acl: remove legacy arg to store.ACLTokenSet

And remove the tests for legacy=true
This commit is contained in:
Daniel Nephin 2021-09-29 18:30:37 -04:00
parent b31a7fc498
commit 88c6aeea34
4 changed files with 47 additions and 140 deletions

View File

@ -411,18 +411,10 @@ func fixupRolePolicyLinks(tx ReadTxn, original *structs.ACLRole) (*structs.ACLRo
return role, nil
}
// ACLTokenSet is used to insert an ACL rule into the state store.
// Deprecated (ACL-Legacy-Compat)
func (s *Store) ACLTokenSet(idx uint64, token *structs.ACLToken, legacy bool) error {
tx := s.db.WriteTxn(idx)
defer tx.Abort()
// Call set on the ACL
if err := aclTokenSetTxn(tx, idx, token, ACLTokenSetOptions{Legacy: legacy}); err != nil {
return err
}
return tx.Commit()
// ACLTokenSet is used in many tests to set a single ACL token. It is now a shim
// for calling ACLTokenBatchSet with default options.
func (s *Store) ACLTokenSet(idx uint64, token *structs.ACLToken) error {
return s.ACLTokenBatchSet(idx, structs.ACLTokens{token}, ACLTokenSetOptions{})
}
type ACLTokenSetOptions struct {

