acl: demonstrate new authz interface

hashicorp · Jan 26, 2022 · 0eaa784 · 0eaa784
1 parent 8ace474
commit 0eaa784
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 4 deletions.
diff --git a/acl/errors.go b/acl/errors.go
@@ -62,13 +62,23 @@ func IsErrPermissionDenied(err error) bool {
 }
 
 type PermissionDeniedError struct {
+	Resource    Resource
+	AccessLevel AccessLevel
+	AccessorID  string
+	ResourceID  string
+
+	// TODO: remove Cause, use other fields
 	Cause string
 }
 
 func (e PermissionDeniedError) Error() string {
 	if e.Cause != "" {
 		return errPermissionDenied + ": " + e.Cause
 	}
+	if e.Resource != "" {
+		return fmt.Sprintf("%s: token %s is missing %s:%s for %s",
+			errPermissionDenied, e.AccessorID, e.Resource, e.AccessLevel, e.ResourceID)
+	}
 	return errPermissionDenied
 }
 

diff --git a/agent/consul/acl.go b/agent/consul/acl.go
@@ -1119,6 +1119,7 @@ func (r *ACLResolver) ResolveToken(token string) (ACLResolveResult, error) {
 	return ACLResolveResult{Authorizer: acl.NewChainedAuthorizer(chain), ACLIdentity: identity}, nil
 }
 
+// TODO: move to a new package under acl/
 type ACLResolveResult struct {
 	acl.Authorizer
 	// TODO: likely we can reduce this interface
@@ -1132,6 +1133,27 @@ func (a ACLResolveResult) AccessorID() string {
 	return a.ACLIdentity.ID()
 }
 
+type ACLKVResourceID interface {
+	KVResourceID() string
+	FillAuthzContext(*acl.AuthorizerContext)
+}
+
+func (a ACLResolveResult) HasKeyWrite(id ACLKVResourceID) error {
+	key := id.KVResourceID()
+	var authzCtx acl.AuthorizerContext
+	id.FillAuthzContext(&authzCtx)
+
+	if a.Authorizer.KeyWrite(key, &authzCtx) == acl.Allow {
+		return nil
+	}
+	return acl.PermissionDeniedError{
+		Resource:    acl.ResourceKey,
+		ResourceID:  key,
+		AccessorID:  a.AccessorID(),
+		AccessLevel: acl.AccessWrite,
+	}
+}
+
 func (r *ACLResolver) ACLsEnabled() bool {
 	// Whether we desire ACLs to be enabled according to configuration
 	if !r.config.ACLsEnabled {

diff --git a/agent/consul/kvs_endpoint.go b/agent/consul/kvs_endpoint.go
@@ -32,7 +32,7 @@ type KVS struct {
 // preApply does all the verification of a KVS update that is performed BEFORE
 // we submit as a Raft log entry. This includes enforcing the lock delay which
 // must only be done on the leader.
-func kvsPreApply(logger hclog.Logger, srv *Server, authz acl.Authorizer, op api.KVOp, dirEnt *structs.DirEntry) (bool, error) {
+func kvsPreApply(logger hclog.Logger, srv *Server, authz ACLResolveResult, op api.KVOp, dirEnt *structs.DirEntry) (bool, error) {
 	// Verify the entry.
 	if dirEnt.Key == "" && op != api.KVDeleteTree {
 		return false, fmt.Errorf("Must provide key")
@@ -66,8 +66,8 @@ func kvsPreApply(logger hclog.Logger, srv *Server, authz acl.Authorizer, op api.
 		var authzContext acl.AuthorizerContext
 		dirEnt.FillAuthzContext(&authzContext)
 
-		if authz.KeyWrite(dirEnt.Key, &authzContext) != acl.Allow {
-			return false, acl.ErrPermissionDenied
+		if err := authz.HasKeyWrite(dirEnt); err != nil {
+			return false, err
 		}
 	}
 

diff --git a/agent/consul/txn_endpoint.go b/agent/consul/txn_endpoint.go
@@ -32,7 +32,7 @@ type Txn struct {
 
 // preCheck is used to verify the incoming operations before any further
 // processing takes place. This checks things like ACLs.
-func (t *Txn) preCheck(authorizer acl.Authorizer, ops structs.TxnOps) structs.TxnErrors {
+func (t *Txn) preCheck(authorizer ACLResolveResult, ops structs.TxnOps) structs.TxnErrors {
 	var errors structs.TxnErrors
 
 	// Perform the pre-apply checks for any KV operations.

diff --git a/agent/structs/structs.go b/agent/structs/structs.go
@@ -2277,6 +2277,10 @@ func (d *DirEntry) IDValue() string {
 	return d.Key
 }
 
+func (d *DirEntry) KVResourceID() string {
+	return d.Key
+}
+
 type DirEntries []*DirEntry
 
 // KVSRequest is used to operate on the Key-Value store