Merge pull request #12780 from hashicorp/oss-expanded-token-fix

oss: Fix namespace default field names in expanded token output

agent/consul/acl_endpoint.go

@@ -381,6 +381,9 @@ func (a *ACL) lookupExpandedTokenInfo(ws memdb.WatchSet, state *state.Store, tok
 		if err != nil {
 			return tokenInfo, err
 		}
+		if role == nil {
+			continue
+		}
 
 		for _, policy := range role.Policies {
 			policyIDs[policy.ID] = struct{}{}
@@ -404,6 +407,9 @@ func (a *ACL) lookupExpandedTokenInfo(ws memdb.WatchSet, state *state.Store, tok
 		if err != nil {
 			return tokenInfo, err
 		}
+		if policy == nil {
+			continue
+		}
 		policies = append(policies, policy)
 	}
 	for _, policy := range identityPolicies {

api/acl.go

@@ -66,8 +66,8 @@ type ACLTokenExpanded struct {
 	ExpandedPolicies []ACLPolicy
 	ExpandedRoles    []ACLRole
 
-	NamespaceDefaultPolicies []string
+	NamespaceDefaultPolicyIDs []string
-	NamespaceDefaultRoles    []string
+	NamespaceDefaultRoleIDs   []string
 
 	AgentACLDefaultPolicy string
 	AgentACLDownPolicy    string

command/acl/token/formatter.go

@@ -239,17 +239,17 @@ func (f *prettyFormatter) FormatTokenExpanded(token *api.ACLTokenExpanded) (stri
 
 	buffer.WriteString("=== End of Authorizer Layer 0: Token ===\n")
 
-	if len(token.NamespaceDefaultPolicies) > 0 || len(token.NamespaceDefaultRoles) > 0 {
+	if len(token.NamespaceDefaultPolicyIDs) > 0 || len(token.NamespaceDefaultRoleIDs) > 0 {
 		buffer.WriteString("=== Start of Authorizer Layer 1: Token Namespace’s Defaults (Inherited) ===\n")
 		buffer.WriteString(fmt.Sprintf("Description: ACL Roles inherited by all Tokens in Namespace %q\n\n", token.Namespace))
 
 		buffer.WriteString("Namespace Policy Defaults:\n")
-		for _, policyID := range token.NamespaceDefaultPolicies {
+		for _, policyID := range token.NamespaceDefaultPolicyIDs {
 			formatPolicy(policies[policyID], WHITESPACE_2)
 		}
 
 		buffer.WriteString("Namespace Role Defaults:\n")
-		for _, roleID := range token.NamespaceDefaultRoles {
+		for _, roleID := range token.NamespaceDefaultRoleIDs {
 			formatRole(roles[roleID], WHITESPACE_2)
 		}
 

command/acl/token/formatter_test.go

@@ -408,11 +408,11 @@ var expandedTokenTestCases = map[string]testCase{
 					},
 				},
 			},
-			NamespaceDefaultPolicies: []string{"2b582ff1-4a43-457f-8a2b-30a8265e29a5"},
+			NamespaceDefaultPolicyIDs: []string{"2b582ff1-4a43-457f-8a2b-30a8265e29a5"},
-			NamespaceDefaultRoles:    []string{"56033f2b-e1a6-4905-b71d-e011c862bc65"},
+			NamespaceDefaultRoleIDs:   []string{"56033f2b-e1a6-4905-b71d-e011c862bc65"},
-			AgentACLDefaultPolicy:    "deny",
+			AgentACLDefaultPolicy:     "deny",
-			AgentACLDownPolicy:       "extend-cache",
+			AgentACLDownPolicy:        "extend-cache",
-			ResolvedByAgent:          "server-1",
+			ResolvedByAgent:           "server-1",
 			ACLToken: api.ACLToken{
 				AccessorID:          "fbd2447f-7479-4329-ad13-b021d74f86ba",
 				SecretID:            "869c6e91-4de9-4dab-b56e-87548435f9c6",

command/acl/token/testdata/FormatTokenExpanded/oss/basic.json.golden

@@ -22,8 +22,8 @@
         }
     ],
     "ExpandedRoles": null,
-    "NamespaceDefaultPolicies": null,
+    "NamespaceDefaultPolicyIDs": null,
-    "NamespaceDefaultRoles": null,
+    "NamespaceDefaultRoleIDs": null,
     "AgentACLDefaultPolicy": "allow",
     "AgentACLDownPolicy": "deny",
     "ResolvedByAgent": "leader",

command/acl/token/testdata/FormatTokenExpanded/oss/complex.json.golden

@@ -133,10 +133,10 @@
             "ModifyIndex": 0
         }
     ],
-    "NamespaceDefaultPolicies": [
+    "NamespaceDefaultPolicyIDs": [
         "2b582ff1-4a43-457f-8a2b-30a8265e29a5"
     ],
-    "NamespaceDefaultRoles": [
+    "NamespaceDefaultRoleIDs": [
         "56033f2b-e1a6-4905-b71d-e011c862bc65"
     ],
     "AgentACLDefaultPolicy": "deny",