Skip to content

Commit

Permalink
wire up most of the remaining endpoints
Browse files Browse the repository at this point in the history
  • Loading branch information
@tgross
tgross committed Jun 29, 2022
1 parent 2ad1046 commit c2d98ad
Show file tree
Hide file tree
Showing 18 changed files with 453 additions and 22 deletions.
60 changes: 60 additions & 0 deletions nomad/acl_endpoint.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ import (
metrics "github.com/armon/go-metrics"
log "github.com/hashicorp/go-hclog"
memdb "github.com/hashicorp/go-memdb"
"github.com/hashicorp/nomad/acl"
policy "github.com/hashicorp/nomad/acl"
"github.com/hashicorp/nomad/helper"
"github.com/hashicorp/nomad/helper/uuid"
Expand Down Expand Up @@ -39,6 +40,10 @@ type ACL struct {

// UpsertPolicies is used to create or update a set of policies
func (a *ACL) UpsertPolicies(args *structs.ACLPolicyUpsertRequest, reply *structs.GenericResponse) error {
if err := a.srv.CheckRateLimit("ACL", acl.PolicyWrite, args.AuthToken); err != nil {
return err
}

// Ensure ACLs are enabled, and always flow modification requests to the authoritative region
if !a.srv.config.ACLEnabled {
return aclDisabled
Expand Down Expand Up @@ -83,6 +88,10 @@ func (a *ACL) UpsertPolicies(args *structs.ACLPolicyUpsertRequest, reply *struct

// DeletePolicies is used to delete policies
func (a *ACL) DeletePolicies(args *structs.ACLPolicyDeleteRequest, reply *structs.GenericResponse) error {
if err := a.srv.CheckRateLimit("ACL", acl.PolicyWrite, args.AuthToken); err != nil {
return err
}

// Ensure ACLs are enabled, and always flow modification requests to the authoritative region
if !a.srv.config.ACLEnabled {
return aclDisabled
Expand Down Expand Up @@ -119,6 +128,10 @@ func (a *ACL) DeletePolicies(args *structs.ACLPolicyDeleteRequest, reply *struct

// ListPolicies is used to list the policies
func (a *ACL) ListPolicies(args *structs.ACLPolicyListRequest, reply *structs.ACLPolicyListResponse) error {
if err := a.srv.CheckRateLimit("ACL", acl.PolicyList, args.AuthToken); err != nil {
return err
}

if !a.srv.config.ACLEnabled {
return aclDisabled
}
Expand Down Expand Up @@ -203,6 +216,10 @@ func (a *ACL) ListPolicies(args *structs.ACLPolicyListRequest, reply *structs.AC

// GetPolicy is used to get a specific policy
func (a *ACL) GetPolicy(args *structs.ACLPolicySpecificRequest, reply *structs.SingleACLPolicyResponse) error {
if err := a.srv.CheckRateLimit("ACL", acl.PolicyRead, args.AuthToken); err != nil {
return err
}

if !a.srv.config.ACLEnabled {
return aclDisabled
}
Expand Down Expand Up @@ -294,6 +311,10 @@ func (a *ACL) requestACLToken(secretID string) (*structs.ACLToken, error) {

// GetPolicies is used to get a set of policies
func (a *ACL) GetPolicies(args *structs.ACLPolicySetRequest, reply *structs.ACLPolicySetResponse) error {
if err := a.srv.CheckRateLimit("ACL", acl.PolicyRead, args.AuthToken); err != nil {
return err
}

if !a.srv.config.ACLEnabled {
return aclDisabled
}
Expand Down Expand Up @@ -349,6 +370,10 @@ func (a *ACL) GetPolicies(args *structs.ACLPolicySetRequest, reply *structs.ACLP

// Bootstrap is used to bootstrap the initial token
func (a *ACL) Bootstrap(args *structs.ACLTokenBootstrapRequest, reply *structs.ACLTokenUpsertResponse) error {
if err := a.srv.CheckRateLimit("ACL", acl.PolicyWrite, args.AuthToken); err != nil {
return err
}

// Ensure ACLs are enabled, and always flow modification requests to the authoritative region
if !a.srv.config.ACLEnabled {
return aclDisabled
Expand Down Expand Up @@ -461,6 +486,10 @@ func (a *ACL) fileBootstrapResetIndex() uint64 {

