syncing changes back from enterprise (#12701)

acl/policy_merger.go

@@ -19,6 +19,8 @@ type policyRulesMergeContext struct {
 	servicePrefixRules       map[string]*ServiceRule
 	sessionRules             map[string]*SessionRule
 	sessionPrefixRules       map[string]*SessionRule
+	// namespaceRule is an enterprise-only field
+	namespaceRule string
 }
 
 func (p *policyRulesMergeContext) init() {

agent/delegate_mock_test.go

@@ -47,9 +47,9 @@ func (m *delegateMock) RemoveFailedNode(node string, prune bool, entMeta *struct
 	return m.Called(node, prune, entMeta).Error(0)
 }
 
-func (m *delegateMock) ResolveTokenAndDefaultMeta(token string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (acl.Authorizer, error) {
+func (m *delegateMock) ResolveTokenAndDefaultMeta(token string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (consul.ACLResolveResult, error) {
 	ret := m.Called(token, entMeta, authzContext)
-	return ret.Get(0).(acl.Authorizer), ret.Error(1)
+	return ret.Get(0).(consul.ACLResolveResult), ret.Error(1)
 }
 
 func (m *delegateMock) RPC(method string, args interface{}, reply interface{}) error {

api/acl_test.go

@@ -237,6 +237,10 @@ func prepTokenPolicies(t *testing.T, acl *ACL) (policies []*ACLPolicy) {
 }
 
 func prepTokenPoliciesInPartition(t *testing.T, acl *ACL, partition string) (policies []*ACLPolicy) {
+	datacenters := []string{"dc1", "dc2"}
+	if partition != "" && partition != "default" {
+		datacenters = []string{"dc1"}
+	}
 	var wqPart *WriteOptions
 	if partition != "" {
 		wqPart = &WriteOptions{Partition: partition}
@@ -245,7 +249,7 @@ func prepTokenPoliciesInPartition(t *testing.T, acl *ACL, partition string) (pol
 		Name:        "one",
 		Description: "one description",
 		Rules:       `acl = "read"`,
-		Datacenters: []string{"dc1", "dc2"},
+		Datacenters: datacenters,
 	}, wqPart)
 
 	require.NoError(t, err)
@@ -256,7 +260,7 @@ func prepTokenPoliciesInPartition(t *testing.T, acl *ACL, partition string) (pol
 		Name:        "two",
 		Description: "two description",
 		Rules:       `node_prefix "" { policy = "read" }`,
-		Datacenters: []string{"dc1", "dc2"},
+		Datacenters: datacenters,
 	}, wqPart)
 
 	require.NoError(t, err)

command/acl/authmethod/create/authmethod_create_test.go

@@ -9,15 +9,16 @@ import (
 	"testing"
 	"time"
 
+	"github.com/hashicorp/go-uuid"
+	"github.com/mitchellh/cli"
+	"github.com/stretchr/testify/require"
+
 	"github.com/hashicorp/consul/agent"
 	"github.com/hashicorp/consul/agent/connect"
 	"github.com/hashicorp/consul/api"
 	"github.com/hashicorp/consul/command/acl"
 	"github.com/hashicorp/consul/sdk/testutil"
 	"github.com/hashicorp/consul/testrpc"
-	"github.com/hashicorp/go-uuid"
-	"github.com/mitchellh/cli"
-	"github.com/stretchr/testify/require"
 
 	// activate testing auth method
 	_ "github.com/hashicorp/consul/agent/consul/authmethod/testauth"
@@ -293,6 +294,7 @@ func TestAuthMethodCreateCommand_JSON(t *testing.T) {
 		delete(raw, "CreateIndex")
 		delete(raw, "ModifyIndex")
 		delete(raw, "Namespace")
+		delete(raw, "Partition")
 
 		require.Equal(t, map[string]interface{}{
 			"Name":        name,
@@ -342,6 +344,7 @@ func TestAuthMethodCreateCommand_JSON(t *testing.T) {
 		delete(raw, "CreateIndex")
 		delete(raw, "ModifyIndex")
 		delete(raw, "Namespace")
+		delete(raw, "Partition")
 
 		require.Equal(t, map[string]interface{}{
 			"Name":          name,
@@ -613,6 +616,9 @@ func getTestMethod(t *testing.T, client *api.Client, methodName string) *api.ACL
 	if method.Namespace == "default" {
 		method.Namespace = ""
 	}
+	if method.Partition == "default" {
+		method.Partition = ""
+	}
 
 	return method
 }

command/acl/authmethod/update/authmethod_update_test.go

@@ -8,15 +8,16 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/hashicorp/go-uuid"
+	"github.com/mitchellh/cli"
+	"github.com/stretchr/testify/require"
+
 	"github.com/hashicorp/consul/agent"
 	"github.com/hashicorp/consul/agent/connect"
 	"github.com/hashicorp/consul/api"
 	"github.com/hashicorp/consul/command/acl"
 	"github.com/hashicorp/consul/sdk/testutil"
 	"github.com/hashicorp/consul/testrpc"
-	"github.com/hashicorp/go-uuid"
-	"github.com/mitchellh/cli"
-	"github.com/stretchr/testify/require"
 
 	// activate testing auth method
 	_ "github.com/hashicorp/consul/agent/consul/authmethod/testauth"
@@ -941,6 +942,9 @@ func getTestMethod(t *testing.T, client *api.Client, methodName string) *api.ACL
 	if method.Namespace == "default" {
 		method.Namespace = ""
 	}
+	if method.Partition == "default" {
+		method.Partition = ""
+	}
 
 	return method
 }

command/connect/expose/expose_test.go

@@ -3,11 +3,12 @@ package expose
 import (
 	"testing"
 
+	"github.com/mitchellh/cli"
+	"github.com/stretchr/testify/require"
+
 	"github.com/hashicorp/consul/agent"
 	"github.com/hashicorp/consul/api"
 	"github.com/hashicorp/consul/testrpc"
-	"github.com/mitchellh/cli"
-	"github.com/stretchr/testify/require"
 )
 
 func TestConnectExpose(t *testing.T) {
@@ -47,6 +48,7 @@ func TestConnectExpose(t *testing.T) {
 		Kind:      api.IngressGateway,
 		Name:      "ingress",
 		Namespace: ns,
+		Partition: ap,
 		Listeners: []api.IngressListener{
 			{
 				Port:     8888,
@@ -280,6 +282,7 @@ func TestConnectExpose_existingConfig(t *testing.T) {
 				},
 			},
 		})
+		ingressConf.Partition = entryConf.Partition
 		ingressConf.Namespace = entryConf.Namespace
 		for i, listener := range ingressConf.Listeners {
 			listener.Services[0].Namespace = entryConf.Listeners[i].Services[0].Namespace

test/integration/connect/envoy/case-basic/capture.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+snapshot_envoy_admin localhost:19000 s1 primary || true
+snapshot_envoy_admin localhost:19001 s2 primary || true

test/integration/connect/envoy/case-http/capture.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+snapshot_envoy_admin localhost:19000 s1 primary || true
+snapshot_envoy_admin localhost:19001 s2 primary || true