Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

acl: canonicalize ACL Auth Method object #15492

Merged
merged 2 commits into from
Dec 8, 2022
Merged

acl: canonicalize ACL Auth Method object #15492

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d6b2a07
acl: canonicalize ACL Auth Method object
pkazmierczak Dec 8, 2022
3114bb5
James is right
pkazmierczak Dec 8, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion nomad/acl_endpoint.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1709,13 +1709,14 @@ func (a *ACL) UpsertAuthMethods(
return structs.NewErrRPCCoded(http.StatusBadRequest, "must specify as least one auth method")
}

// Validate each auth method, compute hash
// Validate each auth method, canonicalize, and compute hash
for idx, authMethod := range args.AuthMethods {
if err := authMethod.Validate(
a.srv.config.ACLTokenMinExpirationTTL,
a.srv.config.ACLTokenMaxExpirationTTL); err != nil {
return structs.NewErrRPCCodedf(http.StatusBadRequest, "auth method %d invalid: %v", idx, err)
}
authMethod.Canonicalize()
authMethod.SetHash()
}

Expand Down
1 change: 1 addition & 0 deletions nomad/mock/acl.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -243,5 +243,6 @@ func ACLAuthMethod() *structs.ACLAuthMethod {
ModifyIndex: 10,
}
method.SetHash()
method.Canonicalize()
return &method
}
1 change: 1 addition & 0 deletions nomad/state/state_store_acl_sso.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,7 @@ func (s *StateStore) upsertACLAuthMethodTxn(index uint64, txn *txn, method *stru
}

method.CreateIndex = existing.CreateIndex
method.CreateTime = existing.CreateTime
method.ModifyIndex = index
} else {
method.CreateIndex = index
Expand Down
10 changes: 10 additions & 0 deletions nomad/structs/acl.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -710,6 +710,16 @@ func (a *ACLAuthMethod) Copy() *ACLAuthMethod {
return c
}

// Canonicalize performs basic canonicalization on the ACL auth method object.
func (a *ACLAuthMethod) Canonicalize() {
t := time.Now().UTC()

if a.CreateTime.IsZero() {
a.CreateTime = t
}
a.ModifyTime = t
}

// Validate returns an error is the ACLAuthMethod is invalid.
//
// TODO revisit possible other validity conditions in the future
Expand Down
35 changes: 35 additions & 0 deletions nomad/structs/acl_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1061,3 +1061,38 @@ func TestACLAuthMethodConfig_Copy(t *testing.T) {
amc3.AllowedRedirectURIs = []string{"new", "urls"}
must.NotEq(t, amc1, amc3)
}

func TestACLAuthMethod_Canonicalize(t *testing.T) {
now := time.Now().UTC()
tests := []struct {
name string
inputMethod *ACLAuthMethod
}{
{
"no create time or modify time set",
&ACLAuthMethod{},
},
{
"create time set to now, modify time not set",
&ACLAuthMethod{CreateTime: now},
},
{
"both create time and modify time set",
&ACLAuthMethod{CreateTime: now, ModifyTime: now.Add(time.Hour)},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
existing := tt.inputMethod.Copy()
tt.inputMethod.Canonicalize()
if existing.CreateTime.IsZero() {
must.NotEq(t, time.Time{}, tt.inputMethod.CreateTime)
} else {
must.Eq(t, existing.CreateTime, tt.inputMethod.CreateTime)
}
if existing.ModifyTime.IsZero() {
must.NotEq(t, time.Time{}, tt.inputMethod.ModifyTime)
}
})
}
}