acl: un-embed ACLIdentity
This is safer than embedding two interface because there are a number of places where we check the concrete type. If we check the concrete type on the top-level interface it will fail. So instead expose the ACLIdentity from a method.
This commit is contained in:
parent
404523f7ea
commit
d00a9abca2
|
@ -39,6 +39,12 @@ type TestACLAgent struct {
|
|||
func NewTestACLAgent(t *testing.T, name string, hcl string, resolveAuthz authzResolver, resolveIdent identResolver) *TestACLAgent {
|
||||
t.Helper()
|
||||
|
||||
if resolveIdent == nil {
|
||||
resolveIdent = func(s string) (structs.ACLIdentity, error) {
|
||||
return nil, nil
|
||||
}
|
||||
}
|
||||
|
||||
a := &TestACLAgent{resolveAuthzFn: resolveAuthz, resolveIdentFn: resolveIdent}
|
||||
|
||||
dataDir := testutil.TempDir(t, "acl-agent")
|
||||
|
|
|
@ -1120,7 +1120,7 @@ func (r *ACLResolver) ResolveToken(token string) (ACLResolveResult, error) {
|
|||
type ACLResolveResult struct {
|
||||
acl.Authorizer
|
||||
// TODO: likely we can reduce this interface
|
||||
structs.ACLIdentity
|
||||
ACLIdentity structs.ACLIdentity
|
||||
}
|
||||
|
||||
func (a ACLResolveResult) AccessorID() string {
|
||||
|
@ -1130,6 +1130,10 @@ func (a ACLResolveResult) AccessorID() string {
|
|||
return a.ACLIdentity.ID()
|
||||
}
|
||||
|
||||
func (a ACLResolveResult) Identity() structs.ACLIdentity {
|
||||
return a.ACLIdentity
|
||||
}
|
||||
|
||||
func (r *ACLResolver) ACLsEnabled() bool {
|
||||
// Whether we desire ACLs to be enabled according to configuration
|
||||
if !r.config.ACLsEnabled {
|
||||
|
|
|
@ -437,7 +437,7 @@ func (m *Internal) KeyringOperation(
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if err := m.srv.validateEnterpriseToken(authz.ACLIdentity); err != nil {
|
||||
if err := m.srv.validateEnterpriseToken(authz.Identity()); err != nil {
|
||||
return err
|
||||
}
|
||||
switch args.Operation {
|
||||
|
|
|
@ -21,7 +21,7 @@ func (op *Operator) AutopilotGetConfiguration(args *structs.DCSpecificRequest, r
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if err := op.srv.validateEnterpriseToken(authz.ACLIdentity); err != nil {
|
||||
if err := op.srv.validateEnterpriseToken(authz.Identity()); err != nil {
|
||||
return err
|
||||
}
|
||||
if authz.OperatorRead(nil) != acl.Allow {
|
||||
|
@ -53,7 +53,7 @@ func (op *Operator) AutopilotSetConfiguration(args *structs.AutopilotSetConfigRe
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if err := op.srv.validateEnterpriseToken(authz.ACLIdentity); err != nil {
|
||||
if err := op.srv.validateEnterpriseToken(authz.Identity()); err != nil {
|
||||
return err
|
||||
}
|
||||
if authz.OperatorWrite(nil) != acl.Allow {
|
||||
|
@ -88,7 +88,7 @@ func (op *Operator) ServerHealth(args *structs.DCSpecificRequest, reply *structs
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if err := op.srv.validateEnterpriseToken(authz.ACLIdentity); err != nil {
|
||||
if err := op.srv.validateEnterpriseToken(authz.Identity()); err != nil {
|
||||
return err
|
||||
}
|
||||
if authz.OperatorRead(nil) != acl.Allow {
|
||||
|
@ -155,7 +155,7 @@ func (op *Operator) AutopilotState(args *structs.DCSpecificRequest, reply *autop
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if err := op.srv.validateEnterpriseToken(authz.ACLIdentity); err != nil {
|
||||
if err := op.srv.validateEnterpriseToken(authz.Identity()); err != nil {
|
||||
return err
|
||||
}
|
||||
if authz.OperatorRead(nil) != acl.Allow {
|
||||
|
|
|
@ -85,7 +85,7 @@ func (op *Operator) RaftRemovePeerByAddress(args *structs.RaftRemovePeerRequest,
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if err := op.srv.validateEnterpriseToken(authz.ACLIdentity); err != nil {
|
||||
if err := op.srv.validateEnterpriseToken(authz.Identity()); err != nil {
|
||||
return err
|
||||
}
|
||||
if authz.OperatorWrite(nil) != acl.Allow {
|
||||
|
@ -138,7 +138,7 @@ func (op *Operator) RaftRemovePeerByID(args *structs.RaftRemovePeerRequest, repl
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if err := op.srv.validateEnterpriseToken(authz.ACLIdentity); err != nil {
|
||||
if err := op.srv.validateEnterpriseToken(authz.Identity()); err != nil {
|
||||
return err
|
||||
}
|
||||
if authz.OperatorWrite(nil) != acl.Allow {
|
||||
|
|
Loading…
Reference in a new issue