// DEPRECATED (ACL-Legacy-Compat)
//
// Everything within this file is deprecated and related to the original ACL
// implementation. Once support for v1 ACLs is removed this whole file can
// be deleted.
package structs
import (
"fmt"
"time"
"github.com/hashicorp/consul/acl"
)
const (
	// ACLTokenTypeClient tokens have rules applied
	ACLTokenTypeClient = "client"

	// ACLTokenTypeManagement tokens have an always allow policy, so they can
	// make other tokens and can access all resources.
	ACLTokenTypeManagement = "management"

	// ACLTokenTypeNone is the empty type. An ACLToken whose Type is empty has
	// no legacy (v1) equivalent; ACLToken.Convert refuses to convert it.
	ACLTokenTypeNone = ""
)
// ACL is used to represent a token and its rules
//
// DEPRECATED (ACL-Legacy-Compat): this is the v1 (legacy) token shape. See
// ACL.Convert for how it maps onto ACLToken.
type ACL struct {
	// ID is the legacy token ID. ACL.Convert copies it into ACLToken.SecretID,
	// so this value is the token's secret and has to be handled as one.
	ID string
	// Name is a human-readable label; ACL.Convert copies it into
	// ACLToken.Description.
	Name string
	// Type is the token type. ACL.Convert copies it unchanged into
	// ACLToken.Type; presumably one of the ACLTokenType* constants — confirm.
	Type string
	// Rules holds the legacy HCL rule set. ACL.Convert passes it through
	// SanitizeLegacyACLTokenRules before copying it into ACLToken.Rules.
	Rules string

	RaftIndex
}
// ACLs is a slice of ACLs (legacy tokens), as carried by IndexedACLs.
type ACLs []*ACL
// Convert does a 1-1 mapping of the ACLCompat structure to its ACLToken
// equivalent. This will NOT fill in the other ACLToken fields or perform any other
// upgrade (other than correcting an older HCL syntax that is no longer
// supported).
//
// Two things worth knowing when calling this: the sanitized rules are written
// back into the receiver's Rules field as a side effect, and the legacy ID
// becomes the new token's SecretID (the AccessorID is left empty).
//
// TODO(ACL-Legacy-Compat): remove
func (a *ACL) Convert() *ACLToken {
	// Rewrite any old HCL before it can escape into the rest of the system.
	//
	// DEPRECATED (ACL-Legacy-Compat)
	if sanitized := SanitizeLegacyACLTokenRules(a.Rules); sanitized != "" {
		a.Rules = sanitized
	}

	token := &ACLToken{
		SecretID:    a.ID,
		Description: a.Name,
		Type:        a.Type,
		Rules:       a.Rules,
		RaftIndex:   a.RaftIndex,
	}
	// A legacy token cannot carry any of these; set them explicitly so the
	// mapping is spelled out rather than relying on the zero value.
	token.AccessorID = ""
	token.Policies = nil
	token.ServiceIdentities = nil
	token.NodeIdentities = nil
	token.Local = false

	token.SetHash(true)
	return token
}
// Convert attempts to convert an ACLToken into an ACLCompat.
//
// Only a token that still carries a legacy Type has an ACL representation; a
// token with an empty Type (ACLTokenTypeNone) yields an error. Fields with no
// counterpart in ACL (AccessorID, Policies, the identity lists, Local) are not
// carried over. The SecretID becomes ACL.ID.
//
// TODO(ACL-Legacy-Compat): remove
func (t *ACLToken) Convert() (*ACL, error) {
	if t.Type == "" {
		return nil, fmt.Errorf("Cannot convert ACLToken into compat token")
	}

	return &ACL{
		ID:        t.SecretID,
		Name:      t.Description,
		Type:      t.Type,
		Rules:     t.Rules,
		RaftIndex: t.RaftIndex,
	}, nil
}
// ACLSpecificRequest is used to request an ACL by ID
type ACLSpecificRequest struct {
	// Datacenter is the DC the request is targeted to (see RequestDatacenter).
	Datacenter string
	// ACL is the ID of the legacy token to look up. Because ACL.ID doubles as
	// the token secret (see ACL.Convert), this field is sensitive.
	ACL string

	QueryOptions
}
// RequestDatacenter returns the DC this request is targeted to.
func (req *ACLSpecificRequest) RequestDatacenter() string {
	return req.Datacenter
}
// IndexedACLs has tokens along with the Raft metadata about them.
type IndexedACLs struct {
	// ACLs is the list of legacy tokens returned.
	ACLs ACLs

	QueryMeta
}
// ACLBootstrap keeps track of whether bootstrapping ACLs is allowed for a
// cluster.
type ACLBootstrap struct {
	// AllowBootstrap will only be true if no existing management tokens
	// have been found.
	AllowBootstrap bool

	RaftIndex
}
// ACLPolicyResolveLegacyRequest is used to request an ACL by Token SecretID, conditionally
// filtering on an ID
type ACLPolicyResolveLegacyRequest struct {
	Datacenter string // The Datacenter the RPC may be sent to
	ACL        string // The Tokens Secret ID (sensitive: it is the credential itself)
	ETag       string // Caching ETag to prevent resending the policy when not needed

	QueryOptions
}
// RequestDatacenter returns the DC this request is targeted to.
func (req *ACLPolicyResolveLegacyRequest) RequestDatacenter() string {
	return req.Datacenter
}
// ACLPolicyResolveLegacyResponse is the reply to an
// ACLPolicyResolveLegacyRequest: the resolved policy for the given token
// together with the caching metadata needed by the caller.
type ACLPolicyResolveLegacyResponse struct {
	// ETag identifies this policy version; it pairs with the request's ETag
	// so an unchanged policy need not be resent.
	ETag string
	// Parent — NOTE(review): semantics not visible in this file; presumably
	// the parent policy the token inherits from. Confirm against the resolver.
	Parent string
	// Policy is the parsed ACL policy. NOTE(review): presumably nil when the
	// request's ETag matched and nothing was resent — confirm at the caller.
	Policy *acl.Policy
	// TTL — NOTE(review): looks like the caching lifetime for this reply;
	// confirm against the resolver.
	TTL time.Duration

	QueryMeta
}