mirror of https://github.com/hashicorp/consul
47 lines
1.4 KiB
Go
47 lines
1.4 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
package external
|
|
|
|
import (
|
|
"github.com/hashicorp/go-uuid"
|
|
"google.golang.org/grpc/codes"
|
|
"google.golang.org/grpc/status"
|
|
|
|
"github.com/hashicorp/consul/acl"
|
|
"github.com/hashicorp/consul/acl/resolver"
|
|
)
|
|
|
|
// We tag logs with a unique identifier to ease debugging. In the future this
|
|
// should probably be a real Open Telemetry trace ID.
|
|
func TraceID() string {
|
|
id, err := uuid.GenerateUUID()
|
|
if err != nil {
|
|
return ""
|
|
}
|
|
return id
|
|
}
|
|
|
|
type ACLResolver interface {
|
|
ResolveTokenAndDefaultMeta(string, *acl.EnterpriseMeta, *acl.AuthorizerContext) (resolver.Result, error)
|
|
}
|
|
|
|
// RequireAnyValidACLToken checks that the caller provided a valid ACL token
|
|
// without requiring any specific permissions. This is useful for endpoints
|
|
// that are used by all/most consumers of our API, such as those called by the
|
|
// consul-server-connection-manager library when establishing a new connection.
|
|
//
|
|
// Note: no token is required if ACLs are disabled.
|
|
func RequireAnyValidACLToken(resolver ACLResolver, token string) error {
|
|
authz, err := resolver.ResolveTokenAndDefaultMeta(token, nil, nil)
|
|
if err != nil {
|
|
return status.Error(codes.Unauthenticated, err.Error())
|
|
}
|
|
|
|
if id := authz.ACLIdentity; id != nil && id.ID() == acl.AnonymousTokenID {
|
|
return status.Error(codes.Unauthenticated, "An ACL token must be provided (via the `x-consul-token` metadata field) to call this endpoint")
|
|
}
|
|
|
|
return nil
|
|
}
|