Skip to content

Commit

Permalink
Add Namespace support to the API module and the CLI commands
Browse files Browse the repository at this point in the history 
Also update the Docs and fixup the HTTP API to return proper errors when someone attempts to use Namespaces with an OSS agent.
  • Loading branch information
@mkeeler
mkeeler committed Dec 3, 2019
1 parent 0a7e027 commit a057a94
Show file tree
Hide file tree
Showing 83 changed files with 575 additions and 52 deletions.
109 changes: 80 additions & 29 deletions agent/acl_endpoint.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -186,7 +186,9 @@ func (s *HTTPServer) ACLPolicyList(resp http.ResponseWriter, req *http.Request)
if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {
return nil, nil
}
s.parseEntMeta(req, &args.EnterpriseMeta)
if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
return nil, err
}

if args.Datacenter == "" {
args.Datacenter = s.agent.config.Datacenter
Expand Down Expand Up @@ -244,7 +246,9 @@ func (s *HTTPServer) ACLPolicyRead(resp http.ResponseWriter, req *http.Request,
return nil, nil
}

s.parseEntMeta(req, &args.EnterpriseMeta)
if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
return nil, err
}

if args.Datacenter == "" {
args.Datacenter = s.agent.config.Datacenter
Expand Down Expand Up @@ -281,9 +285,12 @@ func (s *HTTPServer) aclPolicyWriteInternal(resp http.ResponseWriter, req *http.
Datacenter: s.agent.config.Datacenter,
}
s.parseToken(req, &args.Token)
s.parseEntMeta(req, &args.Policy.EnterpriseMeta)
if err := s.parseEntMeta(req, &args.Policy.EnterpriseMeta); err != nil {
return nil, err
}

if err := decodeBody(req.Body, &args.Policy); err != nil {
if err := decodeBodyStrict(req.Body, &args.Policy); err != nil {
err := s.handleUnknownEnterpriseFields(err)
return nil, BadRequestError{Reason: fmt.Sprintf("Policy decoding failed: %v", err)}
}

Expand Down Expand Up @@ -315,7 +322,9 @@ func (s *HTTPServer) ACLPolicyDelete(resp http.ResponseWriter, req *http.Request
PolicyID: policyID,
}
s.parseToken(req, &args.Token)
s.parseEntMeta(req, &args.EnterpriseMeta)
if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
return nil, err
}

var ignored string
if err := s.agent.RPC("ACL.PolicyDelete", args, &ignored); err != nil {
Expand All @@ -338,7 +347,9 @@ func (s *HTTPServer) ACLTokenList(resp http.ResponseWriter, req *http.Request) (
return nil, nil
}

s.parseEntMeta(req, &args.EnterpriseMeta)
if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
return nil, err
}

if args.Datacenter == "" {
args.Datacenter = s.agent.config.Datacenter
Expand Down Expand Up @@ -442,7 +453,9 @@ func (s *HTTPServer) ACLTokenGet(resp http.ResponseWriter, req *http.Request, to
return nil, nil
}

s.parseEntMeta(req, &args.EnterpriseMeta)
if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
return nil, err
}

if args.Datacenter == "" {
args.Datacenter = s.agent.config.Datacenter
Expand Down Expand Up @@ -471,9 +484,12 @@ func (s *HTTPServer) aclTokenSetInternal(resp http.ResponseWriter, req *http.Req
Create: create,
}
s.parseToken(req, &args.Token)
s.parseEntMeta(req, &args.ACLToken.EnterpriseMeta)
if err := s.parseEntMeta(req, &args.ACLToken.EnterpriseMeta); err != nil {
return nil, err
}

if err := decodeBody(req.Body, &args.ACLToken); err != nil {
if err := decodeBodyStrict(req.Body, &args.ACLToken); err != nil {
err := s.handleUnknownEnterpriseFields(err)
return nil, BadRequestError{Reason: fmt.Sprintf("Token decoding failed: %v", err)}
}

Expand All @@ -499,7 +515,9 @@ func (s *HTTPServer) ACLTokenDelete(resp http.ResponseWriter, req *http.Request,
TokenID: tokenID,
}
s.parseToken(req, &args.Token)
s.parseEntMeta(req, &args.EnterpriseMeta)
if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
return nil, err
}

var ignored string
if err := s.agent.RPC("ACL.TokenDelete", args, &ignored); err != nil {
Expand All @@ -518,8 +536,11 @@ func (s *HTTPServer) ACLTokenClone(resp http.ResponseWriter, req *http.Request,
Create: true,
}

