github.phpd.cn/hashicorp/consul@v1.4.5/api/acl.go (about) 1 package api 2 3 import ( 4 "fmt" 5 "io" 6 "io/ioutil" 7 "time" 8 ) 9 10 const ( 11 // ACLClientType is the client type token 12 ACLClientType = "client" 13 14 // ACLManagementType is the management type token 15 ACLManagementType = "management" 16 ) 17 18 type ACLTokenPolicyLink struct { 19 ID string 20 Name string 21 } 22 23 // ACLToken represents an ACL Token 24 type ACLToken struct { 25 CreateIndex uint64 26 ModifyIndex uint64 27 AccessorID string 28 SecretID string 29 Description string 30 Policies []*ACLTokenPolicyLink 31 Local bool 32 CreateTime time.Time `json:",omitempty"` 33 Hash []byte `json:",omitempty"` 34 35 // DEPRECATED (ACL-Legacy-Compat) 36 // Rules will only be present for legacy tokens returned via the new APIs 37 Rules string `json:",omitempty"` 38 } 39 40 type ACLTokenListEntry struct { 41 CreateIndex uint64 42 ModifyIndex uint64 43 AccessorID string 44 Description string 45 Policies []*ACLTokenPolicyLink 46 Local bool 47 CreateTime time.Time 48 Hash []byte 49 Legacy bool 50 } 51 52 // ACLEntry is used to represent a legacy ACL token 53 // The legacy tokens are deprecated. 54 type ACLEntry struct { 55 CreateIndex uint64 56 ModifyIndex uint64 57 ID string 58 Name string 59 Type string 60 Rules string 61 } 62 63 // ACLReplicationStatus is used to represent the status of ACL replication. 64 type ACLReplicationStatus struct { 65 Enabled bool 66 Running bool 67 SourceDatacenter string 68 ReplicationType string 69 ReplicatedIndex uint64 70 ReplicatedTokenIndex uint64 71 LastSuccess time.Time 72 LastError time.Time 73 } 74 75 // ACLPolicy represents an ACL Policy. 76 type ACLPolicy struct { 77 ID string 78 Name string 79 Description string 80 Rules string 81 Datacenters []string 82 Hash []byte 83 CreateIndex uint64 84 ModifyIndex uint64 85 } 86 87 type ACLPolicyListEntry struct { 88 ID string 89 Name string 90 Description string 91 Datacenters []string 92 Hash []byte 93 CreateIndex uint64 94 ModifyIndex uint64 95 } 96 97 // ACL can be used to query the ACL endpoints 98 type ACL struct { 99 c *Client 100 } 101 102 // ACL returns a handle to the ACL endpoints 103 func (c *Client) ACL() *ACL { 104 return &ACL{c} 105 } 106 107 // Bootstrap is used to perform a one-time ACL bootstrap operation on a cluster 108 // to get the first management token. 109 func (a *ACL) Bootstrap() (*ACLToken, *WriteMeta, error) { 110 r := a.c.newRequest("PUT", "/v1/acl/bootstrap") 111 rtt, resp, err := requireOK(a.c.doRequest(r)) 112 if err != nil { 113 return nil, nil, err 114 } 115 defer resp.Body.Close() 116 117 wm := &WriteMeta{RequestTime: rtt} 118 var out ACLToken 119 if err := decodeBody(resp, &out); err != nil { 120 return nil, nil, err 121 } 122 return &out, wm, nil 123 } 124 125 // Create is used to generate a new token with the given parameters 126 // 127 // Deprecated: Use TokenCreate instead. 128 func (a *ACL) Create(acl *ACLEntry, q *WriteOptions) (string, *WriteMeta, error) { 129 r := a.c.newRequest("PUT", "/v1/acl/create") 130 r.setWriteOptions(q) 131 r.obj = acl 132 rtt, resp, err := requireOK(a.c.doRequest(r)) 133 if err != nil { 134 return "", nil, err 135 } 136 defer resp.Body.Close() 137 138 wm := &WriteMeta{RequestTime: rtt} 139 var out struct{ ID string } 140 if err := decodeBody(resp, &out); err != nil { 141 return "", nil, err 142 } 143 return out.ID, wm, nil 144 } 145 146 // Update is used to update the rules of an existing token 147 // 148 // Deprecated: Use TokenUpdate instead. 