search: enforce correct ACL for search over variables (#14397)

Tim Gross
2022-08-30 13:27:31 -04:00
committed by GitHub
parent b7fea76f7f
commit 36799570f6
2 changed files with 16 additions and 7 deletions


@@ -724,12 +724,12 @@ func TestHTTP_PrefixSearch_Variables_ACL(t *testing.T) {
defNSToken := mock.CreatePolicyAndToken(t, state, 8002, "default",
mock.NamespacePolicyWithVariables(
"default", "read", []string{},
map[string][]string{"*": []string{"read", "list"}}))
map[string][]string{"*": {"read", "list"}}))
ns1NSToken := mock.CreatePolicyAndToken(t, state, 8004, "ns-"+ns.Name,
mock.NamespacePolicyWithVariables(
ns.Name, "read", []string{},
map[string][]string{"*": []string{"read", "list"}}))
map[string][]string{"*": {"read", "list"}}))
denyToken := mock.CreatePolicyAndToken(t, state, 8006, "none",
mock.NamespacePolicy("default", "deny", nil))
@@ -834,9 +834,19 @@ func TestHTTP_FuzzySearch_Variables_ACL(t *testing.T) {
require.NoError(t, setResp.Error)
rootToken := s.RootToken
defNSToken := mock.CreatePolicyAndToken(t, state, 8002, "default", mock.NamespacePolicy("default", "read", nil))
ns1NSToken := mock.CreatePolicyAndToken(t, state, 8004, "ns-"+ns.Name, mock.NamespacePolicy(ns.Name, "read", nil))
denyToken := mock.CreatePolicyAndToken(t, state, 8006, "none", mock.NamespacePolicy("default", "deny", nil))
defNSToken := mock.CreatePolicyAndToken(t, state, 8002, "default",
mock.NamespacePolicyWithVariables(
"default", "read", []string{},
map[string][]string{"*": {"list"}}))
ns1NSToken := mock.CreatePolicyAndToken(t, state, 8004, "ns-"+ns.Name,
mock.NamespacePolicyWithVariables(
ns.Name, "read", []string{},
map[string][]string{"*": {"list"}}))
denyToken := mock.CreatePolicyAndToken(t, state, 8006, "none",
mock.NamespacePolicy("default", "deny", nil))
type testCase struct {
desc string
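Review bot: The rewritten fuzzy-search tokens drop the only token that carried the namespace `read` policy with no variable capability (the removed `mock.NamespacePolicy("default", "read", nil)` for defNSToken), so the server-side switch from the read-job check to `AllowVariableSearch` has no negative test here — a regression that let read-job alone satisfy variable search would still pass. Consider keeping one extra token built with `mock.NamespacePolicy("default", "read", nil)` and asserting it receives no variable matches. Note also that the prefix-search test grants `{"read", "list"}` while this test grants only `{"list"}`; if `list` alone is what search requires, a one-line comment on the token saying so would make that intent explicit rather than incidental. Both TestHTTP_PrefixSearch_Variables_ACL and TestHTTP_FuzzySearch_Variables_ACL continue past their hunks, so the table cases that consume these tokens are not visible.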


@@ -482,8 +482,7 @@ func nsCapFilter(aclObj *acl.ACL) memdb.FilterFunc {
return !aclObj.AllowNsOp(t.Namespace, acl.NamespaceCapabilityReadJob)
case *structs.VariableEncrypted:
// FIXME: Update to final implementation.
return !aclObj.AllowNsOp(t.Namespace, acl.NamespaceCapabilityReadJob)
return !aclObj.AllowVariableSearch(t.Namespace)
case *structs.Namespace:
return !aclObj.AllowNamespace(t.Name)
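Review bot: `AllowVariableSearch(t.Namespace)` decides at namespace granularity, while the policy helper used by the tests keys variable capabilities by path pattern (`"*"`), which suggests variable ACLs can be narrower than a namespace; if that is the case, a prefix or fuzzy search could still surface the paths of variables the token cannot read, and either a path-aware check or an explicit statement that namespace-level exposure is intended belongs at this case. A short comment would make the contract visible to the next maintainer, e.g. `// Variables are searchable at namespace granularity; path-level ACLs are not applied to search results.` — adjust the wording to what acl.AllowVariableSearch actually checks, which is not shown here. nsCapFilter begins and ends outside the hunk.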