// vetServiceRegister makes sure the service registration action is allowed by // the given token. func (a *Agent) vetServiceRegister(token string, service *structs.NodeService) error { // Resolve the token and bail if ACLs aren't enabled. acl, err := a.resolveToken(token) if err != nil { return err } if acl == nil { return nil } // Vet the service itself. if !acl.ServiceWrite(service.Service) { return permissionDeniedErr } // Vet any service that might be getting overwritten. services := a.state.Services() if existing, ok := services[service.ID]; ok { if !acl.ServiceWrite(existing.Service) { return permissionDeniedErr } } return nil }
// vetCheckUpdate makes sure that a check update is allowed by the given token.
//
// A nil ACL (ACLs aren't enabled) allows the update outright. Otherwise the
// check already registered under checkID decides which permission applies:
// ServiceWrite on its service name when it has one, NodeWrite on this agent's
// node name otherwise. Updating a check that is not registered is an error.
// Returns permissionDeniedErr when the permission check fails and the token
// resolution error when the token cannot be resolved.
func (a *Agent) vetCheckUpdate(token string, checkID types.CheckID) error {
	rule, err := a.resolveToken(token)
	if err != nil {
		return err
	}
	if rule == nil {
		// ACLs aren't enabled; nothing to vet.
		return nil
	}

	existing, found := a.state.Checks()[checkID]
	if !found {
		return fmt.Errorf("Unknown check %q", checkID)
	}

	// A service check is governed by its service, a node check by the node.
	var allowed bool
	if len(existing.ServiceName) > 0 {
		allowed = rule.ServiceWrite(existing.ServiceName)
	} else {
		allowed = rule.NodeWrite(a.config.NodeName)
	}
	if !allowed {
		return permissionDeniedErr
	}
	return nil
}
// vetCheckRegister makes sure the check registration action is allowed by the // given token. func (a *Agent) vetCheckRegister(token string, check *structs.HealthCheck) error { // Resolve the token and bail if ACLs aren't enabled. acl, err := a.resolveToken(token) if err != nil { return err } if acl == nil { return nil } // Vet the check itself. if len(check.ServiceName) > 0 { if !acl.ServiceWrite(check.ServiceName) { return permissionDeniedErr } } else { if !acl.NodeWrite(a.config.NodeName) { return permissionDeniedErr } } // Vet any check that might be getting overwritten. checks := a.state.Checks() if existing, ok := checks[check.CheckID]; ok { if len(existing.ServiceName) > 0 { if !acl.ServiceWrite(existing.ServiceName) { return permissionDeniedErr } } else { if !acl.NodeWrite(a.config.NodeName) { return permissionDeniedErr } } } return nil }
// vetServiceUpdate makes sure the service update action is allowed by the given
// token.
//
// A nil ACL (ACLs aren't enabled) allows the update outright. Otherwise the
// token needs ServiceWrite on the service currently registered under
// serviceID; updating a service that is not registered is an error. Returns
// permissionDeniedErr when the permission check fails and the token
// resolution error when the token cannot be resolved.
func (a *Agent) vetServiceUpdate(token string, serviceID string) error {
	rule, err := a.resolveToken(token)
	if err != nil {
		return err
	}
	if rule == nil {
		// ACLs aren't enabled; nothing to vet.
		return nil
	}

	existing, found := a.state.Services()[serviceID]
	if !found {
		return fmt.Errorf("Unknown service %q", serviceID)
	}
	// The registered service's own name governs the update.
	if !rule.ServiceWrite(existing.Service) {
		return permissionDeniedErr
	}
	return nil
}