|
|
@ -433,7 +433,8 @@ func (s *Intention) Get(args *structs.IntentionQueryRequest, reply *structs.Inde |
|
|
|
|
|
|
|
|
|
|
|
// Get the ACL token for the request for the checks below.
|
|
|
|
// Get the ACL token for the request for the checks below.
|
|
|
|
var entMeta structs.EnterpriseMeta |
|
|
|
var entMeta structs.EnterpriseMeta |
|
|
|
if _, err := s.srv.ResolveTokenAndDefaultMeta(args.Token, &entMeta, nil); err != nil { |
|
|
|
authz, err := s.srv.ResolveTokenAndDefaultMeta(args.Token, &entMeta, nil) |
|
|
|
|
|
|
|
if err != nil { |
|
|
|
return err |
|
|
|
return err |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
@ -480,13 +481,11 @@ func (s *Intention) Get(args *structs.IntentionQueryRequest, reply *structs.Inde |
|
|
|
reply.Intentions = structs.Intentions{ixn} |
|
|
|
reply.Intentions = structs.Intentions{ixn} |
|
|
|
|
|
|
|
|
|
|
|
// Filter
|
|
|
|
// Filter
|
|
|
|
if err := s.srv.filterACL(args.Token, reply); err != nil { |
|
|
|
s.srv.filterACLWithAuthorizer(authz, reply) |
|
|
|
return err |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// If ACLs prevented any responses, error
|
|
|
|
// If ACLs prevented any responses, error
|
|
|
|
if len(reply.Intentions) == 0 { |
|
|
|
if len(reply.Intentions) == 0 { |
|
|
|
accessorID := s.aclAccessorID(args.Token) |
|
|
|
accessorID := authz.AccessorID() |
|
|
|
// todo(kit) Migrate intention access denial logging over to audit logging when we implement it
|
|
|
|
// todo(kit) Migrate intention access denial logging over to audit logging when we implement it
|
|
|
|
s.logger.Warn("Request to get intention denied due to ACLs", "intention", args.IntentionID, "accessorID", accessorID) |
|
|
|
s.logger.Warn("Request to get intention denied due to ACLs", "intention", args.IntentionID, "accessorID", accessorID) |
|
|
|
return acl.ErrPermissionDenied |
|
|
|
return acl.ErrPermissionDenied |
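Review bot: The result of `s.srv.filterACLWithAuthorizer(authz, reply)` is discarded where the old `filterACL` call's error was propagated; if that method still has an error return, a failure inside the filter would be silently dropped and execution would fall through to the denial check below, which only errors when `reply.Intentions` is empty. If `filterACLWithAuthorizer` has no error return this is fine, but that cannot be seen from the hunk, so either keep the check as `if err := s.srv.filterACLWithAuthorizer(authz, reply); err != nil { return err }` or add a one-line comment such as `// filterACLWithAuthorizer cannot fail; the caller has already resolved authz` so the dropped error handling reads as intentional. The same call-site pattern is worth confirming in Match and Check if they use it outside the visible hunks. The enclosing Get method starts and ends outside this hunk.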
|
|
@ -619,7 +618,7 @@ func (s *Intention) Match(args *structs.IntentionQueryRequest, reply *structs.In |
|
|
|
for _, entry := range args.Match.Entries { |
|
|
|
for _, entry := range args.Match.Entries { |
|
|
|
entry.FillAuthzContext(&authzContext) |
|
|
|
entry.FillAuthzContext(&authzContext) |
|
|
|
if prefix := entry.Name; prefix != "" && authz.IntentionRead(prefix, &authzContext) != acl.Allow { |
|
|
|
if prefix := entry.Name; prefix != "" && authz.IntentionRead(prefix, &authzContext) != acl.Allow { |
|
|
|
accessorID := s.aclAccessorID(args.Token) |
|
|
|
accessorID := authz.AccessorID() |
|
|
|
// todo(kit) Migrate intention access denial logging over to audit logging when we implement it
|
|
|
|
// todo(kit) Migrate intention access denial logging over to audit logging when we implement it
|
|
|
|
s.logger.Warn("Operation on intention prefix denied due to ACLs", "prefix", prefix, "accessorID", accessorID) |
|
|
|
s.logger.Warn("Operation on intention prefix denied due to ACLs", "prefix", prefix, "accessorID", accessorID) |
|
|
|
return acl.ErrPermissionDenied |
|
|
|
return acl.ErrPermissionDenied |
|
|
@ -709,7 +708,7 @@ func (s *Intention) Check(args *structs.IntentionQueryRequest, reply *structs.In |
|
|
|
var authzContext acl.AuthorizerContext |
|
|
|
var authzContext acl.AuthorizerContext |
|
|
|
query.FillAuthzContext(&authzContext) |
|
|
|
query.FillAuthzContext(&authzContext) |
|
|
|
if authz.ServiceRead(prefix, &authzContext) != acl.Allow { |
|
|
|
if authz.ServiceRead(prefix, &authzContext) != acl.Allow { |
|
|
|
accessorID := s.aclAccessorID(args.Token) |
|
|
|
accessorID := authz.AccessorID() |
|
|
|
// todo(kit) Migrate intention access denial logging over to audit logging when we implement it
|
|
|
|
// todo(kit) Migrate intention access denial logging over to audit logging when we implement it
|
|
|
|
s.logger.Warn("test on intention denied due to ACLs", "prefix", prefix, "accessorID", accessorID) |
|
|
|
s.logger.Warn("test on intention denied due to ACLs", "prefix", prefix, "accessorID", accessorID) |
|
|
|
return acl.ErrPermissionDenied |
|
|
|
return acl.ErrPermissionDenied |
|
|
@ -761,24 +760,6 @@ func (s *Intention) Check(args *structs.IntentionQueryRequest, reply *structs.In |
|
|
|
return nil |
|
|
|
return nil |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
// aclAccessorID is used to convert an ACLToken's secretID to its accessorID for non-
|
|
|
|
|
|
|
|
// critical purposes, such as logging. Therefore we interpret all errors as empty-string
|
|
|
|
|
|
|
|
// so we can safely log it without handling non-critical errors at the usage site.
|
|
|
|
|
|
|
|
func (s *Intention) aclAccessorID(secretID string) string { |
|
|
|
|
|
|
|
_, ident, err := s.srv.ResolveIdentityFromToken(secretID) |
|
|
|
|
|
|
|
if acl.IsErrNotFound(err) { |
|
|
|
|
|
|
|
return "" |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
if err != nil { |
|
|
|
|
|
|
|
s.logger.Debug("non-critical error resolving acl token accessor for logging", "error", err) |
|
|
|
|
|
|
|
return "" |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
if ident == nil { |
|
|
|
|
|
|
|
return "" |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
return ident.ID() |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
func (s *Intention) validateEnterpriseIntention(ixn *structs.Intention) error { |
|
|
|
func (s *Intention) validateEnterpriseIntention(ixn *structs.Intention) error { |
|
|
|
if err := s.srv.validateEnterpriseIntentionPartition(ixn.SourcePartition); err != nil { |
|
|
|
if err := s.srv.validateEnterpriseIntentionPartition(ixn.SourcePartition); err != nil { |
|
|
|
return fmt.Errorf("Invalid source partition %q: %v", ixn.SourcePartition, err) |
|
|
|
return fmt.Errorf("Invalid source partition %q: %v", ixn.SourcePartition, err) |
|
|
|