
@ -13,12 +13,14 @@ func TestMergeFlagsIntoGRPCConfig(t *testing.T) {
|
||||||
t.Run("MergeFlagsIntoGRPCConfig", func(t *testing.T) {
|
t.Run("MergeFlagsIntoGRPCConfig", func(t *testing.T) {
|
||||||
// Setup GRPCFlags with some flag values
|
// Setup GRPCFlags with some flag values
|
||||||
flags := &GRPCFlags{
|
flags := &GRPCFlags{
|
||||||
address: TValue[string]{v: stringPointer("https://example.com:8502")},
|
address: TValue[string]{v: stringPointer("https://example.com:8502")},
|
||||||
grpcTLS: TValue[bool]{v: boolPointer(true)},
|
grpcTLS: TValue[bool]{v: boolPointer(true)},
|
||||||
certFile: TValue[string]{v: stringPointer("/path/to/client.crt")},
|
certFile: TValue[string]{v: stringPointer("/path/to/client.crt")},
|
||||||
keyFile: TValue[string]{v: stringPointer("/path/to/client.key")},
|
keyFile: TValue[string]{v: stringPointer("/path/to/client.key")},
|
||||||
caFile: TValue[string]{v: stringPointer("/path/to/ca.crt")},
|
caFile: TValue[string]{v: stringPointer("/path/to/ca.crt")},
|
||||||
caPath: TValue[string]{v: stringPointer("/path/to/cacerts")},
|
caPath: TValue[string]{v: stringPointer("/path/to/cacerts")},
|
||||||
|
token: TValue[string]{v: stringPointer("token")},
|
||||||
|
tokenFile: TValue[string]{v: stringPointer("/path/to/token/file")},
|
||||||
}
|
}
|
||||||
|
|
||||||
// Setup GRPCConfig with some initial values
|
// Setup GRPCConfig with some initial values
|
||||||
|
@ -30,6 +32,8 @@ func TestMergeFlagsIntoGRPCConfig(t *testing.T) {
|
||||||
KeyFile: "/path/to/default/client.key",
|
KeyFile: "/path/to/default/client.key",
|
||||||
CAFile: "/path/to/default/ca.crt",
|
CAFile: "/path/to/default/ca.crt",
|
||||||
CAPath: "/path/to/default/cacerts",
|
CAPath: "/path/to/default/cacerts",
|
||||||
|
Token: "default-token",
|
||||||
|
TokenFile: "/path/to/default/token/file",
|
||||||
}
|
}
|
||||||
|
|
||||||
// Call MergeFlagsIntoGRPCConfig to merge flag values into the config
|
// Call MergeFlagsIntoGRPCConfig to merge flag values into the config
|
||||||
|
@ -44,6 +48,8 @@ func TestMergeFlagsIntoGRPCConfig(t *testing.T) {
|
||||||
KeyFile: "/path/to/client.key",
|
KeyFile: "/path/to/client.key",
|
||||||
CAFile: "/path/to/ca.crt",
|
CAFile: "/path/to/ca.crt",
|
||||||
CAPath: "/path/to/cacerts",
|
CAPath: "/path/to/cacerts",
|
||||||
|
Token: "token",
|
||||||
|
TokenFile: "/path/to/token/file",
|
||||||
}
|
}
|
||||||
|
|
||||||
assert.Equal(t, expectedConfig, config)
|
assert.Equal(t, expectedConfig, config)
|
||||||
|
|
Loading…
Reference in New Issue