From 39be0712646744186f2c47dec43539b2597ead1d Mon Sep 17 00:00:00 2001
From: Ashwin Venkatesh <ashwin@hashicorp.com>
Date: Thu, 17 Feb 2022 16:41:27 -0500
Subject: [PATCH] Parse datacenter from request (#12370)

* Parse datacenter from request
- Parse the value of the datacenter from the create/delete requests for AuthMethods and BindingRules so that they can be created in and deleted from the datacenters specified in the request.
---
 .changelog/12370.txt       |  3 +++
 agent/acl_endpoint.go      | 14 ++++++--------
 agent/acl_endpoint_test.go | 35 +++++++++++++++++++++++++++++++++++
 3 files changed, 44 insertions(+), 8 deletions(-)
 create mode 100644 .changelog/12370.txt

diff --git a/.changelog/12370.txt b/.changelog/12370.txt
new file mode 100644
index 000000000..6b184a63d
--- /dev/null
+++ b/.changelog/12370.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+agent: Parse datacenter from Create/Delete requests for AuthMethods and BindingRules.
+```
diff --git a/agent/acl_endpoint.go b/agent/acl_endpoint.go
index 952b3431d..5b9ddec3b 100644
--- a/agent/acl_endpoint.go
+++ b/agent/acl_endpoint.go
@@ -751,9 +751,8 @@ func (s *HTTPHandlers) ACLBindingRuleCreate(resp http.ResponseWriter, req *http.
 }
 
 func (s *HTTPHandlers) ACLBindingRuleWrite(resp http.ResponseWriter, req *http.Request, bindingRuleID string) (interface{}, error) {
-	args := structs.ACLBindingRuleSetRequest{
-		Datacenter: s.agent.config.Datacenter,
-	}
+	args := structs.ACLBindingRuleSetRequest{}
+	s.parseDC(req, &args.Datacenter)
 	s.parseToken(req, &args.Token)
 	if err := s.parseEntMeta(req, &args.BindingRule.EnterpriseMeta); err != nil {
 		return nil, err
@@ -779,9 +778,9 @@ func (s *HTTPHandlers) ACLBindingRuleWrite(resp http.ResponseWriter, req *http.R
 
 func (s *HTTPHandlers) ACLBindingRuleDelete(resp http.ResponseWriter, req *http.Request, bindingRuleID string) (interface{}, error) {
 	args := structs.ACLBindingRuleDeleteRequest{
-		Datacenter:    s.agent.config.Datacenter,
 		BindingRuleID: bindingRuleID,
 	}
+	s.parseDC(req, &args.Datacenter)
 	s.parseToken(req, &args.Token)
 	if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
 		return nil, err
@@ -898,9 +897,8 @@ func (s *HTTPHandlers) ACLAuthMethodCreate(resp http.ResponseWriter, req *http.R
 }
 
 func (s *HTTPHandlers) ACLAuthMethodWrite(resp http.ResponseWriter, req *http.Request, methodName string) (interface{}, error) {
-	args := structs.ACLAuthMethodSetRequest{
-		Datacenter: s.agent.config.Datacenter,
-	}
+	args := structs.ACLAuthMethodSetRequest{}
+	s.parseDC(req, &args.Datacenter)
 	s.parseToken(req, &args.Token)
 	if err := s.parseEntMeta(req, &args.AuthMethod.EnterpriseMeta); err != nil {
 		return nil, err
@@ -929,9 +927,9 @@ func (s *HTTPHandlers) ACLAuthMethodWrite(resp http.ResponseWriter, req *http.Re
 
 func (s *HTTPHandlers) ACLAuthMethodDelete(resp http.ResponseWriter, req *http.Request, methodName string) (interface{}, error) {
 	args := structs.ACLAuthMethodDeleteRequest{
-		Datacenter:     s.agent.config.Datacenter,
 		AuthMethodName: methodName,
 	}
+	s.parseDC(req, &args.Datacenter)
 	s.parseToken(req, &args.Token)
 	if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
 		return nil, err
diff --git a/agent/acl_endpoint_test.go b/agent/acl_endpoint_test.go
index 84efebc19..5087367d8 100644
--- a/agent/acl_endpoint_test.go
+++ b/agent/acl_endpoint_test.go
@@ -1222,6 +1222,26 @@ func TestACL_LoginProcedure_HTTP(t *testing.T) {
 			methodMap[method.Name] = method
 		})
 
+		t.Run("Create in remote datacenter", func(t *testing.T) {
+			methodInput := &structs.ACLAuthMethod{
+				Name:        "other",
+				Type:        "testing",
+				Description: "test",
+				Config: map[string]interface{}{
+					"SessionID": testSessionID,
+				},
+				TokenLocality: "global",
+				MaxTokenTTL:   500_000_000_000,
+			}
+
+			req, _ := http.NewRequest("PUT", "/v1/acl/auth-method?token=root&dc=remote", jsonBody(methodInput))
+			resp := httptest.NewRecorder()
+			_, err := a.srv.ACLAuthMethodCRUD(resp, req)
+			require.Error(t, err)
+			_, ok := err.(BadRequestError)
+			require.True(t, ok)
+		})
+
 		t.Run("Update Name URL Mismatch", func(t *testing.T) {
 			methodInput := &structs.ACLAuthMethod{
 				Name:        "test",
@@ -1394,6 +1414,21 @@ func TestACL_LoginProcedure_HTTP(t *testing.T) {
 			ruleMap[rule.ID] = rule
 		})
 
+		t.Run("Create in remote datacenter", func(t *testing.T) {
+			ruleInput := &structs.ACLBindingRule{
+				Description: "other",
+				AuthMethod:  "test",
+				Selector:    "serviceaccount.namespace==default",
+				BindType:    structs.BindingRuleBindTypeRole,
+				BindName:    "fancy-role",
+			}
+
+			req, _ := http.NewRequest("PUT", "/v1/acl/binding-rule?token=root&dc=remote", jsonBody(ruleInput))
+			resp := httptest.NewRecorder()
+			_, err := a.srv.ACLBindingRuleCRUD(resp, req)
+			require.EqualError(t, err, "No path to datacenter")
+		})
+
 		t.Run("BindingRule CRUD Missing ID in URL", func(t *testing.T) {
 			req, _ := http.NewRequest("GET", "/v1/acl/binding-rule/?token=root", nil)
 			resp := httptest.NewRecorder()