consul: check ACLs when firing events

pull/1046/head
Ryan Uber 2015-06-17 18:57:17 -07:00
parent 0c624350eb
commit d777105c11
2 changed files with 45 additions and 0 deletions

View File

@ -57,6 +57,17 @@ func (m *Internal) EventFire(args *structs.EventFireRequest,
return err
}
// Check ACLs
acl, err := m.srv.resolveToken(args.Token)
if err != nil {
return err
}
if acl != nil && !acl.EventWrite(args.Name) {
m.srv.logger.Printf("[WARN] consul: user event %q blocked by ACLs", args.Name)
return permissionDeniedErr
}
// Set the query meta data
m.srv.setQueryMeta(&reply.QueryMeta)

View File

@ -325,3 +325,37 @@ func TestInternal_NodeDump_FilterACL(t *testing.T) {
}
}
}
func TestInternal_EventFire_Token(t *testing.T) {
dir, srv := testServerWithConfig(t, func(c *Config) {
c.ACLDatacenter = "dc1"
c.ACLMasterToken = "root"
c.ACLDownPolicy = "deny"
c.ACLDefaultPolicy = "deny"
})
defer os.RemoveAll(dir)
defer srv.Shutdown()
client := rpcClient(t, srv)
defer client.Close()
testutil.WaitForLeader(t, client.Call, "dc1")
// No token is rejected
event := structs.EventFireRequest{
Name: "foo",
Datacenter: "dc1",
Payload: []byte("nope"),
}
err := client.Call("Internal.EventFire", &event, nil)
if err == nil || err.Error() != permissionDenied {
t.Fatalf("bad: %s", err)
}
// Root token is allowed to fire
event.Token = "root"
err = client.Call("Internal.EventFire", &event, nil)
if err != nil {
t.Fatalf("err: %s", err)
}
}