149 func (a *ACL) Update(acl *ACLEntry, q *WriteOptions) (*WriteMeta, error) { 150 r := a.c.newRequest("PUT", "/v1/acl/update") 151 r.setWriteOptions(q) 152 r.obj = acl 153 rtt, resp, err := requireOK(a.c.doRequest(r)) 154 if err != nil { 155 return nil, err 156 } 157 defer resp.Body.Close() 158 159 wm := &WriteMeta{RequestTime: rtt} 160 return wm, nil 161 } 162 163 // Destroy is used to destroy a given ACL token ID 164 // 165 // Deprecated: Use TokenDelete instead. 166 func (a *ACL) Destroy(id string, q *WriteOptions) (*WriteMeta, error) { 167 r := a.c.newRequest("PUT", "/v1/acl/destroy/"+id) 168 r.setWriteOptions(q) 169 rtt, resp, err := requireOK(a.c.doRequest(r)) 170 if err != nil { 171 return nil, err 172 } 173 resp.Body.Close() 174 175 wm := &WriteMeta{RequestTime: rtt} 176 return wm, nil 177 } 178 179 // Clone is used to return a new token cloned from an existing one 180 // 181 // Deprecated: Use TokenClone instead. 182 func (a *ACL) Clone(id string, q *WriteOptions) (string, *WriteMeta, error) { 183 r := a.c.newRequest("PUT", "/v1/acl/clone/"+id) 184 r.setWriteOptions(q) 185 rtt, resp, err := requireOK(a.c.doRequest(r)) 186 if err != nil { 187 return "", nil, err 188 } 189 defer resp.Body.Close() 190 191 wm := &WriteMeta{RequestTime: rtt} 192 var out struct{ ID string } 193 if err := decodeBody(resp, &out); err != nil { 194 return "", nil, err 195 } 196 return out.ID, wm, nil 197 } 198 199 // Info is used to query for information about an ACL token 200 // 201 // Deprecated: Use TokenRead instead. 202 func (a *ACL) Info(id string, q *QueryOptions) (*ACLEntry, *QueryMeta, error) { 203 r := a.c.newRequest("GET", "/v1/acl/info/"+id) 204 r.setQueryOptions(q) 205 rtt, resp, err := requireOK(a.c.doRequest(r)) 206 if err != nil { 207 return nil, nil, err 208 } 209 defer resp.Body.Close() 210 211 qm := &QueryMeta{} 212 parseQueryMeta(resp, qm) 213 qm.RequestTime = rtt 214 215 var entries []*ACLEntry 216 if err := decodeBody(resp, &entries); err != nil { 217 return nil, nil, err 218 } 219 if len(entries) > 0 { 220 return entries[0], qm, nil 221 } 222 return nil, qm, nil 223 } 224 225 // List is used to get all the ACL tokens 226 // 227 // Deprecated: Use TokenList instead. 228 func (a *ACL) List(q *QueryOptions) ([]*ACLEntry, *QueryMeta, error) { 229 r := a.c.newRequest("GET", "/v1/acl/list") 230 r.setQueryOptions(q) 231 rtt, resp, err := requireOK(a.c.doRequest(r)) 232 if err != nil { 233 return nil, nil, err 234 } 235 defer resp.Body.Close() 236 237 qm := &QueryMeta{} 238 parseQueryMeta(resp, qm) 239 qm.RequestTime = rtt 240 241 var entries []*ACLEntry 242 if err := decodeBody(resp, &entries); err != nil { 243 return nil, nil, err 244 } 245 return entries, qm, nil 246 } 247 248 // Replication returns the status of the ACL replication process in the datacenter 249 func (a *ACL) Replication(q *QueryOptions) (*ACLReplicationStatus, *QueryMeta, error) { 250 r := a.c.newRequest("GET", "/v1/acl/replication") 251 r.setQueryOptions(q) 252 rtt, resp, err := requireOK(a.c.doRequest(r)) 253 if err != nil { 254 return nil, nil, err 255 } 256 defer resp.Body.Close() 257 258 qm := &QueryMeta{} 259 parseQueryMeta(resp, qm) 260 qm.RequestTime = rtt 261 262 var entries *ACLReplicationStatus 263 if err := decodeBody(resp, &entries); err != nil { 264 return nil, nil, err 265 } 266 return entries, qm, nil 267 } 268 269 // TokenCreate creates a new ACL token. It requires that the AccessorID and SecretID fields 270 // of the ACLToken structure to be empty as these will be filled in by Consul. 