open-consul/agent/structs/acl_oss.go

// +build !consulent

package structs

import (
	"fmt"

	"github.com/hashicorp/consul/acl"
)

const (
	EnterpriseACLPolicyGlobalManagement = ""

	// aclPolicyTemplateServiceIdentity is the template used for synthesizing
	// policies for service identities.
	aclPolicyTemplateServiceIdentity = `
service "%[1]s" {
	policy = "write"
}
service "%[1]s-sidecar-proxy" {
	policy = "write"
}
service_prefix "" {
	policy = "read"
}
node_prefix "" {
	policy = "read"
}`

	// A typical Consul node requires two permissions for itself.
	// node:write
	//    - register itself in the catalog
	//    - update its network coordinates
	//    - potentially used to delete services during anti-entropy
	// service:read
	//    - used during anti-entropy to discover all services that
	//      are registered to the node. That way the node can diff
	//      its local state against an accurate depiction of the
	//      remote state.
	aclPolicyTemplateNodeIdentity = `
node "%[1]s" {
	policy = "write"
}
service_prefix "" {
	policy = "read"
}`
)

type ACLAuthMethodEnterpriseFields struct{}

type ACLAuthMethodEnterpriseMeta struct{}

func (_ *ACLAuthMethodEnterpriseMeta) FillWithEnterpriseMeta(_ *EnterpriseMeta) {
	// do nothing
}

func (_ *ACLAuthMethodEnterpriseMeta) ToEnterpriseMeta() *EnterpriseMeta {
	return DefaultEnterpriseMeta()
}

func aclServiceIdentityRules(svc string, _ *EnterpriseMeta) string {
	return fmt.Sprintf(aclPolicyTemplateServiceIdentity, svc)
}

func (p *ACLPolicy) EnterprisePolicyMeta() *acl.EnterprisePolicyMeta {
	return nil
}

func (m *ACLAuthMethod) TargetEnterpriseMeta(_ *EnterpriseMeta) *EnterpriseMeta {
	return &m.EnterpriseMeta
}

func (t *ACLToken) NodeIdentityList() []*ACLNodeIdentity {
	if len(t.NodeIdentities) == 0 {
		return nil
	}

	out := make([]*ACLNodeIdentity, 0, len(t.NodeIdentities))
	for _, n := range t.NodeIdentities {
		out = append(out, n.Clone())
	}
	return out
}

func (r *ACLRole) NodeIdentityList() []*ACLNodeIdentity {
	if len(r.NodeIdentities) == 0 {
		return nil
	}

	out := make([]*ACLNodeIdentity, 0, len(r.NodeIdentities))
	for _, n := range r.NodeIdentities {
		out = append(out, n.Clone())
	}
	return out
}
ACL Authorizer overhaul (#6620) * ACL Authorizer overhaul To account for upcoming features every Authorization function can now take an extra acl.EnterpriseAuthorizerContext. These are unused in OSS and will always be nil. Additionally the acl package has received some thorough refactoring to enable all of the extra Consul Enterprise specific authorizations including moving sentinel enforcement into the stubbed structs. The Authorizer funcs now return an acl.EnforcementDecision instead of a boolean. This improves the overall interface as it makes multiple Authorizers easily chainable as they now indicate whether they had an authoritative decision or should use some other defaults. A ChainedAuthorizer was added to handle this Authorizer enforcement chain and will never itself return a non-authoritative decision. Include stub for extra enterprise rules in the global management policy * Allow for an upgrade of the global-management policy 2019-10-15 20:58:50 +00:00			`// +build !consulent`

			`package structs`

Updates to allow for Namespacing ACL resources in Consul Enterp… (#6675) Main Changes: • method signature updates everywhere to account for passing around enterprise meta. • populate the EnterpriseAuthorizerContext for all ACL related authorizations. • ACL resource listings now operate like the catalog or kv listings in that the returned entries are filtered down to what the token is allowed to see. With Namespaces its no longer all or nothing. • Modified the acl.Policy parsing to abstract away basic decoding so that enterprise can do it slightly differently. Also updated method signatures so that when parsing a policy it can take extra ent metadata to use during rules validation and policy creation. Secondary Changes: • Moved protobuf encoding functions out of the agentpb package to eliminate circular dependencies. • Added custom JSON unmarshalers for a few ACL resource types (to support snake case and to get rid of mapstructure) • AuthMethod validator cache is now an interface as these will be cached per-namespace for Consul Enterprise. • Added checks for policy/role link existence at the RPC API so we don’t push the request through raft to have it fail internally. • Forward ACL token delete request to the primary datacenter when the secondary DC doesn’t have the token. • Added a bunch of ACL test helpers for inserting ACL resource test data. 2019-10-24 18:38:09 +00:00			`import (`
			`"fmt"`

