Remove legacy acl policies (#15922)

* remove legacy tokens

* remove legacy acl policies

* flatten test policies to *_prefix

* address oss feedback re: phrasing and tests
This commit is contained in:
skpratt 2023-02-06 09:35:52 -06:00 committed by GitHub
parent 060b7b7084
commit 9e99a30b77
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
43 changed files with 605 additions and 1134 deletions

3
.changelog/15922.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:breaking-change
acl: remove all functionality and references for legacy acl policies.
```

View File

@ -7,31 +7,6 @@ import (
"github.com/stretchr/testify/require"
)
func legacyPolicy(policy *Policy) *Policy {
return &Policy{
PolicyRules: PolicyRules{
Agents: policy.Agents,
AgentPrefixes: policy.Agents,
Nodes: policy.Nodes,
NodePrefixes: policy.Nodes,
Keys: policy.Keys,
KeyPrefixes: policy.Keys,
Services: policy.Services,
ServicePrefixes: policy.Services,
Sessions: policy.Sessions,
SessionPrefixes: policy.Sessions,
Events: policy.Events,
EventPrefixes: policy.Events,
PreparedQueries: policy.PreparedQueries,
PreparedQueryPrefixes: policy.PreparedQueries,
Keyring: policy.Keyring,
Operator: policy.Operator,
Mesh: policy.Mesh,
Peering: policy.Peering,
},
}
}
//
// The following 1 line functions are created to all conform to what
// can be stored in the aclCheck type to make defining ACL tests
@ -561,7 +536,7 @@ func TestACL(t *testing.T) {
name: "AgentBasicDefaultDeny",
defaultPolicy: DenyAll(),
policyStack: []*Policy{
legacyPolicy(&Policy{
{
PolicyRules: PolicyRules{
Agents: []*AgentRule{
{
@ -577,8 +552,22 @@ func TestACL(t *testing.T) {
Policy: PolicyWrite,
},
},
AgentPrefixes: []*AgentRule{
{
Node: "root",
Policy: PolicyRead,
},
{
Node: "root-nope",
Policy: PolicyDeny,
},
{
Node: "root-rw",
Policy: PolicyWrite,
},
},
},
},
}),
},
checks: []aclCheck{
{name: "DefaultReadDenied", prefix: "ro", check: checkDenyAgentRead},
@ -601,7 +590,7 @@ func TestACL(t *testing.T) {
name: "AgentBasicDefaultAllow",
defaultPolicy: AllowAll(),
policyStack: []*Policy{
legacyPolicy(&Policy{
{
PolicyRules: PolicyRules{
Agents: []*AgentRule{
{
@ -617,8 +606,22 @@ func TestACL(t *testing.T) {
Policy: PolicyWrite,
},
},
AgentPrefixes: []*AgentRule{
{
Node: "root",
Policy: PolicyRead,
},
{
Node: "root-nope",
Policy: PolicyDeny,
},
{
Node: "root-rw",
Policy: PolicyWrite,
},
},
},
},
}),
},
checks: []aclCheck{
{name: "DefaultReadDenied", prefix: "ro", check: checkAllowAgentRead},
@ -641,7 +644,7 @@ func TestACL(t *testing.T) {
name: "PreparedQueryDefaultAllow",
defaultPolicy: AllowAll(),
policyStack: []*Policy{
legacyPolicy(&Policy{
{
PolicyRules: PolicyRules{
PreparedQueries: []*PreparedQueryRule{
{
@ -649,8 +652,14 @@ func TestACL(t *testing.T) {
Policy: PolicyDeny,
},
},
PreparedQueryPrefixes: []*PreparedQueryRule{
{
Prefix: "other",
Policy: PolicyDeny,
},
},
},
},
}),
},
checks: []aclCheck{
// in version 1.2.1 and below this would have failed
@ -665,7 +674,7 @@ func TestACL(t *testing.T) {
name: "AgentNestedDefaultDeny",
defaultPolicy: DenyAll(),
policyStack: []*Policy{
legacyPolicy(&Policy{
{
PolicyRules: PolicyRules{
Agents: []*AgentRule{
{
@ -685,9 +694,27 @@ func TestACL(t *testing.T) {
Policy: PolicyDeny,
},
},
AgentPrefixes: []*AgentRule{
{
Node: "root-nope",
Policy: PolicyDeny,
},
}),
legacyPolicy(&Policy{
{
Node: "root-ro",
Policy: PolicyRead,
},
{
Node: "root-rw",
Policy: PolicyWrite,
},
{
Node: "override",
Policy: PolicyDeny,
},
},
},
},
{
PolicyRules: PolicyRules{
Agents: []*AgentRule{
{
@ -707,8 +734,26 @@ func TestACL(t *testing.T) {
Policy: PolicyWrite,
},
},
AgentPrefixes: []*AgentRule{
{
Node: "child-nope",
Policy: PolicyDeny,
},
{
Node: "child-ro",
Policy: PolicyRead,
},
{
Node: "child-rw",
Policy: PolicyWrite,
},
{
Node: "override",
Policy: PolicyWrite,
},
},
},
},
}),
},
checks: []aclCheck{
{name: "DefaultReadDenied", prefix: "nope", check: checkDenyAgentRead},
@ -745,7 +790,7 @@ func TestACL(t *testing.T) {
name: "AgentNestedDefaultAllow",
defaultPolicy: AllowAll(),
policyStack: []*Policy{
legacyPolicy(&Policy{
{
PolicyRules: PolicyRules{
Agents: []*AgentRule{
{
@ -765,9 +810,27 @@ func TestACL(t *testing.T) {
Policy: PolicyDeny,
},
},
AgentPrefixes: []*AgentRule{
{
Node: "root-nope",
Policy: PolicyDeny,
},
}),
legacyPolicy(&Policy{
{
Node: "root-ro",
Policy: PolicyRead,
},
{
Node: "root-rw",
Policy: PolicyWrite,
},
{
Node: "override",
Policy: PolicyDeny,
},
},
},
},
{
PolicyRules: PolicyRules{
Agents: []*AgentRule{
{
@ -787,8 +850,26 @@ func TestACL(t *testing.T) {
Policy: PolicyWrite,
},
},
AgentPrefixes: []*AgentRule{
{
Node: "child-nope",
Policy: PolicyDeny,
},
{
Node: "child-ro",
Policy: PolicyRead,
},
{
Node: "child-rw",
Policy: PolicyWrite,
},
{
Node: "override",
Policy: PolicyWrite,
},
},
},
},
}),
},
checks: []aclCheck{
{name: "DefaultReadAllowed", prefix: "nope", check: checkAllowAgentRead},
@ -1679,7 +1760,7 @@ func TestACL(t *testing.T) {
name: "NodeDefaultDeny",
defaultPolicy: DenyAll(),
policyStack: []*Policy{
legacyPolicy(&Policy{
{
PolicyRules: PolicyRules{
Nodes: []*NodeRule{
{
@ -1699,9 +1780,27 @@ func TestACL(t *testing.T) {
Policy: PolicyDeny,
},
},
NodePrefixes: []*NodeRule{
{
Name: "root-nope",
Policy: PolicyDeny,
},
}),
legacyPolicy(&Policy{
{
Name: "root-ro",
Policy: PolicyRead,
},
{
Name: "root-rw",
Policy: PolicyWrite,
},
{
Name: "override",
Policy: PolicyDeny,
},
},
},
},
{
PolicyRules: PolicyRules{
Nodes: []*NodeRule{
{
@ -1721,8 +1820,26 @@ func TestACL(t *testing.T) {
Policy: PolicyWrite,
},
},
NodePrefixes: []*NodeRule{
{
Name: "child-nope",
Policy: PolicyDeny,
},
{
Name: "child-ro",
Policy: PolicyRead,
},
{
Name: "child-rw",
Policy: PolicyWrite,
},
{
Name: "override",
Policy: PolicyWrite,
},
},
},
},
}),
},
checks: []aclCheck{
{name: "ReadAllDenied", prefix: "", check: checkDenyNodeReadAll},
@ -1760,7 +1877,7 @@ func TestACL(t *testing.T) {
name: "NodeDefaultAllow",
defaultPolicy: AllowAll(),
policyStack: []*Policy{
legacyPolicy(&Policy{
{
PolicyRules: PolicyRules{
Nodes: []*NodeRule{
{
@ -1780,9 +1897,27 @@ func TestACL(t *testing.T) {
Policy: PolicyDeny,
},
},
NodePrefixes: []*NodeRule{
{
Name: "root-nope",
Policy: PolicyDeny,
},
}),
legacyPolicy(&Policy{
{
Name: "root-ro",
Policy: PolicyRead,
},
{
Name: "root-rw",
Policy: PolicyWrite,
},
{
Name: "override",
Policy: PolicyDeny,
},
},
},
},
{
PolicyRules: PolicyRules{
Nodes: []*NodeRule{
{
@ -1802,8 +1937,26 @@ func TestACL(t *testing.T) {
Policy: PolicyWrite,
},
},
NodePrefixes: []*NodeRule{
{
Name: "child-nope",
Policy: PolicyDeny,
},
{
Name: "child-ro",
Policy: PolicyRead,
},
{
Name: "child-rw",
Policy: PolicyWrite,
},
{
Name: "override",
Policy: PolicyWrite,
},
},
},
},
}),
},
checks: []aclCheck{
{name: "ReadAllDenied", prefix: "", check: checkDenyNodeReadAll},
@ -1841,7 +1994,7 @@ func TestACL(t *testing.T) {
name: "SessionDefaultDeny",
defaultPolicy: DenyAll(),
policyStack: []*Policy{
legacyPolicy(&Policy{
{
PolicyRules: PolicyRules{
Sessions: []*SessionRule{
{
@ -1861,9 +2014,27 @@ func TestACL(t *testing.T) {
Policy: PolicyDeny,
},
},
SessionPrefixes: []*SessionRule{
{
Node: "root-nope",
Policy: PolicyDeny,
},
}),
legacyPolicy(&Policy{
{
Node: "root-ro",
Policy: PolicyRead,
},
{
Node: "root-rw",
Policy: PolicyWrite,
},
{
Node: "override",
Policy: PolicyDeny,
},
},
},
},
{
PolicyRules: PolicyRules{
Sessions: []*SessionRule{
{
@ -1883,8 +2054,26 @@ func TestACL(t *testing.T) {
Policy: PolicyWrite,
},
},
SessionPrefixes: []*SessionRule{
{
Node: "child-nope",
Policy: PolicyDeny,
},
{
Node: "child-ro",
Policy: PolicyRead,
},
{
Node: "child-rw",
Policy: PolicyWrite,
},
{
Node: "override",
Policy: PolicyWrite,
},
},
},
},
}),
},
checks: []aclCheck{
{name: "DefaultReadDenied", prefix: "nope", check: checkDenySessionRead},
@ -1921,7 +2110,7 @@ func TestACL(t *testing.T) {
name: "SessionDefaultAllow",
defaultPolicy: AllowAll(),
policyStack: []*Policy{
legacyPolicy(&Policy{
{
PolicyRules: PolicyRules{
Sessions: []*SessionRule{
{
@ -1941,9 +2130,27 @@ func TestACL(t *testing.T) {
Policy: PolicyDeny,
},
},
SessionPrefixes: []*SessionRule{
{
Node: "root-nope",
Policy: PolicyDeny,
},
}),
legacyPolicy(&Policy{
{
Node: "root-ro",
Policy: PolicyRead,
},
{
Node: "root-rw",
Policy: PolicyWrite,
},
{
Node: "override",
Policy: PolicyDeny,
},
},
},
},
{
PolicyRules: PolicyRules{
Sessions: []*SessionRule{
{
@ -1963,8 +2170,26 @@ func TestACL(t *testing.T) {
Policy: PolicyWrite,
},
},
SessionPrefixes: []*SessionRule{
{
Node: "child-nope",
Policy: PolicyDeny,
},
{
Node: "child-ro",
Policy: PolicyRead,
},
{
Node: "child-rw",
Policy: PolicyWrite,
},
{
Node: "override",
Policy: PolicyWrite,
},
},
},
},
}),
},
checks: []aclCheck{
{name: "DefaultReadAllowed", prefix: "nope", check: checkAllowSessionRead},
@ -2001,7 +2226,7 @@ func TestACL(t *testing.T) {
name: "Parent",
defaultPolicy: DenyAll(),
policyStack: []*Policy{
legacyPolicy(&Policy{
{
PolicyRules: PolicyRules{
Keys: []*KeyRule{
{
@ -2013,6 +2238,16 @@ func TestACL(t *testing.T) {
Policy: PolicyRead,
},
},
KeyPrefixes: []*KeyRule{
{
Prefix: "foo/",
Policy: PolicyWrite,
},
{
Prefix: "bar/",
Policy: PolicyRead,
},
},
PreparedQueries: []*PreparedQueryRule{
{
Prefix: "other",
@ -2023,6 +2258,16 @@ func TestACL(t *testing.T) {
Policy: PolicyRead,
},
},
PreparedQueryPrefixes: []*PreparedQueryRule{
{
Prefix: "other",
Policy: PolicyWrite,
},
{
Prefix: "foo",
Policy: PolicyRead,
},
},
