mirror of https://github.com/hashicorp/consul
consul: check ACLs when firing events
parent
0c624350eb
commit
d777105c11
|
@ -57,6 +57,17 @@ func (m *Internal) EventFire(args *structs.EventFireRequest,
|
|||
return err
|
||||
}
|
||||
|
||||
// Check ACLs
|
||||
acl, err := m.srv.resolveToken(args.Token)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if acl != nil && !acl.EventWrite(args.Name) {
|
||||
m.srv.logger.Printf("[WARN] consul: user event %q blocked by ACLs", args.Name)
|
||||
return permissionDeniedErr
|
||||
}
|
||||
|
||||
// Set the query meta data
|
||||
m.srv.setQueryMeta(&reply.QueryMeta)
|
||||
|
||||
|
|
|
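Review bot: The `acl != nil` guard in front of `acl.EventWrite(args.Name)` lets the request through whenever `resolveToken` returns a nil ACL with a nil error, and the `// Check ACLs` comment does not say when that happens. If nil is meant to signal only that ACL enforcement is disabled (an inference, since `resolveToken` is outside this hunk), say so at the check, for example `// A nil ACL means enforcement is disabled; otherwise the token must have event write on args.Name.` That way a later change to `resolveToken` cannot silently turn this branch into a fail-open path. EventFire's body starts and ends outside the hunk.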
@ -325,3 +325,37 @@ func TestInternal_NodeDump_FilterACL(t *testing.T) {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestInternal_EventFire_Token(t *testing.T) {
|
||||
dir, srv := testServerWithConfig(t, func(c *Config) {
|
||||
c.ACLDatacenter = "dc1"
|
||||
c.ACLMasterToken = "root"
|
||||
c.ACLDownPolicy = "deny"
|
||||
c.ACLDefaultPolicy = "deny"
|
||||
})
|
||||
defer os.RemoveAll(dir)
|
||||
defer srv.Shutdown()
|
||||
|
||||
client := rpcClient(t, srv)
|
||||
defer client.Close()
|
||||
|
||||
testutil.WaitForLeader(t, client.Call, "dc1")
|
||||
|
||||
// No token is rejected
|
||||
event := structs.EventFireRequest{
|
||||
Name: "foo",
|
||||
Datacenter: "dc1",
|
||||
Payload: []byte("nope"),
|
||||
}
|
||||
err := client.Call("Internal.EventFire", &event, nil)
|
||||
if err == nil || err.Error() != permissionDenied {
|
||||
t.Fatalf("bad: %s", err)
|
||||
}
|
||||
|
||||
// Root token is allowed to fire
|
||||
event.Token = "root"
|
||||
err = client.Call("Internal.EventFire", &event, nil)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
}
|
||||
|
|
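Review bot: Both cases in `TestInternal_EventFire_Token` would still pass if `EventWrite` ignored the event name. The tokenless request is rejected under `c.ACLDefaultPolicy = "deny"`, and `root` is the configured master token, which presumably is allowed everything. A third case would pin the per-name decision the endpoint now relies on: use a client token whose rules grant event write for one name but not another, and assert `permissionDenied` for the second name. Separately, `t.Fatalf("bad: %s", err)` formats a nil error poorly if the first call unexpectedly succeeds; `t.Fatalf("bad: %v", err)` reads better.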