// UpsertTokens is used to create or update a set of tokens
func (a *ACL) UpsertTokens(args *structs.ACLTokenUpsertRequest, reply *structs.ACLTokenUpsertResponse) error {
if err := a.srv.CheckRateLimit("ACL", acl.PolicyWrite, args.AuthToken); err != nil {
return err
}

// Ensure ACLs are enabled, and always flow modification requests to the authoritative region
if !a.srv.config.ACLEnabled {
return aclDisabled
Expand Down Expand Up @@ -570,6 +599,10 @@ func (a *ACL) UpsertTokens(args *structs.ACLTokenUpsertRequest, reply *structs.A

// DeleteTokens is used to delete tokens
func (a *ACL) DeleteTokens(args *structs.ACLTokenDeleteRequest, reply *structs.GenericResponse) error {
if err := a.srv.CheckRateLimit("ACL", acl.PolicyWrite, args.AuthToken); err != nil {
return err
}

// Ensure ACLs are enabled, and always flow modification requests to the authoritative region
if !a.srv.config.ACLEnabled {
return aclDisabled
Expand Down Expand Up @@ -650,6 +683,10 @@ func (a *ACL) DeleteTokens(args *structs.ACLTokenDeleteRequest, reply *structs.G

// ListTokens is used to list the tokens
func (a *ACL) ListTokens(args *structs.ACLTokenListRequest, reply *structs.ACLTokenListResponse) error {
if err := a.srv.CheckRateLimit("ACL", acl.PolicyList, args.AuthToken); err != nil {
return err
}

if !a.srv.config.ACLEnabled {
return aclDisabled
}
Expand Down Expand Up @@ -734,6 +771,10 @@ func (a *ACL) ListTokens(args *structs.ACLTokenListRequest, reply *structs.ACLTo

// GetToken is used to get a specific token
func (a *ACL) GetToken(args *structs.ACLTokenSpecificRequest, reply *structs.SingleACLTokenResponse) error {
if err := a.srv.CheckRateLimit("ACL", acl.PolicyRead, args.AuthToken); err != nil {
return err
}

if !a.srv.config.ACLEnabled {
return aclDisabled
}
Expand Down Expand Up @@ -795,6 +836,10 @@ func (a *ACL) GetToken(args *structs.ACLTokenSpecificRequest, reply *structs.Sin

// GetTokens is used to get a set of token
func (a *ACL) GetTokens(args *structs.ACLTokenSetRequest, reply *structs.ACLTokenSetResponse) error {
if err := a.srv.CheckRateLimit("ACL", acl.PolicyRead, args.AuthToken); err != nil {
return err
}

if !a.srv.config.ACLEnabled {
return aclDisabled
}
Expand Down Expand Up @@ -842,6 +887,10 @@ func (a *ACL) GetTokens(args *structs.ACLTokenSetRequest, reply *structs.ACLToke

// ResolveToken is used to lookup a specific token by a secret ID. This is used for enforcing ACLs by clients.
func (a *ACL) ResolveToken(args *structs.ResolveACLTokenRequest, reply *structs.ResolveACLTokenResponse) error {
if err := a.srv.CheckRateLimit("ACL", acl.PolicyRead, args.AuthToken); err != nil {
return err
}

if !a.srv.config.ACLEnabled {
return aclDisabled
}
Expand Down Expand Up @@ -881,6 +930,10 @@ func (a *ACL) ResolveToken(args *structs.ResolveACLTokenRequest, reply *structs.
}

func (a *ACL) UpsertOneTimeToken(args *structs.OneTimeTokenUpsertRequest, reply *structs.OneTimeTokenUpsertResponse) error {
if err := a.srv.CheckRateLimit("ACL", acl.PolicyWrite, args.AuthToken); err != nil {
return err
}

if !a.srv.config.ACLEnabled {
return aclDisabled
}
Expand Down Expand Up @@ -933,6 +986,10 @@ func (a *ACL) UpsertOneTimeToken(args *structs.OneTimeTokenUpsertRequest, reply
// ExchangeOneTimeToken provides a one-time token's secret ID to exchange it
// for the ACL token that created that one-time token
func (a *ACL) ExchangeOneTimeToken(args *structs.OneTimeTokenExchangeRequest, reply *structs.OneTimeTokenExchangeResponse) error {
if err := a.srv.CheckRateLimit("ACL", acl.PolicyWrite, args.AuthToken); err != nil {
return err
}