Services: []*ServiceRule{
{
Name: "other",
@ -2033,9 +2278,19 @@ func TestACL(t *testing.T) {
Policy: PolicyRead,
},
},
ServicePrefixes: []*ServiceRule{
{
Name: "other",
Policy: PolicyWrite,
},
}),
legacyPolicy(&Policy{
{
Name: "foo",
Policy: PolicyRead,
},
},
},
},
{
PolicyRules: PolicyRules{
Keys: []*KeyRule{
{
@ -2051,20 +2306,46 @@ func TestACL(t *testing.T) {
Policy: PolicyRead,
},
},
KeyPrefixes: []*KeyRule{
{
Prefix: "foo/priv/",
Policy: PolicyRead,
},
{
Prefix: "bar/",
Policy: PolicyDeny,
},
{
Prefix: "zip/",
Policy: PolicyRead,
},
},
PreparedQueries: []*PreparedQueryRule{
{
Prefix: "bar",
Policy: PolicyDeny,
},
},
PreparedQueryPrefixes: []*PreparedQueryRule{
{
Prefix: "bar",
Policy: PolicyDeny,
},
},
Services: []*ServiceRule{
{
Name: "bar",
Policy: PolicyDeny,
},
},
ServicePrefixes: []*ServiceRule{
{
Name: "bar",
Policy: PolicyDeny,
},
},
},
},
}),
},
checks: []aclCheck{
{name: "ServiceReadAllDenied", prefix: "", check: checkDenyServiceReadAll},
@ -2113,7 +2394,7 @@ func TestACL(t *testing.T) {
name: "ComplexDefaultAllow",
defaultPolicy: AllowAll(),
policyStack: []*Policy{
legacyPolicy(&Policy{
{
PolicyRules: PolicyRules{
Events: []*EventRule{
{
@ -2129,6 +2410,20 @@ func TestACL(t *testing.T) {
Policy: PolicyDeny,
},
},
EventPrefixes: []*EventRule{
{
Event: "",
Policy: PolicyRead,
},
{
Event: "foo",
Policy: PolicyWrite,
},
{
Event: "bar",
Policy: PolicyDeny,
},
},
Keys: []*KeyRule{
{
Prefix: "foo/",
@ -2151,6 +2446,28 @@ func TestACL(t *testing.T) {
Policy: PolicyList,
},
},
KeyPrefixes: []*KeyRule{
{
Prefix: "foo/",
Policy: PolicyWrite,
},
{
Prefix: "foo/priv/",
Policy: PolicyDeny,
},
{
Prefix: "bar/",
Policy: PolicyDeny,
},
{
Prefix: "zip/",
Policy: PolicyRead,
},
{
Prefix: "zap/",
Policy: PolicyList,
},
},
PreparedQueries: []*PreparedQueryRule{
{
Prefix: "",
@ -2169,6 +2486,24 @@ func TestACL(t *testing.T) {
Policy: PolicyWrite,
},
},
PreparedQueryPrefixes: []*PreparedQueryRule{
{
Prefix: "",
Policy: PolicyRead,
},
{
Prefix: "foo",
Policy: PolicyWrite,
},
{
Prefix: "bar",
Policy: PolicyDeny,
},
{
Prefix: "zoo",
Policy: PolicyWrite,
},
},
Services: []*ServiceRule{
{
Name: "",
@ -2193,8 +2528,32 @@ func TestACL(t *testing.T) {
Intentions: PolicyDeny,
},
},
ServicePrefixes: []*ServiceRule{
{
Name: "",
Policy: PolicyWrite,
},
{
Name: "foo",
Policy: PolicyRead,
},
{
Name: "bar",
Policy: PolicyDeny,
},
{
Name: "barfoo",
Policy: PolicyWrite,
Intentions: PolicyWrite,
},
{
Name: "intbaz",
Policy: PolicyWrite,
Intentions: PolicyDeny,
},
},
},
},
}),
},
checks: []aclCheck{
{name: "ServiceReadAllDenied", prefix: "", check: checkDenyServiceReadAll},
@ -2905,7 +3264,7 @@ func TestACL_ReadAll(t *testing.T) {
body := func(t *testing.T, rules string, defaultPolicy Authorizer, check func(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext)) {
t.Helper()
policy, err := NewPolicyFromSource(rules, SyntaxCurrent, nil, nil)
policy, err := NewPolicyFromSource(rules, nil, nil)
require.NoError(t, err)
acl, err := NewPolicyAuthorizerWithDefaults(defaultPolicy, []*Policy{policy}, nil)

View File

@ -586,9 +586,8 @@ func Enforce(authz Authorizer, rsc Resource, segment string, access string, ctx
// NewAuthorizerFromRules is a convenience function to invoke NewPolicyFromSource followed by NewPolicyAuthorizer with
// the parse policy.
// TODO(ACL-Legacy-Compat): remove syntax arg after removing SyntaxLegacy
func NewAuthorizerFromRules(rules string, syntax SyntaxVersion, conf *Config, meta *EnterprisePolicyMeta) (Authorizer, error) {
policy, err := NewPolicyFromSource(rules, syntax, conf, meta)
func NewAuthorizerFromRules(rules string, conf *Config, meta *EnterprisePolicyMeta) (Authorizer, error) {
policy, err := NewPolicyFromSource(rules, conf, meta)
if err != nil {
return nil, err
}

View File

@ -1,15 +1,8 @@
package acl
import (
"bytes"
"fmt"
"strconv"
"strings"
"github.com/hashicorp/hcl"
"github.com/hashicorp/hcl/hcl/ast"
hclprinter "github.com/hashicorp/hcl/hcl/printer"
"github.com/hashicorp/hcl/hcl/token"
)
type SyntaxVersion int
@ -297,7 +290,7 @@ func (pr *PolicyRules) Validate(conf *Config) error {
return nil
}
func parseCurrent(rules string, conf *Config, meta *EnterprisePolicyMeta) (*Policy, error) {
func parse(rules string, conf *Config, meta *EnterprisePolicyMeta) (*Policy, error) {
p, err := decodeRules(rules, conf, meta)
if err != nil {
return nil, err
@ -314,126 +307,10 @@ func parseCurrent(rules string, conf *Config, meta *EnterprisePolicyMeta) (*Poli
return p, nil
}
// TODO(ACL-Legacy-Compat): remove in phase 2
func parseLegacy(rules string, conf *Config) (*Policy, error) {
p := &Policy{}
type LegacyPolicy struct {
Agents []*AgentRule `hcl:"agent,expand"`
Keys []*KeyRule `hcl:"key,expand"`
Nodes []*NodeRule `hcl:"node,expand"`
Services []*ServiceRule `hcl:"service,expand"`
Sessions []*SessionRule `hcl:"session,expand"`
Events []*EventRule `hcl:"event,expand"`
PreparedQueries []*PreparedQueryRule `hcl:"query,expand"`
Keyring string `hcl:"keyring"`
Operator string `hcl:"operator"`
// NOTE: mesh resources not supported here
}
lp := &LegacyPolicy{}
if err := hcl.Decode(lp, rules); err != nil {
return nil, fmt.Errorf("Failed to parse ACL rules: %v", err)
}
// Validate the agent policy
for _, ap := range lp.Agents {
if !isPolicyValid(ap.Policy, false) {
return nil, fmt.Errorf("Invalid agent policy: %#v", ap)
}
p.AgentPrefixes = append(p.AgentPrefixes, ap)
}
// Validate the key policy
for _, kp := range lp.Keys {
if !isPolicyValid(kp.Policy, true) {
return nil, fmt.Errorf("Invalid key policy: %#v", kp)
}
if err := kp.EnterpriseRule.Validate(kp.Policy, conf); err != nil {
return nil, fmt.Errorf("Invalid key enterprise policy: %#v, got error: %v", kp, err)
}
p.KeyPrefixes = append(p.KeyPrefixes, kp)
}
// Validate the node policies
for _, np := range lp.Nodes {
if !isPolicyValid(np.Policy, false) {
return nil, fmt.Errorf("Invalid node policy: %#v", np)
}
if err := np.EnterpriseRule.Validate(np.Policy, conf); err != nil {
return nil, fmt.Errorf("Invalid node enterprise policy: %#v, got error: %v", np, err)
}
p.NodePrefixes = append(p.NodePrefixes, np)
}
// Validate the service policies
for _, sp := range lp.Services {
if !isPolicyValid(sp.Policy, false) {
return nil, fmt.Errorf("Invalid service policy: %#v", sp)
}
if sp.Intentions != "" && !isPolicyValid(sp.Intentions, false) {
return nil, fmt.Errorf("Invalid service intentions policy: %#v", sp)
}
if err := sp.EnterpriseRule.Validate(sp.Policy, conf); err != nil {
return nil, fmt.Errorf("Invalid service enterprise policy: %#v, got error: %v", sp, err)
}
p.ServicePrefixes = append(p.ServicePrefixes, sp)
}
// Validate the session policies
for _, sp := range lp.Sessions {
if !isPolicyValid(sp.Policy, false) {
return nil, fmt.Errorf("Invalid session policy: %#v", sp)
}
p.SessionPrefixes = append(p.SessionPrefixes, sp)
}
// Validate the user event policies
for _, ep := range lp.Events {
if !isPolicyValid(ep.Policy, false) {
return nil, fmt.Errorf("Invalid event policy: %#v", ep)
}
p.EventPrefixes = append(p.EventPrefixes, ep)
}
// Validate the prepared query policies
for _, pq := range lp.PreparedQueries {
if !isPolicyValid(pq.Policy, false) {
return nil, fmt.Errorf("Invalid query policy: %#v", pq)
}
p.PreparedQueryPrefixes = append(p.PreparedQueryPrefixes, pq)
}
// Validate the keyring policy - this one is allowed to be empty
if lp.Keyring != "" && !isPolicyValid(lp.Keyring, false) {
return nil, fmt.Errorf("Invalid keyring policy: %#v", lp.Keyring)
} else {
p.Keyring = lp.Keyring
}
// Validate the operator policy - this one is allowed to be empty
if lp.Operator != "" && !isPolicyValid(lp.Operator, false) {
return nil, fmt.Errorf("Invalid operator policy: %#v", lp.Operator)
} else {
p.Operator = lp.Operator
}
return p, nil
}
// NewPolicyFromSource is used to parse the specified ACL rules into an
// intermediary set of policies, before being compiled into
// the ACL
func NewPolicyFromSource(rules string, syntax SyntaxVersion, conf *Config, meta *EnterprisePolicyMeta) (*Policy, error) {
func NewPolicyFromSource(rules string, conf *Config, meta *EnterprisePolicyMeta) (*Policy, error) {
if rules == "" {
// Hot path for empty source
return &Policy{}, nil
@ -441,15 +318,7 @@ func NewPolicyFromSource(rules string, syntax SyntaxVersion, conf *Config, meta
var policy *Policy
var err error
switch syntax {
// TODO(ACL-Legacy-Compat): remove and remove as argument from function
case SyntaxLegacy:
policy, err = parseLegacy(rules, conf)
case SyntaxCurrent:
policy, err = parseCurrent(rules, conf, meta)
default:
return nil, fmt.Errorf("Invalid rules version: %d", syntax)
}
policy, err = parse(rules, conf, meta)
return policy, err
}
@ -482,56 +351,3 @@ func takesPrecedenceOver(a, b string) bool {
return false
}
func TranslateLegacyRules(policyBytes []byte) ([]byte, error) {
parsed, err := hcl.ParseBytes(policyBytes)
if err != nil {
return nil, fmt.Errorf("Failed to parse rules: %v", err)
}
rewritten := ast.Walk(parsed, func(node ast.Node) (ast.Node, bool) {
switch n := node.(type) {
case *ast.ObjectItem:
if len(n.Keys) < 1 {
return node, true
}
txt := n.Keys[0].Token.Text
if n.Keys[0].Token.Type == token.STRING {
txt, err = strconv.Unquote(txt)
if err != nil {
return node, true
}
}
switch txt {
case "policy":
n.Keys[0].Token.Text = "policy"
case "agent":
n.Keys[0].Token.Text = "agent_prefix"
case "key":
n.Keys[0].Token.Text = "key_prefix"
case "node":
