kemko/nomad
1
0
Fork 0
mirror of https://github.com/kemko/nomad.git synced 2026-01-06 18:35:44 +03:00
Code Issues Packages Projects Releases Wiki Activity

auth: add client-only ACL (#18730)

Browse Source 
The RPC handlers expect to see `nil` ACL objects whenever ACLs are disabled. By
using `nil` as a sentinel value, we have the risk of nil pointer exceptions and
improper handling of `nil` when returned from our various auth methods that can
lead to privilege escalation bugs. This is the third in a series to eliminate
the use of `nil` ACLs as a sentinel value for when ACLs are disabled.

This patch involves creating a new "virtual" ACL object for checking permissions
on client operations and a matching `AuthenticateClientOnly` method for
client-only RPCs that can produce that ACL.

Unlike the server ACLs PR, this also includes a special case for "legacy" client
RPCs where the client was not previously sending the secret as it
should (leaning on mTLS only). Those client RPCs were fixed in Nomad 1.6.0, but
it'll take a while before we can guarantee they'll be present during upgrades.

Ref: https://github.com/hashicorp/nomad-enterprise/pull/1218
Ref: https://github.com/hashicorp/nomad/pull/18703
Ref: https://github.com/hashicorp/nomad/pull/18715
Ref: https://github.com/hashicorp/nomad/pull/16799
This commit is contained in:
Tim Gross
2023-10-12 12:21:48 -04:00
committed by GitHub
parent cecd9b0472
commit 3633ca0f8c
25 changed files with 467 additions and 244 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
command/agent/event_endpoint_test.go
View File

@@ -212,7 +212,7 @@ func TestHTTP_Alloc_Port_Response(t *testing.T) {
ci.Parallel(t)
httpTest(t, nil, func(srv *TestAgent) {
client := srv.Client()
client := srv.APIClient()
defer srv.Shutdown()
defer client.Close()

2
command/agent/plugins_test.go
View File

@@ -31,6 +31,6 @@ func testServer(t *testing.T, runClient bool, cb func(*Config)) (*TestAgent, *ap
})
t.Cleanup(a.Shutdown)
c := a.Client()
c := a.APIClient()
return a, c, a.HTTPAddr()
}

2
command/agent/testagent.go
View File

@@ -309,7 +309,7 @@ func (a *TestAgent) HTTPAddr() string {
return proto + a.Server.Addr
}
func (a *TestAgent) Client() *api.Client {
func (a *TestAgent) APIClient() *api.Client {
conf := api.DefaultConfig()
conf.Address = a.HTTPAddr()
c, err := api.NewClient(conf)

2
command/operator_debug_test.go
View File

@@ -898,7 +898,7 @@ func testServerWithoutLeader(t *testing.T, runClient bool, cb func(*agent.Config
})
t.Cleanup(func() { a.Shutdown() })
c := a.Client()
c := a.APIClient()
return a, c, a.HTTPAddr()
}

6
command/operator_scheduler_set_config_test.go
View File

@@ -22,7 +22,7 @@ func TestOperatorSchedulerSetConfig_Run(t *testing.T) {
ui := cli.NewMockUi()
c := &OperatorSchedulerSetConfig{Meta: Meta{Ui: ui}}
bootstrappedConfig, _, err := srv.Client().Operator().SchedulerGetConfiguration(nil)
bootstrappedConfig, _, err := srv.APIClient().Operator().SchedulerGetConfiguration(nil)
require.NoError(t, err)
require.NotEmpty(t, bootstrappedConfig.SchedulerConfig)
@@ -34,7 +34,7 @@ func TestOperatorSchedulerSetConfig_Run(t *testing.T) {
// Read the configuration again and test that nothing has changed which
// ensures our empty flags are working correctly.
nonModifiedConfig, _, err := srv.Client().Operator().SchedulerGetConfiguration(nil)
nonModifiedConfig, _, err := srv.APIClient().Operator().SchedulerGetConfiguration(nil)
require.NoError(t, err)
schedulerConfigEquals(t, bootstrappedConfig.SchedulerConfig, nonModifiedConfig.SchedulerConfig)
@@ -56,7 +56,7 @@ func TestOperatorSchedulerSetConfig_Run(t *testing.T) {
s := ui.OutputWriter.String()
require.Contains(t, s, "Scheduler configuration updated!")
modifiedConfig, _, err := srv.Client().Operator().SchedulerGetConfiguration(nil)
modifiedConfig, _, err := srv.APIClient().Operator().SchedulerGetConfiguration(nil)
require.NoError(t, err)
schedulerConfigEquals(t, &api.SchedulerConfiguration{
SchedulerAlgorithm: "spread",

4
command/testing_test.go
View File

@@ -31,7 +31,7 @@ func testServer(t *testing.T, runClient bool, cb func(*agent.Config)) (*agent.Te
})
t.Cleanup(a.Shutdown)
c := a.Client()
c := a.APIClient()
return a, c, a.HTTPAddr()
}
@@ -46,7 +46,7 @@ func testClient(t *testing.T, name string, cb func(*agent.Config)) (*agent.TestA
})
t.Cleanup(a.Shutdown)
c := a.Client()
c := a.APIClient()
t.Logf("Waiting for client %s to join server(s) %s", name, a.GetConfig().Client.Servers)
testutil.WaitForClient(t, a.Agent.RPC, a.Agent.Client().NodeID(), a.Agent.Client().Region())

4
command/var_lock_test.go
View File

@@ -101,7 +101,7 @@ func TestVarLockCommand_Good(t *testing.T) {
code := cmd.Run([]string{"-address=" + url, "test/var/shell", "touch ", filePath})
require.Equal(t, 0, code, "expected exit 0, got: %d; %v", code, ui.ErrorWriter.String())
sv, _, err := srv.Client().Variables().Peek("test/var/shell", nil)
sv, _, err := srv.APIClient().Variables().Peek("test/var/shell", nil)
must.NoError(t, err)
must.NotNil(t, sv)
@@ -135,7 +135,7 @@ func TestVarLockCommand_Good_NoShell(t *testing.T) {
code := cmd.Run([]string{"-address=" + url, "-shell=false", "test/var/noShell", "touch", filePath})
require.Zero(t, 0, code)
sv, _, err := srv.Client().Variables().Peek("test/var/noShell", nil)
sv, _, err := srv.APIClient().Variables().Peek("test/var/noShell", nil)
must.NoError(t, err)
must.NotNil(t, sv)