open-consul/agent/consul/state/acl_schema.go

package state

import (
	"fmt"
	"strings"

	"github.com/hashicorp/go-memdb"

	"github.com/hashicorp/consul/agent/structs"
)

const (
	tableACLTokens       = "acl-tokens"
	tableACLPolicies     = "acl-policies"
	tableACLRoles        = "acl-roles"
	tableACLBindingRules = "acl-binding-rules"
	tableACLAuthMethods  = "acl-auth-methods"

	indexPolicies   = "policies"
	indexRoles      = "roles"
	indexAuthMethod = "authmethod"
	indexLocal      = "local"
	indexName       = "name"
)

func tokensTableSchema() *memdb.TableSchema {
	return &memdb.TableSchema{
		Name: tableACLTokens,
		Indexes: map[string]*memdb.IndexSchema{
			"accessor": {
				Name: "accessor",
				// DEPRECATED (ACL-Legacy-Compat) - we should not AllowMissing here once legacy compat is removed
				AllowMissing: true,
				Unique:       true,
				Indexer: &memdb.UUIDFieldIndex{
					Field: "AccessorID",
				},
			},
			indexID: {
				Name:         indexID,
				AllowMissing: false,
				Unique:       true,
				Indexer: &memdb.StringFieldIndex{
					Field:     "SecretID",
					Lowercase: false,
				},
			},
			indexPolicies: {
				Name: indexPolicies,
				// Need to allow missing for the anonymous token
				AllowMissing: true,
				Unique:       false,
				Indexer:      &TokenPoliciesIndex{},
			},
			indexRoles: {
				Name:         indexRoles,
				AllowMissing: true,
				Unique:       false,
				Indexer:      &TokenRolesIndex{},
			},
			indexAuthMethod: {
				Name:         indexAuthMethod,
				AllowMissing: true,
				Unique:       false,
				Indexer: &memdb.StringFieldIndex{
					Field:     "AuthMethod",
					Lowercase: false,
				},
			},
			indexLocal: {
				Name:         indexLocal,
				AllowMissing: false,
				Unique:       false,
				Indexer: &memdb.ConditionalIndex{
					Conditional: func(obj interface{}) (bool, error) {
						if token, ok := obj.(*structs.ACLToken); ok {
							return token.Local, nil
						}
						return false, nil
					},
				},
			},
			"expires-global": {
				Name:         "expires-global",
				AllowMissing: true,
				Unique:       false,
				Indexer:      &TokenExpirationIndex{LocalFilter: false},
			},
			"expires-local": {
				Name:         "expires-local",
				AllowMissing: true,
				Unique:       false,
				Indexer:      &TokenExpirationIndex{LocalFilter: true},
			},

			//DEPRECATED (ACL-Legacy-Compat) - This index is only needed while we support upgrading v1 to v2 acls
			// This table indexes all the ACL tokens that do not have an AccessorID
			"needs-upgrade": {
				Name:         "needs-upgrade",
				AllowMissing: false,
				Unique:       false,
				Indexer: &memdb.ConditionalIndex{
					Conditional: func(obj interface{}) (bool, error) {
						if token, ok := obj.(*structs.ACLToken); ok {
							return token.AccessorID == "", nil
						}
						return false, nil
					},
				},
			},
		},
	}
}

func policiesTableSchema() *memdb.TableSchema {
	return &memdb.TableSchema{
		Name: tableACLPolicies,
		Indexes: map[string]*memdb.IndexSchema{
			indexID: {
				Name:         indexID,
				AllowMissing: false,
				Unique:       true,
				Indexer: &memdb.UUIDFieldIndex{
					Field: "ID",
				},
			},
			indexName: {
				Name:         indexName,
				AllowMissing: false,
				Unique:       true,
				Indexer: indexerSingleWithPrefix{
					readIndex:   indexFromQuery,
					writeIndex:  indexNameFromACLPolicy,
					prefixIndex: prefixIndexFromQuery,
				},
			},
		},
	}
}

func indexNameFromACLPolicy(raw interface{}) ([]byte, error) {
	p, ok := raw.(*structs.ACLPolicy)
	if !ok {
		return nil, fmt.Errorf("unexpected type %T for structs.ACLPolicy index", raw)
	}