271 func (a *ACL) TokenCreate(token *ACLToken, q *WriteOptions) (*ACLToken, *WriteMeta, error) { 272 if token.AccessorID != "" { 273 return nil, nil, fmt.Errorf("Cannot specify an AccessorID in Token Creation") 274 } 275 276 if token.SecretID != "" { 277 return nil, nil, fmt.Errorf("Cannot specify a SecretID in Token Creation") 278 } 279 280 r := a.c.newRequest("PUT", "/v1/acl/token") 281 r.setWriteOptions(q) 282 r.obj = token 283 rtt, resp, err := requireOK(a.c.doRequest(r)) 284 if err != nil { 285 return nil, nil, err 286 } 287 defer resp.Body.Close() 288 289 wm := &WriteMeta{RequestTime: rtt} 290 var out ACLToken 291 if err := decodeBody(resp, &out); err != nil { 292 return nil, nil, err 293 } 294 295 return &out, wm, nil 296 } 297 298 // TokenUpdate updates a token in place without modifying its AccessorID or SecretID. A valid 299 // AccessorID must be set in the ACLToken structure passed to this function but the SecretID may 300 // be omitted and will be filled in by Consul with its existing value. 301 func (a *ACL) TokenUpdate(token *ACLToken, q *WriteOptions) (*ACLToken, *WriteMeta, error) { 302 if token.AccessorID == "" { 303 return nil, nil, fmt.Errorf("Must specify an AccessorID for Token Updating") 304 } 305 r := a.c.newRequest("PUT", "/v1/acl/token/"+token.AccessorID) 306 r.setWriteOptions(q) 307 r.obj = token 308 rtt, resp, err := requireOK(a.c.doRequest(r)) 309 if err != nil { 310 return nil, nil, err 311 } 312 defer resp.Body.Close() 313 314 wm := &WriteMeta{RequestTime: rtt} 315 var out ACLToken 316 if err := decodeBody(resp, &out); err != nil { 317 return nil, nil, err 318 } 319 320 return &out, wm, nil 321 } 322 323 // TokenClone will create a new token with the same policies and locality as the original 324 // token but will have its own auto-generated AccessorID and SecretID as well having the 325 // description passed to this function. The tokenID parameter must be a valid Accessor ID 326 // of an existing token. 327 func (a *ACL) TokenClone(tokenID string, description string, q *WriteOptions) (*ACLToken, *WriteMeta, error) { 328 if tokenID == "" { 329 return nil, nil, fmt.Errorf("Must specify a tokenID for Token Cloning") 330 } 331 332 r := a.c.newRequest("PUT", "/v1/acl/token/"+tokenID+"/clone") 333 r.setWriteOptions(q) 334 r.obj = struct{ Description string }{description} 335 rtt, resp, err := requireOK(a.c.doRequest(r)) 336 if err != nil { 337 return nil, nil, err 338 } 339 defer resp.Body.Close() 340 341 wm := &WriteMeta{RequestTime: rtt} 342 var out ACLToken 343 if err := decodeBody(resp, &out); err != nil { 344 return nil, nil, err 345 } 346 347 return &out, wm, nil 348 } 349 350 // TokenDelete removes a single ACL token. The tokenID parameter must be a valid 351 // Accessor ID of an existing token. 352 func (a *ACL) TokenDelete(tokenID string, q *WriteOptions) (*WriteMeta, error) { 353 r := a.c.newRequest("DELETE", "/v1/acl/token/"+tokenID) 354 r.setWriteOptions(q) 355 rtt, resp, err := requireOK(a.c.doRequest(r)) 356 if err != nil { 357 return nil, err 358 } 359 resp.Body.Close() 360 361 wm := &WriteMeta{RequestTime: rtt} 362 return wm, nil 363 } 364 365 // TokenRead retrieves the full token details. The tokenID parameter must be a valid 366 // Accessor ID of an existing token. 