acl: add stub hooks to support some plumbing in enterprise (#4951)

2018-11-13 15:35:54 -06:00 · 2018-11-13 15:35:54 -06:00 · 8662a6d260
parent f0d2d12e65
commit 8662a6d260
5 changed files with 65 additions and 1 deletions
--- a/agent/consul/acl_endpoint_legacy.go
+++ b/agent/consul/acl_endpoint_legacy.go
@ -103,6 +103,15 @@ func aclApplyInternal(srv *Server, args *structs.ACLRequest, reply *string) erro
 			return acl.PermissionDeniedError{Cause: "Cannot modify root ACL"}
 		}

+		// Ensure that we allow more permissive rule formats for legacy tokens,
+		// but that we correct them on the way into the system.
+		//
+		// DEPRECATED (ACL-Legacy-Compat)
+		correctedRules := structs.SanitizeLegacyACLTokenRules(args.ACL.Rules)
+		if correctedRules != "" {
+			args.ACL.Rules = correctedRules
+		}
+
 		// Validate the rules compile
 		_, err := acl.NewPolicyFromSource("", 0, args.ACL.Rules, acl.SyntaxLegacy, srv.sentinel)
 		if err != nil {
--- a/agent/consul/fsm/snapshot_oss.go
+++ b/agent/consul/fsm/snapshot_oss.go
@ -541,6 +541,15 @@ func restoreToken(header *snapshotHeader, restore *state.Restore, decoder *codec
 	if err := decoder.Decode(&req); err != nil {
 		return err
 	}
+
+	// DEPRECATED (ACL-Legacy-Compat)
+	if req.Rules != "" {
+		// When we restore a snapshot we may have to correct old HCL in legacy
+		// tokens to prevent the in-memory representation from using an older
+		// syntax.
+		structs.SanitizeLegacyACLToken(&req)
+	}
+
 	return restore.ACLToken(&req)
 }

--- a/agent/consul/state/acl.go
+++ b/agent/consul/state/acl.go
@ -316,6 +316,17 @@ func (s *Store) aclTokenSetTxn(tx *memdb.Txn, idx uint64, token *structs.ACLToke
 		return ErrMissingACLTokenAccessor
 	}

+	// DEPRECATED (ACL-Legacy-Compat)
+	if token.Rules != "" {
+		// When we update a legacy acl token we may have to correct old HCL to
+		// prevent the propagation of older syntax into the state store and
+		// into in-memory representations.
+		correctedRules := structs.SanitizeLegacyACLTokenRules(token.Rules)
+		if correctedRules != "" {
+			token.Rules = correctedRules
+		}
+	}
+
 	// Check for an existing ACL
 	// DEPRECATED (ACL-Legacy-Compat) - transition to using accessor index instead of secret once v1 compat is removed
 	existing, err := tx.First("acl-tokens", "id", token.SecretID)
--- a/agent/structs/acl_legacy.go
+++ b/agent/structs/acl_legacy.go
@ -60,8 +60,18 @@ type ACLs []*ACL

 // Convert does a 1-1 mapping of the ACLCompat structure to its ACLToken
 // equivalent. This will NOT fill in the other ACLToken fields or perform any other
-// upgrade.
+// upgrade (other than correcting an older HCL syntax that is no longer
+// supported).
 func (a *ACL) Convert() *ACLToken {
+	// Ensure that we correct any old HCL in legacy tokens to prevent old
+	// syntax from leaking elsewhere into the system.
+	//
+	// DEPRECATED (ACL-Legacy-Compat)
+	correctedRules := SanitizeLegacyACLTokenRules(a.Rules)
+	if correctedRules != "" {
+		a.Rules = correctedRules
+	}
+
 	return &ACLToken{
 		AccessorID:  "",
 		SecretID:    a.ID,
--- a/agent/structs/sanitize_oss.go
+++ b/agent/structs/sanitize_oss.go
@ -0,0 +1,25 @@
+// +build !ent
+
+package structs
+
+// SanitizeLegacyACLToken does nothing in the OSS builds. It does not mutate
+// the input argument at all.
+//
+// In enterprise builds this hook is necessary to support fixing old multiline
+// HCL strings in legacy token Sentinel policies into heredocs. If the token
+// was updated and previously had a Hash set, this will also update it.
+//
+// DEPRECATED (ACL-Legacy-Compat)
+func SanitizeLegacyACLToken(token *ACLToken) {
+}
+
+// SanitizeLegacyACLTokenRules does nothing in the OSS builds. It always
+// returns an empty string.
+//
+// In enterprise builds this hook is necessary to support fixing any old
+// multiline HCL strings in legacy token Sentinel policies into heredocs.
+//
+// DEPRECATED (ACL-Legacy-Compat)
+func SanitizeLegacyACLTokenRules(rules string) string {
+	return ""
+}