consul: check ACLs when firing events

consul/internal_endpoint.go

@@ -57,6 +57,17 @@ func (m *Internal) EventFire(args *structs.EventFireRequest,
 		return err
 	}
 
+	// Check ACLs
+	acl, err := m.srv.resolveToken(args.Token)
+	if err != nil {
+		return err
+	}
+
+	if acl != nil && !acl.EventWrite(args.Name) {
+		m.srv.logger.Printf("[WARN] consul: user event %q blocked by ACLs", args.Name)
+		return permissionDeniedErr
+	}
+
 	// Set the query meta data
 	m.srv.setQueryMeta(&reply.QueryMeta)
 

consul/internal_endpoint_test.go

@@ -325,3 +325,37 @@ func TestInternal_NodeDump_FilterACL(t *testing.T) {
 		}
 	}
 }
+
+func TestInternal_EventFire_Token(t *testing.T) {
+	dir, srv := testServerWithConfig(t, func(c *Config) {
+		c.ACLDatacenter = "dc1"
+		c.ACLMasterToken = "root"
+		c.ACLDownPolicy = "deny"
+		c.ACLDefaultPolicy = "deny"
+	})
+	defer os.RemoveAll(dir)
+	defer srv.Shutdown()
+
+	client := rpcClient(t, srv)
+	defer client.Close()
+
+	testutil.WaitForLeader(t, client.Call, "dc1")
+
+	// No token is rejected
+	event := structs.EventFireRequest{
+		Name:       "foo",
+		Datacenter: "dc1",
+		Payload:    []byte("nope"),
+	}
+	err := client.Call("Internal.EventFire", &event, nil)
+	if err == nil || err.Error() != permissionDenied {
+		t.Fatalf("bad: %s", err)
+	}
+
+	// Root token is allowed to fire
+	event.Token = "root"
+	err = client.Call("Internal.EventFire", &event, nil)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+}