View File

@ -46,7 +46,7 @@ func setupAnonymous(t *testing.T, s *Store) {
Description: "Anonymous Token",
}
token.SetHash(true)
require.NoError(t, s.ACLTokenSet(1, &token, false))
require.NoError(t, s.ACLTokenSet(1, &token))
}
func testACLStateStore(t *testing.T) *Store {
@ -238,103 +238,6 @@ func TestStateStore_ACLBootstrap(t *testing.T) {
require.Len(t, tokens, 2)
}
func TestStateStore_ACLToken_SetGet_Legacy(t *testing.T) {
t.Parallel()
t.Run("Legacy - Existing With Policies", func(t *testing.T) {
t.Parallel()
s := testACLTokensStateStore(t)
token := &structs.ACLToken{
AccessorID: "c8d0378c-566a-4535-8fc9-c883a8cc9849",
SecretID: "6d48ce91-2558-4098-bdab-8737e4e57d5f",
Policies: []structs.ACLTokenPolicyLink{
{
ID: testPolicyID_A,
},
},
}
require.NoError(t, s.ACLTokenSet(2, token.Clone(), false))
// legacy flag is set so it should disallow setting this token
err := s.ACLTokenSet(3, token.Clone(), true)
require.Error(t, err)
})
t.Run("Legacy - Empty Type", func(t *testing.T) {
t.Parallel()
s := testACLTokensStateStore(t)
token := &structs.ACLToken{
AccessorID: "271cd056-0038-4fd3-90e5-f97f50fb3ac8",
SecretID: "c0056225-5785-43b3-9b77-3954f06d6aee",
}
require.NoError(t, s.ACLTokenSet(2, token.Clone(), false))
// legacy flag is set so it should disallow setting this token
err := s.ACLTokenSet(3, token.Clone(), true)
require.Error(t, err)
})
t.Run("Legacy - New", func(t *testing.T) {
t.Parallel()
s := testACLTokensStateStore(t)
token := &structs.ACLToken{
SecretID: "2989e271-6169-4f34-8fec-4618d70008fb",
Type: structs.ACLTokenTypeClient,
Rules: `service "" { policy = "read" }`,
}
require.NoError(t, s.ACLTokenSet(2, token.Clone(), true))
idx, rtoken, err := s.ACLTokenGetBySecret(nil, token.SecretID, nil)
require.NoError(t, err)
require.Equal(t, uint64(2), idx)
require.NotNil(t, rtoken)
require.Equal(t, "", rtoken.AccessorID)
require.Equal(t, "2989e271-6169-4f34-8fec-4618d70008fb", rtoken.SecretID)
require.Equal(t, "", rtoken.Description)
require.Len(t, rtoken.Policies, 0)
require.Equal(t, structs.ACLTokenTypeClient, rtoken.Type)
require.Equal(t, uint64(2), rtoken.CreateIndex)
require.Equal(t, uint64(2), rtoken.ModifyIndex)
})
t.Run("Legacy - Update", func(t *testing.T) {
t.Parallel()
s := testACLTokensStateStore(t)
original := &structs.ACLToken{
SecretID: "2989e271-6169-4f34-8fec-4618d70008fb",
Type: structs.ACLTokenTypeClient,
Rules: `service "" { policy = "read" }`,
}
require.NoError(t, s.ACLTokenSet(2, original.Clone(), true))
updatedRules := `service "" { policy = "read" } service "foo" { policy = "deny"}`
update := &structs.ACLToken{
SecretID: "2989e271-6169-4f34-8fec-4618d70008fb",
Type: structs.ACLTokenTypeClient,
Rules: updatedRules,
}
require.NoError(t, s.ACLTokenSet(3, update.Clone(), true))
idx, rtoken, err := s.ACLTokenGetBySecret(nil, original.SecretID, nil)
require.NoError(t, err)
require.Equal(t, uint64(3), idx)
require.NotNil(t, rtoken)
require.Equal(t, "", rtoken.AccessorID)
require.Equal(t, "2989e271-6169-4f34-8fec-4618d70008fb", rtoken.SecretID)
require.Equal(t, "", rtoken.Description)
require.Len(t, rtoken.Policies, 0)
require.Equal(t, structs.ACLTokenTypeClient, rtoken.Type)
require.Equal(t, updatedRules, rtoken.Rules)
require.Equal(t, uint64(2), rtoken.CreateIndex)
require.Equal(t, uint64(3), rtoken.ModifyIndex)
})
}
func TestStateStore_ACLToken_SetGet(t *testing.T) {
t.Parallel()
t.Run("Missing Secret", func(t *testing.T) {
@ -344,7 +247,7 @@ func TestStateStore_ACLToken_SetGet(t *testing.T) {
AccessorID: "39171632-6f34-4411-827f-9416403687f4",
}
err := s.ACLTokenSet(2, token.Clone(), false)
err := s.ACLTokenSet(2, token.Clone())
require.Error(t, err)
require.Equal(t, ErrMissingACLTokenSecret, err)
})
@ -356,7 +259,7 @@ func TestStateStore_ACLToken_SetGet(t *testing.T) {
SecretID: "39171632-6f34-4411-827f-9416403687f4",
}
err := s.ACLTokenSet(2, token.Clone(), false)
err := s.ACLTokenSet(2, token.Clone())
require.Error(t, err)
require.Equal(t, ErrMissingACLTokenAccessor, err)
})
@ -372,7 +275,7 @@ func TestStateStore_ACLToken_SetGet(t *testing.T) {
},
}
err := s.ACLTokenSet(2, token, false)
err := s.ACLTokenSet(2, token)
require.Error(t, err)
})
@ -389,7 +292,7 @@ func TestStateStore_ACLToken_SetGet(t *testing.T) {
},
}
err := s.ACLTokenSet(2, token, false)
err := s.ACLTokenSet(2, token)
require.Error(t, err)
})
@ -406,7 +309,7 @@ func TestStateStore_ACLToken_SetGet(t *testing.T) {
},
}
err := s.ACLTokenSet(2, token.Clone(), false)
err := s.ACLTokenSet(2, token.Clone())
require.Error(t, err)
})
@ -423,7 +326,7 @@ func TestStateStore_ACLToken_SetGet(t *testing.T) {
},
}
err := s.ACLTokenSet(2, token, false)
err := s.ACLTokenSet(2, token)
require.Error(t, err)
})
@ -440,7 +343,7 @@ func TestStateStore_ACLToken_SetGet(t *testing.T) {
},
}
err := s.ACLTokenSet(2, token.Clone(), false)
err := s.ACLTokenSet(2, token.Clone())
require.Error(t, err)
})
@ -457,7 +360,7 @@ func TestStateStore_ACLToken_SetGet(t *testing.T) {
},
}
err := s.ACLTokenSet(2, token, false)
err := s.ACLTokenSet(2, token)
require.Error(t, err)
})
@ -470,7 +373,7 @@ func TestStateStore_ACLToken_SetGet(t *testing.T) {
AuthMethod: "test",
}
err := s.ACLTokenSet(2, token, false)
err := s.ACLTokenSet(2, token)
require.Error(t, err)
})
@ -497,7 +400,7 @@ func TestStateStore_ACLToken_SetGet(t *testing.T) {
},
}
require.NoError(t, s.ACLTokenSet(2, token.Clone(), false))
require.NoError(t, s.ACLTokenSet(2, token.Clone()))
idx, rtoken, err := s.ACLTokenGetByAccessor(nil, "daf37c07-d04d-4fd5-9678-a8206a57d61a", nil)
require.NoError(t, err)
@ -532,7 +435,7 @@ func TestStateStore_ACLToken_SetGet(t *testing.T) {
},
}
require.NoError(t, s.ACLTokenSet(2, token.Clone(), false))
require.NoError(t, s.ACLTokenSet(2, token.Clone()))
updated := &structs.ACLToken{
AccessorID: "daf37c07-d04d-4fd5-9678-a8206a57d61a",
@ -554,7 +457,7 @@ func TestStateStore_ACLToken_SetGet(t *testing.T) {
},
}
require.NoError(t, s.ACLTokenSet(3, updated.Clone(), false))
require.NoError(t, s.ACLTokenSet(3, updated.Clone()))
idx, rtoken, err := s.ACLTokenGetByAccessor(nil, "daf37c07-d04d-4fd5-9678-a8206a57d61a", nil)
require.NoError(t, err)
@ -588,7 +491,7 @@ func TestStateStore_ACLToken_SetGet(t *testing.T) {
},
}
require.NoError(t, s.ACLTokenSet(2, token.Clone(), false))
require.NoError(t, s.ACLTokenSet(2, token.Clone()))
idx, rtoken, err := s.ACLTokenGetByAccessor(nil, "daf37c07-d04d-4fd5-9678-a8206a57d61a", nil)
require.NoError(t, err)
@ -873,30 +776,42 @@ func TestStateStore_ACLTokens_ListUpgradeable(t *testing.T) {
t.Parallel()
s := testACLTokensStateStore(t)
require.NoError(t, s.ACLTokenSet(2, &structs.ACLToken{
aclTokenSetLegacy := func(idx uint64, token *structs.ACLToken) error {
tx := s.db.WriteTxn(idx)
defer tx.Abort()
opts := ACLTokenSetOptions{Legacy: true}
if err := aclTokenSetTxn(tx, idx, token, opts); err != nil {
return err
}
return tx.Commit()
}
require.NoError(t, aclTokenSetLegacy(2, &structs.ACLToken{
SecretID: "34ec8eb3-095d-417a-a937-b439af7a8e8b",
Type: structs.ACLTokenTypeManagement,
}, true))
}))
require.NoError(t, s.ACLTokenSet(3, &structs.ACLToken{
require.NoError(t, aclTokenSetLegacy(3, &structs.ACLToken{
SecretID: "8de2dd39-134d-4cb1-950b-b7ab96ea20ba",
Type: structs.ACLTokenTypeManagement,
}, true))
}))
require.NoError(t, s.ACLTokenSet(4, &structs.ACLToken{
require.NoError(t, aclTokenSetLegacy(4, &structs.ACLToken{
SecretID: "548bdb8e-c0d6-477b-bcc4-67fb836e9e61",
Type: structs.ACLTokenTypeManagement,
}, true))
}))
require.NoError(t, s.ACLTokenSet(5, &structs.ACLToken{
require.NoError(t, aclTokenSetLegacy(5, &structs.ACLToken{
SecretID: "3ee33676-d9b8-4144-bf0b-92618cff438b",
Type: structs.ACLTokenTypeManagement,
}, true))
}))
require.NoError(t, s.ACLTokenSet(6, &structs.ACLToken{
require.NoError(t, aclTokenSetLegacy(6, &structs.ACLToken{
SecretID: "fa9d658a-6e26-42ab-a5f0-1ea05c893dee",
Type: structs.ACLTokenTypeManagement,
}, true))
}))
tokens, _, err := s.ACLTokenListUpgradeable(3)
require.NoError(t, err)
@ -1246,7 +1161,7 @@ func TestStateStore_ACLToken_FixupPolicyLinks(t *testing.T) {
},
}
require.NoError(t, s.ACLTokenSet(2, token, false))
require.NoError(t, s.ACLTokenSet(2, token))
_, retrieved, err := s.ACLTokenGetByAccessor(nil, token.AccessorID, nil)
require.NoError(t, err)
@ -1372,7 +1287,7 @@ func TestStateStore_ACLToken_FixupRoleLinks(t *testing.T) {
},
}
require.NoError(t, s.ACLTokenSet(2, token, false))
require.NoError(t, s.ACLTokenSet(2, token))
_, retrieved, err := s.ACLTokenGetByAccessor(nil, token.AccessorID, nil)
require.NoError(t, err)
@ -1498,7 +1413,7 @@ func TestStateStore_ACLToken_Delete(t *testing.T) {
Local: true,
}
require.NoError(t, s.ACLTokenSet(2, token.Clone(), false))
require.NoError(t, s.ACLTokenSet(2, token.Clone()))
_, rtoken, err := s.ACLTokenGetByAccessor(nil, "f1093997-b6c7-496d-bfb8-6b1b1895641b", nil)
require.NoError(t, err)

