consul

Commit Graph

Author	SHA1	Message	Date
Dao Thanh Tung	88c7cfa578	URL-encode/decode resource names for HTTP API part 2 (#11957 )	3 years ago
Mathew Estafanous	0fdd1318e9	Ensure consistency with error-handling across all handlers. (#11599 )	3 years ago
Daniel Nephin	18b3ac33e8	acl: remove unused translate rules endpoint The CLI command does not use this endpoint, so we can remove it. It was missed in an earlier pass.	3 years ago
Daniel Nephin	c2b24adb5f	acl: remove ACLRulesTranslateLegacyToken API endpoint	3 years ago
Daniel Nephin	b7bced9bcf	acl: remove legacy bootstrap Return an explicit error from the RPC, and remove the flag from the HTTP API.	3 years ago
Daniel Nephin	858071d55a	agent: update some tests that were using legacy ACL endpoints The tests were updated to use the new ACL endpoints now that the legacy ones have been removed.	3 years ago
Daniel Nephin	e637cd71f3	acl: use authz consistently as the variable name for an acl.Authorizer Follow up to https://github.com/hashicorp/consul/pull/10737#discussion_r682147950 Renames all variables for acl.Authorizer to use `authz`. Previously some places used `rule` which I believe was an old name carried over from the legacy ACL system. A couple places also used authorizer. This commit also removes another couple of authorizer nil checks that are no longer necessary.	3 years ago
Daniel Nephin	4f1a36629a	acl: remove authz == nil checks These case are already impossible conditions, because most of these functions already start with a check for ACLs being disabled. So the code path being removed could never be reached. The one other case (ConnectAuthorized) was already changed in a previous commit. This commit removes an impossible branch because authz == nil can never be true.	3 years ago
Daniel Nephin	84fac3ce0e	acl: use acl.ManangeAll when ACLs are disabled Instead of returning nil and checking for nilness Removes a bunch of nil checks, and fixes one test failures.	3 years ago
Matt Keeler	bbf5993534	Move static token resolution into the ACLResolver (#10013 )	4 years ago
Daniel Nephin	282fbdfa75	api: rename HTTPServer to HTTPHandlers Resolves a TODO about naming. This type is a set of handlers for an http.Server, it is not itself a Server. It provides http.Handler functions.	4 years ago
Daniel Nephin	5247ef4c70	Remove ACLsEnabled from delegate interface In all cases (oss/ent, client/server) this method was returning a value from config. Since the value is consistent, it doesn't need to be part of the delegate interface.	4 years ago
Daniel Nephin	010a609912	Fix a bunch of unparam lint issues	4 years ago
R.B. Boyer	8927b54121	test: move some test helpers over from enterprise (#7754 )	5 years ago
Alejandro Baez	bafa69bb69	Add PolicyReadByName for API (#6615 )	5 years ago
Matt Keeler	d0cd092e3b	Catalog + Namespace OSS changes. (#7219 ) * Various Prepared Query + Namespace things * Last round of OSS changes for a namespaced catalog	5 years ago
Matt Keeler	663cf1e9a8	AuthMethod updates to support alternate namespace logins (#7029 )	5 years ago
Matt Keeler	a704ebe639	Add Namespace support to the API module and the CLI commands (#6874 ) Also update the Docs and fixup the HTTP API to return proper errors when someone attempts to use Namespaces with an OSS agent. Add Namespace HTTP API docs Make all API endpoints disallow unknown fields	5 years ago
Matt Keeler	deb91f3d3c	[Feature] API: Add a internal endpoint to query for ACL authori… (#6888 ) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.	5 years ago
Sarah Adams	78ad8203a4	Use encoding/json as JSON decoder instead of mapstructure (#6680 ) Fixes #6147	5 years ago
Matt Keeler	e4ea9b0a96	Updates to allow for Namespacing ACL resources in Consul Enterp… (#6675 ) Main Changes: • method signature updates everywhere to account for passing around enterprise meta. • populate the EnterpriseAuthorizerContext for all ACL related authorizations. • ACL resource listings now operate like the catalog or kv listings in that the returned entries are filtered down to what the token is allowed to see. With Namespaces its no longer all or nothing. • Modified the acl.Policy parsing to abstract away basic decoding so that enterprise can do it slightly differently. Also updated method signatures so that when parsing a policy it can take extra ent metadata to use during rules validation and policy creation. Secondary Changes: • Moved protobuf encoding functions out of the agentpb package to eliminate circular dependencies. • Added custom JSON unmarshalers for a few ACL resource types (to support snake case and to get rid of mapstructure) • AuthMethod validator cache is now an interface as these will be cached per-namespace for Consul Enterprise. • Added checks for policy/role link existence at the RPC API so we don’t push the request through raft to have it fail internally. • Forward ACL token delete request to the primary datacenter when the secondary DC doesn’t have the token. • Added a bunch of ACL test helpers for inserting ACL resource test data.	5 years ago
Matt Keeler	973341a592	ACL Authorizer overhaul (#6620 ) * ACL Authorizer overhaul To account for upcoming features every Authorization function can now take an extra acl.EnterpriseAuthorizerContext. These are unused in OSS and will always be nil. Additionally the acl package has received some thorough refactoring to enable all of the extra Consul Enterprise specific authorizations including moving sentinel enforcement into the stubbed structs. The Authorizer funcs now return an acl.EnforcementDecision instead of a boolean. This improves the overall interface as it makes multiple Authorizers easily chainable as they now indicate whether they had an authoritative decision or should use some other defaults. A ChainedAuthorizer was added to handle this Authorizer enforcement chain and will never itself return a non-authoritative decision. Include stub for extra enterprise rules in the global management policy * Allow for an upgrade of the global-management policy	5 years ago
Matt Keeler	4daa1585b0	ACL Token ID Initialization (#5307 )	6 years ago
R.B. Boyer	e47d7eeddb	acl: adding support for kubernetes auth provider login (#5600 ) * auth providers * binding rules * auth provider for kubernetes * login/logout	6 years ago
R.B. Boyer	cc1aa3f973	acl: adding Roles to Tokens (#5514 ) Roles are named and can express the same bundle of permissions that can currently be assigned to a Token (lists of Policies and Service Identities). The difference with a Role is that it not itself a bearer token, but just another entity that can be tied to a Token. This lets an operator potentially curate a set of smaller reusable Policies and compose them together into reusable Roles, rather than always exploding that same list of Policies on any Token that needs similar permissions. This also refactors the acl replication code to be semi-generic to avoid 3x copypasta.	6 years ago
R.B. Boyer	2144bd7fbd	acl: tokens can be created with an optional expiration time (#5353 )	6 years ago
R.B. Boyer	f2ed3a3777	clarify the ACL.PolicyDelete endpoint (#5337 ) There was an errant early-return in PolicyDelete() that bypassed the rest of the function. This was ok because the only caller of this function ignores the results. This removes the early-return making it structurally behave like TokenDelete() and for both PolicyDelete and TokenDelete clarify the lone callers to indicate that the return values are ignored. We may wish to avoid the entire return value as well, but this patch doesn't go that far.	6 years ago