	if p.Name == "" {
		return nil, errMissingValueForIndex
	}

	var b indexBuilder
	b.String(strings.ToLower(p.Name))
	return b.Bytes(), nil
}

func rolesTableSchema() *memdb.TableSchema {
	return &memdb.TableSchema{
		Name: tableACLRoles,
		Indexes: map[string]*memdb.IndexSchema{
			indexID: {
				Name:         indexID,
				AllowMissing: false,
				Unique:       true,
				Indexer: &memdb.UUIDFieldIndex{
					Field: "ID",
				},
			},
			indexName: {
				Name:         indexName,
				AllowMissing: false,
				Unique:       true,
				Indexer: indexerSingleWithPrefix{
					readIndex:   indexFromQuery,
					writeIndex:  indexNameFromACLRole,
					prefixIndex: prefixIndexFromQuery,
				},
			},
			indexPolicies: {
				Name: indexPolicies,
				// Need to allow missing for the anonymous token
				AllowMissing: true,
				Unique:       false,
				Indexer: indexerMulti{
					readIndex:       indexFromUUIDQuery,
					writeIndexMulti: multiIndexPolicyFromACLRole,
				},
			},
		},
	}
}

func indexNameFromACLRole(raw interface{}) ([]byte, error) {
	p, ok := raw.(*structs.ACLRole)
	if !ok {
		return nil, fmt.Errorf("unexpected type %T for structs.ACLRole index", raw)
	}

	if p.Name == "" {
		return nil, errMissingValueForIndex
	}

	var b indexBuilder
	b.String(strings.ToLower(p.Name))
	return b.Bytes(), nil
}

func indexFromUUIDQuery(raw interface{}) ([]byte, error) {
	q, ok := raw.(Query)
	if !ok {
		return nil, fmt.Errorf("unexpected type %T for UUIDQuery index", raw)
	}
	return uuidStringToBytes(q.Value)
}

func multiIndexPolicyFromACLRole(raw interface{}) ([][]byte, error) {
	role, ok := raw.(*structs.ACLRole)
	if !ok {
		return nil, fmt.Errorf("unexpected type %T for structs.ACLRole index", raw)
	}

	count := len(role.Policies)
	if count == 0 {
		return nil, errMissingValueForIndex
	}

	vals := make([][]byte, 0, count)
	for _, link := range role.Policies {
		v, err := uuidStringToBytes(link.ID)
		if err != nil {
			return nil, err
		}
		vals = append(vals, v)
	}

	return vals, nil
}

func bindingRulesTableSchema() *memdb.TableSchema {
	return &memdb.TableSchema{
		Name: tableACLBindingRules,
		Indexes: map[string]*memdb.IndexSchema{
			indexID: {
				Name:         indexID,
				AllowMissing: false,
				Unique:       true,
				Indexer: &memdb.UUIDFieldIndex{
					Field: "ID",
				},
			},
			indexAuthMethod: {
				Name:         indexAuthMethod,
				AllowMissing: false,
				Unique:       false,
				Indexer: &memdb.StringFieldIndex{
					Field:     "AuthMethod",
					Lowercase: true,
				},
			},
		},
	}
}

func authMethodsTableSchema() *memdb.TableSchema {
	return &memdb.TableSchema{
		Name: tableACLAuthMethods,
		Indexes: map[string]*memdb.IndexSchema{
			indexID: {
				Name:         indexID,
				AllowMissing: false,
				Unique:       true,
				Indexer: &memdb.StringFieldIndex{
					Field:     "Name",
					Lowercase: true,
				},
			},
		},
	}
}
state: Move ACL schema indexes to match Ent and use constants for table and index names. 2021-01-29 01:05:09 +00:00			`package state`

			`import (`
state: remove duplication in acl tables schema 2021-03-29 18:07:36 +00:00			`"fmt"`
			`"strings"`

state: Move ACL schema indexes to match Ent and use constants for table and index names. 2021-01-29 01:05:09 +00:00			`"github.com/hashicorp/go-memdb"`

			`"github.com/hashicorp/consul/agent/structs"`
			`)`

			`const (`
			`tableACLTokens = "acl-tokens"`
			`tableACLPolicies = "acl-policies"`
			`tableACLRoles = "acl-roles"`
			`tableACLBindingRules = "acl-binding-rules"`
			`tableACLAuthMethods = "acl-auth-methods"`

			`indexPolicies = "policies"`
			`indexRoles = "roles"`
			`indexAuthMethod = "authmethod"`
			`indexLocal = "local"`
			`indexName = "name"`
			`)`