View File

@ -52,7 +52,7 @@ func TestStore_IntegrationWithEventPublisher_ACLTokenUpdate(t *testing.T) {
SecretID: "72e81982-7a0f-491f-a60e-c9c802ac1402",
}
token2.SetHash(false)
require.NoError(s.ACLTokenSet(3, token2.Clone(), false))
require.NoError(s.ACLTokenSet(3, token2.Clone()))
// Ensure there's no reset event.
assertNoEvent(t, eventCh)
@ -64,7 +64,7 @@ func TestStore_IntegrationWithEventPublisher_ACLTokenUpdate(t *testing.T) {
Description: "something else",
}
token3.SetHash(false)
require.NoError(s.ACLTokenSet(4, token3.Clone(), false))
require.NoError(s.ACLTokenSet(4, token3.Clone()))
// Ensure the reset event was sent.
err = assertErr(t, eventCh)
@ -484,7 +484,7 @@ func createTokenAndWaitForACLEventPublish(t *testing.T, s *Store) *structs.ACLTo
eventCh := testRunSub(sub)
// Create the ACL token to be used in the subscription.
require.NoError(t, s.ACLTokenSet(2, token.Clone(), false))
require.NoError(t, s.ACLTokenSet(2, token.Clone()))
// Wait for the pre-subscription to be reset
assertReset(t, eventCh, true)

View File

@ -857,7 +857,7 @@ node "node1" {
SecretID: token,
Rules: "",
}
require.NoError(t, backend.store.ACLTokenSet(ids.Next("update"), aclToken, false))
require.NoError(t, backend.store.ACLTokenSet(ids.Next("update"), aclToken))
select {
case item := <-chEvents: