sec: fix alloc workload identity namespace permission

hashicorp · Dec 16, 2024 · 9f076ae · 9f076ae
1 parent 24fa743
commit 9f076ae
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 1 deletion.
diff --git a/command/agent/node_endpoint.go b/command/agent/node_endpoint.go
@@ -105,6 +105,7 @@ func (s *HTTPServer) nodeAllocations(resp http.ResponseWriter, req *http.Request
 		out.Allocs = make([]*structs.Allocation, 0)
 	}
 	for _, alloc := range out.Allocs {
+		alloc = alloc.Sanitize()
 		alloc.SetEventDisplayMessages()
 	}
 	return out.Allocs, nil

diff --git a/nomad/alloc_endpoint.go b/nomad/alloc_endpoint.go
@@ -172,8 +172,9 @@ func (a *Alloc) GetAlloc(args *structs.AllocSpecificRequest,
 			}
 
 			// Setup the output
-			reply.Alloc = out
 			if out != nil {
+				out = out.Sanitize()
+				reply.Alloc = out
 				// Re-check namespace in case it differs from request.
 				if !aclObj.AllowClientOp() && !allowNsOp(aclObj, out.Namespace) {
 					return structs.NewErrUnknownAllocation(args.AllocID)

diff --git a/nomad/structs/structs.go b/nomad/structs/structs.go
@@ -11199,6 +11199,23 @@ func (a *Allocation) GetID() string {
 	return a.ID
 }
 
+// Sanitize returns a copy of the allocation with the SignedIdentities field
+// removed. This is useful for returning allocations to clients where the
+// SignedIdentities field is not needed.
+func (a *Allocation) Sanitize() *Allocation {
+	if a == nil {
+		return nil
+	}
+
+	if a.SignedIdentities == nil {
+		return a
+	}
+
+	clean := a.Copy()
+	clean.SignedIdentities = nil
+	return clean
+}
+
 // GetNamespace implements the NamespaceGetter interface, required for
 // pagination and filtering namespaces in endpoints that support glob namespace
 // requests using tokens with limited access.