367 func (a *ACL) TokenRead(tokenID string, q *QueryOptions) (*ACLToken, *QueryMeta, error) { 368 r := a.c.newRequest("GET", "/v1/acl/token/"+tokenID) 369 r.setQueryOptions(q) 370 rtt, resp, err := requireOK(a.c.doRequest(r)) 371 if err != nil { 372 return nil, nil, err 373 } 374 defer resp.Body.Close() 375 376 qm := &QueryMeta{} 377 parseQueryMeta(resp, qm) 378 qm.RequestTime = rtt 379 380 var out ACLToken 381 if err := decodeBody(resp, &out); err != nil { 382 return nil, nil, err 383 } 384 385 return &out, qm, nil 386 } 387 388 // TokenReadSelf retrieves the full token details of the token currently 389 // assigned to the API Client. In this manner its possible to read a token 390 // by its Secret ID. 391 func (a *ACL) TokenReadSelf(q *QueryOptions) (*ACLToken, *QueryMeta, error) { 392 r := a.c.newRequest("GET", "/v1/acl/token/self") 393 r.setQueryOptions(q) 394 rtt, resp, err := requireOK(a.c.doRequest(r)) 395 if err != nil { 396 return nil, nil, err 397 } 398 defer resp.Body.Close() 399 400 qm := &QueryMeta{} 401 parseQueryMeta(resp, qm) 402 qm.RequestTime = rtt 403 404 var out ACLToken 405 if err := decodeBody(resp, &out); err != nil { 406 return nil, nil, err 407 } 408 409 return &out, qm, nil 410 } 411 412 // TokenList lists all tokens. The listing does not contain any SecretIDs as those 413 // may only be retrieved by a call to TokenRead. 414 func (a *ACL) TokenList(q *QueryOptions) ([]*ACLTokenListEntry, *QueryMeta, error) { 415 r := a.c.newRequest("GET", "/v1/acl/tokens") 416 r.setQueryOptions(q) 417 rtt, resp, err := requireOK(a.c.doRequest(r)) 418 if err != nil { 419 return nil, nil, err 420 } 421 defer resp.Body.Close() 422 423 qm := &QueryMeta{} 424 parseQueryMeta(resp, qm) 425 qm.RequestTime = rtt 426 427 var entries []*ACLTokenListEntry 428 if err := decodeBody(resp, &entries); err != nil { 429 return nil, nil, err 430 } 431 return entries, qm, nil 432 } 433 434 // PolicyCreate will create a new policy. It is not allowed for the policy parameters 435 // ID field to be set as this will be generated by Consul while processing the request. 436 func (a *ACL) PolicyCreate(policy *ACLPolicy, q *WriteOptions) (*ACLPolicy, *WriteMeta, error) { 437 if policy.ID != "" { 438 return nil, nil, fmt.Errorf("Cannot specify an ID in Policy Creation") 439 } 440 441 r := a.c.newRequest("PUT", "/v1/acl/policy") 442 r.setWriteOptions(q) 443 r.obj = policy 444 rtt, resp, err := requireOK(a.c.doRequest(r)) 445 if err != nil { 446 return nil, nil, err 447 } 448 defer resp.Body.Close() 449 450 wm := &WriteMeta{RequestTime: rtt} 451 var out ACLPolicy 452 if err := decodeBody(resp, &out); err != nil { 453 return nil, nil, err 454 } 455 456 return &out, wm, nil 457 } 458 459 // PolicyUpdate updates a policy. The ID field of the policy parameter must be set to an 460 // existing policy ID 461 func (a *ACL) PolicyUpdate(policy *ACLPolicy, q *WriteOptions) (*ACLPolicy, *WriteMeta, error) { 462 if policy.ID == "" { 463 return nil, nil, fmt.Errorf("Must specify an ID in Policy Creation") 464 } 465 466 r := a.c.newRequest("PUT", "/v1/acl/policy/"+policy.ID) 467 r.setWriteOptions(q) 468 r.obj = policy 469 rtt, resp, err := requireOK(a.c.doRequest(r)) 470 if err != nil { 471 return nil, nil, err 472 } 473 defer resp.Body.Close() 474 475 wm := &WriteMeta{RequestTime: rtt} 476 var out ACLPolicy 477 if