Affected by GO-2022-1029 and 2 other vulnerabilities

GO-2022-1029: HashiCorp Consul vulnerable to authorization bypass in github.com/hashicorp/consul

GO-2022-1121: Missing Authorization in HashiCorp Consul in github.com/hashicorp/consul

GO-2023-1827: Hashicorp Consul vulnerable to denial of service in github.com/hashicorp/consul

auth

package

v1.13.0 Latest Latest Go to latest Published: Aug 9, 2022 License: MPL-2.0 Imports: 16 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/hashicorp/consul

Links

Open Source Insights

Documentation ¶

Index ¶

Variables
func BuildTokenDescription(prefix string, meta map[string]string) (string, error)
func IsValidBindName(bindType, bindName string, availableVariables []string) (bool, error)
type ACLCache
type Binder
- func NewBinder(store BinderStateStore, datacenter string) *Binder
- func (b *Binder) Bind(authMethod *structs.ACLAuthMethod, verifiedIdentity *authmethod.Identity) (*Bindings, error)
type BinderStateStore
type Bindings
- func (b *Bindings) None() bool
type Login
- func NewLogin(binder *Binder, writer *TokenWriter) *Login
- func (l *Login) TokenForVerifiedIdentity(identity *authmethod.Identity, authMethod *structs.ACLAuthMethod, ...) (*structs.ACLToken, error)
type MockACLCache
- func NewMockACLCache(t testing.TB) *MockACLCache
- func (_m *MockACLCache) RemoveIdentityWithSecretToken(secretToken string)
type RaftApplyFn
type TokenWriter
- func NewTokenWriter(cfg TokenWriterConfig) *TokenWriter
- func (w *TokenWriter) Create(token *structs.ACLToken, fromLogin bool) (*structs.ACLToken, error)
- func (w *TokenWriter) Delete(secretID string, fromLogout bool) error
- func (w *TokenWriter) Update(token *structs.ACLToken) (*structs.ACLToken, error)
type TokenWriterConfig
type TokenWriterStore

Constants ¶

This section is empty.

Variables ¶

View Source

var ErrCannotWriteGlobalToken = errors.New("Cannot upsert global tokens within this datacenter")

ErrCannotWriteGlobalToken indicates that writing a token failed because the token is global and this is a non-primary datacenter.

Functions ¶

func BuildTokenDescription ¶

func BuildTokenDescription(prefix string, meta map[string]string) (string, error)

BuildTokenDescription builds a description for an ACLToken by encoding the given meta as JSON and applying the prefix.

func IsValidBindName ¶

func IsValidBindName(bindType, bindName string, availableVariables []string) (bool, error)

IsValidBindName returns whether the given BindName template produces valid results when interpolating the auth method's available variables.

Types ¶

type ACLCache ¶

type ACLCache interface {
	RemoveIdentityWithSecretToken(secretToken string)
}

type Binder ¶

type Binder struct {
	// contains filtered or unexported fields
}

Binder is responsible for collecting the ACL roles, service identities, node identities, and enterprise metadata to be assigned to a token generated as a result of "logging in" via an auth method.

It does so by applying the auth method's configured binding rules and in the case of enterprise, namespace rules.

func NewBinder ¶

func NewBinder(store BinderStateStore, datacenter string) *Binder

NewBinder creates a Binder with the given state store and datacenter.

func (*Binder) Bind ¶

func (b *Binder) Bind(authMethod *structs.ACLAuthMethod, verifiedIdentity *authmethod.Identity) (*Bindings, error)

Bind collects the ACL roles, service identities, etc. to be assigned to the created token.

type BinderStateStore ¶

type BinderStateStore interface {
	ACLBindingRuleList(ws memdb.WatchSet, methodName string, entMeta *acl.EnterpriseMeta) (uint64, structs.ACLBindingRules, error)
	ACLRoleGetByName(ws memdb.WatchSet, roleName string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLRole, error)
}