Matt Keeler	db2cf01406	Adds documentation for the new ACL APIs (#4851 ) * Update the ACL API docs * Add a CreateTime to the anon token Also require acl:read permissions at least to perform rule translation. Don’t want someone DoSing the system with an open endpoint that actually does a bit of work. * Fix one place where I was referring to id instead of AccessorID * Add godocs for the API package additions. * Minor updates: removed some extra commas and updated the acl intro paragraph * minor tweaks * Updated the language to be clearer * Updated the language to be clearer for policy page * I was also confused by that! Your updates are much clearer. Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com> * Sounds much better. Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com> * Updated sidebar layout and deprecated warning	6 years ago
Matt Keeler	f9cf0eb36e	Remaining ACL Unit Tests (#4852 ) * Add leader token upgrade test and fix various ACL enablement bugs * Update the leader ACL initialization tests. * Add a StateStore ACL tests for ACLTokenSet and ACLTokenGetBy* functions * Advertise the agents acl support status with the agent/self endpoint. * Make batch token upsert CAS’able to prevent consistency issues with token auto-upgrade * Finish up the ACL state store token tests * Finish the ACL state store unit tests Also rename some things to make them more consistent. * Do as much ACL replication testing as I can.	6 years ago
Matt Keeler	d238cb181c	New ACL API Tests (#4848 ) * A few API mods and unit tests. * Update the unit tests to verify query/write metadata and to fix the rules endpoint tests. * Make sure the full information for the replication status is in the api packge	6 years ago
Matt Keeler	18b29c45c4	New ACLs (#4791 ) This PR is almost a complete rewrite of the ACL system within Consul. It brings the features more in line with other HashiCorp products. Obviously there is quite a bit left to do here but most of it is related docs, testing and finishing the last few commands in the CLI. I will update the PR description and check off the todos as I finish them over the next few days/week. Description At a high level this PR is mainly to split ACL tokens from Policies and to split the concepts of Authorization from Identities. A lot of this PR is mostly just to support CRUD operations on ACLTokens and ACLPolicies. These in and of themselves are not particularly interesting. The bigger conceptual changes are in how tokens get resolved, how backwards compatibility is handled and the separation of policy from identity which could lead the way to allowing for alternative identity providers. On the surface and with a new cluster the ACL system will look very similar to that of Nomads. Both have tokens and policies. Both have local tokens. The ACL management APIs for both are very similar. I even ripped off Nomad's ACL bootstrap resetting procedure. There are a few key differences though. Nomad requires token and policy replication where Consul only requires policy replication with token replication being opt-in. In Consul local tokens only work with token replication being enabled though. All policies in Nomad are globally applicable. In Consul all policies are stored and replicated globally but can be scoped to a subset of the datacenters. This allows for more granular access management. Unlike Nomad, Consul has legacy baggage in the form of the original ACL system. The ramifications of this are: A server running the new system must still support other clients using the legacy system. A client running the new system must be able to use the legacy RPCs when the servers in its datacenter are running the legacy system. The primary ACL DC's servers running in legacy mode needs to be a gate that keeps everything else in the entire multi-DC cluster running in legacy mode. So not only does this PR implement the new ACL system but has a legacy mode built in for when the cluster isn't ready for new ACLs. Also detecting that new ACLs can be used is automatic and requires no configuration on the part of administrators. This process is detailed more in the "Transitioning from Legacy to New ACL Mode" section below.	6 years ago
