Blame - vendor/go.etcd.io/etcd/etcdserver/apply_auth.go - voltha-go

blob: 4b094ad5d8d30e99d7e64c2173bd5c718626ca6d [file] [log] [blame]

khenaidoo	ab1f7bd	2019-11-14 14:00:27 -0500	[diff] [blame]	1	// Copyright 2016 The etcd Authors
				2	//
				3	// Licensed under the Apache License, Version 2.0 (the "License");
				4	// you may not use this file except in compliance with the License.
				5	// You may obtain a copy of the License at
				6	//
				7	// http://www.apache.org/licenses/LICENSE-2.0
				8	//
				9	// Unless required by applicable law or agreed to in writing, software
				10	// distributed under the License is distributed on an "AS IS" BASIS,
				11	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				12	// See the License for the specific language governing permissions and
				13	// limitations under the License.
				14
				15	package etcdserver
				16
				17	import (
				18	"sync"
				19
				20	"go.etcd.io/etcd/auth"
				21	pb "go.etcd.io/etcd/etcdserver/etcdserverpb"
				22	"go.etcd.io/etcd/lease"
				23	"go.etcd.io/etcd/mvcc"
				24	)
				25
				26	type authApplierV3 struct {
				27	applierV3
				28	as auth.AuthStore
				29	lessor lease.Lessor
				30
				31	// mu serializes Apply so that user isn't corrupted and so that
				32	// serialized requests don't leak data from TOCTOU errors
				33	mu sync.Mutex
				34
				35	authInfo auth.AuthInfo
				36	}
				37
				38	func newAuthApplierV3(as auth.AuthStore, base applierV3, lessor lease.Lessor) *authApplierV3 {
				39	return &authApplierV3{applierV3: base, as: as, lessor: lessor}
				40	}
				41
				42	func (aa authApplierV3) Apply(r pb.InternalRaftRequest) *applyResult {
				43	aa.mu.Lock()
				44	defer aa.mu.Unlock()
				45	if r.Header != nil {
				46	// backward-compatible with pre-3.0 releases when internalRaftRequest
				47	// does not have header field
				48	aa.authInfo.Username = r.Header.Username
				49	aa.authInfo.Revision = r.Header.AuthRevision
				50	}
				51	if needAdminPermission(r) {
				52	if err := aa.as.IsAdminPermitted(&aa.authInfo); err != nil {
				53	aa.authInfo.Username = ""
				54	aa.authInfo.Revision = 0
				55	return &applyResult{err: err}
				56	}
				57	}
				58	ret := aa.applierV3.Apply(r)
				59	aa.authInfo.Username = ""
				60	aa.authInfo.Revision = 0
				61	return ret
				62	}
				63
				64	func (aa authApplierV3) Put(txn mvcc.TxnWrite, r pb.PutRequest) (*pb.PutResponse, error) {
				65	if err := aa.as.IsPutPermitted(&aa.authInfo, r.Key); err != nil {
				66	return nil, err
				67	}
				68
				69	if err := aa.checkLeasePuts(lease.LeaseID(r.Lease)); err != nil {
				70	// The specified lease is already attached with a key that cannot
				71	// be written by this user. It means the user cannot revoke the
				72	// lease so attaching the lease to the newly written key should
				73	// be forbidden.
				74	return nil, err
				75	}
				76
				77	if r.PrevKv {
				78	err := aa.as.IsRangePermitted(&aa.authInfo, r.Key, nil)
				79	if err != nil {
				80	return nil, err
				81	}
				82	}
				83	return aa.applierV3.Put(txn, r)
				84	}
				85
				86	func (aa authApplierV3) Range(txn mvcc.TxnRead, r pb.RangeRequest) (*pb.RangeResponse, error) {
				87	if err := aa.as.IsRangePermitted(&aa.authInfo, r.Key, r.RangeEnd); err != nil {
				88	return nil, err
				89	}
				90	return aa.applierV3.Range(txn, r)
				91	}
				92
				93	func (aa authApplierV3) DeleteRange(txn mvcc.TxnWrite, r pb.DeleteRangeRequest) (*pb.DeleteRangeResponse, error) {
				94	if err := aa.as.IsDeleteRangePermitted(&aa.authInfo, r.Key, r.RangeEnd); err != nil {
				95	return nil, err
				96	}
				97	if r.PrevKv {
				98	err := aa.as.IsRangePermitted(&aa.authInfo, r.Key, r.RangeEnd)
				99	if err != nil {
				100	return nil, err
				101	}
				102	}
				103
				104	return aa.applierV3.DeleteRange(txn, r)
				105	}
				106
				107	func checkTxnReqsPermission(as auth.AuthStore, ai auth.AuthInfo, reqs []pb.RequestOp) error {
				108	for _, requ := range reqs {
				109	switch tv := requ.Request.(type) {