n.Keys[0].Token.Text = "node_prefix"
case "query":
n.Keys[0].Token.Text = "query_prefix"
case "service":
n.Keys[0].Token.Text = "service_prefix"
case "session":
n.Keys[0].Token.Text = "session_prefix"
case "event":
n.Keys[0].Token.Text = "event_prefix"
}
}
return node, true
})
buffer := new(bytes.Buffer)
if err := hclprinter.Fprint(buffer, rewritten); err != nil {
return nil, fmt.Errorf("Failed to output new rules: %v", err)
}
return buffer.Bytes(), nil
}

View File

@ -16,7 +16,6 @@ func errStartsWith(t *testing.T, actual error, expected string) {
func TestPolicySourceParse(t *testing.T) {
cases := []struct {
Name string
Syntax SyntaxVersion
Rules string
RulesJSON string
Expected *Policy
@ -24,7 +23,6 @@ func TestPolicySourceParse(t *testing.T) {
}{
{
Name: "Basic",
Syntax: SyntaxCurrent,
Rules: `
agent_prefix "bar" {
policy = "write"
@ -302,291 +300,8 @@ func TestPolicySourceParse(t *testing.T) {
},
}},
},
{
Name: "Legacy Basic",
Syntax: SyntaxLegacy,
Rules: `
agent "foo" {
policy = "read"
}
agent "bar" {
policy = "write"
}
event "" {
policy = "read"
}
event "foo" {
policy = "write"
}
event "bar" {
policy = "deny"
}
key "" {
policy = "read"
}
key "foo/" {
policy = "write"
}
key "foo/bar/" {
policy = "read"
}
key "foo/bar/baz" {
policy = "deny"
}
keyring = "deny"
node "" {
policy = "read"
}
node "foo" {
policy = "write"
}
node "bar" {
policy = "deny"
}
operator = "deny"
service "" {
policy = "write"
}
service "foo" {
policy = "read"
}
session "foo" {
policy = "write"
}
session "bar" {
policy = "deny"
}
session "baz" {
policy = "deny"
}
query "" {
policy = "read"
}
query "foo" {
policy = "write"
}
query "bar" {
policy = "deny"
}
`,
RulesJSON: `
{
"agent": {
"foo": {
"policy": "read"
},
"bar": {
"policy": "write"
}
},
"event": {
"": {
"policy": "read"
},
"foo": {
"policy": "write"
},
"bar": {
"policy": "deny"
}
},
"key": {
"": {
"policy": "read"
},
"foo/": {
"policy": "write"
},
"foo/bar/": {
"policy": "read"
},
"foo/bar/baz": {
"policy": "deny"
}
},
"keyring": "deny",
"node": {
"": {
"policy": "read"
},
"foo": {
"policy": "write"
},
"bar": {
"policy": "deny"
}
},
"operator": "deny",
"service": {
"": {
"policy": "write"
},
"foo": {
"policy": "read"
}
},
"session": {
"foo": {
"policy": "write"
},
"bar": {
"policy": "deny"
},
"baz": {
"policy": "deny"
}
},
"query": {
"": {
"policy": "read"
},
"foo": {
"policy": "write"
},
"bar": {
"policy": "deny"
}
}
}
`,
Expected: &Policy{PolicyRules: PolicyRules{
AgentPrefixes: []*AgentRule{
{
Node: "foo",
Policy: PolicyRead,
},
{
Node: "bar",
Policy: PolicyWrite,
},
},
EventPrefixes: []*EventRule{
{
Event: "",
Policy: PolicyRead,
},
{
Event: "foo",
Policy: PolicyWrite,
},
{
Event: "bar",
Policy: PolicyDeny,
},
},
Keyring: PolicyDeny,
KeyPrefixes: []*KeyRule{
{
Prefix: "",
Policy: PolicyRead,
},
{
Prefix: "foo/",
Policy: PolicyWrite,
},
{
Prefix: "foo/bar/",
Policy: PolicyRead,
},
{
Prefix: "foo/bar/baz",
Policy: PolicyDeny,
},
},
NodePrefixes: []*NodeRule{
{
Name: "",
Policy: PolicyRead,
},
{
Name: "foo",
Policy: PolicyWrite,
},
{
Name: "bar",
Policy: PolicyDeny,
},
},
Operator: PolicyDeny,
PreparedQueryPrefixes: []*PreparedQueryRule{
{
Prefix: "",
Policy: PolicyRead,
},
{
Prefix: "foo",
Policy: PolicyWrite,
},
{
Prefix: "bar",
Policy: PolicyDeny,
},
},
ServicePrefixes: []*ServiceRule{
{
Name: "",
Policy: PolicyWrite,
},
{
Name: "foo",
Policy: PolicyRead,
},
},
SessionPrefixes: []*SessionRule{
{
Node: "foo",
Policy: PolicyWrite,
},
{
Node: "bar",
Policy: PolicyDeny,
},
{
Node: "baz",
Policy: PolicyDeny,
},
},
}},
},
{
Name: "Service No Intentions (Legacy)",
Syntax: SyntaxLegacy,
Rules: `service "foo" { policy = "write" }`,
RulesJSON: `{ "service": { "foo": { "policy": "write" }}}`,
Expected: &Policy{PolicyRules: PolicyRules{
ServicePrefixes: []*ServiceRule{
{
Name: "foo",
Policy: "write",
},
},
}},
},
{
Name: "Service Intentions (Legacy)",
Syntax: SyntaxLegacy,
Rules: `service "foo" { policy = "write" intentions = "read" }`,
RulesJSON: `{ "service": { "foo": { "policy": "write", "intentions": "read" }}}`,
Expected: &Policy{PolicyRules: PolicyRules{
ServicePrefixes: []*ServiceRule{
{
Name: "foo",
Policy: "write",
Intentions: "read",
},
},
}},
},
{
Name: "Service Intention: invalid value (Legacy)",
Syntax: SyntaxLegacy,
Rules: `service "foo" { policy = "write" intentions = "foo" }`,
RulesJSON: `{ "service": { "foo": { "policy": "write", "intentions": "foo" }}}`,
Err: "Invalid service intentions policy",
},
{
Name: "Service No Intentions",
Syntax: SyntaxCurrent,
Rules: `service "foo" { policy = "write" }`,
RulesJSON: `{ "service": { "foo": { "policy": "write" }}}`,
Expected: &Policy{PolicyRules: PolicyRules{
@ -600,7 +315,6 @@ func TestPolicySourceParse(t *testing.T) {
},
{
Name: "Service Intentions",
Syntax: SyntaxCurrent,
Rules: `service "foo" { policy = "write" intentions = "read" }`,
RulesJSON: `{ "service": { "foo": { "policy": "write", "intentions": "read" }}}`,
Expected: &Policy{PolicyRules: PolicyRules{
@ -615,168 +329,144 @@ func TestPolicySourceParse(t *testing.T) {
},
{
Name: "Service Intention: invalid value",
Syntax: SyntaxCurrent,
Rules: `service "foo" { policy = "write" intentions = "foo" }`,
RulesJSON: `{ "service": { "foo": { "policy": "write", "intentions": "foo" }}}`,
Err: "Invalid service intentions policy",
},
{
Name: "Bad Policy - ACL",
Syntax: SyntaxCurrent,
Rules: `acl = "list"`, // there is no list policy but this helps to exercise another check in isPolicyValid
RulesJSON: `{ "acl": "list" }`, // there is no list policy but this helps to exercise another check in isPolicyValid
Err: "Invalid acl policy",
},
{
Name: "Bad Policy - Agent",
Syntax: SyntaxCurrent,
Rules: `agent "foo" { policy = "nope" }`,
RulesJSON: `{ "agent": { "foo": { "policy": "nope" }}}`,
Err: "Invalid agent policy",
},
{
Name: "Bad Policy - Agent Prefix",
Syntax: SyntaxCurrent,
Rules: `agent_prefix "foo" { policy = "nope" }`,
RulesJSON: `{ "agent_prefix": { "foo": { "policy": "nope" }}}`,
Err: "Invalid agent_prefix policy",
},
{
Name: "Bad Policy - Key",
Syntax: SyntaxCurrent,
Rules: `key "foo" { policy = "nope" }`,
RulesJSON: `{ "key": { "foo": { "policy": "nope" }}}`,
Err: "Invalid key policy",
},
{
Name: "Bad Policy - Key Prefix",
Syntax: SyntaxCurrent,
Rules: `key_prefix "foo" { policy = "nope" }`,
RulesJSON: `{ "key_prefix": { "foo": { "policy": "nope" }}}`,
Err: "Invalid key_prefix policy",
},
{
Name: "Bad Policy - Node",
Syntax: SyntaxCurrent,
Rules: `node "foo" { policy = "nope" }`,
RulesJSON: `{ "node": { "foo": { "policy": "nope" }}}`,
Err: "Invalid node policy",
},
{
Name: "Bad Policy - Node Prefix",
Syntax: SyntaxCurrent,
Rules: `node_prefix "foo" { policy = "nope" }`,
RulesJSON: `{ "node_prefix": { "foo": { "policy": "nope" }}}`,
Err: "Invalid node_prefix policy",
},
{
Name: "Bad Policy - Service",
Syntax: SyntaxCurrent,
Rules: `service "foo" { policy = "nope" }`,
RulesJSON: `{ "service": { "foo": { "policy": "nope" }}}`,
Err: "Invalid service policy",
},
{
Name: "Bad Policy - Service Prefix",
Syntax: SyntaxCurrent,
Rules: `service_prefix "foo" { policy = "nope" }`,
RulesJSON: `{ "service_prefix": { "foo": { "policy": "nope" }}}`,
Err: "Invalid service_prefix policy",
},
{
Name: "Bad Policy - Session",
Syntax: SyntaxCurrent,
Rules: `session "foo" { policy = "nope" }`,
RulesJSON: `{ "session": { "foo": { "policy": "nope" }}}`,
Err: "Invalid session policy",
},
{
Name: "Bad Policy - Session Prefix",
Syntax: SyntaxCurrent,
Rules: `session_prefix "foo" { policy = "nope" }`,
RulesJSON: `{ "session_prefix": { "foo": { "policy": "nope" }}}`,
Err: "Invalid session_prefix policy",
},
{
Name: "Bad Policy - Event",
Syntax: SyntaxCurrent,
Rules: `event "foo" { policy = "nope" }`,
RulesJSON: `{ "event": { "foo": { "policy": "nope" }}}`,
Err: "Invalid event policy",
},
{
Name: "Bad Policy - Event Prefix",
Syntax: SyntaxCurrent,
Rules: `event_prefix "foo" { policy = "nope" }`,
RulesJSON: `{ "event_prefix": { "foo": { "policy": "nope" }}}`,
Err: "Invalid event_prefix policy",
},
{
Name: "Bad Policy - Prepared Query",
Syntax: SyntaxCurrent,
Rules: `query "foo" { policy = "nope" }`,
RulesJSON: `{ "query": { "foo": { "policy": "nope" }}}`,
Err: "Invalid query policy",
},
{
Name: "Bad Policy - Prepared Query Prefix",
Syntax: SyntaxCurrent,
Rules: `query_prefix "foo" { policy = "nope" }`,
RulesJSON: `{ "query_prefix": { "foo": { "policy": "nope" }}}`,
Err: "Invalid query_prefix policy",
},
{
Name: "Bad Policy - Keyring",
Syntax: SyntaxCurrent,
Rules: `keyring = "nope"`,
RulesJSON: `{ "keyring": "nope" }`,
Err: "Invalid keyring policy",
},
{
Name: "Bad Policy - Operator",
Syntax: SyntaxCurrent,
Rules: `operator = "nope"`,
RulesJSON: `{ "operator": "nope" }`,
Err: "Invalid operator policy",
},
{
Name: "Bad Policy - Mesh",
Syntax: SyntaxCurrent,
Rules: `mesh = "nope"`,
RulesJSON: `{ "mesh": "nope" }`,
Err: "Invalid mesh policy",
},
{
Name: "Bad Policy - Peering",
Syntax: SyntaxCurrent,
Rules: `peering = "nope"`,
RulesJSON: `{ "peering": "nope" }`,
Err: "Invalid peering policy",
},
{
Name: "Keyring Empty",
Syntax: SyntaxCurrent,
Rules: `keyring = ""`,
RulesJSON: `{ "keyring": "" }`,
Expected: &Policy{PolicyRules: PolicyRules{Keyring: ""}},
},
{
Name: "Operator Empty",
Syntax: SyntaxCurrent,
Rules: `operator = ""`,
RulesJSON: `{ "operator": "" }`,
Expected: &Policy{PolicyRules: PolicyRules{Operator: ""}},
},
{
Name: "Mesh Empty",
Syntax: SyntaxCurrent,
Rules: `mesh = ""`,
