Browse Source

Perform ACL check inside of blocking query.

pull/17241/head
Derek Menteer 2 years ago
parent
commit
ab3e904470
  1. 39
      agent/consul/health_endpoint.go

39
agent/consul/health_endpoint.go

@ -214,30 +214,10 @@ func (h *Health) ServiceNodes(args *structs.ServiceSpecificRequest, reply *struc
f = h.serviceNodesDefault f = h.serviceNodesDefault
} }
authzContext := acl.AuthorizerContext{
Peer: args.PeerName,
}
authz, err := h.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
if err != nil {
return err
}
if err := h.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil { if err := h.srv.validateEnterpriseRequest(&args.EnterpriseMeta, false); err != nil {
return err return err
} }
// If we're doing a connect or ingress query, we need read access to the service
// we're trying to find proxies for, so check that.
if args.Connect || args.Ingress {
// TODO(acl-error-enhancements) Look for ways to percolate this information up to give any feedback to the user.
if authz.ServiceRead(args.ServiceName, &authzContext) != acl.Allow {
// Just return nil, which will return an empty response (tested)
// We should be careful to set the index to prevent a busy loop from triggering.
reply.Index = 1
return nil
}
}
filter, err := bexpr.CreateFilter(args.Filter, nil, reply.Nodes) filter, err := bexpr.CreateFilter(args.Filter, nil, reply.Nodes)
if err != nil { if err != nil {
return err return err
@ -259,6 +239,25 @@ func (h *Health) ServiceNodes(args *structs.ServiceSpecificRequest, reply *struc
return err return err
} }
authzContext := acl.AuthorizerContext{
Peer: args.PeerName,
}
authz, err := h.srv.ResolveTokenAndDefaultMeta(args.Token, &args.EnterpriseMeta, &authzContext)
if err != nil {
return err
}
// If we're doing a connect or ingress query, we need read access to the service
// we're trying to find proxies for, so check that.
if args.Connect || args.Ingress {
// TODO(acl-error-enhancements) Look for ways to percolate this information up to give any feedback to the user.
if authz.ServiceRead(args.ServiceName, &authzContext) != acl.Allow {
// Return the index here so that the agent cache does not infinitely loop.
reply.Index = index
return nil
}
}
resolvedNodes := nodes resolvedNodes := nodes
if args.MergeCentralConfig { if args.MergeCentralConfig {
for _, node := range resolvedNodes { for _, node := range resolvedNodes {

Loading…
Cancel
Save