				110	case *pb.RequestOp_RequestRange:
				111	if tv.RequestRange == nil {
				112	continue
				113	}
				114
				115	if err := as.IsRangePermitted(ai, tv.RequestRange.Key, tv.RequestRange.RangeEnd); err != nil {
				116	return err
				117	}
				118
				119	case *pb.RequestOp_RequestPut:
				120	if tv.RequestPut == nil {
				121	continue
				122	}
				123
				124	if err := as.IsPutPermitted(ai, tv.RequestPut.Key); err != nil {
				125	return err
				126	}
				127
				128	case *pb.RequestOp_RequestDeleteRange:
				129	if tv.RequestDeleteRange == nil {
				130	continue
				131	}
				132
				133	if tv.RequestDeleteRange.PrevKv {
				134	err := as.IsRangePermitted(ai, tv.RequestDeleteRange.Key, tv.RequestDeleteRange.RangeEnd)
				135	if err != nil {
				136	return err
				137	}
				138	}
				139
				140	err := as.IsDeleteRangePermitted(ai, tv.RequestDeleteRange.Key, tv.RequestDeleteRange.RangeEnd)
				141	if err != nil {
				142	return err
				143	}
				144	}
				145	}
				146
				147	return nil
				148	}
				149
				150	func checkTxnAuth(as auth.AuthStore, ai auth.AuthInfo, rt pb.TxnRequest) error {
				151	for _, c := range rt.Compare {
				152	if err := as.IsRangePermitted(ai, c.Key, c.RangeEnd); err != nil {
				153	return err
				154	}
				155	}
				156	if err := checkTxnReqsPermission(as, ai, rt.Success); err != nil {
				157	return err
				158	}
				159	return checkTxnReqsPermission(as, ai, rt.Failure)
				160	}
				161
				162	func (aa authApplierV3) Txn(rt pb.TxnRequest) (*pb.TxnResponse, error) {
				163	if err := checkTxnAuth(aa.as, &aa.authInfo, rt); err != nil {
				164	return nil, err
				165	}
				166	return aa.applierV3.Txn(rt)
				167	}
				168
				169	func (aa authApplierV3) LeaseRevoke(lc pb.LeaseRevokeRequest) (*pb.LeaseRevokeResponse, error) {
				170	if err := aa.checkLeasePuts(lease.LeaseID(lc.ID)); err != nil {
				171	return nil, err
				172	}
				173	return aa.applierV3.LeaseRevoke(lc)
				174	}
				175
				176	func (aa *authApplierV3) checkLeasePuts(leaseID lease.LeaseID) error {
				177	lease := aa.lessor.Lookup(leaseID)
				178	if lease != nil {
				179	for _, key := range lease.Keys() {
				180	if err := aa.as.IsPutPermitted(&aa.authInfo, []byte(key)); err != nil {
				181	return err
				182	}
				183	}
				184	}
				185
				186	return nil
				187	}
				188
				189	func (aa authApplierV3) UserGet(r pb.AuthUserGetRequest) (*pb.AuthUserGetResponse, error) {
				190	err := aa.as.IsAdminPermitted(&aa.authInfo)
				191	if err != nil && r.Name != aa.authInfo.Username {
				192	aa.authInfo.Username = ""
				193	aa.authInfo.Revision = 0
				194	return &pb.AuthUserGetResponse{}, err
				195	}
				196
				197	return aa.applierV3.UserGet(r)
				198	}
				199
				200	func (aa authApplierV3) RoleGet(r pb.AuthRoleGetRequest) (*pb.AuthRoleGetResponse, error) {
				201	err := aa.as.IsAdminPermitted(&aa.authInfo)
				202	if err != nil && !aa.as.HasRole(aa.authInfo.Username, r.Role) {
				203	aa.authInfo.Username = ""
				204	aa.authInfo.Revision = 0
				205	return &pb.AuthRoleGetResponse{}, err
				206	}
				207
				208	return aa.applierV3.RoleGet(r)
				209	}
				210
				211	func needAdminPermission(r *pb.InternalRaftRequest) bool {
				212	switch {
				213	case r.AuthEnable != nil:
				214	return true
				215	case r.AuthDisable != nil:
				216	return true
				217	case r.AuthUserAdd != nil:
				218	return true
				219	case r.AuthUserDelete != nil:
				220	return true
				221	case r.AuthUserChangePassword != nil:
				222	return true
				223	case r.AuthUserGrantRole != nil:
				224	return true
				225	case r.AuthUserRevokeRole != nil:
				226	return true
				227	case r.AuthRoleAdd != nil:
				228	return true
				229	case r.AuthRoleGrantPermission != nil:
				230	return true
				231	case r.AuthRoleRevokePermission != nil:
				232	return true
				233	case r.AuthRoleDelete != nil:
				234	return true
				235	case r.AuthUserList != nil:
				236	return true
				237	case r.AuthRoleList != nil:
				238	return true
				239	default:
				240	return false
				241	}
				242	}