RulesJSON: `{ "mesh": "" }`,
Expected: &Policy{PolicyRules: PolicyRules{Mesh: ""}},
},
{
Name: "Peering Empty",
Syntax: SyntaxCurrent,
Rules: `peering = ""`,
RulesJSON: `{ "peering": "" }`,
Expected: &Policy{PolicyRules: PolicyRules{Peering: ""}},
@ -788,7 +478,7 @@ func TestPolicySourceParse(t *testing.T) {
require.True(t, tc.Rules != "" || tc.RulesJSON != "")
if tc.Rules != "" {
t.Run("hcl", func(t *testing.T) {
actual, err := NewPolicyFromSource(tc.Rules, tc.Syntax, nil, nil)
actual, err := NewPolicyFromSource(tc.Rules, nil, nil)
if tc.Err != "" {
errStartsWith(t, err, tc.Err)
} else {
@ -798,7 +488,7 @@ func TestPolicySourceParse(t *testing.T) {
}
if tc.RulesJSON != "" {
t.Run("json", func(t *testing.T) {
actual, err := NewPolicyFromSource(tc.RulesJSON, tc.Syntax, nil, nil)
actual, err := NewPolicyFromSource(tc.RulesJSON, nil, nil)
if tc.Err != "" {
errStartsWith(t, err, tc.Err)
} else {
@ -1585,236 +1275,6 @@ func TestMergePolicies(t *testing.T) {
}
func TestRulesTranslate(t *testing.T) {
input := `
# top level comment
# block comment
agent "" {
# policy comment
policy = "write"
}
# block comment
key "" {
# policy comment
policy = "write"
}
# block comment
node "" {
# policy comment
policy = "write"
}
# block comment
event "" {
# policy comment
policy = "write"
}
# block comment
service "" {
# policy comment
policy = "write"
}
# block comment
session "" {
# policy comment
policy = "write"
}
# block comment
query "" {
# policy comment
policy = "write"
}
# comment
keyring = "write"
# comment
operator = "write"
# comment
mesh = "write"
# comment
peering = "write"
`
expected := `
# top level comment
# block comment
agent_prefix "" {
# policy comment
policy = "write"
}
# block comment
key_prefix "" {
# policy comment
policy = "write"
}
# block comment
node_prefix "" {
# policy comment
policy = "write"
}
# block comment
event_prefix "" {
# policy comment
policy = "write"
}
# block comment
service_prefix "" {
# policy comment
policy = "write"
}
# block comment
session_prefix "" {
# policy comment
policy = "write"
}
# block comment
query_prefix "" {
# policy comment
policy = "write"
}
# comment
keyring = "write"
# comment
operator = "write"
# comment
mesh = "write"
# comment
peering = "write"
`
output, err := TranslateLegacyRules([]byte(input))
require.NoError(t, err)
require.Equal(t, strings.Trim(expected, "\n"), string(output))
}
func TestRulesTranslate_GH5493(t *testing.T) {
input := `
{
"key": {
"": {
"policy": "read"
},
"key": {
"policy": "read"
},
"policy": {
"policy": "read"
},
"privatething1/": {
"policy": "deny"
},
"anapplication/private/": {
"policy": "deny"
},
"privatething2/": {
"policy": "deny"
}
},
"session": {
"": {
"policy": "write"
}
},
"node": {
"": {
"policy": "read"
}
},
"agent": {
"": {
"policy": "read"
}
},
"service": {
"": {
"policy": "read"
}
},
"event": {
"": {
"policy": "read"
}
},
"query": {
"": {
"policy": "read"
}
}
}`
expected := `
key_prefix "" {
policy = "read"
}
key_prefix "key" {
policy = "read"
}
key_prefix "policy" {
policy = "read"
}
key_prefix "privatething1/" {
policy = "deny"
}
key_prefix "anapplication/private/" {
policy = "deny"
}
key_prefix "privatething2/" {
policy = "deny"
}
session_prefix "" {
policy = "write"
}
node_prefix "" {
policy = "read"
}
agent_prefix "" {
policy = "read"
}
service_prefix "" {
policy = "read"
}
event_prefix "" {
policy = "read"
}
query_prefix "" {
policy = "read"
}
`
output, err := TranslateLegacyRules([]byte(input))
require.NoError(t, err)
require.Equal(t, strings.Trim(expected, "\n"), string(output))
}
func TestPrecedence(t *testing.T) {
type testCase struct {
name string

View File

@ -215,8 +215,6 @@ func (s *HTTPHandlers) aclPolicyWriteInternal(_resp http.ResponseWriter, req *ht
return nil, HTTPError{StatusCode: http.StatusBadRequest, Reason: fmt.Sprintf("Policy decoding failed: %v", err)}
}
args.Policy.Syntax = acl.SyntaxCurrent
if create {
if args.Policy.ID != "" {
return nil, HTTPError{StatusCode: http.StatusBadRequest, Reason: "Cannot specify the ID when creating a new policy"}
@ -1009,10 +1007,9 @@ func (s *HTTPHandlers) ACLAuthorize(resp http.ResponseWriter, req *http.Request)
// There are a number of reason why this is okay.
//
// 1. The authorizations performed here are the same as what would be done if other HTTP APIs
// were used. This is just a way to see if it would be allowed. In the future when we have
// audit logging, these authorization checks will be logged along with those from the real
// endpoints. In that respect, you can figure out if you have access just as easily by
// attempting to perform the requested operation.
// were used. This is just a way to see if it would be allowed. These authorization checks
// will be logged along with those from the real endpoints. In that respect, you can figure
// out if you have access just as easily by attempting to perform the requested operation.
// 2. In order to use this API you must have a valid ACL token secret.
// 3. Along with #2 you can use the ACL.GetPolicy RPC endpoint which will return a rolled up
// set of policy rules showing your tokens effective policy. This RPC endpoint exposes

View File

@ -238,7 +238,7 @@ func catalogPolicy(testACL string) (structs.ACLIdentity, acl.Authorizer, error)
return nil, nil, acl.ErrNotFound
}
policy, err := acl.NewPolicyFromSource(tok.rules, acl.SyntaxCurrent, nil, nil)
policy, err := acl.NewPolicyFromSource(tok.rules, nil, nil)
if err != nil {
return nil, nil, err
}

View File

@ -535,7 +535,7 @@ func TestAgent_Service(t *testing.T) {
tests := []struct {
name string
tokenRules string
policies string
url string
updateFunc func()
wantWait time.Duration
@ -671,7 +671,7 @@ func TestAgent_Service(t *testing.T) {
name: "err: bad ACL for service",
url: "/v1/agent/service/web-sidecar-proxy",
// Limited token doesn't grant read to the service
tokenRules: `
policies: `
key "" {
policy = "read"
}
@ -685,7 +685,7 @@ func TestAgent_Service(t *testing.T) {
name: "good ACL for service",
url: "/v1/agent/service/web-sidecar-proxy",
// Limited token doesn't grant read to the service
tokenRules: `
policies: `
service "web-sidecar-proxy" {
policy = "read"
}
@ -711,9 +711,9 @@ func TestAgent_Service(t *testing.T) {
// Inject the root token for tests that don't care about ACL
token := "root"
if tt.tokenRules != "" {
if tt.policies != "" {
// Create new token and use that.
token = testCreateToken(t, a, tt.tokenRules)
token = testCreateToken(t, a, tt.policies)
}
req.Header.Set("X-Consul-Token", token)
resp := httptest.NewRecorder()
@ -4353,7 +4353,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar(t *testing.T, extraHCL s
// directly.
json string
enableACL bool
tokenRules string
policies string
wantNS *structs.NodeService
wantErr string
wantSidecarIDLeftAfterDereg bool
@ -4396,7 +4396,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar(t *testing.T, extraHCL s
}
`,
enableACL: true,
tokenRules: `
policies: `
service "web-sidecar-proxy" {
policy = "write"
}
@ -4418,7 +4418,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar(t *testing.T, extraHCL s
}
`,
enableACL: true,
tokenRules: ``, // No token rules means no valid token
policies: ``, // No token rules means no valid token
wantNS: nil,
wantErr: "Permission denied",
},
@ -4435,7 +4435,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar(t *testing.T, extraHCL s
`,
enableACL: true,
// This will become more common/reasonable when ACLs support exact match.
tokenRules: `
policies: `
service "web-sidecar-proxy" {
policy = "deny"
}
@ -4461,7 +4461,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar(t *testing.T, extraHCL s
}
`,
enableACL: true,
tokenRules: `
policies: `
service "web-sidecar-proxy" {
policy = "write"
}
@ -4485,7 +4485,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar(t *testing.T, extraHCL s
}
`,
enableACL: true,
tokenRules: `
policies: `
service "web-sidecar-proxy" {
policy = "write"
}
@ -4514,7 +4514,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar(t *testing.T, extraHCL s
}
`,
enableACL: true,
tokenRules: `
policies: `
service "web-sidecar-proxy" {
policy = "write"
}
@ -4739,8 +4739,8 @@ func testAgent_RegisterServiceDeregisterService_Sidecar(t *testing.T, extraHCL s
// Create an ACL token with require policy
var token string
if tt.enableACL && tt.tokenRules != "" {
token = testCreateToken(t, a, tt.tokenRules)
if tt.enableACL && tt.policies != "" {
token = testCreateToken(t, a, tt.policies)
}
br := bytes.NewBufferString(tt.json)
@ -4850,7 +4850,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar_UDP(t *testing.T, extraH
// directly.
json string
enableACL bool
tokenRules string
policies string
wantNS *structs.NodeService
wantErr string
wantSidecarIDLeftAfterDereg bool
@ -4893,7 +4893,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar_UDP(t *testing.T, extraH
}
`,
enableACL: true,
tokenRules: `
policies: `
service "web-sidecar-proxy" {
policy = "write"
}
@ -4915,7 +4915,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar_UDP(t *testing.T, extraH
}
`,
enableACL: true,
tokenRules: ``, // No token rules means no valid token
policies: ``, // No policies means no valid token
wantNS: nil,
wantErr: "Permission denied",
},
@ -4932,7 +4932,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar_UDP(t *testing.T, extraH
`,
enableACL: true,
// This will become more common/reasonable when ACLs support exact match.
