extend semgrep rule to ensure error is handled

hashicorp · Jan 6, 2023 · b21ebf8 · b21ebf8
1 parent cfc05e1
commit b21ebf8
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 11 deletions.
diff --git a/.semgrep/rpc_endpoint.yml b/.semgrep/rpc_endpoint.yml
@@ -66,7 +66,11 @@ rules:
       # TODO: add authorization steps as well.
       - pattern-not-inside: |
           ...
-          ... := $A.$B.Authenticate($A.ctx, args)
+          authErr := $A.$B.Authenticate($A.ctx, args)
+          ...
+          if authErr != nil {
+            return authErr
+          }
           ...
       - metavariable-pattern:
           metavariable: $METHOD

diff --git a/nomad/acl_endpoint.go b/nomad/acl_endpoint.go
@@ -1997,9 +1997,9 @@ func (a *ACL) GetAuthMethods(
 // once other Workload Identity work is solidified
 func (a *ACL) WhoAmI(args *structs.GenericRequest, reply *structs.ACLWhoAmIResponse) error {
 
-	err := a.srv.Authenticate(a.ctx, args)
-	if err != nil {
-		return err
+	authErr := a.srv.Authenticate(a.ctx, args)
+	if authErr != nil {
+		return authErr
 	}
 
 	if done, err := a.srv.forward("ACL.WhoAmI", args, args, reply); done {

diff --git a/nomad/eval_endpoint.go b/nomad/eval_endpoint.go
@@ -111,13 +111,13 @@ func (e *Eval) GetEval(args *structs.EvalSpecificRequest,
 func (e *Eval) Dequeue(args *structs.EvalDequeueRequest,
 	reply *structs.EvalDequeueResponse) error {
 
-	err := e.srv.Authenticate(e.ctx, args)
-	if err != nil {
-		return err
+	authErr := e.srv.Authenticate(e.ctx, args)
+	if authErr != nil {
+		return authErr
 	}
 
 	// Ensure the connection was initiated by another server if TLS is used.
-	err = validateTLSCertificateLevel(e.srv, e.ctx, tlsCertificateLevelServer)
+	err := validateTLSCertificateLevel(e.srv, e.ctx, tlsCertificateLevelServer)
 	if err != nil {
 		return err
 	}

diff --git a/nomad/variables_endpoint.go b/nomad/variables_endpoint.go
@@ -40,7 +40,7 @@ func (sv *Variables) Apply(args *structs.VariablesApplyRequest, reply *structs.V
 		return err
 	}
 	if authErr != nil {
-		return structs.ErrPermissionDenied
+		return authErr
 	}
 
 	defer metrics.MeasureSince([]string{
@@ -230,7 +230,7 @@ func (sv *Variables) Read(args *structs.VariablesReadRequest, reply *structs.Var
 		return err
 	}
 	if authErr != nil {
-		return structs.ErrPermissionDenied
+		return authErr
 	}
 
 	defer metrics.MeasureSince([]string{"nomad", "variables", "read"}, time.Now())
@@ -280,7 +280,7 @@ func (sv *Variables) List(
 		return err
 	}
 	if authErr != nil {
-		return structs.ErrPermissionDenied
+		return authErr
 	}
 
 	defer metrics.MeasureSince([]string{"nomad", "variables", "list"}, time.Now())