			`func tokensTableSchema() *memdb.TableSchema {`
			`return &memdb.TableSchema{`
			`Name: tableACLTokens,`
			`Indexes: map[string]*memdb.IndexSchema{`
			`"accessor": {`
			`Name: "accessor",`
			`// DEPRECATED (ACL-Legacy-Compat) - we should not AllowMissing here once legacy compat is removed`
			`AllowMissing: true,`
			`Unique: true,`
			`Indexer: &memdb.UUIDFieldIndex{`
			`Field: "AccessorID",`
			`},`
			`},`
			`indexID: {`
			`Name: indexID,`
			`AllowMissing: false,`
			`Unique: true,`
			`Indexer: &memdb.StringFieldIndex{`
			`Field: "SecretID",`
			`Lowercase: false,`
			`},`
			`},`
			`indexPolicies: {`
			`Name: indexPolicies,`
			`// Need to allow missing for the anonymous token`
			`AllowMissing: true,`
			`Unique: false,`
			`Indexer: &TokenPoliciesIndex{},`
			`},`
			`indexRoles: {`
			`Name: indexRoles,`
			`AllowMissing: true,`
			`Unique: false,`
			`Indexer: &TokenRolesIndex{},`
			`},`
			`indexAuthMethod: {`
			`Name: indexAuthMethod,`
			`AllowMissing: true,`
			`Unique: false,`
			`Indexer: &memdb.StringFieldIndex{`
			`Field: "AuthMethod",`
			`Lowercase: false,`
			`},`
			`},`
			`indexLocal: {`
			`Name: indexLocal,`
			`AllowMissing: false,`
			`Unique: false,`
			`Indexer: &memdb.ConditionalIndex{`
			`Conditional: func(obj interface{}) (bool, error) {`
			`if token, ok := obj.(*structs.ACLToken); ok {`
			`return token.Local, nil`
			`}`
			`return false, nil`
			`},`
			`},`
			`},`
			`"expires-global": {`
			`Name: "expires-global",`
			`AllowMissing: true,`
			`Unique: false,`
			`Indexer: &TokenExpirationIndex{LocalFilter: false},`
			`},`
			`"expires-local": {`
			`Name: "expires-local",`
			`AllowMissing: true,`
			`Unique: false,`
			`Indexer: &TokenExpirationIndex{LocalFilter: true},`
			`},`

			`//DEPRECATED (ACL-Legacy-Compat) - This index is only needed while we support upgrading v1 to v2 acls`
			`// This table indexes all the ACL tokens that do not have an AccessorID`
			`"needs-upgrade": {`
			`Name: "needs-upgrade",`
			`AllowMissing: false,`
			`Unique: false,`
			`Indexer: &memdb.ConditionalIndex{`
			`Conditional: func(obj interface{}) (bool, error) {`
			`if token, ok := obj.(*structs.ACLToken); ok {`
			`return token.AccessorID == "", nil`
			`}`
			`return false, nil`
			`},`
			`},`
			`},`
			`},`
			`}`
			`}`

			`func policiesTableSchema() *memdb.TableSchema {`
			`return &memdb.TableSchema{`
			`Name: tableACLPolicies,`
			`Indexes: map[string]*memdb.IndexSchema{`
			`indexID: {`
			`Name: indexID,`
			`AllowMissing: false,`
			`Unique: true,`
			`Indexer: &memdb.UUIDFieldIndex{`
			`Field: "ID",`
			`},`
			`},`
			`indexName: {`
			`Name: indexName,`
			`AllowMissing: false,`
			`Unique: true,`
state: convert acl-policies table to new pattern 2021-03-16 19:29:30 +00:00			`Indexer: indexerSingleWithPrefix{`
state: remove duplication in acl tables schema 2021-03-29 18:07:36 +00:00			`readIndex: indexFromQuery,`
			`writeIndex: indexNameFromACLPolicy,`
			`prefixIndex: prefixIndexFromQuery,`
state: Move ACL schema indexes to match Ent and use constants for table and index names. 2021-01-29 01:05:09 +00:00			`},`
			`},`
			`},`
			`}`
			`}`

state: remove duplication in acl tables schema 2021-03-29 18:07:36 +00:00			`func indexNameFromACLPolicy(raw interface{}) ([]byte, error) {`
			`p, ok := raw.(*structs.ACLPolicy)`
			`if !ok {`
			`return nil, fmt.Errorf("unexpected type %T for structs.ACLPolicy index", raw)`
			`}`

