Merge pull request #11183 from hashicorp/dnephin/acl-legacy-remove-struct
acl: remove the remaining parts of structs/acl_legacy.go
This commit is contained in:
Daniel Nephin
GitHub
commit
6256633120
|
|
@ -3,7 +3,6 @@ package consul
|
|||
import (
|
||||
"github.com/hashicorp/consul/acl"
|
||||
"github.com/hashicorp/consul/agent/structs"
|
||||
"github.com/hashicorp/consul/lib/serf"
|
||||
)
|
||||
|
||||
var clientACLCacheConfig *structs.ACLCachesConfig = &structs.ACLCachesConfig{
|
||||
|
|
@ -80,8 +79,3 @@ func (c *Client) ResolveTokenAndDefaultMeta(token string, entMeta *structs.Enter
|
|||
|
||||
return authz, err
|
||||
}
|
||||
|
||||
func (c *Client) updateSerfTags(key, value string) {
|
||||
// Update the LAN serf
|
||||
serf.UpdateTag(c.serf, key, value)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ func (a *ACL) GetPolicy(*LegacyACLGetPolicy, *LegacyACLGetPolicy) error {
|
|||
return fmt.Errorf("ACL.GetPolicy: the legacy ACL system has been removed")
|
||||
}
|
||||
|
||||
func (a *ACL) Bootstrap(*structs.DCSpecificRequest, *structs.ACL) error {
|
||||
func (a *ACL) Bootstrap(*structs.DCSpecificRequest, *LegacyACLRequest) error {
|
||||
return fmt.Errorf("ACL.Bootstrap: the legacy ACL system has been removed")
|
||||
}
|
||||
|
||||
|
|
@ -22,10 +22,10 @@ func (a *ACL) Apply(*LegacyACLRequest, *string) error {
|
|||
return fmt.Errorf("ACL.Apply: the legacy ACL system has been removed")
|
||||
}
|
||||
|
||||
func (a *ACL) Get(*structs.ACLSpecificRequest, *structs.IndexedACLs) error {
|
||||
func (a *ACL) Get(*LegacyACLRequest, *LegacyACLRequest) error {
|
||||
return fmt.Errorf("ACL.Get: the legacy ACL system has been removed")
|
||||
}
|
||||
|
||||
func (a *ACL) List(*structs.DCSpecificRequest, *structs.IndexedACLs) error {
|
||||
func (a *ACL) List(*structs.DCSpecificRequest, *LegacyACLRequest) error {
|
||||
return fmt.Errorf("ACL.List: the legacy ACL system has been removed")
|
||||
}
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@ func init() {
|
|||
registerRestorer(structs.KVSRequestType, restoreKV)
|
||||
registerRestorer(structs.TombstoneRequestType, restoreTombstone)
|
||||
registerRestorer(structs.SessionRequestType, restoreSession)
|
||||
registerRestorer(structs.DeprecatedACLRequestType, restoreACL)
|
||||
registerRestorer(structs.DeprecatedACLRequestType, restoreACL) // TODO(ACL-Legacy-Compat) - remove in phase 2
|
||||
registerRestorer(structs.ACLBootstrapRequestType, restoreACLBootstrap)
|
||||
registerRestorer(structs.CoordinateBatchUpdateType, restoreCoordinates)
|
||||
registerRestorer(structs.PreparedQueryRequestType, restorePreparedQuery)
|
||||
|
|
@ -562,8 +562,9 @@ func restoreSession(header *SnapshotHeader, restore *state.Restore, decoder *cod
|
|||
return nil
|
||||
}
|
||||
|
||||
func restoreACL(header *SnapshotHeader, restore *state.Restore, decoder *codec.Decoder) error {
|
||||
var req structs.ACL
|
||||
// TODO(ACL-Legacy-Compat) - remove in phase 2
|
||||
func restoreACL(_ *SnapshotHeader, restore *state.Restore, decoder *codec.Decoder) error {
|
||||
var req LegacyACL
|
||||
if err := decoder.Decode(&req); err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
@ -574,9 +575,51 @@ func restoreACL(header *SnapshotHeader, restore *state.Restore, decoder *codec.D
|
|||
return nil
|
||||
}
|
||||
|
||||
// DEPRECATED (ACL-Legacy-Compat) - remove once v1 acl compat is removed
|
||||
func restoreACLBootstrap(header *SnapshotHeader, restore *state.Restore, decoder *codec.Decoder) error {
|
||||
var req structs.ACLBootstrap
|
||||
// TODO(ACL-Legacy-Compat) - remove in phase 2