Edd Steel	77f19f7505	Support OPTIONS requests - register endpoints with supported methods - support OPTIONS requests, indicating supported methods - extract method validation (error 405) from individual endpoints - on 405 where multiple methods are allowed, create a single Allow header with comma-separated values, not multiple Allow headers.	7 years ago
James Phillips	29367cd5ae	Moves ACL disabled response logic down into endpoints. This lets us make the registration of endpoints less fancy, on the road to adding a registration mechanism.	7 years ago
Frank Schröder	1e461110e6	agent: consolidate handling of 405 Method Not Allowed (#3405 ) * agent: consolidate http method not allowed checks This patch uses the error handling of the http handlers to handle HTTP method not allowed errors across all available endpoints. It also adds a test for testing whether the endpoints respond with the correct status code. * agent: do not panic on metrics tests * agent: drop other tests for MethodNotAllowed * agent: align /agent/join with reality /agent/join uses PUT instead of GET as documented. * agent: align /agent/check/{fail,warn,pass} with reality /agent/check/{fail,warn,pass} uses PUT instead of GET as documented. * fix some tests * Drop more tests for method not allowed * Align TestAgent_RegisterService_InvalidAddress with reality * Changes API client join to use PUT instead of GET. * Fixes agent endpoint verbs and removes obsolete tests. * Updates the change log.	7 years ago
Frank Schroeder	d8195b3a4d	agent: drop status code comments	7 years ago
Frank Schroeder	fa121be33f	agent: use http.StatusMethodNotAllowed instead of 405	7 years ago
Frank Schroeder	7e2bc1b411	agent: use http.StatusUnauthorized instead of 401	7 years ago
Frank Schroeder	5d1546b052	agent: use http.StatusBadRequest instead of 400	7 years ago
Frank Schröder	a3934c263c	acl: consolidate error handling (#3401 ) The error handling of the ACL code relies on the presence of certain magic error messages. Since the error values are sent via RPC between older and newer consul agents we cannot just replace the magic values with typed errors and switch to type checks since this would break compatibility with older clients. Therefore, this patch moves all magic ACL error messages into the acl package and provides default error values and helper functions which determine the type of error.	7 years ago
Frank Schroeder	1acff3533e	agent: move agent/consul/structs to agent/structs	7 years ago
James Phillips	c0a5ad7903	Adds a new /v1/acl/bootstrap API (#3349 )	7 years ago
James Phillips	872cf9ff95	Changes ACL clone response to 403 if not authorized, or if token doesn't exist. (#3275 ) Fixes #1113	7 years ago
Frank Schroeder	1c75cf1af5	pkg refactor command/agent/* -> agent/* command/consul/* -> agent/consul/* command/agent/command{,_test}.go -> command/agent{,_test}.go command/base/command.go -> command/base.go command/base/* -> command/* commands.go -> command/commands.go The script which did the refactor is: ( cd $GOPATH/src/github.com/hashicorp/consul git mv command/agent/command.go command/agent.go git mv command/agent/command_test.go command/agent_test.go git mv command/agent/flag_slice_value{,_test}.go command/ git mv command/agent . git mv command/base/command.go command/base.go git mv command/base/config_util{,_test}.go command/ git mv commands.go command/ git mv consul agent rmdir command/base/ gsed -i -e 's\|package agent\|package command\|' command/agent{,_test}.go gsed -i -e 's\|package agent\|package command\|' command/flag_slice_value{,_test}.go gsed -i -e 's\|package base\|package command\|' command/base.go command/config_util{,_test}.go gsed -i -e 's\|package main\|package command\|' command/commands.go gsed -i -e 's\|base.Command\|BaseCommand\|' command/commands.go gsed -i -e 's\|agent.Command\|AgentCommand\|' command/commands.go gsed -i -e 's\|\tCommand:\|\tBaseCommand:\|' command/commands.go gsed -i -e 's\|base\.