consul
Fix acl dc validation
Description: During creation and update of the various ACL objects (policy/role/token), the input value for datacenter is not validated. The dc name should be in a valid format and in tune with the format allowed for the -datacenter value when starting up a consul agent.
Testing & Reproduction steps: Reproduction steps are provided in issue #15229.
Testing with the fix: Although new test cases have been added, I have included the manual test results with the fix under ref [1] below.
Links
- This PR is to handle the issue reported under - https://github.com/hashicorp/consul/issues/15229
- This also takes into consideration the feedback provided by @jkirschner-hashicorp & @rboyer in my previous (self-invalidated) PR: https://github.com/hashicorp/consul/pull/15230
PR Checklist
[Y] updated test coverage
[N] external facing docs updated
[Y] not a security concern
[1]:
Policy validation:
Create:
(venv) vyanamandra bin $ ./consul acl policy create -name v1 -valid-datacenter="dc1[dc2]"
Failed to create new policy: Unexpected response code: 500 (valid-datacenter can only contain lowercase alphanumeric, - or _ characters. received: "dc1[dc2]")
(venv) vyanamandra bin $
(venv) vyanamandra bin $ ./consul acl policy create -name v3 -valid-datacenter=''
ID: 933ee168-563c-4238-9a90-94291e7cfc53
Name: v3
Description:
Datacenters:
Rules:
(venv) vyanamandra bin $ curl -X PUT -H 'X-Consul-Token: root' -d '{ "Name": "n1-curl", "Rules": "node_prefix \"\" { policy = \"read\"}", "Datacenters": ["dc1#dc2"] } ' http://localhost:8500/v1/acl/policy
valid-datacenter can only contain lowercase alphanumeric, - or _ characters. received: "dc1#dc2"%
(venv) vyanamandra bin $ curl -X PUT -H 'X-Consul-Token: root' -d '{ "Name": "n1-curl", "Rules": "node_prefix \"\" { policy = \"read\"}", "Datacenters": [""] } ' http://localhost:8500/v1/acl/policy
{
"ID": "0cbb30fd-ad38-2027-b840-457c20cfcb1b",
"Name": "n1-curl",
"Description": "",
"Rules": "node_prefix \"\" { policy = \"read\"}",
"Datacenters": [
""
],
"Hash": "MFo3jRvx2soM08AsiwgtLAKcHIYavzJVyp7eUB3a0Ew=",
"CreateIndex": 284,
"ModifyIndex": 284
}
(venv) vyanamandra bin $
Update:
(venv) vyanamandra bin $ ./consul acl policy update -name v3 -valid-datacenter="dc1dc2[dc3]"
Error updating policy "6dfd4a2c-52f0-5f95-0e2a-1c20ba43561c": Unexpected response code: 500 (valid-datacenter can only contain lowercase alphanumeric, - or _ characters. received: "dc1dc2[dc3]")
(venv) vyanamandra bin $
(venv) vyanamandra bin $ ./consul acl policy update -name v3 -valid-datacenter=' '
Error updating policy "933ee168-563c-4238-9a90-94291e7cfc53": Unexpected response code: 500 (valid-datacenter can only contain lowercase alphanumeric, - or _ characters. received: " ")
(venv) vyanamandra bin $ ./consul acl policy update -name v3 -valid-datacenter=''
ID: 933ee168-563c-4238-9a90-94291e7cfc53
Name: v3
Description:
Datacenters:
Rules:
(venv) vyanamandra bin $
(venv) vyanamandra bin $ curl -X PUT -H 'X-Consul-Token: root' -d '{ "Name": "node-read", "Rules": "node_prefix \"\" { policy = \"read\"}", "Datacenters": ["dc1"] } ' http://localhost:8500/v1/acl/policy
{
"ID": "c8454f7d-510b-3ad1-0e39-aeebe5fca6f9",
"Name": "node-read",
"Description": "",
"Rules": "node_prefix \"\" { policy = \"read\"}",
"Datacenters": [
"dc1"
],
"Hash": "UaWvnu3K8cvkTBL88yP1KGL3eksF+8U2Z36vIAxGbI8=",
"CreateIndex": 272,
"ModifyIndex": 272
}
(venv) vyanamandra bin $ curl -X PUT -H 'X-Consul-Token: root' -d '{ "Name": "node-read", "Rules": "node_prefix \"\" { policy = \"read\"}", "Datacenters": ["dc1#dc2"] } ' http://localhost:8500/v1/acl/policy/c8454f7d-510b-3ad1-0e39-aeebe5fca6f9
valid-datacenter can only contain lowercase alphanumeric, - or _ characters. received: "dc1#dc2"%
(venv) vyanamandra bin $ curl -X PUT -H 'X-Consul-Token: root' -d '{ "Name": "node-read", "Rules": "node_prefix \"\" { policy = \"read\"}", "Datacenters": [""] } ' http://localhost:8500/v1/acl/policy/e4207739-7932-0814-cd00-a675f776012e
{
"ID": "c8454f7d-510b-3ad1-0e39-aeebe5fca6f9",
"Name": "node-read",
"Description": "",
"Rules": "node_prefix \"\" { policy = \"read\"}",
"Datacenters": [
""
],
"Hash": "9o26GEzG5CzNx0nyK4Xq+iLyJnPU6SN+6qyllWulPak=",
"CreateIndex": 272,
"ModifyIndex": 278
}
(venv) vyanamandra bin $
Role validation:
Create:
(venv) vyanamandra bin $ ./consul acl role create -name r5 -service-identity="s1:dc1#dc2"
Failed to create new role: Unexpected response code: 500 (Service identity's datacenter can only contain lowercase alphanumeric, - or _ characters. received: "dc1#dc2")
(venv) vyanamandra bin $ ./consul acl role create -name r5 -node-identity="s1:dc1#dc2"
Failed to create new role: Unexpected response code: 500 (Node identity's datacenter can only contain lowercase alphanumeric, - or _ characters. received: "dc1#dc2")
(venv) vyanamandra bin $ ./consul acl role create -name r5 -node-identity="s1"
Malformed -node-identity argument: "s1"
(venv) vyanamandra bin $ ./consul acl role create -name r5 -node-identity="s1:"
Failed to create new role: Unexpected response code: 500 (Node identity's datacenter cannot be empty)
(venv) vyanamandra bin $ ./consul acl role create -name r5 -service-identity="s1"
ID: 656d637e-65a1-335f-a52c-01613dfb0fd4
Name: r5
Description:
Service Identities:
s1 (Datacenters: all)
(venv) vyanamandra bin $ ./consul acl role create -name r6 -service-identity="s1:"
ID: 24bcfa70-568b-a239-f6bd-367e38a1a16d
Name: r6
Description:
Service Identities:
s1 (Datacenters: )
(venv) vyanamandra bin $
(venv) vyanamandra bin $ curl -X PUT -H 'X-Consul-Token: root' -d '{ "Name": "e0", "ServiceIdentities": [ { "ServiceName": "db", "Datacenters": [""] } ]}' http://localhost:8500/v1/acl/role
{
"ID": "4fcf95a8-79b7-89bb-0b83-a542d2324718",
"Name": "e0",
"Description": "",
"ServiceIdentities": [
{
"ServiceName": "db",
"Datacenters": [
""
]
}
],
"Hash": "wfb/M7Iv2wzvc7nep/t8klm/eGc/9N1aSynA+17W6iU=",
"CreateIndex": 303,
"ModifyIndex": 303
}
(venv) vyanamandra bin $ curl -X PUT -H 'X-Consul-Token: root' -d '{ "Name": "e1", "ServiceIdentities": [ { "ServiceName": "db", "Datacenters": ["dc1#dc2"] } ]}' http://localhost:8500/v1/acl/role
Service identity's datacenter can only contain lowercase alphanumeric, - or _ characters. received: "dc1#dc2"%
(venv) vyanamandra bin $ curl -X PUT -H 'X-Consul-Token: root' -d '{ "Name": "e2", "NodeIdentities": [ { "NodeName": "node-1", "Datacenter": "dc2#dc3" } ] }' http://localhost:8500/v1/acl/role
Node identity's datacenter can only contain lowercase alphanumeric, - or _ characters. received: "dc2#dc3"%
(venv) vyanamandra bin $ curl -X PUT -H 'X-Consul-Token: root' -d '{ "Name": "e3", "NodeIdentities": [ { "NodeName": "node-1", "Datacenter": "" } ] }' http://localhost:8500/v1/acl/role
Node identity's datacenter cannot be empty%
(venv) vyanamandra bin $
Update:
(venv) vyanamandra bin $ ./consul acl role update -id=501e7558-e00f-11d2-68e9-23ad519df052 -service-identity="s1:dc1#dc2"
Error updating role "656d637e-65a1-335f-a52c-01613dfb0fd4": Unexpected response code: 500 (Service identity's datacenter can only contain lowercase alphanumeric, - or _ characters. received: "dc1#dc2")
(venv) vyanamandra bin $ ./consul acl role update -id=501e7558-e00f-11d2-68e9-23ad519df052 -node-identity="s1:dc1#dc2"
Error updating role "656d637e-65a1-335f-a52c-01613dfb0fd4": Unexpected response code: 500 (Node identity's datacenter can only contain lowercase alphanumeric, - or _ characters. received: "dc1#dc2")
(venv) vyanamandra bin $ ./consul acl role update -id=501e7558-e00f-11d2-68e9-23ad519df052 -node-identity="s1:"
Error updating role "656d637e-65a1-335f-a52c-01613dfb0fd4": Unexpected response code: 500 (Node identity's datacenter cannot be empty)
(venv) vyanamandra bin $ ./consul acl role update -id=501e7558-e00f-11d2-68e9-23ad519df052 -node-identity="s1:dc1dc2dc3"
ID: 656d637e-65a1-335f-a52c-01613dfb0fd4
Name: r5
Description:
Service Identities:
s1 (Datacenters: all)
Node Identities:
s1 (Datacenter: dc1dc2dc3)
(venv) vyanamandra bin $
(venv) vyanamandra bin $ curl -X PUT -H 'X-Consul-Token: root' -d '{ "Name": "e6", "ServiceIdentities": [ { "ServiceName": "db", "Datacenters": [""] } ]}' http://localhost:8500/v1/acl/role/501e7558-e00f-11d2-68e9-23ad519df052
{
"ID": "4fcf95a8-79b7-89bb-0b83-a542d2324718",
"Name": "e6",
"Description": "",
"ServiceIdentities": [
{
"ServiceName": "db",
"Datacenters": [
""
]
}
],
"Hash": "WBj9UuhZTY0QSGuhTkLM/vr45hpoEiAKoLl8UZcrr0k=",
"CreateIndex": 303,
"ModifyIndex": 314
}
(venv) vyanamandra bin $ curl -X PUT -H 'X-Consul-Token: root' -d '{ "Name": "e7", "ServiceIdentities": [ { "ServiceName": "db", "Datacenters": ["dc1#dc2"] } ]}' http://localhost:8500/v1/acl/role/501e7558-e00f-11d2-68e9-23ad519df052
Service identity's datacenter can only contain lowercase alphanumeric, - or _ characters. received: "dc1#dc2"%
(venv) vyanamandra bin $ curl -X PUT -H 'X-Consul-Token: root' -d '{ "Name": "e8", "NodeIdentities": [ { "NodeName": "node-1", "Datacenter": "dc2#dc3" } ] }' http://localhost:8500/v1/acl/role/501e7558-e00f-11d2-68e9-23ad519df052
Node identity's datacenter can only contain lowercase alphanumeric, - or _ characters. received: "dc2#dc3"%
(venv) vyanamandra bin $ curl -X PUT -H 'X-Consul-Token: root' -d '{ "Name": "e9", "NodeIdentities": [ { "NodeName": "node-1", "Datacenter": "" } ] }' http://localhost:8500/v1/acl/role/501e7558-e00f-11d2-68e9-23ad519df052
Node identity's datacenter cannot be empty%
(venv) vyanamandra bin $
Token validation:
Create:
(venv) vyanamandra bin $ ./consul acl token create -node-identity="n1"
Malformed -node-identity argument: "n1"
(venv) vyanamandra bin $ ./consul acl token create -node-identity="n1:"
Failed to create new token: Unexpected response code: 500 (Node identity's datacenter cannot be empty)
(venv) vyanamandra bin $ ./consul acl token create -node-identity="n1:dc1#dc2"
Failed to create new token: Unexpected response code: 500 (Node identity's datacenter can only contain lowercase alphanumeric, - or _ characters. received: "dc1#dc2")
(venv) vyanamandra bin $ ./consul acl token create -node-identity="n1:dc1dc2"
AccessorID: 364a551d-a2b5-cfad-9ea2-3faf25abd848
SecretID: 4afe733c-7a71-07e7-0e44-d19e288c4275
Description:
Local: false
Create Time: 2022-11-25 11:25:03.606844 -0800 PST
Node Identities:
n1 (Datacenter: dc1dc2)
(venv) vyanamandra bin $ curl -X PUT -H 'X-Consul-Token: root' -d '{"Local": false, "NodeIdentities": [{"NodeName": "n1", "Datacenter": ""}]}' http://localhost:8500/v1/acl/token
Node identity's datacenter cannot be empty%
(venv) vyanamandra bin $ curl -X PUT -H 'X-Consul-Token: root' -d '{"Local": false, "NodeIdentities": [{"NodeName": "n1", "Datacenter": "dc1#dc2"}]}' http://localhost:8500/v1/acl/token
Node identity's datacenter can only contain lowercase alphanumeric, - or _ characters. received: "dc1#dc2"%
(venv) vyanamandra bin $ curl -X PUT -H 'X-Consul-Token: root' -d '{"Local": false, "ServiceIdentities": [{"ServiceName": "n1", "Datacenters": ["dc3#dc4"]}]}' http://localhost:8500/v1/acl/token
Service identity's datacenter can only contain lowercase alphanumeric, - or _ characters. received: "dc3#dc4"%
(venv) vyanamandra bin $ curl -X PUT -H 'X-Consul-Token: root' -d '{"Local": false, "ServiceIdentities": [{"ServiceName": "n1", "Datacenters": [""]}]}' http://localhost:8500/v1/acl/token
{
"AccessorID": "7c8b32af-5382-41a6-e0c8-2d3dfa55e2da",
"SecretID": "42fc4f1d-5325-1467-ca60-dda60e2d38f4",
"Description": "",
"ServiceIdentities": [
{
"ServiceName": "n1",
"Datacenters": [
""
]
}
],
"Local": false,
"CreateTime": "2022-11-25T11:50:55.340063-08:00",
"Hash": "EXXmIDF4AfTRIoQHVcUzfGGC/kPWh0URsPO+YyOghdU=",
"CreateIndex": 342,
"ModifyIndex": 342
}
(venv) vyanamandra bin $
Update:
(venv) vyanamandra bin $ ./consul acl token update -id 3fe08047-9121-86b1-2801-73898fb99083 -node-identity="n1:"
Failed to update token 364a551d-a2b5-cfad-9ea2-3faf25abd848: Unexpected response code: 500 (Node identity's datacenter cannot be empty)
(venv) vyanamandra bin $ ./consul acl token update -id 3fe08047-9121-86b1-2801-73898fb99083 -node-identity="n1:dc1dc2#dc3"
Failed to update token 364a551d-a2b5-cfad-9ea2-3faf25abd848: Unexpected response code: 500 (Node identity's datacenter can only contain lowercase alphanumeric, - or _ characters. received: "dc1dc2#dc3")
(venv) vyanamandra bin $ ./consul acl token update -id 3fe08047-9121-86b1-2801-73898fb99083 -node-identity="n1:dc1dc2dc3"
AccessorID: 364a551d-a2b5-cfad-9ea2-3faf25abd848
SecretID: 4afe733c-7a71-07e7-0e44-d19e288c4275
Description:
Local: false
Create Time: 2022-11-25 11:25:03.606844 -0800 PST
Node Identities:
n1 (Datacenter: dc1dc2dc3)
(venv) vyanamandra bin $
(venv) vyanamandra bin $ curl -X PUT -H 'X-Consul-Token: root' -d '{"Local": false, "NodeIdentities": [{"NodeName": "n2", "Datacenter": ""}]}' http://localhost:8500/v1/acl/token/3fe08047-9121-86b1-2801-73898fb99083
Node identity's datacenter cannot be empty%
(venv) vyanamandra bin $ curl -X PUT -H 'X-Consul-Token: root' -d '{"Local": false, "NodeIdentities": [{"NodeName": "n3", "Datacenter": "dc1#dc2"}]}' http://localhost:8500/v1/acl/token/3fe08047-9121-86b1-2801-73898fb99083
Node identity's datacenter can only contain lowercase alphanumeric, - or _ characters. received: "dc1#dc2"%
(venv) vyanamandra bin $ curl -X PUT -H 'X-Consul-Token: root' -d '{"Local": false, "ServiceIdentities": [{"ServiceName": "s1", "Datacenters": ["dc3#dc4"]}]}' http://localhost:8500/v1/acl/token/3fe08047-9121-86b1-2801-73898fb99083
Service identity's datacenter can only contain lowercase alphanumeric, - or _ characters. received: "dc3#dc4"%
(venv) vyanamandra bin $ curl -X PUT -H 'X-Consul-Token: root' -d '{"Local": false, "ServiceIdentities": [{"ServiceName": "s2", "Datacenters": ["dc33"]}]}' http://localhost:8500/v1/acl/token/3fe08047-9121-86b1-2801-73898fb99083
{
"AccessorID": "7c8b32af-5382-41a6-e0c8-2d3dfa55e2da",
"SecretID": "42fc4f1d-5325-1467-ca60-dda60e2d38f4",
"Description": "",
"ServiceIdentities": [
{
"ServiceName": "s2",
"Datacenters": [
"dc33"
]
}
],
"Local": false,
"CreateTime": "2022-11-25T11:50:55.340063-08:00",
"Hash": "fSe6ICtZOoLiwxwd2DIZkTmLFXxQPG6vz5Cmni0hkks=",
"CreateIndex": 342,
"ModifyIndex": 351
}
(venv) vyanamandra bin $
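The rule the transcript above exercises, written out as an added Go example for the reader: this is not Consul's code and not part of this PR. The regular expression, the `allowEmpty` switch (policy and service-identity datacenter lists store an empty entry in the transcript, while a node identity's datacenter is rejected when empty), the trimmed-down `ServiceIdentity`/`NodeIdentity` structs and the CLI-side `name:datacenter` split are all assumptions modelled on the error messages shown in the session logs.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// dcNameRE is an assumption made for this example: it encodes the rule the
// PR's error messages state (lowercase alphanumeric, - or _ only). It is not
// Consul's own validator.
var dcNameRE = regexp.MustCompile(`^[a-z0-9_-]+$`)

// ValidateDatacenter checks a single datacenter name. field is only used in
// the error text so the caller can see which object the bad value came from.
// allowEmpty mirrors the transcript: policy and service-identity datacenter
// lists accept "", while a node identity's datacenter must not be empty.
func ValidateDatacenter(field, dc string, allowEmpty bool) error {
	if dc == "" {
		if allowEmpty {
			return nil
		}
		return fmt.Errorf("%s cannot be empty", field)
	}
	if !dcNameRE.MatchString(dc) {
		return fmt.Errorf("%s can only contain lowercase alphanumeric, - or _ characters. received: %q", field, dc)
	}
	return nil
}

// ServiceIdentity and NodeIdentity are trimmed-down stand-ins (assumed for
// this example) for the ServiceIdentities / NodeIdentities entries in the
// API payloads shown in the transcript.
type ServiceIdentity struct {
	ServiceName string
	Datacenters []string
}

type NodeIdentity struct {
	NodeName   string
	Datacenter string
}

// ValidatePolicyDatacenters checks a policy's Datacenters list.
func ValidatePolicyDatacenters(dcs []string) error {
	for _, dc := range dcs {
		if err := ValidateDatacenter("valid-datacenter", dc, true); err != nil {
			return err
		}
	}
	return nil
}

// ValidateServiceIdentity checks every datacenter on a service identity.
func ValidateServiceIdentity(si ServiceIdentity) error {
	for _, dc := range si.Datacenters {
		if err := ValidateDatacenter("Service identity's datacenter", dc, true); err != nil {
			return err
		}
	}
	return nil
}

// ValidateNodeIdentity checks a node identity; its datacenter is mandatory.
func ValidateNodeIdentity(ni NodeIdentity) error {
	return ValidateDatacenter("Node identity's datacenter", ni.Datacenter, false)
}

// ParseNodeIdentityFlag splits a CLI -node-identity value of the form
// "node:datacenter" (malformed without the colon, as in the transcript) and
// runs the datacenter check on the second part.
func ParseNodeIdentityFlag(arg string) (NodeIdentity, error) {
	i := strings.Index(arg, ":")
	if i < 0 {
		return NodeIdentity{}, fmt.Errorf("Malformed -node-identity argument: %q", arg)
	}
	ni := NodeIdentity{NodeName: arg[:i], Datacenter: arg[i+1:]}
	if err := ValidateNodeIdentity(ni); err != nil {
		return NodeIdentity{}, err
	}
	return ni, nil
}

func main() {
	// Constructed inputs, taken from the shapes tried in the transcript.
	cases := []struct {
		label string
		err   error
	}{
		{"policy dc1[dc2]", ValidatePolicyDatacenters([]string{"dc1[dc2]"})},
		{"policy empty", ValidatePolicyDatacenters([]string{""})},
		{"service dc1#dc2", ValidateServiceIdentity(ServiceIdentity{"db", []string{"dc1#dc2"}})},
		{"node empty", ValidateNodeIdentity(NodeIdentity{"node-1", ""})},
		{"node dc1dc2dc3", ValidateNodeIdentity(NodeIdentity{"n1", "dc1dc2dc3"})},
	}
	for _, c := range cases {
		fmt.Printf("%-16s -> %v\n", c.label, c.err)
	}
	if _, err := ParseNodeIdentityFlag("s1"); err != nil {
		fmt.Println("flag s1 ->", err)
	}
}
```

The error strings reuse the wording from the session logs so each outcome can be compared with the transcript line by line. The check is applied on the server side of every create and update path, which is what closes the gap the issue describes: a client that bypasses the CLI and talks to the HTTP API directly still gets the same rejection.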
@vyanamandra : Just checking, is this ready for review? Or is there anything else you're finishing up first?
Thanks for expanding this from the initial PR!
Yes @jkirschner-hashicorp . It is ready for a review.
This pull request has been automatically flagged for inactivity because it has not been acted upon in the last 60 days. It will be closed if no new activity occurs in the next 30 days. Please feel free to re-open to resurrect the change if you feel this has happened by mistake. Thank you for your contributions.
Closing due to inactivity. If you feel this was a mistake or you wish to re-open at any time in the future, please leave a comment and it will be re-surfaced for the maintainers to review.