|
||||
type LegacyACL struct {
|
||||
ID string
|
||||
Name string
|
||||
Type string
|
||||
Rules string
|
||||
|
||||
structs.RaftIndex
|
||||
}
|
||||
|
||||
// TODO(ACL-Legacy-Compat): remove in phase 2, used by snapshot restore
|
||||
func (a LegacyACL) Convert() *structs.ACLToken {
|
||||
correctedRules := structs.SanitizeLegacyACLTokenRules(a.Rules)
|
||||
if correctedRules != "" {
|
||||
a.Rules = correctedRules
|
||||
}
|
||||
|
||||
token := &structs.ACLToken{
|
||||
AccessorID: "",
|
||||
SecretID: a.ID,
|
||||
Description: a.Name,
|
||||
Policies: nil,
|
||||
ServiceIdentities: nil,
|
||||
NodeIdentities: nil,
|
||||
Type: a.Type,
|
||||
Rules: a.Rules,
|
||||
Local: false,
|
||||
RaftIndex: a.RaftIndex,
|
||||
}
|
||||
|
||||
token.SetHash(true)
|
||||
return token
|
||||
}
|
||||
|
||||
// TODO(ACL-Legacy-Compat) - remove in phase 2
|
||||
func restoreACLBootstrap(_ *SnapshotHeader, restore *state.Restore, decoder *codec.Decoder) error {
|
||||
type ACLBootstrap struct {
|
||||
// AllowBootstrap will only be true if no existing management tokens
|
||||
// have been found.
|
||||
AllowBootstrap bool
|
||||
|
||||
structs.RaftIndex
|
||||
}
|
||||
|
||||
var req ACLBootstrap
|
||||
if err := decoder.Decode(&req); err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,6 +2,7 @@ package fsm
|
|||
|
||||
import (
|
||||
"bytes"
|
||||
"fmt"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
|
|
@ -455,7 +456,7 @@ func TestFSM_SnapshotRestore_OSS(t *testing.T) {
|
|||
_, err = sink.Write([]byte{byte(structs.DeprecatedACLRequestType)})
|
||||
require.NoError(t, err)
|
||||
|
||||
acl := structs.ACL{
|
||||
acl := LegacyACL{
|
||||
ID: "1057354f-69ef-4487-94ab-aead3c755445",
|
||||
Name: "test-legacy",
|
||||
Type: "client",
|
||||
|
|
@ -581,7 +582,7 @@ func TestFSM_SnapshotRestore_OSS(t *testing.T) {
|
|||
require.NotNil(t, rtoken)
|
||||
require.NotEmpty(t, rtoken.Hash)
|
||||
|
||||
restoredACL, err := rtoken.Convert()
|
||||
restoredACL, err := convertACLTokenToLegacy(rtoken)
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, &acl, restoredACL)
|
||||
|
||||
|
|
@ -734,6 +735,23 @@ func TestFSM_SnapshotRestore_OSS(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
// convertACLTokenToLegacy attempts to convert an ACLToken into an legacy ACL.
|
||||
// TODO(ACL-Legacy-Compat): remove in phase 2, used by snapshot restore
|
||||
func convertACLTokenToLegacy(tok *structs.ACLToken) (*LegacyACL, error) {
|
||||
if tok.Type == "" {
|
||||
return nil, fmt.Errorf("Cannot convert ACLToken into compat token")
|
||||
}
|
||||
|
||||
compat := &LegacyACL{
|
||||
ID: tok.SecretID,
|
||||
Name: tok.Description,
|
||||
Type: tok.Type,
|
||||
Rules: tok.Rules,
|
||||
RaftIndex: tok.RaftIndex,
|
||||
}
|
||||
return compat, nil
|
||||
}
|
||||
|
||||
func TestFSM_BadRestore_OSS(t *testing.T) {
|
||||
t.Parallel()
|
||||
// Create an FSM with some state.
|
||||
|
|
|
|||
|
|
@ -344,6 +344,8 @@ func (s *Server) revokeLeadership() {
|
|||
|
||||
s.stopConfigReplication()
|
||||
|
||||
s.stopACLReplication()
|
||||
|
||||
s.stopConnectLeader()
|
||||
|
||||
s.stopACLTokenReaping()
|
||||
|
|
|
|||
|
|
@ -6,10 +6,6 @@
|
|||
|
||||
package structs
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
)
|
||||
|
||||
const (
|
||||
// ACLTokenTypeClient tokens have rules applied
|
||||
ACLTokenTypeClient = "client"
|
||||
|
|
@ -17,97 +13,4 @@ const (
|
|||
// ACLTokenTypeManagement tokens have an always allow policy, so they can
|
||||
// make other tokens and can access all resources.
