agent/local: only fallback to agent token for deletes

Fallback to the default user token for synching registrations.

agent/local/state.go

@@ -239,18 +239,13 @@ func (l *State) ServiceToken(id structs.ServiceID) string {
 }
 
 // aclTokenForServiceSync returns an ACL token associated with a service. If there is
-// no ACL token associated with the service, falls back to the agent token, then to the
-// user default token.
+// no ACL token associated with the service, fallback is used to return a value.
 // This method is not synchronized and the lock must already be held.
-func (l *State) aclTokenForServiceSync(id structs.ServiceID) string {
-	var token string
-	if s := l.services[id]; s != nil {
-		token = s.Token
+func (l *State) aclTokenForServiceSync(id structs.ServiceID, fallback func() string) string {
+	if s := l.services[id]; s != nil && s.Token != "" {
+		return s.Token
 	}
-	if token == "" {
-		token = l.tokens.AgentToken()
-	}
-	return token
+	return fallback()
 }
 
 // AddService is used to add a service entry to the local state.
@@ -457,19 +452,13 @@ func (l *State) CheckToken(id structs.CheckID) string {
 }
 
 // aclTokenForCheckSync returns an ACL token associated with a check. If there is
-// no ACL token associated with the check, falls back to the agent token, then to the
-// user default token.
+// no ACL token associated with the check, the callback is used to return a value.
 // This method is not synchronized and the lock must already be held.
-func (l *State) aclTokenForCheckSync(id structs.CheckID) string {
-	var token string
-	c := l.checks[id]
-	if c != nil {
-		token = c.Token
+func (l *State) aclTokenForCheckSync(id structs.CheckID, fallback func() string) string {
+	if c := l.checks[id]; c != nil && c.Token != "" {
+		return c.Token
 	}
-	if token == "" {
-		token = l.tokens.AgentToken()
-	}
-	return token
+	return fallback()
 }
 
 // AddCheck is used to add a health check to the local state.
@@ -1142,8 +1131,7 @@ func (l *State) deleteService(key structs.ServiceID) error {
 		return fmt.Errorf("ServiceID missing")
 	}
 
-	st := l.aclTokenForServiceSync(key)
-
+	st := l.aclTokenForServiceSync(key, l.tokens.AgentToken)
 	req := structs.DeregisterRequest{
 		Datacenter:     l.config.Datacenter,
 		Node:           l.config.NodeName,
@@ -1192,7 +1180,7 @@ func (l *State) deleteCheck(key structs.CheckID) error {
 		return fmt.Errorf("CheckID missing")
 	}
 
-	ct := l.aclTokenForCheckSync(key)
+	ct := l.aclTokenForCheckSync(key, l.tokens.AgentToken)
 	req := structs.DeregisterRequest{
 		Datacenter:     l.config.Datacenter,
 		Node:           l.config.NodeName,
@@ -1236,7 +1224,7 @@ func (l *State) pruneCheck(id structs.CheckID) {
 
 // syncService is used to sync a service to the server
 func (l *State) syncService(key structs.ServiceID) error {
-	st := l.aclTokenForServiceSync(key)
+	st := l.aclTokenForServiceSync(key, l.tokens.UserToken)
 
 	// If the service has associated checks that are out of sync,
 	// piggyback them on the service sync so they are part of the
@@ -1252,7 +1240,7 @@ func (l *State) syncService(key structs.ServiceID) error {
 		if !key.Matches(c.Check.CompoundServiceID()) {
 			continue
 		}
-		if st != l.aclTokenForCheckSync(checkKey) {
+		if st != l.aclTokenForCheckSync(checkKey, l.tokens.UserToken) {
 			continue
 		}
 		checks = append(checks, c.Check)
@@ -1318,7 +1306,7 @@ func (l *State) syncService(key structs.ServiceID) error {
 // syncCheck is used to sync a check to the server
 func (l *State) syncCheck(key structs.CheckID) error {
 	c := l.checks[key]
-	ct := l.aclTokenForCheckSync(key)
+	ct := l.aclTokenForCheckSync(key, l.tokens.UserToken)
 	req := structs.RegisterRequest{
 		Datacenter:      l.config.Datacenter,
 		ID:              l.config.NodeID,