// vetCheckUpdate decides whether the supplied token is permitted to update
// the check identified by checkID.
//
// The decision is based on the check already held in the agent's local state,
// not on anything supplied with the request: a check attached to a service
// requires service write on that service, and any other check requires node
// write on this agent's node. It returns the error from resolveToken when
// resolution fails, permissionDeniedErr when the token lacks the needed write
// permission, and an "Unknown check" error when no such check is registered.
// When ACLs are not enabled (resolveToken yields a nil ACL) it returns nil
// without looking the check up, so an unknown ID is not reported here.
func (a *Agent) vetCheckUpdate(token string, checkID types.CheckID) error {
	authz, err := a.resolveToken(token)
	if err != nil {
		return err
	}
	if authz == nil {
		// A nil ACL means ACLs aren't enabled; nothing to enforce.
		return nil
	}

	current, found := a.state.Checks()[checkID]
	if !found {
		return fmt.Errorf("Unknown check %q", checkID)
	}

	// Authorize against the owner recorded for the stored check.
	if len(current.ServiceName) > 0 {
		if !authz.ServiceWrite(current.ServiceName) {
			return permissionDeniedErr
		}
		return nil
	}
	if !authz.NodeWrite(a.config.NodeName) {
		return permissionDeniedErr
	}
	return nil
}
// vetCheckRegister makes sure the check registration action is allowed by the // given token. func (a *Agent) vetCheckRegister(token string, check *structs.HealthCheck) error { // Resolve the token and bail if ACLs aren't enabled. acl, err := a.resolveToken(token) if err != nil { return err } if acl == nil { return nil } // Vet the check itself. if len(check.ServiceName) > 0 { if !acl.ServiceWrite(check.ServiceName) { return permissionDeniedErr } } else { if !acl.NodeWrite(a.config.NodeName) { return permissionDeniedErr } } // Vet any check that might be getting overwritten. checks := a.state.Checks() if existing, ok := checks[check.CheckID]; ok { if len(existing.ServiceName) > 0 { if !acl.ServiceWrite(existing.ServiceName) { return permissionDeniedErr } } else { if !acl.NodeWrite(a.config.NodeName) { return permissionDeniedErr } } } return nil }