From be0d6efac9b35d3e76c283639ed3eff7e7bb6800 Mon Sep 17 00:00:00 2001
From: Matt Keeler
Date: Thu, 13 Feb 2020 14:55:27 -0500
Subject: [PATCH] =?UTF-8?q?Allow=20the=20PolicyResolve=20and=20RoleResolve?= =?UTF-8?q?=20endpoints=20to=20process=20na=E2=80=A6=20(#7296)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 agent/consul/acl_endpoint.go | 28 ++++++++++++++++++++++++++++
 agent/consul/acl_oss.go | 12 ++++++++++++
 2 files changed, 40 insertions(+)
diff --git a/agent/consul/acl_endpoint.go b/agent/consul/acl_endpoint.go
index a21550acd..0a0315723 100644
--- a/agent/consul/acl_endpoint.go
+++ b/agent/consul/acl_endpoint.go
@@ -1249,13 +1249,27 @@ func (a *ACL) PolicyResolve(args *structs.ACLPolicyBatchGetRequest, reply *struc
 return err
 }
 
+ entIdentity, entPolicies, err := a.srv.acls.resolveEnterpriseIdentityAndPolicies(identity)
+ if err != nil {
+ return err
+ }
+
 idMap := make(map[string]*structs.ACLPolicy)
 for _, policyID := range identity.PolicyIDs() {
 idMap[policyID] = nil
 }
+ if entIdentity != nil {
+ for _, policyID := range entIdentity.PolicyIDs() {
+ idMap[policyID] = nil
+ }
+ }
+
 for _, policy := range policies {
 idMap[policy.ID] = policy
 }
+ for _, policy := range entPolicies {
+ idMap[policy.ID] = policy
+ }
 
 for _, policyID := range args.PolicyIDs {
 if policy, ok := idMap[policyID]; ok {
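Review bot: The new `for _, policy := range entPolicies` loop near the end of the hunk inserts every returned policy into idMap whether or not its ID appears in `entIdentity.PolicyIDs()`, so the `if policy, ok := idMap[policyID]; ok` filter below it can only restrict the caller to whatever the enterprise helper chose to return. The pattern mirrors the existing `policies` loop, so it is presumably intended, but it means the whole gate rests on `resolveEnterpriseIdentityAndPolicies` returning only policies linked to that identity, a contract nothing in this patch states. A cheap way to keep the key set equal to the declared policy IDs is to guard the insert, `if _, linked := idMap[policy.ID]; linked { idMap[policy.ID] = policy }`, or, if unconditional insertion is deliberate, to say so in a comment above the loop. The RoleResolve hunk in the same file has the identical shape with entRoles. PolicyResolve starts before and continues after this hunk.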
@@ -1679,13 +1693,27 @@ func (a *ACL) RoleResolve(args *structs.ACLRoleBatchGetRequest, reply *structs.A
 return err
 }
 
+ entIdentity, entRoles, err := a.srv.acls.resolveEnterpriseIdentityAndRoles(identity)
+ if err != nil {
+ return err
+ }
+
 idMap := make(map[string]*structs.ACLRole)
 for _, roleID := range identity.RoleIDs() {
 idMap[roleID] = nil
 }
+ if entIdentity != nil {
+ for _, roleID := range entIdentity.RoleIDs() {
+ idMap[roleID] = nil
+ }
+ }
+
 for _, role := range roles {
 idMap[role.ID] = role
 }
+ for _, role := range entRoles {
+ idMap[role.ID] = role
+ }
 
 for _, roleID := range args.RoleIDs {
 if role, ok := idMap[roleID]; ok {
diff --git a/agent/consul/acl_oss.go b/agent/consul/acl_oss.go
index 3945a41d3..591c596e1 100644
--- a/agent/consul/acl_oss.go
+++ b/agent/consul/acl_oss.go
@@ -24,3 +24,15 @@ func newACLConfig(hclog.Logger) *acl.Config {
 func (r *ACLResolver) resolveEnterpriseDefaultsForIdentity(identity structs.ACLIdentity) (acl.Authorizer, error) {
 return nil, nil
 }
+
+// resolveEnterpriseIdentityAndRoles will resolve an enterprise identity to an additional set of roles
+func (_ *ACLResolver) resolveEnterpriseIdentityAndRoles(_ structs.ACLIdentity) (structs.ACLIdentity, structs.ACLRoles, error) {
+ // this function does nothing in OSS
+ return nil, nil, nil
+}
+
+// resolveEnterpriseIdentityAndPolicies will resolve an enterprise identity to an additional set of policies
+func (_ *ACLResolver) resolveEnterpriseIdentityAndPolicies(_ structs.ACLIdentity) (structs.ACLIdentity, structs.ACLPolicies, error) {
+ // this function does nothing in OSS
+ return nil, nil, nil
+}
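Review bot: The doc comments on the two new stubs in acl_oss.go describe what the enterprise build does but not the contract the callers in acl_endpoint.go rely on, namely that the returned identity may be nil and is then skipped while the returned slice is still merged. I would extend each to something like `// resolveEnterpriseIdentityAndRoles returns the enterprise identity derived from identity, if any, together with the additional roles it grants. A nil identity is valid and callers then merge only the roles. OSS always returns nil, nil, nil.` with the equivalent wording for policies. As a style point, the blank receiver `(_ *ACLResolver)` differs from the `r` used on resolveEnterpriseDefaultsForIdentity three lines above; naming it `r` keeps the receiver consistent across the type.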