err := decodeBody(resp, &out); err != nil { 478 return nil, nil, err 479 } 480 481 return &out, wm, nil 482 } 483 484 // PolicyDelete deletes a policy given its ID. 485 func (a *ACL) PolicyDelete(policyID string, q *WriteOptions) (*WriteMeta, error) { 486 r := a.c.newRequest("DELETE", "/v1/acl/policy/"+policyID) 487 r.setWriteOptions(q) 488 rtt, resp, err := requireOK(a.c.doRequest(r)) 489 if err != nil { 490 return nil, err 491 } 492 resp.Body.Close() 493 494 wm := &WriteMeta{RequestTime: rtt} 495 return wm, nil 496 } 497 498 // PolicyRead retrieves the policy details including the rule set. 499 func (a *ACL) PolicyRead(policyID string, q *QueryOptions) (*ACLPolicy, *QueryMeta, error) { 500 r := a.c.newRequest("GET", "/v1/acl/policy/"+policyID) 501 r.setQueryOptions(q) 502 rtt, resp, err := requireOK(a.c.doRequest(r)) 503 if err != nil { 504 return nil, nil, err 505 } 506 defer resp.Body.Close() 507 508 qm := &QueryMeta{} 509 parseQueryMeta(resp, qm) 510 qm.RequestTime = rtt 511 512 var out ACLPolicy 513 if err := decodeBody(resp, &out); err != nil { 514 return nil, nil, err 515 } 516 517 return &out, qm, nil 518 } 519 520 // PolicyList retrieves a listing of all policies. The listing does not include the 521 // rules for any policy as those should be retrieved by subsequent calls to PolicyRead. 522 func (a *ACL) PolicyList(q *QueryOptions) ([]*ACLPolicyListEntry, *QueryMeta, error) { 523 r := a.c.newRequest("GET", "/v1/acl/policies") 524 r.setQueryOptions(q) 525 rtt, resp, err := requireOK(a.c.doRequest(r)) 526 if err != nil { 527 return nil, nil, err 528 } 529 defer resp.Body.Close() 530 531 qm := &QueryMeta{} 532 parseQueryMeta(resp, qm) 533 qm.RequestTime = rtt 534 535 var entries []*ACLPolicyListEntry 536 if err := decodeBody(resp, &entries); err != nil { 537 return nil, nil, err 538 } 539 return entries, qm, nil 540 } 541 542 // RulesTranslate translates the legacy rule syntax into the current syntax. 543 // 544 // Deprecated: Support for the legacy syntax translation will be removed 545 // when legacy ACL support is removed. 546 func (a *ACL) RulesTranslate(rules io.Reader) (string, error) { 547 r := a.c.newRequest("POST", "/v1/acl/rules/translate") 548 r.body = rules 549 rtt, resp, err := requireOK(a.c.doRequest(r)) 550 if err != nil { 551 return "", err 552 } 553 defer resp.Body.Close() 554 qm := &QueryMeta{} 555 parseQueryMeta(resp, qm) 556 qm.RequestTime = rtt 557 558 ruleBytes, err := ioutil.ReadAll(resp.Body) 559 if err != nil { 560 return "", fmt.Errorf("Failed to read translated rule body: %v", err) 561 } 562 563 return string(ruleBytes), nil 564 } 565 566 // RulesTranslateToken translates the rules associated with the legacy syntax 567 // into the current syntax and returns the results. 568 // 569 // Deprecated: Support for the legacy syntax translation will be removed 570 // when legacy ACL support is removed. 571 func (a *ACL) RulesTranslateToken(tokenID string) (string, error) { 572 r := a.c.newRequest("GET", "/v1/acl/rules/translate/"+tokenID) 573 rtt, resp, err := requireOK(a.c.doRequest(r)) 574 if err != nil { 575 return "", err 576 } 577 defer resp.Body.Close() 578 qm := &QueryMeta{} 579 parseQueryMeta(resp, qm) 580 qm.RequestTime = rtt 581 582 ruleBytes, err := ioutil.ReadAll(resp.Body) 583 if err != nil { 584 return "", fmt.Errorf("Failed to read translated rule body: %v", err) 585 } 586 587 return string(ruleBytes), nil 588 }