acl: remove most of the rest of structs/acl_legacy.go

2021-09-29 17:11:01 -04:00 · 2021-09-29 17:11:01 -04:00 · 0ba5d0afcd
parent ab5cdce760
commit 0ba5d0afcd
5 changed files with 35 additions and 124 deletions
--- a/agent/consul/acl_endpoint_legacy.go
+++ b/agent/consul/acl_endpoint_legacy.go
@ -12,7 +12,7 @@ func (a *ACL) GetPolicy(*LegacyACLGetPolicy, *LegacyACLGetPolicy) error {
 	return fmt.Errorf("ACL.GetPolicy: the legacy ACL system has been removed")
 }

-func (a *ACL) Bootstrap(*structs.DCSpecificRequest, *structs.ACL) error {
+func (a *ACL) Bootstrap(*structs.DCSpecificRequest, *LegacyACLRequest) error {
 	return fmt.Errorf("ACL.Bootstrap: the legacy ACL system has been removed")
 }

@ -22,10 +22,10 @@ func (a *ACL) Apply(*LegacyACLRequest, *string) error {
 	return fmt.Errorf("ACL.Apply: the legacy ACL system has been removed")
 }

-func (a *ACL) Get(*structs.ACLSpecificRequest, *structs.IndexedACLs) error {
+func (a *ACL) Get(*LegacyACLRequest, *LegacyACLRequest) error {
 	return fmt.Errorf("ACL.Get: the legacy ACL system has been removed")
 }

-func (a *ACL) List(*structs.DCSpecificRequest, *structs.IndexedACLs) error {
+func (a *ACL) List(*structs.DCSpecificRequest, *LegacyACLRequest) error {
 	return fmt.Errorf("ACL.List: the legacy ACL system has been removed")
 }
--- a/agent/consul/fsm/snapshot_oss.go
+++ b/agent/consul/fsm/snapshot_oss.go
@ -16,7 +16,7 @@ func init() {
 	registerRestorer(structs.TombstoneRequestType, restoreTombstone)
 	registerRestorer(structs.SessionRequestType, restoreSession)
 	registerRestorer(structs.DeprecatedACLRequestType, restoreACL)
-	registerRestorer(structs.ACLBootstrapRequestType, restoreACLBootstrap)
+	registerRestorer(structs.ACLBootstrapRequestType, restoreACLBootstrap) // TODO(ACL-Legacy-Compat) - remove in phase 2
 	registerRestorer(structs.CoordinateBatchUpdateType, restoreCoordinates)
 	registerRestorer(structs.PreparedQueryRequestType, restorePreparedQuery)
 	registerRestorer(structs.AutopilotRequestType, restoreAutopilot)
@ -574,9 +574,17 @@ func restoreACL(header *SnapshotHeader, restore *state.Restore, decoder *codec.D
 	return nil
 }

-// DEPRECATED (ACL-Legacy-Compat) - remove once v1 acl compat is removed
-func restoreACLBootstrap(header *SnapshotHeader, restore *state.Restore, decoder *codec.Decoder) error {
-	var req structs.ACLBootstrap
+// TODO(ACL-Legacy-Compat) - remove in phase 2
+func restoreACLBootstrap(_ *SnapshotHeader, restore *state.Restore, decoder *codec.Decoder) error {
+	type ACLBootstrap struct {
+		// AllowBootstrap will only be true if no existing management tokens
+		// have been found.
+		AllowBootstrap bool
+
+		structs.RaftIndex
+	}
+
+	var req ACLBootstrap
 	if err := decoder.Decode(&req); err != nil {
 		return err
 	}
--- a/agent/consul/fsm/snapshot_oss_test.go
+++ b/agent/consul/fsm/snapshot_oss_test.go
@ -2,6 +2,7 @@ package fsm

 import (
 	"bytes"
+	"fmt"
 	"testing"
 	"time"

@ -581,7 +582,7 @@ func TestFSM_SnapshotRestore_OSS(t *testing.T) {
 	require.NotNil(t, rtoken)
 	require.NotEmpty(t, rtoken.Hash)

-	restoredACL, err := rtoken.Convert()
+	restoredACL, err := convertACLTokenToLegacy(rtoken)
 	require.NoError(t, err)
 	require.Equal(t, &acl, restoredACL)

@ -734,6 +735,23 @@ func TestFSM_SnapshotRestore_OSS(t *testing.T) {
 	}
 }

+// convertACLTokenToLegacy attempts to convert an ACLToken into an legacy ACL.
+// TODO(ACL-Legacy-Compat): remove in phase 2, used by snapshot restore
+func convertACLTokenToLegacy(tok *structs.ACLToken) (*structs.ACL, error) {
+	if tok.Type == "" {
+		return nil, fmt.Errorf("Cannot convert ACLToken into compat token")
+	}
+
+	compat := &structs.ACL{
+		ID:        tok.SecretID,
+		Name:      tok.Description,
+		Type:      tok.Type,
+		Rules:     tok.Rules,
+		RaftIndex: tok.RaftIndex,
+	}
+	return compat, nil
+}
+
 func TestFSM_BadRestore_OSS(t *testing.T) {
 	t.Parallel()
 	// Create an FSM with some state.
--- a/agent/structs/acl_legacy.go
+++ b/agent/structs/acl_legacy.go
@ -6,10 +6,6 @@

 package structs

-import (
-	"fmt"
-)
-
 const (
 	// ACLTokenTypeClient tokens have rules applied
 	ACLTokenTypeClient = "client"
@ -17,9 +13,6 @@ const (
 	// ACLTokenTypeManagement tokens have an always allow policy, so they can
 	// make other tokens and can access all resources.
 	ACLTokenTypeManagement = "management"
-
-	// ACLTokenTypeNone
-	ACLTokenTypeNone = ""
 )