if !a.srv.config.ACLEnabled {
return aclDisabled
}
Expand Down Expand Up @@ -992,6 +1049,9 @@ func (a *ACL) ExchangeOneTimeToken(args *structs.OneTimeTokenExchangeRequest, re
// ExpireOneTimeTokens removes all expired tokens from the state store. It is
// called only by garbage collection
func (a *ACL) ExpireOneTimeTokens(args *structs.OneTimeTokenExpireRequest, reply *structs.GenericResponse) error {
if err := a.srv.CheckRateLimit("ACL", acl.PolicyWrite, args.AuthToken); err != nil {
return err
}

if done, err := a.srv.forward(
"ACL.ExpireOneTimeTokens", args, args, reply); done {
Expand Down
22 changes: 22 additions & 0 deletions nomad/alloc_endpoint.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,10 @@ type Alloc struct {

// List is used to list the allocations in the system
func (a *Alloc) List(args *structs.AllocListRequest, reply *structs.AllocListResponse) error {
if err := a.srv.CheckRateLimit("Alloc", acl.PolicyList, args.AuthToken); err != nil {
return err
}

if done, err := a.srv.forward("Alloc.List", args, args, reply); done {
return err
}
Expand Down Expand Up @@ -147,6 +151,10 @@ func (a *Alloc) List(args *structs.AllocListRequest, reply *structs.AllocListRes
// GetAlloc is used to lookup a particular allocation
func (a *Alloc) GetAlloc(args *structs.AllocSpecificRequest,
reply *structs.SingleAllocResponse) error {
if err := a.srv.CheckRateLimit("Alloc", acl.PolicyRead, args.AuthToken); err != nil {
return err
}

if done, err := a.srv.forward("Alloc.GetAlloc", args, args, reply); done {
return err
}
Expand Down Expand Up @@ -216,6 +224,9 @@ func (a *Alloc) GetAlloc(args *structs.AllocSpecificRequest,
// GetAllocs is used to lookup a set of allocations
func (a *Alloc) GetAllocs(args *structs.AllocsGetRequest,
reply *structs.AllocsGetResponse) error {
if err := a.srv.CheckRateLimit("Alloc", acl.PolicyRead, a.ctx.NodeID); err != nil {
return err
}

// Ensure the connection was initiated by a client if TLS is used.
err := validateTLSCertificateLevel(a.srv, a.ctx, tlsCertificateLevelClient)
Expand Down Expand Up @@ -287,6 +298,10 @@ func (a *Alloc) GetAllocs(args *structs.AllocsGetRequest,

// Stop is used to stop an allocation and migrate it to another node.
func (a *Alloc) Stop(args *structs.AllocStopRequest, reply *structs.AllocStopResponse) error {
if err := a.srv.CheckRateLimit("Alloc", acl.PolicyWrite, args.AuthToken); err != nil {
return err
}

if done, err := a.srv.forward("Alloc.Stop", args, args, reply); done {
return err
}
Expand Down Expand Up @@ -346,6 +361,10 @@ func (a *Alloc) Stop(args *structs.AllocStopRequest, reply *structs.AllocStopRes
// UpdateDesiredTransition is used to update the desired transitions of an
// allocation.
func (a *Alloc) UpdateDesiredTransition(args *structs.AllocUpdateDesiredTransitionRequest, reply *structs.GenericResponse) error {
if err := a.srv.CheckRateLimit("Alloc", acl.PolicyWrite, args.AuthToken); err != nil {
return err
}

if done, err := a.srv.forward("Alloc.UpdateDesiredTransition", args, args, reply); done {
return err
}
Expand Down Expand Up @@ -380,6 +399,9 @@ func (a *Alloc) UpdateDesiredTransition(args *structs.AllocUpdateDesiredTransiti
func (a *Alloc) GetServiceRegistrations(
args *structs.AllocServiceRegistrationsRequest,
reply *structs.AllocServiceRegistrationsResponse) error {
if err := a.srv.CheckRateLimit("Alloc", acl.PolicyRead, args.AuthToken); err != nil {
return err
}

if done, err := a.srv.forward(structs.AllocServiceRegistrationsRPCMethod, args, args, reply); done {
return err
Expand Down
55 changes: 55 additions & 0 deletions nomad/csi_endpoint.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -93,6 +93,10 @@ func (s *Server) replySetIndex(table string, reply *structs.QueryMeta) error {

