From 8bc56d2638db4a27877d45d5856de4d7f552d5b0 Mon Sep 17 00:00:00 2001
From: Alex Dadgar
Date: Mon, 25 Sep 2017 14:36:19 -0700
Subject: [PATCH] Allow querying self token

This PR allows querying self ACL token when the SecretID is for the AccessorID in question.
---
 nomad/acl_endpoint.go | 14 ++++++++++----
 nomad/acl_endpoint_test.go | 10 ++++++++++
 website/source/api/acl-tokens.html.md | 2 +-
 3 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/nomad/acl_endpoint.go b/nomad/acl_endpoint.go
index c7b56bd11..a49c8b2eb 100644
--- a/nomad/acl_endpoint.go
+++ b/nomad/acl_endpoint.go
@@ -622,11 +622,9 @@ func (a *ACL) GetToken(args *structs.ACLTokenSpecificRequest, reply *structs.Sin
 	}
 	defer metrics.MeasureSince([]string{"nomad", "acl", "get_token"}, time.Now())
 
-	// Check management level permissions
-	if acl, err := a.srv.resolveToken(args.SecretID); err != nil {
+	acl, err := a.srv.resolveToken(args.SecretID)
+	if err != nil {
 		return err
-	} else if acl == nil || !acl.IsManagement() {
-		return structs.ErrPermissionDenied
 	}
 
 	// Setup the blocking query
@@ -640,6 +638,14 @@ func (a *ACL) GetToken(args *structs.ACLTokenSpecificRequest, reply *structs.Sin
 				return err
 			}
 
+			// Check management level permissions or that the secret ID matches the
+			// accessor ID
+			if acl != nil && out != nil {
+				if !acl.IsManagement() && out.SecretID != args.SecretID {
+					return structs.ErrPermissionDenied
+				}
+			}
+
 			// Setup the output
 			reply.Token = out
 			if out != nil {
diff --git a/nomad/acl_endpoint_test.go b/nomad/acl_endpoint_test.go
index a0dba37a9..25528edfc 100644
--- a/nomad/acl_endpoint_test.go
+++ b/nomad/acl_endpoint_test.go
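Review bot: The permission check added in the second hunk is guarded by `if acl != nil && out != nil`, so it is skipped entirely when the requested accessor ID does not exist; a non-management caller therefore gets a nil token for an unknown accessor ID but ErrPermissionDenied for an existing one, which lets it distinguish the two, whereas the removed branch in the first hunk denied every non-management request up front. If the only accessor ID a non-management token may legitimately request is its own, the denial should not depend on the lookup result: `if acl != nil && !acl.IsManagement() && (out == nil || out.SecretID != args.SecretID) { return structs.ErrPermissionDenied }`. The first hunk also drops the early deny for a nil acl, so a nil result from resolveToken now returns the token with no check at all; presumably that is only the ACLs-disabled path, but it is worth confirming resolveToken cannot yield nil with ACLs enabled. The test hunk only exercises the successful self-lookup; a case that sends the token's SecretID with a different AccessorID and asserts `structs.ErrPermissionDenied` would pin the property this change depends on. GetToken starts before the first hunk and continues past the second.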
@@ -509,6 +509,16 @@ func TestACLEndpoint_GetToken(t *testing.T) {
 	}
 	assert.Equal(t, uint64(1000), resp.Index)
 	assert.Nil(t, resp.Token)
+
+	// Lookup the token by accessor id using the tokens secret ID
+	get.AccessorID = token.AccessorID
+	get.SecretID = token.SecretID
+	var resp2 structs.SingleACLTokenResponse
+	if err := msgpackrpc.CallWithCodec(codec, "ACL.GetToken", get, &resp2); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	assert.Equal(t, uint64(1000), resp2.Index)
+	assert.Equal(t, token, resp2.Token)
 }
 
 func TestACLEndpoint_GetToken_Blocking(t *testing.T) {
diff --git a/website/source/api/acl-tokens.html.md b/website/source/api/acl-tokens.html.md
index 219dc1371..487a13c66 100644
--- a/website/source/api/acl-tokens.html.md
+++ b/website/source/api/acl-tokens.html.md
@@ -241,7 +241,7 @@ The table below shows this endpoint's support for | Blocking Queries | Consistency Modes | ACL Required | | ---------------- | ----------------- | ------------ | -| `YES` | `all` | `management` | +| `YES` | `all` | `management` for query other tokens
Matching SecretID to AccessorID for querying self | ### Sample Request