			`"github.com/hashicorp/consul/acl"`
			`)`

ACL Authorizer overhaul (#6620) * ACL Authorizer overhaul To account for upcoming features every Authorization function can now take an extra acl.EnterpriseAuthorizerContext. These are unused in OSS and will always be nil. Additionally the acl package has received some thorough refactoring to enable all of the extra Consul Enterprise specific authorizations including moving sentinel enforcement into the stubbed structs. The Authorizer funcs now return an acl.EnforcementDecision instead of a boolean. This improves the overall interface as it makes multiple Authorizers easily chainable as they now indicate whether they had an authoritative decision or should use some other defaults. A ChainedAuthorizer was added to handle this Authorizer enforcement chain and will never itself return a non-authoritative decision. Include stub for extra enterprise rules in the global management policy * Allow for an upgrade of the global-management policy 2019-10-15 20:58:50 +00:00			`const (`
			`EnterpriseACLPolicyGlobalManagement = ""`
Updates to allow for Namespacing ACL resources in Consul Enterp… (#6675) Main Changes: • method signature updates everywhere to account for passing around enterprise meta. • populate the EnterpriseAuthorizerContext for all ACL related authorizations. • ACL resource listings now operate like the catalog or kv listings in that the returned entries are filtered down to what the token is allowed to see. With Namespaces its no longer all or nothing. • Modified the acl.Policy parsing to abstract away basic decoding so that enterprise can do it slightly differently. Also updated method signatures so that when parsing a policy it can take extra ent metadata to use during rules validation and policy creation. Secondary Changes: • Moved protobuf encoding functions out of the agentpb package to eliminate circular dependencies. • Added custom JSON unmarshalers for a few ACL resource types (to support snake case and to get rid of mapstructure) • AuthMethod validator cache is now an interface as these will be cached per-namespace for Consul Enterprise. • Added checks for policy/role link existence at the RPC API so we don’t push the request through raft to have it fail internally. • Forward ACL token delete request to the primary datacenter when the secondary DC doesn’t have the token. • Added a bunch of ACL test helpers for inserting ACL resource test data. 2019-10-24 18:38:09 +00:00
			`// aclPolicyTemplateServiceIdentity is the template used for synthesizing`
			`// policies for service identities.`
			aclPolicyTemplateServiceIdentity = `
			`service "%[1]s" {`
			`policy = "write"`
			`}`
			`service "%[1]s-sidecar-proxy" {`
			`policy = "write"`
			`}`
			`service_prefix "" {`
			`policy = "read"`
			`}`
			`node_prefix "" {`
			`policy = "read"`
			}`
ACL Node Identities (#7970) A Node Identity is very similar to a service identity. Its main targeted use is to allow creating tokens for use by Consul agents that will grant the necessary permissions for all the typical agent operations (node registration, coordinate updates, anti-entropy). Half of this commit is for golden file based tests of the acl token and role cli output. Another big updates was to refactor many of the tests in agent/consul/acl_endpoint_test.go to use the same style of tests and the same helpers. Besides being less boiler plate in the tests it also uses a common way of starting a test server with ACLs that should operate without any warnings regarding deprecated non-uuid master tokens etc. 2020-06-16 16:54:27 +00:00
			`// A typical Consul node requires two permissions for itself.`
			`// node:write`
			`// - register itself in the catalog`
			`// - update its network coordinates`
			`// - potentially used to delete services during anti-entropy`
			`// service:read`
			`// - used during anti-entropy to discover all services that`
			`// are registered to the node. That way the node can diff`
			`// its local state against an accurate depiction of the`
			`// remote state.`
			aclPolicyTemplateNodeIdentity = `
			`node "%[1]s" {`
			`policy = "write"`
			`}`
			`service_prefix "" {`
			`policy = "read"`
			}`
ACL Authorizer overhaul (#6620) * ACL Authorizer overhaul To account for upcoming features every Authorization function can now take an extra acl.EnterpriseAuthorizerContext. These are unused in OSS and will always be nil. Additionally the acl package has received some thorough refactoring to enable all of the extra Consul Enterprise specific authorizations including moving sentinel enforcement into the stubbed structs. The Authorizer funcs now return an acl.EnforcementDecision instead of a boolean. This improves the overall interface as it makes multiple Authorizers easily chainable as they now indicate whether they had an authoritative decision or should use some other defaults. A ChainedAuthorizer was added to handle this Authorizer enforcement chain and will never itself return a non-authoritative decision. Include stub for extra enterprise rules in the global management policy * Allow for an upgrade of the global-management policy 2019-10-15 20:58:50 +00:00			`)`
Updates to allow for Namespacing ACL resources in Consul Enterp… (#6675) Main Changes: • method signature updates everywhere to account for passing around enterprise meta. • populate the EnterpriseAuthorizerContext for all ACL related authorizations. • ACL resource listings now operate like the catalog or kv listings in that the returned entries are filtered down to what the token is allowed to see. With Namespaces its no longer all or nothing. • Modified the acl.Policy parsing to abstract away basic decoding so that enterprise can do it slightly differently. Also updated method signatures so that when parsing a policy it can take extra ent metadata to use during rules validation and policy creation. Secondary Changes: • Moved protobuf encoding functions out of the agentpb package to eliminate circular dependencies. • Added custom JSON unmarshalers for a few ACL resource types (to support snake case and to get rid of mapstructure) • AuthMethod validator cache is now an interface as these will be cached per-namespace for Consul Enterprise. • Added checks for policy/role link existence at the RPC API so we don’t push the request through raft to have it fail internally. • Forward ACL token delete request to the primary datacenter when the secondary DC doesn’t have the token. • Added a bunch of ACL test helpers for inserting ACL resource test data. 2019-10-24 18:38:09 +00:00
acl: oss plumbing to support auth method namespace rules in enterprise (#7794) This includes website docs updates. 2020-05-06 18:48:04 +00:00			`type ACLAuthMethodEnterpriseFields struct{}`