			`if p.Name == "" {`
			`return nil, errMissingValueForIndex`
			`}`

			`var b indexBuilder`
			`b.String(strings.ToLower(p.Name))`
			`return b.Bytes(), nil`
			`}`

state: Move ACL schema indexes to match Ent and use constants for table and index names. 2021-01-29 01:05:09 +00:00			`func rolesTableSchema() *memdb.TableSchema {`
			`return &memdb.TableSchema{`
			`Name: tableACLRoles,`
			`Indexes: map[string]*memdb.IndexSchema{`
			`indexID: {`
			`Name: indexID,`
			`AllowMissing: false,`
			`Unique: true,`
			`Indexer: &memdb.UUIDFieldIndex{`
			`Field: "ID",`
			`},`
			`},`
			`indexName: {`
			`Name: indexName,`
			`AllowMissing: false,`
			`Unique: true,`
state: convert acl-roles.name index to the functional indexer pattern 2021-03-17 17:57:40 +00:00			`Indexer: indexerSingleWithPrefix{`
state: remove duplication in acl tables schema 2021-03-29 18:07:36 +00:00			`readIndex: indexFromQuery,`
			`writeIndex: indexNameFromACLRole,`
			`prefixIndex: prefixIndexFromQuery,`
state: Move ACL schema indexes to match Ent and use constants for table and index names. 2021-01-29 01:05:09 +00:00			`},`
			`},`
			`indexPolicies: {`
			`Name: indexPolicies,`
			`// Need to allow missing for the anonymous token`
			`AllowMissing: true,`
			`Unique: false,`
state: convert acl-roles.policies index to new pattern 2021-03-19 20:07:55 +00:00			`Indexer: indexerMulti{`
state: remove duplication in acl tables schema 2021-03-29 18:07:36 +00:00			`readIndex: indexFromUUIDQuery,`
			`writeIndexMulti: multiIndexPolicyFromACLRole,`
state: convert acl-roles.policies index to new pattern 2021-03-19 20:07:55 +00:00			`},`
state: Move ACL schema indexes to match Ent and use constants for table and index names. 2021-01-29 01:05:09 +00:00			`},`
			`},`
			`}`
			`}`

state: remove duplication in acl tables schema 2021-03-29 18:07:36 +00:00			`func indexNameFromACLRole(raw interface{}) ([]byte, error) {`
			`p, ok := raw.(*structs.ACLRole)`
			`if !ok {`
			`return nil, fmt.Errorf("unexpected type %T for structs.ACLRole index", raw)`
			`}`

			`if p.Name == "" {`
			`return nil, errMissingValueForIndex`
			`}`

			`var b indexBuilder`
			`b.String(strings.ToLower(p.Name))`
			`return b.Bytes(), nil`
			`}`

			`func indexFromUUIDQuery(raw interface{}) ([]byte, error) {`
			`q, ok := raw.(Query)`
			`if !ok {`
			`return nil, fmt.Errorf("unexpected type %T for UUIDQuery index", raw)`
			`}`
			`return uuidStringToBytes(q.Value)`
			`}`

			`func multiIndexPolicyFromACLRole(raw interface{}) ([][]byte, error) {`
			`role, ok := raw.(*structs.ACLRole)`
			`if !ok {`
			`return nil, fmt.Errorf("unexpected type %T for structs.ACLRole index", raw)`
			`}`

			`count := len(role.Policies)`
			`if count == 0 {`
			`return nil, errMissingValueForIndex`
			`}`

			`vals := make([][]byte, 0, count)`
			`for _, link := range role.Policies {`
			`v, err := uuidStringToBytes(link.ID)`
			`if err != nil {`
			`return nil, err`
			`}`
			`vals = append(vals, v)`
			`}`

			`return vals, nil`
			`}`

state: Move ACL schema indexes to match Ent and use constants for table and index names. 2021-01-29 01:05:09 +00:00			`func bindingRulesTableSchema() *memdb.TableSchema {`
			`return &memdb.TableSchema{`
			`Name: tableACLBindingRules,`
			`Indexes: map[string]*memdb.IndexSchema{`
			`indexID: {`
			`Name: indexID,`
			`AllowMissing: false,`
			`Unique: true,`
			`Indexer: &memdb.UUIDFieldIndex{`
			`Field: "ID",`
			`},`
			`},`
			`indexAuthMethod: {`
			`Name: indexAuthMethod,`
			`AllowMissing: false,`
			`Unique: false,`
			`Indexer: &memdb.StringFieldIndex{`
			`Field: "AuthMethod",`
			`Lowercase: true,`
			`},`
			`},`
			`},`
			`}`
			`}`

			`func authMethodsTableSchema() *memdb.TableSchema {`
			`return &memdb.TableSchema{`
			`Name: tableACLAuthMethods,`
			`Indexes: map[string]*memdb.IndexSchema{`
			`indexID: {`
			`Name: indexID,`
			`AllowMissing: false,`
			`Unique: true,`
			`Indexer: &memdb.StringFieldIndex{`
			`Field: "Name",`
			`Lowercase: true,`
			`},`
			`},`
			`},`
			`}`
			`}`