github.com/manicqin/nomad@v0.9.5/nomad/search_endpoint_oss.go

github.com/manicqin/nomad@v0.9.5/nomad/search_endpoint_oss.go (about)

     1  // +build !pro,!ent
     2  
     3  package nomad
     4  
     5  import (
     6  	"fmt"
     7  
     8  	memdb "github.com/hashicorp/go-memdb"
     9  	"github.com/hashicorp/nomad/acl"
    10  	"github.com/hashicorp/nomad/nomad/state"
    11  	"github.com/hashicorp/nomad/nomad/structs"
    12  )
    13  
    14  var (
    15  	// allContexts are the available contexts which are searched to find matches
    16  	// for a given prefix
    17  	allContexts = ossContexts
    18  )
    19  
    20  // contextToIndex returns the index name to lookup in the state store.
    21  func contextToIndex(ctx structs.Context) string {
    22  	return string(ctx)
    23  }
    24  
    25  // getEnterpriseMatch is a no-op in oss since there are no enterprise objects.
    26  func getEnterpriseMatch(match interface{}) (id string, ok bool) {
    27  	return "", false
    28  }
    29  
    30  // getEnterpriseResourceIter is used to retrieve an iterator over an enterprise
    31  // only table.
    32  func getEnterpriseResourceIter(context structs.Context, _ *acl.ACL, namespace, prefix string, ws memdb.WatchSet, state *state.StateStore) (memdb.ResultIterator, error) {
    33  	// If we have made it here then it is an error since we have exhausted all
    34  	// open source contexts.
    35  	return nil, fmt.Errorf("context must be one of %v or 'all' for all contexts; got %q", allContexts, context)
    36  }
    37  
    38  // anySearchPerms returns true if the provided ACL has access to any
    39  // capabilities required for prefix searching. Returns true if aclObj is nil.
    40  func anySearchPerms(aclObj *acl.ACL, namespace string, context structs.Context) bool {
    41  	if aclObj == nil {
    42  		return true
    43  	}
    44  
    45  	nodeRead := aclObj.AllowNodeRead()
    46  	jobRead := aclObj.AllowNsOp(namespace, acl.NamespaceCapabilityReadJob)
    47  	if !nodeRead && !jobRead {
    48  		return false
    49  	}
    50  
    51  	// Reject requests that explicitly specify a disallowed context. This
    52  	// should give the user better feedback then simply filtering out all
    53  	// results and returning an empty list.
    54  	if !nodeRead && context == structs.Nodes {
    55  		return false
    56  	}
    57  	if !jobRead {
    58  		switch context {
    59  		case structs.Allocs, structs.Deployments, structs.Evals, structs.Jobs:
    60  			return false
    61  		}
    62  	}
    63  
    64  	return true
    65  }
    66  
    67  // searchContexts returns the contexts the aclObj is valid for. If aclObj is
    68  // nil all contexts are returned.
    69  func searchContexts(aclObj *acl.ACL, namespace string, context structs.Context) []structs.Context {
    70  	var all []structs.Context
    71  
    72  	switch context {
    73  	case structs.All:
    74  		all = make([]structs.Context, len(allContexts))
    75  		copy(all, allContexts)
    76  	default:
    77  		all = []structs.Context{context}
    78  	}
    79  
    80  	// If ACLs aren't enabled return all contexts
    81  	if aclObj == nil {
    82  		return all
    83  	}
    84  
    85  	jobRead := aclObj.AllowNsOp(namespace, acl.NamespaceCapabilityReadJob)
    86  
    87  	// Filter contexts down to those the ACL grants access to
    88  	available := make([]structs.Context, 0, len(all))
    89  	for _, c := range all {
    90  		switch c {
    91  		case structs.Allocs, structs.Jobs, structs.Evals, structs.Deployments:
    92  			if jobRead {
    93  				available = append(available, c)
    94  			}
    95  		case structs.Nodes:
    96  			if aclObj.AllowNodeRead() {
    97  				available = append(available, c)
    98  			}
    99  		}
   100  	}
   101  	return available
   102  }