tokenRules: `
policies: `
service "web-sidecar-proxy" {
policy = "deny"
}
@ -4958,7 +4958,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar_UDP(t *testing.T, extraH
}
`,
enableACL: true,
tokenRules: `
policies: `
service "web-sidecar-proxy" {
policy = "write"
}
@ -4982,7 +4982,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar_UDP(t *testing.T, extraH
}
`,
enableACL: true,
tokenRules: `
policies: `
service "web-sidecar-proxy" {
policy = "write"
}
@ -5011,7 +5011,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar_UDP(t *testing.T, extraH
}
`,
enableACL: true,
tokenRules: `
policies: `
service "web-sidecar-proxy" {
policy = "write"
}
@ -5236,8 +5236,8 @@ func testAgent_RegisterServiceDeregisterService_Sidecar_UDP(t *testing.T, extraH
// Create an ACL token with require policy
var token string
if tt.enableACL && tt.tokenRules != "" {
token = testCreateToken(t, a, tt.tokenRules)
if tt.enableACL && tt.policies != "" {
token = testCreateToken(t, a, tt.policies)
}
br := bytes.NewBufferString(tt.json)

View File

@ -284,7 +284,7 @@ func agentRecoveryAuthorizer(nodeName string, entMeta *acl.EnterpriseMeta, aclCo
node_prefix "" {
policy = "read"
}
`, nodeName), acl.SyntaxCurrent, &conf, entMeta.ToEnterprisePolicyMeta())
`, nodeName), &conf, entMeta.ToEnterprisePolicyMeta())
if err != nil {
return nil, err
}

View File

@ -913,7 +913,7 @@ func (a *ACL) PolicySet(args *structs.ACLPolicySetRequest, reply *structs.ACLPol
}
// validate the rules
_, err = acl.NewPolicyFromSource(policy.Rules, policy.Syntax, a.srv.aclConfig, policy.EnterprisePolicyMeta())
_, err = acl.NewPolicyFromSource(policy.Rules, a.srv.aclConfig, policy.EnterprisePolicyMeta())
if err != nil {
return err
}

View File

@ -1,31 +0,0 @@
package consul
import (
"fmt"
"github.com/hashicorp/consul/agent/structs"
)
type LegacyACLGetPolicy struct{}
func (a *ACL) GetPolicy(*LegacyACLGetPolicy, *LegacyACLGetPolicy) error {
return fmt.Errorf("ACL.GetPolicy: the legacy ACL system has been removed")
}
func (a *ACL) Bootstrap(*structs.DCSpecificRequest, *LegacyACLRequest) error {
return fmt.Errorf("ACL.Bootstrap: the legacy ACL system has been removed")
}
type LegacyACLRequest struct{}
func (a *ACL) Apply(*LegacyACLRequest, *string) error {
return fmt.Errorf("ACL.Apply: the legacy ACL system has been removed")
}
func (a *ACL) Get(*LegacyACLRequest, *LegacyACLRequest) error {
return fmt.Errorf("ACL.Get: the legacy ACL system has been removed")
}
func (a *ACL) List(*structs.DCSpecificRequest, *LegacyACLRequest) error {
return fmt.Errorf("ACL.List: the legacy ACL system has been removed")
}

View File

@ -10,7 +10,6 @@ import (
"github.com/stretchr/testify/require"
"github.com/hashicorp/consul/acl"
"github.com/hashicorp/consul/agent/consul/authmethod/testauth"
"github.com/hashicorp/consul/agent/structs"
"github.com/hashicorp/consul/agent/structs/aclfilter"
@ -31,7 +30,6 @@ func TestACLReplication_diffACLPolicies(t *testing.T) {
Name: "policy1",
Description: "policy1 - already in sync",
Rules: `acl = "read"`,
Syntax: acl.SyntaxCurrent,
Datacenters: nil,
Hash: []byte{1, 2, 3, 4},
RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2},
@ -41,7 +39,6 @@ func TestACLReplication_diffACLPolicies(t *testing.T) {
Name: "policy2",
Description: "policy2 - updated but not changed",
Rules: `acl = "read"`,
Syntax: acl.SyntaxCurrent,
Datacenters: nil,
Hash: []byte{1, 2, 3, 4},
RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 25},
@ -51,7 +48,6 @@ func TestACLReplication_diffACLPolicies(t *testing.T) {
Name: "policy3",
Description: "policy3 - updated and changed",
Rules: `acl = "read"`,
Syntax: acl.SyntaxCurrent,
Datacenters: nil,
Hash: []byte{1, 2, 3, 4},
RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 25},
@ -61,7 +57,6 @@ func TestACLReplication_diffACLPolicies(t *testing.T) {
Name: "policy4",
Description: "policy4 - needs deleting",
Rules: `acl = "read"`,
Syntax: acl.SyntaxCurrent,
Datacenters: nil,
Hash: []byte{1, 2, 3, 4},
RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 25},

View File

@ -213,7 +213,6 @@ func testPolicyForID(policyID string) (bool, *structs.ACLPolicy, error) {
Name: "acl-ro",
Description: "acl-ro",
Rules: `acl = "read"`,
Syntax: acl.SyntaxCurrent,
RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2},
}
p.SetHash(false)
@ -224,7 +223,6 @@ func testPolicyForID(policyID string) (bool, *structs.ACLPolicy, error) {
Name: "acl-wr",
Description: "acl-wr",
Rules: `acl = "write"`,
Syntax: acl.SyntaxCurrent,
RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2},
}
p.SetHash(false)
@ -235,7 +233,6 @@ func testPolicyForID(policyID string) (bool, *structs.ACLPolicy, error) {
Name: "service-ro",
Description: "service-ro",
Rules: `service_prefix "" { policy = "read" }`,
Syntax: acl.SyntaxCurrent,
RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2},
}
p.SetHash(false)
@ -246,7 +243,6 @@ func testPolicyForID(policyID string) (bool, *structs.ACLPolicy, error) {
Name: "service-wr",
Description: "service-wr",
Rules: `service_prefix "" { policy = "write" }`,
Syntax: acl.SyntaxCurrent,
RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2},
}
p.SetHash(false)
@ -257,7 +253,6 @@ func testPolicyForID(policyID string) (bool, *structs.ACLPolicy, error) {
Name: "node-wr",
Description: "node-wr",
Rules: `node_prefix "" { policy = "write"}`,
Syntax: acl.SyntaxCurrent,
Datacenters: []string{"dc1"},
RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2},
}
@ -269,7 +264,6 @@ func testPolicyForID(policyID string) (bool, *structs.ACLPolicy, error) {
Name: "dc2-key-wr",
Description: "dc2-key-wr",
Rules: `key_prefix "" { policy = "write"}`,
Syntax: acl.SyntaxCurrent,
Datacenters: []string{"dc2"},
RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2},
}
@ -1699,7 +1693,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega
Name: "acl-ro",
Description: "acl-ro",
Rules: `acl = "read"`,
Syntax: acl.SyntaxCurrent,
RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2},
},
})
@ -1733,7 +1726,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega
Name: "acl-ro",
Description: "acl-ro",
Rules: `acl = "read"`,
Syntax: acl.SyntaxCurrent,
RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2},
},
})
@ -1768,7 +1760,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega
Name: "acl-ro",
Description: "acl-ro",
Rules: `acl = "read"`,
Syntax: acl.SyntaxCurrent,
RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2},
},
})
@ -1793,7 +1784,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega
Name: "node-wr",
Description: "node-wr",
Rules: `node_prefix "" { policy = "write"}`,
Syntax: acl.SyntaxCurrent,
Datacenters: []string{"dc1"},
RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2},
},
@ -1802,7 +1792,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega
Name: "dc2-key-wr",
Description: "dc2-key-wr",
Rules: `key_prefix "" { policy = "write"}`,
Syntax: acl.SyntaxCurrent,
Datacenters: []string{"dc2"},
RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2},
},
@ -1836,7 +1825,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega
Name: "node-wr",
Description: "node-wr",
Rules: `node_prefix "" { policy = "write"}`,
Syntax: acl.SyntaxCurrent,
Datacenters: []string{"dc1"},
RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2},
},
@ -1845,7 +1833,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega
Name: "dc2-key-wr",
Description: "dc2-key-wr",
Rules: `key_prefix "" { policy = "write"}`,
Syntax: acl.SyntaxCurrent,
Datacenters: []string{"dc2"},
RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2},
},
@ -1874,7 +1861,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega
Name: "node-wr",
Description: "node-wr",
Rules: `node_prefix "" { policy = "write"}`,
Syntax: acl.SyntaxCurrent,
Datacenters: []string{"dc1"},
RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2},
},
@ -1883,7 +1869,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega
Name: "dc2-key-wr",
Description: "dc2-key-wr",
Rules: `key_prefix "" { policy = "write"}`,
Syntax: acl.SyntaxCurrent,
Datacenters: []string{"dc2"},
RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2},
},
@ -1901,7 +1886,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega
Name: "service-ro",
Description: "service-ro",
Rules: `service_prefix "" { policy = "read" }`,
Syntax: acl.SyntaxCurrent,
RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2},
},
})
@ -2072,7 +2056,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega
Name: "node-wr",
Description: "node-wr",
Rules: `node_prefix "" { policy = "write"}`,
Syntax: acl.SyntaxCurrent,
Datacenters: []string{"dc1"},
RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2},
},
@ -2098,7 +2081,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega
Name: "ixn-write",
Description: "ixn-write",
Rules: `service_prefix "" { policy = "write" intentions = "write" }`,
Syntax: acl.SyntaxCurrent,
RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2},
},
})

View File

@ -306,10 +306,6 @@ func (w *TokenWriter) write(token, existing *structs.ACLToken, fromLogin bool) (
}
token.NodeIdentities = nodeIdentities
if token.Type != "" {
return nil, errors.New("Type cannot be specified for this token")
}
if err := w.enterpriseValidation(token, existing); err != nil {
return nil, err
}

View File

@ -98,10 +98,6 @@ func TestTokenWriter_Create_Validation(t *testing.T) {
fromLogin: false,
errorContains: "AuthMethod field is disallowed outside of login",
},
"Type set": {
token: structs.ACLToken{Type: "some-type"},
errorContains: "Type cannot be specified for this token",
},
}
for desc, tc := range testCases {
t.Run(desc, func(t *testing.T) {
@ -494,10 +490,6 @@ func TestTokenWriter_Update_Validation(t *testing.T) {
token: structs.ACLToken{AccessorID: token.AccessorID, ExpirationTime: timePointer(token.ExpirationTime.Add(1 * time.Minute))},
errorContains: "Cannot change expiration time",
},
"Type set": {
token: structs.ACLToken{AccessorID: token.AccessorID, Type: "some-type"},
errorContains: "Type cannot be specified for this token",
},
}
for desc, tc := range testCases {
t.Run(desc, func(t *testing.T) {

View File

@ -101,7 +101,7 @@ func TestEventPayloadReadyServers_HasReadPermission(t *testing.T) {
service "foo" {
policy = "write"
}
`, acl.SyntaxCurrent, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)

View File

@ -3588,7 +3588,7 @@ service "gateway" {
func TestVetRegisterWithACL(t *testing.T) {
appendAuthz := func(t *testing.T, defaultAuthz acl.Authorizer, rules string) acl.Authorizer {
policy, err := acl.NewPolicyFromSource(rules, acl.SyntaxCurrent, nil, nil)
policy, err := acl.NewPolicyFromSource(rules, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(defaultAuthz, []*acl.Policy{policy}, nil)
@ -3876,10 +3876,10 @@ func TestVetDeregisterWithACL(t *testing.T) {
// Create a basic node policy.
policy, err := acl.NewPolicyFromSource(`
node "node" {
node_prefix "node" {
policy = "write"
}
`, acl.SyntaxLegacy, nil, nil)
}
`, nil, nil)
if err != nil {
t.Fatalf("err %v", err)
}
@ -3892,7 +3892,7 @@ node "node" {
service "my-service" {
policy = "write"
}
`, acl.SyntaxLegacy, nil, nil)
`, nil, nil)
if err != nil {
t.Fatalf("err %v", err)
}

View File

@ -10,7 +10,7 @@ import (
func TestFilter_DirEnt(t *testing.T) {
t.Parallel()
policy, _ := acl.NewPolicyFromSource(testFilterRules, acl.SyntaxLegacy, nil, nil)
policy, _ := acl.NewPolicyFromSource(testFilterRules, nil, nil)
aclR, _ := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
type tcase struct {
@ -52,7 +52,7 @@ func TestFilter_DirEnt(t *testing.T) {
func TestFilter_TxnResults(t *testing.T) {
t.Parallel()
policy, _ := acl.NewPolicyFromSource(testFilterRules, acl.SyntaxLegacy, nil, nil)
policy, _ := acl.NewPolicyFromSource(testFilterRules, nil, nil)
aclR, _ := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
type tcase struct {
@ -101,16 +101,16 @@ func TestFilter_TxnResults(t *testing.T) {
}
var testFilterRules = `
key "" {
key_prefix "" {
policy = "deny"
}
key "foo/" {
key_prefix "foo/" {
policy = "read"
}
key "foo/priv/" {
key_prefix "foo/priv/" {
policy = "deny"
}
key "zip/" {
key_prefix "zip/" {
policy = "read"
}
`

View File

@ -113,7 +113,6 @@ func TestFSM_SnapshotRestore_OSS(t *testing.T) {
},
CreateTime: time.Now(),
Local: false,
Type: "management",
}
require.NoError(t, fsm.state.ACLBootstrap(10, 0, token))

View File

@ -413,7 +413,6 @@ func (s *Server) initializeACLs(ctx context.Context) error {
Name: "global-management",
Description: "Builtin Policy that grants unlimited access",
Rules: structs.ACLPolicyGlobalManagement,
Syntax: acl.SyntaxCurrent,
EnterpriseMeta: *structs.DefaultEnterpriseMetaInDefaultPartition(),
}
if policy != nil {

View File

@ -450,13 +450,13 @@ func aclTokenSetTxn(tx WriteTxn, idx uint64, token *structs.ACLToken, opts ACLTo
if token.AccessorID == "" {
return ErrMissingACLTokenAccessor
}
if opts.FromReplication && token.Local {
return fmt.Errorf("Cannot replicate local tokens")
}
// Check for an existing ACL
// DEPRECATED (ACL-Legacy-Compat) - transition to using accessor index instead of secret once v1 compat is removed
_, existing, err := aclTokenGetFromIndex(tx, token.SecretID, "id", nil)
_, existing, err := aclTokenGetFromIndex(tx, token.AccessorID, indexAccessor, nil)
if err != nil {
return fmt.Errorf("failed token lookup: %s", err)
}
@ -553,7 +553,7 @@ func aclTokenSetTxn(tx WriteTxn, idx uint64, token *structs.ACLToken, opts ACLTo
// ACLTokenGetBySecret is used to look up an existing ACL token by its SecretID.
func (s *Store) ACLTokenGetBySecret(ws memdb.WatchSet, secret string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLToken, error) {
return s.aclTokenGet(ws, secret, "id", entMeta)
return s.aclTokenGet(ws, secret, indexID, entMeta)
}
// ACLTokenGetByAccessor is used to look up an existing ACL token by its AccessorID.

