From 62c09b2d0aab1f1abb21dde087d14121bf16af18 Mon Sep 17 00:00:00 2001
From: Daniel Nephin
Date: Sat, 22 Jan 2022 14:07:26 -0500
Subject: [PATCH] acl: embed ACLResolver in Client and Server
In preparation for removing duplicate resolve token methods.
---
 agent/consul/acl_client.go | 4 ++--
 agent/consul/acl_endpoint.go | 22 ++++++++++-----------
 agent/consul/acl_server.go | 10 +++++-----
 agent/consul/acl_test.go | 6 +++---
 agent/consul/acl_token_exp.go | 2 +-
 agent/consul/client.go | 6 +++---
 agent/consul/intention_endpoint.go | 2 +-
 agent/consul/internal_endpoint.go | 2 +-
 agent/consul/leader.go | 2 +-
 agent/consul/operator_autopilot_endpoint.go | 8 ++++----
 agent/consul/operator_raft_endpoint.go | 4 ++--
 agent/consul/server.go | 8 ++++----
 agent/consul/server_serf.go | 2 +-
 13 files changed, 39 insertions(+), 39 deletions(-)
diff --git a/agent/consul/acl_client.go b/agent/consul/acl_client.go
index 36f3f19a7..89fcd1b81 100644
--- a/agent/consul/acl_client.go
+++ b/agent/consul/acl_client.go
@@ -48,12 +48,12 @@ func (c *Client) ResolveTokenToIdentity(token string) (structs.ACLIdentity, erro
 // not using ResolveTokenToIdentityAndAuthorizer because in this case we don't
 // need to resolve the roles, policies and namespace but just want the identity
 // information such as accessor id.
- return c.acls.ResolveTokenToIdentity(token)
+ return c.ACLResolver.ResolveTokenToIdentity(token)
 }
 // TODO: Server has an identical implementation, remove duplication
 func (c *Client) ResolveTokenAndDefaultMeta(token string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (acl.Authorizer, error) {
- identity, authz, err := c.acls.ResolveTokenToIdentityAndAuthorizer(token)
+ identity, authz, err := c.ACLResolver.ResolveTokenToIdentityAndAuthorizer(token)
 if err != nil {
 return nil, err
 }
diff --git a/agent/consul/acl_endpoint.go b/agent/consul/acl_endpoint.go
index 376278c83..13799c318 100644
--- a/agent/consul/acl_endpoint.go
+++ b/agent/consul/acl_endpoint.go
@@ -724,7 +724,7 @@ func (a *ACL) tokenSetInternal(args *structs.ACLTokenSetRequest, reply *structs.
 }
 // Purge the identity from the cache to prevent using the previous definition of the identity
- a.srv.acls.cache.RemoveIdentity(tokenSecretCacheID(token.SecretID))
+ a.srv.ACLResolver.cache.RemoveIdentity(tokenSecretCacheID(token.SecretID))
 // Don't check expiration times here as it doesn't really matter.
 if _, updatedToken, err := a.srv.fsm.State().ACLTokenGetByAccessor(nil, token.AccessorID, nil); err == nil && updatedToken != nil {
@@ -876,7 +876,7 @@ func (a *ACL) TokenDelete(args *structs.ACLTokenDeleteRequest, reply *string) er
 }
 // Purge the identity from the cache to prevent using the previous definition of the identity
- a.srv.acls.cache.RemoveIdentity(tokenSecretCacheID(token.SecretID))
+ a.srv.ACLResolver.cache.RemoveIdentity(tokenSecretCacheID(token.SecretID))
 if reply != nil {
 *reply = token.AccessorID
@@ -1198,7 +1198,7 @@ func (a *ACL) PolicySet(args *structs.ACLPolicySetRequest, reply *structs.ACLPol
 }
 // Remove from the cache to prevent stale cache usage
- a.srv.acls.cache.RemovePolicy(policy.ID)
+ a.srv.ACLResolver.cache.RemovePolicy(policy.ID)
 if _, policy, err := a.srv.fsm.State().ACLPolicyGetByID(nil, policy.ID, &policy.EnterpriseMeta); err == nil && policy != nil {
 *reply = *policy
@@ -1257,7 +1257,7 @@ func (a *ACL) PolicyDelete(args *structs.ACLPolicyDeleteRequest, reply *string)
 return fmt.Errorf("Failed to apply policy delete request: %v", err)
 }
- a.srv.acls.cache.RemovePolicy(policy.ID)
+ a.srv.ACLResolver.cache.RemovePolicy(policy.ID)
 *reply = policy.Name
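Review bot: The tokenSetInternal, TokenDelete, PolicySet and PolicyDelete hunks here (and likewise RoleSet, RoleDelete, Logout, the acl_token_exp.go reaper and leader.go initializeACLs) reach through the embedded pointer into the resolver's unexported cache, e.g. `a.srv.ACLResolver.cache.RemoveIdentity(tokenSecretCacheID(token.SecretID))`, so the cache and the `tokenSecretCacheID` key derivation are spread across seven call sites instead of living with the resolver that owns them. These purges are what stop a deleted or rewritten token from being honored until its cache entry expires, so a missed or mis-keyed purge at any one site is an authorization bug; a small resolver method such as `func (r *ACLResolver) RemoveIdentityFromCache(secretID string) { r.cache.RemoveIdentity(tokenSecretCacheID(secretID)) }` (with siblings for policies and roles) would keep that logic in one place and fit the direction of this commit. Every enclosing function in these hunks starts and ends outside the hunk.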
@@ -1318,12 +1318,12 @@ func (a *ACL) PolicyResolve(args *structs.ACLPolicyBatchGetRequest, reply *struc
 }
 // get full list of policies for this token
- identity, policies, err := a.srv.acls.resolveTokenToIdentityAndPolicies(args.Token)
+ identity, policies, err := a.srv.ACLResolver.resolveTokenToIdentityAndPolicies(args.Token)
 if err != nil {
 return err
 }
- entIdentity, entPolicies, err := a.srv.acls.resolveEnterpriseIdentityAndPolicies(identity)
+ entIdentity, entPolicies, err := a.srv.ACLResolver.resolveEnterpriseIdentityAndPolicies(identity)
 if err != nil {
 return err
 }
@@ -1609,7 +1609,7 @@ func (a *ACL) RoleSet(args *structs.ACLRoleSetRequest, reply *structs.ACLRole) e
 }
 // Remove from the cache to prevent stale cache usage
- a.srv.acls.cache.RemoveRole(role.ID)
+ a.srv.ACLResolver.cache.RemoveRole(role.ID)
 if _, role, err := a.srv.fsm.State().ACLRoleGetByID(nil, role.ID, &role.EnterpriseMeta); err == nil && role != nil {
 *reply = *role
@@ -1664,7 +1664,7 @@ func (a *ACL) RoleDelete(args *structs.ACLRoleDeleteRequest, reply *string) erro
 return fmt.Errorf("Failed to apply role delete request: %v", err)
 }
- a.srv.acls.cache.RemoveRole(role.ID)
+ a.srv.ACLResolver.cache.RemoveRole(role.ID)
 *reply = role.Name
@@ -1719,12 +1719,12 @@ func (a *ACL) RoleResolve(args *structs.ACLRoleBatchGetRequest, reply *structs.A
 }
 // get full list of roles for this token
- identity, roles, err := a.srv.acls.resolveTokenToIdentityAndRoles(args.Token)
+ identity, roles, err := a.srv.ACLResolver.resolveTokenToIdentityAndRoles(args.Token)
 if err != nil {
 return err
 }
- entIdentity, entRoles, err := a.srv.acls.resolveEnterpriseIdentityAndRoles(identity)
+ entIdentity, entRoles, err := a.srv.ACLResolver.resolveEnterpriseIdentityAndRoles(identity)
 if err != nil {
 return err
 }
@@ -2481,7 +2481,7 @@ func (a *ACL) Logout(args *structs.ACLLogoutRequest, reply *bool) error {
 }
 // Purge the identity from the cache to prevent using the previous definition of the identity
- a.srv.acls.cache.RemoveIdentity(tokenSecretCacheID(token.SecretID))
+ a.srv.ACLResolver.cache.RemoveIdentity(tokenSecretCacheID(token.SecretID))
 *reply = true
diff --git a/agent/consul/acl_server.go b/agent/consul/acl_server.go
index f16b1cc86..28c83ab11 100644
--- a/agent/consul/acl_server.go
+++ b/agent/consul/acl_server.go
@@ -160,7 +160,7 @@ func (s *Server) ResolveRoleFromID(roleID string) (bool, *structs.ACLRole, error
 }
 func (s *Server) ResolveToken(token string) (acl.Authorizer, error) {
- _, authz, err := s.acls.ResolveTokenToIdentityAndAuthorizer(token)
+ _, authz, err := s.ACLResolver.ResolveTokenToIdentityAndAuthorizer(token)
 return authz, err
 }
@@ -168,12 +168,12 @@ func (s *Server) ResolveTokenToIdentity(token string) (structs.ACLIdentity, erro
 // not using ResolveTokenToIdentityAndAuthorizer because in this case we don't
 // need to resolve the roles, policies and namespace but just want the identity
 // information such as accessor id.
- return s.acls.ResolveTokenToIdentity(token)
+ return s.ACLResolver.ResolveTokenToIdentity(token)
 }
 // TODO: Client has an identical implementation, remove duplication
 func (s *Server) ResolveTokenAndDefaultMeta(token string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (acl.Authorizer, error) {
- identity, authz, err := s.acls.ResolveTokenToIdentityAndAuthorizer(token)
+ identity, authz, err := s.ACLResolver.ResolveTokenToIdentityAndAuthorizer(token)
 if err != nil {
 return nil, err
 }
@@ -197,9 +197,9 @@ func (s *Server) ResolveTokenAndDefaultMeta(token string, entMeta *structs.Enter
 }
 func (s *Server) filterACL(token string, subj interface{}) error {
- return filterACL(s.acls, token, subj)
+ return filterACL(s.ACLResolver, token, subj)
 }
 func (s *Server) filterACLWithAuthorizer(authorizer acl.Authorizer, subj interface{}) {
- filterACLWithAuthorizer(s.acls.logger, authorizer, subj)
+ filterACLWithAuthorizer(s.ACLResolver.logger, authorizer, subj)
 }
diff --git a/agent/consul/acl_test.go b/agent/consul/acl_test.go
index d45b1e197..2d4f7dc5e 100644
--- a/agent/consul/acl_test.go
+++ b/agent/consul/acl_test.go
@@ -4065,7 +4065,7 @@ func TestACLResolver_ResolveTokenToIdentityAndAuthorizer_UpdatesPurgeTheCache(t
 require.NoError(t, err)
 runStep(t, "first resolve", func(t *testing.T) {
- _, authz, err := srv.acls.ResolveTokenToIdentityAndAuthorizer(token)
+ _, authz, err := srv.ACLResolver.ResolveTokenToIdentityAndAuthorizer(token)
 require.NoError(t, err)
 require.NotNil(t, authz)
 require.Equal(t, acl.Allow, authz.KeyRead("foo", nil))
@@ -4084,7 +4084,7 @@ func TestACLResolver_ResolveTokenToIdentityAndAuthorizer_UpdatesPurgeTheCache(t
 err := msgpackrpc.CallWithCodec(codec, "ACL.PolicySet", &reqPolicy, &structs.ACLPolicy{})
 require.NoError(t, err)
- _, authz, err := srv.acls.ResolveTokenToIdentityAndAuthorizer(token)
+ _, authz, err := srv.ACLResolver.ResolveTokenToIdentityAndAuthorizer(token)
 require.NoError(t, err)
 require.NotNil(t, authz)
 require.Equal(t, acl.Deny, authz.KeyRead("foo", nil))
@@ -4100,7 +4100,7 @@ func TestACLResolver_ResolveTokenToIdentityAndAuthorizer_UpdatesPurgeTheCache(t
 err := msgpackrpc.CallWithCodec(codec, "ACL.TokenDelete", &req, &resp)
 require.NoError(t, err)
- _, _, err = srv.acls.ResolveTokenToIdentityAndAuthorizer(token)
+ _, _, err = srv.ACLResolver.ResolveTokenToIdentityAndAuthorizer(token)
 require.True(t, acl.IsErrNotFound(err), "Error %v is not acl.ErrNotFound", err)
 })
 }
diff --git a/agent/consul/acl_token_exp.go b/agent/consul/acl_token_exp.go
index a4dfa180f..370d140ef 100644
--- a/agent/consul/acl_token_exp.go
+++ b/agent/consul/acl_token_exp.go
@@ -107,7 +107,7 @@ func (s *Server) reapExpiredACLTokens(local, global bool) (int, error) {
 // Purge the identities from the cache
 for _, secretID := range secretIDs {
- s.acls.cache.RemoveIdentity(tokenSecretCacheID(secretID))
+ s.ACLResolver.cache.RemoveIdentity(tokenSecretCacheID(secretID))
 }
 return len(req.TokenIDs), nil
diff --git a/agent/consul/client.go b/agent/consul/client.go
index 999f98663..d83a1c3c1 100644
--- a/agent/consul/client.go
+++ b/agent/consul/client.go
@@ -56,7 +56,7 @@ type Client struct {
 config *Config
 // acls is used to resolve tokens to effective policies
- acls *ACLResolver
+ *ACLResolver
 // Connection pool to consul servers
 connPool *pool.ConnPool
@@ -127,7 +127,7 @@ func NewClient(config *Config, deps Deps) (*Client, error) {
 Tokens: deps.Tokens,
 }
 var err error
- if c.acls, err = NewACLResolver(&aclConfig); err != nil {
+ if c.ACLResolver, err = NewACLResolver(&aclConfig); err != nil {
 c.Shutdown()
 return nil, fmt.Errorf("Failed to create ACL resolver: %v", err)
 }
@@ -172,7 +172,7 @@ func (c *Client) Shutdown() error {
 // Close the connection pool
 c.connPool.Shutdown()
- c.acls.Close()
+ c.ACLResolver.Close()
 return nil
 }
diff --git a/agent/consul/intention_endpoint.go b/agent/consul/intention_endpoint.go
index 862637de5..814d1590a 100644
--- a/agent/consul/intention_endpoint.go
+++ b/agent/consul/intention_endpoint.go
@@ -100,7 +100,7 @@ func (s *Intention) Apply(args *structs.IntentionRequest, reply *string) error {
 }
 // Get the ACL token for the request for the checks below.
- identity, authz, err := s.srv.acls.ResolveTokenToIdentityAndAuthorizer(args.Token)
+ identity, authz, err := s.srv.ACLResolver.ResolveTokenToIdentityAndAuthorizer(args.Token)
 if err != nil {
 return err
 }
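Review bot: `Client.Shutdown` in the third client.go hunk still calls `c.ACLResolver.Close()` with no nil check, while the `NewClient` hunk just above it calls `c.Shutdown()` on the error path of `NewACLResolver`, where `c.ACLResolver` is presumably nil; `Server.Shutdown` in server.go guards the identical call with `if s.ACLResolver != nil`. Unless `Close` is known to tolerate a nil receiver, the client should match the server: `if c.ACLResolver != nil { c.ACLResolver.Close() }`. Separately, the comment kept above the new embedded field in the `Client` struct hunk, `// acls is used to resolve tokens to effective policies`, names a field that no longer exists; `// ACLResolver is embedded so the Client can resolve tokens to effective policies.` would match the code, and the same stale comment survives in the `Server` struct hunk in server.go.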
diff --git a/agent/consul/internal_endpoint.go b/agent/consul/internal_endpoint.go
index 14fbc4be4..dea21cfc6 100644
--- a/agent/consul/internal_endpoint.go
+++ b/agent/consul/internal_endpoint.go
@@ -433,7 +433,7 @@ func (m *Internal) KeyringOperation(
 }
 // Check ACLs
- identity, authz, err := m.srv.acls.ResolveTokenToIdentityAndAuthorizer(args.Token)
+ identity, authz, err := m.srv.ACLResolver.ResolveTokenToIdentityAndAuthorizer(args.Token)
 if err != nil {
 return err
 }
diff --git a/agent/consul/leader.go b/agent/consul/leader.go
index 1b55767b1..d8bf099d0 100644
--- a/agent/consul/leader.go
+++ b/agent/consul/leader.go
@@ -363,7 +363,7 @@ func (s *Server) initializeACLs(ctx context.Context) error {
 // Purge the cache, since it could've changed while we were not the
 // leader.
- s.acls.cache.Purge()
+ s.ACLResolver.cache.Purge()
 // Purge the auth method validators since they could've changed while we
 // were not leader.
diff --git a/agent/consul/operator_autopilot_endpoint.go b/agent/consul/operator_autopilot_endpoint.go
index 9430b30de..d600df83c 100644
--- a/agent/consul/operator_autopilot_endpoint.go
+++ b/agent/consul/operator_autopilot_endpoint.go
@@ -17,7 +17,7 @@ func (op *Operator) AutopilotGetConfiguration(args *structs.DCSpecificRequest, r
 }
 // This action requires operator read access.
- identity, authz, err := op.srv.acls.ResolveTokenToIdentityAndAuthorizer(args.Token)
+ identity, authz, err := op.srv.ACLResolver.ResolveTokenToIdentityAndAuthorizer(args.Token)
 if err != nil {
 return err
 }
@@ -49,7 +49,7 @@ func (op *Operator) AutopilotSetConfiguration(args *structs.AutopilotSetConfigRe
 }
 // This action requires operator write access.
- identity, authz, err := op.srv.acls.ResolveTokenToIdentityAndAuthorizer(args.Token)
+ identity, authz, err := op.srv.ACLResolver.ResolveTokenToIdentityAndAuthorizer(args.Token)
 if err != nil {
 return err
 }
@@ -84,7 +84,7 @@ func (op *Operator) ServerHealth(args *structs.DCSpecificRequest, reply *structs
 }
 // This action requires operator read access.
- identity, authz, err := op.srv.acls.ResolveTokenToIdentityAndAuthorizer(args.Token)
+ identity, authz, err := op.srv.ACLResolver.ResolveTokenToIdentityAndAuthorizer(args.Token)
 if err != nil {
 return err
 }
@@ -151,7 +151,7 @@ func (op *Operator) AutopilotState(args *structs.DCSpecificRequest, reply *autop
 }
 // This action requires operator read access.
- identity, authz, err := op.srv.acls.ResolveTokenToIdentityAndAuthorizer(args.Token)
+ identity, authz, err := op.srv.ACLResolver.ResolveTokenToIdentityAndAuthorizer(args.Token)
 if err != nil {
 return err
 }
diff --git a/agent/consul/operator_raft_endpoint.go b/agent/consul/operator_raft_endpoint.go
index 4cf38185a..72ae5b195 100644
--- a/agent/consul/operator_raft_endpoint.go
+++ b/agent/consul/operator_raft_endpoint.go
@@ -81,7 +81,7 @@ func (op *Operator) RaftRemovePeerByAddress(args *structs.RaftRemovePeerRequest,
 // This is a super dangerous operation that requires operator write
 // access.
- identity, authz, err := op.srv.acls.ResolveTokenToIdentityAndAuthorizer(args.Token)
+ identity, authz, err := op.srv.ACLResolver.ResolveTokenToIdentityAndAuthorizer(args.Token)
 if err != nil {
 return err
 }
@@ -134,7 +134,7 @@ func (op *Operator) RaftRemovePeerByID(args *structs.RaftRemovePeerRequest, repl
 // This is a super dangerous operation that requires operator write
 // access.
- identity, authz, err := op.srv.acls.ResolveTokenToIdentityAndAuthorizer(args.Token)
+ identity, authz, err := op.srv.ACLResolver.ResolveTokenToIdentityAndAuthorizer(args.Token)
 if err != nil {
 return err
 }
diff --git a/agent/consul/server.go b/agent/consul/server.go
index e076af721..851e1745b 100644
--- a/agent/consul/server.go
+++ b/agent/consul/server.go
@@ -141,7 +141,7 @@ type Server struct {
 aclConfig *acl.Config
 // acls is used to resolve tokens to effective policies
- acls *ACLResolver
+ *ACLResolver
 aclAuthMethodValidators authmethod.Cache
@@ -457,7 +457,7 @@ func NewServer(config *Config, flat Deps) (*Server, error) {
 Tokens: flat.Tokens,
 }
 // Initialize the ACL resolver.
- if s.acls, err = NewACLResolver(&aclConfig); err != nil {
+ if s.ACLResolver, err = NewACLResolver(&aclConfig); err != nil {
 s.Shutdown()
 return nil, fmt.Errorf("Failed to create ACL resolver: %v", err)
 }
@@ -994,8 +994,8 @@ func (s *Server) Shutdown() error {
 s.connPool.Shutdown()
 }
- if s.acls != nil {
- s.acls.Close()
+ if s.ACLResolver != nil {
+ s.ACLResolver.Close()
 }
 if s.fsm != nil {
diff --git a/agent/consul/server_serf.go b/agent/consul/server_serf.go
index 44c3f857a..ff1b1e406 100644
--- a/agent/consul/server_serf.go
+++ b/agent/consul/server_serf.go
@@ -121,7 +121,7 @@ func (s *Server) setupSerfConfig(opts setupSerfOptions) (*serf.Config, error) {
 // TODO(ACL-Legacy-Compat): remove in phase 2. These are kept for now to
 // allow for upgrades.
- if s.acls.ACLsEnabled() {
+ if s.ACLResolver.ACLsEnabled() {
 conf.Tags[metadata.TagACLs] = string(structs.ACLModeEnabled)
 } else {
 conf.Tags[metadata.TagACLs] = string(structs.ACLModeDisabled)
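Review bot: Replacing the unexported `acls` field with an embedded `*ACLResolver` in the `Server` struct hunk promotes every exported method of the resolver onto `*Server` (and, via the client.go hunk, onto `*Client`), so `Close`, `ACLsEnabled` and `ResolveTokenToIdentityAndAuthorizer` now become part of the server's exported surface, and the exported `ACLResolver` field lets code outside the package call the resolver directly rather than through wrappers such as `ResolveTokenAndDefaultMeta` in acl_server.go. Where `Server` already defines a method of the same name, as `ResolveTokenToIdentity` in the acl_server.go hunk does, the server's own method wins silently over the promoted one, which is presumably the intended stepping stone to removing the duplicates but is easy to miss when reading the struct. A comment on the embedded field in both structs would make that contract explicit: `// ACLResolver is embedded so its token-resolution methods are promoted onto Server; methods declared on Server with the same name take precedence.`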