s.parseEntMeta(req, &args.ACLToken.EnterpriseMeta)
if err := decodeBody(req.Body, &args.ACLToken); err != nil {
if err := s.parseEntMeta(req, &args.ACLToken.EnterpriseMeta); err != nil {
return nil, err
}
if err := decodeBodyStrict(req.Body, &args.ACLToken); err != nil {
err := s.handleUnknownEnterpriseFields(err)
return nil, BadRequestError{Reason: fmt.Sprintf("Token decoding failed: %v", err)}
}
s.parseToken(req, &args.Token)
Expand All @@ -544,7 +565,9 @@ func (s *HTTPServer) ACLRoleList(resp http.ResponseWriter, req *http.Request) (i
if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {
return nil, nil
}
s.parseEntMeta(req, &args.EnterpriseMeta)
if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
return nil, err
}

if args.Datacenter == "" {
args.Datacenter = s.agent.config.Datacenter
Expand Down Expand Up @@ -621,7 +644,9 @@ func (s *HTTPServer) ACLRoleRead(resp http.ResponseWriter, req *http.Request, ro
if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {
return nil, nil
}
s.parseEntMeta(req, &args.EnterpriseMeta)
if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
return nil, err
}

if args.Datacenter == "" {
args.Datacenter = s.agent.config.Datacenter
Expand Down Expand Up @@ -654,9 +679,12 @@ func (s *HTTPServer) ACLRoleWrite(resp http.ResponseWriter, req *http.Request, r
Datacenter: s.agent.config.Datacenter,
}
s.parseToken(req, &args.Token)
s.parseEntMeta(req, &args.Role.EnterpriseMeta)
if err := s.parseEntMeta(req, &args.Role.EnterpriseMeta); err != nil {
return nil, err
}

if err := decodeBody(req.Body, &args.Role); err != nil {
if err := decodeBodyStrict(req.Body, &args.Role); err != nil {
err := s.handleUnknownEnterpriseFields(err)
return nil, BadRequestError{Reason: fmt.Sprintf("Role decoding failed: %v", err)}
}

Expand All @@ -680,7 +708,9 @@ func (s *HTTPServer) ACLRoleDelete(resp http.ResponseWriter, req *http.Request,
RoleID: roleID,
}
s.parseToken(req, &args.Token)
s.parseEntMeta(req, &args.EnterpriseMeta)
if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
return nil, err
}

var ignored string
if err := s.agent.RPC("ACL.RoleDelete", args, &ignored); err != nil {
Expand All @@ -700,7 +730,9 @@ func (s *HTTPServer) ACLBindingRuleList(resp http.ResponseWriter, req *http.Requ
return nil, nil
}

s.parseEntMeta(req, &args.EnterpriseMeta)
if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
return nil, err
}

if args.Datacenter == "" {
args.Datacenter = s.agent.config.Datacenter
Expand Down Expand Up @@ -760,7 +792,9 @@ func (s *HTTPServer) ACLBindingRuleRead(resp http.ResponseWriter, req *http.Requ
return nil, nil
}

s.parseEntMeta(req, &args.EnterpriseMeta)
if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
return nil, err
}

if args.Datacenter == "" {
args.Datacenter = s.agent.config.Datacenter
Expand Down Expand Up @@ -793,9 +827,12 @@ func (s *HTTPServer) ACLBindingRuleWrite(resp http.ResponseWriter, req *http.Req
Datacenter: s.agent.config.Datacenter,
}
s.parseToken(req, &args.Token)
s.parseEntMeta(req, &args.BindingRule.EnterpriseMeta)
if err := s.parseEntMeta(req, &args.BindingRule.EnterpriseMeta); err != nil {
return nil, err
}

if err := decodeBody(req.Body, &args.BindingRule); err != nil {
if err := decodeBodyStrict(req.Body, &args.BindingRule); err != nil {
err := s.handleUnknownEnterpriseFields(err)
return nil, BadRequestError{Reason: fmt.Sprintf("BindingRule decoding failed: %v", err)}
}

Expand All @@ -819,7 +856,9 @@ func (s *HTTPServer) ACLBindingRuleDelete(resp http.ResponseWriter, req *http.Re
BindingRuleID: bindingRuleID,
}
s.parseToken(req, &args.Token)
s.parseEntMeta(req, &args.EnterpriseMeta)
if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
return nil, err
}

var ignored bool
if err := s.agent.RPC("ACL.BindingRuleDelete", args, &ignored); err != nil {
Expand All @@ -838,7 +877,9 @@ func (s *HTTPServer) ACLAuthMethodList(resp http.ResponseWriter, req *http.Reque
if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {
return nil, nil
}
s.parseEntMeta(req, &args.EnterpriseMeta)
if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
return nil, err
}

if args.Datacenter == "" {
args.Datacenter = s.agent.config.Datacenter
Expand Down Expand Up @@ -895,7 +936,9 @@ func (s *HTTPServer) ACLAuthMethodRead(resp http.ResponseWriter, req *http.Reque
if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {
return nil, nil
}
s.parseEntMeta(req, &args.EnterpriseMeta)
if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
return nil, err
}