View File

@ -33,7 +33,6 @@ func setupGlobalManagement(t *testing.T, s *Store) {
Name: "global-management",
Description: "Builtin Policy that grants unlimited access",
Rules: structs.ACLPolicyGlobalManagement,
Syntax: acl.SyntaxCurrent,
}
policy.SetHash(true)
require.NoError(t, s.ACLPolicySet(1, &policy))
@ -74,35 +73,30 @@ func setupExtraPolicies(t *testing.T, s *Store) {
Name: "node-read",
Description: "Allows reading all node information",
Rules: `node_prefix "" { policy = "read" }`,
Syntax: acl.SyntaxCurrent,
},
&structs.ACLPolicy{
ID: testPolicyID_B,
Name: "agent-read",
Description: "Allows reading all node information",
Rules: `agent_prefix "" { policy = "read" }`,
Syntax: acl.SyntaxCurrent,
},
&structs.ACLPolicy{
ID: testPolicyID_C,
Name: "acl-read",
Description: "Allows acl read",
Rules: `acl = "read"`,
Syntax: acl.SyntaxCurrent,
},
&structs.ACLPolicy{
ID: testPolicyID_D,
Name: "acl-write",
Description: "Allows acl write",
Rules: `acl = "write"`,
Syntax: acl.SyntaxCurrent,
},
&structs.ACLPolicy{
ID: testPolicyID_E,
Name: "kv-read",
Description: "Allows kv read",
Rules: `key_prefix "" { policy = "read" }`,
Syntax: acl.SyntaxCurrent,
},
}
@ -1068,7 +1062,6 @@ func TestStateStore_ACLToken_FixupPolicyLinks(t *testing.T) {
Name: "node-read-renamed",
Description: "Allows reading all node information",
Rules: `node_prefix "" { policy = "read" }`,
Syntax: acl.SyntaxCurrent,
}
renamed.SetHash(true)
require.NoError(t, s.ACLPolicySet(3, renamed))
@ -1475,7 +1468,6 @@ func TestStateStore_ACLPolicy_SetGet(t *testing.T) {
Name: "node-read",
Description: "Allows reading all node information",
Rules: `node_prefix "" { policy = "read" }`,
Syntax: acl.SyntaxCurrent,
Datacenters: []string{"dc1"},
}
@ -1488,7 +1480,6 @@ func TestStateStore_ACLPolicy_SetGet(t *testing.T) {
require.Equal(t, "node-read", rpolicy.Name)
require.Equal(t, "Allows reading all node information", rpolicy.Description)
require.Equal(t, `node_prefix "" { policy = "read" }`, rpolicy.Rules)
require.Equal(t, acl.SyntaxCurrent, rpolicy.Syntax)
require.Len(t, rpolicy.Datacenters, 1)
require.Equal(t, "dc1", rpolicy.Datacenters[0])
require.Equal(t, uint64(3), rpolicy.CreateIndex)
@ -1502,7 +1493,6 @@ func TestStateStore_ACLPolicy_SetGet(t *testing.T) {
require.Equal(t, "global-management", rpolicy.Name)
require.Equal(t, "Builtin Policy that grants unlimited access", rpolicy.Description)
require.Equal(t, structs.ACLPolicyGlobalManagement, rpolicy.Rules)
require.Equal(t, acl.SyntaxCurrent, rpolicy.Syntax)
require.Len(t, rpolicy.Datacenters, 0)
require.Equal(t, uint64(1), rpolicy.CreateIndex)
require.Equal(t, uint64(1), rpolicy.ModifyIndex)
@ -1518,7 +1508,6 @@ func TestStateStore_ACLPolicy_SetGet(t *testing.T) {
Name: "node-read-modified",
Description: "Modified",
Rules: `node_prefix "" { policy = "read" } node "secret" { policy = "deny" }`,
Syntax: acl.SyntaxCurrent,
Datacenters: []string{"dc1", "dc2"},
}
@ -2307,7 +2296,6 @@ func TestStateStore_ACLRole_FixupPolicyLinks(t *testing.T) {
Name: "node-read-renamed",
Description: "Allows reading all node information",
Rules: `node_prefix "" { policy = "read" }`,
Syntax: acl.SyntaxCurrent,
}
renamed.SetHash(true)
require.NoError(t, s.ACLPolicySet(3, renamed))
@ -3368,14 +3356,12 @@ func TestStateStore_ACLTokens_Snapshot_Restore(t *testing.T) {
Name: "policy1",
Description: "policy1",
Rules: `node_prefix "" { policy = "read" }`,
Syntax: acl.SyntaxCurrent,
},
&structs.ACLPolicy{
ID: "7b70fa0f-58cd-412d-93c3-a0f17bb19a3e",
Name: "policy2",
Description: "policy2",
Rules: `acl = "read"`,
Syntax: acl.SyntaxCurrent,
},
}
@ -3769,14 +3755,12 @@ func TestStateStore_ACLRoles_Snapshot_Restore(t *testing.T) {
Name: "policy1",
Description: "policy1",
Rules: `node_prefix "" { policy = "read" }`,
Syntax: acl.SyntaxCurrent,
},
&structs.ACLPolicy{
ID: "7b70fa0f-58cd-412d-93c3-a0f17bb19a3e",
Name: "policy2",
Description: "policy2",
Rules: `acl = "read"`,
Syntax: acl.SyntaxCurrent,
},
}

View File

@ -105,7 +105,7 @@ func TestEventPayloadCARoots_HasReadPermission(t *testing.T) {
service "foo" {
policy = "write"
}
`, acl.SyntaxCurrent, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)

View File

@ -140,7 +140,6 @@ func TestStore_IntegrationWithEventPublisher_ACLPolicyUpdate(t *testing.T) {
ID: testPolicyID_C,
Name: "foo-read",
Rules: `node "foo" { policy = "read" }`,
Syntax: acl.SyntaxCurrent,
Datacenters: []string{"dc1"},
}
policy2.SetHash(false)
@ -154,7 +153,6 @@ func TestStore_IntegrationWithEventPublisher_ACLPolicyUpdate(t *testing.T) {
ID: testPolicyID_A,
Name: "node-read",
Rules: `node_prefix "" { policy = "write" }`,
Syntax: acl.SyntaxCurrent,
Datacenters: []string{"dc1"},
}
policy3.SetHash(false)
@ -213,7 +211,6 @@ func TestStore_IntegrationWithEventPublisher_ACLPolicyUpdate(t *testing.T) {
ID: testPolicyID_B,
Name: "node-read",
Rules: `node_prefix "foo" { policy = "read" }`,
Syntax: acl.SyntaxCurrent,
Datacenters: []string{"dc1"},
}
policy4.SetHash(false)

View File

@ -47,7 +47,7 @@ func ACLServiceWriteAny(t *testing.T) resolver.Result {
service "foo" {
policy = "write"
}
`, acl.SyntaxCurrent, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)

View File

@ -692,7 +692,7 @@ node "node1" {
}
`
cfg := &acl.Config{WildcardName: structs.WildcardSpecifier}
authorizer, err := acl.NewAuthorizerFromRules(rules, acl.SyntaxCurrent, cfg, nil)
authorizer, err := acl.NewAuthorizerFromRules(rules, cfg, nil)
require.NoError(t, err)
authorizer = acl.NewChainedAuthorizer([]acl.Authorizer{authorizer, acl.DenyAll()})
require.Equal(t, acl.Deny, authorizer.NodeRead("denied", nil))
@ -896,7 +896,7 @@ node "node1" {
policy = "write"
}
`
authorizer, err := acl.NewAuthorizerFromRules(rules, acl.SyntaxCurrent, &acl.Config{WildcardName: structs.WildcardSpecifier}, nil)
authorizer, err := acl.NewAuthorizerFromRules(rules, &acl.Config{WildcardName: structs.WildcardSpecifier}, nil)
require.NoError(t, err)
authorizer = acl.NewChainedAuthorizer([]acl.Authorizer{authorizer, acl.DenyAll()})
require.Equal(t, acl.Deny, authorizer.NodeRead("denied", nil))

View File

@ -91,7 +91,7 @@ func disableLegacyIntentions(t *testing.T, store *state.Store) {
}
func policyAuthorizer(t *testing.T, policyHCL string) acl.Authorizer {
policy, err := acl.NewPolicyFromSource(policyHCL, acl.SyntaxCurrent, nil, nil)
policy, err := acl.NewPolicyFromSource(policyHCL, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)

View File

@ -1732,25 +1732,21 @@ func upsertTestACLs(t *testing.T, store *state.Store) {
ID: testPolicyPeeringReadID,
Name: "peering-read",
Rules: `peering = "read"`,
Syntax: acl.SyntaxCurrent,
},
{
ID: testPolicyPeeringWriteID,
Name: "peering-write",
Rules: `peering = "write"`,
Syntax: acl.SyntaxCurrent,
},
{
ID: testPolicyServiceReadID,
Name: "service-read",
Rules: `service "api" { policy = "read" }`,
Syntax: acl.SyntaxCurrent,
},
{
ID: testPolicyServiceWriteID,
Name: "service-write",
Rules: `service "api" { policy = "write" }`,
Syntax: acl.SyntaxCurrent,
},
}
require.NoError(t, store.ACLPolicyBatchSet(100, policies))

View File

@ -160,7 +160,6 @@ func (s *ACLServiceIdentity) SyntheticPolicy(entMeta *acl.EnterpriseMeta) *ACLPo
sn := NewServiceName(s.ServiceName, entMeta)
policy.Description = fmt.Sprintf("synthetic policy for service identity %q", sn.String())
policy.Rules = rules
policy.Syntax = acl.SyntaxCurrent
policy.Datacenters = s.Datacenters
policy.EnterpriseMeta.Merge(entMeta)
policy.SetHash(true)
@ -232,7 +231,6 @@ func (s *ACLNodeIdentity) SyntheticPolicy(entMeta *acl.EnterpriseMeta) *ACLPolic
policy.Name = fmt.Sprintf("synthetic-policy-%s", hashID)
policy.Description = fmt.Sprintf("synthetic policy for node identity %q", s.NodeName)
policy.Rules = rules
policy.Syntax = acl.SyntaxCurrent
policy.Datacenters = []string{s.Datacenter}
policy.EnterpriseMeta.Merge(entMeta)
policy.SetHash(true)
@ -286,13 +284,6 @@ type ACLToken struct {
// The node identities that this token should be allowed to manage.
NodeIdentities ACLNodeIdentities `json:",omitempty"`
// Type is the V1 Token Type
// DEPRECATED (ACL-Legacy-Compat) - remove once we no longer support v1 ACL compat
// Even though we are going to auto upgrade management tokens we still
// want to be able to have the old APIs operate on the upgraded management tokens
// so this field is being kept to identify legacy tokens even after an auto-upgrade
Type string `json:"-"`
// Whether this token is DC local. This means that it will not be synced
// to the ACL datacenter and replicated to others.
Local bool
@ -479,7 +470,6 @@ func (t *ACLToken) SetHash(force bool) []byte {
// Write all the user set fields
hash.Write([]byte(t.Description))
hash.Write([]byte(t.Type))
if t.Local {
hash.Write([]byte("local"))
@ -516,7 +506,7 @@ func (t *ACLToken) SetHash(force bool) []byte {
func (t *ACLToken) EstimateSize() int {
// 41 = 16 (RaftIndex) + 8 (Hash) + 8 (ExpirationTime) + 8 (CreateTime) + 1 (Local)
size := 41 + len(t.AccessorID) + len(t.SecretID) + len(t.Description) + len(t.Type) + len(t.AuthMethod)
size := 41 + len(t.AccessorID) + len(t.SecretID) + len(t.Description) + len(t.AuthMethod)
for _, link := range t.Policies {
size += len(link.ID) + len(link.Name)
}
@ -604,9 +594,6 @@ type ACLPolicy struct {
// The rule set (using the updated rule syntax)
Rules string
// DEPRECATED (ACL-Legacy-Compat) - This is only needed while we support the legacy ACLs
Syntax acl.SyntaxVersion `json:"-"`
// Datacenters that the policy is valid within.
