// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
//go:build !consulent

package structs
import (
"fmt"
"github.com/hashicorp/consul/acl"
)
const (
	// EnterpriseACLPolicyGlobalManagement holds the Enterprise-only rule text
	// for the builtin global-management policy. It is empty in the Community
	// Edition build (this file is compiled only without the consulent tag);
	// presumably the Enterprise counterpart supplies additional rules here.
	EnterpriseACLPolicyGlobalManagement = ""

	// EnterpriseACLPolicyGlobalReadOnly holds the Enterprise-only rule text
	// for the builtin global-read-only policy; empty in the Community Edition
	// build for the same reason.
	EnterpriseACLPolicyGlobalReadOnly = ""

	// aclPolicyTemplateServiceIdentity is the template used for synthesizing
	// policies for service identities. %[1]s is the service name and is
	// substituted verbatim by fmt.Sprintf in aclServiceIdentityRules — there
	// is no quoting or escaping here — so the name must already have been
	// validated by the caller: a `"` or a newline in it would close the HCL
	// string and allow extra rules to be injected into the synthesized policy.
	//
	// What the resulting policy grants (security-relevant):
	//   - service:write on the named service and on the conventional
	//     "<name>-sidecar-proxy" registration;
	//   - service:read and node:read on the empty prefix, i.e. read access to
	//     every service and node in the catalog. A service identity is
	//     therefore catalog-wide for reads, not scoped to its own service.
	aclPolicyTemplateServiceIdentity = `
service "%[1]s" {
policy = "write"
}
service "%[1]s-sidecar-proxy" {
policy = "write"
}
service_prefix "" {
policy = "read"
}
node_prefix "" {
policy = "read"
}`

	// aclPolicyTemplateNodeIdentity is the template used for synthesizing
	// policies for node identities. %[1]s is the node name, substituted
	// verbatim by aclNodeIdentityRules with the same no-escaping caveat as
	// the service template above: only validated names may be passed in.
	//
	// A typical Consul node requires two permissions for itself.
	// node:write
	//   - register itself in the catalog
	//   - update its network coordinates
	//   - potentially used to delete services during anti-entropy
	// service:read
	//   - used during anti-entropy to discover all services that
	//     are registered to the node. That way the node can diff
	//     its local state against an accurate depiction of the
	//     remote state.
	//
	// Scope note: node:write is granted only for the named node and no read
	// on other nodes is granted at all, whereas service:read uses the empty
	// prefix and so covers every service in the catalog.
	aclPolicyTemplateNodeIdentity = `
node "%[1]s" {
policy = "write"
}
service_prefix "" {
policy = "read"
}`
)
// ACLAuthMethodEnterpriseFields carries the Enterprise-only configuration of
// an auth method. It has no fields in the Community Edition build (this file
// is compiled only without the consulent tag).
type ACLAuthMethodEnterpriseFields struct{}
// ACLAuthMethodEnterpriseMeta carries the Enterprise-only metadata
// (namespace/partition placement) of an auth method. It has no fields in the
// Community Edition build; its methods below are the CE no-op/default stubs.
type ACLAuthMethodEnterpriseMeta struct{}
// FillWithEnterpriseMeta would populate the auth method's enterprise metadata
// from the supplied acl.EnterpriseMeta. The Community Edition build carries no
// such fields, so this is deliberately a no-op and both arguments are ignored.
func (*ACLAuthMethodEnterpriseMeta) FillWithEnterpriseMeta(*acl.EnterpriseMeta) {}
// ToEnterpriseMeta returns the acl.EnterpriseMeta describing where the auth
// method lives. With no enterprise fields in the Community Edition build this
// is always the default-partition meta from
// DefaultEnterpriseMetaInDefaultPartition; the receiver is not consulted.
func (*ACLAuthMethodEnterpriseMeta) ToEnterpriseMeta() *acl.EnterpriseMeta {
	defaultMeta := DefaultEnterpriseMetaInDefaultPartition()
	return defaultMeta
}
// aclServiceIdentityRules renders the policy rules synthesized for the service
// identity named svc by filling aclPolicyTemplateServiceIdentity. The
// enterprise meta is unused in the Community Edition build, which does not
// scope identities by namespace or partition.
//
// svc is interpolated verbatim — no quoting or escaping is applied — so
// callers must only pass names that have already been validated; a name
// containing `"` or a newline would break out of the HCL string in the
// template and could add rules to the synthesized policy.
func aclServiceIdentityRules(svc string, _ *acl.EnterpriseMeta) string {
	rules := fmt.Sprintf(aclPolicyTemplateServiceIdentity, svc)
	return rules
}
// aclNodeIdentityRules renders the policy rules synthesized for the node
// identity named node by filling aclPolicyTemplateNodeIdentity. The enterprise
// meta is unused in the Community Edition build.
//
// node is interpolated verbatim with no escaping, so it must already have
// been validated by the caller (see the template's comment for why an
// unvalidated name is a rule-injection risk).
func aclNodeIdentityRules(node string, _ *acl.EnterpriseMeta) string {
	rules := fmt.Sprintf(aclPolicyTemplateNodeIdentity, node)
	return rules
}
// EnterprisePolicyMeta returns the Enterprise-only metadata attached to the
// policy. There is none in the Community Edition build, so the result is
// always nil regardless of the policy; callers must nil-check it.
func (*ACLPolicy) EnterprisePolicyMeta() *acl.EnterprisePolicyMeta {
	var meta *acl.EnterprisePolicyMeta
	return meta
}
// NodeIdentityList returns a copy of the token's node identities, each element
// cloned via ACLNodeIdentity.Clone so the caller can mutate the result without
// affecting the token. It returns nil (not an empty slice) when the token has
// no node identities.
func (t *ACLToken) NodeIdentityList() []*ACLNodeIdentity {
	count := len(t.NodeIdentities)
	if count == 0 {
		return nil
	}

	clones := make([]*ACLNodeIdentity, count)
	for i := range t.NodeIdentities {
		clones[i] = t.NodeIdentities[i].Clone()
	}
	return clones
}
// NodeIdentityList returns a copy of the role's node identities, each element
// cloned via ACLNodeIdentity.Clone so the caller can mutate the result without
// affecting the role. It returns nil (not an empty slice) when the role has no
// node identities.
func (r *ACLRole) NodeIdentityList() []*ACLNodeIdentity {
	count := len(r.NodeIdentities)
	if count == 0 {
		return nil
	}

	clones := make([]*ACLNodeIdentity, count)
	for i := range r.NodeIdentities {
		clones[i] = r.NodeIdentities[i].Clone()
	}
	return clones
}
// IsValidPartitionAndDatacenter reports whether the partition in meta may be
// used together with the given datacenters and primary datacenter. The
// Community Edition build performs no check at all: every argument is ignored
// and the result is unconditionally true. Presumably the Enterprise
// (consulent) counterpart enforces partition/datacenter constraints, so no CE
// code path should rely on this function to reject anything.
func IsValidPartitionAndDatacenter(meta acl.EnterpriseMeta, datacenters []string, primaryDatacenter string) bool {
	return true
}