if args.Datacenter == "" {
args.Datacenter = s.agent.config.Datacenter
Expand Down Expand Up @@ -929,9 +972,12 @@ func (s *HTTPServer) ACLAuthMethodWrite(resp http.ResponseWriter, req *http.Requ
Datacenter: s.agent.config.Datacenter,
}
s.parseToken(req, &args.Token)
s.parseEntMeta(req, &args.AuthMethod.EnterpriseMeta)
if err := s.parseEntMeta(req, &args.AuthMethod.EnterpriseMeta); err != nil {
return nil, err
}

if err := decodeBody(req.Body, &args.AuthMethod); err != nil {
if err := decodeBodyStrict(req.Body, &args.AuthMethod); err != nil {
err := s.handleUnknownEnterpriseFields(err)
return nil, BadRequestError{Reason: fmt.Sprintf("AuthMethod decoding failed: %v", err)}
}

Expand All @@ -958,7 +1004,9 @@ func (s *HTTPServer) ACLAuthMethodDelete(resp http.ResponseWriter, req *http.Req
AuthMethodName: methodName,
}
s.parseToken(req, &args.Token)
s.parseEntMeta(req, &args.EnterpriseMeta)
if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
return nil, err
}

var ignored bool
if err := s.agent.RPC("ACL.AuthMethodDelete", args, &ignored); err != nil {
Expand All @@ -978,9 +1026,12 @@ func (s *HTTPServer) ACLLogin(resp http.ResponseWriter, req *http.Request) (inte
Auth: &structs.ACLLoginParams{},
}
s.parseDC(req, &args.Datacenter)
s.parseEntMeta(req, &args.Auth.EnterpriseMeta)
if err := s.parseEntMeta(req, &args.Auth.EnterpriseMeta); err != nil {
return nil, err
}

if err := decodeBody(req.Body, &args.Auth); err != nil {
if err := decodeBodyStrict(req.Body, &args.Auth); err != nil {
err := s.handleUnknownEnterpriseFields(err)
return nil, BadRequestError{Reason: fmt.Sprintf("Failed to decode request body:: %v", err)}
}

Expand Down
2 changes: 1 addition & 1 deletion agent/agent_endpoint_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3055,7 +3055,7 @@ func testCreateToken(t *testing.T, a *TestAgent, rules string) string {
policyID := testCreatePolicy(t, a, policyName, rules)

args := map[string]interface{}{
"Name": "User Token",
"Description": "User Token",
"Policies": []map[string]interface{}{
map[string]interface{}{
"ID": policyID,
Expand Down
9 changes: 9 additions & 0 deletions agent/http.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -580,6 +580,15 @@ func decodeBody(body io.Reader, out interface{}) error {
return json.NewDecoder(body).Decode(&out)
}

func decodeBodyStrict(body io.Reader, out interface{}) error {
if body == nil {
return io.EOF
}
decoder := json.NewDecoder(body)
decoder.DisallowUnknownFields()
return decoder.Decode(&out)
}

// decodeBodyDeprecated is deprecated, please ues decodeBody above.
// decodeBodyDeprecated is used to decode a JSON request body
func decodeBodyDeprecated(req *http.Request, out interface{}, cb func(interface{}) error) error {
Expand Down
29 changes: 28 additions & 1 deletion agent/http_oss.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,37 @@
package agent

import (
"fmt"
"net/http"
"strings"

"github.com/hashicorp/consul/agent/structs"
)

func (s *HTTPServer) parseEntMeta(req *http.Request, entMeta *structs.EnterpriseMeta) {
func (s *HTTPServer) parseEntMeta(req *http.Request, entMeta *structs.EnterpriseMeta) error {
if headerNS := req.Header.Get("X-Consul-Namespace"); headerNS != "" {
return BadRequestError{Reason: "Invalid header: \"X-Consul-Namespace\" - Namespaces is a Consul Enterprise feature"}
}
if queryNS := req.URL.Query().Get("ns"); queryNS != "" {
return BadRequestError{Reason: "Invalid query parameter: \"ns\" - Namespaces is a Consul Enterprise feature"}
}
return nil
}

func (s *HTTPServer) handleUnknownEnterpriseFields(err error) error {
if err == nil {
return nil
}
msg := err.Error()

if strings.Contains(msg, "json: unknown field ") {
quotedField := strings.TrimPrefix(msg, "json: unknown field ")

switch quotedField {
case `"Namespace"`:
return fmt.Errorf("%v - Namespaces is a Consul Enterprise feature", err)
}
}

return err
}
4 changes: 3 additions & 1 deletion agent/kvs_endpoint.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,9 @@ func (s *HTTPServer) KVSEndpoint(resp http.ResponseWriter, req *http.Request) (i
if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {
return nil, nil
}
s.parseEntMeta(req, &args.EnterpriseMeta)
if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
return nil, err
}

// Pull out the key name, validation left to each sub-handler
args.Key = strings.TrimPrefix(req.URL.Path, "/v1/kv/")
Expand Down
Loading

0 comments on commit a057a94

Please sign in to comment.