// List replies with CSIVolumes, filtered by ACL access
func (v *CSIVolume) List(args *structs.CSIVolumeListRequest, reply *structs.CSIVolumeListResponse) error {
if err := v.srv.CheckRateLimit("CSIVolume", acl.PolicyList, args.AuthToken); err != nil {
return err
}

if done, err := v.srv.forward("CSIVolume.List", args, args, reply); done {
return err
}
Expand Down Expand Up @@ -205,6 +209,10 @@ func (v *CSIVolume) List(args *structs.CSIVolumeListRequest, reply *structs.CSIV

// Get fetches detailed information about a specific volume
func (v *CSIVolume) Get(args *structs.CSIVolumeGetRequest, reply *structs.CSIVolumeGetResponse) error {
if err := v.srv.CheckRateLimit("CSIVolume", acl.PolicyRead, args.AuthToken); err != nil {
return err
}

if done, err := v.srv.forward("CSIVolume.Get", args, args, reply); done {
return err
}
Expand Down Expand Up @@ -303,6 +311,10 @@ func (v *CSIVolume) controllerValidateVolume(req *structs.CSIVolumeRegisterReque
// again with the right settings. This lets us be as strict with
// validation here as the CreateVolume CSI RPC is expected to be.
func (v *CSIVolume) Register(args *structs.CSIVolumeRegisterRequest, reply *structs.CSIVolumeRegisterResponse) error {
if err := v.srv.CheckRateLimit("CSIVolume", acl.PolicyWrite, args.AuthToken); err != nil {
return err
}

if done, err := v.srv.forward("CSIVolume.Register", args, args, reply); done {
return err
}
Expand Down Expand Up @@ -394,6 +406,10 @@ func (v *CSIVolume) Register(args *structs.CSIVolumeRegisterRequest, reply *stru

// Deregister removes a set of volumes
func (v *CSIVolume) Deregister(args *structs.CSIVolumeDeregisterRequest, reply *structs.CSIVolumeDeregisterResponse) error {
if err := v.srv.CheckRateLimit("CSIVolume", acl.PolicyWrite, args.AuthToken); err != nil {
return err
}

if done, err := v.srv.forward("CSIVolume.Deregister", args, args, reply); done {
return err
}
Expand Down Expand Up @@ -431,6 +447,10 @@ func (v *CSIVolume) Deregister(args *structs.CSIVolumeDeregisterRequest, reply *

// Claim submits a change to a volume claim
func (v *CSIVolume) Claim(args *structs.CSIVolumeClaimRequest, reply *structs.CSIVolumeClaimResponse) error {
if err := v.srv.CheckRateLimit("CSIVolume", acl.PolicyWrite, args.AuthToken); err != nil {
return err
}

if done, err := v.srv.forward("CSIVolume.Claim", args, args, reply); done {
return err
}
Expand Down Expand Up @@ -613,6 +633,10 @@ func allowCSIMount(aclObj *acl.ACL, namespace string) bool {
// ControllerUnpublish RPCs to the client. It handles errors according to the
// current claim state.
func (v *CSIVolume) Unpublish(args *structs.CSIVolumeUnpublishRequest, reply *structs.CSIVolumeUnpublishResponse) error {
if err := v.srv.CheckRateLimit("CSIVolume", acl.PolicyWrite, args.AuthToken); err != nil {
return err
}

if done, err := v.srv.forward("CSIVolume.Unpublish", args, args, reply); done {
return err
}
Expand Down Expand Up @@ -906,6 +930,9 @@ func (v *CSIVolume) checkpointClaim(vol *structs.CSIVolume, claim *structs.CSIVo
}

func (v *CSIVolume) Create(args *structs.CSIVolumeCreateRequest, reply *structs.CSIVolumeCreateResponse) error {
if err := v.srv.CheckRateLimit("CSIVolume", acl.PolicyWrite, args.AuthToken); err != nil {
return err
}

if done, err := v.srv.forward("CSIVolume.Create", args, args, reply); done {
return err
Expand Down Expand Up @@ -1031,6 +1058,10 @@ func (v *CSIVolume) createVolume(vol *structs.CSIVolume, plugin *structs.CSIPlug
}