AuthMethod updates to support alternate namespace logins (#7029) 2020-01-14 15:09:29 +00:00			`type ACLAuthMethodEnterpriseMeta struct{}`

			`func (_ ACLAuthMethodEnterpriseMeta) FillWithEnterpriseMeta(_ EnterpriseMeta) {`
			`// do nothing`
			`}`

			`func (_ ACLAuthMethodEnterpriseMeta) ToEnterpriseMeta() EnterpriseMeta {`
			`return DefaultEnterpriseMeta()`
			`}`

Updates to allow for Namespacing ACL resources in Consul Enterp… (#6675) Main Changes: • method signature updates everywhere to account for passing around enterprise meta. • populate the EnterpriseAuthorizerContext for all ACL related authorizations. • ACL resource listings now operate like the catalog or kv listings in that the returned entries are filtered down to what the token is allowed to see. With Namespaces its no longer all or nothing. • Modified the acl.Policy parsing to abstract away basic decoding so that enterprise can do it slightly differently. Also updated method signatures so that when parsing a policy it can take extra ent metadata to use during rules validation and policy creation. Secondary Changes: • Moved protobuf encoding functions out of the agentpb package to eliminate circular dependencies. • Added custom JSON unmarshalers for a few ACL resource types (to support snake case and to get rid of mapstructure) • AuthMethod validator cache is now an interface as these will be cached per-namespace for Consul Enterprise. • Added checks for policy/role link existence at the RPC API so we don’t push the request through raft to have it fail internally. • Forward ACL token delete request to the primary datacenter when the secondary DC doesn’t have the token. • Added a bunch of ACL test helpers for inserting ACL resource test data. 2019-10-24 18:38:09 +00:00			`func aclServiceIdentityRules(svc string, _ *EnterpriseMeta) string {`
			`return fmt.Sprintf(aclPolicyTemplateServiceIdentity, svc)`
			`}`

			`func (p ACLPolicy) EnterprisePolicyMeta() acl.EnterprisePolicyMeta {`
			`return nil`
			`}`
AuthMethod updates to support alternate namespace logins (#7029) 2020-01-14 15:09:29 +00:00
			`func (m ACLAuthMethod) TargetEnterpriseMeta(_ EnterpriseMeta) *EnterpriseMeta {`
			`return &m.EnterpriseMeta`
			`}`
ACL Node Identities (#7970) A Node Identity is very similar to a service identity. Its main targeted use is to allow creating tokens for use by Consul agents that will grant the necessary permissions for all the typical agent operations (node registration, coordinate updates, anti-entropy). Half of this commit is for golden file based tests of the acl token and role cli output. Another big updates was to refactor many of the tests in agent/consul/acl_endpoint_test.go to use the same style of tests and the same helpers. Besides being less boiler plate in the tests it also uses a common way of starting a test server with ACLs that should operate without any warnings regarding deprecated non-uuid master tokens etc. 2020-06-16 16:54:27 +00:00
			`func (t ACLToken) NodeIdentityList() []ACLNodeIdentity {`
			`if len(t.NodeIdentities) == 0 {`
			`return nil`
			`}`

			`out := make([]*ACLNodeIdentity, 0, len(t.NodeIdentities))`
			`for _, n := range t.NodeIdentities {`
			`out = append(out, n.Clone())`
			`}`
			`return out`
			`}`

			`func (r ACLRole) NodeIdentityList() []ACLNodeIdentity {`
			`if len(r.NodeIdentities) == 0 {`
			`return nil`
			`}`

			`out := make([]*ACLNodeIdentity, 0, len(r.NodeIdentities))`
			`for _, n := range r.NodeIdentities {`
			`out = append(out, n.Clone())`
			`}`
			`return out`
			`}`