\|\|' command/commands.go gsed -i -e 's\|command\.\|\|' command/commands.go gsed -i -e 's\|command\|c\|' main.go gsed -i -e 's\|range Commands\|range command.Commands\|' main.go gsed -i -e 's\|Commands: Commands\|Commands: command.Commands\|' main.go gsed -i -e 's\|base\.BoolValue\|BoolValue\|' command/operator_autopilot_set.go gsed -i -e 's\|base\.DurationValue\|DurationValue\|' command/operator_autopilot_set.go gsed -i -e 's\|base\.StringValue\|StringValue\|' command/operator_autopilot_set.go gsed -i -e 's\|base\.UintValue\|UintValue\|' command/operator_autopilot_set.go gsed -i -e 's\|\bCommand\b\|BaseCommand\|' command/base.go gsed -i -e 's\|BaseCommand Options\|Command Options\|' command/base.go gsed -i -e 's\|base.Command\|BaseCommand\|' command/.go gsed -i -e 's\|c\.Command\|c.BaseCommand\|g' command/.go gsed -i -e 's\|\tCommand:\|\tBaseCommand:\|' command/_test.go gsed -i -e 's\|base\.\|\|' command/_test.go gsed -i -e 's\|\bCommand\b\|AgentCommand\|' command/agent{,_test}.go gsed -i -e 's\|cmd.AgentCommand\|cmd.BaseCommand\|' command/agent.go gsed -i -e 's\|cli.AgentCommand = new(Command)\|cli.Command = new(AgentCommand)\|' command/agent_test.go gsed -i -e 's\|exec.AgentCommand\|exec.Command\|' command/agent_test.go gsed -i -e 's\|exec.BaseCommand\|exec.Command\|' command/agent_test.go gsed -i -e 's\|NewTestAgent\|agent.NewTestAgent\|' command/agent_test.go gsed -i -e 's\|= TestConfig\|= agent.TestConfig\|' command/agent_test.go gsed -i -e 's\|: RetryJoin\|: agent.RetryJoin\|' command/agent_test.go gsed -i -e 's\|\.\./\.\./\|../\|' command/config_util_test.go gsed -i -e 's\|\bverifyUniqueListeners\|VerifyUniqueListeners\|' agent/config{,_test}.go command/agent.go gsed -i -e 's\|\bserfLANKeyring\b\|SerfLANKeyring\|g' agent/{agent,keyring,testagent}.go command/agent.go gsed -i -e 's\|\bserfWANKeyring\b\|SerfWANKeyring\|g' agent/{agent,keyring,testagent}.go command/agent.go gsed -i -e 's\|\bNewAgent\b\|agent.New\|g' command/agent{,_test}.go gsed -i -e 's\|\bNewAgent\|New\|' agent/{acl_test,agent,testagent}.go gsed -i -e 's\|\bAgent\b\|agent.&\|g' command/agent{,_test}.go gsed -i -e 's\|\bBool\b\|agent.&\|g' command/agent{,_test}.go gsed -i -e 's\|\bConfig\b\|agent.&\|g' command/agent{,_test}.go gsed -i -e 's\|\bDefaultConfig\b\|agent.&\|g' command/agent{,_test}.go gsed -i -e 's\|\bDevConfig\b\|agent.&\|g' command/agent{,_test}.go gsed -i -e 's\|\bMergeConfig\b\|agent.&\|g' command/agent{,_test}.go gsed -i -e 's\|\bReadConfigPaths\b\|agent.&\|g' command/agent{,_test}.go gsed -i -e 's\|\bParseMetaPair\b\|agent.&\|g' command/agent{,_test}.go gsed -i -e 's\|\bSerfLANKeyring\b\|agent.&\|g' command/agent{,_test}.go gsed -i -e 's\|\bSerfWANKeyring\b\|agent.&\|g' command/agent{,_test}.go gsed -i -e 's\|circonus\.agent\|circonus\|g' command/agent{,_test}.go gsed -i -e 's\|logger\.agent\|logger\|g' command/agent{,_test}.go gsed -i -e 's\|metrics\.agent\|metrics\|g' command/agent{,_test}.go gsed -i -e 's\|// agent.Agent\|// agent\|' command/agent{,_test}.go gsed -i -e 's\|a\.agent\.Config\|a.Config\|' command/agent{,_test}.go gsed -i -e 's\|agent\.AppendSliceValue\|AppendSliceValue\|' command/{configtest,validate}.go gsed -i -e 's\|consul/consul\|agent/consul\|' GNUmakefile gsed -i -e 's\|\.\./test\|../../test\|' agent/consul/server_test.go # fix imports f=$(grep -rl 'github.com/hashicorp/consul/command/agent' * \| grep '\.go') gsed -i -e 's\|github.com/hashicorp/consul/command/agent\|github.com/hashicorp/consul/agent\|' $f goimports -w $f f=$(grep -rl 'github.com/hashicorp/consul/consul' * \| grep '\.go') gsed -i -e 's\|github.com/hashicorp/consul/consul\|github.com/hashicorp/consul/agent/consul\|' $f goimports -w $f goimports -w command/*.go main.go )	8 years ago

43 Commits (ca3aca92c4d2b2a94f959655ff0db03f00a49a6a)