 // ACL is used to represent a token and its rules
@ -32,14 +25,11 @@ type ACL struct {
 	RaftIndex
 }

-// ACLs is a slice of ACLs.
-type ACLs []*ACL
-
 // Convert does a 1-1 mapping of the ACLCompat structure to its ACLToken
 // equivalent. This will NOT fill in the other ACLToken fields or perform any other
 // upgrade (other than correcting an older HCL syntax that is no longer
 // supported).
-// TODO(ACL-Legacy-Compat): remove
+// TODO(ACL-Legacy-Compat): remove in phase 2, used by snapshot restore
 func (a *ACL) Convert() *ACLToken {
 	// Ensure that we correct any old HCL in legacy tokens to prevent old
 	// syntax from leaking elsewhere into the system.
@ -66,48 +56,3 @@ func (a *ACL) Convert() *ACLToken {
 	token.SetHash(true)
 	return token
 }
-
-// Convert attempts to convert an ACLToken into an ACLCompat.
-// TODO(ACL-Legacy-Compat): remove
-func (tok *ACLToken) Convert() (*ACL, error) {
-	if tok.Type == "" {
-		return nil, fmt.Errorf("Cannot convert ACLToken into compat token")
-	}
-
-	compat := &ACL{
-		ID:        tok.SecretID,
-		Name:      tok.Description,
-		Type:      tok.Type,
-		Rules:     tok.Rules,
-		RaftIndex: tok.RaftIndex,
-	}
-	return compat, nil
-}
-
-// ACLSpecificRequest is used to request an ACL by ID
-type ACLSpecificRequest struct {
-	Datacenter string
-	ACL        string
-	QueryOptions
-}
-
-// RequestDatacenter returns the DC this request is targeted to.
-func (r *ACLSpecificRequest) RequestDatacenter() string {
-	return r.Datacenter
-}
-
-// IndexedACLs has tokens along with the Raft metadata about them.
-type IndexedACLs struct {
-	ACLs ACLs
-	QueryMeta
-}
-
-// ACLBootstrap keeps track of whether bootstrapping ACLs is allowed for a
-// cluster.
-type ACLBootstrap struct {
-	// AllowBootstrap will only be true if no existing management tokens
-	// have been found.
-	AllowBootstrap bool
-
-	RaftIndex
-}
--- a/agent/structs/acl_legacy_test.go
+++ b/agent/structs/acl_legacy_test.go
@ -27,63 +27,3 @@ func TestStructs_ACL_Convert(t *testing.T) {
 	require.Equal(t, acl.ModifyIndex, token.ModifyIndex)
 	require.NotEmpty(t, token.Hash)
 }
-
-func TestStructs_ACLToken_Convert(t *testing.T) {
-
-	t.Run("Management", func(t *testing.T) {
-		token := &ACLToken{
-			AccessorID:  "6c4eb178-c7f3-4620-b899-91eb8696c265",
-			SecretID:    "67c29ecd-cabc-42e0-a20e-771e9a1ab70c",
-			Description: "new token",
-			Policies: []ACLTokenPolicyLink{
-				{
-					ID: ACLPolicyGlobalManagementID,
-				},
-			},
-			Type: ACLTokenTypeManagement,
-		}
-
-		acl, err := token.Convert()
-		require.NoError(t, err)
-		require.Equal(t, token.SecretID, acl.ID)
-		require.Equal(t, token.Type, acl.Type)
-		require.Equal(t, token.Description, acl.Name)
-		require.Equal(t, "", acl.Rules)
-	})
-
-	t.Run("Client", func(t *testing.T) {
-		token := &ACLToken{
-			AccessorID:  "6c4eb178-c7f3-4620-b899-91eb8696c265",
-			SecretID:    "67c29ecd-cabc-42e0-a20e-771e9a1ab70c",
-			Description: "new token",
-			Policies:    nil,
-			Type:        ACLTokenTypeClient,
-			Rules:       `acl = "read"`,
-		}
-
-		acl, err := token.Convert()
-		require.NoError(t, err)
-		require.Equal(t, token.SecretID, acl.ID)
-		require.Equal(t, token.Type, acl.Type)
-		require.Equal(t, token.Description, acl.Name)
-		require.Equal(t, token.Rules, acl.Rules)
-	})
-
-	t.Run("Unconvertible", func(t *testing.T) {
-		token := &ACLToken{
-			AccessorID:  "6c4eb178-c7f3-4620-b899-91eb8696c265",
-			SecretID:    "67c29ecd-cabc-42e0-a20e-771e9a1ab70c",
-			Description: "new token",
-			Policies: []ACLTokenPolicyLink{
-				{
-					ID: ACLPolicyGlobalManagementID,
-				},
-			},
-		}
-
-		acl, err := token.Convert()
-		require.Error(t, err)
-		require.Nil(t, acl)
-	})
-
-}