// - No wildcards allowed
// - If empty then the policy is valid within all datacenters
@ -767,7 +754,7 @@ func (policies ACLPolicies) resolveWithCache(cache *ACLCaches, entConf *acl.Conf
continue
}
p, err := acl.NewPolicyFromSource(policy.Rules, policy.Syntax, entConf, policy.EnterprisePolicyMeta())
p, err := acl.NewPolicyFromSource(policy.Rules, entConf, policy.EnterprisePolicyMeta())
if err != nil {
return nil, fmt.Errorf("failed to parse %q: %v", policy.Name, err)
}

View File

@ -67,7 +67,6 @@ func TestStructs_ACLServiceIdentity_SyntheticPolicy(t *testing.T) {
}
expect := &ACLPolicy{
Syntax: acl.SyntaxCurrent,
Datacenters: test.datacenters,
Rules: test.expectRules,
}
@ -402,7 +401,6 @@ func TestStructs_ACLPolicies_resolveWithCache(t *testing.T) {
Name: "policy1",
Description: "policy1",
Rules: `node_prefix "" { policy = "read" }`,
Syntax: acl.SyntaxCurrent,
RaftIndex: RaftIndex{
CreateIndex: 1,
ModifyIndex: 2,
@ -413,7 +411,6 @@ func TestStructs_ACLPolicies_resolveWithCache(t *testing.T) {
Name: "policy2",
Description: "policy2",
Rules: `agent_prefix "" { policy = "read" }`,
Syntax: acl.SyntaxCurrent,
RaftIndex: RaftIndex{
CreateIndex: 3,
ModifyIndex: 4,
@ -424,7 +421,6 @@ func TestStructs_ACLPolicies_resolveWithCache(t *testing.T) {
Name: "policy3",
Description: "policy3",
Rules: `key_prefix "" { policy = "read" }`,
Syntax: acl.SyntaxCurrent,
RaftIndex: RaftIndex{
CreateIndex: 5,
ModifyIndex: 6,
@ -435,7 +431,6 @@ func TestStructs_ACLPolicies_resolveWithCache(t *testing.T) {
Name: "policy4",
Description: "policy4",
Rules: `service_prefix "" { policy = "read" }`,
Syntax: acl.SyntaxCurrent,
RaftIndex: RaftIndex{
CreateIndex: 7,
ModifyIndex: 8,
@ -492,7 +487,6 @@ func TestStructs_ACLPolicies_Compile(t *testing.T) {
Name: "policy1",
Description: "policy1",
Rules: `node_prefix "" { policy = "read" }`,
Syntax: acl.SyntaxCurrent,
RaftIndex: RaftIndex{
CreateIndex: 1,
ModifyIndex: 2,
@ -503,7 +497,6 @@ func TestStructs_ACLPolicies_Compile(t *testing.T) {
Name: "policy2",
Description: "policy2",
Rules: `agent_prefix "" { policy = "read" }`,
Syntax: acl.SyntaxCurrent,
RaftIndex: RaftIndex{
CreateIndex: 3,
ModifyIndex: 4,
@ -514,7 +507,6 @@ func TestStructs_ACLPolicies_Compile(t *testing.T) {
Name: "policy3",
Description: "policy3",
Rules: `key_prefix "" { policy = "read" }`,
Syntax: acl.SyntaxCurrent,
RaftIndex: RaftIndex{
CreateIndex: 5,
ModifyIndex: 6,
@ -525,7 +517,6 @@ func TestStructs_ACLPolicies_Compile(t *testing.T) {
Name: "policy4",
Description: "policy4",
Rules: `service_prefix "" { policy = "read" }`,
Syntax: acl.SyntaxCurrent,
RaftIndex: RaftIndex{
CreateIndex: 7,
ModifyIndex: 8,

View File

@ -28,7 +28,7 @@ func TestACL_filterImported_IndexedHealthChecks(t *testing.T) {
}
run := func(t *testing.T, tc testCase) {
policy, err := acl.NewPolicyFromSource(tc.policyRules, acl.SyntaxCurrent, nil, nil)
policy, err := acl.NewPolicyFromSource(tc.policyRules, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -99,7 +99,7 @@ func TestACL_filterImported_IndexedNodes(t *testing.T) {
}
run := func(t *testing.T, tc testCase) {
policy, err := acl.NewPolicyFromSource(tc.policyRules, acl.SyntaxCurrent, nil, nil)
policy, err := acl.NewPolicyFromSource(tc.policyRules, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -172,7 +172,7 @@ func TestACL_filterImported_IndexedNodeServices(t *testing.T) {
}
run := func(t *testing.T, tc testCase) {
policy, err := acl.NewPolicyFromSource(tc.policyRules, acl.SyntaxCurrent, nil, nil)
policy, err := acl.NewPolicyFromSource(tc.policyRules, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -253,7 +253,7 @@ func TestACL_filterImported_IndexedNodeServiceList(t *testing.T) {
}
run := func(t *testing.T, tc testCase) {
policy, err := acl.NewPolicyFromSource(tc.policyRules, acl.SyntaxCurrent, nil, nil)
policy, err := acl.NewPolicyFromSource(tc.policyRules, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -333,7 +333,7 @@ func TestACL_filterImported_IndexedServiceNodes(t *testing.T) {
}
run := func(t *testing.T, tc testCase) {
policy, err := acl.NewPolicyFromSource(tc.policyRules, acl.SyntaxCurrent, nil, nil)
policy, err := acl.NewPolicyFromSource(tc.policyRules, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -402,7 +402,7 @@ func TestACL_filterImported_CheckServiceNode(t *testing.T) {
}
run := func(t *testing.T, tc testCase) {
policy, err := acl.NewPolicyFromSource(tc.policyRules, acl.SyntaxCurrent, nil, nil)
policy, err := acl.NewPolicyFromSource(tc.policyRules, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -505,10 +505,16 @@ func TestACL_filterHealthChecks(t *testing.T) {
service "foo" {
policy = "read"
}
service_prefix "foo" {
policy = "read"
}
node "node1" {
policy = "read"
}
`, acl.SyntaxLegacy, nil, nil)
node_prefix "node1" {
policy = "read"
}
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -527,7 +533,10 @@ func TestACL_filterHealthChecks(t *testing.T) {
service "foo" {
policy = "read"
}
`, acl.SyntaxLegacy, nil, nil)
service_prefix "foo" {
policy = "read"
}
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -546,7 +555,10 @@ func TestACL_filterHealthChecks(t *testing.T) {
node "node1" {
policy = "read"
}
`, acl.SyntaxLegacy, nil, nil)
node_prefix "node1" {
policy = "read"
}
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -604,7 +616,10 @@ func TestACL_filterIntentions(t *testing.T) {
service "foo" {
policy = "read"
}
`, acl.SyntaxLegacy, nil, nil)
service_prefix "foo" {
policy = "read"
}
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -675,7 +690,7 @@ func TestACL_filterServiceNodes(t *testing.T) {
node "node1" {
policy = "read"
}
`, acl.SyntaxLegacy, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -694,7 +709,7 @@ func TestACL_filterServiceNodes(t *testing.T) {
service "foo" {
policy = "read"
}
`, acl.SyntaxLegacy, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -758,7 +773,7 @@ func TestACL_filterNodeServices(t *testing.T) {
node "node1" {
policy = "read"
}
`, acl.SyntaxLegacy, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -777,7 +792,7 @@ func TestACL_filterNodeServices(t *testing.T) {
service "foo" {
policy = "read"
}
`, acl.SyntaxLegacy, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -796,7 +811,7 @@ func TestACL_filterNodeServices(t *testing.T) {
node "node1" {
policy = "read"
}
`, acl.SyntaxLegacy, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -855,7 +870,7 @@ func TestACL_filterNodeServiceList(t *testing.T) {
node "node1" {
policy = "read"
}
`, acl.SyntaxLegacy, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -874,7 +889,7 @@ func TestACL_filterNodeServiceList(t *testing.T) {
service "foo" {
policy = "read"
}
`, acl.SyntaxLegacy, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -893,7 +908,7 @@ func TestACL_filterNodeServiceList(t *testing.T) {
node "node1" {
policy = "read"
}
`, acl.SyntaxLegacy, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -936,7 +951,7 @@ func TestACL_filterGatewayServices(t *testing.T) {
service "foo" {
policy = "read"
}
`, acl.SyntaxLegacy, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -996,7 +1011,7 @@ func TestACL_filterCheckServiceNodes(t *testing.T) {
node "node1" {
policy = "read"
}
`, acl.SyntaxLegacy, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -1015,7 +1030,7 @@ func TestACL_filterCheckServiceNodes(t *testing.T) {
service "foo" {
policy = "read"
}
`, acl.SyntaxLegacy, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -1034,7 +1049,7 @@ func TestACL_filterCheckServiceNodes(t *testing.T) {
node "node1" {
policy = "read"
}
`, acl.SyntaxLegacy, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -1094,7 +1109,7 @@ func TestACL_filterPreparedQueryExecuteResponse(t *testing.T) {
node "node1" {
policy = "read"
}
`, acl.SyntaxLegacy, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -1113,7 +1128,7 @@ func TestACL_filterPreparedQueryExecuteResponse(t *testing.T) {
service "foo" {
policy = "read"
}
`, acl.SyntaxLegacy, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -1132,7 +1147,7 @@ func TestACL_filterPreparedQueryExecuteResponse(t *testing.T) {
node "node1" {
policy = "read"
}
`, acl.SyntaxLegacy, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -1231,7 +1246,7 @@ node "node1" {
service "foo" {
policy = "read"
}`
policy, err := acl.NewPolicyFromSource(rules, acl.SyntaxLegacy, nil, nil)
policy, err := acl.NewPolicyFromSource(rules, nil, nil)
if err != nil {
t.Fatalf("err %v", err)
}
@ -1259,7 +1274,7 @@ node "node2" {
service "bar" {
policy = "read"
}`
policy, err := acl.NewPolicyFromSource(rules, acl.SyntaxLegacy, nil, nil)
policy, err := acl.NewPolicyFromSource(rules, nil, nil)
if err != nil {
t.Fatalf("err %v", err)
}
@ -1293,7 +1308,7 @@ node "node2" {
service "bar" {
policy = "read"
}`
policy, err := acl.NewPolicyFromSource(rules, acl.SyntaxLegacy, nil, nil)
policy, err := acl.NewPolicyFromSource(rules, nil, nil)
if err != nil {
t.Fatalf("err %v", err)
}
@ -1344,7 +1359,7 @@ func TestACL_filterCoordinates(t *testing.T) {
node "node1" {
policy = "read"
}
`, acl.SyntaxLegacy, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -1396,7 +1411,7 @@ func TestACL_filterSessions(t *testing.T) {
session "foo" {
policy = "read"
}
`, acl.SyntaxLegacy, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -1500,7 +1515,7 @@ func TestACL_filterNodeDump(t *testing.T) {
service "foo" {
policy = "read"
}
`, acl.SyntaxLegacy, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -1520,7 +1535,7 @@ func TestACL_filterNodeDump(t *testing.T) {
node "node1" {
policy = "read"
}
`, acl.SyntaxLegacy, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -1549,7 +1564,7 @@ func TestACL_filterNodeDump(t *testing.T) {
node "node1" {
policy = "read"
}
`, acl.SyntaxLegacy, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -1587,7 +1602,7 @@ func TestACL_filterNodeDump(t *testing.T) {
service "" {
policy = "read"
}
`, acl.SyntaxLegacy, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -1607,8 +1622,11 @@ func TestACL_filterNodeDump(t *testing.T) {
policy, err := acl.NewPolicyFromSource(`
node "" {
policy = "read"
},
node_prefix "" {
policy = "read"
}
`, acl.SyntaxLegacy, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -1640,11 +1658,17 @@ func TestACL_filterNodeDump(t *testing.T) {
policy, err := acl.NewPolicyFromSource(`
service "" {
policy = "read"
},
service_prefix "" {
policy = "read"
}
node "" {
policy = "read"
},
node_prefix "" {
policy = "read"
}
`, acl.SyntaxLegacy, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -1813,7 +1837,7 @@ func TestACL_filterIndexedNodesWithGateways(t *testing.T) {
node "node1" {
policy = "read"
}
`, acl.SyntaxLegacy, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -1877,7 +1901,7 @@ func TestACL_filterIndexedNodesWithGateways(t *testing.T) {
service "bar" {
policy = "read"
}
`, acl.SyntaxLegacy, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -1903,7 +1927,7 @@ func TestACL_filterIndexedNodesWithGateways(t *testing.T) {
service "bar" {
policy = "read"
}
`, acl.SyntaxLegacy, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -1928,7 +1952,7 @@ func TestACL_filterIndexedNodesWithGateways(t *testing.T) {
node "node1" {
policy = "read"
}
`, acl.SyntaxLegacy, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -2022,7 +2046,7 @@ func TestACL_filterIndexedServiceDump(t *testing.T) {
service_prefix "bar" {
policy = "read"
}
`, acl.SyntaxCurrent, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -2044,7 +2068,7 @@ func TestACL_filterIndexedServiceDump(t *testing.T) {
service_prefix "bar" {
policy = "read"
}
`, acl.SyntaxCurrent, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -2067,7 +2091,7 @@ func TestACL_filterIndexedServiceDump(t *testing.T) {
service "foo-gateway" {
policy = "read"
}
`, acl.SyntaxCurrent, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -2089,7 +2113,7 @@ func TestACL_filterIndexedServiceDump(t *testing.T) {
service "foo" {
policy = "read"
}
`, acl.SyntaxCurrent, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -2164,7 +2188,7 @@ func TestACL_filterDatacenterCheckServiceNodes(t *testing.T) {
service_prefix "" {
policy = "read"
}
`, acl.SyntaxCurrent, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -2184,7 +2208,7 @@ func TestACL_filterDatacenterCheckServiceNodes(t *testing.T) {
service_prefix "" {
policy = "read"
}
`, acl.SyntaxCurrent, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -2203,7 +2227,7 @@ func TestACL_filterDatacenterCheckServiceNodes(t *testing.T) {
node_prefix "" {
policy = "read"
}
`, acl.SyntaxCurrent, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -2360,7 +2384,7 @@ func TestACL_filterPreparedQueries(t *testing.T) {
query "query-with-a-token" {
policy = "read"
}
`, acl.SyntaxLegacy, nil, nil)
`, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -2432,7 +2456,7 @@ func TestACL_unhandledFilterType(t *testing.T) {
func policy(t *testing.T, hcl string) acl.Authorizer {
t.Helper()
policy, err := acl.NewPolicyFromSource(hcl, acl.SyntaxCurrent, nil, nil)
policy, err := acl.NewPolicyFromSource(hcl, nil, nil)
require.NoError(t, err)
authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)

View File

@ -17,7 +17,7 @@ func TestConfigEntries_ListRelatedServices_AndACLs(t *testing.T) {
// This test tests both of these because they are related functions.
