mirror of
https://github.com/kemko/nomad.git
synced 2026-01-01 16:05:42 +03:00
3633ca0f8c
The RPC handlers expect to see `nil` ACL objects whenever ACLs are disabled. By using `nil` as a sentinel value, we have the risk of nil pointer exceptions and improper handling of `nil` when returned from our various auth methods that can lead to privilege escalation bugs. This is the third in a series to eliminate the use of `nil` ACLs as a sentinel value for when ACLs are disabled. This patch involves creating a new "virtual" ACL object for checking permissions on client operations and a matching `AuthenticateClientOnly` method for client-only RPCs that can produce that ACL. Unlike the server ACLs PR, this also includes a special case for "legacy" client RPCs where the client was not previously sending the secret as it should (leaning on mTLS only). Those client RPCs were fixed in Nomad 1.6.0, but it'll take a while before we can guarantee they'll be present during upgrades. Ref: https://github.com/hashicorp/nomad-enterprise/pull/1218 Ref: https://github.com/hashicorp/nomad/pull/18703 Ref: https://github.com/hashicorp/nomad/pull/18715 Ref: https://github.com/hashicorp/nomad/pull/16799
120 lines
3.0 KiB
Go
120 lines
3.0 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
package widmgr_test
|
|
|
|
import (
|
|
"fmt"
|
|
"testing"
|
|
|
|
"github.com/hashicorp/nomad/ci"
|
|
"github.com/hashicorp/nomad/client/widmgr"
|
|
"github.com/hashicorp/nomad/command/agent"
|
|
"github.com/hashicorp/nomad/helper/pointer"
|
|
"github.com/hashicorp/nomad/helper/uuid"
|
|
"github.com/hashicorp/nomad/nomad/mock"
|
|
"github.com/hashicorp/nomad/nomad/structs"
|
|
"github.com/hashicorp/nomad/testutil"
|
|
"github.com/shoenig/test/must"
|
|
)
|
|
|
|
func TestWIDMgr(t *testing.T) {
|
|
ci.Parallel(t)
|
|
|
|
// Create a mixed ta
|
|
ta := agent.NewTestAgent(t, "widtest", func(c *agent.Config) {
|
|
c.Server.Enabled = true
|
|
c.Server.NumSchedulers = pointer.Of(1)
|
|
c.Client.Enabled = true
|
|
})
|
|
t.Cleanup(ta.Shutdown)
|
|
|
|
mgr := widmgr.NewSigner(widmgr.SignerConfig{
|
|
NodeSecret: ta.Client().Node().SecretID,
|
|
Region: "global",
|
|
RPC: ta,
|
|
})
|
|
|
|
_, err := mgr.SignIdentities(1, nil)
|
|
must.ErrorContains(t, err, "no identities to sign")
|
|
|
|
_, err = mgr.SignIdentities(1, []*structs.WorkloadIdentityRequest{
|
|
{
|
|
AllocID: uuid.Generate(),
|
|
WIHandle: structs.WIHandle{
|
|
WorkloadIdentifier: "web",
|
|
IdentityName: "foo",
|
|
},
|
|
},
|
|
})
|
|
must.ErrorContains(t, err, "rejected")
|
|
|
|
// Register a job with 3 identities (but only 2 that need signing)
|
|
job := mock.MinJob()
|
|
job.TaskGroups[0].Tasks[0].Identity = &structs.WorkloadIdentity{
|
|
Env: true,
|
|
}
|
|
job.TaskGroups[0].Tasks[0].Identities = []*structs.WorkloadIdentity{
|
|
{
|
|
Name: "consul",
|
|
Audience: []string{"a", "b"},
|
|
Env: true,
|
|
},
|
|
{
|
|
Name: "vault",
|
|
File: true,
|
|
},
|
|
}
|
|
job.Canonicalize()
|
|
|
|
testutil.RegisterJob(t, ta.RPC, job)
|
|
|
|
var allocs []*structs.AllocListStub
|
|
testutil.WaitForResult(func() (bool, error) {
|
|
args := &structs.JobSpecificRequest{}
|
|
args.JobID = job.ID
|
|
args.QueryOptions.Region = job.Region
|
|
args.Namespace = job.Namespace
|
|
var resp structs.JobAllocationsResponse
|
|
err := ta.RPC("Job.Allocations", args, &resp)
|
|
if err != nil {
|
|
return false, fmt.Errorf("Job.Allocations error: %v", err)
|
|
}
|
|
|
|
if len(resp.Allocations) == 0 {
|
|
return false, fmt.Errorf("no allocs")
|
|
}
|
|
allocs = resp.Allocations
|
|
return len(allocs) == 1, fmt.Errorf("unexpected number of allocs: %d", len(allocs))
|
|
}, func(err error) {
|
|
must.NoError(t, err)
|
|
})
|
|
must.Len(t, 1, allocs)
|
|
|
|
// Get signed identites for alloc
|
|
widreqs := []*structs.WorkloadIdentityRequest{
|
|
{
|
|
AllocID: allocs[0].ID,
|
|
WIHandle: structs.WIHandle{
|
|
WorkloadIdentifier: job.TaskGroups[0].Tasks[0].Name,
|
|
IdentityName: "consul",
|
|
},
|
|
},
|
|
{
|
|
AllocID: allocs[0].ID,
|
|
WIHandle: structs.WIHandle{
|
|
WorkloadIdentifier: job.TaskGroups[0].Tasks[0].Name,
|
|
IdentityName: "vault",
|
|
},
|
|
},
|
|
}
|
|
|
|
swids, err := mgr.SignIdentities(allocs[0].CreateIndex, widreqs)
|
|
must.NoError(t, err)
|
|
must.Len(t, 2, swids)
|
|
must.Eq(t, *widreqs[0], swids[0].WorkloadIdentityRequest)
|
|
must.StrContains(t, swids[0].JWT, ".")
|
|
must.Eq(t, *widreqs[1], swids[1].WorkloadIdentityRequest)
|
|
must.StrContains(t, swids[1].JWT, ".")
|
|
}
|