From b31a7fc498602eb8a233a19e46568d3c1de0f206 Mon Sep 17 00:00:00 2001
From: Daniel Nephin <dnephin@hashicorp.com>
Date: Wed, 29 Sep 2021 17:54:54 -0400
Subject: [PATCH] acl: remove EmbeddedPolicy

This method is no longer. It only existed for legacy tokens, which are no longer supported.
---
 agent/consul/acl.go       |  9 -------
 agent/structs/acl.go      | 35 ---------------------------
 agent/structs/acl_test.go | 50 ---------------------------------------
 3 files changed, 94 deletions(-)

diff --git a/agent/consul/acl.go b/agent/consul/acl.go
index a5c4010f1..cc2c4375a 100644
--- a/agent/consul/acl.go
+++ b/agent/consul/acl.go
@@ -100,10 +100,6 @@ func (id *missingIdentity) RoleIDs() []string {
 	return nil
 }
 
-func (id *missingIdentity) EmbeddedPolicy() *structs.ACLPolicy {
-	return nil
-}
-
 func (id *missingIdentity) ServiceIdentityList() []*structs.ACLServiceIdentity {
 	return nil
 }
@@ -616,11 +612,6 @@ func (r *ACLResolver) resolvePoliciesForIdentity(identity structs.ACLIdentity) (
 	)
 
 	if len(policyIDs) == 0 && len(serviceIdentities) == 0 && len(roleIDs) == 0 && len(nodeIdentities) == 0 {
-		policy := identity.EmbeddedPolicy()
-		if policy != nil {
-			return []*structs.ACLPolicy{policy}, nil
-		}
-
 		// In this case the default policy will be all that is in effect.
 		return nil, nil
 	}
diff --git a/agent/structs/acl.go b/agent/structs/acl.go
index f4b944daf..15edc47f2 100644
--- a/agent/structs/acl.go
+++ b/agent/structs/acl.go
@@ -95,7 +95,6 @@ type ACLIdentity interface {
 	SecretToken() string
 	PolicyIDs() []string
 	RoleIDs() []string
-	EmbeddedPolicy() *ACLPolicy
 	ServiceIdentityList() []*ACLServiceIdentity
 	NodeIdentityList() []*ACLNodeIdentity
 	IsExpired(asOf time.Time) bool
@@ -425,36 +424,6 @@ func (t *ACLToken) UsesNonLegacyFields() bool {
 		t.AuthMethod != ""
 }
 
-func (t *ACLToken) EmbeddedPolicy() *ACLPolicy {
-	// DEPRECATED (ACL-Legacy-Compat)
-	//
-	// For legacy tokens with embedded rules this provides a way to map those
-	// rules to an ACLPolicy. This function can just return nil once legacy
-	// acl compatibility is no longer needed.
-	//
-	// Additionally for management tokens we must embed the policy rules
-	// as well
-	policy := &ACLPolicy{}
-	if t.Type == ACLTokenTypeManagement {
-		hasher := fnv.New128a()
-		policy.ID = fmt.Sprintf("%x", hasher.Sum([]byte(ACLPolicyGlobalManagement)))
-		policy.Name = "legacy-management"
-		policy.Rules = ACLPolicyGlobalManagement
-		policy.Syntax = acl.SyntaxCurrent
-	} else if t.Rules != "" || t.Type == ACLTokenTypeClient {
-		hasher := fnv.New128a()
-		policy.ID = fmt.Sprintf("%x", hasher.Sum([]byte(t.Rules)))
-		policy.Name = fmt.Sprintf("legacy-policy-%s", policy.ID)
-		policy.Rules = t.Rules
-		policy.Syntax = acl.SyntaxLegacy
-	} else {
-		return nil
-	}
-
-	policy.SetHash(true)
-	return policy
-}
-
 func (t *ACLToken) EnterpriseMetadata() *EnterpriseMeta {
 	return &t.EnterpriseMeta
 }
@@ -1799,10 +1768,6 @@ func (id *AgentMasterTokenIdentity) RoleIDs() []string {
 	return nil
 }
 
-func (id *AgentMasterTokenIdentity) EmbeddedPolicy() *ACLPolicy {
-	return nil
-}
-
 func (id *AgentMasterTokenIdentity) ServiceIdentityList() []*ACLServiceIdentity {
 	return nil
 }
diff --git a/agent/structs/acl_test.go b/agent/structs/acl_test.go
index 64f59661e..ec52edce0 100644
--- a/agent/structs/acl_test.go
+++ b/agent/structs/acl_test.go
@@ -44,56 +44,6 @@ func TestStructs_ACLToken_PolicyIDs(t *testing.T) {
 	})
 }
 
-func TestStructs_ACLToken_EmbeddedPolicy(t *testing.T) {
-
-	t.Run("No Rules", func(t *testing.T) {
-
-		token := &ACLToken{}
-		require.Nil(t, token.EmbeddedPolicy())
-	})
-
-	t.Run("Legacy Client", func(t *testing.T) {
-
-		// None of the other fields should be considered
-		token := &ACLToken{
-			Type:  ACLTokenTypeClient,
-			Rules: `acl = "read"`,
-		}
-
-		policy := token.EmbeddedPolicy()
-		require.NotNil(t, policy)
-		require.NotEqual(t, "", policy.ID)
-		require.True(t, strings.HasPrefix(policy.Name, "legacy-policy-"))
-		require.Equal(t, token.Rules, policy.Rules)
-		require.Equal(t, policy.Syntax, acl.SyntaxLegacy)
-		require.NotNil(t, policy.Hash)
-		require.NotEqual(t, []byte{}, policy.Hash)
-	})
-
-	t.Run("Same Policy for Tokens with same Rules", func(t *testing.T) {
-
-		token1 := &ACLToken{
-			AccessorID:  "f55b260c-5e05-418e-ab19-d421d1ab4b52",
-			SecretID:    "b2165bac-7006-459b-8a72-7f549f0f06d6",
-			Description: "token 1",
-			Type:        ACLTokenTypeClient,
-			Rules:       `acl = "read"`,
-		}
-
-		token2 := &ACLToken{
-			AccessorID:  "09d1c059-961a-46bd-a2e4-76adebe35fa5",
-			SecretID:    "65e98e67-9b29-470c-8ffa-7c5a23cc67c8",
-			Description: "token 2",
-			Type:        ACLTokenTypeClient,
-			Rules:       `acl = "read"`,
-		}
-
-		policy1 := token1.EmbeddedPolicy()
-		policy2 := token2.EmbeddedPolicy()
-		require.Equal(t, policy1, policy2)
-	})
-}
-
 func TestStructs_ACLServiceIdentity_SyntheticPolicy(t *testing.T) {
 
 	cases := []struct {