|
||||
ACLTokenTypeManagement = "management"
|
||||
|
||||
// ACLTokenTypeNone
|
||||
ACLTokenTypeNone = ""
|
||||
)
|
||||
|
||||
// ACL is used to represent a token and its rules
|
||||
type ACL struct {
|
||||
ID string
|
||||
Name string
|
||||
Type string
|
||||
Rules string
|
||||
|
||||
RaftIndex
|
||||
}
|
||||
|
||||
// ACLs is a slice of ACLs.
|
||||
type ACLs []*ACL
|
||||
|
||||
// Convert does a 1-1 mapping of the ACLCompat structure to its ACLToken
|
||||
// equivalent. This will NOT fill in the other ACLToken fields or perform any other
|
||||
// upgrade (other than correcting an older HCL syntax that is no longer
|
||||
// supported).
|
||||
// TODO(ACL-Legacy-Compat): remove
|
||||
func (a *ACL) Convert() *ACLToken {
|
||||
// Ensure that we correct any old HCL in legacy tokens to prevent old
|
||||
// syntax from leaking elsewhere into the system.
|
||||
//
|
||||
// DEPRECATED (ACL-Legacy-Compat)
|
||||
correctedRules := SanitizeLegacyACLTokenRules(a.Rules)
|
||||
if correctedRules != "" {
|
||||
a.Rules = correctedRules
|
||||
}
|
||||
|
||||
token := &ACLToken{
|
||||
AccessorID: "",
|
||||
SecretID: a.ID,
|
||||
Description: a.Name,
|
||||
Policies: nil,
|
||||
ServiceIdentities: nil,
|
||||
NodeIdentities: nil,
|
||||
Type: a.Type,
|
||||
Rules: a.Rules,
|
||||
Local: false,
|
||||
RaftIndex: a.RaftIndex,
|
||||
}
|
||||
|
||||
token.SetHash(true)
|
||||
return token
|
||||
}
|
||||
|
||||
// Convert attempts to convert an ACLToken into an ACLCompat.
|
||||
// TODO(ACL-Legacy-Compat): remove
|
||||
func (tok *ACLToken) Convert() (*ACL, error) {
|
||||
if tok.Type == "" {
|
||||
return nil, fmt.Errorf("Cannot convert ACLToken into compat token")
|
||||
}
|
||||
|
||||
compat := &ACL{
|
||||
ID: tok.SecretID,
|
||||
Name: tok.Description,
|
||||
Type: tok.Type,
|
||||
Rules: tok.Rules,
|
||||
RaftIndex: tok.RaftIndex,
|
||||
}
|
||||
return compat, nil
|
||||
}
|
||||
|
||||
// ACLSpecificRequest is used to request an ACL by ID
|
||||
type ACLSpecificRequest struct {
|
||||
Datacenter string
|
||||
ACL string
|
||||
QueryOptions
|
||||
}
|
||||
|
||||
// RequestDatacenter returns the DC this request is targeted to.
|
||||
func (r *ACLSpecificRequest) RequestDatacenter() string {
|
||||
return r.Datacenter
|
||||
}
|
||||
|
||||
// IndexedACLs has tokens along with the Raft metadata about them.
|
||||
type IndexedACLs struct {
|
||||
ACLs ACLs
|
||||
QueryMeta
|
||||
}
|
||||
|
||||
// ACLBootstrap keeps track of whether bootstrapping ACLs is allowed for a
|
||||
// cluster.
|
||||
type ACLBootstrap struct {
|
||||
// AllowBootstrap will only be true if no existing management tokens
|
||||
// have been found.
