acl: move the legacy ACL struct to the one package where it is used
It is now only used for restoring snapshots. We can remove it in phase 2.
parent
0ba5d0afcd
commit
589b238374
|
@ -15,7 +15,7 @@ func init() {
|
|||
registerRestorer(structs.KVSRequestType, restoreKV)
|
||||
registerRestorer(structs.TombstoneRequestType, restoreTombstone)
|
||||
registerRestorer(structs.SessionRequestType, restoreSession)
|
||||
registerRestorer(structs.DeprecatedACLRequestType, restoreACL)
|
||||
registerRestorer(structs.DeprecatedACLRequestType, restoreACL) // TODO(ACL-Legacy-Compat) - remove in phase 2
|
||||
registerRestorer(structs.ACLBootstrapRequestType, restoreACLBootstrap) // TODO(ACL-Legacy-Compat) - remove in phase 2
|
||||
registerRestorer(structs.CoordinateBatchUpdateType, restoreCoordinates)
|
||||
registerRestorer(structs.PreparedQueryRequestType, restorePreparedQuery)
|
||||
|
@ -562,8 +562,9 @@ func restoreSession(header *SnapshotHeader, restore *state.Restore, decoder *cod
|
|||
return nil
|
||||
}
|
||||
|
||||
func restoreACL(header *SnapshotHeader, restore *state.Restore, decoder *codec.Decoder) error {
|
||||
var req structs.ACL
|
||||
// TODO(ACL-Legacy-Compat) - remove in phase 2
|
||||
func restoreACL(_ *SnapshotHeader, restore *state.Restore, decoder *codec.Decoder) error {
|
||||
var req LegacyACL
|
||||
if err := decoder.Decode(&req); err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -574,6 +575,40 @@ func restoreACL(header *SnapshotHeader, restore *state.Restore, decoder *codec.D
|
|||
return nil
|
||||
}
|
||||
|
||||
// TODO(ACL-Legacy-Compat) - remove in phase 2
|
||||
type LegacyACL struct {
|
||||
ID string
|
||||
Name string
|
||||
Type string
|
||||
Rules string
|
||||
|
||||
structs.RaftIndex
|
||||
}
|
||||
|
||||
// TODO(ACL-Legacy-Compat): remove in phase 2, used by snapshot restore
|
||||
func (a LegacyACL) Convert() *structs.ACLToken {
|
||||
correctedRules := structs.SanitizeLegacyACLTokenRules(a.Rules)
|
||||
if correctedRules != "" {
|
||||
a.Rules = correctedRules
|
||||
}
|
||||
|
||||
token := &structs.ACLToken{
|
||||
AccessorID: "",
|
||||
SecretID: a.ID,
|
||||
Description: a.Name,
|
||||
Policies: nil,
|
||||
ServiceIdentities: nil,
|
||||
NodeIdentities: nil,
|
||||
Type: a.Type,
|
||||
Rules: a.Rules,
|
||||
Local: false,
|
||||
RaftIndex: a.RaftIndex,
|
||||
}
|
||||
|
||||
token.SetHash(true)
|
||||
return token
|
||||
}
|
||||
|
||||
// TODO(ACL-Legacy-Compat) - remove in phase 2
|
||||
func restoreACLBootstrap(_ *SnapshotHeader, restore *state.Restore, decoder *codec.Decoder) error {
|
||||
type ACLBootstrap struct {
|
||||
|
|
|
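Review bot: `LegacyACL.Convert` in the third hunk arrives without the doc comment and the why-comment that the removed `(*ACL).Convert` carried, and no visible hunk adds a test for it, while `TestStructs_ACL_Convert` and the two "Legacy Management" subtests are deleted in this same commit. Restore the contract above the method, e.g. `// Convert does a 1-1 mapping of the legacy ACL to its ACLToken equivalent; it fills in no other ACLToken fields and only corrects old, unsupported HCL rule syntax.`, and keep `// Correct old HCL in legacy rules so the old syntax does not leak elsewhere into the system.` above the `SanitizeLegacyACLTokenRules` call. This is the path that turns a snapshot's legacy `ID` into a token `SecretID`, so moving the deleted assertions (empty `AccessorID`, `SecretID` equal to `ID`, non-empty `Hash`) into this package's tests would keep that mapping pinned until phase 2. The type is also exported although the commit message says it is only used for restoring snapshots; an unexported name would presumably do if nothing outside the package refers to it.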
@ -456,7 +456,7 @@ func TestFSM_SnapshotRestore_OSS(t *testing.T) {
|
|||
_, err = sink.Write([]byte{byte(structs.DeprecatedACLRequestType)})
|
||||
require.NoError(t, err)
|
||||
|
||||
acl := structs.ACL{
|
||||
acl := LegacyACL{
|
||||
ID: "1057354f-69ef-4487-94ab-aead3c755445",
|
||||
Name: "test-legacy",
|
||||
Type: "client",
|
||||
|
@ -737,12 +737,12 @@ func TestFSM_SnapshotRestore_OSS(t *testing.T) {
|
|||
|
||||
// convertACLTokenToLegacy attempts to convert an ACLToken into an legacy ACL.
|
||||
// TODO(ACL-Legacy-Compat): remove in phase 2, used by snapshot restore
|
||||
func convertACLTokenToLegacy(tok *structs.ACLToken) (*structs.ACL, error) {
|
||||
func convertACLTokenToLegacy(tok *structs.ACLToken) (*LegacyACL, error) {
|
||||
if tok.Type == "" {
|
||||
return nil, fmt.Errorf("Cannot convert ACLToken into compat token")
|
||||
}
|
||||
|
||||
compat := &structs.ACL{
|
||||
compat := &LegacyACL{
|
||||
ID: tok.SecretID,
|
||||
Name: tok.Description,
|
||||
Type: tok.Type,
|
||||
|
|
|
@ -14,45 +14,3 @@ const (
|
|||
// make other tokens and can access all resources.
|
||||
ACLTokenTypeManagement = "management"
|
||||
)
|
||||
|
||||
// ACL is used to represent a token and its rules
|
||||
type ACL struct {
|
||||
ID string
|
||||
Name string
|
||||
Type string
|
||||
Rules string
|
||||
|
||||
RaftIndex
|
||||
}
|
||||
|
||||
// Convert does a 1-1 mapping of the ACLCompat structure to its ACLToken
|
||||
// equivalent. This will NOT fill in the other ACLToken fields or perform any other
|
||||
// upgrade (other than correcting an older HCL syntax that is no longer
|
||||
// supported).
|
||||
// TODO(ACL-Legacy-Compat): remove in phase 2, used by snapshot restore
|
||||
func (a *ACL) Convert() *ACLToken {
|
||||
// Ensure that we correct any old HCL in legacy tokens to prevent old
|
||||
// syntax from leaking elsewhere into the system.
|
||||
//
|
||||
// DEPRECATED (ACL-Legacy-Compat)
|
||||
correctedRules := SanitizeLegacyACLTokenRules(a.Rules)
|
||||
if correctedRules != "" {
|
||||
a.Rules = correctedRules
|
||||
}
|
||||
|
||||
token := &ACLToken{
|
||||
AccessorID: "",
|
||||
SecretID: a.ID,
|
||||
Description: a.Name,
|
||||
Policies: nil,
|
||||
ServiceIdentities: nil,
|
||||
NodeIdentities: nil,
|
||||
Type: a.Type,
|
||||
Rules: a.Rules,
|
||||
Local: false,
|
||||
RaftIndex: a.RaftIndex,
|
||||
}
|
||||
|
||||
token.SetHash(true)
|
||||
return token
|
||||
}
|
||||
|
|
|
@ -1,29 +0,0 @@
|
|||
package structs
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
func TestStructs_ACL_Convert(t *testing.T) {
|
||||
|
||||
acl := &ACL{
|
||||
ID: "guid",
|
||||
Name: "AN ACL for testing",
|
||||
Type: "client",
|
||||
Rules: `service "" { policy "read" }`,
|
||||
}
|
||||
|
||||
token := acl.Convert()
|
||||
require.Equal(t, "", token.AccessorID)
|
||||
require.Equal(t, acl.ID, token.SecretID)
|
||||
require.Equal(t, acl.Type, token.Type)
|
||||
require.Equal(t, acl.Name, token.Description)
|
||||
require.Nil(t, token.Policies)
|
||||
require.False(t, token.Local)
|
||||
require.Equal(t, acl.Rules, token.Rules)
|
||||
require.Equal(t, acl.CreateIndex, token.CreateIndex)
|
||||
require.Equal(t, acl.ModifyIndex, token.ModifyIndex)
|
||||
require.NotEmpty(t, token.Hash)
|
||||
}
|
|
@ -35,43 +35,6 @@ func TestStructs_ACLToken_PolicyIDs(t *testing.T) {
|
|||
require.Equal(t, "three", policyIDs[2])
|
||||
})
|
||||
|
||||
t.Run("Legacy Management", func(t *testing.T) {
|
||||
|
||||
a := &ACL{
|
||||
ID: "root",
|
||||
Type: ACLTokenTypeManagement,
|
||||
Name: "management",
|
||||
}
|
||||
|
||||
token := a.Convert()
|
||||
|
||||
policyIDs := token.PolicyIDs()
|
||||
require.Len(t, policyIDs, 0)
|
||||
|
||||
embedded := token.EmbeddedPolicy()
|
||||
require.NotNil(t, embedded)
|
||||
require.Equal(t, ACLPolicyGlobalManagement, embedded.Rules)
|
||||
})
|
||||
|
||||
t.Run("Legacy Management With Rules", func(t *testing.T) {
|
||||
|
||||
a := &ACL{
|
||||
ID: "root",
|
||||
Type: ACLTokenTypeManagement,
|
||||
Name: "management",
|
||||
Rules: "operator = \"write\"",
|
||||
}
|
||||
|
||||
token := a.Convert()
|
||||
|
||||
policyIDs := token.PolicyIDs()
|
||||
require.Len(t, policyIDs, 0)
|
||||
|
||||
embedded := token.EmbeddedPolicy()
|
||||
require.NotNil(t, embedded)
|
||||
require.Equal(t, ACLPolicyGlobalManagement, embedded.Rules)
|
||||
})
|
||||
|
||||
t.Run("No Policies", func(t *testing.T) {
|
||||
|
||||
token := &ACLToken{}
|
||||
|
|