acl: recouple acl filtering from ACLResolver

ACL filtering only needs an authorizer and a logger. We can decouple filtering from
the ACLResolver by passing in the necessary logger.

This change is being made in preparation for moving the ACLResolver into an acl package

agent/consul/acl.go

@@ -1928,12 +1928,11 @@ func (f *aclFilter) filterGatewayServices(mappings *structs.GatewayServices) {
 	*mappings = ret
 }
 
-func (r *ACLResolver) filterACLWithAuthorizer(authorizer acl.Authorizer, subj interface{}) {
+func filterACLWithAuthorizer(logger hclog.Logger, authorizer acl.Authorizer, subj interface{}) {
 	if authorizer == nil {
 		return
 	}
-	// Create the filter
-	filt := newACLFilter(authorizer, r.logger)
+	filt := newACLFilter(authorizer, logger)
 
 	switch v := subj.(type) {
 	case *structs.CheckServiceNodes:
@@ -2030,14 +2029,15 @@ func (r *ACLResolver) filterACLWithAuthorizer(authorizer acl.Authorizer, subj in
 	}
 }
 
-// filterACL is used to filter results from our service catalog based on the
-// rules configured for the provided token.
-func (r *ACLResolver) filterACL(token string, subj interface{}) error {
+// filterACL uses the ACLResolver to resolve the token in an acl.Authorizer,
+// then uses the acl.Authorizer to filter subj. Any entities in subj that are
+// not authorized for read access will be removed from subj.
+func filterACL(r *ACLResolver, token string, subj interface{}) error {
 	// Get the ACL from the token
 	_, authorizer, err := r.ResolveTokenToIdentityAndAuthorizer(token)
 	if err != nil {
 		return err
 	}
-	r.filterACLWithAuthorizer(authorizer, subj)
+	filterACLWithAuthorizer(r.logger, authorizer, subj)
 	return nil
 }

agent/consul/acl_server.go

@@ -268,9 +268,9 @@ func (s *Server) ResolveTokenAndDefaultMeta(token string, entMeta *structs.Enter
 }
 
 func (s *Server) filterACL(token string, subj interface{}) error {
-	return s.acls.filterACL(token, subj)
+	return filterACL(s.acls, token, subj)
 }
 
 func (s *Server) filterACLWithAuthorizer(authorizer acl.Authorizer, subj interface{}) {
-	s.acls.filterACLWithAuthorizer(authorizer, subj)
+	filterACLWithAuthorizer(s.acls.logger, authorizer, subj)
 }

agent/consul/acl_test.go

@@ -3276,7 +3276,7 @@ func TestACL_redactPreparedQueryTokens(t *testing.T) {
 	}
 }
 
-func TestACL_redactTokenSecret(t *testing.T) {
+func TestFilterACL_redactTokenSecret(t *testing.T) {
 	t.Parallel()
 	delegate := &ACLResolverTestDelegate{
 		enabled:       true,
@@ -3293,16 +3293,16 @@ func TestACL_redactTokenSecret(t *testing.T) {
 		SecretID:   "6a5e25b3-28f2-4085-9012-c3fb754314d1",
 	}
 
-	err := r.filterACL("acl-wr", &token)
+	err := filterACL(r, "acl-wr", &token)
 	require.NoError(t, err)
 	require.Equal(t, "6a5e25b3-28f2-4085-9012-c3fb754314d1", token.SecretID)
 
-	err = r.filterACL("acl-ro", &token)
+	err = filterACL(r, "acl-ro", &token)
 	require.NoError(t, err)
 	require.Equal(t, redactedToken, token.SecretID)
 }
 
-func TestACL_redactTokenSecrets(t *testing.T) {
+func TestFilterACL_redactTokenSecrets(t *testing.T) {
 	t.Parallel()
 	delegate := &ACLResolverTestDelegate{
 		enabled:       true,
@@ -3321,11 +3321,11 @@ func TestACL_redactTokenSecrets(t *testing.T) {
 		},
 	}
 
-	err := r.filterACL("acl-wr", &tokens)
+	err := filterACL(r, "acl-wr", &tokens)
 	require.NoError(t, err)
 	require.Equal(t, "6a5e25b3-28f2-4085-9012-c3fb754314d1", tokens[0].SecretID)
 
-	err = r.filterACL("acl-ro", &tokens)
+	err = filterACL(r, "acl-ro", &tokens)
 	require.NoError(t, err)
 	require.Equal(t, redactedToken, tokens[0].SecretID)
 }