|
||||
AllowBootstrap bool
|
||||
|
||||
RaftIndex
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,89 +0,0 @@
|
|||
package structs
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
func TestStructs_ACL_Convert(t *testing.T) {
|
||||
|
||||
acl := &ACL{
|
||||
ID: "guid",
|
||||
Name: "AN ACL for testing",
|
||||
Type: "client",
|
||||
Rules: `service "" { policy "read" }`,
|
||||
}
|
||||
|
||||
token := acl.Convert()
|
||||
require.Equal(t, "", token.AccessorID)
|
||||
require.Equal(t, acl.ID, token.SecretID)
|
||||
require.Equal(t, acl.Type, token.Type)
|
||||
require.Equal(t, acl.Name, token.Description)
|
||||
require.Nil(t, token.Policies)
|
||||
require.False(t, token.Local)
|
||||
require.Equal(t, acl.Rules, token.Rules)
|
||||
require.Equal(t, acl.CreateIndex, token.CreateIndex)
|
||||
require.Equal(t, acl.ModifyIndex, token.ModifyIndex)
|
||||
require.NotEmpty(t, token.Hash)
|
||||
}
|
||||
|
||||
func TestStructs_ACLToken_Convert(t *testing.T) {
|
||||
|
||||
t.Run("Management", func(t *testing.T) {
|
||||
token := &ACLToken{
|
||||
AccessorID: "6c4eb178-c7f3-4620-b899-91eb8696c265",
|
||||
SecretID: "67c29ecd-cabc-42e0-a20e-771e9a1ab70c",
|
||||
Description: "new token",
|
||||
Policies: []ACLTokenPolicyLink{
|
||||
{
|
||||
ID: ACLPolicyGlobalManagementID,
|
||||
},
|
||||
},
|
||||
Type: ACLTokenTypeManagement,
|
||||
}
|
||||
|
||||
acl, err := token.Convert()
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, token.SecretID, acl.ID)
|
||||
require.Equal(t, token.Type, acl.Type)
|
||||
require.Equal(t, token.Description, acl.Name)
|
||||
require.Equal(t, "", acl.Rules)
|
||||
})
|
||||
|
||||
t.Run("Client", func(t *testing.T) {
|
||||
token := &ACLToken{
|
||||
AccessorID: "6c4eb178-c7f3-4620-b899-91eb8696c265",
|
||||
SecretID: "67c29ecd-cabc-42e0-a20e-771e9a1ab70c",
|
||||
Description: "new token",
|
||||
Policies: nil,
|
||||
Type: ACLTokenTypeClient,
|
||||
Rules: `acl = "read"`,
|
||||
}
|
||||
|
||||
acl, err := token.Convert()
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, token.SecretID, acl.ID)
|
||||
require.Equal(t, token.Type, acl.Type)
|
||||
require.Equal(t, token.Description, acl.Name)
|
||||
require.Equal(t, token.Rules, acl.Rules)
|
||||
})
|
||||
|
||||
t.Run("Unconvertible", func(t *testing.T) {
|
||||
token := &ACLToken{
|
||||
AccessorID: "6c4eb178-c7f3-4620-b899-91eb8696c265",
|
||||
SecretID: "67c29ecd-cabc-42e0-a20e-771e9a1ab70c",
|
||||
Description: "new token",
|
||||
Policies: []ACLTokenPolicyLink{
|
||||
{
|
||||
ID: ACLPolicyGlobalManagementID,
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
acl, err := token.Convert()
|
||||
require.Error(t, err)
|
||||
require.Nil(t, acl)
|
||||
})
|
||||
|
||||
}
|
||||
|
|
@ -35,43 +35,6 @@ func TestStructs_ACLToken_PolicyIDs(t *testing.T) {
|
|||
require.Equal(t, "three", policyIDs[2])
|
||||
})
|
||||
|
||||
t.Run("Legacy Management", func(t *testing.T) {
|
||||
|
||||
a := &ACL{
|
||||
ID: "root",
|
||||
Type: ACLTokenTypeManagement,
|
||||
Name: "management",
|
||||
}
|
||||
|
||||
token := a.Convert()
|
||||
|
||||
policyIDs := token.PolicyIDs()
|
||||
require.Len(t, policyIDs, 0)
|
||||
|
||||
embedded := token.EmbeddedPolicy()
|
||||
require.NotNil(t, embedded)
|
||||
require.Equal(t, ACLPolicyGlobalManagement, embedded.Rules)
|
||||
})
|
||||
|
||||
t.Run("Legacy Management With Rules", func(t *testing.T) {
|
||||
|
||||
a := &ACL{
|
||||
ID: "root",
|
||||
Type: ACLTokenTypeManagement,
|
||||
Name: "management",
|
||||
Rules: "operator = \"write\"",
|
||||
}
|
||||
|
||||
token := a.Convert()
|
||||
|
||||
policyIDs := token.PolicyIDs()
|
||||
require.Len(t, policyIDs, 0)
|
||||
|
||||
embedded := token.EmbeddedPolicy()
|
||||
require.NotNil(t, embedded)
|
||||
require.Equal(t, ACLPolicyGlobalManagement, embedded.Rules)
|
||||
})
|
||||
|
||||
t.Run("No Policies", func(t *testing.T) {
|
||||
|
||||
token := &ACLToken{}
|
||||
|
|
|
|||
Loading…
Reference in New Issue