backport of commit 3481a62

hashicorp · Oct 19, 2022 · 363d20d · 363d20d
1 parent 0aa3ca6
commit 363d20d
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 18 deletions.
diff --git a/nomad/acl_endpoint.go b/nomad/acl_endpoint.go
@@ -1392,7 +1392,7 @@ func (a *ACL) GetRolesByID(args *structs.ACLRolesByIDRequest, reply *structs.ACL
 	if token == nil {
 		return structs.ErrTokenNotFound
 	}
-	if token.Type != structs.ACLManagementToken && !token.RoleSubset(args.ACLRoleIDs) {
+	if token.Type != structs.ACLManagementToken && !token.HasRoles(args.ACLRoleIDs) {
 		return structs.ErrPermissionDenied
 	}
 

diff --git a/nomad/structs/acl.go b/nomad/structs/acl.go
@@ -233,13 +233,10 @@ func (a *ACLToken) IsExpired(t time.Time) bool {
 	return a.ExpirationTime.Before(t) || t.IsZero()
 }
 
-// RoleSubset checks if a given set of role IDs are assigned to the ACL token.
-func (a *ACLToken) RoleSubset(roleIDs []string) bool {
-
-	// Hot-path: management tokens allows access to all roles.
-	if a.Type == ACLManagementToken {
-		return true
-	}
+// HasRoles checks if a given set of role IDs are assigned to the ACL token. It
+// does not account for management tokens, therefore it is the responsibility
+// of the caller to perform this check, if required.
+func (a *ACLToken) HasRoles(roleIDs []string) bool {
 
 	// Generate a set of role IDs that the token is assigned.
 	roleSet := set.FromFunc(a.Roles, func(roleLink *ACLTokenRoleLink) string { return roleLink.ID })

diff --git a/nomad/structs/acl_test.go b/nomad/structs/acl_test.go
@@ -297,21 +297,13 @@ func TestACLToken_IsExpired(t *testing.T) {
 	}
 }
 
-func TestACLToken_RoleSubset(t *testing.T) {
+func TestACLToken_HasRoles(t *testing.T) {
 	testCases := []struct {
 		name           string
 		inputToken     *ACLToken
 		inputRoleIDs   []string
 		expectedOutput bool
 	}{
-		{
-			name: "management token",
-			inputToken: &ACLToken{
-				Type: ACLManagementToken,
-			},
-			inputRoleIDs:   []string{"foo", "bar", "baz"},
-			expectedOutput: true,
-		},
 		{
 			name: "client token request all subset",
 			inputToken: &ACLToken{
@@ -368,7 +360,7 @@ func TestACLToken_RoleSubset(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			actualOutput := tc.inputToken.RoleSubset(tc.inputRoleIDs)
+			actualOutput := tc.inputToken.HasRoles(tc.inputRoleIDs)
 			require.Equal(t, tc.expectedOutput, actualOutput)
 		})
 	}