func (v *CSIVolume) Delete(args *structs.CSIVolumeDeleteRequest, reply *structs.CSIVolumeDeleteResponse) error {
if err := v.srv.CheckRateLimit("CSIVolume", acl.PolicyWrite, args.AuthToken); err != nil {
return err
}

if done, err := v.srv.forward("CSIVolume.Delete", args, args, reply); done {
return err
}
Expand Down Expand Up @@ -1110,6 +1141,9 @@ func (v *CSIVolume) deleteVolume(vol *structs.CSIVolume, plugin *structs.CSIPlug
}

func (v *CSIVolume) ListExternal(args *structs.CSIVolumeExternalListRequest, reply *structs.CSIVolumeExternalListResponse) error {
if err := v.srv.CheckRateLimit("CSIVolume", acl.PolicyList, args.AuthToken); err != nil {
return err
}

if done, err := v.srv.forward("CSIVolume.ListExternal", args, args, reply); done {
return err
Expand Down Expand Up @@ -1170,6 +1204,9 @@ func (v *CSIVolume) ListExternal(args *structs.CSIVolumeExternalListRequest, rep
}

func (v *CSIVolume) CreateSnapshot(args *structs.CSISnapshotCreateRequest, reply *structs.CSISnapshotCreateResponse) error {
if err := v.srv.CheckRateLimit("CSIVolume", acl.PolicyWrite, args.AuthToken); err != nil {
return err
}

if done, err := v.srv.forward("CSIVolume.CreateSnapshot", args, args, reply); done {
return err
Expand Down Expand Up @@ -1261,6 +1298,9 @@ func (v *CSIVolume) CreateSnapshot(args *structs.CSISnapshotCreateRequest, reply
}

func (v *CSIVolume) DeleteSnapshot(args *structs.CSISnapshotDeleteRequest, reply *structs.CSISnapshotDeleteResponse) error {
if err := v.srv.CheckRateLimit("CSIVolume", acl.PolicyWrite, args.AuthToken); err != nil {
return err
}

if done, err := v.srv.forward("CSIVolume.DeleteSnapshot", args, args, reply); done {
return err
Expand Down Expand Up @@ -1321,6 +1361,9 @@ func (v *CSIVolume) DeleteSnapshot(args *structs.CSISnapshotDeleteRequest, reply
}

func (v *CSIVolume) ListSnapshots(args *structs.CSISnapshotListRequest, reply *structs.CSISnapshotListResponse) error {
if err := v.srv.CheckRateLimit("CSIVolume", acl.PolicyList, args.AuthToken); err != nil {
return err
}

if done, err := v.srv.forward("CSIVolume.ListSnapshots", args, args, reply); done {
return err
Expand Down Expand Up @@ -1389,6 +1432,10 @@ type CSIPlugin struct {

// List replies with CSIPlugins, filtered by ACL access
func (v *CSIPlugin) List(args *structs.CSIPluginListRequest, reply *structs.CSIPluginListResponse) error {
if err := v.srv.CheckRateLimit("CSIPlugin", acl.PolicyList, args.AuthToken); err != nil {
return err
}

if done, err := v.srv.forward("CSIPlugin.List", args, args, reply); done {
return err
}
Expand Down Expand Up @@ -1444,6 +1491,10 @@ func (v *CSIPlugin) List(args *structs.CSIPluginListRequest, reply *structs.CSIP

// Get fetches detailed information about a specific plugin
func (v *CSIPlugin) Get(args *structs.CSIPluginGetRequest, reply *structs.CSIPluginGetResponse) error {
if err := v.srv.CheckRateLimit("CSIPlugin", acl.PolicyRead, args.AuthToken); err != nil {
return err
}

if done, err := v.srv.forward("CSIPlugin.Get", args, args, reply); done {
return err
}
Expand Down Expand Up @@ -1509,6 +1560,10 @@ func (v *CSIPlugin) Get(args *structs.CSIPluginGetRequest, reply *structs.CSIPlu

// Delete deletes a plugin if it is unused
func (v *CSIPlugin) Delete(args *structs.CSIPluginDeleteRequest, reply *structs.CSIPluginDeleteResponse) error {
if err := v.srv.CheckRateLimit("CSIPlugin", acl.PolicyWrite, args.AuthToken); err != nil {
return err
}

if done, err := v.srv.forward("CSIPlugin.Delete", args, args, reply); done {
return err
}
Expand Down
Loading

0 comments on commit c2d98ad

Please sign in to comment.