acl: Clarify node/service identities must be lowercase (#12807)
Modify ACL error message for invalid node/service identities names to clearly state only lowercase alphanumeric characters are supported.
This commit is contained in:
parent
8898d4eb1f
commit
2beea7eb7c
|
@ -0,0 +1,3 @@
|
||||||
|
```release-note:improvement
|
||||||
|
acl: Clarify node/service identities must be lowercase
|
||||||
|
```
|
|
@ -1142,6 +1142,41 @@ func TestACL_HTTP(t *testing.T) {
|
||||||
_, err := a.srv.ACLTokenCreate(resp, req)
|
_, err := a.srv.ACLTokenCreate(resp, req)
|
||||||
require.Error(t, err)
|
require.Error(t, err)
|
||||||
})
|
})
|
||||||
|
|
||||||
|
t.Run("Create with uppercase node identity", func(t *testing.T) {
|
||||||
|
tokenInput := &structs.ACLToken{
|
||||||
|
Description: "agent token for foo node",
|
||||||
|
NodeIdentities: []*structs.ACLNodeIdentity{
|
||||||
|
{
|
||||||
|
NodeName: "FOO",
|
||||||
|
Datacenter: "bar",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
req, _ := http.NewRequest("PUT", "/v1/acl/token?token=root", jsonBody(tokenInput))
|
||||||
|
resp := httptest.NewRecorder()
|
||||||
|
_, err := a.srv.ACLTokenCreate(resp, req)
|
||||||
|
require.Error(t, err)
|
||||||
|
testutil.RequireErrorContains(t, err, "Only lowercase alphanumeric")
|
||||||
|
})
|
||||||
|
|
||||||
|
t.Run("Create with uppercase service identity", func(t *testing.T) {
|
||||||
|
tokenInput := &structs.ACLToken{
|
||||||
|
Description: "token for service identity foo",
|
||||||
|
ServiceIdentities: []*structs.ACLServiceIdentity{
|
||||||
|
{
|
||||||
|
ServiceName: "FOO",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
req, _ := http.NewRequest("PUT", "/v1/acl/token?token=root", jsonBody(tokenInput))
|
||||||
|
resp := httptest.NewRecorder()
|
||||||
|
_, err := a.srv.ACLTokenCreate(resp, req)
|
||||||
|
require.Error(t, err)
|
||||||
|
testutil.RequireErrorContains(t, err, "Only lowercase alphanumeric")
|
||||||
|
})
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -770,7 +770,7 @@ func (a *ACL) tokenSetInternal(args *structs.ACLTokenSetRequest, reply *structs.
|
||||||
return fmt.Errorf("Service identity %q cannot specify a list of datacenters on a local token", svcid.ServiceName)
|
return fmt.Errorf("Service identity %q cannot specify a list of datacenters on a local token", svcid.ServiceName)
|
||||||
}
|
}
|
||||||
if !isValidServiceIdentityName(svcid.ServiceName) {
|
if !isValidServiceIdentityName(svcid.ServiceName) {
|
||||||
return fmt.Errorf("Service identity %q has an invalid name. Only alphanumeric characters, '-' and '_' are allowed", svcid.ServiceName)
|
return fmt.Errorf("Service identity %q has an invalid name. Only lowercase alphanumeric characters, '-' and '_' are allowed", svcid.ServiceName)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
token.ServiceIdentities = dedupeServiceIdentities(token.ServiceIdentities)
|
token.ServiceIdentities = dedupeServiceIdentities(token.ServiceIdentities)
|
||||||
|
@ -783,7 +783,7 @@ func (a *ACL) tokenSetInternal(args *structs.ACLTokenSetRequest, reply *structs.
|
||||||
return fmt.Errorf("Node identity is missing the datacenter field on this token")
|
return fmt.Errorf("Node identity is missing the datacenter field on this token")
|
||||||
}
|
}
|
||||||
if !isValidNodeIdentityName(nodeid.NodeName) {
|
if !isValidNodeIdentityName(nodeid.NodeName) {
|
||||||
return fmt.Errorf("Node identity has an invalid name. Only alphanumeric characters, '-' and '_' are allowed")
|
return fmt.Errorf("Node identity has an invalid name. Only lowercase alphanumeric characters, '-' and '_' are allowed")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
token.NodeIdentities = dedupeNodeIdentities(token.NodeIdentities)
|
token.NodeIdentities = dedupeNodeIdentities(token.NodeIdentities)
|
||||||
|
@ -1682,7 +1682,7 @@ func (a *ACL) RoleSet(args *structs.ACLRoleSetRequest, reply *structs.ACLRole) e
|
||||||
return fmt.Errorf("Service identity is missing the service name field on this role")
|
return fmt.Errorf("Service identity is missing the service name field on this role")
|
||||||
}
|
}
|
||||||
if !isValidServiceIdentityName(svcid.ServiceName) {
|
if !isValidServiceIdentityName(svcid.ServiceName) {
|
||||||
return fmt.Errorf("Service identity %q has an invalid name. Only alphanumeric characters, '-' and '_' are allowed", svcid.ServiceName)
|
return fmt.Errorf("Service identity %q has an invalid name. Only lowercase alphanumeric characters, '-' and '_' are allowed", svcid.ServiceName)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
role.ServiceIdentities = dedupeServiceIdentities(role.ServiceIdentities)
|
role.ServiceIdentities = dedupeServiceIdentities(role.ServiceIdentities)
|
||||||
|
@ -1695,7 +1695,7 @@ func (a *ACL) RoleSet(args *structs.ACLRoleSetRequest, reply *structs.ACLRole) e
|
||||||
return fmt.Errorf("Node identity is missing the datacenter field on this role")
|
return fmt.Errorf("Node identity is missing the datacenter field on this role")
|
||||||
}
|
}
|
||||||
if !isValidNodeIdentityName(nodeid.NodeName) {
|
if !isValidNodeIdentityName(nodeid.NodeName) {
|
||||||
return fmt.Errorf("Node identity has an invalid name. Only alphanumeric characters, '-' and '_' are allowed")
|
return fmt.Errorf("Node identity has an invalid name. Only lowercase alphanumeric characters, '-' and '_' are allowed")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
role.NodeIdentities = dedupeNodeIdentities(role.NodeIdentities)
|
role.NodeIdentities = dedupeNodeIdentities(role.NodeIdentities)
|
||||||
|
|
Loading…
Reference in New Issue