From d00a9abca29c5ac68d4ccd0db2959aeb99e69073 Mon Sep 17 00:00:00 2001
From: Daniel Nephin
Date: Wed, 2 Feb 2022 12:07:29 -0500
Subject: [PATCH] acl: un-embed ACLIdentity

This is safer than embedding two interface because there are a number of places where we check the concrete type. If we check the concrete type on the top-level interface it will fail. So instead expose the ACLIdentity from a method.
---
 agent/acl_test.go | 6 ++++++
 agent/consul/acl.go | 6 +++++-
 agent/consul/internal_endpoint.go | 2 +-
 agent/consul/operator_autopilot_endpoint.go | 8 ++++----
 agent/consul/operator_raft_endpoint.go | 4 ++--
 5 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/agent/acl_test.go b/agent/acl_test.go
index 5ad4880ed..ad7e8cebb 100644
--- a/agent/acl_test.go
+++ b/agent/acl_test.go
@@ -39,6 +39,12 @@ type TestACLAgent struct {
 func NewTestACLAgent(t *testing.T, name string, hcl string, resolveAuthz authzResolver, resolveIdent identResolver) *TestACLAgent {
 	t.Helper()
 
+	if resolveIdent == nil {
+		resolveIdent = func(s string) (structs.ACLIdentity, error) {
+			return nil, nil
+		}
+	}
+
 	a := &TestACLAgent{resolveAuthzFn: resolveAuthz, resolveIdentFn: resolveIdent}
 
 	dataDir := testutil.TempDir(t, "acl-agent")
diff --git a/agent/consul/acl.go b/agent/consul/acl.go
index e18feb415..350f9993b 100644
--- a/agent/consul/acl.go
+++ b/agent/consul/acl.go
@@ -1120,7 +1120,7 @@ func (r *ACLResolver) ResolveToken(token string) (ACLResolveResult, error) {
 type ACLResolveResult struct {
 	acl.Authorizer
 	// TODO: likely we can reduce this interface
-	structs.ACLIdentity
+	ACLIdentity structs.ACLIdentity
 }
 
 func (a ACLResolveResult) AccessorID() string {
@@ -1130,6 +1130,10 @@ func (a ACLResolveResult) AccessorID() string {
 	return a.ACLIdentity.ID()
 }
 
+func (a ACLResolveResult) Identity() structs.ACLIdentity {
+	return a.ACLIdentity
+}
+
 func (r *ACLResolver) ACLsEnabled() bool {
 	// Whether we desire ACLs to be enabled according to configuration
 	if !r.config.ACLsEnabled {
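Review bot: The default identity resolver added at the top of NewTestACLAgent returns a nil identity together with a nil error, so any endpoint exercised through this agent will get a nil interface back from `authz.Identity()` and pass it straight into `validateEnterpriseToken`; that is presumably intended for tests that only care about authorization, but nothing in the hunk says so. A one-line comment would pin the contract, e.g. `// Tests that do not supply an identity resolver get a nil identity and no error; every consumer of Identity() must tolerate nil.` — and it is worth confirming that validateEnterpriseToken and AccessorID actually do, since AccessorID's nil handling, if any, sits between the two acl.go hunks and is not shown. The unused closure parameter could also be written as `_` (`func(_ string) (structs.ACLIdentity, error)`). NewTestACLAgent's body continues past the end of the hunk.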
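Review bot: The new exported method Identity in the second acl.go hunk has no doc comment, and because the field was renamed rather than unexported, ACLResolveResult now offers two public routes to the same value. Add `// Identity returns the ACLIdentity resolved for the token. It may be nil when no identity was resolved, so callers must check it before use.` above the method; the nil case is real, since the test helper in this same patch installs a resolver that yields exactly that. If the method is meant to be the only accessor, as the commit message suggests, declaring the field as `identity structs.ACLIdentity` would enforce it, though that would also require updating the composite literal in ResolveToken and any construction sites in other packages, neither of which this patch shows.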
diff --git a/agent/consul/internal_endpoint.go b/agent/consul/internal_endpoint.go
index 44b6af5aa..0f7740a39 100644
--- a/agent/consul/internal_endpoint.go
+++ b/agent/consul/internal_endpoint.go
@@ -437,7 +437,7 @@ func (m *Internal) KeyringOperation(
 	if err != nil {
 		return err
 	}
-	if err := m.srv.validateEnterpriseToken(authz.ACLIdentity); err != nil {
+	if err := m.srv.validateEnterpriseToken(authz.Identity()); err != nil {
 		return err
 	}
 	switch args.Operation {
diff --git a/agent/consul/operator_autopilot_endpoint.go b/agent/consul/operator_autopilot_endpoint.go
index f4a3db65e..2ee85bb06 100644
--- a/agent/consul/operator_autopilot_endpoint.go
+++ b/agent/consul/operator_autopilot_endpoint.go
@@ -21,7 +21,7 @@ func (op *Operator) AutopilotGetConfiguration(args *structs.DCSpecificRequest, r
 	if err != nil {
 		return err
 	}
-	if err := op.srv.validateEnterpriseToken(authz.ACLIdentity); err != nil {
+	if err := op.srv.validateEnterpriseToken(authz.Identity()); err != nil {
 		return err
 	}
 	if authz.OperatorRead(nil) != acl.Allow {
@@ -53,7 +53,7 @@ func (op *Operator) AutopilotSetConfiguration(args *structs.AutopilotSetConfigRe
 	if err != nil {
 		return err
 	}
-	if err := op.srv.validateEnterpriseToken(authz.ACLIdentity); err != nil {
+	if err := op.srv.validateEnterpriseToken(authz.Identity()); err != nil {
 		return err
 	}
 	if authz.OperatorWrite(nil) != acl.Allow {
@@ -88,7 +88,7 @@ func (op *Operator) ServerHealth(args *structs.DCSpecificRequest, reply *structs
 	if err != nil {
 		return err
 	}
-	if err := op.srv.validateEnterpriseToken(authz.ACLIdentity); err != nil {
+	if err := op.srv.validateEnterpriseToken(authz.Identity()); err != nil {
 		return err
 	}
 	if authz.OperatorRead(nil) != acl.Allow {
@@ -155,7 +155,7 @@ func (op *Operator) AutopilotState(args *structs.DCSpecificRequest, reply *autop
 	if err != nil {
 		return err
 	}
-	if err := op.srv.validateEnterpriseToken(authz.ACLIdentity); err != nil {
+	if err := op.srv.validateEnterpriseToken(authz.Identity()); err != nil {
 		return err
 	}
 	if authz.OperatorRead(nil) != acl.Allow {
diff --git a/agent/consul/operator_raft_endpoint.go b/agent/consul/operator_raft_endpoint.go
index 431b455c0..33f9ad7ff 100644
--- a/agent/consul/operator_raft_endpoint.go
+++ b/agent/consul/operator_raft_endpoint.go
@@ -85,7 +85,7 @@ func (op *Operator) RaftRemovePeerByAddress(args *structs.RaftRemovePeerRequest,
 	if err != nil {
 		return err
 	}
-	if err := op.srv.validateEnterpriseToken(authz.ACLIdentity); err != nil {
+	if err := op.srv.validateEnterpriseToken(authz.Identity()); err != nil {
 		return err
 	}
 	if authz.OperatorWrite(nil) != acl.Allow {
@@ -138,7 +138,7 @@ func (op *Operator) RaftRemovePeerByID(args *structs.RaftRemovePeerRequest, repl
 	if err != nil {
 		return err
 	}
-	if err := op.srv.validateEnterpriseToken(authz.ACLIdentity); err != nil {
+	if err := op.srv.validateEnterpriseToken(authz.Identity()); err != nil {
 		return err
 	}
 	if authz.OperatorWrite(nil) != acl.Allow {