newAuthz := func(t *testing.T, src string) acl.Authorizer {
policy, err := acl.NewPolicyFromSource(src, acl.SyntaxCurrent, nil, nil)
policy, err := acl.NewPolicyFromSource(src, nil, nil)
require.NoError(t, err)
authorizer, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@ -34,7 +34,7 @@ func TestConfigEntries_ListRelatedServices_AndACLs(t *testing.T) {
buf.WriteString(fmt.Sprintf("service %q { policy = %q }\n", s, "write"))
}
policy, err := acl.NewPolicyFromSource(buf.String(), acl.SyntaxCurrent, nil, nil)
policy, err := acl.NewPolicyFromSource(buf.String(), nil, nil)
require.NoError(t, err)
authorizer, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)

View File

@ -26,7 +26,7 @@ func TestConfigEntries_ACLs(t *testing.T) {
type testcase = configEntryACLTestCase
newAuthz := func(t *testing.T, src string) acl.Authorizer {
policy, err := acl.NewPolicyFromSource(src, acl.SyntaxCurrent, nil, nil)
policy, err := acl.NewPolicyFromSource(src, nil, nil)
require.NoError(t, err)
authorizer, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)

View File

@ -117,7 +117,7 @@ func TestIntention_ACLs(t *testing.T) {
for name, tcase := range cases {
t.Run(name, func(t *testing.T) {
authz, err := acl.NewAuthorizerFromRules(tcase.rules, acl.SyntaxCurrent, &config, nil)
authz, err := acl.NewAuthorizerFromRules(tcase.rules, &config, nil)
require.NoError(t, err)
require.Equal(t, tcase.read, tcase.intention.CanRead(authz))

View File

@ -1069,7 +1069,7 @@ func TestServer_DeltaAggregatedResources_v3_ACLEnforcement(t *testing.T) {
// Ensure the correct token was passed
require.Equal(t, tt.token, id)
// Parse the ACL and enforce it
policy, err := acl.NewPolicyFromSource(tt.acl, acl.SyntaxLegacy, nil, nil)
policy, err := acl.NewPolicyFromSource(tt.acl, nil, nil)
require.NoError(t, err)
return acl.NewPolicyAuthorizerWithDefaults(acl.RootAuthorizer("deny"), []*acl.Policy{policy}, nil)
}
@ -1158,7 +1158,7 @@ func TestServer_DeltaAggregatedResources_v3_ACLTokenDeleted_StreamTerminatedDuri
aclRules := `service "web" { policy = "write" }`
token := "service-write-on-web"
policy, err := acl.NewPolicyFromSource(aclRules, acl.SyntaxLegacy, nil, nil)
policy, err := acl.NewPolicyFromSource(aclRules, nil, nil)
require.NoError(t, err)
var validToken atomic.Value
@ -1256,7 +1256,7 @@ func TestServer_DeltaAggregatedResources_v3_ACLTokenDeleted_StreamTerminatedInBa
aclRules := `service "web" { policy = "write" }`
token := "service-write-on-web"
policy, err := acl.NewPolicyFromSource(aclRules, acl.SyntaxLegacy, nil, nil)
policy, err := acl.NewPolicyFromSource(aclRules, nil, nil)
require.NoError(t, err)
var validToken atomic.Value

View File

@ -201,11 +201,11 @@ const (
// ACLModeEnabled indicates that ACLs are enabled and operating in new ACL
// mode (v1.4.0+ ACLs)
ACLModeEnabled MemberACLMode = "1"
// ACLModeLegacy indicates that ACLs are enabled and operating in legacy mode.
ACLModeLegacy MemberACLMode = "2"
// ACLModeLegacy has been deprecated, and will be treated as ACLModeUnknown.
ACLModeLegacy MemberACLMode = "2" // DEPRECATED
// ACLModeUnkown is used to indicate that the AgentMember.Tags didn't advertise
// an ACL mode at all. This is the case for Consul versions before v1.4.0 and
// should be treated similarly to ACLModeLegacy.
// should be treated the same as ACLModeLegacy.
ACLModeUnknown MemberACLMode = "3"
)
@ -244,8 +244,6 @@ func (m *AgentMember) ACLMode() MemberACLMode {
return ACLModeDisabled
case ACLModeEnabled:
return ACLModeEnabled
case ACLModeLegacy:
return ACLModeLegacy
default:
return ACLModeUnknown
}

View File

@ -2017,7 +2017,7 @@ func TestMemberACLMode(t *testing.T) {
},
"legacy": {
tagValue: "2",
expectedMode: ACLModeLegacy,
expectedMode: ACLModeUnknown,
},
"unknown-3": {
tagValue: "3",

View File

@ -908,15 +908,6 @@ func TestAPI_Headers(t *testing.T) {
require.Error(t, err)
require.Equal(t, "application/octet-stream", request.Header.Get("Content-Type"))
_, err = c.ACL().RulesTranslate(strings.NewReader(`
agent "" {
policy = "read"
}
`))
// ACL support is disabled
require.Error(t, err)
require.Equal(t, "application/octet-stream", request.Header.Get("Content-Type"))
_, _, err = c.Event().Fire(&UserEvent{
Name: "test",
Payload: []byte("foo"),
@ -925,6 +916,24 @@ func TestAPI_Headers(t *testing.T) {
require.Equal(t, "application/octet-stream", request.Header.Get("Content-Type"))
}
func TestAPI_Deprecated(t *testing.T) {
t.Parallel()
c, s := makeClientWithConfig(t, func(c *Config) {
transport := http.DefaultTransport.(*http.Transport).Clone()
c.Transport = transport
}, nil)
defer s.Stop()
// Rules translation functionality was completely removed in Consul 1.15.
_, err := c.ACL().RulesTranslate(strings.NewReader(`
agent "" {
policy = "read"
}
`))
require.Error(t, err)
_, err = c.ACL().RulesTranslateToken("")
require.Error(t, err)
}
func TestAPI_RequestToHTTP(t *testing.T) {
t.Parallel()
c, s := makeClient(t)

View File

@ -30,9 +30,6 @@ type License struct {
// no longer be used in any capacity
TerminationTime time.Time `json:"termination_time"`
// Whether the license will ignore termination
IgnoreTermination bool `json:"ignore_termination"`
// The product the license is valid for
Product string `json:"product"`

View File

@ -1,7 +1,6 @@
import BaseAbility from './base';
import { inject as service } from '@ember/service';
import { isLegacy } from 'consul-ui/helpers/token/is-legacy';
import { isAnonymous } from 'consul-ui/helpers/token/is-anonymous';
export default class TokenAbility extends BaseAbility {
@ -28,6 +27,6 @@ export default class TokenAbility extends BaseAbility {
}
get canDuplicate() {
return this.env.var('CONSUL_ACLS_ENABLED') && !isLegacy([this.item]) && super.canWrite;
return this.env.var('CONSUL_ACLS_ENABLED') && super.canWrite;
}
}

View File

@ -15,7 +15,6 @@ export default class Token extends Model {
@attr('string') IDPName;
@attr('string') SecretID;
@attr('boolean') Legacy;
@attr('boolean') Local;
@attr('string', { defaultValue: () => '' }) Description;
@attr() meta; // {}
@ -29,12 +28,6 @@ export default class Token extends Model {
@attr('number') CreateIndex;
@attr('number') ModifyIndex;
// Legacy
@attr('string') Type;
@attr('string', { defaultValue: () => '' }) Name;
@attr('string') Rules;
// End Legacy
@computed('Policies.[]')
get isGlobalManagement() {
return (this.Policies || []).find((item) => item.ID === MANAGEMENT_ID);

View File

@ -1,17 +0,0 @@
import { module, test } from 'qunit';
import { setupRenderingTest } from 'ember-qunit';
import { render } from '@ember/test-helpers';
import hbs from 'htmlbars-inline-precompile';
module('Integration | Helper | token/is-legacy', function (hooks) {
setupRenderingTest(hooks);
// Replace this with your real tests.
test('it renders', async function (assert) {
this.set('inputValue', {});
await render(hbs`{{token/is-legacy inputValue}}`);
assert.equal(this.element.textContent.trim(), 'false');
});
});

View File

@ -1,53 +0,0 @@
import { isLegacy } from 'consul-ui/helpers/token/is-legacy';
import { module, test } from 'qunit';
module('Unit | Helper | token/is-legacy', function () {
test('it returns true if the token has a Legacy=true', function (assert) {
const actual = isLegacy([{ Legacy: true }]);
assert.ok(actual);
});
test('it returns false if the token has a Legacy=false', function (assert) {
const actual = isLegacy([{ Legacy: false }]);
assert.notOk(actual);
});
test('it returns true if the token has Rules', function (assert) {
const actual = isLegacy([{ Rules: 'some rules' }]);
assert.ok(actual);
});
test('it returns false if the token has Rules but those rules are empty', function (assert) {
const actual = isLegacy([{ Rules: '' }]);
assert.notOk(actual);
});
test('it returns false if the token has Rules but those rules is null', function (assert) {
const actual = isLegacy([{ Rules: null }]);
assert.notOk(actual);
});
// passing arrays
test("it returns false if things don't have Legacy or Rules", function (assert) {
const actual = isLegacy([[{}, {}]]);
assert.notOk(actual);
});
test('it returns true if the token has a Legacy=true', function (assert) {
const actual = isLegacy([[{}, { Legacy: true }]]);
assert.ok(actual);
});
test('it returns false if the token has a Legacy=false', function (assert) {
const actual = isLegacy([[{}, { Legacy: false }]]);
assert.notOk(actual);
});
test('it returns true if one token has Rules', function (assert) {
const actual = isLegacy([[{}, { Rules: 'some rules' }]]);
assert.ok(actual);
});
test('it returns false if tokens have no Rules, or has Rules but those rules are empty', function (assert) {
const actual = isLegacy([[{}, { Rules: '' }]]);
assert.notOk(actual);
});
test('it returns false if a token is marked as legacy, has Rules but those rules are empty', function (assert) {
// this may seem strange, but empty Rules should override Legacy, this only happens
// when a legacy token that has already been loaded has its rules wiped out
// WITHOUT then the ui refreshing
const actual = isLegacy([{ Legacy: true, Rules: '' }]);
assert.notOk(actual);
});
});