BinderStateStore is the subset of state store methods used by the binder.

type Bindings ¶

type Bindings struct {
	Roles             []structs.ACLTokenRoleLink
	ServiceIdentities []*structs.ACLServiceIdentity
	NodeIdentities    []*structs.ACLNodeIdentity
	EnterpriseMeta    acl.EnterpriseMeta
}

Bindings contains the ACL roles, service identities, node identities and enterprise meta to be assigned to the created token.

func (*Bindings) None ¶

func (b *Bindings) None() bool

None indicates that the resulting bindings would not give the created token access to any resources.

type Login struct {
	// contains filtered or unexported fields
}

Login wraps the process of creating an ACLToken from the identity verified by an auth method.

func NewLogin ¶

func NewLogin(binder *Binder, writer *TokenWriter) *Login

NewLogin returns a new Login with the given binder and writer.

func (l *Login) TokenForVerifiedIdentity(identity *authmethod.Identity, authMethod *structs.ACLAuthMethod, description string) (*structs.ACLToken, error)

TokenForVerifiedIdentity creates an ACLToken for the given identity verified by an auth method.

type MockACLCache ¶

type MockACLCache struct {
	mock.Mock
}

MockACLCache is an autogenerated mock type for the ACLCache type

func NewMockACLCache ¶

func NewMockACLCache(t testing.TB) *MockACLCache

NewMockACLCache creates a new instance of MockACLCache. It also registers the testing.TB interface on the mock and a cleanup function to assert the mocks expectations.

func (*MockACLCache) RemoveIdentityWithSecretToken ¶

func (_m *MockACLCache) RemoveIdentityWithSecretToken(secretToken string)

RemoveIdentityWithSecretToken provides a mock function with given fields: secretToken

type RaftApplyFn ¶

type RaftApplyFn func(structs.MessageType, interface{}) (interface{}, error)

type TokenWriter ¶

type TokenWriter struct {
	TokenWriterConfig
}

TokenWriter encapsulates the logic of writing ACL tokens to the state store including validation, cache purging, etc.

func NewTokenWriter ¶

func NewTokenWriter(cfg TokenWriterConfig) *TokenWriter

NewTokenWriter creates a new token writer.

func (*TokenWriter) Create ¶

func (w *TokenWriter) Create(token *structs.ACLToken, fromLogin bool) (*structs.ACLToken, error)

Create a new token. Setting fromLogin to true changes behavior slightly for tokens created by login (as opposed to set manually via the API).

func (*TokenWriter) Delete ¶

func (w *TokenWriter) Delete(secretID string, fromLogout bool) error

Delete the ACL token with the given SecretID from the state store.

func (*TokenWriter) Update ¶

func (w *TokenWriter) Update(token *structs.ACLToken) (*structs.ACLToken, error)

Update an existing token.

type TokenWriterConfig ¶

type TokenWriterConfig struct {
	RaftApply RaftApplyFn
	ACLCache  ACLCache
	Store     TokenWriterStore
	CheckUUID lib.UUIDCheckFunc

	MaxExpirationTTL time.Duration
	MinExpirationTTL time.Duration

	PrimaryDatacenter   string
	InPrimaryDatacenter bool
	LocalTokensEnabled  bool
}

type TokenWriterStore ¶

type TokenWriterStore interface {
	ACLTokenGetByAccessor(ws memdb.WatchSet, accessorID string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLToken, error)
	ACLTokenGetBySecret(ws memdb.WatchSet, secretID string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLToken, error)
	ACLRoleGetByID(ws memdb.WatchSet, id string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLRole, error)
	ACLRoleGetByName(ws memdb.WatchSet, name string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLRole, error)
	ACLPolicyGetByID(ws memdb.WatchSet, id string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLPolicy, error)
	ACLPolicyGetByName(ws memdb.WatchSet, name string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLPolicy, error)
	ACLTokenUpsertValidateEnterprise(token *structs.ACLToken, existing *structs.ACLToken) error
}

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL