mirror of
https://github.com/kemko/nomad.git
synced 2026-01-03 08:55:43 +03:00
cbd7248248
The RPC handlers expect to see `nil` ACL objects whenever ACLs are disabled. By using `nil` as a sentinel value, we have the risk of nil pointer exceptions and improper handling of `nil` when returned from our various auth methods that can lead to privilege escalation bugs. This is the final patch in a series to eliminate the use of `nil` ACLs as a sentinel value for when ACLs are disabled. This patch adds a new virtual ACL policy field for when ACLs are disabled and updates our authentication logic to use it. Included: * Extends auth package tests to demonstrate that nil ACLs are treated as failed auth and disabled ACLs succeed auth. * Adds a new `AllowDebug` ACL check for the weird special casing we have for pprof debugging when ACLs are disabled. * Removes the remaining unexported methods (and repeated tests) from the `nomad/acl.go` file. * Update the semgrep rules to detect improper nil ACL checking and remove the old invalid ACL checks. * Update the contributing guide for RPC authentication. Ref: https://github.com/hashicorp/nomad-enterprise/pull/1218 Ref: https://github.com/hashicorp/nomad/pull/18703 Ref: https://github.com/hashicorp/nomad/pull/18715 Ref: https://github.com/hashicorp/nomad/pull/16799 Ref: https://github.com/hashicorp/nomad/pull/18730 Ref: https://github.com/hashicorp/nomad/pull/18744
82 lines
2.2 KiB
Go
82 lines
2.2 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
package nomad
|
|
|
|
import (
|
|
"fmt"
|
|
|
|
"github.com/hashicorp/go-hclog"
|
|
|
|
"github.com/hashicorp/nomad/nomad/structs"
|
|
)
|
|
|
|
// System endpoint is used to call invoke system tasks.
|
|
type System struct {
|
|
srv *Server
|
|
ctx *RPCContext
|
|
logger hclog.Logger
|
|
}
|
|
|
|
func NewSystemEndpoint(srv *Server, ctx *RPCContext) *System {
|
|
return &System{srv: srv, ctx: ctx, logger: srv.logger.Named("system")}
|
|
}
|
|
|
|
// GarbageCollect is used to trigger the system to immediately garbage collect nodes, evals
|
|
// and jobs.
|
|
func (s *System) GarbageCollect(args *structs.GenericRequest, reply *structs.GenericResponse) error {
|
|
|
|
authErr := s.srv.Authenticate(s.ctx, args)
|
|
if done, err := s.srv.forward("System.GarbageCollect", args, args, reply); done {
|
|
return err
|
|
}
|
|
s.srv.MeasureRPCRate("system", structs.RateMetricWrite, args)
|
|
if authErr != nil {
|
|
return structs.ErrPermissionDenied
|
|
}
|
|
|
|
// Check management level permissions
|
|
if aclObj, err := s.srv.ResolveACL(args); err != nil {
|
|
return err
|
|
} else if !aclObj.IsManagement() {
|
|
return structs.ErrPermissionDenied
|
|
}
|
|
|
|
// Get the states current index
|
|
snapshotIndex, err := s.srv.fsm.State().LatestIndex()
|
|
if err != nil {
|
|
return fmt.Errorf("failed to determine state store's index: %v", err)
|
|
}
|
|
|
|
s.srv.evalBroker.Enqueue(s.srv.coreJobEval(structs.CoreJobForceGC, snapshotIndex))
|
|
return nil
|
|
}
|
|
|
|
// ReconcileJobSummaries reconciles the summaries of all the jobs in the state
|
|
// store
|
|
func (s *System) ReconcileJobSummaries(args *structs.GenericRequest, reply *structs.GenericResponse) error {
|
|
|
|
authErr := s.srv.Authenticate(s.ctx, args)
|
|
if done, err := s.srv.forward("System.ReconcileJobSummaries", args, args, reply); done {
|
|
return err
|
|
}
|
|
s.srv.MeasureRPCRate("system", structs.RateMetricWrite, args)
|
|
if authErr != nil {
|
|
return structs.ErrPermissionDenied
|
|
}
|
|
|
|
// Check management level permissions
|
|
if aclObj, err := s.srv.ResolveACL(args); err != nil {
|
|
return err
|
|
} else if !aclObj.IsManagement() {
|
|
return structs.ErrPermissionDenied
|
|
}
|
|
|
|
_, index, err := s.srv.raftApply(structs.ReconcileJobSummariesRequestType, args)
|
|
if err != nil {
|
|
return fmt.Errorf("reconciliation of job summaries failed: %v", err)
|
|
}
|
|
reply.Index = index
|
|
return nil
|
|
}
|