From 445070eb6a920cb6f1c8ca047e34485f38022a52 Mon Sep 17 00:00:00 2001
From: Chelsea Holland Komlo
Date: Mon, 25 Sep 2017 17:30:31 +0000
Subject: [PATCH 1/2] add acl for job validate endpoint

---
 nomad/job_endpoint.go | 7 ++++++
 nomad/job_endpoint_test.go | 36 +++++++++++++++++++++++++++++
 website/source/api/validate.html.md | 6 ++---
 3 files changed, 46 insertions(+), 3 deletions(-)

diff --git a/nomad/job_endpoint.go b/nomad/job_endpoint.go
index 2e91337c6..ac6b4eb06 100644
--- a/nomad/job_endpoint.go
+++ b/nomad/job_endpoint.go
@@ -353,6 +353,13 @@ func (j *Job) Summary(args *structs.JobSummaryRequest,
 func (j *Job) Validate(args *structs.JobValidateRequest, reply *structs.JobValidateResponse) error {
 defer metrics.MeasureSince([]string{"nomad", "job", "validate"}, time.Now())
 
+ // Check for read-job permissions
+ if aclObj, err := j.srv.resolveToken(args.SecretID); err != nil {
+ return err
+ } else if aclObj != nil && !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilityReadJob) {
+ return structs.ErrPermissionDenied
+ }
+
 // Initialize the job fields (sets defaults and any necessary init work).
 canonicalizeWarnings := args.Job.Canonicalize()
 
diff --git a/nomad/job_endpoint_test.go b/nomad/job_endpoint_test.go
index da70a5216..fa11a958c 100644
--- a/nomad/job_endpoint_test.go
+++ b/nomad/job_endpoint_test.go
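Review bot: The capability check on the new `} else if` line authorizes the caller against `args.RequestNamespace()`, while the job being validated carries its own `args.Job.Namespace`, and nothing in this hunk requires the two to agree; unless the rest of Validate (which continues past the hunk) rejects a mismatch, a token holding `read-job` in one namespace can have the server canonicalize and validate a job declared for another namespace. A guard right after the ACL block would close that, e.g. `if args.RequestNamespace() != args.Job.Namespace { return fmt.Errorf("mismatch between request namespace and job namespace") }` — confirm first whether a later line of Validate already does this. The `aclObj != nil` clause is the reason an unauthenticated request still succeeds in some deployments and deserves a comment, e.g. `// a nil aclObj (presumably: ACLs disabled) skips enforcement entirely`. Finally, the context line `args.Job.Canonicalize()` is reached with no nil check on `args.Job`; if Canonicalize does not tolerate a nil receiver, a request without a job body panics inside the handler, so `if args.Job == nil { return fmt.Errorf("missing job for validation") }` ahead of the ACL check would be cheap insurance.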
@@ -3118,6 +3118,42 @@ func TestJobEndpoint_ValidateJobUpdate(t *testing.T) {
 }
 }
 
+func TestJobEndpoint_ValidateJobUpdate_ACL(t *testing.T) {
+ t.Parallel()
+ assert := assert.New(t)
+
+ s1, root := testACLServer(t, func(c *Config) {
+ c.NumSchedulers = 0 // Prevent automatic dequeue
+ })
+ defer s1.Shutdown()
+ codec := rpcClient(t, s1)
+ testutil.WaitForLeader(t, s1.RPC)
+
+ job := mock.Job()
+
+ req := &structs.JobValidateRequest{
+ Job: job,
+ WriteRequest: structs.WriteRequest{
+ Region: "global",
+ Namespace: job.Namespace,
+ },
+ }
+
+ // Attenpt to update without providing a valid token
+ var resp structs.JobValidateResponse
+ err := msgpackrpc.CallWithCodec(codec, "Job.Validate", req, &resp)
+ assert.NotNil(err)
+
+ // Update with a valid token
+ req.SecretID = root.SecretID
+ var validResp structs.JobValidateResponse
+ err = msgpackrpc.CallWithCodec(codec, "Job.Validate", req, &validResp)
+ assert.Nil(err)
+
+ assert.Equal("", validResp.Error)
+ assert.Equal("", validResp.Warnings)
+}
+
 func TestJobEndpoint_Dispatch(t *testing.T) {
 t.Parallel()
 
diff --git a/website/source/api/validate.html.md b/website/source/api/validate.html.md
index d23741e80..99750b8da 100644
--- a/website/source/api/validate.html.md
+++ b/website/source/api/validate.html.md
@@ -28,9 +28,9 @@ The table below shows this endpoint's support for
 [blocking queries](/api/index.html#blocking-queries) and
 [required ACLs](/api/index.html#acls).
 
-| Blocking Queries | ACL Required |
-| ---------------- | ------------ |
-| `NO` | `none` |
+| Blocking Queries | ACL Required |
+| ---------------- | -------------------------- |
+| `NO` | `namespace:read-job` |
 
 ### Parameters
 
From 10f4b4a82e4c8c079af03029f79848068047d27b Mon Sep 17 00:00:00 2001
From: Chelsea Holland Komlo
Date: Mon, 25 Sep 2017 17:41:17 +0000
Subject: [PATCH 2/2] fix type

---
 nomad/job_endpoint_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

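Review bot: `assert.NotNil(err)` after the first `Job.Validate` call accepts any error, so the test still passes if the token-less request fails for an unrelated reason (the server not yet serving, a validation failure), which is exactly what a regression in the new ACL check would look like; pin the denial instead, e.g. `assert.Equal(structs.ErrPermissionDenied.Error(), err.Error())` (the error travels back over RPC as a string, so compare messages rather than error identity). The test also only exercises the no-token and root-token paths; a third call with a token whose namespace policy lacks `read-job` would show that the capability, and not merely the presence of a token, gates the endpoint. As a matter of wording, `TestJobEndpoint_ValidateJobUpdate_ACL` and the comments `// ... to update without providing a valid token` / `// Update with a valid token` describe an update, while every call here is to `Job.Validate`; `// Attempt to validate without providing a valid token` and `// Validate with a valid token` would match what the test does.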
diff --git a/nomad/job_endpoint_test.go b/nomad/job_endpoint_test.go
index fa11a958c..3dfbf00e8 100644
--- a/nomad/job_endpoint_test.go
+++ b/nomad/job_endpoint_test.go
@@ -3139,7 +3139,7 @@ func TestJobEndpoint_ValidateJobUpdate_ACL(t *testing.T) {
 },
 }
 
- // Attenpt to update without providing a valid token
+ // Attempt to update without providing a valid token
 var resp structs.JobValidateResponse
 err := msgpackrpc.CallWithCodec(codec, "Job.Validate", req, &resp)
 assert.NotNil(err)